EB Security Technical Implementation Guide » Security

Workplace Security Are You Any Safer At Work From Terrorism

admin — Mon, 28 Sep 2009 11:41:24 +0000

TABLE OF CONTENTS

1. The Security Consultant’s Perspective…

2. The Insider Threat…

3. Threats by the Outsiders

4. The Terrorist Threat…

5. Protective Measures…

1) Security Consultant’s Perspective…

Traditional techniques at combating Workplace Violence pits the disgruntled employee against the system and the potential victims in a waiting game. It seems that the “Inside Threat” is reduced to monitoring the known potential, the “Ticking Bomb”, while the unknown threats go unmonitored. Threats by “Outsiders” are just as common and equally violent. Complicating this challenge, we now must grapple with the threat of terrorism (political and domestic) in our workplaces. I am reminded of a quote by James Baldwin from his book, “The Price of the Ticket”. “No one can possibly know what is about to happen: it is happening, each time, for the first time, for the only time”. Fighting the potential workplace threat requires a change in tactics and training techniques in order to be proactive.

2) The Insider Threat…

The “going postal” employee is as real in many workplaces as was the case of the rash of Postal Service incidents that gave rise to the phrase by the media. The difference between the postal employee and the ConAgra Shooting, Kansas (July 2004), the DaimlerChrysler Shooting, Ohio (January 2005) and the Weequaic High School Shooting, Newark, NJ (July 2005) North Toledo was the lack of sensationalized media coverage. I have found that career employees who “go postal” did not plan to do so over night, nor was he predisposed to kill employees. It was a series of gradual events in the employee’s life brought about by changes in personal relationships, a diagnosed medical condition perceived unjust or a caustic domestic situation
gone awry given rise to violence aggression as a form of retaliation at home and the workplace.

The environmental, societal factors and contributing events could not have been more apparent to the trained eye. Perpetrators of workplace violence are victims of their environment because they did not plan their rampage the first day hired. It was a gradual process with changes which bought about behaviors, attitudes and methodical planning clearly evident by the employee’s daily interactions, physical appearance, verbal utterances and documented slips in performance and efficiency. Everybody can see the indicators in the aftermath but most do not understand how to collaborate to prevent the “Ticking Bomb” from exploding before it is too late.

The Threat Assessment Process though intrusive in some quarters is an instrumental process worthy of attention. Subtle but contributory changes in an employee’s demeanor can be detected with early warning signs to provide assistance and intervention. This response unlike the threat posed by “The Outsider” is manageable (predictable)and preventable.

3) Threats By Outsider…

Confrontational crimes committed by “Outsiders” though unmanageable can be mitigated and somewhat preventable. Take the following incidents. A nurse who works at a hospital who tells a horrific story of being punched, kicked, scratched, bitten, nose and ribs broken, stabbed with a pen and suffered eye damage all as a nurse at the hospital are true incidents. He also testified that patients have assaulted his co-workers. This account represents one of several hundred such incidents at hospitals in our Nation yearly. A storekeeper who confronted an armed robber was shot because he did not have enough money. You stop your car at a client’s business and exchange what you need between the car’s compartment and the trunk and return to discover the trunk broken into and the goods stolen? How about the lurking perpetrator who finds the pleasure in attacking helpless victims between floors on the stairwell or on the elevator? But nothing is worst than the unsuspecting medical service provider who is confro nted by a client in his home or the office helpless to defend himself without any insight into appropriate protective measures.

These are situational accounts of innocent employees, victims of their unique situations created by their workplace environments and the threats posed by “Outsiders”.

4) The Terrorist Threat…

Though much attention has been given the political terrorist, little is mentioned in the workplace about our homegrown terrorists. The political terrorist who assimilates into the fabric of America to await the “call to arms”, is much different than the “normal” employee who harbors outward
political, social and religious positions but, is protected by freedom of speech that permits the employee to maintain antithetical positions for the safety and security of the workplace. Our workplaces are full of ideologies that spawn terrorism; Para-military and militia groups, white supremacist
groups, black hate groups; those who believe in extreme defense of the unborn, even environmentalist who work on the fringes of the law have spawned eco-terrorists, defenders of animal rights have attacked furriers and researchers and religious sects have spawned “holy warriors” who attack commercial and cultural interest. Similar to both of these groups they choose targets of value and opportunity. Unlike the “Insider” and the “Outsider”, the criminal behaviors of the domestic terrorist advertise their
moves and are predictable because they are known and apparent.

5) Proactive Measures…

In no particular order: Train your leaders in Threat Assessment, Synchronize the security process with other departments, Structure personnel security procedures, Design a unique security policy, Plan and Test your emergency
evacuation plans, implement strategy to prevent and interdict workplace violence by all, Limit & restrict access, Issue a suitable form of identification with photograph, Teach crime prevention and have desktop exercises and scenarios, test your crisis communications plan, run periodic background checks on all employees and establish a repoting policy to encourage early identification of potential perpetrators.

Nater Associates, Ltd is a Security Management Consulting Practice specializing in Workplace Security Issues and dedicated to providing clients superior security services based on Solid Situational Experiences.

Tags: assessment, Security, threat, workplace

The Weakest Link In Your Information Security Chain

admin — Wed, 15 Jul 2009 07:13:20 +0000

At times I laugh when I see companies, banks, educational institutions laying so much emphasis on the deployment of firewalls, anti-virus, server room protection e.t.c.

Yes firewalls, anti-virus are good but without a comprehensive information security program in place all these security technology tools will only provide a false sense of security. When we start thinking about information security, we need to think about security as a system not a single technology.

Let Us take a Hypothetical Scenario

A company has over 5 million clients. It has an e-business website. It has deployed firewalls, anti-virus solutions and other vendor security solutions. It conducts 90% of its business through its e-business website.

