Thursday, February 28, 2019

Beware of Compromised Personal E-mail

Over the last few years personal e-mail providers like Yahoo and AOL have had massive data breaches, in which users' e-mail addresses and passwords were compromised.  Recently there have been a number of phishing campaigns in which these compromised e-mail accounts are being used.

How this works
Suppose a Yahoo or AOL e-mail account owner has never changed their password, and a hacker gains access to the account (most likely using a password list bought on the Dark Web).  The hacker then sends a personalized e-mail to everyone in the compromised account owner's Address Book with a link that either collects credentials or launches malware.  The sad thing is that some people have been getting these phishing e-mails from people close to them who have passed away.  Others are getting e-mails from friends and relatives that seem legitimate, and so the recipient innocently clicks on the link, seeing that the e-mail is from someone they know.

Security Tip
Ask yourself these questions when you receive an e-mail:
  1. Do I know the sender?  (hover your cursor on the display name or click the display name to see the real e-mail address)
  2. Am I expecting this e-mail or any web links/attachments from this sender?
If you answer "No" to either question, it is probably a phishing e-mail.

If you know the sender, pick up the phone and verify that they sent you the e-mail and any attachments or web links.  Don't reply to the sender's e-mail as the hacker has control over the e-mail account.
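The two questions above can be applied to a raw message programmatically: pull the real address out of the From header (the "hover over the display name" check), compare it against your address book, and count the web links in the body. The following is an added example written for this post, not code from the original; the address book, the two sample messages and the `.example` domains are all constructed placeholders. It goes slightly beyond the post by also flagging the case where a message borrows a known contact's display name but arrives from an address that is not in the address book.

```python
"""Triage an e-mail the way the two questions above do, programmatically."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed address book (placeholder contacts, not real people).
ADDRESS_BOOK = {
    "mary.jones@yahoo.com": "Mary Jones",
    "bob.lee@aol.com": "Bob Lee",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages. The first comes from a contact's real address
# (the account-takeover case described in the post); the second borrows a
# contact's display name but comes from an address not in the address book.
TAKEOVER_MSG = """\
From: Mary Jones <mary.jones@yahoo.com>
To: me@example.com
Subject: check this out
Content-Type: text/plain

Hi, I thought you'd like this: http://document-share.example/view?id=123
"""

LOOKALIKE_MSG = """\
From: "Bob Lee" <bob.lee.2019@freemail.example>
To: me@example.com
Subject: invoice attached
Content-Type: text/plain

See attached. http://invoice-portal.example/login
"""


def parse_sender(raw):
    """Return (display_name, real_address) from the From header.

    This is what 'hover over the display name' shows you in a mail client.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"] or ""))
    return display, addr.lower()


def extract_urls(raw):
    """Return every http(s) link found in the text body."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return URL_RE.findall(text)


def triage(raw, expecting, address_book=ADDRESS_BOOK):
    """Answer question 1 (do I know the sender?) from the header and take
    question 2 (was I expecting this?) as input; 'No' to either is treated as
    probable phishing, as the post advises."""
    display, addr = parse_sender(raw)
    known = addr in address_book
    urls = extract_urls(raw)
    findings = []
    if not known:
        findings.append("sender address not in address book")
        # Known name, unknown address: a look-alike sender, not the contact.
        if display and display in address_book.values():
            findings.append("display name impersonates a known contact")
    if urls:
        findings.append(f"{len(urls)} web link(s) in body")

    if not known or not expecting:
        verdict = "probable phishing"
        if known:
            # The contact's own account may be compromised: verify by phone,
            # never by replying to the e-mail.
            action = "do not click; call the sender on a known number to verify"
        else:
            action = "do not click; delete or report"
    else:
        verdict = "plausible"
        action = "expected mail from a known contact; confirm links out of band if in doubt"

    return {
        "display": display, "address": addr, "known": known, "urls": urls,
        "findings": findings, "verdict": verdict, "action": action,
    }


if __name__ == "__main__":
    for name, raw in (("takeover", TAKEOVER_MSG), ("lookalike", LOOKALIKE_MSG)):
        print(name, triage(raw, expecting=False))
```

Note that in the takeover case the address is genuinely the contact's, so the header check alone passes; only the second question (and a phone call) catches it.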

In 2018, the number of malicious web links (URLs) sent by cyber criminals was more than twice as many as malicious attachments sent.

Think before you click!


In addition, if you have a Yahoo or AOL e-mail address and haven't changed your password in the last year, CHANGE YOUR PASSWORD NOW!


Be Secure!

@TJMProfessional

Sunday, January 6, 2019

Who is Responsible for Security?

Ultimately, management (including the owners) is responsible for the implementation and oversight of both the Information Security and Physical Security programs of an organization.  So when you read about a data breach where a retail vendor had thousands (or millions) of credit card records stolen, or a hospital is locked out of its systems for days or weeks due to ransomware, or a real estate broker had their e-mail compromised by a phishing attack, at the end of the day it is management that is responsible, not IT, and not the security officer or security analysts.  It is an organization's management that approves the security policy and the security budget, which determine the level of effort given to the security of the organization.  Even if employees or an outsourced company are responsible for implementing and maintaining good security practices, management is still held accountable for monitoring their activities and ensuring that the organization's security program is being carried out according to the security policies.

There is also another group of individuals in an organization who are responsible for the day-to-day execution of proper security procedures and processes: the employees.  Or, in other words, Everyone.  In an organization, it is everyone's responsibility to follow good security practices, from setting strong passwords, to not letting strangers piggy-back into secure buildings, to reporting anything suspicious to management or their designee.  Truth be told, no matter how much money is in the budget for security, there is never enough.  So to provide adequate protection for your organization, your employees need to be trained, empowered and in a sense, be "deputized" as security officers in order to maintain a culture of security in your organization.

So to answer the question "Who is Responsible for Security?", the answer is two-fold: primarily management, for ensuring good security practices are in place (including security awareness training for employees and contractors), and the organization's employees, who need to follow security procedures and act in a secure manner at all times when conducting the organization's business.


Be Secure!

@tjmprofessional.com