Bringing new employees up to speed on company policies and procedures, or employee onboarding, is standard practice. In well-prepared companies, it also includes extensive cybersecurity training.
To read more about this, click here.
Use of text messages as a phishing vector has become more popular becuase it is effective. Text messages have a 98% open rate and 90% of messages are opened in the first three minutes, according to Proofpoint. The success rate - as measured by the proportion of users that click through to an attacker's page - is eight times that of email phishing.
Click here to read more.
TikTok scammers tried hacking 125 targets that followed famous accounts, researchers find. Click here to read more.
HP finds that 75% of threats were delivered by email in the first six months of 2021. Click here to read more about this phishing threat.
It can be difficult to tell a legitimate website apart from an unsafe one, but you can easily follow these steps from welivesecurity to identify and protect yourself from bad websites. Click here to read the helpful article.
New research suggests that cybersecurity risks are 'new neither hypothetical, nor trivial." Read more about this threat, click here.
What is cyber insurance? Everything you need to know about what it covers and how it works.
When it comes to various types of malware, non has ever dominated the headlines quite as much as ransomware. To read more about ransomware, click here.
Scammers use email or text messages to trick you into giving them your personal information. They may try to steal your passwords, account numbers, or Social Security numbers. If they get that information, they could gain access to your email, bank, or other accounts. Scammers launch thousands of phishing attacks like these every day — and they’re often successful. The FBI’s Internet Crime Complaint Center reported that people lost $30 million to phishing schemes in one year. But there are several things you can do to protect yourself.
WebEx Best Practices
Auto Lock Personal Room for secure meetings. This prevents all attendees in your lobby from automatically joining in the meeting. The host will see a notification when attendees are waiting in the lobby and as the host, you will authorize the attendees to join. This can be done from My Webex > Preferences > My Personal Room on your Webex site.
Set Personal Room Notifications before a Meeting to receive an email notification when attendees are waiting for a meeting to begin. You will then be able to review the participant list and expel any unauthorized attendees.
Schedule a Meeting instead of using your Personal Room. Personal Rooms web links do not change. Improve security by scheduling a meeting which includes a one-time web link.
Scheduled Meetings are unlisted by default by the Site Administrator for all Webex sites. Unlisting Meetings enhances security by requiring the host to inform the meeting attendees, either by sending a link in
an email invitation, or hosts can enter the meeting number using the Join Meetings page. Listing a meeting reveals meeting titles and meeting information publicly.
Set a password for every Meeting by creating a high-complexity, non-trivial password (strong password). A strong
password should include a mix of uppercase and lowercase letters, numbers and special characters (for example, $Ta0qedOx!). Passwords protect against unauthorized attendance since only users with access to the password will
be able to join the meeting.
Do not reuse passwords for meetings. Scheduling meetings with the same passwords weakens meeting protection considerably.
Use Entry or Exit Tone or Announce Name Feature to prevent someone from joining the audio portion of your meeting without your knowledge. This feature is enabled by default for Webex Meetings. For notifications, select Audio Conference Settings > Entry and exit tone > Beep or Announce Name. Otherwise, select No Tone.
Do not allow attendees or panelists to join before host. This setting is set by default by the Site Administrator for Meetings.
Assign an alternate host to start and control the meeting. This keeps meeting more secure by eliminating the
possibility that the host role will be assigned to an unexpected, or unauthorized, attendee, in case you inadvertently lose your connection to the meeting. One or more alternate hosts can be chosen when scheduling a meeting. An alternate host can start the meeting and act as the host. The alternate host must have a user account on your Webex Meetings website.
Lock the meeting once all attendees have joined the meeting. This will prevent additional attendees from joining. Hosts can lock/unlock the meeting at any time while the session is in progress.
Expel Attendees at any time during a meeting. Select the name of the attendee whom you want to remove, then select Participant > Expel.
Share an Application instead of sharing your Screen to prevent accidental exposure of sensitive information on your screen. Ex. Microsoft Office products, Web browsers, etc.
