August 15, 2017 by The GLS Team
There's a new piece of malware in the wild called Ovidiy Stealer and it's looking to steal both individual and company passwords. This password malware isn't particularly sophisticated, and if a corporation has up-to-date anti-virus and anti-malware programs, it may not have to worry about it -- yet. Ovidiy Stealer's claim to fame isn't its sophistication, but its price. For a mere 450 to 750 Rubles (that's a mere $7 to $13 USD), crooks not only get a license for the malware, but they also get support from the mastermind in Russia, who calls himself "TheBottle."
A $7 Piece of Malware?
Believe it or not, it's a competitive market out there when it comes to attracting malware customers. The Ovidiy Stealer is dangerous because for only $7, it's universally affordable--and appealing. It lures its victims with an executable attachment (it may be compressed as a zip file), or a link to an executable file in an email, pretending to be something it clearly is not. Once it is run, the malware targets certain browsers and steals the passwords.
Which Browsers Does it Target?
According to Proofpoint, Ovidiy Stealer is currently targeting the following browsers:
- Amigo browser
- Google Chrome
- Kometa browser
- Opera browser
- Orbitum browser
- Torch browser
The savvy user may note that it doesn't target Internet Explorer, Safari, or Firefox, but given that this password malware is constantly evolving, it may prove problematic even for those browsers in the future.
Why Should Companies Be Concerned About Ovidiy Stealer?
Ovidiy Stealer isn't aimed simply at stealing individuals' passwords. Anyone targeted could inadvertently execute the password malware themselves, allowing the criminals to obtain passwords for company bank and investment accounts, financial records, medical records, clouds, and more. Just one breach in security could result in serious damage and even serious fines, depending on the nature of the compromised data.
Is There Any Way to Prevent Ovidiy Stealer from Stealing a Company's Passwords?
The good news is that while Ovidiy Stealer is targeting a large number of accounts, it isn't particularly cutting-edge. Taking precautions as small as adding two-factor authentication will help reduce the number of exposed accounts. Using a password manager for all accounts, changing passwords frequently, and making certain that, if there is a breach, the password manager can change the passwords quickly are good first steps. But none of that addresses the human element. All the antivirus and malware protection available doesn't protect computer systems if the users are unaware of the potential risks and still click on harmful links or accidentally run malware.
Addressing the Human Factor
Global Learning Systems offers comprehensive online security awareness training that can show employees how to spot threats like Ovidiy Stealer and avoid turning their companies into malware victims. They have a wide variety of security courses designed to train employees to remain vigilant when it comes to viruses and malware. They offer Information Security Awareness Training Courses which cover the basics, such as phishing/social engineering, Internet safety, mobile security, email safety, and identity theft. They also offer their Information Security “Best Practice” Modules Suite which provides the learner ways to put into action best security practices in everyday online use. They also offer role-based training and compliance courses which will train employees to assure compliance with specific regulations.
While Ovidiy Stealer isn't the most sophisticated malware out there, in terms of overall scale and prevalence it is deadly, and has the ability to become a real threat to any organization. A company can thwart this attack using:
- Two-step authentication
- A powerful password manager
- Training that will teach its employees to recognize potential threats
Contact Global Learning Systems today and find out how you can protect your company from Ovidiy Stealer and other malware threats.
August 11, 2017 by The GLS Team
HIPAA, or the Health Insurance Portability and Accountability Act, was enacted in 1996 to ensure that patients' medical records remained private and accessible only to the patient and the required healthcare professionals. Failure to comply with HIPAA can result in steep fines and even criminal penalties. The minimum penalty for non-compliance due to willful neglect--if it is corrected--is $10,000 for each violation and up to $250,000 per year. However, the maximum penalty is $50,000 for each violation, and up to $1.5 million in a year. Even if HIPAA regulations are violated out of ignorance, the maximum fines can reach $1.5 million. And what counts as non-compliance? The list includes lost and stolen devices, hacking, lack of training, third party disclosure, and employee dishonesty.
