Information Week has written a list of top security trends to watch in 2012. Topping the list is the now inevitability of breaches. It’s not if or when you’re going to get hacked, but how, and what are you going to do about it?

Cyber espionage will also continue to rise, and while China often gets the blame for its aggressive cyber tactics, every major country today is practicing cyber espionage, notes the article.

Check out the list of trends – from the importance clean code to the rise of mobile malware one thing is certain – demand for security professionals will continue to rise. And as threats evolve and mature, the need for qualified professionals with up-to-date certifications and industry skills will grow along with them.

There’s a reason cybersecurity is a hot and in-demand industry – it’s because the level and sophistication of malware and other attacks are growing. A new malware attack is aimed at the smart cards used across the department of defense and for a number of defense contractors and employers. Smart cards are credentials used to grant access to computer systems and secure information.

The new malware attack uses spear phishing to get users to open a PDF file, which then installs malware on the machine. Once installed, it uses a keylogger to obtain the PIN numbers used with smart cards, and later uses those PIN numbers to gain access to secure information.

It’s not the first malware to target smart cards according to Digital Trends, but it is rare in that it seems to explicitly target smart cards. The fact that it only acts when an authorized user is using their smart card credential may also make it more difficult for security systems to detect.

It should come as no surprise that cybersecurity experts are anticipating the sophistication of attacks and malware threats to grow in 2012. From organized networks of black hat hackers such as Anonymous to state-sponsored cyber espionage originating in China and Russia, threats will expand and continue to affect both personal data and critical infrastructure.

Despite cyber event such as Stuxnet, experts are hesitant to call all-out cyber war, and note that even in an era of sophisticated attacks data mining remains the most effective brand of cyber espionage used today.

"People still represent the weakest link in security for a large amount of enterprises and that is the reason they are targeted," Rik Ferguson, director of security research and communication at Trend Micro was quoted as saying in Computerworld. "Training still has an important place in an organisation's security planning but it needs to be ongoing training, not a one-time only event."

As fast as companies and security professionals can be at alerting their staff to new or emerging threats, the efforts of malicious attackers often outpace those efforts. As cheesy as it sounds, every user on every network needs to have constant vigilence in their online actions.

The creation of fake websites — often known as spoofing — is becoming a major concern for the U.S. military, according to a new article by Rita Boland in SIGNAL Magazine. Spoofing involves individuals making a website that looks on the surface nearly identical to a legitimate one. Many users will not know the difference. The purpose of the spoofing website is to fool the user into sending sensitive information which can be used by the website’s creator. Types of information which can be gained by spoofing websites include login names, passwords, email addresses, addresses, and other private information.

In the article, Boland describes one incident earlier in the year when the U.S. Air Force Portal was spoofed in an attempt to trick servicemembers into entering their login and password information. It is unknown how many Air Force personnel fell for the scam, but the threat is great enough that all the services are paying attention to the problem of website spoofing.

Boland reports that aside from the Air Force, the U.S. Army is also threatened by spoofing attempts, including Army Knowledge Online, one of the most used websites by Army personnel. There is no doubt that many more federal agencies and companies, including those involved in national security work, have and will continue to be targeted by spoofing attacks. The low cost of spoofing (which could be as low as a few hundred dollars) likely make it an appealing method for individuals or foreign agents looking to collect intelligence on the United States.

With the extent of the spoofing threat, it is not hard to see why cybersecurity continues to be one of a few areas immune to budgetary cutbacks. While many federal agencies including the FBI and the Department Of Defense are cutting back on new hires, most if not all are planning on increasing the size of their cybersecurity workforce. Cybersecurity budgets at many of these organizations has so far been spared from the wave of realized or planned budgetary cutbacks.

With official military websites and defense contractors perhaps some of the most likely candidates for spoofing attacks by hackers and foreign governments, it's of increasing importance for individual users to monitor urls and ensure websites they're visiting the right website before entering any information.

An Inspector General audit flaming the FBI for a lack of cybersecurity skills may prove to be an opportunity for the agency, which is set to receive an additional $18.6 million to create 42 new positions, including 14 special agents, to work directly on combating cyber threats.

A bill signed into law by President Obama Nov. 18 allocated the funds for the additional positions, as well as providing more money to help states fight cyber crime and more than doubling funding for the Federal Cyber Service's Scholarships for Service.

