April 22, 2014 by Carsen
I am very excited to announce our new Anti-Phishing training program. It is our hope that through this education, employees across the globe will become aware of these sophisticated phishing threats, understanding how to identify them and how to respond, keeping both the individual and their organization secure.
As I posted several weeks ago, my husband was recently a victim of a sophisticated phishing attack posing as Google Docs, but because of his knowledge, he recognized the attack for what it was and stayed protected. To me, this clearly shows the importance of education and awareness in order to maintain security, as he almost fell for the well-disguised attack.
This course teaches employees about phishing and social engineering threats through a scenario-based, online format with gamification and achievement elements to engage and challenge the user’s understanding of these attacks. The course has three rounds, and in each round, learners are challenged to recognize common types of phishing and social engineering attacks and choose the safest course of action.
By not only telling the user what phishing is, but also testing them on detecting a phishing attack, the learner is engaged and learns how to quickly identify the attack and take proper action. We also work with organizations to create the right program for their specific needs. In addition to the online course (which is fully hosted, globally, for 24/7 delivery), the program can include testing and simulated attacks, posters, quick tips cards and newsletters to offer multiple channels of communication.
For more information on the course, a free trial and a quote, visit this page. Contact us today to discuss how your organization can start on an anti-phishing program.
April 17, 2014 by Eric Cates
The Heartbleed Internet bug is being called one of the biggest bugs to hit the Internet in the past decade, and with all of our most personal information linked through the Internet, you need to understand the threat and how to stay protected. What is it? What does it do? How can you stay protected?
What is it?
Simply put, Heartbleed is an information leak. It stems from a flaw in the encryption software that the majority of websites on the Internet use to turn personal information into unreadable streams of data, and it exposes the very data that software is handling.
The Department of Homeland Security posted on their blog on April 11, 2014, warning that malicious attackers could exploit unpatched systems. Larry Zelvin, Director of the National Cybersecurity and Communications Integration Center, wrote:
“While there have not been any reported attacks or malicious incidents involving this particular vulnerability confirmed at this time, it is still possible that malicious actors in cyberspace could exploit un-patched systems. That is why everyone has a role to play to ensuring our nation’s cybersecurity. We have been and continue to work closely with federal, state, local and private sector partners to determine any potential impacts and help implement mitigation strategies as necessary.”
What does it do?
The Heartbleed bug lets attackers abuse a feature called the “heartbeat extension”, which computers use to check whether the other end of a connection is still online. A malformed heartbeat signal can cause a server to answer with the contents of its memory, leaving no trace that anything was taken. That memory can hold sensitive data such as usernames, passwords and credit card numbers.
According to CNNMoney, tech companies have identified about two dozen networking devices affected by Heartbleed. This includes servers, routers, switches, phones and video cameras used by small and large businesses around the United States and Canada.
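The memory over-read described above, as an added example that is not part of the original post: a simplified heartbeat handler in C, with the trusting version beside the corrected one that checks the claimed payload length against the bytes actually received. The message layout, the buffer standing in for server memory and the neighbouring “secret” are all constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Vulnerable shape: trusts the length field inside the message and copies
 * that many bytes into the reply, so memory past the real payload is echoed. */
size_t heartbeat_reply_vulnerable(const unsigned char *msg, size_t msg_len,
                                  unsigned char *out, size_t out_cap) {
    size_t claimed = (size_t)((msg[1] << 8) | msg[2]);   /* 2-byte big-endian length */
    (void)msg_len;                        /* received length is never consulted */
    if (claimed + 3 > out_cap) return 0;
    out[0] = 0x02; out[1] = msg[1]; out[2] = msg[2];      /* 0x02 = heartbeat response */
    memcpy(out + 3, msg + 3, claimed);    /* over-read when claimed > received */
    return claimed + 3;
}

/* Hardened shape: the claimed length must fit within the bytes actually
 * received; a message that lies about its length is dropped (reply of 0). */
size_t heartbeat_reply_fixed(const unsigned char *msg, size_t msg_len,
                             unsigned char *out, size_t out_cap) {
    if (msg_len < 3) return 0;
    size_t claimed = (size_t)((msg[1] << 8) | msg[2]);
    if (claimed + 3 > msg_len || claimed + 3 > out_cap) return 0;
    out[0] = 0x02; out[1] = msg[1]; out[2] = msg[2];
    memcpy(out + 3, msg + 3, claimed);
    return claimed + 3;
}

/* Constructed scenario: a 5-byte heartbeat request (type, length, "hi") is
 * placed in a buffer directly before unrelated data left over from another
 * connection. honest=1 claims the real 2-byte length, honest=0 claims 64.
 * Returns -1 if the request was dropped, 1 if the reply carries the
 * neighbouring secret, 0 if the reply is a faithful echo of the payload. */
int heartbeat_outcome(int use_fixed, int honest) {
    static unsigned char server_memory[256];
    const unsigned char request[] = {0x01, 0x00, honest ? 0x02 : 0x40, 'h', 'i'};
    const char neighbour[] = "user=alice;password=hunter2;";   /* constructed secret */
    unsigned char reply[128];
    memset(server_memory, 0, sizeof server_memory);
    memcpy(server_memory, request, sizeof request);
    memcpy(server_memory + sizeof request, neighbour, sizeof neighbour);
    size_t n = use_fixed
        ? heartbeat_reply_fixed(server_memory, sizeof request, reply, sizeof reply)
        : heartbeat_reply_vulnerable(server_memory, sizeof request, reply, sizeof reply);
    if (n == 0) return -1;
    for (size_t i = 0; i + 7 <= n; i++)
        if (memcmp(reply + i, "hunter2", 7) == 0) return 1;
    return 0;
}
```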
What does this mean for the individual?
Reports state that the Heartbleed bug could have been hiding for the past 2 years, with the potential that someone could have tapped cell phone calls and voicemails, as well as emails and entire browsing sessions on your computer or iPhone. While changing the passwords on all of your accounts is a best practice and a good start to staying protected, there is more that you should consider.
What should you do?
Closely monitor all online accounts including email, social media, professional, personal, bank, billing and other accounts.
Contact your account providers and ask whether it is safe to change your password yet, so that you know you will not be affected again.
Don’t simply rely on companies contacting you to make you aware of Heartbleed. Contact all the companies you hold an account with (large and small businesses alike) to find out whether you were affected, and to confirm they are fixing whatever was affected on their side.
As more about the bug comes to light, stay up to date on the current state of the threat. One suggestion would be to carefully watch your financial statements over the next few days or weeks until you know that your information is safe. The earlier you find a problem, the better off you will be.
“After a website you are visiting has addressed the vulnerability, ensure that if it requires personal information such as login credentials or credit card information, it is secure with the HTTPS identifier in the address bar. Look out for the “s”, as it means secure.” (From the Homeland Security blog)
Furthermore, if you use Android version 4.1.1, you should avoid transactions on your devices. Recent reports show that as many as 50 million Android devices worldwide may be vulnerable to the Heartbleed bug, according to the Guardian. The Huffington Post reported that a Google spokesperson said less than 10 percent of devices run on the vulnerable Android operating system.
In conclusion, contact all account providers to ensure your security, keep updated on the threat and understand the role you play in your security.
April 09, 2014 by Eric Cates
60 Minutes Reported on Where your Personal Data is Really Going
Ever wondered where all of your personal information ends up at the end of the day? CBS recently reported on what are being called “Data Brokers”. It is a new way of marketing products to people, but it also looks like an invasion of personal privacy through computers and mobile phones. What we are seeing is an array of companies that collect data from your web browser, search history, social networks and phone applications, and that access this data by default.
This data includes your personal interests, political views and associations, sexual orientation, income, family history, previous medical conditions, even where you go out for dinner, just to name a few. These companies are taking your information and categorizing it for marketing purposes and selling it to organizations like our federal government and advertising companies that target you.
The reason for the new boom in this data collection is the belief that the data collected about a target market is more valuable than the actual product being sold. It seems logical. Of course, finding the right target market is extremely valuable if you have a product to sell, but at whose expense? It seems these “Data Broker” companies are hacking into your personal information and stealing it.
Who is taking our information?
Companies such as Acxiom and Epsilon are two big names in the data collection field. Both companies promote the idea that data and technology have transformed marketing, but they do not tell you exactly how they are “transforming the market”. Companies like these have over 1500 pieces of data on over 200 million Americans.
How are these “Data Brokers” crossing the line?
Millions of people download applications to their phones daily. An application as simple as a flashlight is now being used by data collection companies as a tracking device. Just by having the application on your cell phone they can now track your every move to find where you go on any given day. They gather your activity and categorize it and sell it.
During the 60 Minutes report they also referenced websites such as http://www.okcupid.com and www.take5solutions.com. Okcupid.com is a website designed for online dating that asks numerous personal questions about the user, which would seem to be the perfect cover for data collection. Take5solutions.com oversees 17 different websites, all designed for users to share personal information such as medical history and health. At any given time, dozens of data collection companies are tracking your every move online.
What can you do to prevent this?
Be aware of what you are posting on social networks. Never share personal information such as your children’s names, your date of birth, maiden name, and answers to your security questions (like the name of your first pet, etc). Also, be careful what you share in posts. The rule is if you wouldn’t want it posted in a magazine or newspaper, don’t post it on your social sites.
Research a website’s background before you use it. Never click through an email link to a website. Always enter the web address manually in a different window. When providing information on the web, make sure you read over the website’s security policy. Know what information they are sharing and what is private.
Be sure the website is legitimate and not set up only to collect your information. These phishing websites are disguised as legitimate websites, though they are there to gather your personal information. Sometimes they pose as your trusted banks or phone companies, or they can even pose as a new app that you think would be fun to have. Make sure you are on a legitimate site before ever creating an account.
Read the fine print. Again, it is important to understand the policies of the website, and this means reading the fine print that is normally overlooked. If you have questions about the policies, ask a contact on the site. If they do not get back to you, it’s probably not worth creating an account.
For more information on security best practices and employee education to keep your organization secure, check out our compliance training library here.
April 01, 2014 by Eric Cates
March Madness is here, and not everyone is interested in putting his or her bracketology knowledge to the test.
When March comes around every year, many people log into websites, mobile apps and email offers to place bets and start groups of competing brackets to see who will take home the prize for this year’s March Madness results. While this can all be in fun, it can also lead to information security breaches.
Whether it’s searching the web for live streaming video or for updated scores and news, this can mean business for the bad guys looking to compromise your system. For these scammers, March Madness means several weeks of opportunity to lure unsuspecting employees; plant malware on their companies’ networks, applications and databases; and steal valuable data.
This can happen in a few different ways, such as the following:
Compromising legitimate websites
Poisoning search engine results
Delivering phishing emails inviting people to click on malicious links
Many companies find this time of year a mixed blessing: office pools run among colleagues increase camaraderie and morale, but security awareness is key to keeping the experience a positive one.
Knowing what technology you are using is essential to detect, block and filter out malware before it reaches the end user. According to a recent study titled “Security Pressures Report” by Trustwave, which details the findings of a worldwide survey asking IT professionals about the pressures they face surrounding security, targeted malware topped the list of threats exerting pressure on IT professionals. To defend against this threat, programs such as a secure web gateway can help protect against malware and data loss.
AVG Technologies recently listed methods used to trick March Madness enthusiasts, as well as tips to stay protected:
Spamdexing – Designed to elevate fraudulent websites to the first page of search results. Cyber criminals manipulate search engines by using repeated phrases or optimizing a Web page around one topic to confuse visitors into downloading virus-infected brackets, encouraging them to register and collecting identity details in the process.
Phishing – Cyber criminals send out emails suggesting recipients register now to put in their playoff predictions; they deploy clever tactics to direct fans to places where they can steal personal details. They may even suggest using a Facebook login to register, giving them access to very valuable pieces of a person’s identity.
Tips to winning the security battle:
Go to a trusted source to enter your predictions or download printable brackets.
If someone is making you an online offer that seems too good to be true, the offer is likely a scam. Check the address of the website in question. If you do not recognize the brand or if it looks suspicious, leave immediately.
If you are unsure about an email, delete it.
Rather than clicking a link, manually type in the Web address of a site and navigate to the content you want to get.
For more information on security best practices for your organization, check out our security awareness and compliance library here.