Category Archives: Managed Services

Strengthening the Weakest Link – The Ultimate Spear Phishing Defense

Not convinced your employees need the training?

Late in 2012 Trend Micro reported that 91% of targeted online attacks involved spear phishing, making this the most favored type of APT (Advanced Persistent Threat) attack. When spear phishing, attackers make use of information about prospective victims to increase their credibility, and the likelihood that recipients will “bite” (click a URL) in an e-mail or social media post. That’s why spear phishing attacks yield a 70% open rate because people extend trust to the putative source, if not to the actual attacker. Because of the portability and ease of spear phishing, its popularity will only continue to grow. Traditional methods don’t stop spear phishing because individual employees and customers open the doors to attackers. In these circumstances, the employee/victim becomes the weak link in IT security.

Today’s employees need next-generation security awareness training on a regular basis to keep them informed and your network protected.

“A staggering 91 percent of targeted attacks begin with a spear phishing email”

 

Introduction

Spear phishing is a CSO’s worst nightmare because it is the most di cult attack to protect against. The use of targeted social engineering, practically undetectable malware and zero-day exploits are just some of the reasons why this is so. Clever hackers use legitimate-looking emails from organizations like the IRS, local banks, or Internet portals, targeted directly at CEO’s and other executives and employees.

One such incident occurred in 2012 when business executives received personalized emails informing them that their company was under investigation for criminal fraud. The email looked like a legitimate email from the IRS, and the link in that email directed the recipient to a website that looked exactly like an IRS webpage. But when the target clicked on a link, a Trojan was loaded into their computer which would steal everything interactive in the person’s email account before it could be securely encrypted. The result of such attacks is that customers are 42% less likely to do business with a company that has fallen victim to spear phishing and a resulting data breach. Even worse, phishing costs brands and corporations more than 98 billion dollars a year.

A Sorry Security Situation

CSOs are responsible for a company’s entire security. As such they oversee network security and are the first person everyone turns to whenever there is a breach. People expect CSOs to protect the company and prevent such breaches, but spear phishing makes even a CSO more likely to be blindsided. Once a breach occurs it is up to CSOs to act quickly and protect the company before any damage is done. Hackers count on this and act quickly to get every ounce of information they can before a breach is closed. Those who don’t understand how spear phishing works may blame the CSO or the security software in use. However, even the best CSO and best security software on the planet can’t stop an intelligent and motivated hacker.

If CSOs are to do their jobs well, then not only must they have the best security hardware and software, they also need the support of well-educated staff, and the ability to test their staff and find any weak links in need of strengthening. With all possible ‘defense-in-depth’ components properly in place, an organization becomes a very hard target, causing hackers to move on to pursue easier game.

The Missing Link

Several missing components can prevent employees from unwittingly opening the door to hackers:

How do you make sure your employees are getting the best education?

How do you make sure after your employees are educated that they don’t make security mistakes anyway?

If you could find out if they might be vulnerable to spear phishing, how can you enlighten them?

If existing methods for educating employees were effective, then spear phishing wouldn’t remain problematic for so many companies. Thus, it is obvious that a different approach is called for.

Hackers aren’t just looking to get at a company’s financial records and information. They are also after source code and intellectual property. In fact, they are literally trying to steal the future of your company. Years of work in your R & D department could end up in the hands of a Chinese competitor thanks to a single click of a mouse from an untrained employee.

Spearphishing has become so endemic in corporate and government networks that there is a joint government operation in effect to counteract it. Per the FBI: “Instead of casting out thousands of e-mails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common—they work at the same company, bank at the same financial institution, attend the same college, [or] order merchandise from the same website. The e-mails are ostensibly sent from organizations or individuals the potential victims would normally get e-mails from, making them even more deceptive…

Law enforcement takes this kind of crime seriously, and we in the FBI work cyber investigations with our partners, including the U.S. Secret Service and investigative agencies within the Department of Defense.”

During a recent Microsoft TechEd conference, held in June 2012, Proofpoint surveyed 339 IT professionals about their concerns regarding targeted phishing attacks and enterprise data loss risks. Half of all respondents (51%) believed that their organization were targeted by a phishing email in the past year designed specially to compromise their users.

Dramatic examples of recent spear phishing attacks include:

The White House – China-based hackers breached a network used by the White House Military Office. According to their website, this office provides military support for White House functions, including food service, presidential transportation, medical support and hospitality services. There is no clear report on what the hackers were trying to access. An Obama administration national security official simply said: “This was a spearphishing attack against an unclassified network.”

Google, Inc. – A US official says that the same group that attacked the White House also broke into Google. Among those targeted were people who work at the White House. It is presumed that they were hoping these people would discuss secure information or conduct administrative business using their personal Gmail accounts.

South Carolina Department of Revenue – According to an official report, “A malicious email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password.” These attackers then gained access to “millions of Social Security numbers, bank account information and thousands of credit and debit card numbers” SearchSecurity’s coverage notes that, “In addition to the 3.8 million people whose data were exposed, the breach included information on 1.9 million dependents. It also included data on 699,900 businesses. Information on 3.3 million bank accounts were also stolen.”