The IG report offered a harsh assessment, despite the fact that over the past year the FBI has had several high-level cyber wins, including working with law enforcement in Estonia to break up one of the largest Internet crime schemes, which infected more than 4 million computers with malware.

The creation of new special agents to address cyber threats points directly to one of the recommendations of the IG report. Agents themselves noted the difficulty of the FBI’s system of rotating agents through field assignments. Cyber resources were spread thin by having cyber squads in each field office, as well – many of those offices staffed by agents who said they didn’t feel qualified.

Even as the Intelligence Community tightens its belts and prepares for a budget crunch, investment in cyber, including cybersecurity positions, grows.

A new bill to protect intellectual property may cause new security risks, according to Brookings Institute Fellow Allan Friedman. Bills in both the House and Senate aimed at protecting online privacy and intellectual property use risky DNS blocking protocols, says Friedman. The legislation will allow the federal government to order Internet Service Providers to block access to certain websites using DNS resolvers. The programs don’t actually eliminate the infringing sites themselves, but simply block access by “tricking” users into thinking the sites don’t exist.

Friedman says the problem with the bills is that “it's very, very easy to get around DNS blocks. All you have to do is use a DNS resolver that's not in the jurisdiction of the bill; it's outside of America." By making DNS resolvers the answer for individuals looking to gain access to sites blocked by the federal government, demand for foreign made DNS resolvers will exist – and these have already proven to be a haven for outside countries looking to trick users with malware.

The problem, according to Friedman, is that the bill fails to address the actual problem and opens up a new host of potential issues for U.S. users.

Need a little help brainstorming your next password? Here's a hint - don't use any of these in the list of top 25 worst passwords of 2011, as composed by SplashData. They compiled the list based on stolen passwords posted by hackers online. Some on the list are things you might expect - including popular names or favorite sports. But for all of those of you using "dragon" "monkey" or "iloveyou" as your password...well.

1. password

2. 123456

3.12345678

4. qwerty

5. abc123

6. monkey

7. 1234567

8. letmein

9. trustno1

10. dragon

11. baseball

12. 111111

13. iloveyou

14. master

15. sunshine

16. ashley

17. bailey

18. passw0rd

19. shadow

20. 123123

21. 654321

22. superman

23. qazwsx

24. michael

25. football

SplashData also offered these three tips for creating better passwords:

1. Vary different types of characters in your passwords; include numbers, letters and special characters when possible.

2. Choose passwords of eight characters or more. Separate short words with spaces or underscores.

3. Don’t use the same password and username combination for multiple websites. Use an online password manager to keep track of your different accounts.

For most organizations the answer is a resounding no, according to Department of Defense’s Office of Inspector General (IG). It’s another progress report on DoD security efforts that point to how long it has taken the government to adapt to today’s threats.

The report noted the importance of security structure in addressing persistent threats, including preventing the next Wikileaks or Fort Hood. But while security reviews and audits of security training and education have been done, “the process for training and certifying DoD security professionals remains fragmentary with no standardization across the security enterprise.”

Security managers surveyed in the report noted that most training occurs on-site, on-the-job, or online. While two-thirds of respondents felt that security training prepared professionals for their responsibilities, the fact that most of the training occurs on-the-job means there is lost time in building up security skills. And with military rotations forcing some individuals to move onto new assignments after as little as 18 months on the job, organizations go through frequent cycles of having to re-train security staff.

Training funding was also cited as an issue. With training funds considered a low priority, commands often reallocate those dollars to meet other needs.

The undersecretary of intelligence has been developing the Security Professional Education Development (SPeD) certification program since 2009, but there are fears that program may never be implemented. The SPeD program isn’t a requirement until 2017, with program officials advocating that a slow build-up period allows for lessons learned to be implemented as the program progresses.

The Defense Advanced Research Projects Agency (DARPA) was listed as one of the few bright spots in DoD security training. DARPA utilizes contract and civilian security experts, with an average of 24-years of security experience. Unlike many agencies, DARPA’s security personnel perform security as a primary, rather than a collateral duty.

