Jim Bagley is an expert on security. He asked me to throw in my two cents… I have a lot of respect for him. I have a few thoughts on what is going on these days regarding protecting a business:
1. Distrust everything until it can be proven. This especially applies to the client side software (browsers) and the fact that the layman IT security expert may not be up to date on the latest exposures.
2. Spoofing is almost archaic as companies like Skype can give you a number that appears to emanate (if you choose the caller id option) from anywhere.
3. Voice distortion software (albeit hard to find for Skype) can give you a decent ‘other’ accent and thereby obfuscate your tone if you are speaking to someone who knows you.
4. Never store PII unless absolutely necessary. And check to make sure the accounting department does not have spreadsheet files with backup CCNs, DOB, SSNs, CVV (for heaven's sake) and other info.
5. Do not make any assumptions except for this one: assume you are being unethically hacked. Why? Because of ISIS and other emerging endeavors, increasingly aggressive organizations and countries.
6. Look out for slightly misspelled domain names that purport to come from your HR department. Clicking these links, now more than ever, can lead to malware being downloaded to your device.
7. Strangely enough, two days ago I came across the LinkedIn page of a professed IT security professional. He has his actual birth date listed! If you have to say how old you are, use January 1st unless you were really born on that date.
8. Check (if available) your code base for any signs of Chinese code or the usual suspects (the axis of evil).
9. Think about time zones and languages if you come across arbitrary code and/or attacks on your system. This speaks to basic forensics.
10. Use common sense. If you have proprietary data like sensitive information, code, CCN/DOB, and of course a reputation to protect, do not let it hang out there. By this I mean do not store it, or store it where it has no access to the Internet at all. It is pretty risky otherwise. If you disagree, let me provide you multiple examples from 2014 and 2015.
11. Optional in my opinion, but if contacted by a government organization, ask for a supervisor. A second person lessens the chances that you are being tricked. Enough said.
12. Again, do not trust anybody that you do not know. Trust is earned, not asked for. When it comes to IT security, social engineering, or someone simply trying to break into a company, vigilance is completely necessary.
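Item 4 above asks you to check whether the accounting department is sitting on spreadsheets full of card numbers, SSNs and CVVs. The following is an added example of how to do that check, written for this post and not code from its author: it scans an exported CSV for card-number candidates (validated with the Luhn check so random digit strings are not flagged), plausibly formatted SSNs, and column headers that should never exist in a finance export. The sample sheet and the header list are constructed for the example; the values are test data, not real records.

```python
"""Scan exported spreadsheet text for stored payment and identity data."""
import re
from dataclasses import dataclass

# Constructed sample export (test values only). 4111... is the Luhn-valid test
# card number; 1234...5678 fails Luhn; 000-12-3456 is an invalid SSN area.
SAMPLE_SHEET = """customer,card,cvv,ssn,dob
Jane Doe,4111 1111 1111 1111,123,123-45-6789,1980-03-04
John Roe,1234567812345678,456,000-12-3456,1975-07-19
Invoice 9876543210,n/a,,n/a,n/a
"""

# Card candidates: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Column names that have no business in an accounting export (constructed list).
SENSITIVE_HEADERS = {"cvv", "cvc", "cvv2", "ssn", "dob", "card", "ccn", "pan"}


@dataclass
class Finding:
    line: int      # 1-based line number in the sheet
    kind: str      # "header", "card" or "ssn"
    masked: str    # header name, or value with all but the last 4 chars masked


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings that can never be issued."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself is not a leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_for_pii(text: str) -> list[Finding]:
    """Return header, card and SSN findings for a CSV-like export."""
    findings: list[Finding] = []
    lines = text.splitlines()
    if lines:
        headers = {h.strip().lower() for h in lines[0].split(",")}
        for name in sorted(headers & SENSITIVE_HEADERS):
            findings.append(Finding(1, "header", name))
    for n, line in enumerate(lines, start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding(n, "card", mask(digits)))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding(n, "ssn", "***-**-" + m.group(3)))
    return findings


if __name__ == "__main__":
    for f in scan_for_pii(SAMPLE_SHEET):
        print(f"line {f.line}: {f.kind} {f.masked}")
```

Run it over the export of every shared drive the finance team uses; any "header" finding means the column exists at all, which is the real problem, and any "card" finding on a non-Luhn-failing value means live numbers are sitting in a file rather than in the payment processor.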
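Item 6 above warns about slightly misspelled domain names posing as your HR department. As an added example, not code from the author of this post, here is a defensive link classifier of the kind a mail filter or a user-reported-phish triage script would run: it pulls the registrable domain out of each link, treats the organisation's own domains (and their subdomains) as trusted, and flags anything that only resembles them through common character swaps (rn for m, 0 for o), an edit distance of two or less, or the brand label buried in a longer name. The trusted domains, the inbox links and the confusable table are all constructed for the example, and the "last two labels" rule for the registrable domain is a simplifying assumption in place of a public-suffix list.

```python
"""Classify links in a message as trusted, look-alike or unknown."""
from urllib.parse import urlparse

# Constructed: domains the organisation actually owns.
TRUSTED_DOMAINS = {"acme.example", "acme-benefits.example"}

# Constructed confusable mappings; digits that pass for letters at a glance.
DIGIT_MAP = str.maketrans("0135", "oles")

# Constructed sample links, as they might appear in a suspicious HR e-mail.
SAMPLE_LINKS = {
    "https://hr.acme.example/payroll": "trusted",
    "https://hr.acrne.example/payroll": "lookalike",      # rn masquerading as m
    "http://acme-benefit.example/login": "lookalike",     # one character dropped
    "https://payroll-acme.example/reset": "lookalike",    # brand inside a new name
    "https://acme.example.evil.example/": "unknown",      # trusted name as subdomain
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Assumption: the registrable domain is the last two host labels."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def normalize(domain: str) -> str:
    """Fold common look-alike sequences so 'acrne' compares equal to 'acme'."""
    return domain.replace("rn", "m").replace("vv", "w").translate(DIGIT_MAP)


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a single URL."""
    domain = registrable_domain(url)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted):
            return "lookalike"
        if levenshtein(domain, trusted) <= 2:
            return "lookalike"
        brand = trusted.split(".")[0]
        if brand in label:          # e.g. payroll-acme borrowing the brand
            return "lookalike"
    return "unknown"


def classify_all(links) -> dict:
    """Classify every link; the caller decides what to do with look-alikes."""
    return {url: classify_link(url) for url in links}


if __name__ == "__main__":
    for url, verdict in classify_all(SAMPLE_LINKS).items():
        print(f"{verdict:9} {url}")
```

A "lookalike" verdict is the one worth routing to a human; "unknown" is merely an unfamiliar domain, and the legitimate HR subdomain comes out as "trusted" because its registrable domain is on the owned list.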
jockpereira.com | firstname.lastname@example.org | 978-666-4000