Interesting and important security stories
and tips to be shared.
Feature Story:
 
An old friend, but a new threat
We all tend to know that email message attachments can be dangerous. There are many file types and associated icons we should actually be careful with. (There's a link below that has a good list of ones to watch out for). But there's a new technique used by attackers to launch ransomware, which leverages a particular type of file that makes it easy for them to install their own software on your computer.
 

Are you sure you know who's sending those invitations?

By now, you might think that employees are able to distinguish between legitimate LinkedIn connection requests and those from people using faked profiles. Unfortunately, recent statistics show that this doesn't seem to be the case. Is it just wishful thinking that a CEO might want to connect with you? Or is collecting social media connections still an ego-driven habit?

What info could somebody charge you for to keep it private?


 
In one sense, it's hard to believe it's taken so long for identity theft to get to this point. At least, up until now, most of us believed that personal information gathered in its raw form would probably be sold in underground black markets and then exploited for financial gain such as opening and accessing large lines of credit in the victim's name.

But it has always seemed that the vast majority of incidents simply required people to replace their credit cards. Now, thanks to the anonymous web-currency, Bitcoin, it's much easier for identity thieves to launch a simple extortion attack, which is more profitable for them, and probably more costly for you when you're the victim.


It's amazing what you can get a customer service rep to do for you, even if you're not you...

If you think companies you trust have good security practices for authenticating their customers in phone support calls, you may be right. But the security of call-centre support processes is becoming a serious issue. Every call-centre rep is human, and humans respond to emotional situations in different ways. This is what many attackers are learning to exploit.



Many organizations are now starting to do internal employee phishing assessments to determine how vulnerable their team is to targeted phishing attacks. This is because phishing is one of the primary ways that ransomware makes its way into corporate networks - through emails targeted at employees who click on links or attachments. Your IT Security team can assess your organization's vulnerability in this area by simulating attack emails, but with harmless links or attachments that can provide feedback to IT Security.

But when your IT Security team undertakes an employee phishing assessment initiative, there are many subtle decisions that must be made that can have an impact not only on the validity of the results, but on employee morale and trust. So, I'm creating a list of dangerous pitfalls to be avoided when implementing an employee phishing assessment program. Not fully considering the employees' responses to these emails is probably the easiest landmine to step on, which can cause serious employee backlash and put the program in jeopardy. Here's the problem and the solution.

Terminology:

Insider Threats


Insider threats are usually considered to be from individuals with internal access to a business who might have a reason to cause damage to the organization, its employees, customers or partners. There are a lot of reasons why insiders might act against the organization, including:
  • Disagreements with the employer or a co-worker
  • Addictions leading to feelings of desperation
  • Extortion or blackmail based on the threat of exposure of personal information, actions or history
  • Feelings of being treated unfairly by the organization or individuals
  • Personal greed
  • Fear of being fired
  • Delusions or mental illness

For example, a few years ago a system administrator at the City of San Francisco disabled access to a large part of the city's computer network configuration by anyone but himself, because he apparently believed he was the only one who knew how to properly administer it. While the network was still usable, nobody else could change it. When asked for the passwords by authorities, he refused, and was then arrested. Here's more on this somewhat bizarre, but very plausible story.

 

Sometimes there are very few indicators that an employee is about to cause an incident or act in a way that could damage the organization. This is an area I'm starting to get very interested in, so if you have any thoughts, or know anyone who has an interesting situation worth exploring in terms of managing risks from insider threats - on both the human and technical sides - please let me know. 

 
Scott's Update

Ransomware is definitely one of the biggest cyber-threats to businesses these days. So, I'm spending a lot of time talking with associates and prospects about how to prepare teams and assess their level of vulnerability.

I'm also starting to look at something called "cyber-continuity", which is really a new way of looking at the old problem of "business-continuity". There are so many ways that cyber-threats now represent major disruptions to business operations that we have to step back and re-evaluate how we plan for outages, and how to properly respond to them. There can be many stakeholders of a business affected by cyber-security incidents. So, it's important not to gloss over the risks to business continuity from cyber-incidents.

Finally, please share this newsletter issue using the social icons at the top of the page. I would also appreciate it if you could forward this to anyone you think might appreciate the stories, and suggest that they subscribe. You can always subscribe by clicking HERE.

Sincerely,

Scott Wright
The Streetwise Security Coach

P.S. You should be able to find all of the above articles on my Security Views Blog.


Invite Scott Wright to jump-start your security awareness program, live in your office!

If you've been meaning to launch a security awareness program, but haven't had the time to organize it, there's an easy way to get started, TODAY!

For as little as $1,500*, you can host a live  security awareness session on-site, featuring Scott Wright.

* includes a half-day of presentation and/or consultation, travel and living not included. Limited time, pricing may change in future.