Mobile devices are all the rage – from combat troops to the president, it’s hard to keep anyone away from their favorite smart phone these days. And in addition to increased demand for applications keeping IT professionals busy, security experts are also taking notice of the trend. They’re citing the importance of keeping mobile devices safe from both malware and viruses, and compromises caused by user error or laziness.

Some federal agencies and local governments have jumped in with both feet, deciding that the benefits of mobile devices outweigh the risks.

Delaware is one of those states. Elayne Starkey, chief security officer for the state, recently traded her Blackberry for an iPhone and offered these simple tips for employees using their personal devices to connect to the state’s network:

1. Strong password.
2. Password history.
3. Password that expires.
4. Inactivity time out.
5. Lock out after seven failed attempts to log on.
6. Remote wipe if device is compromised or failure to log on after seven failed tries.
7. Encryption, if device is capable of employing it.

They’re simple tips pretty much everyone should take regardless of whether you’re using your device for work. Just like computers themselves, “smart” phones are only as smart as their users, and require a few extra steps to ensure data is secure.

Can a black hat hacker make a turn for the ethical? Cisco thinks so. It recently conducted an interview with a former Anoymous hacker who goes by SparkyBlaze. Fed up with the nearly continual flooding of the Internet with people’s personal data, SparkyBlaze left the controversial group and is now hoping to move from Manchester, England to the U.S. to study computing and land a gig as an ethical hacker.

SparkyBlaze is no cyber Robin Hood, however. He defends the actions of Wikileaks and sees hacking as a demonstration of free speech. His justifications aside, he notes the perils of hacktivism, including the reality that if an individual is ever convicted for hacking or breaching computer systems, his career chances are slim. Add in the reality that for hackers in the U.S. hoping to make a turn to the government’s very lucrative cybersecurity industry, the possibility of obtaining a security clearance is also slim.

In addition to dishing on hactivism and computing, SparkyBlaze also offers sage advice for companies and individuals looking to make their data secure. He shared this specific advice for companies:

• Deploy defense-in-depth
• Use a strict information security policy
• Have regular audits of your security by an outside firm
• Use IDS or IPS
• Teach your staff about information security
• Teach your staff about social engineering
• Keep your software and hardware up to date
• Watch security sites for news on computer security and learn what the new attacks are
• Let your sysadmins go to defcon ;D
• Get good sysadmins who understand security
• Encrypt your data (something like AES-256)
• Use spam filters
• Keep an eye on what information you are letting out into the public domain
• Use good physical security. What good is all the [security] software if someone could just walk in and take [your “secure” systems]?

He also offered companies a warning about social engineering, which he sees as the biggest computer security issue today. Companies can invest all of the time, resources and personnel into security they’d like. If someone comes along and is able to convince a user to give up his or her password or critical data, it’s irrelevant.

Visitors to federal websites continue to be vulnerable covert redirections to fake websites. By exploiting weaknesses in the internet's domain name system (DNS), criminals are able to transfer visitors to bogus websites for the purposes of stealing their personal information. Worst still, more than three years ago all federal websites were directed to install safeguards to protect such redirections. In 2008, the Bush administration ordered all agencies to adopt a set of digital signatures and keys which would allow a web address to be verified. The safeguards, called domain name system security extensions (DNSSEC) would allow visitors to US government websites to be certain that they on a legitimate website, not one set up by online criminals. However, according to the General Services Administration, currently less than a quarter of federal websites use DNSSEC.

According to Lee Ellis, program manager of the .gov top level domain name, one of the major barriers to implementation is that web users do not have a visual indication that a website is using DNSSEC. Unlike some other security measures, DNSSEC is invisible to users. Some federal agencies, like the Health and Human Services, NASA, and the General Services Administration, use DNSSEC, however to visitors their site looks just as secure as other agencies which have yet to incorporate the security feature in their online presence.

News of the low levels of DNSSEC adoption comes at the same time that new statistics are showing that even enterprise networks are highly vulernable to malware. Data released late last month by the online threat protection company FireEye claims that 99% of enterprise networks have malware entering their systems each week, with 80% of networks seeing more than 100 new instances. As reported by Net-Security.org, the statistics reveal that enterprise networks “are not keeping up with highly dynamic, multi-stage attacks that cyber-criminals now use to attack enterprises and federal agencies”.

