(661) 281-4000

Fixing Your Weakest Link: Your Employees

You can have every piece of security hardware in the books: firewall, backup disaster recovery device, anti-virus; but your employees will still be the biggest vulnerability in your organization when it comes to phishing attacks. How do you mitigate as much risk as possible?

  1. Create and Strictly Enforce a Password Policy: Passwords should be complex, randomly generated, and replaced regularly. In order to test the strength of your password go to this site. (This is a perfectly safe service sponsored by a password protection platform that tells you how long it would take a hacker to decode your password.) When creating a password policy, bear in mind that the most prevalent attacks are Dictionary attacks. Most people utilize real words for their passwords. Hackers will typically try all words before trying a brute force attack. Instead of words, use a combination of letters, numbers, and symbols. The longer the password, the stronger it is. While it’s difficult to remember passwords across different platforms, try not to repeat passwords. This will protect all other accounts in the event of a breach on one of your accounts.
  2. Train and Test Your Employees Regularly: Educate your employees on how they can spot a phishing attack. Then, utilize penetration testing (a safe phishing attack orchestrated by your IT company to see how employees respond) to see how well they do. If employees fall for phishing attempts, send them through training again. We recommend doing this on a quarterly basis to ensure that your employees stay on their toes, and you always provide education on the latest attacks.
  3. Create a Bring Your Own Device Policy and Protect all Mobile Phones: You can safeguard as much as humanly possible on your network, but your employees are all walking in with a cell phone. Are they allowed to get emails on these phones? What about gaining access to the network remotely? Cell phones create a big black hole in security without proper mobile device management and mobile security.
  4. Perform Software Updates Regularly: Make sure that your software is up-to-date with all the latest security patches. Holding off on updates means that you’re leaving yourself open to vulnerabilities that have been discovered and addressed.
  5. Invest in Security: Security is not something for cost savings. Home-based hardware is not sufficient, and you at the very least need a quality firewall and backup device. Invest in your employee’s training, ongoing security updates, and maintaining a full crisis/breach plan.

There are two things that aren’t going away in any business, employees and security threats. Make sure that you’ve taken care of everything you can to avoid falling victim.

Would you know if you were the subject of a phishing attack? Many people claim that they’d be able to tell right away if they received an email from an illegitimate source. If that were the case, there wouldn’t be 1.5 million new phishing sites every month, a 65% increase in attacks in the last year, and hackers would have moved on to their next idea for swindling people out of their identities and money.  How do you spot a phishing attack and avoid falling victim yourself?

Look for these red flags:

  1. Sender Email Address: Always check to make sure that the email address is legitimate. Amateur hackers will send things from Gmail or Hotmail accounts and hope you don’t notice. More sophisticated hackers will closely mimic an actual email domain, like amazonprime.com rather than amazon.com. Double check the email address before responding, clicking, or opening, even if the from name appears correct.
  2. Discrepancies in Writing Format: If the attack is coming from overseas, you’re likely to notice some small issues in writing format, like writing a date as 4th April, 2018 rather than April 4, 2018. While this is subtle, it should be a red flag.
  3. Grammar Issues: We all fall victim to the occasional typo, but if you receive an email riddled with grammar and spelling mistakes, consider the source. It’s likely a hacker, especially if the email supposedly comes from a major organization.
  4. Sender Name: This one is also difficult to track, but phishing emails will typically close with a very generic name to avoid raising suspicion. You should recognize the people that send you emails, or at the very least, clearly understand their role at the organization.
  5. Link Destination: Before you click on any link in an email, hover over it. The destination URL should pop up. Check out the domain name of this URL. Similar to the sender email address, make sure that this address is legitimate before clicking.
  6. Attachments: Is it realistic to expect an attachment from this sender? Rule of thumb, don’t open any attachment you don’t expect to receive, whether it’s a Zip file, PDF or otherwise. The payload for a ransomware attack often hides inside.
  7. Email Design: A cooky font like Comic Sans should immediately raise red flags if you don’t clearly recognize the sender.
  8. Links to Verify Information: Never, ever click on a link to verify information. Instead, if you think the information does need updating, go directly to the website. Type in your email and password, and update your information from the Account tab. Always go directly to the source.
  9. Odd Logo Use: Hackers try their best to mimic the site’s look and feel. Oftentimes, they get very close; but they won’t be perfect. If something feels off, it probably is.

While there is no fool-proof method for avoiding falling victim to a phishing attack, knowing how to spot likely culprits is one step in the right direction. We’ll cover other protective measures to reduce your risk of falling victim to phishing attacks in our next blog.

