In this issue:
In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.
- Protecting Yourself from Ransomware
- Password Security
- Tackling the Phishing Epidemic
- Phish Tale of the Week
- How can Netizen Help?
Protecting Yourself from Ransomware
Ransomware cost the world more than $5 billion in 2017 and is predicted to cost more than $8 billion in 2018. Previously ransomware was more indiscriminate, and many average people suffered from the effects. However, after 2014, malicious actors began to employ ransomware in a more targeted way, increasingly focusing on businesses and governments.
Just this past spring, the city of Atlanta, Erie County Medical Center in Buffalo, NY and the Colorado DOT were hit by ransomware and the total cost, which includes rebuilding IT infrastructure, was nearly $30 million. This underscores the importance of good security policies and practices to prevent these attacks from happening in the first place.
- Cyber Hygiene & User Training
- Cyber hygiene starts with enforcing proper password policies, which include regular password changes, ample minimum length and special characters.
- Public facing servers must have passwords.
- Phishing training is a must to ensure employees don’t click on suspicious links in emails or download files.
- Best Practices
- Keeping all machines used within your organization current with patches and updates is critical.
- Using appropriately configured firewalls with unnecessary ports blocked.
- Ensuring your IT professionals that set up your systems are either also trained in best security practices or have very good communication with your security team.
- Testing Disaster Recovery Plans
- Simply implementing Disaster Recovery plans is not enough. They must be tested in training scenarios.
- Using cloud infrastructure for backups helps add layers of recoverability.
- Never use personal information; like names, addresses, phone numbers or birthdays.
- Do not use a single real word. Also, intersperse special characters within your password.
- Make your password long. A minimum of 10 characters, recommended that they be 16 or more.
- Never use the same password on more than one site. If one site becomes compromised and that password is revealed it will be tested on other sites.
- Use a password generator like 1Pass, KeePass or LastPass. They can generate a completely random password of any length for you and remember them for each site you use them on.
- If a password generator isn’t an option for you, in order to help with password memorability, put 4 or more random common words of 4+ characters together; like “correcthorsebatt$erystaple”
- Never write your password down on a sticky note which you then keep on or around your workspace.
- For your most important assets, use two-factor authentication. If possible, use an authenticator app or a physical USB token.
Tackling the Phishing Epidemic
What makes phishing so effective is that it goes after the weakest link in any given company’s security: the human being. Even when employees receive training concerning phishing, cyber criminals are using increasingly advanced tools that make phishing emails look more convincing as time passes.
Many people are becoming complacent about phishing due to the number of consistent warnings, which makes the situation more dangerous. The criminals behind phishing attacks are steadily getting more convincing with their methods, so it is important to remember to be suspicious of emails you aren’t expecting that are asking you to click on a link or download something.
Cybercriminals are making their phishing attacks more focused, targeting organizations with large amounts of consumer data and are stealing the organization’s credentials to further their nefarious activities.
Despite all this, there are several things you can do to mitigate the risk as best as possible:
- Use multi-factor authentication, neutering the power a criminal has if they do manage to get a username and password.
- Train the staff. Make sure they are informed how to recognize phishing and have phishing drills to test your peoples’ awareness.
- Use a reputable email scanner.
Phish Tale of the Week
Netizen captures many phishes each month, which we feature here. This week we haven’t found anything new or unique to share. Remember these tips to stay safe:
A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.
- Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
- Verify that the sender is actually from the company sending the message.
- Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
- Do not give out personal or company information.
- Review both signature and salutation.
- Do not click on attachments.
- Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
- Be wary of poor spelling, grammar, and formatting. As can be seen with the with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.
Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management) certified company.