Preventing Fraud from Top to Bottom | Information Security Summit 2014

An estimated 5% of annual corporate revenues are lost each year to fraud, part of it computer fraud. Protection against this threat requires a strong, proactive, comprehensive, entity-wide set of policies, procedures and controls. Anti-fraud measures should include strong manual and automated controls that are designed, implemented, tested and monitored to prevent and detect fraud on a timely basis. This presentation aims to explain how organizations can integrate anti-fraud initiatives into their daily activities to:

  • Develop a system of manual and automated, preventative and detective anti-fraud internal controls
  • Proactively monitor, identify, assess and manage fraud risks
  • Create an anti-fraud culture and fraud awareness program
  • Respond to incidents involving fraud

Is staying safe online possible?

I was asked a question on Twitter today. The question was, "Is staying safe online possible?" This is a great question because I increasingly see a sense of apathy in users due to the frequent threats to online safety that are reported. They ask questions such as "If big companies can't protect themselves, what chance do I have?" or "If identity theft is inevitable, what is the point of protecting oneself?" Let's look at the question in an Aristotelian manner. We first must establish what staying safe is. Let's start with this definition:

Being safe online is having the knowledge, ability and opportunity to utilize the Internet and Internet-based resources without subjecting oneself to harm*

Having the knowledge, ability and opportunity to utilize the Internet and Internet-based resources without subjecting oneself or others to harm*

*Harm is described here as the following:

  • Unauthorized disclosure of personal or sensitive information
  • Identity theft
  • Misuse of computing resources due to unauthorized access or presence of malicious code
  • Persuasion or coercion to perform actions due to misrepresentation or incorrect facts presented in phishing emails

With this definition in hand, I can now consider whether this is possible. First, this definition means that no harm, as described above, would come to the individual despite the frequency of use as long as they utilized sufficient knowledge, ability and opportunity. I believe this is false. Even those equipped with sufficient knowledge, ability and opportunity will eventually come to some harm in utilizing the Internet and Internet-based resources. So, what if I revise my definition to this?

Being safe online is having the knowledge, ability and opportunity to minimize the harm* and frequency of harm caused due to the use of the Internet and Internet-based resources.

This definition allows for someone to be safe online but still have harm occasionally occur. However, in such occurrences, the damage done would be minimized. For example, if personal information was disclosed, the individual would be able to recognize that disclosure quickly and work with the persons and companies involved to limit the value of the disclosed information, restrict a malicious user's ability to employ it, and reduce the damage incurred through its use. More specifically, if a person entered a username and password on a fake web site, they would realize their mistake and change their password on the legitimate site before an attacker had the chance to use their credentials. They would also use different credentials for other sites, so the information gained would have no value if tried against other Internet services.

Using this definition, I believe I can say that it is possible to stay safe online. However, possibility is not probability. Those who would be safe under this definition must have the knowledge, ability and opportunity. If the majority of people using the Internet do not have these, then the majority of users are not safe. Our logical next step, therefore, is to educate users to give them the knowledge and ability, and to make the technology and environment that provide the opportunity available to the majority of users.

For more information:

The Human Side of IT Security

Organizational Security Culture

Securing the Network against Inevitable Human Slipups

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don't necessarily represent Dell's positions or strategies.

Virtual Machine Parent Child Relationships

A coworker ran into a problem the other day that I wanted to highlight for those who may run into this. First off, never, ever resize a VHD that has snapshots on it. Snapshots are child objects of a VHD: they record changes to specific locations in the parent. When you resize a parent VHD, the children's references into it become incorrect, and this needs to be corrected.

You can fix the problem with VHDtool.exe. The program is a bit hard to find now, but once you find it, the process is quite straightforward.
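Better than repairing the chain afterwards is refusing the resize while children still exist. The following pre-flight check is an added example, not code from the original post or from VHDtool; it assumes the Hyper-V PowerShell module, and the VM name and paths are placeholders.

```powershell
# Added example: refuse to run Resize-VHD on a Hyper-V VHD/VHDX that still has
# checkpoints or dependent differencing disks. VM name and paths are placeholders.
param(
    [string]$VMName  = 'ExampleVM',                  # placeholder
    [string]$VhdPath = 'D:\VMs\ExampleVM\disk.vhdx',  # placeholder
    [uint64]$NewSize = 200GB
)

# 1. Any checkpoint on the VM means .avhd/.avhdx children exist in the chain.
$snapshots = Get-VMSnapshot -VMName $VMName -ErrorAction SilentlyContinue
if ($snapshots) {
    throw "VM '$VMName' has $(@($snapshots).Count) checkpoint(s); merge or delete them before resizing."
}

# 2. Independently scan the disk's folder for differencing disks whose ParentPath
#    is this file. A child's ParentPath names the disk whose layout it depends on,
#    so resizing that parent is exactly what breaks the child's references.
$folder   = Split-Path -Path $VhdPath -Parent
$children = Get-ChildItem -Path $folder -Include *.avhd,*.avhdx,*.vhd,*.vhdx -Recurse -File |
    ForEach-Object { Get-VHD -Path $_.FullName -ErrorAction SilentlyContinue } |
    Where-Object { $_.VhdType -eq 'Differencing' -and $_.ParentPath -ieq $VhdPath }
if ($children) {
    $children | ForEach-Object { Write-Warning "Dependent child disk: $($_.Path)" }
    throw "'$VhdPath' is the parent of $(@($children).Count) differencing disk(s); resizing would break them."
}

# 3. Conservative: only resize with the VM powered off so nothing writes during the change.
$vm = Get-VM -Name $VMName -ErrorAction SilentlyContinue
if ($vm -and $vm.State -ne 'Off') {
    throw "VM '$VMName' is $($vm.State); shut it down before resizing."
}

# All checks passed: resize and show the result.
Resize-VHD -Path $VhdPath -SizeBytes $NewSize
Get-VHD -Path $VhdPath | Select-Object Path, VhdType, Size, ParentPath
```

Step 2 is deliberately separate from step 1 so that orphaned differencing disks left behind by a deleted VM are caught as well.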

Cyber safety at St. Mark Lutheran

Gail Larrow invited me to speak at St. Mark Lutheran school on cyber safety. It was a pleasure to speak to the students there and to find out how they are using technology. Honestly, I didn't even recognize some of the technology they mentioned. However, I was able to offer them a lot of information on how to protect themselves online. Here is a copy of the presentation.

Security Awareness: 360 empowerment for cyber defense

A few days ago, I delivered a training session on security awareness. The employees who attended the training discussed quite a few items that they will bring back to their management, which I hope will inspire some culture change and a different view of information security. Here is the presentation if you would like to view it.