The New York Times – The same China-based hackers who have wreaked havoc on the White House, Google, and others have been named as the responsible parties for this breach, too. In this particular case, the newspaper blames Symantec’s antivirus software for not foiling a malware installation.

Attacks against Google, Adobe and at least a dozen other advanced persistent threats (APT) that have been publicly documented have been initiated at least in part through targeted spear phishing emails. By itself, software alone is not a completely effective defense.

SC Magazine reports:

“Researchers have noted an increase in spear phishing targeting numerous industries, primarily in the United States, where malware evades detection by hiding inside Windows help (HLP) files attached to emails. The HLP files are embedded in attachments that appear to users to be ZIP files. Once the ZIP files are opened, however, one of several backdoors will be downloaded, allowing an attacker to carry out a range of feats – from changing users’ passwords to logging keystrokes to capturing screenshots or a number of other information-stealing tactics sent from the command-and-control server.”

Strengthening the Weakest Link

There is an important conclusion to be drawn from all this recent news. Security products continue to become more advanced and sophisticated, and that will certainly help. But to cope with the current situation and future attacks, end-users must be educated and informed. The more knowledge they possess, and the better informed those users are about attacks, the less likely they are to fall prey to scammers, online or off.

We are also starting to see an increase of social engineering over the phone. Hapless users are being called on behalf of ‘Microsoft’ or well-known security software companies and directed to allow access to their computers. Educated end-users do not fall prey to such scams.

But how do you train jaded users? Users who think they know everything. Users who have heard it all and are more sophisticated than average users. It’s not good enough that the trainer is a highly regarded security expert. You need that training to come from someone who understands hacker culture and how hackers think.

Contact us to learn how you can protect yourself from these types of phishing scams. Call 920-885-0141.

Your Bank Emails

Your bank emailed you…  or did they?

What does an email from a cybercriminal look like compared to your bank?  For example, Bank of America…

The email above LOOKS so authentic…

What is RIGHT?

– Bank of America logo looks real.

– Color and style of email is similar to Bank of America’s customer emails.

– Return email address is one of those used by Bank of America.

– Website appears to be a Bank of America website.

What is WRONG?  (You need to watch for this information.)

– The formatting of the email is not correct.

– The typeface of the P.S. is different.

– The signature is BOA Member Services Team, which is not used today.

– The copyright is BOA LLC, not Bank of America.

The more sophisticated thieves direct you to a website that looks like your bank.  See the example below.  Do you know how to recognize it is a hoax designed to capture some of your private information?

One way / ANSWER:  ALWAYS look at the domain name address.  Make certain you are confident it is correct.  If it appears to be suspicious, then do not proceed.

All of the other aspects explained below about email phishing also apply to a website.  These are relatively simple ways to confirm what you click on is safe.

In general, phishing emails include:

Ways to identify phishing and spoofing emails include:

1. Links that appear to be from your bank… but are NOT – Test any link by placing your cursor it, but do not click.  Your email program should display the destination URL.  Does it match the correct web address to your bank?  If not, you can search past emails you have to see if it is another domain name used by your bank.

2. Urgent requests – Banks do not threaten to close your account if you fail to respond to an email.

3. Warnings about system and security updates – Banks may inform you of pending system upgrades and/or security updates, but they do not require any personal information from you to complete these changes.

4. Requests for personal information – No reputable bank ever asks or demands that you reply via email with your personal information, such as your driver’s license #, Social Security #, ATM or credit card #, PIN #…

5. Do NOT fall for “the deal” – Banks are not hucksters.  They do not push you to ask you to do something and in return you get a huge payoff.  They do not pay you to complete surveys.  They do not ask you to do anything that requires you to enter your account number, PIN…

6. Obvious typos, grammar, and formatting errors – As mentioned above, although cyber thieves are smart they still seem to make mistakes in their email requests.  However, be warned:  Today, the mistakes they make are rare.  The phishing emails and websites now online posing as your bank can be very convincing.  You may have to choose safety over timeliness.

7. Someone once said, “Assumptions are the mother of all mistakes.” Do not assume your computers, mobile devices, and networks are secure from phishing, ransomware, and other cyber theft attempts.  Confirm

Business Needs:  If you are concerned about these risks for your business or nonprofit, then don’t wait.  Contact Inter-Quest online or call (608) 571-3071 to schedule a conversation with Lisa Fichter, one of our Senior Problem Solvers.  She can schedule a free, no obligation conversation about your situation.  She can help you assess your risk, and for a limited time, even provide a free network security assessment if you like.

Personal Needs:  As an individual concerned about an email you received you visit, a good approach is to call your bank to confirm if they sent the email or directed you to a website.

THE GOOD NEWS

You can avoid most phishing scams and other hacker attacks, including ransomware.  The only solution is to fully protect every computer, mobile device, and network of your organization with the latest anti-virus, firewall, and other applicable security tool.