Lost and Stolen Devices
According to the Texas Medical Association, mobile devices such as laptops, tablets, thumb drives, and smartphones are more likely to be lost or stolen than other pieces of equipment, thus causing HIPAA non-compliance. Even if employees do as little as check their work email on their smartphones, if the email contained any personal health information, or PHI, it can count as a serious breach of HIPAA compliance.
Theft, unfortunately, happens all too often, and a single laptop theft can result in huge fines if the device is not sufficiently encrypted so as to prevent access to PHI. While encryption is not mandated by HIPAA, encrypting sensitive data can prevent a breach of compliance should a device become lost or stolen.
Making up 23 percent of HIPAA violations, hacking is the second most common cause of HIPAA non-compliance. Weak passwords, unintentionally downloaded malware, internet worms, phishing, and lack of sufficient firewall protection offer hackers a way into systems and thus a way of obtaining PHI. Hackers can be deterred by the use of strong passwords, frequent updates, and firewalls. All software should be kept up to date to avoid possible security breaches. Having a good anti-malware and antivirus checker running frequent scans will also help prevent possible security breaches.
Lack of Training
Lack of HIPAA compliance training is also a crucial reason why HIPAA violations occur. It's not enough for just an owner or an upper management team to receive HIPAA compliance training. HIPAA violations frequently occur at a lower employee level, where office staff, contractors, volunteers, and others who have access to PHI may unknowingly violate HIPAA rules. Global Learning Systems specializes in HIPAA compliance training for all employees.
Third Party Disclosure
But it isn't sufficient for a company or clinic simply to maintain their own HIPAA compliance. Under the HIPAA Omnibus Ruling, companies are also responsible for their business associates and even subcontractors for their business associates. So, if a business associate or one of their subcontractors violates HIPAA by putting the company or clinic's PHI at risk, the company can be held liable. For this reason, it is crucial that a company's owner or manager scrutinize his business associates' compliance plans before partnering or entering into a contractual agreement with them.
Whether they are accessing PHIs with malicious intent or out of simple curiosity, if an employee does not have the right to access certain patient records, they can cause the company to be in breach of HIPAA compliance. Global Learning Systems can provide employees with HIPAA compliance training so that they fully understand the dangers and risks of accessing sensitive patient records without authorization. With our training, employees will learn that illegally accessing--not to mention stealing--personal health information can and will result in termination, strict fines, and even jail time.
HIPAA violations can occur anytime, which is why it is so crucial that companies and clinics be on guard when it comes to their patients' sensitive information. In particular, they should guard against:
- The security of lost and stolen devices, with data encryption.
- Hacking, by insisting on strong passwords, up to date software, firewalls, and anti-malware and antivirus software.
- Lack of training, by having all employees, contractors, and volunteers participate in HIPAA compliance training.
- Third Party Disclosure, by ensuring all third parties and their contractors have proper HIPAA compliance plans.
- Employee dishonesty, by properly training employees in HIPAA compliance to deter violations.
Global Learning Systems can help instruct you and your employees in HIPAA compliance, and provide safeguards and solutions for every possible security breach. Contact us for all your HIPAA compliance training needs.
August 03, 2017 by The GLS Team
Business ethics is constantly evolving to meet the needs of our current societal norms and expectations of business leaders. With more Millennials becoming business leaders and simultaneously representing a significant percentage of retail sales, the generation's values are definitely reshaping how corporate ethics are approached. How closely are you examining business ethics in your organization, and prioritizing your policies concerning ethical conduct, stakeholder relationships, and social responsibility?
Corporate Social Responsibility
Corporate social responsibility (CSR) measures are incredibly important to the 18-35 demographic today, with the Millennial generation being more responsive to CSR initiatives in terms of both employment and consumption.
86% of Millennials claim that it's not merely preferable, but a priority, to lend their talent to a workplace that is socially responsible. Social responsibility isn't just a platitude that gets thrown around boardrooms but a proactive approach that encompasses any and all of the following, and more:
- Using local suppliers
- Buying and hiring American
- Diverse hiring initiatives
- Investing in green, sustainable production methods and workspaces
- Addressing workplace harassment
- Fair wages and benefits to all employees, not just white-collar professionals
- Making workplace safety a priority
- Charitable giving initiatives (including paid time off for volunteer work)
The list goes on, but CSR scorecards are based on how well the organization treats its employees and the planet by the decisions made.
