Email phishing

  • Despite businesses investing in next-gen technologies, phishing threats continue to become more sophisticated and effective according to a new report.

    The study from intelligent phishing defense company Cofense shows how threat actors, armed with an ever-growing arsenal of tactics and techniques, continue to tweak their campaigns and enhance their capacity to deliver malware, ultimately getting more messages past perimeter controls to user inboxes.

    Among the findings are that between October 2018 and March 2019, 31,429 total threats were reported by end users after delivery to the inbox, these included 23,195 via credential phishing and 2,681 via business email compromise (BEC).

  • Some of the most convincing email phishing and malware attacks come disguised as nastygrams from a law firm. Such scasuingms typically notify the recipient that he/she is being sued, and instruct them to review the attached file and respond within a few days — or else. Here’s a look at a recent spam campaign that peppered more than 100,000 business email addresses with fake legal threats harboring malware.

    On or around May 12, at least two antivirus firms began detecting booby-trapped Microsoft Word files that were sent along with some variation of the following message:

    {Pullman & Assoc. | Wiseman & Assoc.| Steinburg & Assoc. | Swartz & Assoc. | Quartermain & Assoc.} <legal@wpslaw.com>

    Hi,

  • A couple weeks ago I received an email message with the subject line “Urgent Request !!!” The note purported to be from Adam Lashinsky, this newsletter’s weekday columnist, a man whose comminqués I am wont not to ignore. Yet I knew instantly, even before opening the note, that the composer was an imposter.

    The tell: Three more exclamation points than I have observed the bossman ever having used !!!

    Phishing, the attempted ensnarement of people’s personal information through fraudulent dispatches, continues to be one of the web’s great scourges. The tactic remains an effective means for spies to commit espionage, a lucrative pastime for criminals, and a nuisance to my inbox. Naturally, the practice is a highlight in Verizon’s 2019 data breach investigations report, a compendium of useful cybersecurity insights, published Wednesday.

Passwords

  • password length

    As you can see below add 4 characters to a password with no complexity rules makes the password much more secure than requiring adding special characters like uppercase, lowercase, digits and symbols

  • PasswordsPasswords are (one of) the biggest pain(s) in today’s IT security. They are a factor of life, and the modern lifestyle requires us to have a great many of them. So we need to make sure we’re aware of what is a strong and a secure password. How many times did we enter our information into an online service, registering with our credentials, only to be greeted with a variation of a “Please use a strong password” message?

  • NIST Guidelines for Password Security: If You Are Using a Password Manager, You Should Be in Good Shape

    The US National Institute of Standards and Technology (NIST) is a federal agency that is part of the US Department of Commerce which means that although it doesn't have any regulatory functions, it employs plenty of people that are supposed to know what they're talking about. For years, NIST has discussed, among other things, the problem of secure online authentication and passwords. As the organization's name suggests, its goal is to standardize the world of technology, and although it hasn't completely unified everyone's perception, its guidelines have, to a certain extent, influenced our ideas on what is and what isn't a good password.

    Should we continue to listen to everything it says about online authentication?

  • ** A huge thanks to the MS Crypto Board for all of the hand-holding and explanations -- especially David LeBlanc, Michael Scovetta, and Marsh Ray.

    For the purpose of this post, the following definitions will be used:

    • Password Complexity:  the rules associated with setting passwords to try and guarantee that the passwords used are both difficult-to-crack as well as difficult-to-guess.
    • Password Entropy:  the level of chaos or randomness present in a system -- in this case, a string of characters that make up a password.
    • Bits of Entropy:  the mathematical measurement, in bits, of how difficult it is to crack a password.

    So there are a couple of really interesting things you might have noticed:

  • computerworld

    The company now says forcing users to routinely reset passwords at pre-set time intervals doesn't work as well other security options.

    Microsoft last week recommended that organizations no longer force employees to come up with new passwords every 60 days.

    The company called the practice - once a cornerstone of enterprise identity management - "ancient and obsolete" as it told IT administrators that other approaches are much more effective in keeping users safe.

  • Microsoft Technet

    There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.

  • The National Institute of Standards and Technology (NIST) has issued new guidelines regarding secure passwords. Who is NISTNIST? NIST is a non-regulatory federal agency whose purpose is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology, in ways that enhance economic security and improve our quality of life.