A Hacker studied the situation and asked; how do i get at this company?

What is the weakest link in the companies information security model? Why the weakest link? The hacker knew that going through the firewall, the intrusion detector systems would take him time which he was not willingly to spare. The hacker found out through painstaking research and study that the over
5 million customers were the weakest link.

The attack followed;

A fake website of the company was created.

E-mails were sent to the company’s over 5 million customers.

The E-mail read.

Dear customer,

We have deployed new security solutions that will help increase the security of conducting business with us through our website. Please kindly enter your contact and billing details, by clicking on this link. www.wilbroser.com/details.html.
Thanks for your cooperation.

Yours faithfully,
Alex Brown
Head of IT

Result of the E-mail

Out of the 5 million customers, 3 million of them clicked the link and reentered their contact and billing details.
The remaining 2 million felt indifferent and didn’t respond to the mail. The credit card information of over 3 million customers was stolen.

Why did the Hacker Target the 5 Million Customers of the Company?

The hacker found out that to commit e-fraud, it will take more effort and time going through the firewall, anti-virus and the other security solutions of the company.

The thought of the weakest link came. The company has never embarked on a security awareness training program for customers. A lot of emphasis has been on staff and security solutions.

The hacker identified the customers as the weakest link. Having identified the weakest link , the attack was launched.

Why Was the Attack Successful?

1. The over 5 million customers. None could tell the difference between a fake copy of the company’s website and the company’s website.

Tags: e-fraud., Information Security, Security

How To Cover Your Tracks On The Internet

admin — Sat, 16 May 2009 10:44:29 +0000

Every single time you access a website, you leave tracks. Tracks that others can access. If you don’t like the idea, find out what software can help you cover them.

Anti Tracks

Anti Tracks is a complete solution to protect your privacy and enhance your PC performance. With a simple click Anti Tracks securely erase your internet tracks, computer activities and programs history information stored in many hidden files on your computer.
Anti Tracks support Internet Explorer, AOL, Netscape/Mozilla and Opera browsers. It also include more than 85 free plug-ins to extend erasing features to support popular programs such as ACDSee, Acrobat Reader, KaZaA, PowerDVD, WinZip, iMesh, Winamp and much more. Also you can easily schedule erasing tasks at specific time intervals or at Windows stat-up/ shutdown.
To ensure maximum privacy protection Anti Tracks implements the US Department of Defense DOD 5220.22-M, Gutmann and NSA secure erasing methods, making any erased files unrecoverable even when using advanced recovery tools.

Free Download: http://www.deprice.com/antitracks.htm

East-Tec Eraser

East-Tec Eraser goes beyond U.S. Department of Defense standards for the permanent erasure of digital information and easily removes every trace of sensitive data from your computer.

Completely destroy information stored without your knowledge or approval: Internet history, Web pages and pictures from sites visited on the Internet, unwanted cookies, chatroom conversations, deleted e-mail messages, temporary files, the Windows swap file, the Recycle Bin, previously deleted files, valuable corporate trade secrets, business plans, personal files, photos or confidential letters, etc.
East-Tec Eraser 2005 offers full support for popular browsers (Internet Explorer, Netscape Navigator, America Online, MSN Explorer, Opera), for Peer2Peer applications (Kazaa, Kazaa Lite, iMesh, Napster, Morpheus, Direct Connect, Limewire, Shareaza, etc.), and for other popular programs such as Windows Media Player, RealPlayer, Yahoo Messenger, ICQ, etc. Eraser has an intuitive interface and wizards that guide you through all the necessary steps needed to protect your privacy and sensitive information.
Other features include support for custom privacy needs, user-defined erasure methods, command-line parameters, integration with Windows Explorer, and password protection.

Free Download: http://www.deprice.com/eastteceraserstandard.htm

Ghostsurf Platinum

GhostSurf Platinum ensures your safety online by providing an anonymous, encrypted Internet connection, and GhostSurf stops spyware, eliminates ads and erases your tracks. GhostSurf lets you customize your privacy level in real-time to suit your surfing needs. A variety of options enable you to block personal information, mask your IP address, route your data through anonymous hubs and even encrypt your Internet connection. GhostSurf’s Privacy Control Center allows you to see and block every piece of data that your computer emits over the Internet, preventing even your Internet Service Provider (ISP) from creating a profile on you.

Free Download: http://www.deprice.com/ghostsurfplatinum.htm

CyberScrub Pro

Sensitive data can easily fall into the wrong hands. And because Windows is not capable of deleting information beyond recovery, you are at risk!

Passwords, financial documents, even those “about last night” e-mails are fair game for the IT professional, computer technician or hacker.

CyberScrub allows you to purge, wipe and erase data with methods that far exceed US Department of Defense standards for file deletion (DOD 5220.22).

CyberScrub Erases:

* Selected Files/Folders beyond recovery

* Cookies

* Cache (Temporary Internet Files)

* All traces of Peer2Peer activity (16 popular apps)

* Website History

* Chat Room Conversations, Instant Messages

* Pictures viewed

* Email & “previously deleted files”

* Recycle Bin, Recent Documents

* Swap and other “locked” files that contain sensitive data

* Peer2Peer Applications activity

Free Download: http://www.deprice.com/cyberscrubprofessional.htm

John Deprice owns and operates http://www.deprice.com

Tags: internet, Safety, Security, tracks

Christina Aguilera In Security, Back to Basics

admin — Thu, 16 Apr 2009 06:35:03 +0000

Christina Aguilera has gone back to basics, stopped dating toxic guys and married a down-to-earth music executive. Christina is becoming more secure in her womanhood. Her new elegant look and soul CD Back to Basics are evidence of her personal evolution and transformation.

