Tag: phishing

23 Apr 2015

RSA 2015 Roundup

RSA’s annual security conference, San Francisco

Here are a few of the notable trends at this year’s conference:

1. Focus on Cybersecurity

From RSA Conference general manager Linda Gray: “This year, the spotlight has been on cybersecurity more than ever. From massive breaches to the announcement of President Obama’s new cybersecurity initiatives, the information security industry certainly has a lot to talk about. Over the course of the conference, we’ll be challenging the status quo of thoughts and procedures, and we will come up with new ways to secure our digital future.” Cybersecurity concerns have continued to grow, and it’s definitely the topic on everyone’s minds at RSA this year.

2. How much should threat intelligence cost?

New York Times Bits reports “grumblings that such intelligence [reports] should be offered for free.” Companies that provide intelligence about the hackers behind cyberattacks typically charge for their service. But some would argue that cybersecurity is in everyone’s best interest and this information should be as openly accessible as possible.

3. Phishing awareness training is working … but hackers are adapting

We’ve talked about the threat phishing attacks pose to your company in previous blogs, and recommended employee awareness training. A report released at RSA indicates that this kind of training has proven effective, but that it has been aimed primarily at executives and upper management. Hackers have retargeted their efforts towards lower-level employees, whose accounts can be just as dangerous to your business once compromised.

16 Apr 2015

Giving Your Personal Information to Hackers?

What about emails from within your organization?

We’ve covered being aware of phishing emails in a previous blog, but what about emails from within your organization? If hackers have taken over the email account of someone within your organization, or of someone you regularly communicate with, a phishing email sent from that account is hard to spot: it comes from a real sender, passes the usual “unknown sender” check, and can reference real conversations. This kind of attack is called “spear phishing”. It is far more targeted than a regular phishing email, and if it succeeds the hackers can gain access to sensitive information simply by asking for it.

It was revealed this week that the White House system breach first reported in October 2014 stems from this type of attack. As reported by CNN, “the White House intrusion began with a phishing email that was launched using a State Department email account that the hackers had taken over.” Both the State Department and White House cyberattacks are believed to be the work of Russian hackers. Although the White House network that was breached was reportedly unclassified, new information indicates the hackers were able to gain access to non-public details of President Obama’s schedule.

If you receive an email asking for sensitive information that you were not expecting, double-check with the person or organization through a channel other than the email itself (a phone call to a number you already know, or in person) that they actually sent the request. Be aware of workplace guidelines on who should have access to sensitive information; a few minutes of investigation could save you from a major cyber attack.

By Jacob Ginsberg, Senior Director of Products, Echoworx

12 Mar 2015

4 Fraud Prevention Tips for Businesses

Prevent your business from fraud

There are many resources available for consumers wanting to protect themselves from fraud, and much of the advice is straightforward: don’t open emails from unknown senders, monitor your credit card statements, and so on. But what about businesses? Here are four tips to help you prevent your business from becoming a victim of fraud.


1. Consumers aren’t the only phishing targets

Legitimate-looking emails or phone calls may be a phishing tactic in disguise, and your business makes an attractive target for fraudsters. More importantly, phishing emails capitalize on human error to compromise your data, making every employee in your business a possible point of entry. A recent Verizon report shows that 18% of people click on suspicious links. Such links typically ask the recipient to reset or verify account information, handing the hackers access to whatever that employee has access to. Make sure your employees are aware of these tactics and stick with internal processes, such as contacting IT about account information, instead of entering their credentials on external websites. If you receive a message from your bank, healthcare or insurance provider, contact them directly rather than clicking on links in the email.
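The “verify your account” links that the paragraph above warns about usually give themselves away in ways a machine can check before a person is tempted to click: the visible link text shows one host while the href points at another, the real host merely contains a trusted brand name as one of its labels, or the host is simply not one the business expects account notices from. The following is an added example written for this post, not code from Echoworx or the original article; the allowlist of trusted hosts and the sample email body are constructed for the example.

```python
"""Flag suspicious links in an HTML email body (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this business expects account-related links from.
TRUSTED_HOSTS = {"intranet.example.com", "bank.example-bank.com"}

# Constructed sample email: one lookalike link, one legitimate link, one unknown tracker.
SAMPLE_EMAIL = """
<p>Your account will be suspended. Please verify your details at
<a href="http://bank.example-bank.com.account-verify.net/login">bank.example-bank.com</a>.</p>
<p>Or reset your password here:
<a href="https://intranet.example.com/reset">https://intranet.example.com/reset</a></p>
<p><a href="http://tracker.mailer-service.net/u">unsubscribe</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lowercase host of a URL, or of bare text such as 'bank.example.com/path'."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable(host):
    """Crude last-two-labels approximation of the registrable domain (no public suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def masquerades_as(host, brand):
    """True if `brand` appears as a label sequence inside host but is not its real suffix."""
    padded = "." + host + "."
    return ("." + brand + ".") in padded and not host.endswith(brand)


def check_links(html_body, trusted_hosts=TRUSTED_HOSTS):
    """Return [(href, [reasons])] for every link that fails at least one check."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        actual = host_of(href)
        reasons = []
        # Only treat the link text as a host if it looks like one (no spaces, has a dot).
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and registrable(shown) != registrable(actual):
            reasons.append(f"text shows {shown} but link goes to {actual}")
        for trusted in trusted_hosts:
            brand = registrable(trusted)
            if masquerades_as(actual, brand):
                reasons.append(f"contains {brand} but registrable domain is {registrable(actual)}")
        if actual not in trusted_hosts:
            reasons.append("host not on allowlist")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("  -", r)
```

The allowlist check is the strongest of the three: a link that is not on it deserves the “contact them directly” treatment regardless of how it looks. The registrable-domain helper is deliberately simple; a real deployment would use the public suffix list so that hosts like `bank.co.uk` are handled correctly.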

2. Don’t send sensitive data in email unless it is encrypted

You may have successfully avoided giving away your data through a phishing email, but what about over legitimate email? You control this information within your organization, but once it leaves your inbox, are you sure who is accessing it? Human error on either your end or the recipient’s could expose sensitive information contained in emails to hackers. Email is still the main way businesses communicate with both customers and each other, so your business needs an email encryption solution to keep accounting information, SSNs and other private data encrypted in transit and at rest in mailboxes.

3. Set a strong password policy for employees

You probably have at least one work-related password. When was the last time you changed it? Do you use the same password for another service that may have been hacked? How many characters is it, and does it include your birthdate, the name of a loved one, or your hometown? If so, your password is probably easy to guess through social engineering, or could be cracked by other means. Make sure to choose a strong password, and enforce a password policy that requires your employees to do so as well. Check out one of our previous posts for password security tips.
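The checks the paragraph above describes (length, no personal details such as a birthdate or hometown, and no reuse of a password already exposed by a breach elsewhere) can be enforced at the point where an employee sets the password rather than left to memory. Below is an added example, not code from the original post or from Echoworx: the breach list is checked by SHA-1 hash, the form in which breached-password corpora are commonly distributed, and both the short stand-in corpus and the sample employee profile are constructed for the example.

```python
"""Password policy check for an employee account (added example, constructed data)."""
import hashlib
import re
from datetime import date

MIN_LENGTH = 12

# Constructed stand-in for a breached-password corpus (SHA-1, uppercase hex).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1", "qwerty123", "letmein", "Summer2015!")
}

# Constructed sample profile of the employee setting the password.
SAMPLE_PROFILE = dict(first="Alice", last="Nguyen", birthdate=date(1985, 3, 12), hometown="Springfield")


def _personal_tokens(first, last, birthdate, hometown):
    """Lowercase strings that should not appear inside the password."""
    tokens = {first, last, hometown}
    # Common ways people write their birthdate into a password.
    tokens |= {birthdate.strftime(f) for f in ("%Y", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y")}
    # Multi-word names or hometowns: each word of three or more letters counts too.
    tokens |= {w for w in re.split(r"\W+", f"{first} {last} {hometown}") if len(w) >= 3}
    return {t.lower() for t in tokens if t}


def _char_classes(pw):
    """Number of character classes (lower, upper, digit, other) present."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def check_password(password, *, first, last, birthdate, hometown, breached=BREACHED_SHA1):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _char_classes(password) < 3:
        problems.append("uses fewer than three character classes")
    lowered = password.lower()
    hits = sorted(t for t in _personal_tokens(first, last, birthdate, hometown) if t in lowered)
    if hits:
        problems.append("contains personal details: " + ", ".join(hits))
    # Compare hashes so the plaintext corpus never has to be kept on the server.
    if hashlib.sha1(password.encode()).hexdigest().upper() in breached:
        problems.append("appears in a known breach list")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1", "Springfield1985!", "correct-horse-battery-staple-42"):
        print(candidate, "->", check_password(candidate, **SAMPLE_PROFILE) or "ok")
```

The breach-list check is what catches the “same password on a service that was hacked” case the post raises: a password that has already leaked is guessable no matter how long it is, so screening new passwords against known-breached hashes does more than a rule about symbols ever will.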

4. Have a security plan for mobile devices

Smartphones are everywhere, including in your business. Employees who use their devices for work, even just for email, put your data at risk if their device is lost or stolen. Your business should have guidelines for mobile usage in your workplace and a security plan for when losses happen. Read our post “Does Your Mobile Security Plan Measure Up?” for more information.

The size of your business no longer determines how vulnerable you are to cyberattack or data loss; security is every business’s responsibility. How do you prevent fraud in your business? Share your own tips in the comments below.


08 Oct 2014

JP Morgan Chase Security Breach

Personal information of 83 million, exposed

I suppose everyone has heard of the JP Morgan Chase security breach by now, but I think there are some key points that are lost in this story. Before I get too far into this, it needs to be said that this investigation is still under wraps, so nothing is known for sure at this point. However, information sources like the New York Times have reported on this story and in the past they have been known to be a reliable source for matters such as this.

First, the scope: this is one of the largest security breaches ever. The personal information of 83 million households and small businesses was exposed. For a basis of comparison, the last major breach, at Home Depot less than a month ago, affected 56 million.

It gets worse: the hackers took inventory of what was installed on the servers they had full admin/root access to. What does this mean? It means they were not script kiddies who blundered into a gold mine. The attackers, operating from Russian IP addresses, were very methodical. They went through the complete list of programs and web applications looking for unpatched vulnerabilities, obtained full root access on twelve servers, and from there reached another ninety machines. That inventory can be sold or used by the hackers to get back into those servers later, since it tells them exactly which unpatched software to target.

Still worse: JP Morgan Chase knew about this in June and did not report it until now. It did not have to, because it cannot be proven that one cent was fraudulently transferred, at least not yet.

Perhaps the worst yet is the fact that nine more major banks were also compromised and are yet to be named. If these breaches are as significant as the JP Morgan Chase one and you add them up, this may become THE largest data breach of all time.

The only good news in this story is that, unlike the Home Depot breach, passwords and credit card numbers were not stolen. The only data obtained was the fact that these are JP Morgan Chase clients, along with their names, addresses and phone numbers. What this means is that money can’t be stolen without client involvement.

The real takeaway here, which has been stated before, is to never act on online or phone banking requests you did not initiate: if the bank needs to reach you, hang up or close the email and contact the bank yourself through a number or address you already have. With the data that was stolen, a malicious hacker can call or email a client, already knowing their name, address, phone number and where they bank, and use social engineering or a phishing email to extract the confidential information needed to access the account.