While the number of people falling for sending personal information to the crown prince of Nigeria in hopes of receiving his promised wealth and riches seems to be dropping, phishing remains a major issue. In fact, the number of phishing campaigns pursued by hackers around the world increased 65% in the last year.

What exactly is phishing? Hackers mimic the emails, forms, and websites of legitimate companies in an effort to lure people into providing their private, personal information, like credit cards numbers, social security information, account logins, and personal identifiers. The victim typically doesn’t realize they’ve been compromised until long after the event, and oftentimes only after their identify or finances are affected. In the past, an attack was carried out relatively quickly. As soon as the victim gave up their information, the hacker moved in and stole money from the compromised bank account. Today, it’s often more lucrative for hackers to sell that information on the Dark Web, resulting in longer-lasting, even more devastating attacks.

3 Types Of Phishing Attacks

Spear phishing

Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is by far the most successful on the Internet today, accounting for 91% of attacks.

Threat Group-4127 used spear phishing tactics to target email accounts linked to Hillary Clinton‘s 2016 presidential campaign. They attacked more than 1,800 Google accounts and implemented accounts-google.com domain to threaten targeted users.

Clone phishing

Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version to the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.

Whaling

Several phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term whaling has been coined for these kinds of attacks. In the case of whaling, the masquerading web page/email will take a more serious executive-level form. The content will be crafted to target an upper manager and the person’s role in the company. The content of a whaling attack email is often written as a legal subpoena, customer complaint, or executive issue. Whaling scam emails are designed to masquerade as a critical business email, sent from a legitimate business authority. The content is meant to be tailored for upper management, and usually involves some kind of falsified company-wide concern. Whaling phishers have also forged official-looking FBI subpoena emails, and claimed that the manager needs to click a link and install special software to view the subpoena.

Have you ever gotten an email from your bank or medical office asking you to update your information online or confirm your username and password? Maybe a suspicious email from your boss asking you to execute some wire transfer. That is most likely a spear phishing attempt, and you’re among the 76% of businesses that were victims of a phishing attack in the last year.

Method of Delivery

Phishing scams are not always received through email and hackers are getting trickier and trickier with their preferred method of execution. Last year, in 2017, officials caught on to attacks using SMS texting (smishing), Voice phishing (vishing) or social engineering, a method in which users can be encouraged to click on various kinds of unexpected content for a variety of technical and social reasons.

Ransomware: The Consequence

Phishing is the most widely used method for spreading ransomware, and has increased significantly since the birth of major ransomware viruses like Petya and Wannacry. Anyone can become a victim of phishing, and, in turn, ransomware attacks; however, hackers have begun targeting organizations that are more likely to pay the ransoms. Small businesses, education, government, and healthcare often, unfortunately, don’t have valid data backups, so they are unable to roll back to a pre-ransomed version of their data. Instead, they have to pay their way out or cease to exist. Outside of ransom costs, victims of phishing campaigns are often branded as untrustworthy, and many of their customers turn to their competitors, resulting in even greater financial loss.

Why are effective phishing campaigns so rampant despite public awareness from media coverage?

  1. Volume: There are nearly 5 million new phishing sites created every month, according to Webroot Threat Report. There are now even Phishing as a Service companies, offering phishing attacks in exchange for payment. One Russian website, “Fake Game,” claims over 61,000 subscribers and 680,000 credentials stolen.
  2. They Work: Over 30% of phishing messages get opened, and 12% of targets click on the embedded attachments or links, according to the Verizon Data Breach Investigations Report. In short, these hackers have gotten really good at looking really legitimate.
  3. They’re simple to Execute: New phishing campaigns and sites can be built by sophisticated hackers in a matter of minutes. While we think there are far more legitimate ways to be earning money, these individuals have made a living out of duplicating their successful campaigns.

How do you protect yourself from a phishing attack?

Now that you have an understanding of what phishing is, our next two blogs will teach you How to Spot a Phishing Attack, and Fixing Your Weakest Link: Your Employees.

Have you ever used a public Wi-Fi signal here in Bakersfield? If you live here, it’s highly likely and it’s even more likely you’ve tapped into a free signal during your travels. We are a culture on the move and we are becoming more and more mobile every day. Whether you’re at a coffee shop, 32,000 feet in the air over the Pacific Ocean or even simply within some cities jurisdictions, you have Wi Fi options to tap into.  As of 2017, there were 9 billion mobile devices in use globally and over 300 million Wi-Fi hotspots with an anticipated 432.5 million hotspots by 2020.  Wi-Fi is such an integrated part of society, it even has an official day of recognition each year – June 20th.