Christina’s crusade to help victims of domestic violence is dear to her heart. She herself grew up in an unstable environment as there was abuse in her household. Christina works a lot with a domestic violence and child-abuse center in Pittsburgh. She is passionate about rebuilding battered women’s self-esteem and providing for their necessities.

Christina unveiled herself a bit telling Seventeen magazine: "Thank God for my first record: I was able to get my foot in the door with a [CD] that wasn’t so much me but has given me the freedom to do what I want to now."

Married to a man who embraces her individuality, Christina is undoubtedly growing increasingly comfortable in her own skin. Christina proudly says of her husband Jordan, "He’s my best friend and he’s my backbone and number one supporter. …He’s a very real, down-to-earth person. When he walks into a room, his energy is so calm and peaceful, like you wouldn’t even know he was there. He’s a great balance for me." (Seventeen, September 2006, p. 179)

Not only is Christina more relaxed, but her new song "Save Me From Myself" shows that she is also becoming increasingly self-aware. Christina candidly admitted, "I think a lot of us can act as our own worst enemies at times, digging ruts for ourselves and making things out to be worse than they really are."

We all experience bad feelings at times, during which if we isolate ourselves can feel as if we’re being sucked into a black hole. It is important to have loved ones and solid people to whom we can turn. Thankfully Christina has found the light in her hubby Jordan.

When I was going through a dark time following my divorce a couple years ago (which resulted from my ex-wife cheating on me), I happened to see an article about Christina on a Rolling Stone magazine. It talked about her brutal break-up with her first boyfriend who proved to be quite the player. Some friends helped Christina through it by taking her into the kitchen of a restaurant where they told her to break some champagne glasses and release her anger. As Christina broke the champagne glasses she felt somewhat of an emotional breakthrough. It was this article that inspired my new book "Breakthrough for a Broken Heart."

Christina’s "Fighter" song was a personal favorite of mine as I bounced back from my personal setback. Today like Christina I have stepped back into the light and found the love of my life. Whereas Christina used music throughout her life to escape the abuse, I have found writing to be therapeutic and healing. Settled in security is a wonderful place to be emotionally and relationally.

Paul Davis is a love coach and author of Breakthrough for a Broken Heart a book telling us “How to overcome disappointments and blossom into your dreams!” He is a dating expert, life coach (relational & professional), popular worldwide keynote speaker, creative consultant, humor being, adventurer, explorer, mediator, minister, liberator and dream-maker.

Paul’s compassion for people & passion to travel has taken him to over 50 countries of the world where he has had a tremendous impact. Paul has also brought revival to many in war-torn, impoverished and tsunami stricken regions of the earth. His nonprofit organization Dream-Maker Ministries is building dreams and breaking limitations.

Paul’s Breakthrough Seminars inspire, revive, awaken, impregnate with purpose, impart the fire of desire, catapult people into a new level of self-awareness, facilitate destiny discovery and dream fulfillment.

Paul can be contacted at: RevivingNations@yahoo.com 407-967-7553.

For additional info: http://www.CreativeCommunications.TV and http://www.DreamMakerMinistries.com

Tags: breakthrough for a broken heart, Christina Aguilera, love, Paul Davis, Security, toxic guy, transformation

Top 5 Ways to Create Job Security

admin — Wed, 01 Apr 2009 09:20:27 +0000

A 5 POINT STRATEGY FOR ENSURING YOUR JOB SECURITY

Think Job Security is a thing of the past? Think again. While it may be true that no one is exempt from a downsizing, layoff, or unexpected re-organization in today’s economic climate, that doesn’t have to mean you have no job security. Today’s workers simply need to redefine what job security really is given the competitive environment we live in, and where security comes from. You can (and should) have a sense of job security, but it won’t come from your employer. You must give it to yourself. Your number one priority, if you wish to have career longevity and fulfillment, is to remain highly employable. Here’s a proven 5 point strategy to ensure you have security in an uncertain job economy.

1. Under-promise, over-deliver
2. Nurture Your Network
3. Invest in Your Competence
4. Have a Plan B and Plan C Ready to Execute
5. Build Your Reserves

UNDER PROMISE and OVER DELIVER
The first strategy is simply to outperform your peers. Under promising may sound like a lethal career strategy, but in reality it’s the opposite, as long as you consistently over deliver. Bosses and peers become most frustrated with those who make empty promises, right? These are the people who OVER promise and then consistently UNDER perform. By getting really skilled at setting reasonable expectations, building in time for the unexpected (which you can almost always expect!), and then meeting or beating every agreed upon target, how much does that increase your value to the organization? Lots. People want to know what to expect and be wowed. Wow! them with your performance, not your promises. Valuable employees manage to escape much of the corporate shake ups, even when the shake ups hit their home turf. Create a reputation for being someone who delivers value and you’ll add a lot of staying power to your career.

NURTURE YOUR NETWORK
Do you maintain relationships with a diverse group of peoplefrom close friends to casual business acquaintances? Or is your social life basically built around the coffee pot and bagel box at work? When faced with changing jobs (by choice or not), it is important that you have strong, reliable network in place. You don’t want to be building up relationships at a time when you need them mostit drains your energy and looks and feels too desperate! You want to continually work toward having strong relationships with a variety of contacts because you enjoy them and they enjoy you. These relationships are in the spirit of helping whenever it’s needed. You may include professional contacts within and outside your employer, as well as a diverse group of acquaintances through community, school, and social circles. Stay plugged in with others. It can make the difference between a long and difficult job search, and a smooth job change.

