Is poor cyber hygiene crippling your security program?

Cybercriminals are targeting vulnerabilities created by the pandemic-driven worldwide transition to remote work, according to Secureworks.


The report is based on hundreds of incidents the company’s IR team has responded to since the start of the pandemic.

Threat level is unchanged

While initial news reports predicted a sharp uptick in cyber threats after the pandemic took hold, data on confirmed security incidents and genuine threats to customers show the threat level is largely unchanged. Instead, major changes in organizational and IT infrastructure to support remote work created new vulnerabilities for threat actors to exploit.

The sudden switch to remote work and increased use of cloud services and personal devices significantly expanded the attack surface for many organizations. Facing an urgent need for business continuity, many companies did not have time to put all the necessary protocols, processes and controls in place, making it difficult for security teams to respond to incidents.

Threat actors, including nation-states and financially motivated cybercriminals, are exploiting these gaps with malware, phishing and other social engineering tactics to take advantage of victims for their own gain. One in four attacks is now ransomware related, up from one in ten in 2018, and new COVID-19 phishing lures include stimulus check fraud.

Additionally, healthcare, pharmaceutical and government organizations and information related to vaccines and pandemic response are attack targets.

The issue with dispersed workforces

Barry Hensley, Chief Threat Intelligence Officer, Secureworks said: “Against a continuing threat of enterprise-wide disruption from ransomware, business email compromise and nation-state intrusions, security teams have faced growing challenges including increasingly dispersed workforces, issues arising from the rapid implementation of remote working with insufficient consideration to security implications, and the inevitable reduced focus on security from businesses adjusting to a changing world.”

ATM cash-out: A rising threat requiring urgent attention

The PCI Security Standards Council (PCI SSC) and the ATM Industry Association (ATMIA) issued a joint bulletin to highlight an increasing threat that requires urgent awareness and attention.


What is the threat?

An ATM cash-out attack is an elaborate, choreographed operation in which criminals breach a bank or payment card processor, tamper with its fraud detection controls and alter customer accounts so that withdrawals are no longer limited, then drain cash from numerous ATMs in a short period of time.

Criminals often manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

How do ATM cash-out attacks work?

An ATM cash-out attack requires careful planning and execution. Typically the criminal enterprise gains remote access to the card management system and alters fraud prevention controls such as withdrawal limits or the PINs of compromised cardholder accounts. Access is commonly obtained by planting malware in a financial institution’s or payment processor’s systems through phishing or other social engineering.

The criminal enterprise then can create new accounts or use compromised existing accounts and/or distribute compromised debit/credit cards to a group of people who make withdrawals at ATMs in a coordinated manner.

With control of the card management system, criminals can manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

These attacks usually do not exploit vulnerabilities in the ATM itself. The ATM is simply where the cash is withdrawn after vulnerabilities in the card issuer’s authorization system have been exploited.

Who is most at risk?

Financial institutions and payment processors are most at financial risk and the likeliest targets of these large-scale, coordinated attacks. They stand to lose millions of dollars in a very short time and can have exposure in multiple regions around the world as a result of a single highly organized, well-orchestrated criminal operation.

What are some detection best practices?

  • Velocity monitoring of underlying accounts and volume
  • 24/7 monitoring capabilities, including file integrity monitoring (FIM)
  • Reporting system that sounds the alarm immediately when suspicious activity is identified
  • Development and practice of an incident response management system
  • Check for unexpected traffic sources (e.g. IP addresses)
  • Look for unauthorized execution of network tools.

What are some prevention best practices?

  • Strong access controls to your systems and identification of third-party risks
  • Employee monitoring systems to guard against an “inside job”
  • Continuous phishing training for employees
  • Multi-factor authentication
  • Strong password management
  • Require layers of authentication/approval for remote changes to account balances and transaction limits
  • Implementation of required security patches in a timely manner (ASAP)
  • Regular penetration testing
  • Frequent reviews of access control mechanisms and access privileges
  • Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
  • Installation of file integrity monitoring software that can also serve as a detection mechanism
  • Strict adherence to the entire PCI DSS.
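The two lists above name velocity monitoring as a detection control and layered approval for remote limit changes as a preventive one. The following added example (not code from the PCI SSC/ATMIA bulletin) shows what both look like when run over two constructed logs: a card management audit trail of limit changes and an ATM switch withdrawal stream. The thresholds, field layouts, card numbers, ATM IDs and approver names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not from any real incident). Timestamps are ISO 8601.
# Card management system audit trail: (timestamp, card, old_limit, new_limit, approvers)
LIMIT_CHANGES = [
    ("2020-09-11T15:10:00", "4111-0009", 500, 1500, ["ops.alice", "ops.bob"]),  # dual-approved, modest
    ("2020-09-12T01:02:00", "4111-0001", 500, 50000, ["svc_batch"]),            # one identity, 100x raise
    ("2020-09-12T01:02:30", "4111-0002", 500, 50000, ["svc_batch"]),
]

# ATM switch transaction log: (timestamp, card, atm_id, amount)
WITHDRAWALS = [
    ("2020-09-12T02:00:00", "4111-0001", "ATM-NYC-01", 5000),
    ("2020-09-12T02:00:30", "4111-0002", "ATM-LON-01", 5000),
    ("2020-09-12T02:01:00", "4111-0001", "ATM-NYC-02", 5000),
    ("2020-09-12T02:01:30", "4111-0002", "ATM-LON-02", 5000),
    ("2020-09-12T02:02:00", "4111-0001", "ATM-NYC-03", 5000),
    ("2020-09-12T02:02:30", "4111-0002", "ATM-LON-03", 5000),
    ("2020-09-12T02:03:00", "4111-0001", "ATM-NYC-04", 5000),
    ("2020-09-12T02:03:30", "4111-0002", "ATM-LON-04", 5000),
    ("2020-09-12T09:15:00", "4111-0009", "ATM-NYC-01", 200),   # ordinary customer
]


def unapproved_limit_changes(changes, min_approvers=2, max_raise_factor=5):
    """Flag limit changes that bypass dual approval or exceed the allowed raise."""
    flagged = []
    for _ts, card, old, new, approvers in changes:
        reasons = []
        if len(set(approvers)) < min_approvers:
            reasons.append("missing_dual_approval")
        # A raise from 0 (no previous limit) is treated as exceeding policy too.
        if old <= 0 or new / old > max_raise_factor:
            reasons.append("raise_exceeds_policy")
        if reasons:
            flagged.append((card, reasons))
    return flagged


def velocity_alerts(withdrawals, window=timedelta(minutes=10),
                    max_per_card=3, max_atms_per_card=2, max_total_cash=20000):
    """Sliding-window velocity monitoring over a withdrawal stream.

    Three signals: withdrawals per card, distinct ATMs per card, and the
    aggregate cash leaving all ATMs inside the window (the cash-out itself).
    """
    alerts = []
    per_card = defaultdict(deque)   # card -> (ts, atm, amount) inside the window
    recent = deque()                # (ts, amount) for every withdrawal inside the window
    recent_total = 0
    for ts_str, card, atm, amount in sorted(withdrawals):
        ts = datetime.fromisoformat(ts_str)

        q = per_card[card]
        q.append((ts, atm, amount))
        while ts - q[0][0] > window:     # q is never empty here: newest entry has age 0
            q.popleft()
        if len(q) > max_per_card:
            alerts.append(("card_velocity", card, ts_str))
        if len({a for _, a, _ in q}) > max_atms_per_card:
            alerts.append(("card_multi_atm", card, ts_str))

        recent.append((ts, amount))
        recent_total += amount
        while ts - recent[0][0] > window:
            recent_total -= recent.popleft()[1]
        if recent_total > max_total_cash:
            alerts.append(("aggregate_cashout", "*", ts_str))
    return alerts


def correlate(changes, withdrawals):
    """Cards whose limits were altered without proper approval and then cashed out."""
    tampered = {card for card, _ in unapproved_limit_changes(changes)}
    cashing_out = {card for kind, card, _ in velocity_alerts(withdrawals)
                   if kind.startswith("card_")}
    return sorted(tampered & cashing_out)


if __name__ == "__main__":
    for card, reasons in unapproved_limit_changes(LIMIT_CHANGES):
        print("limit change", card, reasons)
    for alert in velocity_alerts(WITHDRAWALS):
        print("velocity", alert)
    print("tampered and cashing out:", correlate(LIMIT_CHANGES, WITHDRAWALS))
```

The correlation step is the point: a single unapproved limit change or a burst of withdrawals can each have innocent explanations, but a card that shows both within hours is the pattern the bulletin describes, and it is what should page the incident response team rather than land in a daily report.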

Europol analyzes latest trends, cybercrime impact within the EU and beyond

The global COVID-19 pandemic that hit every corner of the world forced us to reimagine our societies and reinvent the way we work and live. The Europol IOCTA 2020 cybercrime report takes a look at this evolving threat landscape.


Although this crisis showed us how criminals actively take advantage of society at its most vulnerable, this opportunistic behavior should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems.


Social engineering and phishing remain an effective threat to enable other types of cybercrime. Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime as-a-service.

Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.

Encryption continues to be a clear feature of an increasing number of services and tools. One of the principal challenges for law enforcement is how to access and gather relevant data for criminal investigations.

Access to criminal communications on an encrypted network is perhaps the most effective illustration of how such data can provide law enforcement with crucial leads, even beyond the area of cybercrime.

Malware reigns supreme

Ransomware attacks have become more sophisticated, targeting specific organizations in the public and private sector through victim reconnaissance. While the pandemic has triggered an increase in cybercrime, ransomware attacks were targeting the healthcare industry long before the crisis.

Moreover, criminals have added another layer to their ransomware attacks by threatening to auction off the compromised data, increasing the pressure on victims to pay the ransom.

Advanced forms of malware are a top threat in the EU: criminals have transformed some traditional banking Trojans into modular malware that harvests a broader set of device fingerprints, which are later sold on for different purposes.

Child sexual abuse material continues to increase

The main threats related to online child sexual exploitation have remained stable in recent years; however, detection of online child sexual abuse material saw a sharp spike at the peak of the COVID-19 crisis.

Offenders keep using a number of ways to hide this horrifying crime, such as P2P networks, social networking platforms and using encrypted communications applications.

Dark web communities and forums are meeting places where participation is structured with affiliation rules to promote individuals based on their contribution to the community, which they do by recording and posting their abuse of children, encouraging others to do the same.

Livestreaming of child abuse continues to increase, and became even more popular during the COVID-19 crisis when travel restrictions prevented offenders from physically abusing children. In some cases video chat applications with built-in payment systems are used, which is one of the key challenges for law enforcement because this material is not recorded.

Payment fraud: SIM swapping a new trend

SIM swapping, a form of account takeover, is one of the new trends. Criminals fraudulently swap or port a victim’s phone number to a SIM in their possession so that they receive the one-time passwords sent by SMS during authentication, which gives them access to the victim’s sensitive accounts.

Criminal abuse of the dark web

In 2019 and early 2020 there was a high level of volatility on the dark web. The lifecycle of dark web market places has shortened and there is no clear dominant market that has risen over the past year.

Tor remains the preferred infrastructure, however criminals have started to use other privacy-focused, decentralized marketplace platforms to sell their illegal goods. Although this is not a new phenomenon, these sorts of platforms have started to increase over the last year.

OpenBazaar is noteworthy, as certain threats have emerged on the platform over the past year such as COVID-19-related items during the pandemic.

VP for Promoting our European Way of Life, Margaritis Schinas, who is leading the European Commission’s work on the European Security Union, said: “Cybercrime is a hard reality. While the digital transformation of our societies evolves, so does cybercrime which is becoming more present and sophisticated.

“We will spare no efforts to further enhance our cybersecurity and step up law enforcement capabilities to fight against these evolving threats.”

EU Commissioner for Home Affairs, Ylva Johansson, said: “The Coronavirus Pandemic has slowed many aspects of our normal lives. But it has unfortunately accelerated online criminal activity. Organised Crime exploits the vulnerable, be it the newly unemployed, exposed businesses, or, worst of all, children.

“The Europol IOCTA 2020 cybercrime report shows the urgent need for the EU to step up the fight against organised crime [online] and confirms the essential role of Europol in that fight”.

Increased attacks and the power of a fully staffed cybersecurity team

The cybersecurity landscape is constantly evolving, and even more so during this time of disruption. According to ISACA’s survey, most respondents believe that their enterprise will be hit by a cyberattack soon – with 53 percent believing it is likely they will experience one in the next 12 months.


Cyberattacks continuing to increase

The survey found that cyberattacks are also continuing to increase, with 32 percent of respondents reporting more attacks than a year ago. There is a glimmer of hope, however: the share of respondents reporting an increase keeps declining; last year, just over 39 percent answered the same way.

While attacks are going up, with the top attack types reported as social engineering (15 percent), advanced persistent threat (10 percent) and ransomware and unpatched systems (9 percent each), respondents believe that cybercrime remains underreported.

Sixty-two percent of professionals believe that enterprises are failing to report cybercrime, even when they have a legal or contractual obligation to do so.

“These survey results confirm what many cybersecurity professionals have known for some time and in particular during this health crisis—that attacks have been increasing and are likely to impact their enterprise in the near term,” says Ed Moyle, founding partner, SecurityCurve.

“It also reveals some hard truths our profession needs to face around the need for greater transparency and communication around these attacks.”

Security programs tools

Among the tools used in security programs for fighting these attacks are AI and machine learning solutions, and the survey asked about these for the first time this year. While these options are available to incorporate into security solutions, only 30 percent of those surveyed use these tools as a direct part of their operations capability.

The survey also found that while the number of respondents indicating they are significantly understaffed fell by seven percentage points from last year, a majority of organizations (62 percent) remain understaffed. Understaffed security teams and those struggling to bring on new staff are less confident in their ability to respond to threats.

Only 21 percent of “significantly understaffed” respondents report that they are completely or very confident in their organization’s ability to respond to threats, whereas those who indicated their enterprise was “appropriately staffed” have a 50 percent confidence level.

Cybersecurity hiring and retention

The impact goes even further: the research found that enterprises struggling to fill roles experience more attacks, with the length of time it takes to hire being a factor. For example, 35 percent of respondents in enterprises taking three months to hire reported an increase in attacks, as did 38 percent of those in enterprises taking six months or more.

Additionally, 42 percent of organizations that are unable to fill open security positions are experiencing more attacks this year.

“Security controls come down to three things—people, process and technology—and this research spotlights just how essential people are to a cybersecurity team,” says Sandy Silk, Director of IT Security Education & Consulting, Harvard University, and ISACA cybersecurity expert.

“It is evident that cybersecurity hiring and retention can have a very real impact on the security of enterprises. Cybersecurity teams need to think differently about talent, including seeking non-traditional candidates with diverse educational levels and experience.”

Money is still the root of most breaches

Verizon has released its annual Data Breach Investigations Report (DBIR), which offers an overview of the cyber security incidents and data breaches that happened in/were discovered in the past year.

Based on an analysis of incident and breach reports by 81 contributing organizations – companies, CERTs, law enforcement agencies and cybercrime units, etc. – from around the world, the DBIR offers insight into current cyber attack trends and the threats organizations in various industry verticals and parts of the world face.

2019 cyber attack trends: the “WHO”

The researchers analyzed 32,002 security incidents that resulted in the compromise of an information asset. Of those, 3,950 were data breaches, i.e., incidents that resulted in the confirmed disclosure of data to an unauthorized party.

The report is massive, so we’ll highlight some interesting tidbits and findings:

  • 70% of breaches perpetrated by external actors (except in the healthcare vertical, where it’s 51% external, 48% internal)
  • 86% of breaches were financially motivated
  • Organized criminal groups were behind 55% of breaches
  • 72% of breaches involved large business victims


“This year’s DBIR has once again highlighted the principal motive for the vast majority of malicious data breaches: the pursuit of profit. This is surprising to some, given the extensive media coverage of national security-related breaches. However, it should not be. Most malicious cyber actors are not motivated by national security or geopolitical objectives, but rather by simple greed,” the data scientists who compiled the report noted.

“Financially motivated breaches are more common than Espionage by a wide margin, which itself is more common than all other motives (including Fun, Ideology and Grudge, the traditional ‘go to’ motives for movie hackers).”

2019 cyber attack trends: the “HOW”

The majority of data breaches (67% or more) are caused by credential theft, social attacks (phishing, business email compromise, pretexting) and errors (mostly misconfiguration and misdelivery of documents and email).

“These tactics prove effective for attackers, so they return to them time and again. For most organizations, these three tactics should be the focus of the bulk of security efforts,” they advised.

Another interesting finding is that attacks on web apps were a part of 43% of breaches, which is more than double the results from last year. The researchers put this down to more workflows moving to cloud services and attackers adjusting to the shift.

“The most common methods of attacking web apps are using stolen or brute-forced credentials (over 80%) or exploiting vulnerabilities (less than 20%) in the web application to gain access to sensitive information,” they shared.

Less than 5% of breaches involved exploitation of a vulnerability, and it seems that most organizations are doing a good job at patching – at least at patching the assets they know about.

“Most organizations we see have internet-facing assets spread across five or more networks. It’s the forgotten assets that never get patched that can create dangerous holes in your defenses,” the authors pointed out.

Most malware is still delivered by email and the rest via web services. Attackers have mostly given up on cryptocurrency mining malware, RAM scrapers and malware with vulnerability exploits, but love password dumpers, malware that captures app data, ransomware and downloaders.

Even though it is a small percentage of all incidents, financially motivated social engineering is on the rise – and attackers have largely stopped asking for W-2 data of employees and switched to asking for the cash directly.

Cloud assets were involved in about 22% of breaches this year, while the rest were on-premises assets.

“Cloud breaches involved an email or web application server 73% of the time. Additionally, 77% of those cloud breaches also involved breached credentials. This is not so much an indictment of cloud security as it is an illustration of the trend of cybercriminals finding the quickest and easiest route to their victims,” they noted.

Use the information to improve defenses

An interesting finding that can be used by defenders to their advantage is that attackers prefer short paths to a data breach. Throwing things in their way to increase the number of actions they have to take is likely to decrease their chance of making off with the data.

Knowing which actions happen at the beginning, middle and end of incidents and breaches can also help defenders react quickly and with purpose.


“Malware is rarely the first action in a breach because it obviously has to come from somewhere. Conversely, Social actions almost never end an attack. In the middle, we can see Hacking and Malware providing the glue that holds the breach together. And so, [another] defensive opportunity is to guess what you haven’t seen based on what you have,” the authors noted.

“For example, if you see malware, you need to look back in time for what you may have missed, but if you see a social action, look for where the attacker is going, not where they are. All in all, paths can be hard to wrap your head around, but once you do, they offer a valuable opportunity not just for understanding the attackers, but for planning your own defenses.”

What should organizations do to bolster their cyber security posture?

DBIR report author and Information Security Data Scientist Gabe Bassett advises organizations to keep doing what they are doing: anti-virus at the host, network, and proxy level plus patching and filtering (e.g., with firewalls) will help push the attackers towards other attacks.

“Address the human element. The top actions (phishing, use of stolen credentials, misconfiguration, misdelivery, and misuse) all involve people. No-one is perfect so find ways to set people up for success and be prepared to handle their mistakes,” he noted, and added that all organizations should have some level of security operations.

“You can’t make the defenses high enough, wide enough, deep enough, or long enough to keep an attacker out if you don’t have someone watching the wall. For large organizations this means having a dedicated security operations center. For smaller ones it may mean taking advantage of economies of scale, either by acquiring managed security services directly, or by using services (payment systems, cloud services, and other managed services that have security operations incorporated).”

Finally, to add extra steps to attackers’ path and to deter all but the most persistent ones, they should use two factor authentication whenever possible.

More authentication and identity tech needed with fraud expected to increase

The proliferation of real-time payments platforms, including person-to-person (P2P) transfers and mobile payment platforms across Asia Pacific, has increased fraud losses for the majority of banks.


FICO recently surveyed banks in the region and found that nearly 4 out of 5 (78 percent) have seen their fraud losses increase.

Further to this, almost a quarter (22 percent) say that fraud will rise significantly in the next 12 months, with an additional 58 percent saying they expect a moderate rise in fraud.

“While the convenience of real-time payments is great news for customers, increasingly, banks have zero time to clear a transaction or payment. AI can’t slow down the clock, but it can help create systems that are radically quicker to recognize a transaction that smells likely to be fraudulent,” said Dan McConaghy, president of FICO in Asia Pacific.

“Banks will need to move beyond passwords and OTPs and add biometrics, device telemetry and customer behavior analytics to keep up with the changing payments landscape.”

Authentication and identity tech

When asked which identity and authentication strategies they use, the majority of APAC banks (84 percent) said they employ multi-factor authentication. They increasingly use a wide range of authentication methods, including biometrics (64 percent), normal passwords (62 percent) and, in last place, behavioral authentication (38 percent).

Interestingly, nearly half of the respondents (46 percent) currently use only one or two of these strategies, potentially leaving them more exposed to attacks such as identity theft and account takeover.

“Why try to crack a safe when you can walk in the front door?” explained McConaghy.

“Criminals are trying to fool banks into thinking they are new customers or stealing account access by tricking people into making security mistakes or giving away sensitive information. When they are successful, criminals are making use of real-time payments to move funds quickly through a maze of global accounts.”

The survey bore this out with 40 percent of banks naming social engineering as the number one fraud concern when it comes to real-time payments. Account takeovers were ranked second, with false accounts and money mules also rated as problems.

New forms of biometric, multi-factor and behavioral technologies allow banks to stop payments being made, even if an account appears to be using the correct but stolen password or entering the right, but intercepted, one-time-password.

“Beyond this type of account take over, we also have authorized push payment fraud, such as when a customer is tricked into paying what they think is a legitimate invoice like a fake school bill or payment to a tradesperson,” said McConaghy.

“This type of social engineering is harder to stop but better KYC, link analysis to find money mule accounts and behavioral analytics to flag new accounts for a regular payee, are all examples of how to tackle it.”

Mitigating criminal behavior

Beyond fraud on real-time payment platforms, criminals engaged in drug trafficking, human smuggling, tax evasion and terrorism finance are also attracted to the irrevocable nature of instant payments.

The lack of visibility between jurisdictions has seen regulators encouraging banks to move quickly in this cross-border payments space to ensure payments are compliant and secure.

In terms of mitigating this criminal behavior, more than 90 percent of APAC banks surveyed thought that convergence between their fraud and compliance functions would be helpful in defending transactions on real-time payments platforms.

“We estimate that there is about an 80 percent overlap in software functionality between legacy fraud and anti-money laundering systems,” added McConaghy.

“To tackle fraud and money laundering schemes that exploit real-time money movement you need to leverage all the available technologies, automate as much as you can and introduce models that can identify outlier transactions and customer behavior so your teams can spend their time investigating the riskiest of the red flags.”

Hackers go phishing for the holidays

It’s that time of year again. Everyone’s busy – at work and at home. That includes cybercriminals, too. In fact, the holiday season is when busy, distracted people tend to be especially vulnerable to phishing attacks. Just one click on a phishing link in a realistic-looking email or package shipment notice from even the savviest small business user opens the door to scammers.


Cybercriminals becoming more sophisticated

Those scammers have honed their skills in recent years, coming up with more sophisticated ways to find businesses via websites, social media, and email address books. With this information, they can make their outreach more targeted, which makes the email appear more legitimate to the recipient.

What’s more, they often take advantage of the data they’ve acquired via breaches at retailers and other companies to create realistic-looking emails that appear to have come from co-workers, friends, vendors, clients or banks. Some even try to pass themselves off as IRS agents. These social engineering tactics further deceive the recipient into believing that the communication is trustworthy.

Small businesses under attack

Small businesses are especially prone to these phishing attacks. Because they have access to fewer cybersecurity resources and operate on tighter budgets than larger organizations, small businesses are frequent targets for scammers. Even if security isn’t in their budget, small businesses will end up paying for it one way or another: the average cyberattack costs a small business $53,987. Of course, that’s far less than the millions of dollars we hear about when medium and large enterprises are the victims, but it’s proportionally substantial.

Phishing for the holidays

It’s estimated that one in every 99 emails contains a phishing attack, which amounts to slightly fewer than five emails per employee in a five-day work week for a small business. What’s more, 30% of phishing emails typically make it past security built into popular cloud email providers like Office 365.

Given those kinds of success rates, it’s no surprise that scammers continue to increase the number of phishing attacks they launch every year. In 2018, 83% of people worldwide received phishing attacks, resulting in decreased productivity, loss of proprietary data, reputational damage, and other disruptions and damages.

In recent years, scammers have upped their sophistication, making it even more difficult for unsuspecting victims to recognize a phishing email for what it is – especially when the pace of nearly everything picks up during the holidays. But there are several things you can do to avoid getting reeled into a phishing scam when you get an email (or text) that looks like it’s from someone you know and asks you to click on a link to update an account or your information.

Is it real?

Remember, it’s easy for scammers to spoof logos and create fake email addresses to make a message look like it’s coming from a person or company you know. So always double-check the address. It’s easy for a scammer to make small changes, such as replacing an “m” with an “r” followed by an “n”, which you might not notice at first glance. And beware of any message that pressures you to act immediately to prevent something bad from happening. Remember, too, that the IRS will never send you email.
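The “r” plus “n” for “m” trick above is the kind of check a mail filter or a help desk script can automate rather than leaving to a skim of the From line. The following added example (not code from the original article) classifies a From header against a small allowlist of domains the business actually deals with. The allowlist, the confusable-glyph table, the sample headers and the verdict names are all assumptions for illustration; a real deployment would feed it the organisation’s own vendor and bank domains.

```python
import re
import unicodedata

# Assumed allowlist: domains this (hypothetical) small business really corresponds with.
TRUSTED_DOMAINS = {"example-bank.com", "shipfast-courier.com", "irs.gov"}

# Glyph pairs a reader skims past. "rn" for "m" is the one the article describes.
MULTI_CHAR_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]
SINGLE_CHAR_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e"})


def extract_address(from_header):
    """Pull the bare address out of '"Display Name" <user@host>' (or a bare address)."""
    m = re.search(r"<([^>]+)>", from_header)
    return (m.group(1) if m else from_header).strip().lower()


def sender_domain(address):
    return address.rsplit("@", 1)[-1]


def canonicalize(domain):
    """Fold a domain to the shape a human eye perceives, so lookalikes collide."""
    d = unicodedata.normalize("NFKC", domain).lower()   # fullwidth and compat forms -> ASCII
    d = d.translate(SINGLE_CHAR_CONFUSABLES)
    for pair, replacement in MULTI_CHAR_CONFUSABLES:
        d = d.replace(pair, replacement)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance; distance 1 catches one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return (verdict, detail) for a From header.

    Verdicts: trusted, lookalike (renders like a trusted domain),
    subdomain_spoof (trusted name used as a label of another domain),
    typosquat (one edit away), unknown (not on the allowlist at all).
    """
    domain = sender_domain(extract_address(from_header))
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    canon = canonicalize(domain)
    for trusted in TRUSTED_DOMAINS:
        trusted_canon = canonicalize(trusted)
        if canon == trusted_canon:
            return ("lookalike", f"{domain} renders like {trusted}")
        if domain.startswith(trusted + "."):
            return ("subdomain_spoof", f"{domain} borrows {trusted} as a prefix")
        if edit_distance(canon, trusted_canon) == 1:
            return ("typosquat", f"{domain} is one edit from {trusted}")
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed headers, not real mail.
    samples = [
        '"Example Bank" <alerts@example-bank.com>',
        '"Example Bank" <alerts@exarnple-bank.com>',       # rn for m
        '"Example Bank" <alerts@examp1e-bank.com>',        # digit one for l
        '"IRS Refunds" <refund@irs.gov.tax-refund-portal.net>',
        "<tracking@shipfast-courrier.com>",                # doubled r
        "<news@unrelated-vendor.org>",
    ]
    for header in samples:
        print(classify_sender(header), "<-", header)
```

Two caveats worth knowing before relying on this. First, it inspects only the From header, which a spoofer controls outright; pair it with SPF, DKIM and DMARC results so that a mail that claims a trusted domain but fails authentication is treated as hostile rather than “trusted”. Second, an “unknown” verdict is not a clean bill of health, it only means the domain does not resemble anything on the allowlist; the article’s advice to confirm by phone or via an address already on file still applies.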

Is there an attachment or a link?

Be especially cautious if the email is from someone you don’t know and you’re being asked to click on a link, type in your password, account name or number, or provide other sensitive information. The exception is when you’re expecting a link or an attachment from someone you know and trust (for example, your lawyer sending a contract you discussed, a client sending details for an ad you’re developing, or a vendor verifying an order you placed).

Are you familiar with the sender?

If you get an email you weren’t expecting with an attachment or a link, verify that it’s coming from the person you think it is. But instead of clicking on “reply” or copying the email address, call the person or use an email address you already have on file.


But what if you or someone in your company inadvertently falls for a phishing scheme? First, contact whoever is in charge of your company’s IT systems and let them know what happened. And since phishing attacks (even during the holidays) often strike more than one person in a company, be sure to talk to your colleagues – to alert them and confirm that no one else has made the same mistake.

Of course, you should also notify any affected parties, including customers and suppliers. Then limit the damage by changing your passwords and disconnecting from your company’s network. Finally, report the incident to the appropriate authorities and report spam to the Federal Trade Commission.

And finally, enjoy the holidays.

How to test employee cyber competence through pen-testing

Social engineering hacking preys on the vulnerabilities inherent in human psychology, so it’s vital for organizations to test employee cyber competence.


Take the Nigerian 419 scam as an example – the scammer tries to convince the victim to help get supposedly ill-gotten cash out of their own country into a safe bank, offering a percentage of the money for their participation. While “Nigerian prince” emails have been scamming people for decades, it’s still an effective social engineering technique that people fall for.

Employees pose a huge threat to your organization if they’re not properly trained and educated on their role and responsibilities when it comes to cybersecurity. To identify the vulnerable workers who may require some extra training, your organization can use social engineering pen-testing.

Employees are the first line of defense

Your employees are truly the first line of defense to keeping your company safe and secure. Employees need to understand how their personal social media habits and oversharing information online can have a direct correlation to the safety of their companies. With the amount of information shared on platforms such as LinkedIn, Facebook, Twitter, and Instagram, hackers can gather information to build trust with the victim or even assume the identity of someone in your social circle.

In other cases, employees lack the knowledge to identify cyber threats and therefore fall victim to the attack. Threats such as phishing emails, tailgating, and baiting may seem perfectly legitimate to an employee who has no reason to be skeptical. Why wouldn’t you act on an email from your boss on vacation asking you to transfer money for him? Why wouldn’t you hold the door for a colleague who happened to leave their keycard at home that day?

Social engineering hacks infiltrate your organization by “hacking the human brain” and preying on its vulnerabilities. Without a general understanding and training on how to identify cyber threats, employees will remain a target for cybercrime.

Make employee training a priority

Seek out comprehensive training services that prepare your employees to recognize and avoid the latest cybersecurity threats and so safeguard your organization. You’ll want a cybersecurity training program that is tailored to your organization’s vulnerabilities. Different industries, like legal services, healthcare, financial services, or retail and hospitality, have different needs to meet compliance standards.

For example, law firms and others in the legal services field have strict requirements that cover both the handling of paper documents and digital security. Custom employee training programs for legal services will help staff adapt to the latest technologies and reduce liabilities with best practices in data hygiene and physical security.

The same training program that focuses on your industry should also be customizable to an employee’s role within the company. For example, paralegals should worry about spoofed emails from court systems, wait staff at a restaurant should focus on credit card theft or identity fraud, and financial advisors need to be cautious when wiring money to and from their clients’ accounts.

Another crucial aspect of employee cybersecurity training is teaching your staff the importance of digital hygiene and how to keep their online data organized, safe, and secure from outside threats. This can be established through digital hygiene practice and data-loss prevention methods. Educate your employees on the value of information and how to properly share it at different levels. This will help protect against accidental disclosures.

Going back to oversharing on social media, training can help employees better understand social media hygiene and better gauge when and where it is appropriate to share personal information. If employees are aware of how the information they post can be used, they’ll be less likely to make that information so easily accessible to hackers.

One-time-training isn’t going to cut it. Frequent training sessions for employees are crucial to highlight new social engineering hacks that are being seen by experts as well as keeping best practices fresh in employees’ minds. Regular sessions keep information active in the brain and not pushed to long-term memory.

Keep in mind that for your non-technical employees, short 5- to 10-minute micro-training sessions will allow more information to be absorbed than the typical annual one-hour training session.

Test employee cyber competence

Your employees have gone through training programs and are more aware of their responsibilities. Now it’s time to put them to the test – you can do this by using social engineering pen testing to evaluate your employees’ level of cyber awareness through simulations. Hiring an outside penetration testing firm to put your security preparation through its paces is ideal, since a third party can bring to light issues that may have fallen into the company’s blind spot.

The value of social engineering pen testing is that it will uncover security weaknesses in the following areas:

  • Physical security (of the entire building)
  • Corporate security policies connected to proper usage and disposal of sensitive data
  • Employees’ security awareness and its implementation – you will see if the staff needs additional security training

Social engineering pen-testing can be used on your employees, either off-site or on-site. Off-site testing is designed to make employees divulge information intended for internal use only. You can attempt to compromise employees through phone phishing, e-mail phishing or SMS phishing. A pen tester would send employees an e-mail with a link to files containing malware. For example, staff members may receive an e-mail informing them that they’ve won a vacation. If employees fall into the trap, they’ll click the link, giving the pen tester access to the target’s corporate account. A test of this nature will provide the organization with analytics on how many employees clicked the link, and which employees are the biggest threat.

On-site penetration testing applies various techniques to gain physical access to the target company’s office. This can include impersonation of employees or clients, dumpster diving, and physical honeypots. One way to test employee cyber competence with this method is impersonation: have a pen tester pose as a tech support worker to gain direct access to the company’s network. The pen tester can plug a USB thumb drive into a target computer and compromise the company within seconds. You can then analyze which employees were easily targeted and fooled by the imposter.

Take a dumpster dive into your employees’ trash bins. Have they left printouts and scraps of paper with critical information? Was the paper shredder not used to dispose of data? This is an effective way to see which employees may not be careful with sensitive corporate information.


You may think your organization is safe, but it only takes one individual to jeopardize the security of the whole company. Social engineering pen testing is an efficient way to identify where your employees stand when it comes to cybersecurity best practices. Making employees aware is the key, and results from pen testing can help drive this awareness.

Pen testing also provides valuable metrics – education and training without metrics fail to show if people are learning and putting what they’ve learned to use. Testing employees when they don’t know they’re being tested enables real insight into their cyber awareness and how you can best train them. With your employees being your biggest cybersecurity vulnerability, training is the most cost-effective way to safeguard your organization.
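To make the metrics in the two paragraphs above concrete, here is an added example (not code from the article or from any simulation vendor) that aggregates a phishing-simulation export into click rate, report rate, per-department rates and repeat clickers. The event rows are constructed sample data, and the column layout (campaign, employee, department, last action) is an assumption about what such a platform exports.

```python
"""Turn phishing-simulation results into training metrics.

Added example, not code from the original article. The event records are
constructed sample data; the column layout (campaign, employee, department,
last action) is an assumption about what a simulation platform exports.
"""
from collections import defaultdict

# Constructed export: one row per (campaign, employee) holding the furthest
# step the employee took with the simulated lure.
SAMPLE_EVENTS = [
    ("2020-Q3", "alice", "legal",   "reported"),
    ("2020-Q3", "bob",   "legal",   "clicked"),
    ("2020-Q3", "carol", "finance", "clicked"),
    ("2020-Q3", "dave",  "finance", "ignored"),
    ("2020-Q3", "erin",  "ops",     "opened"),
    ("2020-Q4", "alice", "legal",   "reported"),
    ("2020-Q4", "bob",   "legal",   "submitted"),
    ("2020-Q4", "carol", "finance", "reported"),
    ("2020-Q4", "dave",  "finance", "clicked"),
    ("2020-Q4", "erin",  "ops",     "reported"),
]

# "clicked" (followed the link) and "submitted" (also typed credentials into
# the landing page) both count as a compromise for the click-rate metric.
COMPROMISE_ACTIONS = {"clicked", "submitted"}


def campaign_metrics(events):
    """Per campaign: lures delivered, click rate and report rate."""
    totals = defaultdict(lambda: {"delivered": 0, "clicked": 0, "reported": 0})
    for campaign, _employee, _dept, action in events:
        row = totals[campaign]
        row["delivered"] += 1
        if action in COMPROMISE_ACTIONS:
            row["clicked"] += 1
        elif action == "reported":
            row["reported"] += 1
    return {
        campaign: {
            "delivered": row["delivered"],
            "click_rate": round(row["clicked"] / row["delivered"], 3),
            "report_rate": round(row["reported"] / row["delivered"], 3),
        }
        for campaign, row in totals.items()
    }


def department_click_rates(events, campaign):
    """Click rate per department for one campaign, so follow-up training can
    be targeted where it is needed rather than company-wide."""
    delivered = defaultdict(int)
    clicked = defaultdict(int)
    for camp, _employee, dept, action in events:
        if camp != campaign:
            continue
        delivered[dept] += 1
        if action in COMPROMISE_ACTIONS:
            clicked[dept] += 1
    return {dept: round(clicked[dept] / delivered[dept], 3) for dept in delivered}


def repeat_clickers(events, min_campaigns=2):
    """Employees who fell for the lure in at least `min_campaigns` distinct
    campaigns: the people the article calls the biggest threat, and the
    first candidates for one-on-one coaching."""
    hits = defaultdict(set)
    for campaign, employee, _dept, action in events:
        if action in COMPROMISE_ACTIONS:
            hits[employee].add(campaign)
    return sorted(e for e, camps in hits.items() if len(camps) >= min_campaigns)


if __name__ == "__main__":
    for campaign, metrics in sorted(campaign_metrics(SAMPLE_EVENTS).items()):
        print(campaign, metrics)
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

On the constructed data the click rate is flat between the two campaigns while the report rate triples; the report rate is the number that shows training taking hold, since an employee who reports a lure protects colleagues who have not yet seen it. The repeat-clicker list is what turns the test into targeted coaching instead of another company-wide session.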

Humble Bundle alerts customers to subscription reveal bug

You’ll want to check your mailbox if you have a Humble Bundle account, as they’re notifying some customers of a bug used to gather subscriber information.

The mail reads as follows:

Last week, we discovered someone using a bug in our code to access limited non-personal information about Humble Bundle accounts. The bug did not expose email addresses, but the person exploited it by testing a list of email addresses to see if they matched a Humble Bundle account. Your email address was one of the matches.

Now, this is the part of a breach/bug mail where you tend to say “Oh no, not again” and take a deep breath. Then you see how much of your personal information winged its way to the attacker.

Oh no, not again

For once, your name, address, and even your login details are apparently in safe hands. Either this bug didn’t expose as much as the attacker was hoping for, or they were just in it for the niche content collection.

The email continues:

Sensitive information such as your name, billing address, password, and payment information was NOT exposed. The only information they could have accessed is your Humble Monthly subscription status. More specifically, they might know if your subscription is active, inactive, or paused; when your plan expires; and if you’ve received any referral bonuses.

I should explain at this point. You can buy standalone PC games on the Humble store, or whatever book, game, or other collection happens to be on offer this week. Alternatively, you can sign up to the monthly subscription: you pay, and every month you’re given a random selection of video game titles. They may be good, bad, or indifferent. You might already own a few, in which case you may be able to gift them to others. If you have no interest in the upfront preview titles, you can temporarily pause your subscription for a month.

This is the data that the bug exploiter has obtained, which is definitely an odd and specific thing to try and grab.

Security advice from Humble Bundle

Let’s go back to the email at this point:

Even though the information revealed is very limited, we take customer trust very seriously and wanted to promptly disclose this to you. We want to make sure you are able to protect yourself should someone use the information gathered to pose as Humble Bundle.

As a reminder, here are some tips to keep your account private and safe:

  • Don’t share your password, personal details, or payment information with anyone. We will NEVER ask for information like that.
  • Be careful of emails with links to unfamiliar sites. If you receive a suspicious email related to Humble Bundle, please contact us via our support website so that we can investigate further and warn others.
  • Enable two-factor authentication (2FA) so that even if someone gets your password, they won’t be able to access your account. You can enable 2FA by following these instructions.

We sincerely apologize for this mistake. We will work even harder to ensure your privacy and safety in the future.

Good advice, but what’s the threat?

One could guess that the big risk here, then, is the potential for spear phishing. An attacker could exploit this by mailing subscribers that their subscription is about to time out, or by claiming problems with stored card details. Throw in a splash of colour text about your subscription “currently being paused,” and it’s all going to look convincing.

Phishing is a major danger online, and we should do everything we can to thwart it. While the information exposed here isn’t as bad as it tends to be, it can still cause major headaches. Be on the lookout for dubious Humble mails, especially if they mention subscriptions. It’ll help to keep your bundle of joy from becoming a bundle of misery.
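As an added illustration of the bug class the notice describes (this is not Humble Bundle’s code; the account store, addresses and status values are constructed), the weak pattern below is an unauthenticated lookup that answers differently for known and unknown e-mail addresses, placed beside a hardened version that returns an account’s data only to that account’s own authenticated session and answers every other request identically. A small monitor shows what testing a list of addresses looks like from the server side, which is how a defender spots it.

```python
"""Account-enumeration oracle: the weak pattern beside a hardened one.

Added example, not Humble Bundle's code. It models the bug class the notice
describes (an endpoint that answers whether an e-mail belongs to an account
and what that account's subscription status is) with a toy in-memory store.
All addresses and account data are constructed.
"""
from collections import defaultdict

# Constructed account store keyed by e-mail address.
ACCOUNTS = {
    "alice@example.com": {"subscription": "active", "expires": "2020-12-01"},
    "bob@example.com":   {"subscription": "paused", "expires": "2021-01-15"},
}


def lookup_weak(email):
    """Unauthenticated lookup by e-mail. Because known and unknown addresses
    get different responses, anyone holding a mailing list can test each
    address and learn which ones are customers, plus their plan status."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return {"status": 404, "body": {"error": "no such account"}}
    return {"status": 200, "body": dict(acct)}


def lookup_hardened(session_email, email):
    """Lookup tied to the caller's own authenticated session. Subscription
    data is returned only for the account the caller is logged in as; every
    other case (no session, someone else's address, unknown address) gets
    the identical response, so the endpoint leaks nothing about accounts
    other than the caller's own."""
    if session_email is not None and session_email == email and email in ACCOUNTS:
        return {"status": 200, "body": dict(ACCOUNTS[email])}
    return {"status": 403, "body": {"error": "forbidden"}}


class ProbeMonitor:
    """Detection for list-testing: flag a client that queries many distinct
    e-mail addresses, which is how enumeration looks in access logs whether
    or not the endpoint itself leaks anything."""

    def __init__(self, threshold=20):
        self.threshold = threshold
        self._seen = defaultdict(set)  # client -> distinct e-mails probed

    def observe(self, client_ip, email):
        """Record one request; return True once the client has probed more
        than `threshold` distinct addresses (case-folded)."""
        self._seen[client_ip].add(email.lower())
        return len(self._seen[client_ip]) > self.threshold


if __name__ == "__main__":
    print(lookup_weak("alice@example.com"), lookup_weak("nobody@example.com"))
    print(lookup_hardened(None, "alice@example.com"), lookup_hardened(None, "nobody@example.com"))
```

The hardened lookup only closes this one door: sign-up, password-reset and login error messages need the same uniform response for known and unknown addresses, or the oracle simply moves to another endpoint. The probe monitor is the backstop for whatever residual difference (timing, for instance) remains.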

The post Humble Bundle alerts customers to subscription reveal bug appeared first on Malwarebytes Labs.

APT10 Stone Panda – Operation Cloud Hopper – Social Engineering

On 3 Apr 2017, the National Cyber Security Centre (NCSC) briefed major UK businesses about a significant Chinese Cyber-Espionage Threat called APT10, also known as Stone Panda.

  • APT10 is operating a campaign called ‘Cloud Hopper’, which is actively targeting Managed Service Providers (MSPs) in order to steal their clients’ data. NCSC has stated that UK MSPs are known to have been infiltrated, but it is not naming them.
  • The Cloud Hopper campaign focuses on sending malware-infected emails to staff at Managed Service Providers (MSPs). Once executed, the malware creates a backdoor that allows the attacker remote access to the MSP’s backend systems. From there the attackers are able to navigate the MSP network and identify external connections to the MSP’s clients, which are their actual targets. These network channels are then used to steal data from those clients; the data is packaged and exfiltrated through the MSP remote connection. These backdoors are known to remain undetected for months, because the tailored malware is not detected by anti-virus and security monitoring.
  • PwC and BAE Systems have been assisting NCSC and have produced a list of IP addresses and MD5 file hashes associated with Cloud Hopper attacks. These can be used to detect (scan) and prevent (monitor) Cloud Hopper activity.
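Here is an added example (not the PwC/BAE Systems or NCSC tooling) of how a list of IP addresses and MD5 hashes like the one described is put to use: sweep outbound connection logs for the listed addresses and hash files against the listed MD5s. The indicators, log lines and file contents in the block are constructed placeholders (TEST-NET addresses and hashes of sample strings), not the published Cloud Hopper indicators; the functions take the real list as arguments.

```python
"""Sweep logs and files for a published indicator list.

Added example, not the PwC/BAE Systems or NCSC tooling. The addresses and
hashes below are constructed placeholders (TEST-NET ranges and MD5s of
sample strings), not the real Cloud Hopper indicators; load the published
list in their place.
"""
import hashlib
import os
import re

# Constructed placeholder indicator list, stand-ins for the published IPs/MD5s.
BAD_IPS = {"192.0.2.10", "192.0.2.77"}
BAD_MD5 = {
    hashlib.md5(b"constructed sample payload A").hexdigest(),
    hashlib.md5(b"constructed sample payload B").hexdigest(),
}

# Constructed outbound proxy log: timestamp, source, destination, bytes sent.
SAMPLE_LOG = """\
2017-04-03T10:01:12Z 10.1.4.22 203.0.113.5 512
2017-04-03T10:01:14Z 10.1.4.22 192.0.2.10 2048
2017-04-03T10:02:00Z 10.1.9.8 198.51.100.3 300
2017-04-03T10:03:41Z 10.1.4.22 192.0.2.77 81920
"""

# Dotted quad not embedded in a longer dotted/numeric run.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def find_ioc_ips(log_text, bad_ips=BAD_IPS):
    """Return (line_no, ip, bytes_sent) for each log line that touches a
    listed IP. The byte count (last field of the constructed format) helps
    size a possible exfiltration over that channel."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        sent = int(fields[-1]) if fields and fields[-1].isdigit() else 0
        for ip in IPV4.findall(line):
            if ip in bad_ips:
                hits.append((n, ip, sent))
    return hits


def md5_of(data):
    """MD5 is used only because the published list is keyed by MD5."""
    return hashlib.md5(data).hexdigest()


def find_ioc_hashes(files, bad_hashes=BAD_MD5):
    """files: mapping name -> content bytes. Returns names whose MD5 is listed."""
    return sorted(name for name, data in files.items() if md5_of(data) in bad_hashes)


def read_tree(root):
    """Load every file under `root` into the mapping find_ioc_hashes expects
    (adequate for a few directories; stream larger trees file by file)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                files[path] = fh.read()
    return files


if __name__ == "__main__":
    print("IP hits:", find_ioc_ips(SAMPLE_LOG))
    sample_files = {"dropper.bin": b"constructed sample payload A", "notes.txt": b"hello"}
    print("hash hits:", find_ioc_hashes(sample_files))
```

Hash matching only catches samples identical to the ones on the list; the bullet above notes the malware was tailored, so a retooled build will pass. Treat the IP hits, especially large transfers from hosts that hold MSP-to-client remote connections, as the higher-value signal and refresh the list as it is updated.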

The role of Social Engineering media in society

Social engineering media has a large role to play in society. Whether you want to give out or receive information, you cannot help but use some available form of media that relays the information inwards or outwards. There are numerous media types, such as those concerned with news, advertising and social engineering. Social engineers just want to gather information that will do you harm in some way or another. Their main ways of contacting victims are through the internet or through mobile phones, where you will give out private and sensitive information to an unknown person pretending to be a legitimate user.

This has caused people to lose a great amount of money. However, some people have used this approach to improve their prospects of doing well in the business world. For example, by tricking competitors into releasing certain sensitive data, a business can plan well in advance to counter the actions the competitor is planning to put in place. Once the right information has been leaked, it can be impossible for the company concerned to continue acting on it without making the necessary changes, causing it to incur a huge loss.

These attack attributes are mainly based on the way human beings live and interact with each other, which makes it possible for would-be hackers to manipulate the way people think. Take for instance what happens when a person hacks into your email account and gets all your account details, such as credit cards and more: what financial loss will you incur? What will prevent them from using that card to make all the unnecessary purchases that will shock you when you discover them?

What if they get your old chat histories and edit them with the aim of soliciting money from you? Will they not succeed? What will actually stop you from believing them? This has played a huge role in eroding the attributes of human nature, since attackers proceed to get all the information they require to destroy you without raising any suspicion at all.

Since these attacks occur in both human-based and non-human-based forms of hacking, the right measures should be taken to ensure that the right information gets to the right people, enabling them to defend themselves against this vice. People should learn to recognize human hackers and to practice some caution while dealing with internet-based hackers. This will ensure that the war is won at last.

Social engineering media has played many roles of a diverse nature in society, both negative and positive. Because of it, people have lost private information and been terribly embarrassed as a result. Meanwhile, those who have used it well in business to gain competitor information have gained a lot in business. All of these have helped shape society.

The Impacts Of Social Engineering Media In Everyday Life

Social engineering media has grown over time and has become a common phenomenon in the life of almost every person. Life is changing completely as a result of this phenomenon. Hence you have a lot of opportunity to control the requests that reach your site from your friends. You can decide to reject or accept them without offering any explanation, making life a little easier. For instance, if someone requests to chat with you, you can see the notification in the waiting list, making it possible for you to take the appropriate action. Your failure to accept this request may make your friends form certain perceptions of you. Some might perceive you as slow, while others may think that you are too damn busy even to click on that request.

This type of media has helped the entire business community set up sites where people join and share ideas on things of common interest. Many of the people who interact on social media are not friends who have met face to face, so most of these friendships are only superficial.

If you are the type of person who likes to exert some influence on your friends, this type of media is very useful for you. You can have your updates posted after a certain period of time. Ideas can be shared, and the discussions that take place there can be of great use not only to yourself but also to your friends. You can build a huge following of friends who will, in one way or another, like whatever you do. That’s the reason people click the “I like it” button on media such as Facebook. This kind of following, especially when the author of the message is creative, can help bring many people to your side. They will help spread your message, which in one way or another represents your personal brand, to many people.

Social sites have changed the way we run our social lives through different techniques. For instance, Facebook offers each and every person a wall where anyone can post something. This is just like a public notice board where every person can post and read the available information.

Every person whom you happen to know is a de facto acquaintance. Social networks can also enable us to embrace all of them in the many available ways, offering us a chance to reconnect over a long time.

It’s important that you practice some caution, since as you move up the ladder many people will approach you. Many people will reach out to you, and the way you handle their requests will determine whether you make it or break it. It’s always important to use courteous language while dealing with every person.

Social engineering media dominates our daily lives. The controls that have been put in place make you accessible to many people; however, you can choose to accept or reject their requests. It’s advisable to maintain good relationships by minding your language. Do not post an offensive statement, since it could be used against you in the future. You can use this great network to attract a huge gathering, and through this you will manage to promote the brand in you.