Trump Hotels Latest Victim of Card Breach

It appears hotels associated with the Trump Collection are the latest reported victims of a credit/debit card data breach. Brian Krebs of krebsonsecurity reported yesterday that multiple banks had traced fraudulent debit and credit card activity to use at Trump Collection hotels across the country. Sources in the financial industry, according to Krebs, “say they have little doubt that Trump properties in several U.S. locations — including Chicago, Honolulu, Las Vegas, Los Angeles, Miami, and New York — are dealing with a card breach that appears to extend back to at least February 2015.”


Small Business Security Basics

Social Engineering

Simply stated, “Social Engineering” as it relates to cybersecurity is tricking someone into giving up information or violating security procedures. It is non-technical in nature and relies heavily on human interaction. Most of the major breaches reported in the press used social engineering tactics as a component of the attack.

Authors of virus software use social engineering to get users to open malware-infected emails. Phishing is used to convince people to give out sensitive information. Some scammers use scareware to get individuals to purchase useless and sometimes dangerous software.

Often social engineers try to gain the confidence or trust of the authorized user of a system to get them to reveal sensitive information that could compromise system security. They take advantage of people’s natural desire to be helpful. An example would be contacting an employee with an urgent issue that requires immediate access to the network or system. It also includes simply snooping or looking over a coworker’s shoulder.

There are several defined types of social engineering:

Baiting: Leaving media such as a USB drive or CD-ROM lying around for some curious individual to find and load onto their workstation, which then automatically installs malware.

Phishing: Using disguised fraudulent email that appears to be from a trusted source. The purpose is to get the recipient to install malware on the system or share sensitive information.

Spear Phishing: A phishing attack aimed at a specific target or individual.

Pretexting: Pretexting is lying to obtain information. An example of pretexting is an attacker pretending to need personal or financial data to confirm the identity of the target.

Quid pro quo: The attacker offers something the target might like (free gift) in exchange for sensitive information.

Shoulder Surfing: Just what it sounds like. Looking over a person’s shoulder while they are entering sensitive information such as login credentials.

Dumpster Diving: Going through an organization’s trash to obtain information.

Tailgating: An unauthorized person following an authorized person into an otherwise secure location.

The best method to combat social engineering is employee awareness and education. Make certain individuals are aware of security policies and of the potential threats and consequences when personal, company, and/or client data is exposed to the wrong people.

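The phishing definition above describes email that is "disguised" to look like it comes from a trusted source. The following is an added example, not code from the original post, of the simple checks a small business could run over incoming mail to surface the common disguises: a lookalike sender domain, a Reply-To that routes answers elsewhere, urgency language, and a link whose visible text names a different host than the one it actually points to. The two sample messages, the `TRUSTED_DOMAINS` allow-list and the `URGENCY_PHRASES` list are all constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not taken from the post). The first combines
# several disguises the post describes: a lookalike sender domain, a Reply-To
# pointing elsewhere, urgency language and a link whose text hides its real target.
SAMPLE_PHISH = """\
From: "Acme Bank Support" <alerts@acme-bank-secure.example>
Reply-To: recover@mailbox.example
To: employee@smallbiz.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>Your account will be suspended. Click
<a href="http://login.acme-bank-secure.example/verify">https://www.acmebank.example/login</a>
to verify now.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Acme Bank" <no-reply@acmebank.example>
To: employee@smallbiz.example
Subject: Your monthly statement is available
Content-Type: text/html

<html><body>
<p>Sign in at <a href="https://www.acmebank.example/statements">https://www.acmebank.example/statements</a>.</p>
</body></html>
"""

# Hypothetical allow-list of the real domains the business actually deals with.
TRUSTED_DOMAINS = {"acmebank.example"}
# Constructed list of pressure phrases; a real deployment would tune this.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")


def domain_of(addr: str) -> str:
    """Bare, lower-cased domain of an RFC 5322 address ('' if there is none)."""
    _, mailbox = parseaddr(addr)
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable reasons a message looks like a disguised email."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From", ""))

    # 1. Lookalike sender: carries a trusted brand name without being the trusted domain.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if from_dom != trusted and brand in from_dom.replace("-", "").replace(".", ""):
            findings.append(f"sender domain {from_dom} imitates {trusted}")

    # 2. Replies silently routed to a different domain than the apparent sender.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from sender {from_dom}")

    # 3. Pressure language that social engineers use to short-circuit judgement.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    html = body_part.get_content() if body_part else ""
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 4. Links whose visible text names one host while the href goes to another.
    for href, label in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        href_host = (urlparse(href).hostname or "").lower()
        label_host = (urlparse(label.strip()).hostname or "").lower()
        if label_host and href_host != label_host:
            findings.append(f"link text shows {label_host} but points to {href_host}")
        if urlparse(href).scheme == "http":
            findings.append(f"plain-HTTP link to {href_host}")
    return findings


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Flag a message once several independent indicators line up."""
    return len(phishing_indicators(raw)) >= threshold


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, is_suspicious(sample), phishing_indicators(sample))
```

No single indicator is proof on its own (legitimate mail sometimes uses a different Reply-To, for instance), which is why `is_suspicious` requires at least two to agree; the value of the findings list is that it gives an employee a concrete reason to pause and verify through a known-good channel rather than acting on the message.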
The availability of and relatively easy access to broadband and the Internet are powerful tools for small businesses. They allow them to reach new markets and increase sales and productivity. However, cybersecurity threats are real and can threaten businesses, their employees, their customers and their data. Businesses should develop a security plan as a part of the business structure. I will provide a couple of resources to go to for help at the end of this article. In the meantime, however, there are a few fundamentals you should adhere to to get started.

One of the most often overlooked areas of any security plan is employee training once security practices and policies have been developed. The best plan has no effect if people are not aware of the policies. This initial policy does not need to be detailed or complicated; however, it should include certain items at a minimum.

- Employees should be required to use strong passwords
- Office policy regarding appropriate Internet use should be established
- Employees should be made aware of penalties for violating policies
- Rules and standards should be established regarding protection of sensitive client and company data

Employee responsibility regarding security policy should be in writing and required reading for all employees.

Priority should also be given to protection of your technology assets such as data, workstations and networks. Computers should be kept as clean as possible. Any unnecessary software should be removed. Software that is installed should be kept current with the latest updates. This includes web browsers, application software and operating systems. It is essential that anti-virus software is updated, as computer threats change on a daily basis.

Physical access to your computers should be a part of your security plan as well. Use of business computers should be limited to authorized personnel only. Create individual user accounts for each employee. Laptops and other mobile devices should be locked down when not in use. Administrative accounts should only be used when absolutely needed and restricted to IT and key personnel.

As with all plans, always prepare for the worst. All important data should be backed up in the event your data falls victim to natural disaster, theft or damage. Data backup should occur weekly at a minimum. There should also be at least 2 copies of backed-up data, with at least 1 copy stored off site.
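The backup rule above (weekly at a minimum, at least two copies, one of them off site) is easy to state and easy to let slip. As an added example that is not part of the original post, the script below turns it into something a small business can actually run and check: it archives a folder into a timestamped tarball, writes a SHA-256 sidecar, copies both to a second location standing in for the off-site copy, verifies the copy matches, prunes old generations, and reports whether the newest backup is older than seven days. The sample files, directory names and the `keep` and `max_age_days` defaults are constructed for the example; a real off-site copy would be a mounted remote share or cloud bucket rather than a second local directory.

```python
import hashlib
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def prune_old(location: Path, prefix: str, keep: int) -> list[Path]:
    """Delete all but the newest `keep` archives (and their checksum sidecars)."""
    archives = sorted(location.glob(f"{prefix}-*.tar.gz"))  # timestamps sort lexically
    removed = []
    for old in archives[:-keep] if keep > 0 else archives:
        old.unlink()
        sidecar = old.with_name(old.name + ".sha256")
        if sidecar.exists():
            sidecar.unlink()
        removed.append(old)
    return removed


def backup_directory(src: Path, primary: Path, offsite: Path, keep: int = 4) -> dict:
    """Archive `src` into `primary`, mirror it to `offsite`, verify both copies, prune."""
    for loc in (primary, offsite):
        loc.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = primary / f"{src.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    digest = sha256_of(archive)
    sidecar = archive.with_name(archive.name + ".sha256")
    sidecar.write_text(f"{digest}  {archive.name}\n")
    # Second copy: the post's "at least 1 copy stored off site".
    copy = offsite / archive.name
    shutil.copy2(archive, copy)
    shutil.copy2(sidecar, offsite / sidecar.name)
    if sha256_of(copy) != digest:
        raise RuntimeError("off-site copy does not match the primary archive")
    for loc in (primary, offsite):
        prune_old(loc, src.name, keep)
    return {"archive": archive, "offsite": copy, "sha256": digest}


def verify_archive(archive: Path) -> bool:
    """Recompute the archive hash and compare it with the stored sidecar."""
    sidecar = archive.with_name(archive.name + ".sha256")
    expected = sidecar.read_text().split()[0]
    return sha256_of(archive) == expected


def backup_overdue(location: Path, prefix: str, max_age_days: float = 7) -> bool:
    """True when the newest archive is older than the weekly minimum (or none exists)."""
    archives = sorted(location.glob(f"{prefix}-*.tar.gz"))
    if not archives:
        return True
    return time.time() - archives[-1].stat().st_mtime > max_age_days * 86400


def restore(archive: Path, dest: Path) -> Path:
    """Verify the archive, refuse unsafe member paths, then extract into `dest`."""
    if not verify_archive(archive):
        raise RuntimeError(f"checksum mismatch for {archive}")
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                raise RuntimeError(f"unsafe member path in archive: {member.name}")
        tar.extractall(dest)
    return dest


def demo() -> dict:
    """Run the whole cycle on constructed sample files and return what was checked."""
    root = Path(tempfile.mkdtemp(prefix="backupdemo-"))
    src = root / "books"
    src.mkdir()
    (src / "ledger.csv").write_text("date,amount\n2015-07-01,120.00\n")  # constructed data
    (src / "clients.txt").write_text("Acme Corp\nWidgets Ltd\n")          # constructed data
    result = backup_directory(src, root / "primary", root / "offsite", keep=2)
    restored = restore(result["offsite"], root / "restore")
    result["verified"] = verify_archive(result["archive"]) and verify_archive(result["offsite"])
    result["restored_ok"] = (restored / "books" / "ledger.csv").read_text() == (src / "ledger.csv").read_text()
    result["overdue"] = backup_overdue(root / "primary", "books")
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Two points are worth noting. First, a backup that has never been restored is only a hope, so `demo` restores from the off-site copy and compares a file, which is the test a business should repeat periodically. Second, `backup_overdue` is the check to wire into a weekly reminder: if it returns True the minimum schedule in the post has already been missed.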

This is a start to get you thinking. I will be providing additional and more detailed information in future posts. The links below can be used as a resource for more detailed security planning and cybersecurity in general.