Hyper-transparency in the Internet Age
Millennials are more skeptical of businesses than previous generations. Because they are digitally-connected, the younger generation wants to see actions and not words when it comes to promises made to both the organization's workers and the public.
Business ethics accounts for transparency, but to what extent? Are your policies up-to-date to be hyper-transparent in the internet age, where immediate action is expected and claims can be debunked in seconds? With this constant state of connection, organizations can't afford to not be hyper-transparent today.
Being Good to People and the Planet = Good for Profit
Also known as the "triple bottom line", business practices that are good to people and the planet don't have to compromise profits.
Millennials want to see more than the CEO cutting a large check to a charity in order to keep up appearances. By adopting policies that are friendly to workers and consumers alike, and greener practices that are better for the planet than that which merely produces larger profit margins, the triple bottom line actually increases. As Millennials continue to be maligned for "killing" types of businesses known for exploitative labor practices--such as the diamond industry and chain restaurants--they are simply voting with their wallets in favor of businesses that have a strong triple bottom line.
It may be good for profit margins to ask employees to take work home or do clean-up off the clock, and sometimes it may even be legal. But since it's highly unethical, don't expect Millennials to be too excited about increasing your bottom line when there are organizations more committed to the triple bottom line. The same goes for continuing to use suppliers who don't engage in environmentally-friendly practices or who support causes that are seen as harmful.
Being good to both people and the planet is better in the long run. Millennials are committed to making businesses they lead, own, and patronize adhere to the triple bottom line.
Business ethics involve more than staying compliant with regulations, putting up a front for public relations purposes, or even switching just one supplier or changing one policy and only after immense public backlash. Social and ethical responsibility are ongoing commitments that are integral to attracting and retaining both customers and employees in the Millennial generation. Global Learning Systems can keep you up-to-date on the latest trends in corporate social responsibility and ethics training with our comprehensive business ethics training course. Contact us today to learn more!
July 31, 2017 by The GLS Team
Phishing. Social Engineering. Cyber attacks aimed at specific corporations. These are some of the concerns stated by many of the IT security professionals surveyed at the Black Hat USA 2017 conference, and they are no doubt concerns of any manager involved in making certain his or her company is compliant. The Black Hat survey offers an eye-opening look into the cyber threats facing businesses today. Of the 580 IT security professionals surveyed, about 66 percent of them worked for large corporations with more than 1000 employees. The survey allowed the IT security professionals to select their top three answers, so the data would be more meaningful.
Security Foremost in the Minds of Black Hat Attendees
As might be expected, most IT professionals who attended this conference were concerned about their company's security. More than two-thirds (67 percent) of those surveyed stated that within the next 12 months they would have to deal with a serious breach in security. Almost two-thirds (60 percent) were concerned that there would be a cyber attack on a critical US infrastructure. These attendees also felt that they were short-staffed to handle the crisis when it happened. A majority of professionals (71 percent) stated they didn't have enough staff to adequately combat such a cyber attack, and 61 percent felt that they could use more training to combat these threats effectively.
When asked what consumed most of their time, 35 percent of the respondents said that counteracting phishing, social engineering, and exploitation of social media took up most of their day. Indeed, these attacks are the biggest concern of half the attendees, showing how serious a problem it is. This problem is widespread and could affect your company.
What's Responsible for Breaches in Security?
It's not surprising that IT security professionals are concerned over phishing and social network exploitation due to breaches in security, but the surprising side is what -- or rather, who -- is actually to blame. Nearly one-fifth of the security professionals at Black Hat said that they spent most of their time compensating for accidental data leaks by users who did not follow security procedures. This was also a major concern of 21 percent of the IT professionals who answered the survey.
About one third of the IT security professionals spent most of their time working on keeping their company compliant with regulatory and industry security guidelines. Even so, more than a quarter (26 percent) were constantly working on fixing breaches made by their own application programmers and more than one fifth (21 percent) spent most of their time fixing mistakes made by someone in the company or external attacks that caused their company to become non-compliant.
