Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Security Metrics Blog November 9, 2015

Physical Security: What You Aren’t Thinking About

Often it’s the little security issues we overlook that hurt us the most.

By: Brand Barney

Security cameras? Check. Guards? Check. Locked doors? Check. Privacy monitors? Umm . . .

When it comes to data security, many health organizations don’t worry as much about the physical aspect. While the foundational security issues may have been addressed, organizations are likely to have overlooked details such as:

  • Unlocked office doors during the day
  • Window blinds
  • Reception desks
  • Lack of screensavers and privacy monitors
  • Theft of devices/hardware
  • Malware on left-behind devices

People may think physical security only applies after hours. However, most data thefts occur in the middle of the day, when staff are too busy with their assignments to notice the person walking out of the office with a server, company laptop, phone, etc.

Organizations may also think data thefts are large events that take months of planning, like something from a heist movie. (Ocean’s 11, anyone?) In reality, most data thieves use much simpler plans: the majority of physical data thefts take only minutes to plan and execute.

Malicious actors strike quickly, take what data they can, and leave with little to no trace. In this case, data thieves take advantage of the lack of physical security in healthcare organizations. Here are some issues your organization may not have considered.

Taking devices

The main problem offices have with devices is that a nurse and a client may use the same type of mobile device, such as an iPad. A thief could walk in, take an iPad off the reception desk when no one was looking, and walk out, all within five minutes. Would you stop someone walking out of your office with an iPad? Probably not, because you would assume it was theirs.

But within a few minutes, that thief has whatever data or PHI is on that iPad, along with any network access the device carries. This type of theft can and does happen, and sadly it’s not limited to your office or hospital. Many workforce members work long hours and take devices with PHI on them home, stopping at a grocery store or a child’s school on the way. Theft is quite likely if a device is left alone and unsecured, in or out of the workplace, and the resulting breach can cause quite a bit of heartburn.

See also: Balancing Mobile Convenience and PHI Security

Leaving devices

You don’t often think of thieves leaving something behind, but for an attacker an easy way to further the data heist is to leave behind malware. Here’s an example: a receptionist at a large hospital notices a flash drive left on the desk. It’s labeled “HR,” so the receptionist drops it off at the Human Resources department. The person in HR plugs it into a computer without a second thought. But that flash drive was full of malware, and now the hospital’s system is infected and likely losing data.

Be suspicious of any unfamiliar hardware or device that randomly appears, and hand it to IT or security rather than plugging it into any computer.

Windows and peeping eyes

Often a thief doesn’t have to enter an office to steal information. They can look through a window and see information on workers’ computer screens. This can be remedied simply by putting up blinds in offices that handle sensitive information.

Reception desks reveal more than you think

Reception desks are filled with tidbits of information and loose PHI that make data thieves grin. Passwords written on sticky notes, computers without privacy monitors, and patient records lying out in the open are all fair game for social engineers.

Reception desks also get the most traffic, which is why they are typically the first target. Social engineers can steal a lot of information there without being noticed. It’s critical to the safety of your patients’ data that your receptionists are properly trained to handle social engineers and are aware of everything going on around them.

See also: Healthcare Reception Desks: Breeding Ground for HIPAA Compromise

Check-in and check-out

Keeping track of clients coming in and out may seem insignificant, but it helps discourage thieves and provides information should your data get stolen. Check-ins help your staff acknowledge and remember the clients who come in, making it harder for social engineers to slip in and out unnoticed. Make sure all clients and vendors who come into the building sign in and out when entering secure zones (such as a data center or networking/server areas), and regularly assess who really needs access to those very sensitive areas.

Unlocked doors: a social engineer’s paradise

Social engineers love an entity that doesn’t pay much attention to physical security. It makes their job that much easier, and if you aren’t paying attention to these areas, what else might that attacker poke around at? A social engineer can walk into a hospital, enter an unlocked office, sit down at an unlocked computer, steal PHI, and leave, all within ten minutes. But if the office door is locked, the social engineer usually won’t bother.

Hackers and thieves are often lazy. Why go to a lot of trouble to get past a locked door if there’s an unlocked one down the hall? By locking office doors and computers, you deter many data thieves (this very basic concept translates to all areas of security).

Fighting back: it’s surprisingly easy

Most of these risks can be prevented with little effort. Here are some suggestions:

  • In your risk analysis, look for physical security risks
  • Lock all office doors when not in use, day and night
  • Require passwords to access computers and mobile devices (encrypt your data, or don’t keep data on devices)
  • Use screensavers and privacy monitors on computers
  • Install and use blinds in all office windows
  • Keep logs of who goes in and out
  • Keep track of devices that go in and out
  • Have policies in place for stolen equipment (have a good Incident Response Plan and know your Breach Notification Policy front and back)
  • Train staff against social engineering
  • Limit access to PHI through role-based access
  • Have staff report suspicious people and devices
  • Make sure all reception desks protect PHI from prying eyes

See also: Common HIPAA Violations: HIPAA Quiz/HIPAA Test

Most social engineering and data thefts can be prevented by following these simple practices. If your organization takes the smaller issues into account, a social engineer or thief will be less likely to bother you because it isn’t worth the effort. It’s the greatest benefit from the littlest effort.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

Read the SecurityMetrics HIPAA Security Rule Report
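The sign-in/sign-out logs and device tracking recommended above only pay off if someone actually reconciles them at the end of the day. The script below is an added example, not code from the SecurityMetrics post: it parses a constructed visitor and device log and reports visitors still inside a secure zone, devices checked out longer than a threshold, and zone entries by people who were never pre-approved. The log format, zone names, people, device tags and the approval list are all assumptions made for the example.

```python
"""Reconcile a sign-in/sign-out log for secure zones and tracked devices.

Added example, not from the SecurityMetrics post. The log format, zone names,
people, device tags and the approval list below are all assumptions.
"""
from datetime import datetime

# Constructed sample log: "timestamp,event,subject,zone-or-holder".
#   visitor_in / visitor_out : subject is a person, last field is the secure zone
#   device_out / device_in   : subject is a device tag, last field is who took it
SAMPLE_LOG = """\
2015-11-09 08:55,visitor_in,Ann Vendor,server_room
2015-11-09 09:10,device_out,LAPTOP-0042,Dr. Lee
2015-11-09 09:40,visitor_out,Ann Vendor,server_room
2015-11-09 10:05,visitor_in,Bob Contractor,server_room
2015-11-09 11:30,device_out,IPAD-0007,Reception
2015-11-09 12:15,device_in,LAPTOP-0042,Dr. Lee
2015-11-09 17:00,visitor_in,Cara Temp,data_center
"""

# Assumed pre-approval list: who is allowed into which secure zone.
APPROVED = {
    "server_room": {"Ann Vendor", "Bob Contractor"},
    "data_center": {"Ann Vendor"},
}

TIME_FMT = "%Y-%m-%d %H:%M"


def parse_log(text):
    """Turn the log text into a time-ordered list of event dicts."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, subject, where = (f.strip() for f in line.split(",", 3))
        events.append({"ts": datetime.strptime(ts, TIME_FMT),
                       "kind": kind, "subject": subject, "where": where})
    events.sort(key=lambda e: e["ts"])
    return events


def _minutes(now, ts):
    return int((now - ts).total_seconds() // 60)


def open_visits(events, now):
    """Visitors signed into a secure zone with no matching sign-out as of `now`.

    Returns (name, zone, minutes_inside) tuples, sorted by name."""
    inside = {}
    for e in events:
        key = (e["subject"], e["where"])
        if e["kind"] == "visitor_in":
            inside[key] = e["ts"]
        elif e["kind"] == "visitor_out":
            inside.pop(key, None)  # a sign-out with no sign-in is ignored
    return sorted((name, zone, _minutes(now, ts))
                  for (name, zone), ts in inside.items())


def overdue_devices(events, now, max_minutes):
    """Devices checked out and not checked back in within `max_minutes`.

    Returns (device, holder, minutes_out) tuples, sorted by device tag."""
    out = {}
    for e in events:
        if e["kind"] == "device_out":
            out[e["subject"]] = (e["where"], e["ts"])
        elif e["kind"] == "device_in":
            out.pop(e["subject"], None)
    return sorted((dev, holder, _minutes(now, ts))
                  for dev, (holder, ts) in out.items()
                  if _minutes(now, ts) > max_minutes)


def unapproved_entries(events, approved=APPROVED):
    """Sign-ins to a secure zone by someone not on that zone's approval list."""
    return sorted({(e["subject"], e["where"]) for e in events
                   if e["kind"] == "visitor_in"
                   and e["subject"] not in approved.get(e["where"], set())})


def review(log_text, now_text, max_minutes=240, approved=APPROVED):
    """Run all three checks as of `now_text`; events after that time are ignored."""
    now = datetime.strptime(now_text, TIME_FMT)
    events = [e for e in parse_log(log_text) if e["ts"] <= now]
    return {
        "still_inside": open_visits(events, now),
        "overdue_devices": overdue_devices(events, now, max_minutes),
        "unapproved": unapproved_entries(events, approved),
    }


if __name__ == "__main__":
    # End-of-day review at 18:00: Bob and Cara never signed out, the reception
    # iPad has been out since 11:30, and Cara was never approved for the data center.
    for name, rows in review(SAMPLE_LOG, "2015-11-09 18:00").items():
        print(f"{name}: {rows}")
```

The same reconciliation works on an export from a badge system or a visitor kiosk; the point is that an unreturned device or an unclosed visit is visible the same day, when the theft described above is still fresh, rather than weeks later when a breach notification is already due.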

Filed Under: data theft, Physical Security, Security, Social Engineering

The Influence People Blog November 2, 2015

Ironing out the Buying Thought Process

I’ve been on the road a lot lately. In a recent stretch I was gone Monday through Thursday or Friday four weeks in a row. When I returned from a recent trip, my wife, Jane, had gone to Myrtle Beach to spend time with her family. I was left with a daunting task: two dozen shirts to iron!

But there was a problem; our iron was ruined not long ago when I dropped it on the floor. Before I could start ironing I needed to buy a new iron, something I knew nothing about. I’d like to let you in on my thought process as I made the purchase. I don’t think I’m much different than any of you reading this, so perhaps it will help you understand why you do what you do when it comes to certain purchasing decisions.

Let’s start with this fact: the vast majority of our decision-making takes place at the subconscious level. Martin Lindstrom, author of Buyology (yes, I spelled it correctly), contends non-conscious forces drive upwards of 85% of our decision-making. People who’ve been in sales for any length of time understand this, and that’s why it’s often said, “People buy based on emotion, then justify with logic.”

My first decision was where to go to get the iron. I ended up at Target. I guess I could have stopped by Sears, Wal-Mart or some lesser-known stores, but I didn’t even consider them because prior experiences at Target have been good, their prices are reasonable, and Target is burned into my subconscious more than the other stores because of their advertising. After asking a clerk where I could find irons, I ended up in front of shelving full of irons ranging in price from $12.99 to $89.99. Immediately I knew I would not spend anywhere close to $12.99, because having had some cheap irons in the past and using them at hotels is frustrating. I also knew there was no way I’d pay anywhere near $89.99 for an iron, because ironing as little as I do doesn’t necessitate one that would be used in a laundromat.

As I looked at all the different models I saw several options from Shark. I’d heard of Shark and seen some commercials, and remembered their products seemed unique, although I couldn’t recall specifics. Other than glancing at some other brands, I really gave all my attention to the Shark models.

As I looked at the Shark irons they did look different from all the others, and the price range was reasonable, with the low-end model at $29.99 (Lightweight Professional) and the top-of-the-line model at $49.99 (Ultimate Professional). There was one other model for $39.99 (Professional Steam Power).

At this point I did what most discriminating shoppers do: I compared. Did I need 1800 watts, 1600 or 1500? Was the 9.5-inch base, 9.0 or 8.5 best for me? Does it matter that one is 3.6 lbs., 3.3 lbs. or 2.0 lbs.? Decisions, decisions, decisions, all of which I knew nothing about. That led me to one more decision criterion: what do people say about each model? That was easy enough to look up on my phone as I stood in the aisle. Each iron had 4.5 stars, some with more than 100 reviews. I felt comfortable because people just like me (principle of consensus) thought highly of each model, so I felt better and better about my potential Shark decision.

With all that going on in my head, which model did I buy? I bought the $39.99 model, which is what most people would do. I remember thinking, “Do I really need the top of the line, and will those subtle feature differences be worth it?” I also thought, “If I buy the low-end model, will I regret it because maybe it turns out to be a little cheap?” The middle seemed to be a safe alternative. Most companies offer three product models (cars, shoes, bread makers, etc.) exactly because of the thinking I outlined above. Some people will want the top of the line, some will default to the cheapest, but most people will buy in the middle. If a company removes its high-priced model, the average sale will drop, not only because some people buy the top of the line but also because more people will shift from the mid-range product down to the lowest-priced model. Pay attention next time you’re in a store and see if you begin to notice the three-choice offerings.

Although I’m in tune with buying, selling and psychology, I must admit it was an interesting exercise to really pay attention to what was driving my purchasing decision. I got home and used that iron for three hours as I knocked out all the shirts at once. I must say, I was pleased with my purchase – at least that’s what my mind told me.

Brian Ahearn, CMCT®
Chief Influence Officer
influencePEOPLE
Helping You Learn to Hear “Yes”.

Filed Under: Influence, influx, Psychology, sales, sales thought process, Target

The Influence People Blog October 26, 2015

Practice Doesn’t Make Perfect, Perfect Practice Makes Perfect

You’ve probably heard the old expression, “Practice makes perfect.” The message is intended to convey that you won’t improve at something without practice. However, the reality is this – not any old practice will do. For example, who will ultimately perform better in each of the following scenarios?
  • The golfer who hits a large bucket of balls with a variety of clubs or the golfer who picks one or two clubs and works on a few specific things?
  • The basketball player who hurriedly tosses up 50 free throws at the end of practice or the player who takes his time during his 50 attempts because he tries to correct mistakes after missing free throws?
  • The businessperson who participates in training or the businessperson who repeatedly practices on their own certain skills learned in training?

In each case I’m guessing you’d agree the second person would be more successful.
In the golf example, your game will improve much more if you work on a few specifics, master them, then move on to other areas of your game.
A basketball player who focuses on what went wrong and actively corrects the mistakes is less likely to repeat them at the free throw line.
The businessperson who takes time to practice certain skills learned at a workshop should improve upon those skills much more than the person who doesn’t do anything after the training.
What we’re talking about here is a concept known as “deep practice.” Simply practicing, repeating the same thing over and over, could actually hinder you if you happen to be doing something incorrectly. Practicing incorrectly can easily lead to ingraining bad habits! If you want to improve at something you have to practice it correctly. In other words, perfect practice makes perfect.
According to Daniel Coyle, author of The Talent Code and The Little Book of Talent, deep practice is hard and can be exhausting. But there’s good news – you can accomplish more with less when you practice deeply.
But don’t take that last statement to mean a little hard work is all it takes. People who master their chosen field usually put in more than 10,000 hours, and their time practicing far exceeds their actual time in competition. For example, Jerry Rice is estimated to have practiced 20,000 hours (20 years x 50 weeks/year x 20 hours a week), while his playing time was about 150 hours (300 games x ½ hour, assuming the offense was on the field for half of each one-hour game). Think about that for a moment: 20,000 hours of preparation for 150 hours of game time. That’s more than 133 hours of preparation for every hour of playing time.
After college I was a competitive bodybuilder for several years. I would routinely spend at least two hours a day in the gym every day. Conservatively I’d have 250 hours of gym time for 30 minutes of competition on stage. Would you be willing to devote 100, 200, or 500 hours of prep time to get ready for an event?
In business the model is flipped because we spend so much time at the office, in meetings, on sales calls, etc., that we can’t afford to spend as much time in preparation. That means we need to be as efficient as possible with our time. Here are some things you can do: 

  • Assess what went well and what didn’t. After a big meeting or sales call, assess what went well and what could be improved. Take time to practice what can be practiced and/or change what needs to be changed next time.
  • Use drive time to practice. A few weeks ago I had a three-hour drive from Indianapolis to Columbus and I used almost two hours of the drive to practice parts of an upcoming presentation. I practiced so much that people noticed my voice was hoarse when I got back to the office. It was much better use of my time than talk radio, music or daydreaming.
  • Focus on specifics. As you go into a meeting, sales call, or presentation focus on certain things you want to improve. Just one or two things are enough. Ask someone to keep an eye out for those things and get some feedback.
  • Be playful. Almost every interaction with someone is a chance to do playful practice, especially when there’s not a lot on the line. I do this quite often in an exaggerated way and people who know me know what I’m doing so we usually get a good laugh.

Let’s not fool ourselves; just because we do something over and over doesn’t mean we’ll necessarily get better at it. It’s very hard for someone to get good at golf when all they do is play. If the pros practice then we need to all the more. The same logic applies in business; just because we’ve done something for a long time doesn’t mean we’re good at it. So remember, perfect practice makes perfect.
Brian Ahearn, CMCT® 
Chief Influence Officer
influencePEOPLE 
Helping You Learn to Hear “Yes”.

Filed Under: Uncategorized


About

Welcome to an aggregator for blogs about social engineering and related fields. Feel free to take a look around, and make sure to visit the original sites.