As an increasing number of federal agencies use their online presence to provide critical services to their customers, it is more important than ever to protect users from online criminal activity. Improving the adoption rates of DNSSEC is a good start, but efforts by federal agencies to protect themselves and their users still have a long way to go. 

Do all of these security breaches have you feeling nervous for your own personal computer at home? Have no fear – the National Security Agency has produced a series of documents to let you know how you can lock down your computer and increase your operating system’s security. Divided by operating systems, from Linux to Mac to Windows, the easy-to-read (relatively speaking) PDFs offer step-by-step instructions on a variety of vulnerabilities and issues. According to the NSA, “these guides are currently being used throughout the government and by numerous entities as a security baseline for their systems.” Check them out to get your computer up-to-snuff with the latest security configuration guidelines.

A data breach this spring resulting in over 24,000 files being stolen, the Pentagon revealed as it unveiled its long-awaited “Strategy for Operating in Cyberspace.” Spokespersons acknowledged the attack as one of the most aggressive to date, but described much of the data stolen as “mundane” although some information concerning sensitive military systems was involved.

The fact that defense department systems are under constant attack comes as no surprise. Officials have long acknowledged that new malicious programs and threats are discovered every day. The fact that so many files were obtained in a single breach, and that the Pentagon was able to keep it a secret, did come as a surprise to many.

But it isn’t the first time the Pentagon has remained mum when it comes to cybersecurity. It only recently acknowledged a 2008 attack involving a flash drive, which caused so much damage the entire defense network quickly banned the use of any portable drives on government systems.

So how does the Pentagon lose 24,000 sensitive files? It isn’t disclosing details, but Deputy Secretary of Defense William Lynn acknowledged that it was a “foreign” attack on a defense contractor. Cybersecurity experts are speculating that the breach is likely to have been the result of a spear phishing or data mining campaign targeting users with access. Another friendly reminder to view emails, links and internet postings with caution.

Service members were again targeted in a data security breach involving defense contractor Booz Allen Hamilton. Hackers posted approximately 90,000 military email addresses obtained from the company on their website. Booz Allen Hamilton confirmed the breach this week in a statement posted to their website, noting that they are in the midst of conducting a full review but believe the data breached was related to a learning management system for a government agency.

Antisec, a part of the activist hacker group Anonymous, posted the information on its site and claimed responsibility in a message to the Pastebin file storage site. “"We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty," said the hackers.

The Washington Post Jobs site has joined a growing list of websites being hit with data security breaches. In an email to users last week the Washington Post verified that an “unauthorized third party attacked” the Jobs website once on June 27 and once on June 28. While user IDs and e-mail addresses were compromised, Washington Post assured customers that passwords and other sensitive data were not a part of the breach. 1.27 million accounts were compromised.

The publication noted that no other parts of washingtonpost.com or the Washington Post system were affected. Users are urged to be cautious about any emails they receive, as it’s expected the user data will be used for spear phishing and data mining campaigns.Users were also cautioned to be aware of additional SPAM, and offered these tips for recognizing it:

• You do not recognize the sender.

• The message is unexpected or unsolicited.

• The subject line and/or e-mail contain misspellings or grammatical errors.

• The message is alarmist or has a strong sense of urgency.

• The message includes or references an altered, misspelled, suspicious, or bogus web address. (You should always verify web addresses before clicking on a link.)

• The message requests money or rescue.

• The message solicits personal information (e.g., password or bank account number).

The Washington Post established an online Q and A and directed individuals to the Stay Safe Online site sponsored by the National Cyber Security Alliance. The web site offers online safety tips and Internet awareness on topics ranging from cyberbullying for parents and kids to business tips on computer safety.

The Washington Post Jobs breach follows a string of highly publicized breaches of government agencies, major companies and small businesses.

Their ability to dominate internet forums with jihadist propaganda aside, terrorist lack sophisticated cyber skills, according to the State Department.

“The cyberthreat is growing, but it is not first and foremost a terrorist threat. It is a state-on-state threat,” said State Department counterterrorism coordinator Daniel Benjamin, as reported by National Defense.

Recent high-level breaches, including attacks on major defense companies, are likely coming from other states, and are not the result of terrorist networks including Al Qaeda. The fact that today’s cyber warfare is of the more traditional state-on-state nature is a key reason why Pentagon officials are categorizing cyber threats in traditional defense terms, and are willing to meet a cyber attack with a more traditional counterattack.