Clearly, breaches in security are a serious problem and are often caused by employees who do not fully understand the procedures or do not recognize the seriousness of their actions. Although more employees are taking IT security seriously, 58 percent of respondents did not believe non-security employees fully understood the security issues IT faces. In fact, 13 percent of IT professionals said that their users were "completely clueless." Not a confidence builder if you're the manager who must ensure your company is compliant with regulatory and industry security guidelines.
Your Employees Are Your Greatest Danger -- and Greatest Asset
Your employees are the lifeblood of your company, but they are also your biggest security risk. Uneducated, your employees could accidentally cause security breaches that could cost your company thousands, or even millions of dollars. You can mitigate those risks through training. When each employee learns the dangers to the company and learns the correct security procedures, he or she becomes part of your "human firewall." Your employees can stop security risks before they even occur by understanding and following your company's security procedures.
At Global Learning Systems, we offer courses tailored to enhance security awareness and thwart security breaches. We offer:
Information Security Awareness Training Courses
Information Security “Best Practice” Modules Suite
Simulated Social Engineering Exploit Testing, Accompanied with Robust Phishing Awareness Training
Security Awareness Role-based Training and Compliance Courseware
With more than 25 years of experience in training employees, we can help you build your "human firewall" and give you peace of mind. Contact us at Global Learning Systems today.
June 29, 2017 by The GLS Team
Secure coding standards are a set of uniform guidelines that software developers can apply in order to provide safeguards against security vulnerabilities. The guidelines are set by the project or organization rather than going by what the programmer is familiar with in terms of the information security issues that need to be addressed.
Why is Secure Coding Necessary for Organizations?
In the information-based society we live in, security threats are constantly evolving. IT departments need to constantly try to outwit cyber criminals and be one step ahead of them. Organizations put themselves at serious risk by not employing best practices for secure coding, because even the best and brightest programmers can miss security shortfalls in any given project. Software, websites, and mobile applications can be subjected to any kind of threat ranging from phishing to ransomware and these threats can be internal or external.
Having one unified set of guidelines that project managers and other key decision-makers can refer to for projects, organization policy, and other parameters for information security makes it easier to define security protocols. Moreover, an entire community of web coders, project managers, security researchers, and other thought leaders contribute to secure coding guidelines to provide their unique perspectives instead of simply relying on what one team of programmers is knowledgeable in.
OWASP and its Role in Software Security
The Open Web Application Security Project (OWASP) is a nonprofit organization dedicated to the endeavor of keeping software secure, and the processes surrounding security transparent and visible so that individuals and organizations can make informed decisions when it comes to secure coding. Individuals, policy makers, trade organizations, governmental entities, universities, and corporations of all sizes have come to rely on OWASP for setting industry standards for secure coding.
All of the information on OWASP is free and available to the public, and the organization also has several chapters and conferences that discuss application security and the threats that programmers must constantly work around. OWASP has helped shape information and application security policy for governments around the world and continues to be a trusted resource for secure coding standards, whether organizations need to set guidelines for projects or individuals would like to learn best practices in their own coding projects.
Secure Coding Training for Your Organization
Global Learning Systems has been recognized by OWASP as a Top 10 instructor for our role-based secure coding training that relates to the latest computer threats. Given that OWASP's knowledge base is a vast ocean of information that can make it difficult to isolate which areas to focus on, our online course identified the areas that every software and web developer should be trained in to best mitigate organization-wide security threats.
By investing in proper OWASP-recognized computer security threat training, you can be assured that your staff will have detailed instruction in looking for the cracks that need to be sealed in any given network's or project's security. Recognition of risks will not only be covered, but also how to deal with them.
Secure coding refers to a set of standards, created and collaborated on by several contributors in the application security and software and web development spheres, that organizations adopt for organization-wide or project-specific use.
Computer threats are always evolving and even the most proficient programmers and web developers can miss security vulnerabilities since their job is to create a functional project rather than prioritize mitigation of threats.
OWASP is the main organization that sets the guidelines for secure coding.
OWASP-approved training by role is a valuable investment for your IT talent.
Global Learning Systems' online secure coding training can be accessed 24/7 and can be customized to other roles in addition to software and web developers. Contact us today to learn more!