weborionsales-blog · 6 years
Cyber Security Awareness
We hear a lot about hacking these days, but in fact, hacking is nothing new. Even long before computers existed, people tried to hack things. The public became aware of hacking as early as 1903, when Marconi’s wireless telegraph was hacked just as the technology’s capabilities were about to be demonstrated to a large crowd gathered at London’s Royal Institution.
Today, hacking has evolved into a wide-ranging web of cybercrime that is hard to avoid, with perpetrators carrying out their misdeeds for a variety of motives – selling data for profit, hacktivism, stealing state secrets, and revenge against former employers or enemies. But make no mistake, the prime motive is profit. The cost of cybercrime will top $2 trillion by 2019, according to Juniper Research.
The expansion of the Internet of Things (IoT), and its potential to connect every device that can be connected, creates even more opportunities for hackers. We’ve already seen hacks involving WiFi-connected insulin injectors, automobiles, baby monitors and webcams. The massive Oct. 21 DDoS (distributed denial of service) attack against DNS provider Dyn used hundreds of thousands of connected devices, including webcams, to block access to a host of popular websites, including Twitter, Netflix and the New York Times.
How Basic Security Knowledge Can Help Any Career
Aside from simply not clicking suspicious email attachments, there are things nearly all employees can do to enhance company security and make themselves more valuable workers.
"Within any role in the organization, learning about security can help an individual understand the risks and make informed decisions for their key stakeholders," says Pavi Ramamurthy, senior manager of information security at LinkedIn.
Like what, you ask? Here are a few of Ramamurthy's examples:
In sales, reassure customers of an organization’s security posture.
In corporate communications, you should assess in the context of business reputation and brand trust.
The legal team should ensure that the right security clauses are built into supplier and customer contracts.
Regarding HR and/or security, know what’s needed for better security awareness and training.
Product managers should advise on good security features.
In engineering development, make sure you develop secure code.
Security professionals should perform reviews and quality assurance tests for functional and security verification.
Corporate management should ensure that a good security incident response plan is in place to address any vulnerabilities.
As you can see, it certainly doesn't require being a security professional to contribute to security-related projects and awareness. In fact, the more equipped a workforce is with this knowledge, the less money and time will be lost to security breaches.
WHATSAPP SCAM
WHAT TO DO IF YOU HAVE BEEN TARGETED WITH FAKE SUPERMARKET VOUCHERS?
The messenger app was used to send fake vouchers to people, purporting to be from trusted chains such as Asda, Tesco and Aldi.
The messages claimed to offer hundreds of pounds in savings so long as the user followed a link to an online survey asking for personal details.
The scam is a form of phishing, where fraudsters pose as reputable organisations to gain personal details.
Action Fraud, the UK's national reporting centre for fraud and cyber crime, advises anyone who has fallen victim to this scam to report it online or call 0300 123 2040.
So far, 33 people have come forward to report falling victim to the scam, although it is unclear how many people have received the message.
“If you've received spam from a contact, delete the message and do not click on any links or provide personal information. Tell the contact that the message they sent includes spam and point them to this WhatsApp safety page,”
7 Essential Security Awareness Topics
1. Email Security
Email is the primary method that attackers will use in order to target your organisation. They may do this via targeted phishing emails, malicious URLs or even email attachments containing malware. Learning to spot these emails and distinguish them from legitimate communication is an essential skill to have.
Other email related topics should include spear phishing and business email compromise attacks. Staff should be able to recognise and avoid clicking on malicious URLs, and understand the threat posed by malicious attachments.
You should educate staff about things such as email spoofing, and ensure that they are familiar with the difference between the CC and BCC email fields. More importantly, every security awareness training programme should promote the use of encrypted email.
2. Web Security
Cybercrime is rampant on the web today. There’s identity theft, organized fraud, malicious hacking and even political hacktivism. It’s now estimated that around 1 in 10 web pages contains some kind of malicious code. The primary motivation for these cyber criminals is financial – and financial crime makes up a significant majority of the threat landscape.
It's now an industry that’s estimated to be worth US$113 billion. That’s enough money to host the London 2012 Olympics almost ten times over – or more than the global black market in marijuana, cocaine and heroin combined.
We need to keep our staff up to date with the latest web based attacks, and stress the importance of keeping software up to date. We must provide education and training around how to recognise malicious web pages, and spot websites which aren't using HTTPS to process personal data securely.
We need more education around password security, and the importance of two-factor authentication when it comes to securing our accounts. We also need to raise awareness of common internet scams, and train users to be suspicious of unknown internet downloads.
It's also a great idea to include some information regarding online payments, to ensure that financial data is handled and processed correctly.
3. Mobile Security
We’re living in the information age of cloud-based platforms, where we require data on demand, and increasingly use mobile devices to enable our businesses. Field based teams use tablets, laptops and mobile phones to access the resources they need to do their jobs, and to stay in touch with their teams.
These devices store more sensitive information than ever, and in many cases utilise VPN connections back to our company headquarters. The digital perimeter used to be within the physical confines of our premises, but today it extends across the globe.
Each mobile device represents a potential point of compromise, so it’s critical to our security that we take steps to secure these devices.