But just because most major attacks today aren’t terrorist related doesn’t mean they won’t be in the future. Terrorists have already been credited with low-level denial of service attacks, according to the State Department, and just as they have adapted in the past, they will likely continue to adapt their online techniques to include the cyber threats so often on the minds of many in the U.S. national security industry, and creating a sharp increase in demand for cybersecurity professionals.

If you’ve provided your information to popular military news sites, you may want to be extra cautious about any emails you receive asking for personal information. Gannett Government Media, the publisher of military news sites including Army Times, Defense News, Federal Times, and the Armed Forces Journal, notified readers this week of a breach that impacted user files. Information accessed included names, userID, password, email address, and for those who provided it, zip code, duty status, pay grade, and branch of service.

It’s yet another high profile breach but particularly important because of the unique user base it’s after. Service members and veterans make up the majority of account holders on the sites affected. Military and defense industry targets are highly sought after for cyber criminals, who use spear phishing campaigns to try to gain access to classified systems.

Gannett isn’t saying who is responsible for the attack or if they have any other details, but simply stated that they have hired an outside cybersecurity company to investigate and increase security measures.

Gannett is encouraging users to change their passwords on both Gannett news sites as well as other online accounts, specifically those connected to the same email address used on their sites.

Hackers are making their ambitions known with increasingly high-profile attacks and flagrant public admissions of their online exploits. And now two hacker communities, LulSec and Anonymous appear to be teaming up to continue their efforts to infiltrate government websites. Most worrisome, they appear to be moving past harmless break-ins designed to demonstrate poor network defenses and onto Wiki-leaks inspired efforts to disseminate classified information.

A June 19 statement released by LulSec illustrated their efforts in naval warfare terminology, declaring their “Lulz Lizard battle fleet is now declaring immediate and unremitting war on the freedom-snatching moderators of 2011.”

Government agencies aren’t the only targets. The statement noted that banks and “high-ranking establishments” would also among the institutions hackers look to breach.

This rise in network breaches highlights the need for cybersecurity experts and those with the skills to defend computer networks, including certified ethical hackers - people paid to think like hackers and provide companies and government agencies the information they need to keep their systems safe.

“An ethical hacker is nothing more than a computer bodyguard,” said Jay Bavisi, cofounder of the EC-Council. “Ethical hackers are trying their best to determine if a hacker were to attack your network, how they would do it. They're trying to figure out if they are able to protect your system and if the system has been sufficiently protected. That's what an ethical hacker is. An ethical hacker is not a person that goes out and picks any Tom, Dick or Harry, or any corporation and without their permission launches an attack and then comes back to you and says we attacked your system and you are vulnerable.”

The EC-Council offers a Certified Ethical Hacker professional certification. There is also a Certified Network Defense Architect, a certificate designed specifically for government agencies and available only to those agencies.

If you didn’t already think cybersecurity is hot the latest round of web breaches is bound to make those in the IT/information security industry feel pretty good about their job prospects. Major defense contractors, including Lockheed Martin, L-3 and Northrop Grumman, are the latest to be hit in a series of web breaches.

The sophisticated attack by hackers was able to breach defense systems by creating duplicates to “SecureID” electronic keys from the RSA security division. The electronic keys are basically fobs that display a constantly changing password. A long-standing means of security, the key fobs are far less expensive than other options, such as biometrics based options such as fingerprinting and retina scans, and typically seen as a solid form of information security. In the face of the RSA breach, however, it is speculated that biometric security may become more in demand.

Most of the defense contractors have declined to comment, noting that they don’t discuss the details of breaches. Many in the intelligence field have noted that major defense contractors have been under attack by cyber criminals since the 1990s. Hackers seek proprietary information, research and development data and information on weapons systems.

"We have policies and procedures in place to mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems security," said Lockheed spokesman Jeffery Adams.

The attacks come on the heels of a White House announcement on cybersecurity, as well as a Pentagon cybersecurity strategy set to be released later this month. Early reports on the Pentagon strategy note that it will be coming out strongly against cyber attacks, declaring them an act of war.

