WyzGuys Tech Talk

Controlling your professional information can mean managing the information you disclose on professional networking sites such as LinkedIn.  It can also mean protecting the client and employee information you have gathered through your employment.   It may mean securing your computer network from outside and inside attackers, or your website from compromise.  It may mean properly securing online assets such as websites.  It may mean protecting the reputation of a business that you founded, own, and operate.

• Understand that the first part of an attack is reconnaissance, and LinkedIn is a prime location for great information about people who work at the target organization, what they do, and what special skills they have.
  • It is relatively easy to identify and profile the CEO, CFO and other top managers on LinkedIn, and use that information for a password stealing spear-phishing email.
  • If you work in IT, some of your skill information will let the attackers know what sorts of systems are in operation.  This allows them to find workable exploits more easily.
  • If you have a security clearance, or work in a job with privileged access sensitive data, avoid disclosing your employer and title, especially on websites like LinkedIn.
• As owner, manager, or webmaster of a business, properly securing your website from intrusion is important.
  • This is especially true for e-commerce sites where credit card data comes into play, or any website that is used to gather customer or visitor information and store the information in a database.  This can be user names and passwords, or very detailed personal profiles.
  • Make sure user information is encrypted, and that passwords are hashed, salted, and stretched to make them difficult to crack.
• Disclosures of business emails, like what happened in the Sony breach, can have a devastating impact on client relationships and your business reputation.  Make sure your mail servers are secured, and that you have appropriate data retention and data destruction procedures in place.
  • If I can hijack your email account by tricking you into providing your email password, I can learn a lot about you just by reading your inbox and sent mail, looking at your contacts and calendar.  I can use your email to impersonate you, including sending emails requesting wire transfers of large sums of money.
• Locate and identify your sensitive information, and properly secure it.  Make sure your employees are not system admins with unlimited access.  Limit their rights to the data they need to do their jobs, but no more.
• Develop a computer incident response plan, and if you have an incident, use your plan to figure put what happened, and what, if anything, was lost.
  • If something happens it is an “incident” not a “breach.”
  • A breach occurs when you know that protected data was accessed or lost.  Anything less is an “incident.”  The choice of terminology has legal repercussions.
  • Get your corporate legal counsel involved in all discussions about your incident.  This creates attorney-client privilege, and can protect your company from legal actions against your company that would involve discovery.  You can’t be forced to reveal privileged communications.
  • If you are truly breached, do not wait until Eyewitness News or Brian Krebs reports on it first.  Be forthcoming and truthful.  If you are just starting your investigation and don’t know much, it is OK to say so.
  • Cyber attacks happen a lot these days, and there is no shame in it, unless you were negligent in some way.  If there is negligence, then there is shame, and big class-action lawsuits.

Hopefully, some of these ideas will help you to protect your professional information, reputation, and income.  Tomorrow we wrap up this series with a post about protecting your social networks.