May 26, 2017 by Michelle Lopez
Webinar GLS May 25, 2017
Phishing — Exploit of choice for cybercriminals and what can be done about it
Global Learning Systems (GLS) hopes you enjoyed and profited from our webinar on May 25, 2017. Below is an overview of the session for those who attended, and a summary for those who were not able to join.
Two co-presenters welcomed participants to the webinar.
Keith Murphy, product manager for GLS’s popular security package PhishTrain™, opened the presentation and provided details on his background, which includes close to 20 years in product development. He described PhishTrain as a “dynamic phishing simulator that is integrated with the GLS portal and helps to enforce the awareness level of clients and end users through a variety of testing.”
Co-presenter Jeff Bernstein is a managing director of T&M Protection Resources in New York, a global provider of security consulting solutions focused on “protection of people, property and information.” In that role he helps “oversee and help clients’ overall security postures” through “the delivery of tactical and strategic information for security assurance, response, compliance and training programs.” His firm has partnered with GLS for four years and has been closely aligned with GLS for seven.
Murphy provided an overview of GLS, which has 30 years in learning and development, and 16 years as an award-winning InfoSec partner. The company offers a comprehensive security and compliance product library, a robust cloud-based learning management assessment and phish-testing program, and custom learning development and program management services. Among the company’s offerings are “short courses that are highly engaging … and meant to drill down on a specific element like phishing awareness or working safely from home.” Keeping cybersecurity “top of mind all year” is the main objective of the company, Murphy said.
He spoke about the “State of the Phish,” which is “pretty alarming.” He covered recent events and provided a number of statistics and examples supporting the need for advanced awareness and training, such as the monetary cost of compromised information, as well as loss of reputation and customers.
Bernstein said that the statistics of cybercriminal activity include only those who have come forward, and reminded the audience of all those many instances that are not reported. A case study was presented, and Bernstein asked what could be done about stopping the cybercriminality, but “the long and short of it is that it comes down to the security of your data…it depends on people making the right decisions, not making the wrong decisions, and being educated to tell the difference between the two.”
Bernstein then provided overviews of some of the types of courses available to educate people in protecting themselves and their data. “We’re not just about information security, we also cover HIPAA, PCI, data protection, and a lot of other topics. We have office training and skills, OWASP, role-based training, and also a wealth of topics around HR.” He also provided in-depth details of how some courses would work and their benefits.
GLS presented its anti-phishing solution, which includes a number of items such as an unlimited SaaS phishing platform access with admin dashboard analytics and reports, simulations, a customizable landing page template library, and much, much more.
Murphy then took questions, for example whether an individual company can create its own templates, and what size of company the anti-phishing courses suit. The answer to the latter was that the courses are scalable and can be localized to a particular company and region of the world, so organizations of every size can benefit. Prices fit every budget, and GLS tries to be a true partner in crafting the “specific solution” that meets a particular company’s needs.
More information in detail was presented to participants by Bernstein, who stressed once more the importance of educating people, “which is what the Global Learning Platform does.” Murphy concurred with his assessment, and said in conclusion that “this is real life… and a problem to a large degree that can be mitigated through continuous education” as well as “structuring a deliberate and methodical plan… of trying to move your culture from reactionary to owner-operator when it comes to the security of your data.” He urged people to contact GLS and “let us talk about how we can help strengthen your human firewall.”
The entire presentation is available to you at:
May 15, 2017 by The GLS Team
More than 200,000 computers in over 150 countries were struck by “WannaCry”, a worm-like ransomware, as users booted their systems around the world. As word spread, experts interviewed on television said that insufficient protection and outdated software left running on computers contributed to the attack’s effectiveness.
According to the Associated Press, experts urged organizations and companies to immediately “update older Microsoft operating systems, such as Windows XP” with a patch released by Microsoft Corp. “The patch limits vulnerability to a more powerful version of the malware or to future versions that can't be stopped,” the AP said. The patch in question is Microsoft’s MS17-010 update of March 2017, which closes the SMBv1 flaw the worm exploits to spread; after the outbreak began, Microsoft also released an out-of-band fix for Windows XP, Windows 8 and Windows Server 2003, which were no longer receiving regular security updates.
GLS provides security awareness training and many other services that help protect and upgrade your current defenses and systems. Providing such services to your company is not a nicety but a necessity in an age where armies of malware operators work to disrupt business as usual wherever and however they can.
According to Vikram Thakur, technical director of Symantec Security Response, “Just one click on an infected attachment or bad link would lead to all computers in a network becoming infected.” GLS has repeatedly stressed the importance of defending a company against phishing, which early reports named as the starting point of the WannaCry outbreak. Whatever the first infection in a given network, the worm’s spread from machine to machine needed no clicks at all: it used the SMBv1 vulnerability that MS17-010 patches, so an unpatched Windows system reachable over the network could be hit with no user involved.
CyberheistNews warned: “If you or a co-worker are not paying attention and accidentally open one of these phishing email attachments, you might infect not only your own workstation, but immediately everyone else's computer too. Be very careful when you get an email with an attachment you did not ask for. If there is a .zip file in the attachment, do not click on it but delete the whole email. Remember: ‘When in doubt, throw it out!’”
GLS’ ransomware solutions and advice can provide companies with the kind of security that is needed in today’s treacherous malware environment. Don’t take chances with your data or your company! Help Strengthen Your Human Firewall™ today!
Take a brief moment to watch a clip from our ransomware Security Short Video
May 04, 2017 by The GLS Team
Google took an unprecedented step this week by publicly warning followers on Twitter and other channels about a sophisticated new phishing scheme targeting Google Docs users. Like all phishing scams, this one tried to gather information and gain access to accounts; unlike most phishing attempts, it was polished and sophisticated.
Designed to look like an email from someone you know and trust, the scam asks you to click a “Google Doc” link to open a shared document. Because the email was convincing and appeared to come from someone you know, whether a coworker, friend or family member, it fooled quite a few users into taking the bait.
How the Google Docs Scam Works
The emails were sent from the real Gmail accounts of earlier victims, through the mailbox access those victims had granted to the attacker’s OAuth app, so they looked exactly like an email from a friend or colleague. A look at the headers and the sending address would not reveal the attack; the messages legitimately came through the Gmail system.
Clicking “Open in Docs” took you to Google’s genuine account-chooser and consent screen, but the consent was for a third-party app the attacker had registered under the name “Google Docs”. The app asked for permission to read, send, delete and manage your email and to manage your contacts. The page was real; the app behind it was not, and the name on the consent screen is chosen by whoever registers the app.
Spreading Like the Common Cold
Once the app held the victim’s grant, it did not stop there. It used that access to send the same convincing lure to everyone in the victim’s contact list, and the messages were deleted from the “Sent” folder of the victim’s Gmail account, leaving no trace of the activity behind. No password was stolen; an OAuth grant is a standing permission, so the remedy is to revoke the app under the account’s connected-apps settings. This delivery method spread the attack through organizations and social groups in record time.
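The signal a user (or a mail-security gateway rewriting links) actually has at the moment of the click is the consent URL itself: it carries the requesting client_id, the scopes being asked for and where the authorization will be sent. The following is an added example, not code from the original post, from Google or from GLS, that parses such a URL and says what should be refused. The client_id values, the hosts docs.example.net and scheduler.example.org and both URLs are constructed for illustration; the scope strings and the accounts.google.com endpoint are Google’s real ones.

```python
"""Inspect a Google OAuth consent request before the user clicks "Allow".

Added example, not code from the original post, from Google or from GLS.
The client_id values, the redirect hosts and the two URLs are constructed;
the scope strings and the accounts.google.com endpoint are real.
"""
from urllib.parse import urlparse, parse_qs

# Scopes whose grant hands a third party the user's mailbox or address book.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read/send/delete access to Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read the contact list",
}

# Google's own products never appear on the third-party consent screen, so a
# consent request is for someone else's app whatever that app is named.
GOOGLE_HOST_SUFFIXES = (".google.com", ".googleusercontent.com")


def inspect_consent_url(url, app_name=None):
    """Describe what a consent URL asks for and flag what a user should refuse.

    app_name is the display name shown on the consent screen (chosen by
    whoever registered the app); pass it to check for brand impersonation.
    """
    query = parse_qs(urlparse(url).query)          # decodes %xx and '+'
    scopes = query.get("scope", [""])[0].split()
    redirect = query.get("redirect_uri", [""])[0]
    redirect_host = (urlparse(redirect).hostname or "").lower()
    findings = []

    for scope in scopes:
        if scope in HIGH_RISK_SCOPES:
            findings.append(f"asks for {HIGH_RISK_SCOPES[scope]} ({scope})")

    third_party = bool(redirect_host) and not redirect_host.endswith(GOOGLE_HOST_SUFFIXES)
    if app_name and "google" in app_name.lower() and third_party:
        findings.append(f"app calls itself '{app_name}' but the grant goes to {redirect_host}")

    return {
        "client_id": query.get("client_id", [""])[0],
        "scopes": scopes,
        "redirect_host": redirect_host,
        "findings": findings,
        "refuse": bool(findings),
    }


# Constructed lure, shaped like the 2017 campaign: Gmail plus contacts scopes
# for an app registered under the name "Google Docs" by a non-Google party.
LURE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789012-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs.example.net%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

# Constructed benign request: a scheduling tool asking only for identity.
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=987654321098-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fscheduler.example.org%2Foauth"
    "&response_type=code&scope=openid+email+profile"
)

if __name__ == "__main__":
    for name, url in (("Google Docs", LURE_URL), ("Acme Scheduler", BENIGN_URL)):
        report = inspect_consent_url(url, app_name=name)
        print(name, "-> refuse" if report["refuse"] else "-> ok")
        for finding in report["findings"]:
            print("   ", finding)
```

The scope list is the part that matters: an app that only needs to show you a document has no reason to ask for https://mail.google.com/, and a consent screen that names a Google product while routing the grant to a host Google does not own is impersonation by construction.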
Key Takeaways from the Google Docs Attack
What can we learn from this recent attack?
Hackers are becoming more sophisticated – you can’t rely on poor spelling or even a quick look at the header to reveal the signs of a scam.
The right attack will spread quickly, too quickly even for a large, invested organization like Google to stop it before it impacts you.
Never click on a link in an email you did not specifically ask for or were not already expecting, and don’t grant a third-party app access to your Gmail account unless you chose that app yourself and understand each permission it asks for.
Access to your email account could be access to everything from your sensitive work files to your personal bank account, so this type of phishing attack can have a big impact on victims.
Protect yourself and your Business from Phishing
While the heads-up from Google was helpful, you can’t rely on a big provider to let you know there’s a problem or threat every time one arises. Educating yourself and your staff about the ways a cybercriminal could try to infiltrate your business or identity can keep you from becoming a victim. If you are worried about the increasing sophistication of phishing scams and concerned about falling for one, we can help. Our anti-phishing training is designed to help you spot a phishing scam with ease and stop a would-be scammer in his tracks. Contact us to learn how easy it is to protect your assets and network from sophisticated criminals seeking to do you harm.
April 28, 2017 by The GLS Team
The Payment Card Industry Data Security Standard (PCI DSS) is the card industry’s set of requirements for protecting cardholder data and, in turn, reducing card fraud. If your organization stores, processes or transmits card data for the major card brands such as Visa and Mastercard, you must comply with PCI DSS.
The standard was first published in December 2004 by the card brands, and since 2006 it has been maintained by the PCI Security Standards Council, founded to fight card fraud and identity theft and to help organizations of all types and sizes keep up with the growing and changing world of online commerce and related technologies. PCI DSS is an industry-wide standard that applies to every organization that accepts payment cards, at whatever point of sale.
How Does PCI DSS Compliance Affect My Organization?
The PCI Security Standards Council publishes and maintains the standard; compliance is enforced by the card brands and by the acquiring banks that process a merchant’s transactions, not by the council itself. You can see a brief overview of the requirements on the council's website.
In general, organizations with large transaction volumes must undergo an annual on-site assessment by a Qualified Security Assessor, while merchants with small volumes complete an annual Self-Assessment Questionnaire; in both cases, systems exposed to the internet also need quarterly external vulnerability scans by an Approved Scanning Vendor. PCI DSS is not codified into federal law. Depending on where your organization does business, however, some states mandate PCI DSS compliance or an equivalent set of standards and practices for organizations that handle large volumes of card transactions and the data trails they leave.
Nevada adopted PCI DSS into state law in 2009: merchants who do business in Nevada must comply with the standard, and those who do are shielded from liability under state law. Washington followed in 2010, but its law does not require organizations to adhere to the standard; it only shields compliant organizations from liability.
Even if your organization does not do business in these states, complying with PCI DSS can help your organization employ better security practices when it comes to credit card data.
Passing a PCI DSS Compliance Audit
The six goals of PCI DSS are as follows:
Build and maintain a secure network and systems
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
Each goal is broken down into one or more of the standard’s twelve numbered requirements, and it is against those requirements that an assessment is scored.
Even if you are doing the self-assessment, or aren't even required to comply, it's a good idea to be prepared for your PCI DSS compliance audit. While these standards are applied to some of the largest organizations in the world, small and medium sized businesses can also benefit from these best practices. Taking the following steps will not only help you pass a PCI DSS audit but also improve your overall security:
Only use validated payment applications (those on the council’s PA-DSS list) for physical points of sale and online shopping carts.
Never store sensitive authentication data after authorization: the full magnetic-stripe or chip data, the three- or four-digit security code, and PINs must not be kept on paper, in databases or in log files. If you must keep the card number itself, render it unreadable (truncated, tokenized or strongly encrypted) wherever it is stored.
Place a firewall between the systems that handle card data and any untrusted network, and run a host firewall on laptops that connect to that environment from outside.
Keep passwords strong on all devices and always change the default passwords on both hardware and software. Under PCI DSS 3.2, multi-factor authentication is required for remote access into the cardholder data environment and for all non-console administrative access to it.
Only use PCI PTS-approved PIN entry devices if you accept cards that require a PIN.
Protect your wifi with WPA2 and a strong passphrase, change the router’s default administrator password, and keep wireless networks separate from the systems that handle card data.
Perform routine inspections of all PCs, PIN devices and card terminals to ensure that no one has installed skimmers or malware, and keep a list of the devices you own so a swapped terminal is noticed.
Train your employees in best practices for keeping cardholder data secure. Our PCI DSS training course can also give your employees the tools and knowledge they need, with interactive modules, to ensure your organization passes the audit.
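“Never store cardholder data” is a claim you can verify rather than assume: card numbers tend to leak into application logs, debug output and support tickets long after the payment code itself has been reviewed. The following is an added example, not code from the original post or from the PCI SSC, of the discovery check a practitioner runs over such files. It finds digit runs that look like card numbers, keeps only those that pass the Luhn check (which discards most order numbers and timestamps), reports them masked to the first six and last four digits, and flags lines where a security code was stored alongside the number. The log lines are constructed; 4111 1111 1111 1111 and 5500 0000 0000 0004 are the well-known Visa and Mastercard test numbers, not real cards.

```python
"""Find card numbers that have leaked into logs or files.

Added example, not code from the original post or from the PCI SSC. The
log lines are constructed; the two card numbers are public test numbers.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Security-code fields: sensitive authentication data that may never be
# stored after authorization.
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn check: rejects most order numbers and timestamps that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """First six and last four digits, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return one finding per Luhn-valid card number: line, masked PAN, CVV flag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({
                    "line": lineno,
                    "masked": mask_pan(digits),
                    "cvv_present": bool(CVV_FIELD.search(line)),
                })
    return findings


# Constructed application log: one clean line, two leaked PANs (one with the
# security code beside it), and a ticket number that fails the Luhn check.
SAMPLE_LOG = """\
2017-04-28 09:12:03 INFO order=1234567890123456 status=authorized
2017-04-28 09:12:07 DEBUG card=4111 1111 1111 1111 exp=12/19 cvv=123
2017-04-28 09:13:41 DEBUG card=5500-0000-0000-0004 exp=03/20
2017-04-28 09:14:02 INFO support ticket ref 4111111111111112
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        flag = " + security code stored" if hit["cvv_present"] else ""
        print(f"line {hit['line']}: {hit['masked']}{flag}")
```

Run against the sample, the scanner reports lines 2 and 3 only: the order number on line 1 and the ticket reference on line 4 are sixteen digits long but fail Luhn. A finding on a DEBUG line is the typical case, and the fix is usually in logging configuration rather than in the payment code.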
Global Learning Systems can keep your organization one step ahead of data thieves all while ensuring that your organization passes all relevant compliance checks. Please contact us today to learn more about our compliance courses and on-site training.
April 28, 2017 by The GLS Team
Each quarter, the Anti-Phishing Working Group (APWG) publishes a report to keep all sectors aware of current cybercrime threats. The APWG is an international coalition of more than 1,800 institutions that pools their observations to combat these threats. Its latest report offers some useful insights into phishing attacks, how they are escalating, and which vertical is most at risk. Here are four takeaways worth understanding from the APWG’s latest phishing activity report.
1. The Data Proves Phishing Attacks are Escalating
The report states that phishing attacks are up 65% from the previous year. The total number of attacks in 2016 was 1,220,523, with monthly totals ranging from roughly 70,000 to 156,000; the fourth-quarter monthly average is listed at 92,564. December was the least active month, with 69,533 recorded attacks. The APWG’s theory is that phishers slowed down deliberately during the holiday season, focusing on lower-yielding and experimental targets. The APWG report states that the most attacks came in April.
The increase includes spear-phishing of employee email accounts, which puts companies at even greater risk of data theft. Phishing has also become more targeted: attackers take their time to find out which companies and employees are most vulnerable before they send anything.
2. The Fourth Quarter Reports the Highest Level of Attacks Ever
The APWG began producing this report in 2004. That year, the average number of phishing attacks was just 1,609 per month. With the fourth-quarter numbers in, that monthly average has grown enormously: the APWG has seen an increase of 5,753% in the 12 years it has monitored this data.
The report’s malware-infection figures, a separate measure from phishing, show China as the country most affected: 47% of machines there were found to be infected. Turkey and Taiwan also posted striking numbers, with over 42% of machines in Turkey and 39% in Taiwan showing infection.
3. The Most Targeted Industry was Retail/Service
Retail has been consistently targeted for a number of years. In the fourth quarter of 2016, this industry owned 41.9% of the reported attacks. In second place was financial at 19.6% and ISP following third at 12.6%.
The report also states that the number of brands targeted average about 400 per month during the first three quarters but dropped down to 264 in the fourth. This supports the idea that phishing decreased somewhat during the holiday season.
4. Phishers Didn’t Need Brand-Named Domains to Fool Their Victims
As part of the study, RiskIQ reviewed the domain names used in these attacks. Phishers sometimes register domains that contain a brand’s name or closely resemble its real domain in an attempt to confuse their victims, a practice known as domain spoofing. The 2016 analysis found that very few attackers put a brand into the registrable domain at all, which shows that a deceptive domain is not necessary to fool many Internet users. They use other tricks instead:
Showing a familiar domain in the visible link text while the underlying hyperlink points somewhere else (hovering over the link reveals the real destination)
Using URL shorteners so that the destination domain is hidden altogether
Inserting the brand name in a subdomain or in the path of an unrelated domain
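These three tricks are mechanical enough to check in code, and the check is the same one a link-scanning mail filter performs. The following is an added example, not part of the APWG report, of RiskIQ’s analysis or of the original post, that classifies a hyperlink by whether the brand keyword sits in the registrable domain the brand owns, in a look-alike registrable domain, in a subdomain, or only in the path; whether the host is a known shortener; and whether the visible link text names a different domain from the real destination. The brand table, the URLs and all hostnames are constructed, and the public-suffix table is a deliberately tiny stand-in for the real Public Suffix List.

```python
"""Flag the URL tricks the APWG/RiskIQ analysis describes.

Added example, not code from the APWG, RiskIQ or the original post. The
brand table, URLs and hostnames are constructed; PUBLIC_SUFFIXES is a tiny
stand-in for the real Public Suffix List.
"""
from urllib.parse import urlparse

# Constructed: a real deployment loads the Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "ly", "co.uk", "com.br"}
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}

# Brand keyword -> the registrable domain that brand actually owns (constructed).
BRANDS = {"examplebank": "examplebank.com"}


def registrable_domain(host):
    """'login.examplebank.com' -> 'examplebank.com' (tiny-suffix-table version)."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()


def classify_url(url, brands=BRANDS, anchor_text=None):
    """Return the list of deceptions found in one hyperlink; [] means none."""
    findings = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    path_and_query = (parts.path + "?" + parts.query).lower()

    for keyword, legit_domain in brands.items():
        if reg == legit_domain:
            continue                                   # the brand's own site
        if keyword in reg:
            findings.append(f"look-alike registrable domain {reg} for '{keyword}'")
        elif keyword in host:
            findings.append(f"'{keyword}' appears only in the subdomain of {reg}")
        elif keyword in path_and_query:
            findings.append(f"'{keyword}' appears only in the path or query of {reg}")

    if reg in SHORTENERS:
        findings.append(f"shortener {reg} hides the real destination")

    # Visible link text that looks like a URL but names a different domain.
    if anchor_text and "." in anchor_text and " " not in anchor_text.strip():
        shown = anchor_text if "://" in anchor_text else "http://" + anchor_text
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and registrable_domain(shown_host) != reg:
            findings.append(f"link text shows {shown_host} but points to {host}")
    return findings


# Constructed links of the kinds the report describes: (href, visible text).
SAMPLE_LINKS = [
    ("https://www.examplebank.com/login", None),
    ("https://examplebank.com.secure-login.net/verify", None),
    ("https://examplebank-verify.com/", None),
    ("http://bit.ly/2xyz", None),
    ("https://cdn-files.org/examplebank/update.php", "https://www.examplebank.com/update"),
]

if __name__ == "__main__":
    for href, text in SAMPLE_LINKS:
        result = classify_url(href, anchor_text=text)
        print(href, "->", "; ".join(result) or "nothing suspicious")
```

The second sample is the case the report singles out: examplebank.com.secure-login.net reads as the bank’s domain to a hurried eye, but the registrable domain is secure-login.net and the brand is only a subdomain label. Note that the registrable-domain split is what makes the check meaningful; substring-matching a brand anywhere in the URL would flag the bank’s own site too.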
By publishing their quarterly report, the APWG is providing businesses with a powerful security tool. They can see the trends in phishing scams and use that information to improve the company security protection.
This year, the report detailed that:
The total number of phishing attacks in 2016 was 1,220,523 – a 65% increase over 2015.
The APWG recorded more phishing in 2016 than in any year since it began monitoring in 2004.
The most targeted industry was once again retail/service.
Phishers don’t need brand-named domains to fool victims.
Another practical solution to avoiding phishing scams is to engage management and staff in a comprehensive training course about the risks of Internet fraud. The Anti-Phishing Training course offered by Global Learning Systems, for example, teaches awareness and avoidance using interactive and scenario-based instruction. Contact us today to learn more.