These days it’s easier to think of who hasn’t faced a major cyber security breach than who has. Everyone from government agencies to major companies and even defense contractors have faced recent and high profile breaches. These incidents don’t just cause a media headache, but present major costs to the companies affected. A cybersecurity breach presents a double-edged sword. Companies don’t just have to deal with the physical security hole itself but must also cover the cleanup including customer notification and attorney’s fees.

And gone are the days when only large companies had to fear hackers. Verizon’s 2011 Data Breach Investigations Report cites that smaller sized companies are now prime targets for hackers. Smaller companies may not be able to recover from problems as easily as large companies, and lack the financial infrastructure to cover costs.

Enter “cyber liability coverage” which is a relatively new offering in the insurance industry. Operating under the commonly held belief today that it’s not if you’ll undergo a cyber attack it’s when, liability coverage ensures that businesses are covered for the costs associated with a breach, from attorney’s fees to credit monitoring.

Fox’s Business’ Small Business Center notes that cybersecurity policies may include:

• Breach Notice Costs (Don’t think those mailed notices and credit reports come cheap)
• Damages and Defense Costs (Coverage for information security and cyber breaches)
• Service Provider Breach (Protects your information wherever it’s at – even in the cloud)
• Crisis Management and Data Restoration (Helps you get up and running)
• Denial-of-Service Attacks (Lost income or the cost to get up-and-running after a denial of service)
• Cyber Extortion (Can cover the costs of settlement or hiring a security team to track down a hacker)

In yet another reason why it’s not a good idea to say you hate your boss on Facebook, Eric O’Neill, FBI operative and security expert, notes that it’s the “human element” that often poses the greatest risk to network security.

Hackers don’t just spend hours online looking for information, they spend hours on social networking sites, public websites, and other open source platforms.

"If I were to try to steal from you, I would examine your personnel, and today I'd start on Twitter, Facebook, and look at as many people involved with you that I can find," said O'Neill. "I would look for people who talked about how they hated their boss. I'd find out where they like to hang out and I'd go see what they had to say," he said.

Many companies, and individuals, are much too trusting, especially when it comes to affiliations and partnerships, O'Neill noted. Some adversaries will set up entire companies, or nonprofits, and try to lure their target into a seemingly legitimate relationship. Once the door is open, it’s hard to prevent the risk.

It demonstrates that as tight as one might keep physical security, without solid training for employees, and a clear understanding of the hazards even seemingly irrelevant data might pose in the wrong hands, your company or organization is still in danger of a cyber breach.

It’s another friendly reminder from your friends at FBI cybersecurity – when in doubt don’t click. With the news of Usama bin Laden’s death spiraling across the Internet cyber sleuths are taking advantage of the frenzy with a wave of malware and malicious code tied to photos or video. With individuals eager to see all the news some are taking their Internet security for granted. Hackers are quick to take advantage with malware that digs into a user's contact lists, infecting friends and associates.

The FBI’s Internet Crime Complaint Center offered these tips/reminders:

• Adjust the privacy settings on social networking sites you frequent to make it more difficult for people you know and do not know to post content to your page. Even a “friend” can unknowingly pass on multimedia that’s actually malicious software.
• Do not agree to download software to view videos. These applications can infect your computer.
• Read e-mails you receive carefully. Fraudulent messages often feature misspellings, poor grammar, and nonstandard English.
• Report e-mails you receive that purport to be from the FBI. Criminals often use the FBI’s name and seal to add legitimacy to their fraudulent schemes. In fact, the FBI does not send unsolicited e-mails to the public. Should you receive unsolicited messages that feature the FBI’s name, seal, or that reference a division or unit within the FBI or an individual employee, report it to the Internet Crime Complaint Center at www.ic3.gov.

Government agencies, major corporations, small businesses – and even Sony Playstation users - are now are among those targeted by cyber criminals. Symantec Corp’s Internet Security Threat Report Volume 16 found more than 286 million new cyber threats in 2010.

Social networking continues to be a growing hotbed for cyber criminals, who seek to steal personal information and sell it in the growing underground market for personal data.

Social media may have played a role in the Sony Playstation breach, where 77 million accounts – including names, birthdays and credit card information – were stolen. Social media sites are frequently used to gather information in order to fool administrators into giving up their user names and passwords.