Set password for your recordings before sharing them to keep the recording secure. Password-rotected recordings require recipients to have the password in order to view them.
Delete recordings after they are no longer relevant.
Create a Host Audio PIN. Your PIN is the last level of protection for prevention of unauthorized access to your personal conferencing account. Should a person gain unauthorized access to the host access code for a Personal Conference Meeting (PCN Meeting), the conference cannot be started without the Audio PIN. Protect your Audio PIN and do not share it.
Do not click on emails where you don't know the sender, email has inconsistencies with grammar and/or spelling, or contain a web link you're unfamiliar with.
Zoom Best Practices:
Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
Add a passcode to your meeting, then share that passcode with your guests. Once set, the passcode is required in order to enter the meeting.
Manage screensharing options. In Zoom, change screensharing to “Host Only.”
Ensure users are using the updated version of remote access/meeting applications.
Do not use Facebook to sign in: It might save time, but it is a poor security practice and dramatically increases the amount of personal data Zoom has access to.
Use two devices during Zoom calls: If you are attending a Zoom call on your computer, use your phone to check your email or chat with other call attendees. Don't use your personal meeting ID for meetings. A Zoom Personal meeting ID is the same as a Personal Room meeting in WebEx.
Consider turning on the “waiting room” for your meeting so that you can scan who wants to join before letting everyone in.
If you don't want participants to join/interact before the host enters, uncheck "Join Before Host". Set an alternate host if you need a backup host.
Disable "Allow Removed Participants to Rejoin" so that participants who you have removed from your session cannot re-enter.
Disable "File Transfer" unless you know this feature will be required.
Disable annotation if you don't need it.
Holiday Shopping
It’s that time of year again, holiday shopping has begun! Everyone is looking for those unique gifts, hot toys and cool electronics. Whether it is a hard-to-find toy for kids or the latest 4K smart TV. Black Friday sales seldom fail to pique the interests of even the most casual shoppers. Yet even after the chaos of Black Friday lies both Small Business Saturday and Cyber Monday. While it’s clear that businesses are after your dollars during the holidays, you should be aware that cybercriminals are on the lookout, too.
When it comes to holiday shopping, you need to be careful that you don’t fall prey to these criminals. Here are some tips to following for your holiday shopping:
Online Shopping Tips
Do not use public Wi-Fi for any shopping activity.
Public Wi-Fi networks can be very dangerous, especially during the holiday season. Public Wi-Fi can potentially grant hackers' access to your usernames, passwords, texts and emails. For instance, before you join a public Wi-Fi titled "Apple Store," make sure you first look around to see if there's actually an Apple Store in your vicinity, and thus, confirm that it is a legitimate network. To help stay secure, you should always be on the lookout for the lock symbol on your webpage.
Look for the lock symbol on websites.
When visiting a website look for the “lock” symbol before entering any personal and/or credit card information. The lock may appear in the URL bar, or elsewhere in your browser. Additionally, check that the URL for the website has “https” in the beginning. These both indicate that the site uses encryption to protect your data.
Know what the product should cost.
If the deal is too good to be true, then it may be a scam. Check out the company on “ResellerRatings.com”. This site allows users to review online companies to share their experiences purchasing from those companies. This will give you an indication of what to expect when purchasing from them.
One-time use credit card numbers.
Many banks are now offering a single use credit card number for online shopping. This one-time number is associated with your account and can be used in place of your credit card number. This way, if the credit card number becomes exposed, it cannot be used again. Check with your credit card company to see if they have this option available.
Keep your computer secure.
When using your computer to do your holiday shopping, remember to keep your Anti-virus software up to date and apply all software patches. Never save usernames, passwords or credit card information in your browser and periodically clear your offline content, cookies and history. You will want to keep your computer as clean as possible for online shopping. The world of online shopping can bring lots of new products to your doorstep and
can prove to be a lot of fun finding that special gift. Just remember to be careful so that you don’t make your data a special gift to cybercriminals.
Always use credit cards for purchases.