With the availability of public Wi-Fi, more than 43% of all workers in the United States were able to take advantage of working remotely from their office and while some may have their own private Wi-Fi hotspots, many rely on the public access.

With all of the positive benefits a connected society has, there leaves as much opportunity for criminals to exploit the system. Public hotspots leave a very open avenue into your digital fingerprint. Bank accounts, credit card numbers, passwords, and so much more. In 2017, there were over 143 million hacks reported in the United States alone from Wi-Fi entries.

Here are some of our biggest threats when it comes to using these hotspots:

Credential Theft

This is one of the easier attacks and can be the beginning of a very damaging effort. On public Wi-Fi, tools such as packet analyzers and LAN keylogger software can give someone sitting nearby everything they need to act as you or your employee. In some cases the software can monitor the screen activity of each computer on the network. All of this unknown to the victim

Malware Installation

Thanks to software vulnerabilitiesmalicious code can be injected into any device on the network. This opens up a world of opportunity for a hacker. Malware can be used to continuously feed information to someone outside your organization. The malware can also be used to activate the microphones on laptops and mobile devices for eavesdropping. The installation of malware is the most dangerous risk. This is because your employee could have compromised your network a long time ago and you wouldn’t know because they access from various locations all the time. So any behavior may not be immediately detectable while using their credentials. The depth of compromise is entirely dependent on the creativity of the hacker.

Man-in-the-Middle Attacks

These are common especially for people who do not visit sites with https. A man-in-the-middle attack occurs when a hacker interceptions your communications. So before you data reaches its intended audience, it goes through the hacker first. This can also apply to passwords and usernames. The man-in-the-middle method is commonly used for eavesdropping and intercepting file or financial transfers.

Unencrypted Networks

Encryption means that the information that is sent between your computer and the wireless router are in the form of a “secret code,” so that it cannot be read by anyone who doesn’t have the key to decipher the code. Most routers are shipped from the factory with encryption turned off by default, and it must be turned on when the network is set up. If an IT professional sets up the network, then chances are good that encryption has been enabled. However, there is no surefire way to tell if this has happened.

With the vulnerability public Wi-Fi leaves us open to, how can anyone consider tapping into it? The good news is that all hotspots are NOT created equally and there are a lot of things you can do to protect yourself.

6 Steps To Keep Yourself Safe

1. Check Names

ALWAYS confirm the network name. Bumming Wi-Fi at a local coffee shop? Looking for a network in a hotel lobby? Wherever you are, never assume you know the network name. Some hackers create free Wi-Fi spots that don’t require passwords, making it easy to access your information due to lack of encryption security. To be sure, verify with an employee or triple check the spelling if it’s printed out before connecting.

2. Always Look For The ‘S’

Use HTTPS when browsing the web. Hypertext Transfer Protocol Secure is the secure version of the HTTP you usually use when visiting a URL. Adding that simple ‘S’ at the end encrypts everything between your browser and the sites you visit, keeping information like banking passwords and credit card numbers safe and sound.

3. Store Your Data Safely

Use encrypted storage security. Storing your important files in encrypted storage means they’re password protected and as safe as the money in a bank vault. You can find a range of encryption options, from free downloads to software for purchase that offers more security features. This will ensure that even if hackers do gain access to your computer via an open network, they will not be able to enter your protected vault of files. Think of it like a locked treasure chest within your system, and you’re the only one with the map and the key.

4. Consider Using a VPN

VPN (Virtual Private Network) is simply a group of networks that secure and encrypt communication, and can be connected to remotely. Businesses use this often to connect individuals to network resources, but you can use it to secure your public Internet connection and to protect any data you’re sending and receiving. However you choose to use your VPN, make sure you choose a service that offers protocols on connectivity, server location, and offers features that meet your needs.

5. Utilize Checklists

Make a turn-off checklist and follow it. When you’re planning to visit a location where you know you’ll be using a public network, turn off automatic connection to Wi-Fi on your device. This guarantees you’ll never accidentally join a fake network created to steal your data. Also remember to turn off Wi-Fi when you’re done browsing, always ensuring that you are in control of what, when, and how you connect.

6. Avoid Convenience

Finally, make it a habit to turn off sharing. You never know who’s roaming around trying to covertly access your information. If you have sharing enabled on your device and forget to turn it off, you’re basically waving a flag to potential cybercriminals and saying, here’s an easy target! And never, ever save passwords. It’s convenient but it makes it even easier for any potential threats to access your electronic information.

It’s simple. Make sure that your passwords are strong and unique. Don’t use your birth date, phone number, social security number, family members name or your pet’s name – these can be easily guessed by a cyber crook usually just by looking over your social profiles.