INVEST IN YOUR COMPETENCE
Staying current in your field is critical to long term employabilitya.k.a. ’security’. If your employer provides some of this, great! Take them up on it. But if they don’t (as many are cutting back here), take it upon yourself. Create your own professional development plan. Find professional associations, training programs, published material (books, internet sites, magazines and journals, etc) and/or mentors/peers that can help you stay abreast of trends and issues impact your field, industry and geographical area. In order to be employable (whether at your current employer or somewhere else), you have to be current and be able to talk about future trends. If your most recent ‘update’ to your knowledge, skills, or abilities was the day you walked down the aisle to pick up your degree (and that wasn’t last year), then you’ve got to develop a plan to get in the game. Allocate 2 hours a week, or even a month, to getting and staying current or learning something completely new. A high level of competence sells no matter the economy.

HAVE A PLAN B READY TO EXECUTE
You may not be ‘expecting’ to lose your job or be re-organized into the job from he**, but who is? The point is -always be ready, willing, and able to do something else. If you love what you do, then all you need is a current resume and job search plan in your back pocket at all times. Your plan B should include the network and competencies pieces discussed in this article. If you think you might like to try something new then you definitely must start creating that plan. What would you need to know in order to make a move into something new? Who would you need to know? What would be the first 3 things you would do if you were no longer employed? Create your plan B and start working on gathering some of the key pieces (information, contacts, experiences, etc.). Pull it out every so often, update it, and keep it working for you. It’s like job security insurance. It’s there when you need it. And then, create your Plan C. You just never know.

BUILD UP YOUR RESERVES
Are you prepared for a job loss should one occur unexpectedly? Do you have reserves of money to carry you through 6-12 months without a regular paycheck? Do you have reserves of confidence in your ability to land on your feet and make the most of whatever comes your way? Do you have reserves of energy to conduct a full scale job search? Do you have strong, stable friendships that could and would support you if you needed them?

Having a strong reservefinancially, physically, emotionally, and sociallywill help you be strong and confident before, during, and after any career challenge or change. This level of confidence keeps you afloat and, in fact, makes you more attractive as an employee (because you are strong and confident!). You may be less affected by a corporate shake-up and not have to draw upon your reserves. But, if you need them, they are there for you. How secure is that?!

Employers are no longer able to provide the kind of job security they once did. But that doesn’t mean we all have to walk around vulnerable and stressed. Create your own brand of job security and take control of your career. After all, it’s YOUR careerit doesn’t belong to the company anymore. And that can be a great thing!

This article may be reproduced, in its entirety, along with the following information:

© 2006, Shawn Driscoll, Succeed Coaching & Development. This article is provided courtesy of Shawn Driscoll, Career Success Coach and owner of www.succeedcoaching.com. Professionals: upgrade your work life today! We provide products and services to help you succeed at work, in business and in life. Sign up to receive your free Success Wise ezineand get success tips, inspiration, and resources to skyrocket your successat www.succeedcoaching.com.

Shawn Driscoll, owner of Succeed Coaching & Development, partners with motivated professionals to dramatically improve the quality of their career and lives. She challenges clients to stop struggling and sacrificing in the name of making a living and inspires them to re-define success on their own terms. Pick up your free copy of her special success report “How to Chart Your Course for Success and Fulfillment” at http://www.succeedcoaching.com/report.html.

Tags: coaching, job security, Security, succeed, success

Workplace Security for Small to Midsize Businesses

admin — Tue, 17 Mar 2009 18:07:01 +0000

Contents

1.) Workplace Security for Small to Midsize Businesses…

2.) Understanding the Mutual Need to Invest…

3.) Motivational Reasons to Invest…

4.) About Nater Associates, Ltd…

1.) Workplace Security for Small to Midsize Businesses…

Since September 11, 2001 surveys, polls and research suggests that a majority of small to midsize businesses are not yet prepared to handle a terrorist attack, let alone a natural catastrophe. The research suggest that this segment of our business society is thirsting for information and looking for leadership. However, it does appear this community is willing to
invest in security but, are not yet in a position to make costly investments without a clear understanding of the value. There is no debate on the need and the awareness to do something but, they want to know “who” will work with them and “how” will their needs be addressed? Knowing the existence of risks is understandable; however closer to home is the question, “how” will it improve the situation and show a Return on the Investment (ROI) after my commitment? In arriving at this understanding, some perspectives will be presented that might encourage an investment based on a collective accord on
the “why” and the “how”.

2.) Understanding the Mutual Need to Invest…

Understanding is the vitally important link, if we in the security industry are to sufficiently convince this segment of the value to invest. While the small to midsize business community remains an important connection to our
day-to-day lives, it remains an untapped security market. There are synergies to stimulate positive relationships that must be tapped regardless of the perceptions. Insufficiently energized since September 11, 2001, one speculative reason might be that the security industry and this community have not really talked to each other about the unique needs and the perceptions. Suggesting that this market was not yielding any market
interest could be further from the truth. I have found a keen interest on both sides; however, the common denominator preventing a decisive step to move forward involves a lack of time, money, sufficient knowledge and dedicated resources to address their concerns.

These realistic reasons might be unintentionally contributing to their current vulnerability. Of concern is that this threat or vulnerability is not just to the potential of a terrorist strike, but a general inability to respond in the wake of a
natural disaster, power outage, water or fire damage, human error, death of key staff, labor dispute, hostage taking, workplace violence, bomb threat, HVAC failure/temperature inadequacy or any industrial mishap requiring emergency evacuation or protective measures. Assuming CEOs and other
decision makers recognize these as their day-to-day concerns, why then has there not been a mutually concerted effort to bridge the inhibitors cited above to reach a greater understanding for the need?