    Do you have to follow these guidelines? No, you don’t. But they are generally considered a reasonable standard not only in the U.S., but also around the globe. Following these standards are likely to give you a fair bit of protection, should you ever be accused of not following good security practices.

  • There are actually several things you need to keep in mind when creating and using passwords, but a good password manager will help you take care of the two most important ones. It will make sure all your passwords are long and strong, and it will also make sure each password is used for only one account.

    Why you need a password manager

    These days, an eight-character password just won't do. Modern password-cracking tools will make short work of it. It's much safer to have a 15-character password.

    What password managers do

    That's where the password manager comes in. It remembers your passwords for you. All you need to remember is the single "master" password that unlocks the password manager.

Breaches

  • ClockThe European Union (EU)’s General Data Protection Regulation (GDPR) is in full effect, but many organizations still don’t have the processes in place to be compliant. According to an IBM survey, only 36 percent of executives said they expect to be GDPR-compliant by the enforcement date.

  • Looking to 2019

    A chain is only as strong as its weakest link. This is also true in the world of security. In 2018, we tracked a key growing threat trend - that when just one device in a home or small business (usually the router) is compromised, then the rest of the devices on the network become easy to compromise. With connected devices - known as the Internet of Things - growing faster than any device category in history, it’s increasingly difficult to buy appliances and home goods that do not have some connection over to the internet.

  • Verizon 2019 DBIR Shows Financially Motivated Attacks Increasing While Criminals Switch to Easiest Targets

    VerizonThe Verizon 2019 Data Breach Investigations Report (DBIR) was published just after midnight today. This is the 12th edition since its launch in 2008, and the most extensive to date, with 73 contributors and an analysis of 41,686 security incidents including 2,013 confirmed breaches. A breach is defined as an incident that results in the confirmed disclosure or exposure of data.

Account security

  • Have I Been Pwned? (HIBP, with "Pwned" pronounced like "poned," and alternatively written with the capitalization 'have i been pwned?') is a website that allows internet users to check whether their personal data has been compromised by data breaches. The service collects and analyzes hundreds of database dumps and pastes containing information about billions of leaked accounts, and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future dumps. The site has been widely touted as a valuable resource for internet users wishing to protect their own security and privacy. Have I Been Pwned?

  • We’ve all heard the proverb: Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime. Well now, threat actors don’t even have to exert the effort to phish to land business email accounts. 

    According to an alert published earlier this year by the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013. Traditionally, social engineering and intrusion techniques have been the most common ways to gain access to business email accounts and dupe individuals to wire funds to an attacker-controlled account. These methods play out as follows:

  •  The cyber threat environment is becoming more dangerous every day. A recent survey by the World Economic Forum revealed that cyber-attacks were the number-one concern of executives in Europe and other advanced economies. As we approach the winter holidays and the end of the year, let’s examine the top cyber security threats enterprises can expect to grapple with in 2019.

  • Researchers looked at multifactor authentication tools like physical security keys, on-device prompts, and text messages to figure out how well these techniques really protect you. It turns out: really well.

    The security key prevented 100 percent of attempted account takeovers of all types in the year-long study. Last year, Google said there hasn’t been a single account takeover of a Google employee since they started using security keys.

    Account takeover prevention by type

Stakeholders and management

  • To ensure boards are fully prepared to face the consequences of a cyberattack, the report recommends six key areas to focus on:

    1. Establishing a cyber-incident response plan 
    2. Regularly rehearsing the response plan using a range of different scenarios
    3. Monitoring and managing the risk posed from their supply chain
    4. Ensuring they understand the terms of their insurance and what is covered 
    5. Understanding what 'normal' looks like for their business, in terms of application usage, so they can identify any unfamiliar patterns
    6. Investing in regular training and raising their people's awareness of cybersecurity

    Cyberattacks and data breaches have cost UK mid-market companies over £30 billion, yet organisations remain complacent about their cybersecurity capabilities – putting them at greater risk from hackers and cybercrime.

  • Posted on Monday, February 19th, 2018 by Katharina Gerberding

    In today’s increasingly complex IT landscape, we are exposed to a sheer infinite number of cybersecurity buzzwords and strategies when it comes to protecting your organization’s critical data assets. The terms vulnerability scans, vulnerability assessments and vulnerability management are often mixed up and still cause confusion on many accounts. To make sure that your organization can focus on the most effective tactics when it becomes to dealing with vulnerabilities, we’ve explained the main differences between vulnerability assessments and vulnerability management once and for all.

