Security Info & Alerts from Reputable Sources
Too many small business owners believe that they do not need to worry much about security. Your reasoning may run something like this: "Who would want to target my business when there are so many bigger targets out there?" While it is true that small businesses have not been directly attacked as often as larger ones, today there are several factors working to prove you wrong:
1) small businesses often end up as part of larger attacks, such as mass worm outbreaks or efforts to harvest credit card numbers
2) security is becoming tighter than ever at larger companies, so small business networks look increasingly tempting to attackers
3) not all attacks come from the outside
According to a recent
article at TechTarget's SMB site, "the
typical owner of an SMB is a prime target for
identity theft via spyware. Creditworthy and
financially solvent, many small business owners
fit the profile identity thieves are casting for
in their spyware nets." Ed Skoudis, a noted
expert on malicious software, offered the
following observation in that same article:
"Most people feel that the odds are in their
favor when it comes to avoiding identity theft.
The odds are stacked against SMB owners,
however, and they can't afford to be complacent
about the possibility of identity theft through
spyware."
Identity Theft
Identity theft has emerged as America’s
fastest-growing crime:
according to recent congressional testimony by
the Federal Trade Commission (FTC), a
12-month study from 2003 showed there were
nearly 10 million victims at a cost of more than
$53 billion. The epidemic is fuelling, and being
fuelled by, a host of other crimes ranging from
burglary to methamphetamine production and
abuse. (I'll bet you're wondering, "Why meth?" Some of the same chemicals used in the
production of methamphetamine can be used to
"wash" checks - that is, to remove or alter the
original
payee name and dollar amount of a check. Since
Identity Theft is a relatively low-risk activity
for perpetrators, it is an attractive way for
methamphetamine producers to finance their
operations.)
California has the third highest per capita rate
of identity theft in the nation, behind Arizona
and Nevada, according to a
February 2005 report by the FTC that ranked
identity theft as the number one consumer
complaint for the fifth straight year.
Among the FTC report highlights:
- Nationwide, identity theft complaints jumped 14.6% between 2003 and 2004.
- In California, the number of identity theft complaints jumped 11% between 2003 and 2004.
- Looking at per capita identity theft-related complaints by major metropolitan area, California holds four of the top ten slots and six of the top twenty-four slots - the San Francisco-Oakland-Fremont metro area ranked 9th, and the San Jose-Sunnyvale-Santa Clara metro area ranked 24th.
According to an Identity Theft Resource Center report published in October 2003:
- ID theft victims spend an average of 600 hours and $1,400 in out-of-pocket expenses recovering from the crime and restoring their good name.
- Businesses suffer losses of more than $92,000 per name used for identity theft, up 410% from $18,000 in 2000.
- Even though identity theft victims are learning about the crime sooner than ever, it's also taking them far longer to clear their names and repair their credit.
- Only 15% of ID theft victims find out because a credit card company noticed suspicious activity on an account or suspicious information on a credit application and took extra steps to verify identity. The remaining 85% of victims discover the fraud after the fact (e.g., after being denied a loan or credit card, after being billed for a credit card or service they never signed up for).
Identity Theft Resources: If you are looking for assistance or information on Identity Theft, a good rule of thumb might be to look closely at the URL (Uniform Resource Locator) or web address before you go to the site: non-profit organizations will have web addresses that usually end with the top-level domain (TLD) ".org", while those for commercial or for-profit companies will usually end with the TLD ".com". This can be especially important when using a search engine, since some less-than-honest companies may seek to benefit financially from your misfortune.
Identity Theft Resource Center (http://www.idtheftcenter.org), a non-profit organization based in San Diego, CA, which "provides consumer and victim support and advises governmental agencies, legislators and companies" about ID Theft.
Privacy Rights Clearinghouse (http://www.privacyrights.org), a nonprofit consumer information and advocacy organization established in 1992 and based in San Diego, CA.
State Public Interest Research Groups (www.pirg.org) and CALPIRG (www.calpirg.org) - CALPIRG has a section on Privacy Rights and Identity Theft resources.
The three major credit reporting bureaus offer consumer education information about Identity Theft and its prevention, in addition to their for-profit credit reporting and monitoring services.
- Equifax Learning Center - Protecting Against Identity Theft
- Experian Credit Education - What is Credit Fraud?
- TransUnion - True Credit Learning Center
California Privacy Legislation (A.B.1950, S.B.1, S.B.1386, S.B.852)
California state law is in the forefront of establishing consumer privacy protection, and this has major implications for many businesses. Perhaps you should reconsider what information you "need" to collect from your customers: do you really need a record of their Driver's License or Social Security Number, or could you conduct your business without that data? If so, you could avoid the massive notification effort required by S.B.1386 if an unauthorized person acquired, or is reasonably believed to have acquired, computerized data that contains a California resident's unencrypted "Personal Information", defined as an individual's first name (or initial) and last name, in combination with one of the following:
- Social Security Number,
- Driver's License or California ID number, or
- Information sufficient to gain access to a financial account (e.g., Credit/Debit card number with PIN).
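The definition above is easy to turn into a data-inventory check, which is the practical first step toward the data minimization the previous paragraph recommends: list what each customer record actually holds, and see which records would fall inside the notification requirement if they were exposed unencrypted. The following Python is an added example written for this page, not code from the original site or from any California agency. The field names (first_name, first_initial, last_name, ssn, drivers_license, account_number, pin, password, security_code, encrypted) and the sample records are constructed for the example, and the treatment of "information sufficient to gain access to a financial account" as an account number paired with an access code is this example's simplification of the statutory wording.

```python
# Added example (not from the original page): flag stored records that fall
# inside the S.B.1386 definition of unencrypted "Personal Information", so a
# data inventory shows which fields would trigger notification if exposed.
# Field names below are constructed for this example; a real inventory would
# map them from its own schema.

# Elements that, combined with a name, bring a record into scope.
SENSITIVE_ELEMENTS = {
    "ssn": "Social Security Number",
    "drivers_license": "Driver's License or California ID number",
}

# A financial account number counts only when stored together with something
# that grants access to the account (simplification: a PIN, password or
# security code field is present).
ACCOUNT_FIELD = "account_number"
ACCESS_FIELDS = ("pin", "password", "security_code")


def has_name(record):
    """First name (or initial) in combination with last name."""
    first = record.get("first_name") or record.get("first_initial")
    return bool(first) and bool(record.get("last_name"))


def notifiable_elements(record):
    """Return the elements that make this record notifiable.

    An empty list means the record is out of scope: either it is stored
    encrypted, it carries no name, or it holds none of the listed elements.
    """
    if record.get("encrypted"):
        return []
    if not has_name(record):
        return []
    found = [label for key, label in SENSITIVE_ELEMENTS.items() if record.get(key)]
    if record.get(ACCOUNT_FIELD) and any(record.get(f) for f in ACCESS_FIELDS):
        found.append("Financial account number with access code")
    return found


def audit_inventory(records):
    """Map each record id to the elements that bring it into scope.

    Records that map to an empty list create no S.B.1386 notification
    obligation; records with entries are candidates for not being collected
    at all, or for being encrypted at rest.
    """
    return {rec["id"]: notifiable_elements(rec) for rec in records}


# Constructed sample inventory (all values are placeholders).
SAMPLE_RECORDS = [
    {"id": "cust-1", "first_name": "Ana", "last_name": "Lopez", "ssn": "000-00-0000"},
    {"id": "cust-2", "first_initial": "J", "last_name": "Kim", "drivers_license": "X0000000"},
    {"id": "cust-3", "first_name": "Sam", "last_name": "Reed", "account_number": "1234", "pin": "0000"},
    # Account number alone, nothing that grants access to the account.
    {"id": "cust-4", "first_name": "Sam", "last_name": "Reed", "account_number": "1234"},
    # Same data as cust-1 but stored encrypted: outside the definition.
    {"id": "cust-5", "first_name": "Ana", "last_name": "Lopez", "ssn": "000-00-0000", "encrypted": True},
    # No first name or initial: the name element of the definition is not met.
    {"id": "cust-6", "last_name": "Lopez", "ssn": "000-00-0000"},
]

if __name__ == "__main__":
    for rec_id, elements in audit_inventory(SAMPLE_RECORDS).items():
        status = "NOTIFIABLE: " + ", ".join(elements) if elements else "out of scope"
        print(f"{rec_id}: {status}")
```

Run against the constructed inventory, cust-1 through cust-3 are flagged and cust-4 through cust-6 are not; the useful output for a small business is the list of flagged fields, since each one is a candidate for "do we need to keep this at all?" before it is a candidate for encryption.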
Pending legislation in the California Senate
(S.B.852) would expand the requirement to notify
affected persons if the lost or stolen data is
on an unencrypted computer backup tape or in
printed form. This legislation has been
prompted by recent high-profile losses of
computer backup tapes [Bank
of America, December 2004, and
Citigroup, June 2005] and theft of printed
account data [Bank
of America and Wachovia Group, 2005].
S.B.1386 - California Database Security Breach Notification Act, went into effect July 2003
S.B.1 - California Financial Privacy Act, went into effect July 2004
A.B.1950 - California General Security Standards for Business, went into effect January 2005 - this includes (but is not limited to) personal information that a business retains as part of its internal customer account or for use in transactions with the person to whom the information relates.
S.B.852 - a pending act to amend sections of the California Civil Code relating to Identity Theft. In late June 2005, this bill was passed by the Assembly Judiciary Committee but was subsequently blocked in the Assembly Business & Professions Committee; it may be reconsidered by that committee in the coming weeks.
California Office of Privacy Protection - provides a summary of pending California privacy legislation, current state privacy laws, and additional privacy resources including recommended privacy practices for business.
Additional California
data privacy and security requirement resources
will be posted here in the near future.
Virus and Spyware Information
Because computer network security is so vital for the safe operation of your business, most of the major companies offering commercial security products also provide a wealth of information about current security risks. Several companies make this information available in a form that can be incorporated into other web sites, such as this one. I encourage you to bookmark this page and the pages that launch from the links below and periodically refer to them.
F-Secure Virus Statistics
eset NOD32 Virus radar
Symantec
Disclaimer: The information in the Symantec
Security Alerts Box is believed to be accurate
at the time of publishing based on currently
available information. Use of the information
constitutes acceptance for use in an AS IS
condition. There are no warranties with regard
to this information. Neither the author nor the
publisher accepts any liability for any direct,
indirect, or consequential loss or damage
arising from use of, or reliance on, this
information.
Symantec, Symantec products, and Symantec
Security Response are registered trademarks of
Symantec Corp. and/or affiliated companies in
the United States and other countries.
Eset virus radar on-line and NOD32 are
registered trademarks of Eset Software.
All other registered and unregistered trademarks
represented in this document are the sole
property of their respective companies/owners.
Hoaxes and Fraud Schemes
Referring to the following pages could be helpful when you need to sort out whether something you've heard is really a new security risk or a hoax. Many hoaxes begin as emails claiming to originate from major corporations, news organizations, government agencies or universities. Usually, they advise you to send the message to everyone in your address book and take certain actions, such as searching for and then deleting specific files from your computer. These e-mails waste time, clog inboxes, and may cause some general embarrassment when they're proven untrue.
Sometimes the message is an offer that sounds too good to be true: these are usually some variant of an advance fee fraud scheme and could end up costing you a lot of money.
Urban Legends Reference Pages
(snopes.com)
Computer Incident Advisory Capability "Internet
Hoaxes" page (ciac.org)
DataFellows "Hoax Warnings" page (F-Secure
Security Information Center)
Internet ScamBusters (scambusters.org)
Heads Up Fraud Prevention Association (Edmonton,
Alberta, Canada) - This Canadian site has
several PDF documents describing fraud schemes;
the toll free number on their site would appear
to work only within Canadian provinces, and I
don't have a non-toll number for them, so e-mail
is probably the best contact method.
Current Netlore - Internet hoaxes, email rumors
and urban legends (about.com)
CERT Coordination Center (Carnegie Mellon
University)