Defensive Sphere

Enable GoDaddy Two-Factor Verification

You should always enable two-factor verification for all your online accounts whenever it’s available. GoDaddy is no exception.

Two-factor verification means verifying your identity with two separate factors: something you know (a username and password), something you have (a cell phone or hardware token), or something you are (biometrics).

For most companies, access to the domain registrar that hosts their domain names should be labeled highly critical to secure. If attackers gain access to your registrar account, they can redirect all of your company's email to a server they control, send your website traffic to malicious destinations, and cause a great deal of other damage.

You can increase your account's security by using two-factor verification, also known as Two Factor Authentication (2FA), MultiFactor Authentication (MFA), and two-step verification.

Once verification is enabled, every time you perform a high-risk task (such as changing your username) GoDaddy texts you a code you must enter. You can also choose to require the code every time you log in to your account.

1) Log in to your GoDaddy account.

2) In the upper left corner of the page, click Account Settings, and then select Login & PIN.

3) In the 2-Step Verification area, click Add Verification.

4) Select how you want the code sent to you, and then click Continue:

   a. Select SMS text messages if you want the code sent to you as a text.

   b. Select Authenticator App to use an authentication app to create the code.

5) Select when you want to use two-step verification, and then click Continue.

6) If you selected SMS text messages, enter your mobile phone number and click Continue. Enter the code GoDaddy texts you, and then click Save.

7) If you selected Authenticator App, follow the instructions to download an app, scan the bar code, and enter the authentication code, and then click Continue.

8) Click Add Backup.

9) Repeat Steps 4 through 6 to select a backup authentication method.

Starting immediately, your account will require two-step verification based on the options you selected.
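As an added illustration (not GoDaddy's code and not part of the original post), here is what the Authenticator App option in step 4 does under the hood: the app and the server share a secret, which is what the bar code you scan contains, and both sides derive the same six-digit code from that secret and the current 30-second time window (RFC 6238 TOTP, built on RFC 4226 HOTP). The secret below is the published RFC test key, not a real one, and the verification routine's drift window and replay check are design choices assumed here rather than anything the post describes.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890" in base32.
# A real secret is whatever the bar code the authenticator app scanned encodes, and it
# deserves the same protection as a password: anyone holding it can mint valid codes.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    then 'dynamic truncation' down to a fixed number of decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP whose counter is the number of
    `step`-second intervals since the Unix epoch. This is what the phone app displays."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time // step), digits)


def verify_totp(secret_b32: str, candidate: str, at_time=None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1):
    """Server-side check (assumed design). Returns the matching counter, or None.
    - accepts codes from `window` steps either side of now to tolerate clock drift;
    - rejects any counter at or below `last_counter`, so a code that was already
      accepted (or captured and reused) cannot be replayed within the window;
    - uses hmac.compare_digest so the comparison time does not leak the match."""
    if at_time is None:
        at_time = time.time()
    code = candidate.replace(" ", "").strip()      # users often type "287 082"
    now_counter = int(at_time // step)
    for drift in range(-window, window + 1):
        counter = now_counter + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # What the app would show right now for the demo secret, and a round trip through the check.
    now = time.time()
    code = totp(DEMO_SECRET_B32, at_time=now)
    print("current code:", code, "accepted at counter:", verify_totp(DEMO_SECRET_B32, code, at_time=now))
```

The takeaway for the procedure above is that the code itself is short-lived and useless on its own, but the shared secret is not: the bar code, any "export accounts" backup of the app, and screenshots of either should be treated like the documented 2FA settings the note below tells you to keep in a secure location.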

NOTE: Business owners and executives need to take extra precautions when it comes to two-factor verification.

1)    Make sure company policy requires that two-factor verification codes go only to company-owned cell phones. It's not fun trying to get a former employee to forward login codes that are going to their personal cell phone.

2)    Always document your two-factor verification settings in a secure location so the account stays accessible in the event of employee turnover.

Protect Your PII - Know Yourself

Do you have a complete list of your critical PII assets, where they reside, and how they are accessed?

If you answered no, don’t worry – you are not alone.

Of the two concepts discussed previously in the Protect Your PII series, this third one, Know Yourself, is the most important. You will never effectively secure what you don’t know, and to effectively secure yourself you must know yourself.

Let’s start with a snippet from one of the best security strategists of all time, Sun Tzu.

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

—Sun Tzu, The Art of War

Our “enemy” in this case is loosely defined as cybercriminals looking for PII. They are willing to obtain PII using any tactics possible, and they typically have the technical skills and resources to achieve their objectives. Since there’s an economy behind cybercrime, cybercriminals will generally look for the lowest hanging fruit first - easy targets cost less. Or, they look for the biggest score – volume discounts apply.

It's safe to say we know the "enemy" wants our PII. So check the "know the enemy" item off Sun Tzu's list.

The next item on the list, know yourself, is the weakest link in personal and business security. Knowing yourself is the process of defining what's important: your most critical assets. Few people and companies do this. Instead, companies tend to go with the latest and greatest silver bullet, which is quick and easy but far from effective. Individuals seldom do it because we have trained ourselves to believe nobody would want our critical assets, in this case our PII.

The first two steps toward knowing yourself are:

First, ditch the misconceptions that your PII isn’t valuable. Your PII is money. Your PII is a cybercriminal’s potential stepping stone to something else. Like pieces of a puzzle, cybercriminals will put together elaborate systems to get your PII. They are smart, tenacious, and should never be underestimated.

Second, define your critical assets and document them. Get out a sheet of paper and write down all your most important critical assets. This list should include financial accounts, retirement accounts, life insurance accounts, home loans, medical information, just to name a few.

Brainstorm. Think this through.

Critical assets/PII can exist in the form of online accounts, accounts with no online access, or documents.

An online account, for example, could be your online banking that includes your checking account, credit card, and home loan.

An account with no online access might be a life insurance policy that has physical paperwork, but no online access.

Documents might be your social security card, passport, driver’s license, etc.

Here’s a list of PII examples to refresh your memory.

·        Name

·        Social Security Number (SSN)

·        Date and place of birth (DOB/POB)

·        Mother’s maiden name

·        Medical information

·        Financial information

·        Email address

·        Driver’s license number

·        Passport number

Your goal is to define your important critical assets, their function, importance, how they are accessed, where they reside, and later… the credentials.
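A small added example (not from the original post) of one way to answer the "where does it reside" question for documents you already hold: a scanner that walks a text, records the kind of PII found and the line it sits on, and keeps only a masked value, so the inventory itself does not become another copy of the PII. The sample document, the two patterns, and the SSN plausibility rules are constructed here; it covers only SSNs and email addresses from the list above, and anything it flags still needs a human to decide how important the asset is and who can access it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample document (not real data) standing in for a file you are inventorying.
SAMPLE_DOCUMENT = """\
Employee file: Jane Doe, DOB 1980-04-12
SSN: 123-45-6789
Contact: jane.doe@example.com, phone 555-123-4567
Test records 000-12-3456 and 666-12-3456 are placeholders, not real SSNs
Shredding schedule: Friday
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # what kind of PII was matched
    line_no: int    # where in the document it resides
    masked: str     # a redacted form that is safe to keep in the inventory


SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the Social Security Administration never issues
    (area 000, 666 or 900-999; group 00; serial 0000) to cut false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask_ssn(serial: str) -> str:
    return "***-**-" + serial


def mask_email(address: str) -> str:
    local, _, domain = address.partition("@")
    return local[0] + "***@" + domain


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per PII hit, in document order, without storing the raw value."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding("ssn", line_no, mask_ssn(m.group(3))))
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding("email", line_no, mask_email(m.group(0))))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind: the headline number for the asset list."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_text(SAMPLE_DOCUMENT)
    for f in results:
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    print(summarize(results))
```

Run against the sample it reports one SSN on line 2 and one email address on line 3; the phone number and the two placeholder SSNs on line 4 are correctly ignored. Pointing `scan_text` at your own files gives you the "where they reside" column of the list this post asks you to build.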

But for now, just brainstorm, write everything down, then store your list in a safe place. Please don’t leave it sitting at the restaurant or BlackHat convention. We will go over securely storing this information digitally in the next Protect Your PII blog.

Here’s a quick sneak peek of what we are striving for in the next step.

Stay tuned for Protect your PII - Part 5. We will look at storing your critical assets securely.  

Stay secure,

Michael

Protect Your PII Series:

  1. Protect Your PII - The Beginning
  2. Protect Your PII - Small Changes
  3. Protect Your PII - The Law of Low Hanging Fruit
  4. Protect Your PII - Know Yourself

Protect Your PII - The Law of Low Hanging Fruit

Have you seen the T-shirts that read, "When the zombie apocalypse arrives, I don't have to be the fastest runner. I just have to be faster than you"?

The Law of Low Hanging Fruit is very similar, and it’s the second of three fundamental concepts in the Protect Your PII series.

Here’s another one for you – in case you like to rhyme:

Information that hangs low on the vine is often the first target time after time.

At this point you probably understand that just as water will always take the path of least resistance, so will most (cyber) criminals.

For example,

·        A stack of useful documents sitting in a trash can or recycle bin is far more attractive than a bag of cross-cut shredded paper.

·        Accounts with easy passwords will get compromised faster than accounts with complex passwords.

·        A car with a laptop bag sitting on the front seat is a bigger target than one that is not. 

Sounds pretty straightforward, right?

The answer is, it is! Applying even the simplest security controls can limit the attack surface you inadvertently provide an adversary. Remember Protect Your PII – Small Changes? Each small change you make raises those tree branches, keeping your fruit a little bit higher than everybody else’s fruit.

Regardless of whether you are a random or specific target in cybercrime, this rule will always apply*, so don't give anybody an easy path to your PII.

Practice applying small security improvements over time and your fruit will rise higher and higher.

Stay tuned for Protect your PII – Know Yourself.  

Stay secure,

Michael

*For the purpose of this article this rule always applies. The exceptions are targeted attacks: if an attacker's objective is to compromise Information X, the security surrounding that asset will be analyzed and techniques to bypass its controls will be used.


Protect Your PII - Small Changes

As we learned in Protect Your PII - The Beginning, identity theft can negatively impact your credit, finances, and family life. We will outline the steps you can take to protect your PII, but first we need to start with three fundamental concepts that are critical to success.

These concepts are:

1.      Small changes over time

2.      The Law of Low Hanging Fruit

3.      Know Yourself

Small Changes Over Time

First, let’s start with a good old fashioned analogy. No analogy could be better than one that refers to diet. Why diet you say? Because every time I say or think about PII, I think about pie. Today I’m really craving pumpkin pie again. With whipped cream. Lots of whipped cream. But enough of my cravings… let’s get back to PII.

To make successful lifestyle changes to improve overall health, your best strategy is to make small adjustments over time. Sure, it would be wonderful to all at once eat clean, do cardio five times a week, lift weights three times a week, get eight hours of sleep every night, and miraculously come out chiseled.

I can tell you right now, starting all of the above at the same time, for an average person, is setting a course for failure. Permanent lifestyle changes are best executed in small stages, giving them time to become ingrained in your day-to-day. The same is true for protecting your PII.

As you implement strategies within the Protect Your PII blog series, it's important to take them one step at a time and execute each to success. You don't need to strive for perfection; strive for small successful steps.

For example, a future topic will be simple document shredding. Once you have a cross-cut shredder and you make PII shredding a habit, you will be ready to successfully implement another step in protecting your PII. Continuing with this example, you can move on to monitoring your credit report, then another task after that.

Each successful small change over time will improve the protection of your PII and help reduce the risk of identity theft.

Stay tuned for the second of three fundamental concepts, Protect your PII – the Law of Low Hanging Fruit.

Stay secure,

Michael


Protect Your PII - The Beginning

I love pie, especially a warm slice of pumpkin pie topped with a dab of cool whip. Although this sounds incredibly tasty, and I’m a bit heartbroken to say I am currently without, this isn’t the kind of “PII” I’m talking about.

But there’s no reason to worry. Our fresh dab of cool whip to brighten your day will come in the form of another PII, or Personally Identifiable Information. That’s a mouthful of words, but rest easy. Instead of eating this PII, we are going to protect it.

Let’s go ahead and dig in.

One of the most common types of information assets we encounter in our Defensive Sphere engagements is PII. Human resources departments, financial institutions, insurance agencies, healthcare, education, you name it… Personally Identifiable Information, or PII, is everywhere.

So, what is PII?

PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

PII can be found in most companies as well as everybody’s personal life. Everybody has PII, and very often the companies we work for interact with other people’s PII.

Examples of PII include:

·        Name

·        Social Security Number (SSN)

·        Date and place of birth (DOB/POB)

·        Mother’s maiden name

·        Medical information

·        Financial information

·        Email address

·        Driver’s license number

·        Passport number

PII is highly sought after by cybercriminals for many nefarious purposes, so it's very important to protect it.

The biggest reason is identity theft. An increase in spam or unsolicited phone calls is a nuisance, but identity theft can negatively impact your credit, finances, and family life.

Identity theft can result in the following:

·        Financial problems

o   Compromised bank accounts

o   Stolen money from accounts and investments

o   Unauthorized credit cards and transactions

o   Increased debt

·        Credit issues

o   Damaged credit scores

o   Inability to purchase home or car

o   Increased financial loss due to lower credit rating

·        Medical benefit losses

o   Improper use of your medical benefits

·        Legal problems

o   In some cases, you could become the criminal if your stolen identity is given to police

o   Failed criminal background checks

o   Attorney fees related to clearing your name/credit

·        Personal cost

o   Lots of lost time, money, and reputation

Continue to Protect your PII - Small Changes. I’ll introduce you to steps you can take to protect it.

In the meantime, go treat yourself to a piece of your favorite pie.

Stay secure,

Michael
