March 2016
                         
Articles of Interest

Password Please

Everything from phone access to bank cards requires a password. Creating secure passwords seems daunting, but the alternative can be significant and costly. Popular personal email accounts face daily threats from hacking robots attempting to guess user accounts and passwords. When accounts are hacked, sensitive information linked to them, like bank accounts and personal information, can also be compromised.
 
Good password security is the best defense. Articles such as Worst Passwords of 2015 contain many of the same passwords year after year. While there is no "magic formula" for ensuring your password can never be hacked, most experts, including Microsoft and ConnectSafely, offer similar tips.
  • Make passwords longer. Many experts have increased the recommendation to 12 or 15 characters minimum.  Use a long phrase that is memorable such as "Ben and Jerry like to eat ice cream." 
  • Use a combination of letters, numbers and symbols. Experts recommend at least one each of upper case letters, lower case letters, numbers and symbols. For example, Ben&Jerryllk2e@t!cecreaM.
  • If offered, use Two Factor Authentication, which pairs your password with another key (e.g., a PIN sent by text to your cell phone) to confirm your identity. A thief would then need both your password and your cell phone in order to log on as you on a new device.
  • Do not use the same password for multiple sites. A password manager such as those recommended here can be a useful way to manage passwords. Many of these can be used with a smartphone. Note: Be sure to create a master password you can remember. Credible password managing programs will not provide an alternate way to reset or retrieve your password.
  • Do not ever provide your password to others or leave it written in a place where it can be found. Be wary of any requests for your password (such as phishing emails sending you to a site where you are asked to "log in").
  • Change your passwords often.
If you do find your account has been compromised, don't panic. As outlined in this article, most sites have resources in place to help you regain control of your account. If your hacked account contained sensitive information such as account numbers, bank information or social security numbers, you may need to take further action. The FBI offers good suggestions for preventing identity theft. You can also engage an identity protection service to monitor your accounts.

IoT Impact on Digital Forensics
by Patrick Logan
Seltek President and Certified Computer Examiner

The Internet of Things (IoT) is a system of interrelated computing devices and digital objects that are provided with unique identifiers and the ability to transfer data over a network without requiring direct communication between a person and computer.  The growing implementation of the IoT will result in the connection of tens of billions of wireless devices to the Internet. These devices will form an intelligent network that will impact all aspects of life. From intelligent home control to advanced city management systems, devices interconnect and communicate with each other. Individually and collectively, these devices produce, access and use large amounts of personal and sensitive data.  
 
Digital Forensics (formerly known as Computer Forensics) is the forensic science that comprises the recovery, investigation and interpretation of data found in digital devices and IoT. Detecting the presence of IoT activity can pose additional challenges to digital forensic investigations. The complexities and instabilities of the IoT add to these challenges. For example, data from a "thing" may be transferred and consumed by another "thing" or a local network of "things." Alternatively, it may have been transferred to the cloud for storage or processing. Analyses of data from an IoT environment must include the source of evidence in order to demonstrate the evidence is reliable and authentic.



Breaking Up Is Hard To Do
What To Do When An Employee Leaves
by Liz Calder
IT Support Specialist
 
Whether an employee is leaving amicably or being terminated, a security checklist protects the business from data theft and protects the departing employee from undue suspicion if data is compromised in the future.  During the stressful termination process, it is easy to overlook security measures your company should be taking. Creating a checklist helps ensure that vital steps do not get overlooked.  

Breaches can occur many years after an employee departs a company or completes a project. In Protecting Corporate Data, Esther Schindler points out some of the areas where corporate data is vulnerable after an employee leaves. She highlights areas where it was possible for her to access information or data for many years after an employee has departed a company or completed a project for a client. Sometimes a company's IT professional is not informed of a termination for many weeks, leaving data fully accessible to a disgruntled former employee. Leaving accounts open after an employee departs may also be a breach of your company's liability insurance contract or ethical responsibilities.
 
Most resources, including the American Bar Association, CCCure.org, and CSOonline.com, have similar advice regarding employee departures. While the similarities make it easy to formulate a checklist that works for your organization, it is important to remember that each company and each employee situation is unique. You should revise your checklist to meet the needs of your organization.
 
Employee Departure Checklist

Prior to Departure
  • Inform the IT professional of the departure as a first step.  Explain the terms of the departure to the IT professional so they have a full picture of what needs to be secured, when it should be secured and the tone of the departure. If it is a non-voluntary departure, provide as many details as possible so the IT professional can be on standby. 
  • Ask your IT professional and the employee's manager for a list of accounts and assets to which the employee has access. If possible, make certain the company will have access to these after the employee departs by having the employee transfer access or provide user names and passwords. Accounts can include both internal accounts, such as computer logins, application logins, remote access logins, and voicemail passwords, and external accounts, such as company bank accounts, marketing and social media accounts, and purchasing and vendor accounts. Ask follow-up questions for external accounts. Is the employee an authorized user on accounts? Is there another authorized user for companies such as utilities, phones, copiers and office suppliers?
  • Make a list of company digital assets such as smartphones, tablets, USB drives and laptops.
  • Consider whether or not there may be company data on employee-owned or controlled accounts and devices such as smartphones, laptops, and cloud drives.   
  • NOTE:  A signed and enforced Computer Use Policy and a BYOD Policy or Personal Device Policy can be helpful in protecting the company from liability and recovering data on personal devices.  
  • Determine whether the company will allow the employee to retain copies of data such as personal files, professional contacts, calendar or email.  If any logins will remain open, determine an expiration date and inform your IT professional.  
At Time of Departure
  • Remain with the departing employee until they leave the premises. This may not be necessary for voluntary departures; however, such a policy protects both the company and the employee from undue censure.
  • Remove the employee's digital access.  Keep the IT professional updated on the terms and timing of the departure.  It may be helpful to have an IT professional available to assist with questions and access.
  • If the company is allowing discretionary access to the employee after departure, provide the IT professional with the stored location of such information.  
  • Recover company-owned devices, bank cards and other access to company accounts.
  • Remove the employee's physical access to the company.  Recover keys and access cards and change access codes for the company building and parking. 
After Departure
  • Review the departure checklist and policies. Be certain that all access has been locked and that company devices, access and assets have been recovered.  
  • Remove incentive for any security breach.  Turn over to the employee any property or digital information the company has agreed to release.  
  • Notify the IT professional immediately if there is suspicion of missing data.  Promptly contacting the IT professional as soon as any problem arises increases the chances of quick and complete resolution.  


Seltek | 804-360-4490 x20 | http://www.seltekinc.com
8814 Fargo Road
Suite 201
Richmond, VA 23229