10 Tips To Avoid Being The Next Miami Hacker Victim
In what security experts say is the largest hacking and identity theft case ever prosecuted, Albert Gonzalez, a 28-year old hacker from Miami, and two other Russian co-conspirators were indicted in New Jersey Monday for the theft of more than 170 million credit and debit card numbers in numerous high profile data heists that included high profile attacks on TJX, Hannaford Brothers, 7-11 and credit card processor Heartland Payment Systems.
With 45 million hacked TJX accounts, almost 100 million accounts exposed at Heartland Payment Systems, and tens of millions of other accounts compromised in breaches, the Miami hacker has affected a great number of U.S. consumers.
But while Gonzalez is safely behind bars, security experts contend that other hackers deploying similar attacks are sure to follow, which doesn't bode well for the average user. So how can organizations and users protect themselves? There are a few ways:
1: Beef Up Security On Desktops/Laptops
Hackers are cutting right to the chase and writing malware specifically designed to capture credit card numbers, banking information, user names and passwords. "The hacker community is making it easier on themselves to identity the bigger targets instead of having to go through every account they come across," said David Sockol, president of eMagined Security based in Santa Clara, Calif.
Consequently, protecting computers means keeping them updated with not just the latest antivirus, but also anti-malware protection.
"This stuff is actually more valuable than credit card numbers," said David Perry, director of global education for security company Trend Micro. "That's one of the reasons we're seeing so many raids. They're looking for your grandmother's maiden name. There are actually people sifting through all that information."
2: Strengthen Network Configuration
"A lot of companies pay lots of attention to their borders," said Bill Calderwood, president and CEO of the Root Group, based in Boulder, Colo, in an e-mail. "That certainly can't be neglected, but the stuff that is probably a lot more frightening and deserves a lot more attention than it gets is when hacks get physical access to your facility. This is why network configuration is so vitally important, and it's constantly overlooked."
Calderwood recommended putting servers on a different subnet from their workstations, keeping routing protocols hidden from anything visible from the workstation, and maintaining user accounts so that only authenticated employees have access.
3: Maintain Physical Security
This can be as low tech as making sure that employee security badges are current, security cameras are working, and employees don't leave passwords and company data in plain sight. It also requires companies to have stringent security policies regarding mobile devices, such as Blackberrys, as well as laptops -- any piece of equipment that leaves the building at the end of the day.
"The big high-profile exploits are often made possible by some low-tech entry point into the organization, and the only way to close that entry point is often low-tech as well and easy to overlook," Calderwood said.
4: Maintain PCI Compliance
Security partners say that organizations should take the Payment Card Industry security guidelines to heart and apply them in a concerted effort to be secure, rather than check a box. It might require more effort, and in some cases, additional expense. However, the 12 PCI compliance guidelines are crafted so that, when implemented in full, they can drastically reduce an organization's chances of becoming the victim of a data breach or malware attack.
"Efforts should be made to utilize best security practices, rather than the minimum to pass an audit," Sockol said.
5: Apply Defense In Depth
In order to ensure protection against attack, security partners advise that organizations to layer security products instead of relying on a single source. For example, couple antivirus and basic firewall with URL filtering, e-mail security and intrusion prevention. Apply the latest security patches and keep abreast of software updates. Taking these kinds of precautions might not completely prevent an attack, but it sure puts the odds in your favor, experts say.
6: Conduct Ethical Hacking Assessments
Too often organizations have vulnerabilities where they don't even know they had data. By conducting ethical hacking assessments, organizations are able to find the security holes in their network and source codes -- and subsequently patch them -- before the criminals do.
On the Consumer Side, users should:
7: Regularly Check Credit Card Statements
Look for anything suspicious. And it doesn't have to be big. Hackers all too often believe in the "death by a thousand cuts" theory-- stealing millions of dollars by siphoning a few dollars here and there from thousands or millions of users, experts say. It adds up over time.
8. Be Wary Of Social Networks
Security experts say that hackers are increasingly looking for identifying information, which has facilitated a rash of social networking attacks on sites like Twitter and Facebook. Security experts contend that personally identifying information has become more valuable in recent years because it so often provides access to so many other accounts.
9: Be Aware When Surfing The Web
Is it a trusted site? Does it request credit card or identifying information? If so, does it have that padlock symbol in the bottom right hand corner? These are things that users need to keep in the back of their minds when submitting financial or personally identifying information online. And, of course, users should avoid clicking on links sent from unknown sources via e-mails, even if the URL looks legitimate.
10: Hold Merchants Accountable
In short, partners say users should avoid doing business with organizations reputed to have security flaws or known security breaches. Those businesses will eventually get the message, and be forced to enhance their security infrastructure as a result. And that benefits everyone.