2/8/11

CISSP Obtained

It's been a while since I've connected with this blog, so I figure I should update it a bit. After roughly 8 months of study I tested for and obtained the CISSP certification. I view the certification as a rigorous process that covers many different facets of security. In my IT circle of friends I'm commonly asked about the exam's difficulty and what advice I could give anyone interested in taking the test. I offer the tips below, collected from both my own experience and the helpful advice of others. This will be a little more advanced than my previous postings, so I apologize if it goes over some people's heads. Stay tuned, I plan on getting back into the swing of things with regular security updates.

The Exam:

The single most important thing when taking this test is to be prepared. One of the first things I set out to do was figure out what made the exam tick, so here are the basic stats:

You are given six hours to complete the test; I clocked in at roughly four, with my brain feeling scrambled.
The test consists of 250 questions, 25 of which are unscored research items.
At the time I took the test it was a pencil-and-paper exam; you could not take it on a computer like most tech certs. So make sure you are accustomed to the old Scantron/test-book formula.
Six hours is a long time; you are allowed supervised breaks.
The test is proctored, so there will be a person in front of you most of the time and possibly people walking around answering questions and monitoring.

Tips: Make use of breaks. After I went through the test book the first time I was feeling a little nervous and antsy. I took a restroom break and it dramatically helped put me at ease. Within a few minutes my head was clear and ready to focus.

Eat a decent breakfast and try to get some sleep the night before. This is easier said than done when you are nervous about whether or not you've studied enough. The more rest you get and the better your breakfast, the longer your batteries will stay charged on test day.

Bring a snack. Although I didn't end up eating the one that I brought, it was nice to have it there just in case. If you are feeling run down and ready to bash your head on the table in frustration it's a good excuse to leave the test for a few minutes and refocus.

Network with people prior to the test start. Chances are you'll be early and surrounded by equally nervous/excited people, so use this time to meet others, find out what they do for a living, and share some of your study methods. Networking is huge in IT security, and often more important than the cert itself!

Bring three or four sharpened pencils and a large eraser, as well as a pencil sharpener. You will likely be given pencils to take the exam; as one fellow said as they were passing them out, "This is the most expensive pencil I've ever bought!" But just in case, it's good to be prepared. I went through two sharpened pencils while taking the exam. By the time you are done marking the test book and Scantron you might go through as many as three. The psychological impact here is that you've taken care of all the ancillary worries and are freed up completely to focus on the test. Don't forget your forms of ID and exam forms as well.

How to prepare for the exam:

This section is a bit subjective. We are all different learners, and what worked for me may not work for anyone else. I logged about eight months' worth of study time. Others bragged they prepared in only a few weeks. Don't let the length of prep time discourage you. Since this test is pricey, it's better to err on the side of caution. It's possible I could have passed with only four months of study. Given the test schedules in my area, I made good use of the time between when I scheduled and test day.

I recommend the following books:

Shon Harris' CISSP All-In-One
The Official ISC2 Guide to the CISSP CBK (2nd edition at the time of this writing)

Go with the most current versions of the books that you can. I read them cover to cover, and if you need a cure for insomnia look no further...

I can't recommend one book over another as I felt that both overlapped in some areas but they also worked together to fill in gaps. It's a small investment when you consider the price of the exam.

I didn't attend any bootcamps, nor did I do any video training. Both were out of my price range, as I personally funded my exam and self-study. If you have the cash to front for video courses, I'd say go for it; it can't hurt anything besides your pocketbook. I've used CBT Nuggets for Cisco training and was quite pleased with how their system was set up. I can't vouch specifically for their CISSP videos, but they do a good job. I've been told Shon Harris' videos are well done as well.

My personal feeling is to avoid bootcamps for this particular exam. There is just far too much material to cram into a few days. I have heard people touting success after doing self-study and then using a bootcamp as a refresher shortly before taking the exam. So if you are dead set on one, it works as a good complement. Just don't use it as your only course of study.

Know the domains! No matter which method of study you use, learn the domains like you've learned the OSI Networking model. It's so important I'm going to list them below.

Access Control
Application Development Security
Business Continuity and Disaster Recovery
Cryptography
Information Security Governance and Risk Management
Legal, Regulations, Investigation, and Compliance
Operations Security
Physical (Environmental) Security
Security Architecture and Design
Telecommunications and Network Security

Once you are armed with the CBK (Common Body of Knowledge) domains and have read through the above books, you can start to speed up your study methods.

Hit up http://www.cccure.org/ and invest in their practice tests. I was lucky, as back when I studied their practice test engine was free. It's a decent set-up, with test questions written by the community to test your understanding of the CBK. This isn't an "actual test" engine; using a dump of real exam questions would invalidate your certification. Their forums are fantastic for answering questions and are a wealth of knowledge in and of themselves.

The practice tests are set up so you can pick which domains and how many questions you want. The important aspect is they break down your correct/incorrect answers within each domain. Weak in Operations Security? Hit the books and study a little more, then take a new test to see how much you've improved.

Be mentally prepared for the wait:

After you take the test, do you think the worst is behind you? Unlike computer-based exams, there's a wait of up to three months before you get your results back. If I remember correctly it took them six weeks to email me my test results. The wait is brutal: do you study in case you failed? Do you relax since you were so stressed out over the ordeal? Did they lose my answer sheet? The wait was the worst for me, and I found myself checking my email constantly. Don't be me. Try your best to forget about it, and enjoy the results.

Nothing beats that moment when you read the email that says you have passed. I'll probably remember it the rest of my life, and strangely it had a much more emotional effect on me than getting my Master's.

But you're not done yet:

The next part can be difficult or easy depending on whether you know a CISSP. You now must find a CISSP to vouch for you, review your resume, and validate that you have five years' worth of full-time security experience in at least two of the ten domains. Chances are if you've been in the industry for five years this won't be a problem. If you don't have five years, you can still qualify as an Associate of ISC2 until you reach the five-year mark. The entire process is pretty painless, but it will take a few more weeks before you can send off for your certification.

Good luck everyone, it's a long but worthwhile journey!

7/17/09

Congrats to me!

After two years of studying through lunches and weekend/evening schoolwork, I have completed my Master's degree program in Cybersecurity.

I thought I would take this time to reflect on what the college did right and what they did wrong as far as presentation. Being in the security field, I wasn't interested in a typical MIS or MBA. I wanted something relevant to my field, instructed by people who worked in the industry. One of the difficult aspects of computer and network security, a profession in its infancy, is the lack of precise standards. In other professions you know your role: in accounting you have to balance, in engineering you develop and simplify, and mathematicians formulate and solve complex problems. Security is akin to MacGyver defeating terrorists with a shoelace, gum, lye, and an oscillating fan.

I was pretty surprised to find degrees focused on security. There's a simple reason for this: technology is constantly changing. New vulnerabilities are discovered hourly, and often it wouldn't make much sense to base a curriculum on the ever-changing world of security. If that were completely the case, however, all IT degrees would be worthless. We would have to prove our industry knowledge through certifications only, and reserve degrees for historians or other static professions.

I attempted to see what Sac State and Chico had to offer in the way of security degrees. The only programs I found at the time were generalized. My next step was to check for distance education. Holding a degree from University of Phoenix, I'm no stranger to distance-based education, nor to the stigma of being a distance education degree holder. I've always been into the current and developing methods of technological delivery, including social networks. (My original ICQ number was in the thousands.) I attended one of the first online courses that Phoenix had to offer, and determined two things that made me successful with this type of education.

1. You get out of the degree what you put into it. Yes, I found ways that I could be a completely lazy student and still manage to pass. However, this is no different than when I went to junior college. I could immediately tell the difference between students who were interested in learning to succeed in life and those doing the bare minimum just to pass. On one hand, I was frustrated to know that people carrying the same degree as I hadn't put in the type of effort it should take to carry the degree. On the other hand, I reported the shortcomings to the program directors, and often they would respond immediately with their thanks and change the systems. I've tried this in the past with brick and mortar schools; the best I could get was to talk to a secretary who put my ideas on a post-it and conveniently filed it in the trash can as soon as I was out the door.

2. I paralleled my education with work experience. The biggest benefit I received from distance education was the ability to work full-time in career positions while attending school. I was able to apply what I learned in class to my job, and it further solidified my education. I was living what most people only learned about in classrooms, and had more on-the-job engineering experience than most engineers get in years of college.

So what did University of Virginia do right? Study materials were included with tuition. Often it is a nightmare to figure out the real expense of college. All of my materials and outside references were an expense above and beyond tuition, which makes it extremely hard to budget. Back when I attended law school, I paid a huge tuition and then even more money for books. VCO provided all books and online services as part of tuition.

A few gem classes, a few gem instructors. One thing that caught my eye about VCO was that the instructors had real-world experience and weren't just career professors. I had hoped there would be more people from government agencies, because unfortunately it appeared that most of the instructors were experienced only with private entities.

Pretty consistent curriculum. The curriculum paralleled the CBK, aka the 10 domains of the CISSP certification exam. There were some interesting courses thrown in, such as Criminal Law and profiling, so it wasn't completely technical. I enjoyed these out-of-bounds courses, and they helped give me a broad view of many aspects of professional security.

What VCO did wrong:

For roughly 75% of the courses I had the same instructor. This concerned me because I know that in security you cannot possibly be an expert in everything. It was apparent in a few of these classes that the instructor knew quite a bit for one class but was merely a facilitator for others. Having a different, experienced instructor for each course would have made me feel better about the quality of learning I received. The experience wasn't as negative as it seems; whenever I had a complex question, the Internet was at my fingertips. One of the things about a Master's program is that by now people should be educated enough to do their own research and come to their own conclusions. Back to rule 1 above: you get what you put in.

Interactive training was reserved for my last class. There were no network simulators, we weren't exposed to vulnerability assessment tools, and there were no labs. For classes like forensics, this type of hands-on approach is the difference between someone with real experience and someone with book smarts. Thankfully I was already a security specialist and could apply what I learned at work. But for others, this might be a big con.

The community within VCO was pretty bland. You would expect people pursuing a Master's degree to be fairly animated about their courses. For every one person who would participate in discussions, there were seven who had horrendous spelling, posted one-liners, or added suggestions that were completely impractical and against best practices. I labeled these people as those who just don't get "IT". I am glad that I put effort into my discussions and work, even though it seemed like much of it went over people's heads or unacknowledged.

I am glad that I went through the course, and will hang my degree proudly on my wall. It was a good experience for the most part, and I'm better for having gone through it. So I pat myself on the back, and look forward to keeping networks secure for our future.

4/30/09

Scam Alert - Swine Flu

Leave it to scammers to pick up on the latest disaster to incite fear among people. As a courtesy to Bad Astronomy I will upload the image here that he has on his site. Please send word to everyone: there is no homeopathic cure for swine flu!

3/23/09

Fake text messages

If you've begun to understand the world of the smartphone, some of its features may often go overlooked depending on what type of phone user you are. These days phones come equipped with SMS, which stands for Short Message Service, otherwise known as "texting" or text messages. Since I personally own an iPhone, it's not often I'll find myself using SMS. It's just one of those features I'm not that into, since I can usually communicate with my friends via instant messaging. So I was surprised when I received a cryptic text message from AT&T about account information.

I found out later that the text was a scam to try and get people to respond and provide personal information. Whenever you get something out of the ordinary, never go with your first impulse to respond and provide more info. Instead, contact your cell phone carrier directly and question them about it. It is important that you use a number from your billing statement, not any contact information provided in the message itself. There is just no telling whether that information is accurate.

3/11/09

Falling behind in cyber warfare

I came across an interesting article today: The Battle Over Cybersecurity

It talks about the arguments that the NSA and the Department of Homeland Security have about who should take on cybersecurity. The term cybersecurity is an interesting one, and as discussed in the article it really deals with protecting against cyber-terrorism. There are currently organized crime rings in China and Russia dedicated to taking down America's financial sense of well-being by attacking various points of interest that we've come to rely on now that our monetary system is virtually paperless. Sadly these two countries are leaps and bounds ahead of us when it comes to experience and methods of intrusion.

The major problem we currently have is a resource problem. Investigations are being processed by local, state, and federal agencies. The problem for local agencies is that often these crimes are committed by people overseas using compromised systems as hosts. Everyone out there who has malware installed on their computer has directly contributed to terrorism. On a federal level, the agencies continue to fight for jurisdiction, and each may hold a piece of the puzzle without communicating with other levels. This is a huge weakness within the system. The less people communicate, the easier it is for criminal computer hackers to get away with their activities. The crime rings are organized and often have the backing of the government that protects them; in order to succeed in security we too must be organized and cooperative across all agencies, from the local police who may not have the technology resources to conduct proper forensics all the way up to the FBI/NSA/DHS/DoD.

If we know it: Government Needs to Get Its Cybersecurity in Gear

The criminals definitely know it.

1/27/09

How not to lose your shirt on craigslist (Unless you're selling it)

With these hard economic times it makes sense that more people are looking to sell items on Craigslist or other online yard-sale or auction sites. For the most part you are safe so long as you observe a few of the following safety tips.

A person may try to contact you with the following scam: "Hey, I noticed you are selling yyyy item. The crazy thing is that I have a cashier's check, but it's $100 more than what you're asking. If you're willing to cash the check and give me the remaining amount, I would be glad to buy your item."

The cashier's check is counterfeit, and by the time the bank figures this out and reverses the deposit, you are out the item you were selling and the $100 in change you handed to the scammer.

Tip: When selling on Craigslist or through other classified advertisements, deal in cash only unless it is someone you absolutely trust. Cashier's checks cost about $2-$5, so there's no reason a person could not cut a check for the exact amount. Even then, you should wait for the check to clear (up to three weeks) before handing your item over to the buyer. Cash is always better.

eBay: a few days before your auction ends you receive an email: "I will be willing to pay you double what you are asking if you close the auction and use a different pay site to purchase your item." This can also work in reverse, where you bid on an item and the seller offers to end the auction early if you use a different pay site. PayPal insures your purchases against fraud; if you use a different payment site you could very well be out your item and your money.

Tip: Always pay or collect payment via trusted and guaranteed methods. Check your credit card terms to see how much they restore if you are the target of fraud. The major credit card companies give 100% back, with a few conditions. If you pay with a regular debit card, you may lose out. If you fear you are the target of a fraudulent purchase, don't hesitate to contact your credit card company. The sooner you catch it, the faster the process goes. I've personally been through the process three times.

Yet another Phishing alert

NCUA brings us news that there are scammers out there trying to take advantage of instability concerns about the Federal Reserve (PDF). Ignore any NCUA/Fed official-looking letters; they apparently contain links that will attempt to install malware on your system. Remember to share this information with your friends.

1/26/09

Social engineering attacks in full-force 2009

2009 may very well become known as the year of fraud. Within only the last month we've watched big-name Twitter accounts get compromised, a worm outbreak, and any number of phishing attempts.

I say this not to scare you, just to recommend that everyone keep their SINRR tuned up and ready.

How do you prevent these recent attacks?

Knowledge is power. Make sure that your systems have the latest updates to close the vulnerabilities worms exploit. I know this isn't a catch-all, but you'd be surprised how much damage control this helps with when a new worm springs up.

Keep an ear on various news sites. I personally go to about three or four consumer-related security sites on a weekly basis. I was alerted to the NCUA scam by a co-worker, and from time to time I pass important information to colleagues just to keep them in the know.

If you click a link and it asks you to log in, double-check the address at the top of your browser. Phishing starts with redirecting your personal information to a place you don't want it to go. Always double-check your URLs to make sure you aren't somewhere other than where you expect to be, especially if you've already logged in and are once again being asked for a password.
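The URL check above can be automated, which also shows why eyeballing the address is harder than it sounds. The following is an added example, not code from the original post: it pulls every link out of a constructed phishing message and compares where each one really points against the bank's real domain. examplebank.com stands in for the reader's bank and every other hostname is made up; the same check applies to the con walked through in the "30 Minute Security -- Phishing" post below.

```python
"""Check where the links in an e-mail really point.

Added example, not from the original post. The message below is constructed,
and examplebank.com stands in for the reader's real bank.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the real bank uses. Assumption for the example: substitute your own,
# taken from the back of your card or your statement, never from the e-mail.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed phishing message. Each link shows a different redirection trick.
SAMPLE_EMAIL = """
<p>IMPORTANT NOTICE ABOUT YOUR ACCOUNT!</p>
<p>Please <a href="http://examplebank.com.account-verify.test/login">log in</a> to restore access.</p>
<p>Or visit <a href="https://secure-examplebank.test/">https://www.examplebank.com/</a></p>
<p>Mobile users: <a href="http://examplebank.com@203.0.113.7/">examplebank.com</a></p>
<p>Questions? <a href="https://www.examplebank.com/contact">Contact us</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url):
    """Lowercase hostname of an http(s) URL, or None for anything else.

    urlsplit() takes the host from after the last '@', so a URL such as
    http://examplebank.com@203.0.113.7/ correctly resolves to the IP address.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return (parts.hostname or "").lower() or None


def belongs_to(hostname, trusted):
    """True only for the trusted domain itself or a real subdomain of it.

    examplebank.com.account-verify.test does not match: the trusted name must
    be the suffix of the host, not merely appear somewhere inside it.
    """
    return any(hostname == d or hostname.endswith("." + d) for d in trusted)


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return 'ok' or a one-line reason the link should not be followed."""
    host = hostname_of(href)
    if host is None:
        return "not an http(s) link"
    # Visible text that looks like a URL must agree with the real destination.
    shown = hostname_of(text) if "://" in text else None
    if shown is not None and shown != host:
        return f"text shows {shown} but link goes to {host}"
    if not belongs_to(host, trusted):
        return f"destination {host} is not {', '.join(sorted(trusted))}"
    return "ok"


def check_email(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, text, verdict)] for every link in the message."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(h, t, classify_link(h, t, trusted)) for h, t in extractor.links]


if __name__ == "__main__":
    for href, text, verdict in check_email(SAMPLE_EMAIL):
        print(f"{verdict:70} <- {text!r} -> {href}")
```

Three of the four links fail for three different reasons: the real domain used as a prefix of a longer hostname, link text that shows one address while the href goes somewhere else, and a username-looking "examplebank.com@" in front of a bare IP address. Only the suffix comparison in belongs_to() is trustworthy; a substring search for the bank's name would have passed the first link.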

When in doubt, don't give your information out. Ask yourself whether or not convenience is worth the time and expense it takes to recover your identity.

1/21/09

Large scale credit card attack exposed

As many of you may have heard by now, Heartland Payment Systems has announced that it was the target of an attack in 2008. What does this really mean to a regular person? A payment processor is a company that works as a middleman between credit card transactions and financial institutions. When you swipe your card at a restaurant it likely goes through a third-party validation process before Visa or the debit card companies collect the money from your account for the transaction. It is basically the person who says "Hi there, this person wants to give money for this item/service, let's make a deal!" What that also means is that a large volume of credit card information gets sent to Heartland's servers for processing.

Software targeted specifically to lift magnetic-stripe data made its way onto their transaction servers and began sending this data to a third party. Because proper detection and reporting mechanisms weren't in place, the company had no idea this information was being beamed to another location. As such, it is estimated that 100 million transactions have been lifted. This is quite a bit more than the estimated 94 million accounts compromised at TJX.

Should you be worried? Luckily, track data on credit cards doesn't give out much information. Really the only things on your magnetic stripe are the account number, expiration date, cardholder name, and a few other fields processors need to create a transaction. Essentially the thieves can duplicate your credit card. What they don't have is your PIN, the verification code printed on the back of the card, or any personal information beyond your name and possibly your address.
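To make concrete what a skimmer does and does not get, here is an added example, not from the original post, that parses the two magnetic-stripe track formats (ISO/IEC 7813) from constructed records built on the well-known 4111 1111 1111 1111 test number. The cardholder name and expiry are made up. Notice which fields exist at all: there is no slot for a PIN or for the verification code printed on the back of the card.

```python
"""Parse magnetic-stripe track data (ISO/IEC 7813) to see what a skimmer gets.

Added example, not from the original post. The records below are constructed
around the well-known 4111 1111 1111 1111 test number; name and expiry are made up.
"""
import re

# Track 1: %B <PAN> ^ <NAME> ^ <YYMM> <3-digit service code> <discretionary> ?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<service>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ; <PAN> = <YYMM> <3-digit service code> <discretionary> ?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<service>\d{3})(?P<disc>[^?]*)\?$"
)

# Third digit of the service code: what the card may be used for and whether
# the terminal must ask for a PIN (ISO/IEC 7813).
SERVICE_DIGIT3 = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, prompt for PIN if PIN pad present",
    "7": "goods and services only, prompt for PIN if PIN pad present",
}

# Constructed sample records for the same (test) card.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^2512101000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=2512101000000000?"


def luhn_valid(pan):
    """Luhn check-digit test that every PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six (issuer) and last four digits, as receipts do."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(data):
    """Return the fields a skimmer actually captures from one track.

    Raises ValueError if the record is malformed or the PAN fails Luhn.
    """
    for track, pattern in (("1", TRACK1_RE), ("2", TRACK2_RE)):
        m = pattern.match(data)
        if not m:
            continue
        f = m.groupdict()
        if not luhn_valid(f["pan"]):
            raise ValueError("PAN fails Luhn check")
        record = {
            "track": track,
            "pan_masked": mask_pan(f["pan"]),
            "expires": f"{f['exp'][2:]}/20{f['exp'][:2]}",  # YYMM -> MM/20YY
            "service_code": f["service"],
            "pin_rule": SERVICE_DIGIT3.get(f["service"][2], "reserved"),
            # Issuer-defined data (PIN verification value, CVV1 and the like).
            # The CVV2 printed on the back of the card and the PIN itself are
            # never encoded on the stripe, so there is no field for them here.
            "discretionary": f["disc"],
        }
        if "name" in f:  # track 2 carries no cardholder name
            record["name"] = f["name"].strip()
        return record
    raise ValueError("not a recognised track 1 or track 2 record")


def is_valid_track(data):
    """True if parse_track() accepts the record, False otherwise."""
    try:
        parse_track(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for rec in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        print(parse_track(rec))
```

With a service code of 101 the clone can be swiped at a terminal with no PIN prompt, which is why a replacement card number, not a new PIN, is the fix the post goes on to describe.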

Your course of action? Watch your statements closely on all of your credit/debit cards. If you see transactions you didn't authorize, call your bank/credit card company and have them freeze your account immediately. If a transaction from your card number was logged, Heartland is likely notifying your issuer and you may see a replacement card in the near future.

Often these card numbers are sold, and it could be months before someone even attempts to pull money from the account. A new card issued to you will remedy the situation.

1/6/09

30 Minute Security -- Phishing

Phishing has been around for quite some time now. I don't have a lead on the early history of phishing, but academically I'm sure I'll learn where it originated, just to have an anecdote to talk about in class. Phishing, in its simplest form, is social engineering paired with technology.

The Con:

It's 7:30am and you log on to your email for the first time in the morning. Your head is fuzzy from all the partying you did the night before, and the screen comes to you in a blur. You see a new e-mail from your bank marked urgent, in all caps: IMPORTANT NOTICE ABOUT YOUR ACCOUNT! This very authentic-looking email notifies you that your bank has closed your account due to a security incident. You are shocked and immediately click the link or call the number. You are so distraught about your account (I have to go grocery shopping, I need the co-pay for my medical today, I have bills to pay!) that you don't notice that the redirected web page takes you to an unrelated site, or the shady foreign accent you hear over the phone (most call centers are outsourced anyway, right?). In order to "authenticate" you, they ask for your SSN, address, mother's maiden name, credit card number, PIN, and the ID number from the back of your card.

"Thank you sir, your account has been reactivated." is all you hear, or when you click submit on the page, perhaps you get a 404 Not Found error. You've just had your identity stolen.

How it works:

This type of social engineering attempt plays on your fear of change and your hectic lifestyle. There is nothing more inconvenient than all your finances screeching to a halt and not having access to your money. This is exactly the atmosphere the fraudster wants to create. You bypass some level of logic when you are in panic mode, and don't stop to verify the telephone number or web site address before entering your information in order to get your money back.

How to fight this con:

When you see an e-mail message that disturbs you to this extent, sit back from your computer and first take a deep breath. The important part of determining whether an email is legitimate is taking a few steps before acting on instinct.

Step 1: Is it even a bank you have an account with? Phishers send a mass email to a list of addresses they've harvested online. Many of these e-mails tend to target public entities because employee email addresses are posted on their public web sites. If your address exists somewhere on the WWW, it's safe to say it will be harvested and you will be targeted by emails like these until the end of time. If it's not even a bank you have an account with, that's the first clue that the email is a scam.

Step 2: If it is your bank, ask yourself why an e-mail was their first communication to you. Something as serious as an account closure will usually warrant a phone call or a letter via postal service, and possibly not even a notification until you use your card, find it declined, and are forced to contact the bank on your own. You should never call numbers or click links provided in emails that ask for personal information. Instead use the 1-800 number on the back of your card, or the contact information provided by the bank when you opened your account.

Step 3: Don't give out all your information unless you are positive you are talking to the correct people. All companies will have to verify that you are who you say you are, but usually they won't ask you for super-sensitive information. Perhaps the last four digits of your Social Security number, or the secret questions you set up when you created your account. One good verification question is how much you paid on your last monthly statement. A legitimate company should never ask you for all of your information at once.

The big thing in this situation is not to act on impulse. Step back from the situation and ask yourself how you can shape it to what feels comfortable to you.