     

  • Every company that uses computers, email, the internet, and software on a daily basis should have information technology (IT) policies in place. It is important for employees to know what is expected and required of them when using the technology provided by their employer, and it is critical for a company to protect itself by having policies to govern areas such as personal internet and email usage, security, software and hardware inventory and data retention. It is also important for the business owner to know the potential lost time and productivity at their business because of personal internet usage.

    Consider the following scenarios, which are not uncommon in most companies:

  • Some 71% of businesses plan to use AI and machine learning in their security tools this year, though over half aren't sure what that tech really does, according to Webroot.

    Artificial intelligence (AI) and machine learning tools are creeping into every part of the enterprise, including security. But while 71% of US businesses said they plan to spend more budget on AI and machine learning in their cybersecurity tools this year, 58% said they still aren't sure what the technology really does, according to a Webroot report released Thursday.

  • Business leaders and security leaders don’t always see eye to eye.

    I like to compare the business decision to invest in cybersecurity to a homeowner’s decision to spend money on a fence or a hot tub. Sometimes you know you need a fence, but you really want a hot tub. You can imagine sipping on your favorite beverage and watching the sunset from your hot tub, and when you think of the fence, well …

    So how can business leaders and security leaders get on the same page?

    I recommend that security leaders directly ask business leaders about their top priorities and goals for the year. It’s extremely important at this point to listen and learn. Based on this information, security leaders can identify risks that might prevent business objectives from being accomplished and plan accordingly.

Ransomware

  • A ransomware infection can be a very, very scary situation to deal with. Many victims aren't sure what to do next when ransomware hits. There's one thing that you should never do, and that pays the ransom.

     

    Shutterstock

    That's a point that cybersecurity experts have been trying to drive home ever since ransomware first started infecting computers. When faced with the frightening reality that treasured family photos or essential business documents have been encrypted, however, not everyone follows that advice.

    Those who don't aren't always pleased with the results. In fact, a recent report from the CyberEdge Group revealed that only 19% of ransomware victims who pay the ransom actually get their files back. It's a risky roll of the dice, to be sure... and just as many people CyberEdge surveyed said they paid and still lost their data.

     

  • BALTIMORE —

    Tuesday began week five of coping with a ransomware attack in Baltimore City government. City officials now expect nearly all city employees to be back on their email accounts by week's end, but other systems are still offline.

    The City Finance Director Henry Raymond described the current status of city operations affected by the ransomware attack as not ideal, but manageable, and one official warned about what to expect once water billing is restored.

    Mayor Jack Young brought most his cabinet to a briefing Tuesday morning on progress on repairing and restoring the city's computer operations.

    "All city services remain operational. Baltimore is open for business," Young said.

  • Ransomware is falling in popularity as cyberattackers look for other ways to earn a criminal living out of compromising enterprise companies, with cryptojacking now capturing the interest of these individuals worldwide.

Training and awareness

  • FraudwatchDoes your business have employees? If so, cyber security (and cyber security awareness) are critical to your survival in an industry dominated by growing virtual crime. Certainly, most people know about costly identity theft and reputation-destroying network hacks, which seem to be on the news almost every day. Organizations implement firewalls, comprehensive cyber security defense systems, and sophisticated IT protocols to keep themselves safe from online threats.

    The problem? Without an embedded culture of cyber security awareness and enforcement, all of those fancy and expensive systems aren’t going to do you much good.

  • Someone once said, “Never stop learning, because life never stops teaching.” That’s the perfect attitude to apply towards security awareness programs.

    The keyword is learning. Not to be confused with training, learning is the process of absorbing information to improve skills and the ability to apply knowledge in a real-life situation. Training is undoubtedly an important part of that, but if you want your SAP to be successful, it’s the learning part of the equation that’s most important.

  • Security isn’t just a technical problem. It’s also a people problem, and keeping the people side of the security equation strong requires that all people in your organization have an awareness of security. This is why security awareness programs are so important.

    The goal of a security awareness program — as you may have guessed — is to increase organizational understanding and practical implementation of security best practices. A program like this should apply to all hires — new and old, across every department — and it should be reinforced on a regular basis.

    Here’s what you need to know to create a first-class security awareness program at your organization.

    What Is a Security Awareness Program?

    A security awareness program is a way to ensure that everyone at your organization has an appropriate level of know-how about security along with an appropriate sense of responsibility.