Nonpublic Personal Information (NPI)

Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801-6809 (2002). Available at: https://www.law.cornell.edu/uscode/text/15/6809

(4)Nonpublic personal information
(A)The term “nonpublic personal information” means personally identifiable financial information—
(i)provided by a consumer to a financial institution;
(ii)resulting from any transaction with the consumer or any service performed for the consumer; or
(iii)otherwise obtained by the financial institution.
(B)Such term does not include publicly available information, as such term is defined by the regulations prescribed under section 6804 of this title.
(C)Notwithstanding subparagraph (B), such term—
(i)shall include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information; but
(ii)shall not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any nonpublic personal information.

(GLBA, 15 U.S.C. § 6809(4))


Phishing: Setting Traps

Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers — most notably Gmail — make this especially easy. When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that with a “+” sign just to the left of the “@” sign in your email address. For example, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to Gmail and create a folder called “Example,” along with a new filter that sends any email addressed to that variation of my address to the Example folder. That way, if anyone other than the company I gave this custom address to starts spamming or phishing it, that may be a clue that example.com shared my address with others (or that it got hacked, too!). I should note two caveats here. First, although this functionality is part of the email standard, not all email providers will recognize address variations like these. Also, many commercial Web sites freak out if they see anything other than numerals or letters, and may not permit the inclusion of a “+” sign in the email address field.

After Epsilon: Avoiding Phishing Scams & Malware, Krebs on Security, by Brian Krebs, 04/06/2011
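The trap Krebs describes only pays off if something correlates the tagged recipient address with who actually sent the message. The following is an added example (not code from the Krebs on Security article) that does that correlation: it assumes a provider that delivers user+tag@domain to user@domain, as Gmail does, and a registry kept by the mailbox owner of which tag was handed to which site. The registry entries and the inbound messages are constructed for illustration.

```python
"""Correlate plus-addressed ("sub-addressed") recipients with their senders.

Added example; it is not code from the Krebs on Security article.  It assumes
the provider delivers user+tag@domain to user@domain (as Gmail does) and that
the owner keeps a registry of which tag was handed to which site.  All
addresses and messages below are constructed for illustration.
"""
import re

# local part, optional "+tag", domain.  Bare addr-spec only, no display name.
ADDR_RE = re.compile(r"^([^+@\s]+)(?:\+([^@\s]+))?@([^@\s]+)$")


def split_subaddress(addr):
    """Return (local, tag, domain), lower-cased; tag is None when no '+' is present."""
    m = ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not a bare address: {addr!r}")
    local, tag, domain = m.groups()
    return local.lower(), (tag.lower() if tag else None), domain.lower()


def tagged_address(base, tag):
    """Build the variant to hand to a site: user@domain -> user+tag@domain."""
    local, existing, domain = split_subaddress(base)
    if existing is not None:
        raise ValueError("base address already carries a tag")
    return f"{local}+{tag.lower()}@{domain}"


def classify(message, registry):
    """Verdict for one message, given registry {tag: domain the tagged address was given to}.

    The From header is trivially spoofable, so a mismatch is a clue that the site
    shared or lost the address, not proof; a matching sender proves nothing either.
    """
    _, tag, _ = split_subaddress(message["to"])
    _, _, sender = split_subaddress(message["from"])
    if tag is None:
        return "untagged"
    expected = registry.get(tag)
    if expected is None:
        # Nobody was given this variant: a guessed tag, or one a site mangled.
        return "unknown-tag"
    if sender == expected or sender.endswith("." + expected):
        return "expected-sender"
    return "leaked"


def find_leaks(messages, registry):
    """Return (to, from, verdict) for every message that deserves a look."""
    hits = []
    for m in messages:
        verdict = classify(m, registry)
        if verdict in ("leaked", "unknown-tag"):
            hits.append((m["to"], m["from"], verdict))
    return hits


# Constructed sample data: which tag went to which site, and a few inbound messages.
REGISTRY = {"example": "example.com", "bank": "bank.example"}
MESSAGES = [
    {"from": "news@example.com", "to": "krebsonsecurity+example@gmail.com"},
    {"from": "promo@mail.example.com", "to": "krebsonsecurity+example@gmail.com"},
    {"from": "deals@bulk-sender.test", "to": "krebsonsecurity+example@gmail.com"},
    {"from": "alerts@bank-secure.test", "to": "krebsonsecurity+b4nk@gmail.com"},
    {"from": "friend@somewhere.test", "to": "krebsonsecurity@gmail.com"},
]

if __name__ == "__main__":
    for to, sender, verdict in find_leaks(MESSAGES, REGISTRY):
        print(f"{verdict:12s} {to} <- {sender}")
```

Unknown tags are reported rather than ignored on purpose: a site that rejects or rewrites the "+" (Krebs' second caveat) never produces a registry entry, so mail arriving at a tag you never issued is itself worth a look. A sender on a subdomain of the registered domain is accepted, since bulk mail legitimately comes from hosts like mail.example.com.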

Unintentional Insider Threat (UIT)

An unintentional insider threat is (1) a current or former employee, contractor, or business partner (2) who has or had authorized access to an organization’s network, system, or data and who, (3) through action or inaction without malicious intent, (4) unwittingly causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability.

Unintentional Insider Threat and Social Engineering, Insider Threat Blog, Carnegie Mellon University (CMU) Software Engineering Institute (SEI), by David Mundie, 03/31/2014

Spear Phishing: Effective Because it’s Believable

Quote 1:

Spear phishing is targeted. The attackers did their research, usually through social engineering. They might already know your name or your hometown, your bank, or your place of employment—information easily accessed via social media profiles and postings. That bit of personalized information adds a lot of credibility to the email.

Spear-phishing emails work because they’re believable.

Quote 2:

Spear-phishing attacks are not trivial or conducted by random hackers. They are targeted at a specific person, often by a specific group. Many publicly documented advanced persistent threat (APT) attack groups, including Operation Aurora and the recently publicized FIN4 group, used spear-phishing attacks to achieve their goals.

Best Defense Against Spear Phishing, FireEye

Quote 1:

Phishing emails are exploratory attacks in which criminals attempt to obtain victims’ sensitive data, such as personally identifiable information (PII) or network access credentials. These attacks open the door for further infiltration into any network the victim can access. Phishing typically involves both social engineering and technical trickery to deceive victims into opening attached files, clicking on embedded links and revealing sensitive information.

Spear phishing is more targeted. Cyber criminals who use spear-phishing tactics segment their victims, personalize the emails and impersonate specific senders. Their goal is to trick targets into clicking a link, opening an attachment or taking an unauthorized action. A phishing campaign may blanket an entire database of email addresses, but spear phishing targets specific individuals within specific organizations with a specific mission. By mining social networks for personal information about targets, an attacker can write emails that are extremely accurate and compelling. Once the target clicks on a link or opens an attachment, the attacker establishes a foothold in the network, enabling them to complete their illicit mission.

Quote 2:

A spear-phishing attack can display one or more of the following characteristics:

  • Blended or multi-vector threat. Spear phishing uses a blend of email spoofing, dynamic URLs and drive-by downloads to bypass traditional defenses.
  • Use of zero-day vulnerabilities. Advanced spear-phishing attacks leverage zero-day vulnerabilities in browsers, plug-ins and desktop applications to compromise systems.
  • Multi-stage attack. The spear-phishing email is the first stage of a blended attack that involves further stages of malware outbound communications, binary downloads and data exfiltration.
  • Well-crafted email forgeries. Spear-phishing email threats usually target individuals, so they don’t bear much resemblance to the high-volume, broadcast spam that floods the Internet.

White Paper: Spear-Phishing Attacks, FireEye
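Three of the characteristics above (a spoofed or redirected sender, a "dynamic" link whose visible text names one host while the href goes to another, and an attachment the victim is meant to open) can be checked mechanically on a raw message. The block below is an added example, not FireEye's code; the heuristics are the editor's, and both messages, the domains acme-corp.example and acme-c0rp.test, and the file name are constructed.

```python
"""Flag spear-phishing indicators in a raw RFC 5322 message.

Added example; not FireEye's code.  The heuristics are the editor's and cover
only the signals the white paper lists: a sender whose Reply-To goes elsewhere,
a link whose visible text names a different host than its target, and an
attachment that is really an executable.  Both messages below are constructed.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that should never arrive as a "document".
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".jar", ".lnk")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s):
    """Host name of a URL; a bare domain is accepted too."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _looks_like_url(text):
    return " " not in text and re.search(r"\.[a-z]{2,}", text, re.I) is not None


def indicators(raw):
    """Return human-readable indicators for one raw message; empty list means none fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []

    sender = msg["From"].addresses[0]
    if msg["Reply-To"] is not None:
        reply = msg["Reply-To"].addresses[0]
        if reply.domain.lower() != sender.domain.lower():
            found.append(f"Reply-To domain {reply.domain} differs from From domain {sender.domain}")

    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = _LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            # Visible text names one host while the href goes to another.
            if _looks_like_url(text) and _host(text) != _host(href):
                found.append(f"link text shows {_host(text)} but points to {_host(href)}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            found.append(f"executable attachment {name}")
    return found


# Constructed lure: Reply-To on a look-alike domain, disguised link, double-extension attachment.
RAW = """\
From: "Acme Payroll" <payroll@acme-corp.example>
Reply-To: payroll@acme-c0rp.test
To: cfo@acme-corp.example
Subject: Updated W-2 for your review
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please review at <a href="http://acme-c0rp.test/w2">https://hr.acme-corp.example/w2</a></p>
--b1
Content-Type: application/octet-stream; name="W2_2017.pdf.exe"
Content-Disposition: attachment; filename="W2_2017.pdf.exe"

MZ
--b1--
"""

# Constructed benign message from the same sender for comparison.
CLEAN = """\
From: "Acme Payroll" <payroll@acme-corp.example>
To: cfo@acme-corp.example
Subject: Updated W-2 for your review
Content-Type: text/html

<p>Please review at <a href="https://hr.acme-corp.example/w2">the HR portal</a></p>
"""

if __name__ == "__main__":
    for line in indicators(RAW):
        print("LURE :", line)
    print("CLEAN:", indicators(CLEAN))
```

None of these checks proves a message malicious on its own (marketing mail uses a different Reply-To all the time), which is why the function returns the list of indicators rather than a verdict and leaves the scoring to whatever pipeline consumes it. A From header that passes these checks is not evidence of legitimacy either, since the white paper's point is precisely that the forgery is well crafted.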

Poverty and The Law of Compounding Exploitation

As a security professional within a corporate environment, I am tasked with identifying and mitigating vulnerabilities or threats. Information Security (InfoSec) effectively comes down to this: 1) know what you have (valuables), where it’s located and who has access to it, 2) identify potential vulnerabilities/weaknesses coming from both inside and outside the company (or DMZ), and 3) eliminate/reduce all vulnerabilities and weaknesses to the fullest extent possible, while carefully monitoring those that you choose to allow to remain unaddressed (there are many reasons for making this decision).

Take this process and apply it to a community of people. For the sake of argument:

  • Make 10% of that population homeless.
  • Create an economic structure wherein people are constantly flowing in and out of homelessness. The population keeps changing.
  • The total % of people who are homeless increases, slowly, over time.
  • 25% of the people who experience homelessness spend the rest of their lives living with a mental or physical illness (disability?) acquired as a direct result of being homeless.
  • 75% of the people experiencing homelessness, at any point in time, are children.
  • The protection afforded to housed people is not provided to homeless, making them perfect targets for criminals, predators and ‘recruiters’ of all kinds.
  • Surviving homelessness requires surviving violence.

If this community has 100,000 people, then a minimum of 10,000 people are being forced to live underground at any given moment in time. 7500 of these individuals are children whose education is being interrupted and/or negatively impacted by the experience. There are also a minimum of 2500 people who are dealing with illnesses and disabilities as a direct result of being forced to live underground while surviving extreme poverty.

Those 7500 children and 2500 permanently injured/disabled adults (we’ll assume they are all adults) are (re)entering society with training, experience, perspective and skills that may or may not positively contribute to the safety, security and positive function of society.

As a security professional, I shake my head in disgust because those 7500 unknowns (at this point, they are not officially threats) were completely avoidable. I did not have to be concerned about them at all. It is a situation that could (should) be eliminated through housing, access to basic resources/necessities, respectful and effective assistance from police forces and safe, quality, reliable and free education.

Now, let’s introduce some known threats.

All of these threats could consist of a grand total of 10,000 people due to overlap (read: the highest number listed above), but it also could consist of a total threat base of 16,200 people – assuming no overlap. So my known threat base ranges from 10,000 to 16,200 people in the total population. Assuming percentages remain consistent and all known threats are adults, it can be assumed that 250–400 of them experienced homelessness at some point.

I’m guessing that you are looking at that relatively low number of homeless predators and wondering: how does this illustrate compounding vulnerability exploitation? Allow me to illustrate…

Compounding force #1: One vulnerability leads to a strengthening of a threat which, in turn, creates another vulnerability.

10,000 perpetrators/threats (10% of the total population) are committing crimes against 10,000 vulnerable (homeless) people (10% of the total population) either by preference or as a form of practice. The homeless are not provided police protection and they cannot defend themselves due to extreme poverty and social stigma. Therefore, a potential criminal who has not crossed the line into full-blown criminal activity is provided a ‘sandbox’ where these behaviors can be acted out and perfected before perpetrating them against people who ‘matter.’

Compounding force #2: The purposeful allowance of an exploitation, and the refusal to take proper action in response, increases both the threat and the vulnerability.

The widespread acceptance surrounding the degradation, marginalization and violent treatment of poverty survivors (homeless people in particular) creates a pervading social construct (culture) that is less able (unable?) to identify and address these same behaviors when perpetrated against the general population. The community has become ‘numb’ to criminal activity and lost a significant (important) portion of its willingness and/or ability to properly address these actions.

The culture of a community/environment must be such that threats can be identified and addressed, promptly, properly and effectively. If the culture is negatively affected in one circumstance, allowing a known threat/criminal act to go unaddressed (unpunished), then that same threat will not only continue, but will grow stronger and begin to expand (aggressively).

Compounding force #3: Threats that are mitigated ad-hoc and separate from the whole often generate more vulnerabilities and create new categories of threats.

The widespread refusal to treat poverty survivors (the homeless in particular) with the basic respect due to any human being, combined with an aggressively enforced caste system that forces people into permanent association with a ‘lesser-than’ category, directly and negatively affects all poverty survivors’ ability to improve their lives both financially and socially. They are placed between the proverbial ‘rock and a hard place.’

Desperation and lack of options can force people to find creative solutions (this is good), but it can also push them into making alliances and decisions that place them into the community threat category (this is bad).

The homeless are the absolute bottom, but they are not the entire community of poverty survivors. Those who are surviving poverty while remaining housed (however tenuous that situation may be) will see what is happening to those trying to survive homelessness. The actions taken against the homeless will directly and profoundly affect the decisions made by those who are ‘merely poor.’

The two communities combined are placed in a state of desperation, trying to improve their situation. This makes them all particularly vulnerable to everything from relatively light criminal activity (e.g.: shoplifting) to criminal association (e.g.: joining a gang or a criminal network) and radicalization (e.g.: joining terrorist organizations like the KKK or ISIL and participating in hate crimes or terrorist attacks).

By isolating and ignoring the safety and welfare of one segment of the community, the threat level is increased for another segment of the community. Due to the ostracism and marginalization of poverty survivors, the actions taken by poverty survivors in reaction to their situation are separate from the actions taken by the police and similar organizations in protection of the community as a whole. This disconnect creates an increased number of threats seeking to exploit vulnerabilities found throughout the community.

Compounding force #4: The creation of exploitable vulnerabilities increases with the acceptance of those exploitations.

When the only thing separating those vulnerable to degradation, vicious social behavior and open violence is financial standing, moving a targeted individual into a state of absolute vulnerability hinges on destroying their financial standing.

In other words, everyone is vulnerable, because anyone can have a financial crisis at any moment.

It’s easy to assume that you are immune to such experiences. But it is even easier to examine the life and habits of any individual or family and identify the ways in which they could go from housed and financially secure to living out of a shelter – in a stunningly short period of time.

For criminals and predators, this is an important loophole. It permanently establishes a vulnerability within every single household that can be exploited to reduce or eliminate a threat to criminal operations. Because the vulnerability is entirely financial, exploiting it presents minimal risk to criminals and predators. After all, arranging for a family member to come down with a mysterious illness that requires a lengthy hospital stay, or simply ensuring the primary breadwinner loses his or her job, is relatively easy.

Conclusion

There is no such thing as an isolated threat. Every ecology or environment (e.g.: computer systems, the environment, human social networks, towns and cities, etc.) operates within the push-and-pull of threats-vs-vulnerabilities. Every threat has the potential to grow strong and every vulnerability has the potential to grow larger. Both have the ability to spread to other systems, ecological environments, communities, etc.

Dividing the world into absolute, unchanging, categories of US and THEM is a dangerous habit. A truly effective system of threat identification and mitigation recognizes that there is no them – there is only us.

Securing Credit and Identity After the Equifax Breach


Step 1: Read this article: How I Learned to Stop Worrying and Embrace the Security Freeze (Krebs on Security).

Step 2: Place a credit freeze on the credit file of every family member at each of the credit bureaus. Note: a freeze for a minor cannot be placed through the online portals; most bureaus offer a mail-in process for minors.

Step 3: Keep all account IDs, passwords and PINs in a safe place! Applying for credit in the future will require contacting each bureau and lifting the freeze, temporarily or permanently.

Link

Has anyone succeeded in erasing someone’s memory? by Gagan Bir Singh https://www.quora.com/Has-anyone-succeeded-in-erasing-someones-memory/answer/Gagan-Bir-Singh?share=d15154d6&srid=zRYF

The possibilities for abuse are massive and terrifying.

Business Law: Intellectual Property Theft

Quote



“Put as much in writing as possible and save that documentation. By creating a paper trail, you’ll have proof of your concept if it does go to court. Keep a log of every discussion you have where details of your business are disclosed. This log could come in handy if you find one of those conversations go somewhere.”

7 Simple Ways You Can Protect Your Idea From Theft, Forbes.com, by Drew Hendricks


“To make sure your next million dollar idea isn’t stolen or copied, we enlisted the help of specialists in “idea security” to find out how you can avoid becoming a hard luck story…Rather than trying to avoid attention, flag ideas as your own even at an early stage. “Use the right symbols in your media and marketing material,” alerts David Bloom, head of Safeguard iP, a specialist Intellectual Property (IP) insurance broker. Patent and design numbers can be added later…”

5 ways to stop your ideas being stolen, CNN.Com, by Kieron Monks


“Turn to the U.S. Patent and Trademark Office for help. Fortunately, patents aren’t the only tools available to protect our ideas. First, file a provisional patent application. You can do this yourself online or use a template such as Invent + Patent System or Patent Wizard to help you. The USPTO also has call centers available with staff members on hand to answer questions and offer guidance.”

How to Protect Your Business Idea Without a Patent, Entrepreneur.com, by Stephen Key

“Tortious interference with business occurs when another person directly interferes with a business’s ability to operate. This offense usually involves other offenses, such as defamation. However, if a person steals your idea and then actively works to prevent you from bringing your idea to fruition, this could constitute tortious interference.”

What Is the Legal Term for Stealing a Business Idea?, AZCentral.com, by Van Thompson

“I say do what you can. Do the legal end when it’s practical, but don’t trust it. Don’t think it solves the problem.

You’ll never get a legitimate investor to sign one of those documents before you pitch. If an investor signs off on a non-disclosure, she’s just ruled out a whole class of business she can never invest in without risking legal action. They just don’t do it.

And, I think lots of people who you might want as team members would be put off with the idea of signing a legal document before talking about it. I would.”

How to Really Protect Your Business Idea, BPlans.com, by Tim Berry

Security or Identity?

Quote


On the Steps of the Palace

“So then which do you pick:
Where you’re safe out of sight,
And yourself, but where everything’s wrong,
Or where everything’s right,
And you know that you’ll never belong?”

Into The Woods, lyrics by Stephen Sondheim and book by James Lapine

Sustainability and IT

Quote


“Sustainability is a stakeholder need and business requirement. But more than anything, it is a human responsibility. IT plays an important role.”

“IT can be a solution or part of the problem, depending on how it is governed and managed.”

“For business to be sustainable, it has to consider sustainability as a strategic priority…COBIT 5 assists enterprises in achieving this goal.”

The Time for Sustainable Business Is Now: Leveraging COBIT 5 in Sustainable Businesses, ISACA Journal, Volume 3, 2015, by Graciela Braga