Tuesday, October 16, 2018

Information Leakage - Using the Internet Judiciously

One of the best online resources for cyber criminals is Google.  While businesses use their company website, Facebook, Twitter, LinkedIn, and the like for marketing and recruitment, they are unintentionally leaking information that is useful to cyber criminals.  At the same time, their employees are guilty of both disclosing too much detail about their job duties and accepting connection and friend requests without any due diligence.

For businesses, below are some typical areas where internal information is disclosed:

Press Releases: Expanding your business?  Offering a new product?  That is great and something to brag about, but pick and choose which details you make public.  Let's say you are offering a new product or service, and you bought a new piece of equipment to provide it or signed a new vendor to help you support it.  If possible, don't name business partners or describe new equipment by name.  These details don't sound important, but internal details like these are exactly what spear-phishing uses to gain the trust of your employees.  Suppose you name your new supplier (XYZ Corp) in your press release.  A few weeks later an e-mail arrives in your accountant's inbox that appears to be from XYZ Corp, saying they have just changed banks and to use the banking details below to pay future invoices.  You find out it was a phishing e-mail when the real XYZ Corp starts calling about all the unpaid invoices, and by then the money is gone.

Job Postings:  One of my pet peeves is how much information you can glean from an organization's job postings.  If your company is hiring a Database Administrator, you don't have to say in the posting "Must be experienced with MS SQL Server 2008 R2 Express".  That tells the public exactly which database version you are running, and therefore which known vulnerabilities you may be exposed to.  Simply saying "Must be experienced with MS SQL Server" will suffice.

Vendor Endorsements: I never give public vendor recommendations (the kind posted on the vendor's website).  Why?  Because I don't want anyone knowing too much about the inner workings of my business, such as who my vendors are.  A cyber criminal can use that relationship to spear-phish either company, and it may not be something you want your competitors to know either.  If you have a really good vendor relationship and they want a recommendation, offer to give one-off personal recommendations.  Just don't put it out on the web for the world to see.

Website Contacts: If possible (granted, it is a must in some industries), do not publish a directory of your employees' names and contact information on your company website.  It is a treasure trove for cyber criminals, for phishing e-mails as well as scam phone calls.  Use generic contact addresses in your Contact Us section, such as sales@xyzcorp.com, or better still a contact form that does not disclose company e-mail addresses at all.


Tips for your employees:

Social Media: Encourage your employees to keep their job duties generic when updating their LinkedIn profile or online resume.  If you are an accountant for a business, that is great.  You don't have to put on LinkedIn that you handle all of the business's banking, send wire transfers, or are familiar with Wells Fargo's business banking portal.  That is far too much information to hand to a potential cyber criminal, and it is exactly what a Business Email Compromise (BEC) or spear-phishing attack builds on.  Save the details for the resume you submit to a potential employer; the one you post publicly should be a summary.

Technology questions using a company e-mail address: Technology folks will often visit tech blogs and websites looking for help with a problem they are trying to resolve.  That is all well and good, but sometimes they post detailed questions that disclose the names and versions of systems and applications, using their company e-mail address, and so identify the organization that has the problem.  Information about current IT issues (security related or not) should not be publicly disclosed.  It is not something you want hackers to see, and it doesn't look good to current or future customers either.

Be Secure!

@tjmprofessional

Thursday, October 4, 2018

How to Overcome Your E-mail Insecurity - Part 3 of 3

Phishing
Less complex than BEC, but even more widespread, phishing e-mails usually come from free e-mail providers (e.g. Gmail, Yahoo, Outlook/Hotmail) but carry a display name that differs from the actual address in order to gain your trust.  The e-mail is supposedly from DHL, UPS, Dropbox, Microsoft, or some other large company that you trust, but on inspection the underlying address is not in that company's e-mail domain; it is a Gmail account or a similar-looking domain such as dhl-accountservices.com.

Some recent attacks go further and impersonate the target's own domain to fool its employees.  If your business e-mail domain is "marysdonuts.com", the impersonated domain might be "rnarysdonuts.com", where the "m" is replaced with an "r" followed by an "n" so that your eye reads it as a lower-case "m".  Cyrillic letters that look identical to Latin ones (an internationalized domain name can contain them) have been used for the same trick.

Security Tip:  Like BEC e-mails, there is a call to action, usually an attachment (carrying malware) or a button/link to click.

Ask yourself these questions when you receive an e-mail:
  1. Do I know the sender?  (Hover your cursor over the display name, or click it, to see the real e-mail address; judge the domain of that address, not the display name.)
  2. Am I expecting this e-mail or any attachments from this sender?
If you answer "No" to either question, it is probably a phishing e-mail.  Again, if you do know the sender, pick up the phone and verify that they sent the e-mail and any attachments.
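The first of those two questions, and the look-alike domain trick described above, can be checked mechanically against the From: header before a human ever reads the display name. The Python script below is an added example written for this post, not the author's own code: the trusted-domain list, the free-mail list, the confusable-character table and the sample headers are all constructed assumptions, and the confusable table is a hand-picked subset rather than Unicode's full confusables data.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed sample configuration (hypothetical): the organisation's own
# domain plus the brands its staff routinely receive mail from.
OUR_DOMAIN = "marysdonuts.com"
TRUSTED_DOMAINS = {OUR_DOMAIN, "dhl.com", "ups.com", "dropbox.com", "microsoft.com"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Hand-picked confusables (an assumption, not the full Unicode table): Cyrillic
# and Greek letters that render like Latin ones, mapped to the letter they mimic.
CONFUSABLE_CHARS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0501": "d", "\u04bb": "h",
    "\u03bf": "o", "\u0131": "i",
}
# Multi-character tricks the eye misses: "rn" for "m", "vv" for "w", digits for letters.
CONFUSABLE_SEQS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(domain: str) -> str:
    """Reduce a domain to the Latin string it *looks like*, so look-alikes collide."""
    d = unicodedata.normalize("NFKC", domain.lower())
    d = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in d)
    for seq, rep in CONFUSABLE_SEQS:
        d = d.replace(seq, rep)
    return d


def domain_of(address: str) -> str:
    """Return the (IDNA-decoded) domain part of an address, or '' if there is none."""
    if "@" not in address:
        return ""
    dom = address.rsplit("@", 1)[1].strip().rstrip(".").lower()
    if "xn--" in dom:  # punycode hides non-Latin letters; decode so skeleton() sees them
        try:
            dom = dom.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed label: keep the raw text, the skeleton check still runs on it
    return dom


def assess_sender(from_header: str) -> dict:
    """Apply the post's sender checks to a From: header value.

    Returns the parsed name, address and domain plus a list of findings;
    an empty findings list means nothing about the sender looked off.
    """
    name, address = parseaddr(from_header)
    address = address.lower()
    dom = domain_of(address)
    if not dom:
        return {"name": name, "address": address, "domain": "",
                "findings": ["no usable sender address"]}
    findings = []

    # 1. A "business" writing from a free-mail provider.
    if dom in FREE_MAIL:
        findings.append("free-mail provider")

    # 2. Display name claims a trusted brand, but the address lives elsewhere.
    tokens = set(re.findall(r"[a-z0-9]+", name.lower()))
    squashed = re.sub(r"[^a-z0-9]", "", name.lower())
    claimed = {t for t in TRUSTED_DOMAINS
               if t.split(".")[0] in tokens or squashed.startswith(t.split(".")[0])}
    if claimed and dom not in claimed:
        findings.append("display name claims %s but address is @%s" % (sorted(claimed)[0], dom))

    # 3. The domain is a homoglyph or rn-for-m look-alike of a trusted domain.
    sk = skeleton(dom)
    for trusted in sorted(TRUSTED_DOMAINS):
        if dom != trusted and sk == skeleton(trusted):
            findings.append("look-alike of %s" % trusted)

    return {"name": name, "address": address, "domain": dom, "findings": findings}


# Constructed sample headers (not real messages).
SAMPLE_HEADERS = [
    "Jane Doe <jane@marysdonuts.com>",
    '"DHL Express" <dhl.accounts.team@gmail.com>',
    '"DHL Customer Service" <noreply@dhl-accountservices.com>',
    "Accounts Payable <ap@rnarysdonuts.com>",
    "\"Mary's Donuts\" <boss@m\u0430rysdonuts.com>",  # Cyrillic U+0430 in place of "a"
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = assess_sender(header)
        print("%-55s -> %s" % (header, result["findings"] or ["ok"]))
```

A mail gateway or a SIEM rule would run `assess_sender` over the From: header of each inbound message and raise the findings to the recipient; note that the skeleton comparison is deliberately one-sided, so a legitimate domain that happens to contain "rn" is never itself flagged, only a stranger whose skeleton collides with a trusted one.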

So the lesson at the end of the day is: if you want to be safe and not become a victim of e-mail fraud, BEC, or phishing, use the low-tech communication device invented by Alexander Graham Bell and verify before taking action on e-mailed instructions.  After all, as discussed in my Part 1 blog post, e-mail is not secure by design.

Be Secure!

@tjmprofessional