The most cost effective way to do this is to have your systems kept secure daily by a professional I.T. security firm, such as Inter-Quest, highly qualified, diverse, 20-year-old I.T. services team with offices in Beaver Dam and Madison, Wisconsin.  Their team of computer experts provide IT security and managed services to businesses, government, and nonprofits.

Contact Inter-Quest online or call (608) 571-3071 to schedule a conversation with Lisa Fichter to confirm your employees and sensitive company data are safe from cyber criminals.

Anti Virus Myths Debunked

Top 5 Antivirus Myths Debunked

Top Five Myths about Antivirus Software

Antivirus is software that every computer user should have on their computer regardless of the computing platform. However, for some reasons, this becomes hard to wrap the mind around due to some myths and untrue information about the antivirus software. This makes some users afraid of installing the software on their machines. The most common myths include;

You will only visit safe websites

This is among the main excuses that people use to avoid antivirus software. However, the truth is that there is no safe site and there is no website that is 100 percent secure and not prone to potential threats. In fact, most of the most secure sites have become prey to viruses and hackers.

The attackers are working around the clock looking for means to exploit and improve their techniques so that they can match the security level. With this said you should not consider ruling out the idea of having antivirus for your computer as you are aware that no website can be termed as entirely safe.

Antivirus will slow down your machine

This idea has misled a lot of people who believe that security solutions like antivirus can slow down their computer. Although there is some truth in the argument, the fact is that antivirus can only slow down a computer if it does not meet the system requirements for it to run smoothly. Moreover, this happens if many scans are running concurrently or if you have installed more than one antivirus program or if there are too many activities happening simultaneously which leads to an overlap which slows down your computer. With the advanced encryption, an antivirus program should not cause any changes in the speed of the system.

You do not need a Mac protection

The Mac owners think that they do not need antivirus protection and that they are safe. However, the truth is that they need the protection as much as the window users do. No system is completely safe, and they are all prone to security threats.

Hackers are not interested in your system

Some people feel like their machines are not carrying any information that can draw the attention of hackers, but what they fail to understand is that as long as they are using the Internet, any information is useful to hackers. Thus no one should ignore their computer’s security.

You do not need to use the Internet

Some people tend to think that they will not log into any systems thus they are not at risk. But what would be the use of having a computer if you are not going to use the Internet from time to time? Time will come when you will not have a choice, and for this, it is better to be safe always.

You need to invest in getting quality antivirus software due to many reasons which include:

    You can never predict when virus will attack your PC

    Once the damage is done, it may cost you a lot to repair. Thus it is wise to avoid the future repair costs

    Protecting personal data

    Protecting others

Just like in everything else, there is a lot of false information about antivirus software, and it is essential to be knowledgeable about it no matter how convincing it may sound.

a photo of a female teachar and students in a classroom

7 Smart Uses for Digital Signage in Higher Education

Digital signage is being used in higher education in different ways. The students are constantly looking for rich media to help them interact and university staff and administration have acknowledged it.

The number of higher education institutions using digital signage has increased as it is implemented to serve students and staff in a better and more efficient manner as explained. The following are the seven smart digital signage:

Changing the menu

Restaurants and food kiosks are now using electronic menus, and the practice has been adopted by lunchrooms at different campuses. Since new foods are constantly being developed, it is important to keep people informed of these changes.

Using digital menus makes it easier to inform people of changes in the menu and prices. They can also contain enticing videos to make the students interested in trying the meal. The staff also has an easier time managing the queues and food and the wait time is reduced.

Change of classes

In the past students would get notified of class changes through a sticker on the door. Digital signage solutions ensure students get alerts on their phones saving them the time it would take to get to the campus only to get turned back.
Closed buildings

Accidents happen, and there might be an issue with a building rendering it unusable for a while. Students and staff benefit from digital signage in two ways.

They can be advised using the mobile system and signs.
Students get to know where their class has relocated to and if there are any changes regarding the session.

Wayfinding

Digital signage makes it easier for students and staff to find key areas before they get used to the campus grounds. It is beneficial especially for first-timers who are bound to get lost in the first few days.

Wayfinding is also useful in informing staff and students if there are some campus parts under construction.

Better sense of a community

Digital signage creates a sense of community by encouraging the sharing of information relating to events like birthdays, sports events and others that are done by groups. There are also bios of players in sports events together with their picture. It makes it easier for other students to cheer the players and identify them by name. It creates a better sense of pride in the school.
Emergency alerts

Tragedy strikes at any time but the first few seconds are important in determining how the situation will be handled. Some emergencies might be relating to security that is considered a big concern for the school. In the case of any emergency, there are buttons or levers on different parts of the school that can be used to initiate lockdown protocols.

The use of emergency message signage keeps people aware of the situation and what to do to enforce their safety within the campus. Students who are not yet on campus can be advised not to go to the campus. The police can also get informed on the intruder for them to take the necessary steps.
Improved library circulation

Not many people visit the library. However, with digital signage, attendance has increased, and more people have been utilizing library resources. Students and staff have also been informed of campus events they can attend and staff has been introduced using the technology.

Digital signage has made life easier by improving communication among staff and students and also integrating different parts of the campus.