This includes training on mobile application security, including information about best app installation practices. It should also include information about public Wi-Fi hotspots, and the importance of VPN usage when using new or unknown networks.
Additionally, it's important to educate staff about PIN & passcode security, and the importance of encrypting the data on their devices. Make sure that you have a policy for lost & stolen devices, and communicate it to your staff.
You may also want to include information that will help staff to detect and avoid newer SMS style phishing attacks (often referred to as smishing).
4. Data Protection
The majority of developed countries have data protection legislation, which governs the protection of personal information. This legislation often covers the collection, processing, transfer and security of personal data. In many cases the legislation also outlines the penalties for cases where data has been mishandled.
You may also have to comply with regulations and standards that govern your particular industry; for example, medical practices in the United States have to maintain HIPAA compliance. These standards often include strict guidelines on handling personal information, and failure to comply can again result in heavy sanctions.
Providing adequate training to employees around data protection is critical. Employees all have a legal duty to protect and safeguard the information and data that they handle, particularly Sensitive PII.
Employees should be educated around topics such as data protection legislation, industry compliance obligations, personally identifiable information, secure data destruction, data classification and breach notification procedures.
5. Environmental Security
Environmental security concerns the systems and controls that we use to restrict access to sensitive information or resources. Environmental security controls include CCTV cameras, ID cards and access control systems.
Without physical security controls, our digital defences could be rendered completely useless. For example, if attackers had physical access to our servers they could install a key-logger to gather password information.
Security awareness training is essential to preventing physical security attacks such as tailgating and shoulder surfing. We should be educating employees about best security practices such as workstation locking, visitor policies and the importance of a clear desk.
6. Malware
Malware is one of the most serious threats to any organisation - particularly with the introduction of new ransomware style attacks. Malware has gone from being a nuisance to a legitimate threat to the confidentiality, integrity and availability of your data.
This is a particular problem when malware attacks are combined with other techniques such as phishing. Anti-spam filters are often unable to detect and prevent these emails from making it through, and anti-virus solutions are unable to detect the malware using signature-based matching.
Employees should be educated about malware and the risks that it poses. It's important that your security awareness programme includes information on what malware is, how exactly it behaves, how to recognise it and what to do if you become infected.
Your security awareness training can include information about common attack vectors such as ZIP files and macro-enabled Office documents. It's important to educate staff about the importance of backing up their files, particularly any email archives that they might have saved to their local disk.
7. Social Engineering
The single greatest threat to your security today is an attacker that’s skilled in manipulating human relationships. These attackers will attempt to gain the trust of somebody within your organisation in order to obtain information or access they otherwise wouldn’t have.
Scams such as business email compromise rely upon social engineering in order to be successful. In other social engineering pretexts, the attacker may call unsuspecting employees and pose as the IT department. Social engineering is the #1 method that attackers will use to bypass your expensive firewall equipment.
To combat these threats our awareness training needs to educate employees about the nature of the risk and how it affects them. It's important that they understand a little bit about the psychology of influence (for example scarcity, reciprocity and urgency) so that they can better combat these attacks.
weborionsales-blog · 6 years
#WebOrion 
weborionsales-blog · 6 years
Not just Facebook, a new vulnerability discovered in Linkedin's popular AutoFill functionality.
#Vulnerability #Facebook #LinkedIn #Cybersecurity #Plugin #Web #Mobile #StaySecure #Information #resume #celebration #linkedin #jobs #jobsearch #jobhunt #careers #marketing #b2b #marketers #socialmedia #socialmediamarketing #advertising #digitaladvertising #contentmarketing #linkedinmarketing
weborionsales-blog · 6 years
Weborion Cyber Awareness. #Cyber #CyberMonday #Cybersecurity #Malware #Biddata #Iot #Hacking #Dump #Security #Blockchain #Cybercrime #CyberAnalytics #PenetrationTesting #Hacker #Ransomware #SMB #enterprise #cybercrime #Manufacturing #Retail #vulnerability #IoT #IoTSecurity #CyberCriminal #Privacy #CyberWar #eCommerce #Ransomware #CyberCrime #CyberAttack
weborionsales-blog · 6 years
Good day! Whoola! Is it really being?
weborionsales-blog · 6 years
https://www.weborion.in/blog/test-facebook-info-shared-cambridge-analytica/
weborionsales-blog · 7 years
How to protect your organization from Ransomware Attack...
@ransomware67 @cybersecurity @cyberattack @wannacry #ransomware #cybersecurity #curiosity #linux #malware #spyware#wannacry #c64 #commodore #commodore64 #hacker #virus #security#online #digital #vaults #cyberattack #dataprotection #cyber #protection#businesses #smallbusiness #risk #technology #protectyourbusiness#lot #hackers #android #시놀로지 #synology
weborionsales-blog · 7 years
Help your organization secure or protect privileged data and credentials... @cybersecurity @cyberattacks-blog @cybersecurity
#cybersecurity #cyberattack #brasil🔰 #russian #uk #hacker #hack#stuck #tired #hawkman #sunrise #nhs #wannacry #britishairways#computersaysno #apple #macintosh #ransomware #reflection#instagood #monday #cybersec #glossary #comment #businessenglish#business #insurance #cyberinsurance