Ultimately, management (including the owners) is responsible for the implementation and oversight of both the Information Security and Physical Security programs of an organization. So when you read about a data breach where a retail vendor had thousands (or millions) of credit card records stolen, or a hospital is locked out of its systems for days or weeks due to ransomware, or a real estate broker had their e-mail compromised by a phishing attack, at the end of the day it is management that is responsible, not IT, and not the security officer or security analysts. It is an organization's management that approves the security policy and the security budget, which together determine the level of effort given to the security of the organization. Even if employees or an outsourced company are responsible for implementing and maintaining good security practices, management is still held accountable for monitoring their activities and ensuring that the organization's security program is being carried out according to the security policies.
There is also another group of individuals in an organization who are responsible for the day-to-day execution of proper security procedures and processes: the employees. Or, in other words, Everyone. In an organization, it is everyone's responsibility to follow good security practices, from setting strong passwords, to not letting strangers piggy-back into secure buildings, to reporting anything suspicious to management or their designee. Truth be told, no matter how much money is in the budget for security, there is never enough. So to provide adequate protection for your organization, your employees need to be trained, empowered and in a sense, be "deputized" as security officers in order to maintain a culture of security in your organization.
So to answer the question "Who is Responsible for Security?", the answer is two-fold: primarily management, for ensuring good security practices are in place (including security awareness training for employees and contractors), and secondarily the organization's employees, who need to follow security procedures and act in a secure manner at all times when conducting the organization's business.
Be Secure!
@tjmprofessional.com
Sunday, January 6, 2019
Tuesday, October 16, 2018
Information Leakage - Using the Internet Judiciously
One of the best online resources for cyber criminals is Google. While businesses seek to utilize their company website, Facebook, Twitter, LinkedIn, and the like for marketing and recruitment purposes, they are unintentionally leaking information that can be useful to cyber criminals. At the same time, their employees are also guilty of both disclosing too many details about their job duties and connecting to and friending people based on invites without any due diligence.
For businesses, below are some typical areas where internal information is disclosed:
Press Releases: Expanding your business? Offering a new product? That is great and something to brag about. But pick and choose what details you make public. Let's say you are offering a new product or service, and you bought a new piece of equipment to provide it, or have a new vendor to help you support it. If possible, don't name business partners or describe any new additions of equipment by name. While these details don't sound like anything of importance, internal details can be used in spear-phishing to gain the trust of your employees. Let's say you name your new business supplier (XYZ Corp) in your press release. A few weeks later an e-mail is sent to your accountant that appears to be from XYZ Corp saying they just changed banks and to use the below banking information to pay future invoices. You figure out that it was a phishing e-mail when XYZ Corp starts calling you because of all the unpaid invoices, and now you are out the money.
Job Postings: One of my pet peeves is all of the information you can glean from an organization's job postings. For example, if your company is hiring a Database Administrator, you don't have to say in the posting "Must be experienced with MS SQL Server 2008 R2 Express." This tells the public what version of your database you are running, and what security issues you may be vulnerable to. Simply saying "Must be experienced with MS SQL Server" will suffice.
Vendor Endorsements: I never give public vendor recommendations (posted on the vendor's website). Why? Because I don't want anyone knowing too much about the inner workings of my business, such as my vendors. The reason is that a cyber criminal can use that relationship to try to spear phish either company. Also, this may not be something you want your competitors to know about either. If you have a really good vendor relationship and they want a recommendation, offer to give one-off personal recommendations. Just don't put it out on the web for the world to see.
Website Contacts: If possible (granted, it is a must for some industries), do not have a directory of your employees' names and contact information on your company website. This is a treasure trove for cyber criminals for both phishing e-mails and scam phone calls. Use generic contact e-mails in your Contact Us section such as sales@xyzcorp.com, or even better, a contact form that does not disclose company e-mail addresses.
Tips for your employees:
Social Media: Encourage your employees to keep their job duties generic when updating their LinkedIn profile or online resumes. If you are an Accountant for a business, that is great. You don't have to put on LinkedIn that you handle all of the business's banking, send wire transfers, or are familiar with Wells Fargo's business banking portal. This is way too much information to be giving out to potential cyber criminals and can be utilized in a Business Email Compromise (BEC) or spear-phishing attack. Save the details for the resume you submit to a potential employer. The one you publicly post should be a summary.
Technology questions using a company e-mail address: Technology folks will often visit tech blogs and websites soliciting information and knowledge regarding a problem they are trying to resolve. This is all well and good, but sometimes they post detailed questions that disclose the names and versions of systems and applications using their company e-mail address, thereby identifying the organization that has the problem. Information about current IT issues (whether security related or not) should not be publicly disclosed. It's not something you want hackers to see, and it doesn't look good to current or future customers either.
Be Secure!
@tjmprofessional
Thursday, October 4, 2018
How to Overcome Your E-mail Insecurity - Part 3 of 3
Phishing
Less complex than BEC, but even more widespread, phishing e-mails will usually come from free e-mail providers, e.g. gmail, yahoo, outlook/hotmail, but will have a display name that is different from the actual e-mail address in trying to gain your trust. The e-mail is supposedly from DHL, UPS, DropBox, Microsoft, or some large company that you trust, but then you find out that the underlying e-mail address is not from that company's e-mail domain, but is a gmail account or a similar-looking domain like DHL_Accountservices.com, etc.
Some recent attacks actually impersonated domains to try and fool employees at the actual business. For example, if your business e-mail domain is "marysdonuts.com", the impersonated e-mail domain might be rnarysdonuts.com, whereby the "m" is replaced with an "r" and an "n" to fool your eye into thinking it's a lower case "m". Cyrillic alphabet characters have also been used to play tricks on your eyes.
Security Tip: Like the BEC e-mails, there is a call to action, usually an attachment (virus infected) or a button/link to click.
Ask yourself these questions when you receive an e-mail:
- Do I know the sender? (hover your cursor on the display name or click the display name to see the real e-mail address)
- Am I expecting this e-mail or any attachments from this sender?
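To show what "hover on the display name" and "look for the swapped letters" amount to when automated, here is an added example (written for this page, not code from the post) that inspects a From: header for the three patterns described above: a trusted brand in the display name on a free-mail or unrelated domain, and lookalike domains built from confusables such as "rn" for "m" or Cyrillic letters. The brand allow-list, the organization's domain and all sample headers are constructed.

```python
"""Sender red-flag checks for the phishing patterns described above.
Added example for this page, not code from the post; BRANDS, the
organisation's domain and the sample headers are constructed."""
import re
import unicodedata
from email.utils import parseaddr

# Free-mail providers named in the post.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Assumed allow-list: brand keyword -> the domain it legitimately mails from.
BRANDS = {"dhl": "dhl.com", "ups": "ups.com", "dropbox": "dropbox.com",
          "microsoft": "microsoft.com"}

# Cyrillic letters that look like Latin ones, mapped onto their Latin twins
# (a e o p c y x i j); written as escapes so the source stays readable.
CYRILLIC_TO_LATIN = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456\u0458", "aeopcyxij")
# Multi-character and digit confusables; the post's "rn" for "m" comes first.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]


def fold_confusables(domain: str) -> str:
    """Normalise a domain so visually similar spellings compare equal."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    folded = folded.translate(CYRILLIC_TO_LATIN)
    for fake, real in CONFUSABLE_PAIRS:
        folded = folded.replace(fake, real)
    return folded


def is_lookalike(sender_domain: str, own_domain: str) -> bool:
    """True when the domains differ but fold to the same spelling."""
    if sender_domain.lower() == own_domain.lower():
        return False
    return fold_confusables(sender_domain) == fold_confusables(own_domain)


def analyze_sender(from_header: str, own_domain: str) -> list:
    """Return the red flags found in a From: header (empty list = none)."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable From: header"]
    domain = address.rsplit("@", 1)[1].lower()
    display_words = set(re.findall(r"[a-z0-9]+", display.lower()))
    domain_words = set(re.findall(r"[a-z0-9]+", domain))
    flags = []
    if is_lookalike(domain, own_domain):
        flags.append(f"lookalike of {own_domain}: {domain}")
    for brand, real_domain in BRANDS.items():
        genuine = domain == real_domain or domain.endswith("." + real_domain)
        if brand in display_words and not genuine:
            flags.append(f"display name claims {brand} but address is {domain}")
        if brand in domain_words and not genuine:
            flags.append(f"brand {brand} embedded in unrelated domain {domain}")
    if domain in FREE_MAIL and display.strip():
        flags.append(f"free-mail provider {domain} behind display name {display!r}")
    return flags


if __name__ == "__main__":
    # Constructed headers mirroring the post's examples; the third one has a
    # Cyrillic 'a' (U+0430) in place of the Latin 'a'.
    samples = [
        "DHL Express <dhl.accounts@gmail.com>",
        "Mary Smith <mary@rnarysdonuts.com>",
        "Mary Smith <mary@m\u0430rysdonuts.com>",
        "DHL Account Services <help@dhl-accountservices.com>",
        "Mary Smith <mary@marysdonuts.com>",
    ]
    for header in samples:
        print(header, "->", analyze_sender(header, "marysdonuts.com") or "ok")
```

The folding is deliberately applied to both domains before comparing, so a legitimate domain that happens to contain "rn" or a digit is never flagged against itself; only a sender that differs yet folds to the same spelling is reported.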
So the lesson, at the end of the day, is that if you want to be safe and not become a victim of e-mail fraud, BEC, or phishing, you should use the low-tech communication device invented by Alexander Graham Bell and verify before taking action based on e-mailed instructions. After all, as discussed in my Part 1 blog post, e-mail is not secure by design.
Be Secure!
@tjmprofessional
Tuesday, September 11, 2018
How to Overcome Your E-mail Insecurity - Part 2 of 3
Business E-mail Compromise (BEC)
For the last two years this has been a growing threat to small businesses. It is a phishing e-mail whereby the hacker poses as someone of authority (your boss, the CEO, the CFO, the IRS, etc.) and asks you to send your employees' HR data (e.g. W-2 information) or customer information, send money, or buy gift cards. The things to look for in identifying a BEC attempt are:
- Usually sent off hours or right before you are about to leave for the day.
- Has the appearance of being from someone you know, work with, or a government agency, but is usually from a gmail, yahoo, or some other free e-mail domain and not a business domain.
- Has a sense of urgency, and asks you to take immediate action.
- May be written in odd English or European style English.
- The message in the e-mail is usually short and to the point, and may be trying to start a conversation to gain your trust. E-mail #1 might say "Are you in the office?", which will cause you to respond "Yes"; then E-mail #2 says "Great, I need you to send (money, gift cards, data) urgently." More likely than not it will have the word "Kindly", as in "Kindly send...".
- The e-mail will probably be asking you to do something out of the ordinary. (This is where the red flashing lights should start going off in your head)
Security Tip: Always pick up the phone and call a number (that you already have on file) and verify that the person sending the e-mail is who you think it is and not a hacker. As for the IRS, they will never e-mail you asking for anything. They use certified/registered mail for official business.
A good rule of thumb is, if an e-mail seems strange, or is requesting something that is not normal procedure, it's probably a scam.
Be Secure!
@tjmprofessional
Thursday, September 6, 2018
How to Overcome Your E-mail Insecurity - Part 1 of 3
As a small business owner you probably have a lot of things keeping you up at night. Your use of E-mail in doing business probably wasn't one of them, until you read this post.
E-mail was not designed to be secure. It was created to be a simple electronic messaging platform for trusted networked computers back in the late 1960's, and grew in use during the 1990's. It eventually replaced both the telephone and the fax machine as the primary communication medium for business in the 2000's. Its security flaw of being "trusted" remains from its original 1960's design, and is what has also made it the preferred attack vector for cyber criminals to defraud both individuals and businesses. Rather than dwell on what we can't change, let's focus on what we can.
The E-mail Interloper
Over the last year a very popular type of e-mail hacking has been targeting attorneys, loan officers, and realtors. (Although there have been similar scams with vendor payments and payroll provider settlements.) A hacker compromises one of these parties' e-mail accounts. Rather than make their presence known, they will just sit back and read through the person's e-mails and wait for the right situation to arise, usually a real estate transaction. Once the hacker knows the particulars of the deal, they wait until the time of closing and then send an e-mail from the compromised party's e-mail account stating to the buyer or the buyer's agent that the wiring instructions for the settlement have changed and to use the new bank routing and account number to transfer the proceeds of the transaction. The buyer then sends the wire to the hacker's bank, and by the time all the parties figure out what has occurred, the hacker has since moved the money to several other banks and eventually wires the funds to an overseas bank and "poof", hundreds of thousands, potentially millions, are gone. If that wasn't bad enough, now everyone gets lawyered up to try and figure out who is at fault, and the real mess begins. Regardless of whether you are the buyer, seller, a real estate agent, or attorney, this can be a business nightmare as both the money and the deal are gone.
Security Tip: If you are in the real estate business, or another business where you frequently send wires to different parties, always pick up the phone and call a number (that you already have on file) and verify the wiring instructions with the receiving party before sending the funds. A simple five-minute phone call will defeat an e-mail takeover scam, and will also demonstrate to your customers and business partners that you take security and doing business with them seriously. If your clients are the ones sending funds, remind them to do this one simple thing to protect themselves, and your commission.
Be Secure!
@tjmprofessional
Saturday, August 25, 2018
Phishing is not a Technology Problem
In reading the title of this post, IT folks all around the world are shouting at the top of their lungs: "Amen!"
While perhaps not a profound statement for the IT community, it is nonetheless a true statement that phishing is not an IT risk, but a Business risk. Phishing is about social engineering, the use of trickery and deception, with technology as the delivery platform, to coerce your employees into e-mailing mass HR or customer data, giving up their password, or sending money to the criminal posing as a company executive, government official or a vendor. Therefore it is the social engineering aspect that needs to be addressed, but rarely is. Hence why phishing is very effective, very profitable, and the volume and complexity of attacks are growing at a rapid pace.
The security software and appliance providers keep upping the ante with the latest technology tools (now AI) to detect or block phishing e-mails, but at the end of the day, this is just a holding action, not a sustainable solution as it is not 100% effective. The root cause is still sitting one foot in front of the keyboard. It is your employees and contracted staff that make phishing attacks possible. And this is where the least amount of budget and time are spent on reducing your organization's risk of being phished.
Security experts have been debating for years about how effective security awareness training, mock phishing exercises, the security posters hung in the break room, and posting security tips on your organization's intranet site are. And to be honest, perhaps the jury is still out on having any scientific data on that, but what is the alternative? Do nothing? We've seen first-hand with recent data breaches how well that works.
Perhaps the secret formula is a balanced approach of tools, training, and procedures to combat this business risk. At the end of the day, if you have tools that scan e-mails for suspicious activity, you train your employees on what phishing e-mails look like, give them an avenue to report them (be included in the security process), and hold mock phishing exercises with a teachable moment built in to educate, plus have well communicated procedures on not e-mailing mass data without approvals, or not sending wires without phone verification, or that the CEO (who probably doesn't remember your name) is never going to ask you to "kindly" pick up some iTunes gift cards at the store, then perhaps your organization has a shot at thwarting the Phishers.
Be Secure!!!
@TJMProfessional
Sunday, July 8, 2018
"Are you still in the office?" - A Phishing Story
The below is based on a true story:
Monday at 5:00 pm - You are just leaving the office.
You make a slight detour on the way to your after-work event to stop by a store and purchase four iTunes gift cards with your corporate card. You then whip out your phone and send your boss photos of the codes by 6:20 pm, and are still able to make your event. You saved the day for your boss and helped him/her win over the new clients. Deep down you are hoping your part in this is remembered when raise/bonus evaluation time comes around. All is right in the world.
Tuesday Morning at 8:10 am - You are in the office and just grabbed your morning coffee.
The boss walks by your desk and says "Good Morning". You respond in kind and add, "How did the clients like the gift cards?" Your boss stops, turns to you and says "What are you talking about?"
It is at this point you find out that the e-mail was not from your boss, but that you were the victim of a spear-phishing e-mail. The cyber criminal stole $1,000 which you put on your corporate card and had thought you would be getting reimbursed for.
Does this sound like a far-fetched story? It's not. It is safe to say that thousands of intelligent people around the world fall for this type of phishing campaign every day. Per the FBI's 2017 Internet Crime Report*, there were 25,344 reported phishing victims in the US alone in 2017. Keep in mind, most phishing attacks go unreported due to the victim being embarrassed for having been tricked. Today's cyber criminals rely on human behavior over technical skill. They will use fear, greed, people's good nature and helpfulness to try to defraud your employees and your business. Security awareness training is a very effective defense against phishing attacks and is fairly cheap. Speaking of awareness, let's get to it. Below are some tips as to what this employee should have done to prevent being a victim:
Tips:
1.) If you are getting an e-mail from someone (such as your boss), and the request is unusual (i.e., not something they have ever asked you to do before), pick up the phone and call them on a number you know is valid. Also, if the e-mail is from the CEO or CFO and they most likely don't even know your name, they probably aren't asking you for a favor. This is when it is good to forward it to your boss with your suspicions, and ask him/her to look into it. Communicate outside the e-mail thread and use the chain of command to authenticate odd e-mail requests.
2.) Any e-mail asking you to buy something (typically iTunes, gift cards, or prepaid debit cards), transfer customer/employee data, or transfer funds (sending a wire, ACH, Western Union, Money Gram, etc.) needs to be independently verified by picking up the phone and calling the person on a number you know is valid (don't use any contact info in the e-mail that was sent to you).
3.) Cyber criminals know what your office hours are. So look for "Urgent" requests after hours as highly suspicious.
4.) As with #3 above, the cyber criminals know you most likely will be checking your work e-mail after-hours with a mobile device. Most mobile phones only show the display name, not the actual e-mail address, so they can send an e-mail from a gmail account with your boss, CEO, or CFO's name displayed and it will appear on your phone or tablet as the display name, not the actual e-mail address. Click on the display name to show the actual e-mail address. Even if it looks legit, still call. No one ever got fired or in trouble for verifying e-mail instructions that seem odd.
5.) Look for very short e-mail messages (with no details). Also bad grammar/spelling are common signs. In addition, look for non-American style English being used "I have a most urgent request" or "Kindly send me the gift card codes." Does your boss or CEO talk like that?
6.) Let's say you fell for it, and realize it afterwards. Report it! You can still save the day. In this case, the employee should have notified his company's security officer or HR so that all the other employees could be notified of the scam to prevent additional victims at the organization. Secondly, he/she should have contacted Apple and had the codes deactivated. It wouldn't get the money back, but it would stop the criminals from getting it. When criminals see a good target, they will keep coming back. Try to ensure that their attack on you isn't profitable. This way they will seek an easier target next time and leave you alone.
Be Secure!
Link to the 2017 FBI Internet Crime Report
* https://pdf.ic3.gov/2017_IC3Report.pdf