Don’t use your birth date, phone number, social security number, family members name or your pet’s name – these can be easily guessed by a cyber crook usually just by looking over your social profiles.

It’s also important that you don’t reuse passwords between your accounts or change them too often. A good password should last a year. Although this may sound counter-intuitive, frequent updates to passwords often result in “password1”, “password2” patterns and these are easy to uncover.

Unfortunately, it’s not uncommon in our current culture to face major security breaches on our favorite platforms, such as the recent ones that involved LinkedIn, MySpace and Tumblr, where hundreds of accounts details went for sale on the dark web. Think about it. If you used the same pass everywhere, attackers would be able to quickly access all of your other accounts quickly (and they know it).

The bottom-line is that breaches are on the rise year over year and according to Netherlands-based security firm Gemalto, more than 2.6 billion records were breached in 2017, which breaks down to:

To put that in perspective, there were “only” 1.6 billion records lost or stolen in 2016 — in other words, there’s been a 163% increase in breached records. These numbers could be even higher, but nearly 60% of the total breaches include an unknown or unreported number of compromised records (similar to the Yahoo breach, which was reported as a larger breach over time – now listed at 3 billion-plus records).

Prioritizing breach-prevention tools and policies is extremely critical for small businesses. Hackers know small businesses have less resources to counter their efforts (whether it be shortage of staff or budget), and have targeted them at an alarming and increasing rate each year, according to Symantec’s Internet Security Threat Report.

What’s more alarming than that? Almost 90% of small business owners don’t feel like they’re at risk of experiencing a breach.

LAST YEARS STATISTICS

According to Statista.com, 22% of respondents stated that they used different passwords for every online login.

Password management company Keeper Security released a list of the most common passwords of 2017 and the most common password, making up nearly 17% of the 10 million passwords the company analyzed, was “123456.”

See their reported top 25 passwords below:

PASSWORDS - 2017 WORST COMBINATIONS

KEEPING YOUR PASSWORDS SAFE

After you determine your password for various platforms, avoid writing them down at all costs.  This includes creating an Excel spreadsheet or an office document for your team to share.

Instead, start using a password manager, such as LastPass. It will remember all of your passwords and store them in a secure way. This way, you’ll only have to remember one master password, the one for your main LastPass account.

In addition, avoid using the “REMEMBER PASSWORD” option on websites. With the convenience of being remembered by your favorite platforms comes the ability for crooks to effortlessly cruise right into your cyber world.

When it comes to creating your passwords, consider these best practices:

Adopt the 8 + 4 Rule

This rule helps you to build passwords that are strong as steel. Use eight characters with one upper and one lower case, a special character like as asterisk and a number. The more random the better.

Keep Symbols/Numbers Separate

Here’s another hint for an effective password policy to foil hackers. Make sure the numbers and symbols are spread out through the password. Bunching them up makes the password easier to hack.

Don’t Make it Personal

Everyone involved in a small business needs to understand there’s a big difference between security and convenience when it comes to passwords. It needs to be clear using personal information like your first name and birth date is a recipe for disaster. If a hacker ever gets his hands on company HR data, this information will be the first set of combinations he tries.

Avoid Dictionary Words

It might sound safe to go to the dictionary for a password, but hackers actually have programs that search through tens of thousands of these words.  Dictionary attack programs have been around for years.

Keep the Character Limit Down

The average person can only remember 10 characters or less. Long passwords run the risk of being written down so they can be remembered.

Adopt Passphrases

Abbreviations are usually immune to dictionary attacks. So TSWCOT for The Sun will Come Out Tomorrow is a good choice for a secure password. Remember to add symbols and numbers.

Stay Away from Acronyms

Don’t use these as a shortcut to identifying your department or who you are. It might be temping for an accountant to use CPA. However, that opens a cybersecurity door wide enough for a hacker to walk right through.

Don’t become a statistic this year and help keep your employees safe as well.

HOW TO OBSERVE

Celebrate World Password Day by visiting PasswordDay.org and taking the World Password Day pledge, sharing a password tip on social media, changing an old password to a long, strong one or by turning on two-factor authentication for your important accounts.

HISTORY

Security researcher Mark Burnett first encouraged people to have a “password day,” where they update important passwords in his 2005 book Perfect Passwords.  Inspired by his idea, Intel Security took the initiative to declare the first Thursday in May World Password Day in May 2013.  Submitted by Big Monocle in 2016, Password Day is meant to create awareness of the need for good password security.

———————————————————————————–

ABOUT BIG MONOCLE

Founded in 2012, Big Monocle designs creative branding and marketing that tells impactful stories. Their growing, energetic team of talented professionals focus on developing experiences and connecting with every client.