Cyber Tips


Spring is Here - Time to Clean up your Gear!
May 2018
By Dr. Meg Layton

It may have held out until the last minute, but there's no denying that spring is finally here. Spring is a time when we open our windows and do traditional spring cleaning - and it's a great time to do the same spring cleaning on your mobile devices. Break out your device and take a few minutes to keep yourself and your family secure!

  • Back up your device and data, and make sure the backup is kept in a secure location.
  • Delete unnecessary files/pictures/messages/voice mails. Remove old contacts. Did you take a picture of your tax return or a medical form? Be sure to remove it from your device.
  • Review your apps. That game your child no longer plays? The conference app you used once two years ago? Remove them. Don't keep apps you don't use on your device! If some are pre-loaded and cannot be removed, you can disable them instead.
  • Put a password on your device. Just do it. Secure it from unintended prying eyes.
  • Apply any outstanding patches. Make sure your applications are up to date, as well as the operating system. A secure device is a patched device.
  • Review the privacy and security settings of your device, and of any application or online service you connect to from your device. There is a good chance that they have changed since the last time you looked! Make sure you have enabled only what you intend.
  • Don't forget the basics: clean your screen, cancel accounts you no longer use, and make sure you have appropriate "ICE" (In Case of Emergency) contacts in your device.

Spring can be a great time to connect with old friends, take pictures of flowering trees, and travel to new places. A few spring cleaning tasks will make sure your mobile device is up to the challenge and ready for the adventure!

Lessons in Strength from Hercules
February 2018
By Laura Owens

In Greek mythology, Hercules was a divine hero, universally known as a strongman, the Gatekeeper of Olympus, and the protector of mankind. Thinking of our computer systems today, what might we learn from this strongman about keeping our computer systems, applications and personal information protected? He’d teach us to create strong passwords!

63% of data breaches last year used weak, guessable or stolen passwords. While biometric devices, tokens and other means can be used to authenticate a user to a system, the good ole’ password is still ubiquitous - and still the weakest link. Companies can implement security policies which enforce password rules, but often these rules make passwords difficult to remember. Enforcing a password lifespan (how long you can use a password before you have to change it), composition or complexity (a minimum length, or special characters that must be used), or password history (how long before you can re-use an old password) certainly increases security - but you still need to start with a strong password.

“Password123”, “guest” or “QwErTy” are easily broken because they aren’t complex – yet users are often reluctant to create complex passwords because they are hard to remember. What a conundrum! Here’s some sound advice for creating strong passwords: they need to be easy to remember, yet complex enough that they can’t be guessed easily.

Start with a meaningful word or phrase and try spelling it phonetically, with some creative substitutions for characters. Make the password as long as you can (longer passwords are harder to crack).

  • Fantastic becomes Phant@st1k
  • Cornfield becomes K0rnfi31d
  • PrivacyFirst becomes pr1v@Sea1$t
  • Motivation becomes MowTuhvay$hun

If you’d like to read more, NIST published Special Publication 800-63-3, Digital Identity Guidelines, last year.
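As an added example (not from the newsletter or from NIST), the following Python sketch turns this advice and the NIST guidance into a checker: it undoes the common character substitutions before comparing a candidate against a constructed list of commonly used passwords (NIST SP 800-63B recommends checking against such a list), and it estimates the brute-force search space from length and character classes, which is why the longer phonetic spellings above hold up better than a disguised dictionary word. The blocklist contents, the substitution table and the 33-symbol punctuation count are assumptions.

```python
import math

# Constructed blocklist: the article's weak examples plus a few other usual suspects. A real
# deployment checks against a large list of breached/common passwords, as NIST SP 800-63B advises.
COMMON_PASSWORDS = {"password", "password123", "guest", "qwerty", "123456", "letmein"}
# One common reading of each substitution, so "P@ssw0rd" is recognised as "password".
UNDO_SUBSTITUTIONS = str.maketrans("@01$3!", "aoisei")

def keyspace_bits(pw: str) -> float:
    """Brute-force search space, log2(alphabet ** length), from the character classes present."""
    alphabet = 0
    if any(c.islower() for c in pw): alphabet += 26
    if any(c.isupper() for c in pw): alphabet += 26
    if any(c.isdigit() for c in pw): alphabet += 10
    if any(not c.isalnum() for c in pw): alphabet += 33   # printable ASCII punctuation and space
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def normalize(pw: str) -> str:
    """Lower-case and undo the usual character substitutions before the blocklist lookup."""
    return pw.lower().translate(UNDO_SUBSTITUTIONS)

def check_password(pw: str, min_len: int = 8) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate password."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        return False, "matches a commonly used password (substitutions do not disguise it)"
    return True, f"accepted, about {keyspace_bits(pw):.0f} bits of brute-force search space"

if __name__ == "__main__":
    for candidate in ("Password123", "P@ssw0rd", "Phant@st1k", "MowTuhvay$hun",
                      "spring is here time to clean up your gear"):
        print(f"{candidate:42} {check_password(candidate)[1]}")
```

The last candidate, a plain phrase of 41 characters, scores far above the short substituted words even though it uses only lower-case letters and spaces.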

Don’t forget the mainstream guidance on passwords – it still applies: don’t share your passwords, or use the same password for all of your accounts, and don’t write them down somewhere public. Engaging these password safeguards would be sure to gain the approval of Hercules himself!

Shopping Online Securely
November 2017
By Diana Donohue

The holiday season will soon be upon us -- and you know what that means… An increase in scams targeting online shoppers. SANS recently released its November Ouch! Newsletter with helpful tips to avoid becoming a victim, including what you can do to avoid potential fake websites, securing your computer or mobile device and closely monitoring charges on your credit card during the shopping season.

Before purchasing any items online, be sure to look for the letters HTTPS, shown in green right before the website’s name, as an indication that the connection is encrypted. The SANS newsletter on this subject can be found at this link: Shopping Online Securely

What you should know about … Good Cyber Hygiene
By Laura Owens

Cyber criminals thrive on your mistakes. And navigating the Internet continues to get more complex – free Wi-Fi, large digital footprints, ransomware … if you don’t watch your digital behavior, you raise the odds of becoming a victim of cybercrime. Some simple reminders can help keep you safer:

  1. Pay attention to physical security. Lock your computer (or at least your screen) when you leave your desk. Know who’s around you and who might be watching to capture your PIN entry on a website, or capture your keystrokes as you enter a password.
  2. Use public Wi-Fi wisely. While you’re using public Wi-Fi (even if you’ve entered a password to get on), avoid confidential activity if possible, such as accessing your bank accounts. In some cases it can be more secure to use your smartphone’s personal hotspot and data plan to access the Internet instead of public Wi-Fi. Always be sure to log out of sites and disconnect the Wi-Fi connection when you’re done.
  3. Watch your social media posts - don’t overshare. When you post details about your location by “Checking in” somewhere, or share photos and other personal information, you give social engineers content they can use to exploit your identity.
  4. Email is not encrypted. Be careful what you put in an email. Unless you use a special encrypted email application (such as Tutanota or ProtonMail) email is not encrypted as it traverses the Internet on its way to the recipient. If you need to give someone confidential information, pick up the phone instead.
  5. Keep your Internet browser up to date. And all of your software, for that matter! Installing updates to your applications, including your web browsers, closes backdoors and other vulnerabilities that hackers could exploit to gain access to information on your computer. Did you know the recent WannaCry ransomware attack exploited a vulnerability that Microsoft had identified and patched several months earlier? Only computers that had not installed the OS update were at risk of being infected.
  6. Revisit the basics. You know these – use strong passwords and change them frequently, don’t click on suspicious links in emails and on websites (even those links to cute kitten pictures!). Maintain a good cyber posture and you significantly drop the odds you’ll be a victim.

Want more information on cyber hygiene? Check out the Stop.Think.Connect campaign from DHS.


Notice: New attempt at phishing
By Diana Donohue and Laura Owens

In recent months, ransomware senders have attempted to trick people into opening Word documents that look like invoices or receipts, but the new method appears to come from an irate person who has a charge from your company’s domain name (yourcompany.com, so to speak). A Word attachment is also included, which likely carries some form of malware. Some spam filters will block this, but not all. In any case, the senders will become more savvy and find ways to bypass such filters. The body of the email is typically as follows:

What is this ****ing charge on my card?
I never visited or bought anything from your company.
I have attached a screenshot of my statement.
I want my money back!!!
I have attached my card statement, please get back to me ASAP.

Resist the urge to open the attachment. Contact your company’s helpdesk or fraud alert line if you receive this type of email. If it comes to your personal email, delete the email without opening the attachment.


Whaling Attacks

Have you heard of people being “harpooned”, taken in by a cyber whaling attack? A whaling attack is a type of phishing directed specifically at senior executives and other high-profile targets within businesses, where a masquerading web page or email takes a more serious, executive-level form. The email may appear to be from an executive or director of the company (CEO, CFO, Board member, etc.) emailing a member of the finance department requesting a money transfer out of the company. Or it may be written as a legal subpoena, customer complaint, or executive issue. Whaling phishermen have also forged official-looking FBI subpoena emails, claiming that the manager needs to click a link and install special software to view the subpoena.

These types of attacks are increasing substantially and have generated billions of dollars for fraudsters in the past two years.

How can you protect against whaling attacks? 

  • Have good processes and controls in place for all payments, such as separation of ordering and payment processes, using approved purchase requisitions, paying based on an invoice, etc.
  • Educate executives to not deviate from such standard payment processes within their company.
  • Encourage an open and transparent company culture where a member of the staff (especially from HR or Finance) can call the CEO or CFO directly to check on questionable items.
  • Learn how to identify potential threats and attacks.
  • Educate executives and staff on the nature of such attacks and what to look for.
  • Watch for odd requests, wording that doesn’t sound like it’s from the sender, typographical errors, links that don't make sense in normal everyday communications, and attachments that are not generally sent by the purported sender.
  • Be suspicious of all unsolicited email.
  • Never click through links or open an attachment in an email message from someone you don't know -- unless you initiated the email exchange.
  • Implement email-embedded digital signatures throughout your company in addition to other security tools, such as spam filters, firewalls, and intrusion detection and prevention systems.
  • If an email appears to come from a colleague but seems suspicious, check with the sender to make sure he or she actually sent it.
  • Reinforce good behaviors when staff check to confirm the legitimacy of email requests, and otherwise follow appropriate policies and procedures.
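As an added example (not part of the newsletter), here is a small Python mail filter that encodes two of the tells described in the phishing notice and the whaling list above: an executive's display name on an outside sender domain or a mismatched Reply-To, and a refund-dispute complaint arriving with an Office attachment from outside the company. The company domain, executive names, lure phrases and both sample messages are constructed placeholders, and the heuristics are an assumption about what a filter would look for, not a description of any product.

```python
from email import message_from_string
from email.utils import parseaddr
COMPANY_DOMAIN = "yourcompany.com"          # placeholder domain, as used in the article
EXECUTIVES = {"jane ceo", "john cfo"}       # constructed display names of senior staff
REFUND_LURE = ("charge on my card", "money back", "card statement")
OFFICE_EXTS = (".doc", ".docx", ".docm")

def email_risk(raw: str) -> list[str]:
    # Returns heuristic findings for one raw RFC 822 message; an empty list means nothing fired.
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    # Whaling tell: an executive's display name on a sender outside the company domain.
    if name.lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append(f"executive name '{name}' on external sender domain {from_dom}")
    # A Reply-To pointing elsewhere quietly redirects the conversation away from the real sender.
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rsplit("@", 1)[-1].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename().lower())
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    # Refund-complaint lure: charge-dispute wording plus an Office attachment from an outsider.
    hits = [p for p in REFUND_LURE if p in body.lower()]
    office = [a for a in attachments if a.endswith(OFFICE_EXTS)]
    if hits and office and from_dom != COMPANY_DOMAIN:
        findings.append(f"refund-dispute wording {hits} with Office attachment {office}")
    return findings

# Constructed sample messages modelled on the two patterns described in the article.
REFUND_MSG = """From: "Angry Customer" <someone@example.net>
To: billing@yourcompany.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I never visited or bought anything from your company.
I have attached my card statement, please get back to me ASAP.
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="statement.doc"

--b1--
"""
WHALING_MSG = ('From: "Jane CEO" <jane.ceo@webmail.example>\nReply-To: jane.ceo@mailbox.example\n'
               'To: finance@yourcompany.com\n\nPlease process the wire today; I cannot take calls.\n')
```

Calling `email_risk(REFUND_MSG)` yields one finding (the attachment plus dispute wording) and `email_risk(WHALING_MSG)` yields two (external domain and mismatched Reply-To); a message from an executive's real company address with neither tell yields none.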