My theoretical answer to these questions, suggests that this community has not been presented the benefit of the expertise in a simple, uncomplicated and understandable manner as the other awaited the “hot-button need” or for the catastrophe that will justify the investment. The reality is that this
business segment has unique but realistic concerns that must be addressed. Unfortunately, the lack of true understanding keeps the security and business community at arms-length as practicality is avoided. In reality, his segment’s security needs might be imbedded in their day-to-day safety and security concerns and not the threat of terrorism.

2.) Motivational Reasons to Invest…

There are many reasons to invest in this market! Since the research suggest there is a lack of time, money, knowledge and resources, designing an approach to address these challenges might be a solution. Instead of making security a complex process let us tailor the need to the individual client,
provide security awareness and follow-up support to insure the need is addressed and concerns minimized. Whenever I present the value of security awareness, I am reminded of a Long Island firm that made the investment in security technology but failed to teach the employees the value of the technology. While visiting with the CEO on two separate occasions, access was easily gained without as much as a challenge. In one incident, my cordial greeting was enough to disarm the employees and in the second incident, I merely walked in through a door held open with a woodchuck placed there by employees taking a smoke break.

Since it is believed this lack of understanding my drive the lack of purchase, the use of case studies and lessons learned become important in demonstrating the value of the implementation. So, why not tailor the security need to situations this segment is more apt to experience and value such as chemical spills, exposure to contaminants, victimization by criminals, disruptions due to workplace
violence and natural disaster, and fire and all the other possibilities mentioned above?

Taking a practical approach might be a stronger motivational tact that could have appeal. Keeping security methodology simple might trigger yet another motivational strategy to address their lack of resources. Involving employees in the security process is certainly another approach to show
value. Promoting the that the investment be undertaken in “little chunks” might encourage a greater appreciation for the need and increase preparedness by employing realistic and uncomplicated security plans and programs.

Another approach to the “little chunk” anology might be the value of making minimal yet inexpensive changes that will cost little more than time and effort to close the exisiting security gaps. Pursuing these approaches might insure some measures are in place “Now” to insure readiness, avoid
allegations of due diligence shortfalls or suggestions of irresponsibility and malfeasance. Lastly, instead of the buying motivation being driven by the proverbial “fear” approach we might build a client following based on the clear understanding of the need. These strategies factored by a prioritized understanding that “little chunks” can bring about a greater
degree of security preparedness rather than doing nothing will greatly enhance this business segments security posture.

4.) About Nater Associates, Ltd.

Felix P. Nater, President, Nater Associates, Ltd, Workplace Security Consultant, 116-03 Parkway Drive, Elmont, New York 11003, Office: 516-285-8484, (Toll Free) 1-877-VALU101, Fax: 516- 285-0880, Cell: 516-946-8416, email:info@naterassociates.com & Website: www.naterassociates.com

Felix has over 30 years of criminal and security experience and expertise as a United States Postal Inspector having spent the last 13 years specializing in the interdiction of workplace violence and formulating workplace security threats and risks mitigation strategy. Nater Associates, Ltd. offers clients integrated business-security solutions for thier Workplace Security and Workplace Violence Prevention needs using a variety of products. Felix calls himself the Outsource Security Director. Call Nater Associates for a Security Audit or a Security Awareness Presentation.

Tags: assessments, audits, interdiction, policy, presentations, prevention, Security, threats, violence

Money & Marriage Ten Tips for a Power Meeting

admin — Sat, 31 Jan 2009 10:47:28 +0000

” ‘Honey, this looks much, much more expensive than it really was. I got such a tremendous bargain on this.’ When I hear those words, I know my goose is cooked and that the credit card bill will be a big one.” How many husbands have uttered these or similar words after their wives return from the shopping mall.

He wants a giant HDTV so he can put up his feet.
She wants no less than 50 pairs of shoes.

He wants the latest outdoor kitchen.
She wants the indoor kitchen remodeled.

He wants the Mustang GT so he can ride the road in style.
She wants the thoroughbred with riding attire and regular lessons.

Any one of these real-life scenarios can cause a family war.

What is really important about money to you?
Do you know what is important about money to your significant other?

Do you know WHY it is important at this time?

How important will financial security be when you are in the last third of your life?

In the last third of life you will have experienced the trials and triumphs of family life. You will have been pulled into the demands of the day.
But in the last third of life, it is less likely you will continue to make the peak income of your career years. It is more likely you will have some health issues. As you add years, you will add vulnerability.

Do you have a strategy that will give you strength for your vulnerable season? A strategy that is adaptable, pro-active, and proven to work in hundreds of different scenarios?

Your strategy may not include the old-age idea of retirement—instead you may choose to work part-time, advise or consult or engage in some long-desired activity that you put off until later life.

But whether you are male or female, you will need financial resources. And whether you outlive your spouse or not, you never want to outlive your assets.

If you are reading this now, it is probable that you need to make an actual meeting time with your significant other and place on paper the ideas that you SHARE IN COMMON about money and your marriage. And if you want to live happily ever after, NOW IS THE TIME to secure your MEETING OF THE MINDS ABOUT MONEY.

According to a financial advisor friend of mine, money is only a tool, but it allows people to live in alignment with their most deeply held values. This makes it a powerful emotionally charged subject.

Here are ten key things to discuss at your Money Meeting:

1.How important is money to you?

2.Why is it important?

3.What do you want to do, achieve, be, or realize in the Best Third of your life?

4.How much money will it take to do that, or be that, or have that?

5.Where will this money come from?

6.Do you have a will?

7.Do you have medical power of attorney?

8.In the event of an emergency do you know how to access the assets of your significant other?

9.Are all of your financial records in reasonably good order?