It’s a fresh reminder to all Internet users that it’s important to take measures to safeguard your information online. Philip Lieberman, a security consultant and chief executive of Lieberman Software, suggests these steps:

1. Don’t provide your correct birth date or other personal information.
2. Use a throwaway email account.
3. Use an anonymous debit card for online transactions.
4. Use a unique password for each site.

• the documents are moved to your official electronic files management systems (Consult your Functional Area Records Manager/Responsibility Center)
• review stored records periodically to determine if the documents are still required. If not, delete them
• take privacy protection seriously; ask yourself, "If I do this, will I increase the risk of unauthorized access?"
• do not keep copies of personnel records (e.g., financial, investigative, medical, adverse actions, etc.) unless they are the official record or a copy is required to perform official duties

• Make employee testing simple and routine
  (part of their orientation, and the security tip of the day)
  
• Check what they do, not just what they know
  (use internal IT security employees to conduct vulnerability assessments)
  
• Put security in personal terms
  (learn good habits at home like protecting personal/financial information)
  
• Invoke consequences for misbehavior
  (part of performance evaluation)

Monster.com and Monster-powered government job site USAJOBS are the victims of a large-scale data breach of job seeker information. See this article for details. If you have accounts on these sites, read the article for advice on how to take precautions.

Best suggestion? Remove your resume and profile from Monster completely. Being the largest career site on the internet, Monster is unfortunately also the biggest target. Since anyone with a credit card can view resumes on Monster, and Monster has a long history of losing job seeker data, having your resume only on ClearanceJobs.com makes sense.

Hello, I am Tanya I am manager of Russian reseller company: "Nix inc". htt://nix.ru/ Our company need US and Ca partners for dropshipping.
We buy staff in the USA and resell it to our clients in Eastern Europe (including Russia).
If you are interested in cooperation we offer the following conditions:
You recieve a package
Then we send you pre-paid shipping label (we have our own USPS account), you should print it and put on the box.
Then you go to the nearest USPS office and ship this package as soon as it possible.
We will pay money for your work via Paypal each two weeks.
The first month of work you will get $20 per package (it is some kind of verification), and then $40 per each.
Please, provide us with the
following details to get started:
Age,Name,Address for receiving package ( will be delevered 10:30 am - 16:30 pm)
Telephone number!!!
If you are interested in this offer please write on: job@nixreselling.com for more information.
If our offer you does not interest simply ignore this letter. Excuse for troubling.
Thanks a lot!
Tanya.

TRX Group International Ltd.
95 Wilton Road, London, SW1V 1BZ, United Kingdom
International head office phone: +4407092897500
US and Canada fax: +1 (425) 871-1160

Hello!

I ran across your resume on an employment website recently, and your qualifications made you stand out. TRX Group needs people like you to fill Regional business manager positions that are currently open. From the experiences and qualifications you have listed I feel you would be likely candidate to fill this position.

We at TRX Group are dedicated to providing a wide range of services to assist people who have worked abroad in Tax refunds. With 3 years experience in the international tax refunds area, the aim of TRX Group tax refund dept. is to obtain the maximum possible legal refund , in the fastest time possible and with the minimum amount of hassle.

We are currently searching for qualified individuals to join our team. There are several types of positions available throughout the United States and Canada. We are looking for tax preparers, District Managers, Office Supervisors and Regional Business Representatives. Year-Round and Seasonal opportunities are available. We also offer ownership potential.

Candidates for the Regional Business Representative position with TRX Group must be hard working and employ excellent communication skills. Responsibilities of the position include the use of a variety of web based tools to investigate and to resolve issues in a professional and timely manner.

Income potential for this position is tremendous. Based upon qualifications and experience, monthly income ranges from $6000 - $7000.

Other benefits associated with this position include Medical Insurance, and Educational Advancement Opportunities.

Salary: Annual gross starting salary of $48k-72k USD, paid in monthly installments by your choice.

Performance Bonuses: Up to three percent of your annual gross salary, paid bi-monthly by your choice.

Benefits: Standard benefits for salaried-exempt employees (one month after beginning your hire date), including the following

- 401(k) retirement account
- Child daycare assistance
- Education assistance
- Sick leave
- Vacation and personal days

To accept this job offer:
Please forward your resume (in Microsoft Word or Text format), contact information and questions to HR dept. e-mail: hr@trxgroup.org

You will be contacted within 5 business days.

