Online Shopping Hazards with guest WWPass VP of Strategy Perry Chaffee

Perry Chaffee of WWPassPerry Chaffee, WWPass VP of Strategy, and I turn our attention toward online shopping because it is the holiday shopping season and security is a big concern, or should be, for anyone making online purchases. You don’t want your shopping experience to be tainted with unusual charges, identity theft, or account compromise of any kind. For these reasons, you need to be aware of your shopping experience and your security.

Here are a few guidelines that Perry and I talk about during the podcast:

  1. Use a strong password.
  2. Use a password manager.
  3. Use a credit card rather than a debit card for purchases.
  4. Enable two-factor authentication for better security.
  5. Before entering passwords or credit card information, look for the https in your browser’s URL.
  6. Close your browser after shopping on a site and reopen it for your next purchase.
  7. Be sure that the site you’re on is the one you want to use.
  8. Never give anyone your password over the phone.
  9. Be VERY careful of links embedded in emails as they can look very similar to real sites.
  10. Be aware of your surroundings and don’t speak your credit card information out loud in public places.

WWPassThis is not a sponsored podcast but WWPass is a commercial security solution for individuals and businesses to help keep all your online transactions and shopping experiences secure.

Length: 18:02 minutes. Format: MP3. Rating: G

Please contact us for sponsorships, sponsored posts, and videocasts.

Copyright 2017 The SecurityNOW Podcast Show. License: CC BY.

ISACA Report Confirms SSH Keys Need To Be Properly Managed To Ensure Compliance and Reduce Risk

HELSINKI, WALTHAM, Mass. and ROLLING MEADOWS, Ill., Sept. 12, 2017 – The use of Secure Shell (SSH) is ubiquitous, a critical service on which the security profile of most organizations depends. Yet, according to a new report issued by ISACA and sponsored by SSH Communications Security, only rarely is that usage appropriately secured, assessed, documented and managed in a systematic and risk-aware way. Consequently, poorly managed SSH key environments may lead to compliance challenges and security breaches. The full report can be downloaded free of charge from the ISACA or SSH Communications Security websites.

The report outlines considerations that technology risk professionals, auditors, security practitioners and governance professionals should take into account as they approach the use of SSH in their enterprises. It offers guidance for the assessment of SSH usage, including items to incorporate in audit plans to ensure SSH access control and management is in place. Key areas auditors should consider regarding SSH keys include:

  • Security issues: Practical challenges include managing and tracking cryptographic keys at scale, responsibility for “key hygiene” and executive oversight for the use of SSH.
  • Assurance considerations:The ubiquity and transparency of SSH access makes the surface area for consideration very large, while the underlying mechanics of operation make it specialized and potentially complex. The report explores the core areas that auditors should consider when evaluating SSH usage.
  • Suggested controls: ISACA recommends specific areas to focus on when evaluating enterprise networks for SSH compliance, including configuration management and provisioning.

Frank Schettini, Chief Innovation Officer, ISACA, said: “SSH is one of those rare technologies that is in frequent use in almost every type of organization around the world. The report from ISACA examines the specific steps audit practitioners should take to ensure that they are not ignoring SSH usage and the access it provides, and gives general guidance on appropriate controls to assess and manage SSH keys. Our goal is to provide a practical starting point for improving any organization’s security posture and overall governance.”

Fouad Khalil, VP of Compliance, SSH Communications Security, said:

“Audit, risk, security and governance practitioners have a huge and complex job on their hands when it comes to SSH user key management. ISACA’s new report recommends that practitioners systematically address, assess and periodically re-evaluate the mechanics of SSH usage within their environments. Our robust set of solutions removes the complexity and difficulty from these urgent, critical tasks so organizations can become or remain secure and compliant.”

About ISACA

Nearing its 50th year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. ISACA leverages the expertise of its half-million engaged professionals in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology.

About SSH Communications Security

SSH Communications Security (NASDAQ OMX) is a leading provider of enterprise cybersecurity solutions that monitor, control and automate trusted access to critical data. Customers worldwide trust our flagship Universal SSH Key Manager® and other solutions to manage access, enhance security and achieve compliance. SSH sells direct through offices in North America, Europe and Asia and through a global network of certified partners. Access more at www.ssh.com

Social Media Security with Proofpoint’s Dan Nadir (Podcast)

ProofpointPreston and I had the opportunity to speak with Proofpoint‘s Vice President of Digital Risk on the hot topic of social media security. I say it’s a hot topic because it’s a hot topic for me because I’m not really a fan of most social media sites. I generally only use LinkedIn and Twitter. But there’s more to social media than Facebook, Twitter, and LinkedIn. There’s Instagram, Snapchat, and others. And security for all them is a big concern–or should be. In this podcast, we discuss the problems with social media security and some possible solutions.

Listen in and tell us what you think.

Podcast details:

Length: 19:59 minutes. Format: MP3. Rating: G for all audiences.