10.Finally, when you successfully manage this meeting with each other, make another time and date certain for the next meetingand keep the communication open around this highly charged subject that is at the core of your life, whether or not you recognize it.

Simone Nathan
Author of “Going for Gold after 50: An Illustrated Guide to High Probability Investing for The Plus Years”. Discover how to put the investing odds greatly in your favor at http://www.goldafter50.com

Personal, spiritual, financial, healthful life planninghttp://www.dreamcatcherprogram.com

Tags: finance, financial, income, marriage, money, Security

Identity Theft and Pharming – A New Twist on an Old Theme

admin — Fri, 16 Jan 2009 07:45:11 +0000

Identity theft is big business and, like it or not, the likelihood that you will become a victim is increasing. As the Internet and its popularity have grown, the number of unscrupulous operators out there has grown as well. There are so many scams and attack methods out there it is difficult to keep up with them.

One of the identity thief’s more productive techniques is phishing. A phishing scam is one where an email message contains a link to a web site that asks for personal information. The scam uses social engineering to trick people to go to a web site they would not normally visit. A common scam is one in which an email that looks like it has come from a bank or credit card company asks you to “click on this link” to update your user information. There is generally a part of the email that tries to convey a sense of urgency to get you to “do it now”. When you click on the link you are actually forwarded to a thief’s web site that is designed to look like your bank or credit card company’s web site. You are then asked to provide information, such as user id, password, and other identifying information. Identity thieves use this information to open or use credit accounts and steal money from unsuspecting consumers.

Phishing attacks are relatively easy the spot and avoid. Never follow links in email messages unless you know the link is valid. Compare the actual link address with the text you see. If you are expecting to go to PayPal.com, make sure the link really takes you there. You can view the hyperlink before you click on it buy pointing your mouse cursor at the link. Most email clients and web browsers will show you what the actual address is before you click on it. If the address doesn’t match the web site address you expected to see, don’t click on the link. Likewise, NEVER provide any personal information from an unsolicited source. You will also see the address you are visiting in your web browser’s address bar. Make sure you are visiting the site you expect.

There is a new trend in identity theft, called pharming. Well, it is actually a fairly old type of attack put to a new and alarming use. The basic attack generally relies on DNS poisoning or domain spoofing. The difference between phishing and pharming is that while phishing targets individuals, pharming targets large groups of people. Before we get into a discussion of a pharming attack, let’s look at a short primer on how Internet addresses work.

Anytime you type in an address in your web browser, such as http://www.somecompany.com, your computer needs to find the Internet Protocol (IP) address before sending any information. There are two main methods for finding IP addresses for web site addresses. The legacy method consists of a file, called the ‘hosts’ file, that lists all of the host names you may want to visit, along with their IP addresses. The other method is to send a name resolution request to a Dynamic Name Server (DNS). The DNS server looks up the address in its database and returns the corresponding IP address. Once your computer looks up the IP address for http://www.somecompany.com, it then uses the IP address for all further communication.

A pharming attack is one where the host file or DNS entry is modified to send users to a counterfeit web site. The slightly simpler of the two attacks is the host file modification. This can be accomplished with a virus or worm. It is generally harder to compromise DNS servers. With the phishing attack, a careful view of your web browser’s address bar will show that you are visiting a site you did not expect. Pharming attacks are more difficult to detect since your web browser tells you that you are at the right site even when you really aren’t.

The effect of a pharming attack is that all users who want to go to a particular site end up being redirected to a thief’s site. While this might sound similar to a phishing attack, it can be much worse. There is no indication to the end user that a redirect has occurred. The web browser still shows the original web address. This behavior makes pharming attacks more difficult to detect. Also, if the thief is able to change DNS entries on a commonly used DNS server, all users who request IP addresses from the compromised server will be sent to the counterfeit site.

So, how do you protect yourself from a pharming attack? Much of the work in stopping pharming attacks is up to the DNS administrators. They will be responsible for ensuring any DNS entry changes are authentic. But, there are some steps you can take. Following these guidelines will reduce your chances of becoming a pharming victim:

Install and update a good anti-virus program. Since many attacks start as malicious software, protecting your system from viruses and other malicious software will go a long way toward stopping an attack before any information is changed.
Protect your ‘hosts’ file. On Windows operating systems, the hosts file resides at: (assuming C:\Windows is where your OS installed) C:\Windows\system32\drivers\etc\hosts. On Unix systems, it resides at /etc/hosts. You can manually check your hosts file to ensure no unusual entries have been put there or you can install software shields that watch the hosts file for you (along with anti-virus software).
Know the sites you visit and carefully protect any information you give out. Never divulge any information for any reason unless you are absolutely certain the information is necessary and you are providing it to the correct organization. If your bank web site, or any other web site, asks you to provide confidential information, call their customer service department to get confirmation that the information is needed. Don’t call the number on the web site (it may be compromised). Look up the number in the phone book or use directory assistance.
As more and more web sites start using digital certificates to authenticate their identities, you will begin to see more popup windows asking you to accept these certificates the first time you visit the web site. Always read the certificate details and ensure the web site really is the one you wanted to visit. If you are unsure, reject the certificate.

We will all hear more about pharming in the coming months. Its use is growing. This is just another opportunity to remind as many people as possible to be careful with the sites you visit and the information you give out. Protect your personal information. Not doing so can be very expensive.

Want more tips and information on how to recognize, prevent, and repair the effects of identity theft? Go to http://www.thesecurityguy.net right now and you’ll find eBooks and home study courses on identity theft and other security related topics.

Tags: identity, pharming, phishing, Security, theft, virus

5 Mac Security Tips You Can’t Live Without

admin — Wed, 17 Dec 2008 14:19:09 +0000

So, you’ve bought a new Macintosh, and now you may be wondering how to make it safer. There are several things that you can do which will protect your Mac from viruses and hackers. Macs are already very difficult to hack, but don’t let that fact allow you to become lenient with your security.