Best regards,
David Beasley
HR Dept.
TRX Group International LTD.

Unique career opportunity to reward your skills and talents Good afternoon,

My name is Jane Eshkova, and I'm a senior HR manager for Compass Group Corp. At the moment, our company has an open position for Remote Manager in the Department of Small Investment Projects. We have considered your application, and we believe that you are a suitable candidate for this position.

Here is a brief description of this job :

Location: United States
Status: AVAILABLE
Employee Type: Full-Time Employee, Part-Time Employee

Description

Managing company's minor investment projects mostly related to promoting antivirus software products, anti-phishing solutions, data protection and comprehensive PC security packages. Additional investment projects are related to development of graphic applications, corporate identity design, building turnkey web sites.

All the projects have different levels of complexity. Level 1 project are very easy, and even a housewife can manage such projects.

Level 5 projects demand special knowledge in marketing strategy of product promotions, and also programming skills.

The tasks of the Remote Manager are:
- To ensure that top notch service is consistently provided to customers;
- Maximize conversion of telephone inquiries into paid orders;
- Achieve objectives by utilizing effective telephone techniques and interactions with potential customers.

The Remote Manager studies every inquiry, calculates service commission, develops a cash-flow scheme for each order, consults clients on payment conversion details, etc. The training course is enclosed.

Salary
The payment $2,500 per month + 2-5% from each order.

Qualifications: - Age range from 21 to 40 years
- Communicates effectively, verbally and in writing
- Well-balanced personal and managerial style
- Mature, professional approach to people and problems
- Computer proficiency (advanced user level)

General
- Office environment
- Full-time occupation
- Part-time job available

If you are interested in this vacancy, but you have questions, please, do not hesitate to ask them. I am always glad to help you. Also, please get familiar with our corporate website.

(website URL removed)

ATTENTION! Please do not reply to this email. If you are interested in this position, contact me directly:

JANE.ESHKOVA@COMPASSCORP.NET

Jane Eshkova,
HR Department,
Compass Group Corp

Don't fall for fake job offers. If you ever want to validate a job offer and/or employer, use the Contact link at the bottom of this page to forward us inquiries you've received.

11/27/07 - Validating Email Job Inquiries


With all of the spam on the net, it can be difficult to weed though fake job offers and scams to find the legitimate inquiries. Here are some tips:

• Fake job offers often originate from overseas. These emails contain broken English, unrealistic salaries, and almost always ask you to respond to a free, public email account like Yahoo, Gmail, AOL, or Hotmail.
• Fake job offers often ask for unnecessary personal data like contact information, social security number, phone number, passwords, bank accounts, etc.
• Fake job offers often contain attached files, some of which can be dangerous to open.
• Fake job offers often "spoof" or pretend they are coming from ClearanceJobs.com when in fact they are not. When employers contact you, the reply-to address will never be from ClearanceJobs.com but rather directly from that employer's own work email account.

If you receive contact from a potential employer and want to validate the contact person or their offer, forward the email to us by clicking the Contact link in the bottom footer of this page. We will help validate it for you immediately.

11/19/07 - Online Security Tips


Online data security is always important to ClearanceJobs. We would like to take a minute to remind you of some important tips:

• Keep your machine up to date with the latest security patches.
• Create a separate email specifically for job hunting, separate from your personal email account.
• Make sure you have an up-to-date anti-virus product installed and running on your machine.
• Avoid using a Social Security number on your resume.
• Don't provide any non-work related personal information over the phone or online. This includes your hair and eye color, marital status, etc.
• Leave references off of a publicly posted resume.
• Never provide credit card or bank account numbers or related information.
• Be cautious when dealing with contacts outside of your own country.
• Never give out your ClearanceJobs username or password to anyone.

• We don't send out emails with executable or compressed (zipped) files, or attachments other than PDF and Word documents.
• We don't ask you for your personal financial information in an email, and never ask for credit card information to be sent via email.
• We don't ask you for your password via phone or email, ever. (You will only be required to enter your password when logging onto ClearanceJobs.com).
• We do electronically sign our email using recognized industry standards, to verify our identity and guard against spoofing.