Copyright 2017 SecurityNOW  Licensing: CCBY

Introducing True Digital Security and CEO and Founder Dr. Jerald Dawkins (Podcast and Video)

True Digital SecurityPreston and I had the pleasure of speaking with, Dr. Jerald “Jerry” Dawkins, the CEO and founder of True Digital Security, the premier local security company here in Tulsa, Oklahoma. For this one, I stayed behind the scenes (literally) and Preston took the solo spotlight for this rare interview with Dr. Dawkins. This podcast is actually the audio extract from the video (Coming soon) we captured during the interview. True Digital Security is headquartered in Tulsa but has offices in Tulsa and Oklahoma City and cover clients globally.

Jerry and Preston discuss passwords, compliance issues, security pain points, and how to engage True Digital Security for your corporate security needs. This is a special focus on a growing company of security experts who are ready to help you navigate HIPAA, PCI, FFIEC, NERC CIP, and your other corporate security requirements and needs.

I think you’ll agree that after listening to this interview that Dr. Dawkins and his team knows security. You’ll also agree that this discussion is far too short. We hope to have Jerry and other True Digital Security folks on the show in the future so that you can get to know the whole team.

Podcast details:

Length: 22:12 minutes. Format: MP3. Rating: G for all audiences.

Our video interview is up and ready and available above. You can meet some of the True Digital Security team in their spotlight video.

Copyright 2017 SecurityNOW. Licensed CC BY.

IoT and Mobile Security with Zimperium CPO John Michelsen (Podcast)

ZimperiumIn this podcast, Preston, our guest John Michelsen, CPO of Zimperium, and I discuss mobile security and extrapolate what’s happening in that space to what’s happening, and about to happen, with IoT security. We touch on monitoring, general security, costs, and the bigger problem of security implementation on devices that until recently were used based on an “air of trust.”

April is our “Month of Preventing Surprises” and this podcast kicks off that topic for The SecurityNOW Show. How awkward would it be to move headlong into a large IoT implementation only to realize that someone has easily hacked your devices and siphoned off your data? Surprise!

Mobile security has come a long way in the past two years with the adoption of higher security measures from vendors and third parties, such as per-app VPN, two-factor authentication, and containerization. IoT vendors will have to step up and enable encryption, use multi-factor authentication, and wipe or brick devices that have been compromised or moved. The Internet of Things may very well be security’s biggest challenge yet, not only because of the sheer numbers of devices but also because of device diversity.

Preston, John, and I just touch the surface of these topics in this podcast but stay tuned for more from all three of us on IoT security.

Podcast details:

Length: 20:45 minutes. Format: MP3. Rating: G for all audiences.

Licensed CC BY (2017)

SecurityNOW’s Cybersecurity Tips of the Week – March 31, 2017

TipsPasswords, they used to say, are like toothbrushes–don’t share them and change them often. Indeed that rule is still true but security is more than just changing your passwords often and keeping them to yourself. Passwords, unfortunately, are our first line of defense in protecting our online accounts, our identities, and our transactions. Passwords should be as long and as complex as possible, which is why you should use a password manager such as LastPass. LastPass will generate a random, long, and complex password that you don’t have to remember because it remembers them for you. There’s only two things you have to remember when you use LastPass: logoff of LastPass before you leave your computer and the LastPass master password.

And since passwords aren’t your only defense in this cyber-connected and unsafe world, I’m providing a list of tips to help keep you safe and secure during your online excursions. Read and heed.

  1. Use the screen lock feature of your phones, tablets, and computers.
  2. Use a random non-guessable passcode for unlocking screens.
  3. Use a password manager.
  4. Use different passwords for each online account (saved in your password manager)
  5. Install all hardware and software updates as they’re presented.
  6. Only install apps from the app store and only those that have many good reviews.
  7. Turn off tracking from your apps.
  8. Use a VPN or your cellular network in public places.
  9. Keep phone conversations private.
  10. Perform online banking in private.
  11. Use two-factor authentication on social media and financial sites.
  12. Cover your device when entering passwords.

I know these are tips that you read and hear all the time but you need to remember them at all times. There is no trusted public environment and a secured WiFi connection is no guarantee of security. Anyone can setup a WiFi connection and supply a common password to it.

If you ever have questions about cybersecurity, use our contact page to ask your questions. We will reply.

Enterprise Security Trends with Absolute’s Richard Henderson (Podcast)

AbsolutePreston and I discussed security trends with Absolute‘s Global Security Strategist, Richard Henderson (@richsentme) on St. Patrick’s Day eve. Unfortunately, the whole thing took place via Skype rather than at Doolin’s. Hey, some people work for a living and can’t always get to the fun right away or even on the day after. 

Some of the topics covered by our broad swipe at enterprise security trends were two-factor authentication, advanced persistent threats, SSO, and insider threats. We also touched on Absolute’s strategy for protecting you, your applications, and your entire enterprise from security threats.

Richard is one of the best guests we’ve ever had on the show and we hope that he’ll return to discuss Absolute’s products in more depth and to discuss other timely security topics.

Podcast details:

Length: 23:46 minutes. Format: MP3. Rating: G for all audiences.

Remember, our podcasts are licensed CC BY.