1. Download all of the software updates available. This seems like a no-brainer, but some Mac users forget to download the newest updates. You can even set your computer to automatically download new updates. However, some dial-up users encounter trouble when trying to downloaded updates. If you are a dial-up user, the best suggestion is to leave your Mac on overnight and let it download. Apple releases many programs that fix bugs in iLife applications, and in Mac OS X. Probably the most important of these updates are the security updates. Apple periodically offers security updates for its operating systems (Panther and Tiger).

2. Be careful what you download. Some people use P2P downloads for Macintosh (I.E. Poisoned). Be careful when downloading using a P2P because you do not know where the music or file is coming from. Some P2P users specifically make corrupted files to send via music downloading programs. Generally, it is a good idea to stick to iTunes, because those files are ACC Protected and offered through Apple so they certainly won’t have viruses.

3. Choose the best and safest Internet Browser. Safari comes standard on all new Macs as part of iLife. However, some people do not enjoy Safari as much as others. Some say that Safari is not as safe from hackers as other browsers. Safari can also be a problem if you are going to a web page that requires a version of Internet Explorer or Netscape to view it. You can download Internet Explorer and Netscape for Mac, but again, some believe that these browsers are not as safe from hackers. Many people believe that Mozilla Firefox (my personal favorite) is the safest browser to use because of its customizable features. Firefox is available for downloading on the Macintosh.

4. Don’t be afraid to buy anti-virus software. If you have to download files from the internet as part of a job or hobby, then it is probably a good idea to have some sort of anti-virus software on your Macintosh. Apple provides a wide-variety of anti-virus software that is constantly updated.

5. Finally, keep an eye on those e-mail attachments and instant messages. Some hackers have programmed viruses to IM you from one of your friends’ screen names. Don’t click on any link without knowing what it is first. Most e-mail providers use virus scans automatically, but you should always be extra careful when downloading an attachment. If it is from someone you do not know, don’t trust it.

Apple computers are very safe from hackers, but they can always be improved. Keeping a computer safe, and running well requires a great amount of time and energy. Just remember that if your computer is safe, your Apple experience will be much more rewarding.

Paulo Fretowski enjoys writing about computers because he uses them for his job with BizNicheMedia.

Tags: apple, firefox, mac, macintosh, OS, OS X, panther, Security, tiger

DOS Attacks Instigation and Mitigation

admin — Tue, 02 Dec 2008 14:19:08 +0000

During the release of a new software product specialized to track spam, ACME Software
Inc notice that there was not as much traffic as they hoped to receive. During further
investigation, they found that they could not view their own website. At that moment, the
VP of sales received a call from the company’s broker stating that ACME Software Inc
stock fell 4 point due to lack of confidence. Several states away, spammers didn’t like the
idea of lower profit margins do to an easy to install spam blocking software so they
thought they would fight back. Earlier that day, they took control of hundreds of
compromised computers and used them as DoS zombies to attack ACME Software Inc’s
Internet servers in a vicious act of cyber assault. During an emergency press conference
the next morning, ACME Software Inc’s CIO announced his resignation as a result of a
several million dollar corporate loss.

Scenarios like the one above happen a more then people think and are more costly
then most will admit. Denial of Service (DoS) attacks are designed to deplete the
resources of a target computer system in an attempt to take a node off line by crashing or
overloading it. Distributed Denial of Service (DDoS) is a DoS attack that is engaged by
many different locations. The most common DDoS attacks are instigated through viruses
or zombie machines. There are many reasons that DoS attacks are executed, and most of
them are out of malicious intent. DoS attacks are almost impossible to prevent if you are
singled out as a target. It’s difficult to distinguish the difference between a legitimate
packet and one used for a DoS attack.

The purpose of this article is to give the reader with basic network knowledge a
better understanding of the challenges presented by Denial of Service attacks, how they
work, and ways to protect systems and networks from them.

Instigation:

Spoofing – Falsifying an Internet address (know as spoofing) is the method an attacker
uses to fake an IP address. This is used to reroute traffic to a target network node or used
to deceive a server into identifying the attacker as a legitimate node. When most of us
think of this approach of hacking, we think of someone in another city essentially
becoming you. The way TCP/IP is designed, the only way a criminal hacker or cracker
can take over your Internet identity in this fashion is to blind spoof. This means that the
impostor knows exactly what responses to send to a port, but will not get the
corresponding response since the traffic is routed to the original system. If the spoofing is
designed around a DoS attack, the internal address becomes the victim. Spoofing is used
in most of the well-known DoS attacks. Many attackers will start a DoS attack to drop a
node from the network so they can take over the IP address of that device. IP Hijacking is
the main method used when attacking a secured network or attempting other attacks like
the Man in the Middle attack.

SYN Flood – Attackers send a series of SYN requests to a target (victim). The target
sends a SYN ACK in response and waits for an ACK to come back to complete the
session set up. Instead of responding with an ACK, the attacker responds with another
SYN to open up a new connection. This causes the connection queues and memory buffer
to fill up, thereby denying service to legitimate TCP users. At this time, the attacker can
hijack the system’s IP address if that is the end goal. Spoofing the “source” IP address
when sending a SYN flood will not only cover the offender’s tracks, but is also a method
of attack in itself. SYN Floods are the most commonly used DoS in viruses and are easy
to write. See http://www.infosecprofessionals.com/code/synflood.c.txt

Smurf Attack- Smurf and Fraggle attacks are the easiest to prevent. A perpetrator sends a
large number of ICMP echo (ping) traffic at IP broadcast addresses, using a fake source
address. The “source” or spoofed address will be flooded with simultaneous replies (See
CERT Advisory: CA-1998-01). This can be prevented by simply blocking broadcast
traffic from remote network sources using access control lists.

Fraggle Attack – This types of attack is the same as a Smurf attack except using UDP
instead if TCP. By sending an UDP echo (ping) traffic to IP broadcast addresses, the
systems on the network will all respond to the spoofed address and affect the target
system. This is a simple rewrite of the Smurf code. This can be prevented by simply
blocking broadcast traffic from remote IP address.

Ping of Death – An attacker sends illegitimate ICMP (ping) packets larger than 65,536
bytes to a system with the intention of crashing it. These attacks have been outdated since
the days of NT4 and Win95.

Teardrop – Otherwise known as an IP fragmentation attack, this DoS attack targets
systems that are running Windows NT 4.0, Win95 , Linux up to 2.0.32. Like the Ping of
Death, the Teardrop is no longer effective.

Application Attack – Thess are DoS attacks that involve exploiting an application
vulnerability causing the target program to crash or restart the system.

Kazaa and Morpheus have a known flaw that will allow an attacker to consume all
available bandwidth without being logged.
See http://www.infosecprofessionals.com/code/kazaa.pl.txt

Microsoft’s IIS 5 SSL also has an easy way to exploit vulnerability. Most exploits like
these are easy to find on the Internet and can be copied and pasted as working code.
There are thousands of exploits that can be used to DoS a target system/application. See
http://www.infosecprofessionals.com/code/IIS5SSL.c.txt

Viruses, Worms, and Antivirus – Yes, Antivirus. Too many cases where the antivirus
configuration is wrong or the wrong edition is installed. This lack of foresight causes an
unintentional DDoS attack on the network by taking up valuable CPU resources and
bandwidth. Viruses and worms also cause DDoS attacks by the nature of how they
spread. Some purposefully attack an individual target after a system has been infected.
The Blaster worm that exploits the DCOM RPC vulnerability (described in Microsoft
Security Bulletin MS03-026) using TCP port 135 is a great example of this. The Blaster
targeted Microsoft’s windows update site by initiating a SYN FLOOD. Because of this,
Microsoft decided to no longer resolve the DNS for ‘windowsupdate.com’.

DoS attacks are impossible to stop. However, there are things you can do to
mitigate potential damages they may cause to your environment. The main thing to
remember is that you always need to keep up-to-date on the newest threats.

Mitigation:

Antivirus software – Installing an antivirus software with the latest virus definitions will
help prevent your system from becoming a DoS zombie. Now, more then ever, this is an
important feature that you must have. With lawsuits so prevalent, not having the proper
protection can leave you open for downstream liability.

Software updates – Keep your software up to date at all times. This includes antivirus,
email clients, and network servers. You also need to keep all network Operating Systems
installed with the latest security patches. Microsoft has done a great job with making
these patches available for their Windows distributions. Linux has been said to be more
secure, but the patches are far more scarce. RedHat is planning on incorporating the
NSA’s SE Linux kernel into future releases. This will give Mandatory Access Control
(MAC) capabilities to the Linux community.

Network protection – Using a combination of firewalls and Intrusion Detection Systems
(IDS) can cut down on suspicious traffic and can make the difference between logged
annoyance and your job. Firewalls should be set to deny all traffic that is not specifically
designed to pass through. Integrating an IDS will warn you when strange traffic is present
on your network. This will assist you in finding and stopping attacks.

Network device configuration – Configuring perimeter devices like routers can detect
and in some cases prevent DoS attacks. Cisco routers can be configured to actively
prevent SYN attacks starting in Cisco IOS 11.3 and higher using the TCP intercept
command in global configuration mode.

Access-list number {deny | permit} tcp any destination destination-wildcard
ip tcp intercept list access-list-number
ip tcp intercept ? (will give you a good list of other options.)

Cisco routers can prevent Smurf and Fraggle attacks by blocking broadcast traffic. Since
Cisco IOS 12.0, this is the default configuration. ACLs or access control lists should also
be configured on all interfaces.

No ip directed-broadcast

The Cisco router can also be used to prevent IP spoofing.
ip access-group list in interface
access-list number deny icmp any any redirect
access-list number deny ip 127.0.0.0 0.255.255.255 any
access-list number deny ip 224.0.0.0 31.255.255.255 any
access-list number deny ip host 0.0.0.0 any
See Improving Security on Cisco Routers – www.cisco.com/warp/public/707/21.html

Old Cisco IOS versions are vulnerable to several DoS attacks. The “Black Angels” wrote
a program called Cisco Global Exploiter. This is a great software to use when testing the
security of your Cisco router version and configuration and can be found at
http://www.blackangels.it/Projects/cge.htm

Security is not as mystical as people believe. DoS attacks come in many different
types and can be devastating if you don’t take the proper precautions. Keep up to date and
take steps to secure network nodes. Keeping security in mind can minimize damages,
downtime, and save your career.

Security Resources:
Black Angels: http://www.blackangels.it/
Cisco: http://www.cisco.com
Microsoft: http://www.microsoft.com/technet/security/current.aspx
Forum of Incident Response and Security Teams: http://www.first.org/
SANS Institute: http://www.sans.org/resources/

Author: Jeremy Martin CISSP, ISSMP, ISSAP, CEI, CEH, CHS-III, CCNA, Network+, A+
http://www.infosecwriter.com

Member of:
BECCA – Business Espionage Controls & Countermeasures Association
ISACA

Tags: CEH, CISSP, DoS, hacking, homeland security, ISSAP, ISSMP, JEREMY MARTIN, Security