Avoid using your ATM or debit card while shopping. If your debit card is compromised, criminals can have direct access to the funds from your bank account. This could cause you to miss bill payments and overdraw your account. When using a credit card, you are not using funds associated with your bank account. This means you are better protected by your credit card company’s fraud protection program. If you pay off the credit card balance
each month, you won’t pay interest and your banking information will be protected.
Don’t leave purchases in the car unattended.
Criminals can be watching and will consider breaking into your car to get the merchandise you just purchased. If you must leave some items in your car, consider leaving them in the trunk or glove compartment rather than in a visible location.
Beware of “porch pirates.”
When shopping online and receiving purchases by mail, make sure you are always tracking your packages. The US Postal Service, FedEX and UPS all have systems to track your packages, and all three utilize tracking numbers that can be used to figure out where your item is and when it should be delivered to your home. However, the only surefire way to thwart porch pirates is to not have packages delivered to your home at all. Consider having your holiday packages delivered to a family member, your workplace, or a trusted neighbor!
Vishing — or “voice phishing” — is phishing via phone call. Vishing scams commonly use Voice over IP (VoIP) technology like we have in state government.
Vishing attacks are sometimes called “social engineering attacks.” While 96% of phishing attacks arrive via email, criminal hackers can also use social media channels to trap you. Regardless of how the attack is delivered, the message will appear to come from a trusted sender.
Like targets of other types of phishing attacks, the victim of a vishing attack will receive a phone call (or a voicemail) from a scammer, pretending to be a trusted person who’s attempting to elicit personal information such as credit card or login details.
We have had a small number of reports of attempts to spoof the STS Customer Care Center with the actual phone number (615) 741-1001.
So how do the hackers pull this off? They use a range of advanced techniques, including:
• Faking caller ID, so it appears that the call is coming from a trusted number
• Using synthetic speech and automated call processes
A vishing scam often starts with an automated message, telling the recipient that he or she is the victim of identity fraud. The message requests that the recipient call a specific number. When doing so, they are asked to disclose personal information. Hackers then may use the information to gain access to other accounts or sell the information on the Dark Web.
How to Identify a Vishing Attack
We can categorize vishing attacks according to the person the attacker is impersonating:
Businesses or charities — Such scam calls may inform you that you have won a prize, present you with you an investment opportunity, or attempt to elicit a charitable donation. If it sounds too good to be true, it probably is.
Banks — Banking phone scams will usually incite alarm by informing you about suspicious activity on your account. Always remember that banks will never ask you to confirm your full card number over the phone.
Government institutions — These calls may claim that you are owed a tax refund or required to pay a fine. They may even threaten legal action if you do not respond.
Tech support — Posing as an IT technician, an attacker may claim your computer is infected with a virus. You may be asked to download software (which will usually be some form of malware or spyware) or allow the attacker to take remote control of your computer.
How to Prevent Vishing Attacks
The key to preventing vishing attacks is security training.
Training can help ensure all employees are familiar with the common signs of phishing and vishing attacks which could reduce the possibility that they will fall victim to such an attack.
But, what do you do if you receive a suspicious message? The first rule is: don’t respond.
If you receive a text requesting that you follow a link, or a phone message requesting that you call a number or divulge personal information — ignore it, at least until you’ve confirmed whether or not it’s legitimate. The message itself can’t cause damage, but acting on it can.
If the message appears to be from a trusted business, search for their phone number and call them directly. For example, if a message appears to be from your phone provider, search for your phone provider’s customer service number and discuss the request directly with the operator.
If you receive a vishing at work or on a work device, make sure you report it to your IT or security team.
Unfortunately, we can’t block these types of call, but we would like to remind you that spoofed calls can come from any familiar number including the Service Desk.
For more info: https://www.fcc.gov/spoofed-robocalls
You are a part of Cyber Security.
Cyber security is how we protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide: confidentiality, integrity, and availability.
Cyber security is achieved through implementing technical, management, and operational controls designed to protect the confidentiality, integrity and availability of information. Your continued investment in participating in this year’s information security training class, will help drive the actions and activities that will help to sustain a culture of cyber security.
- Use the latest version of your virus/spyware software.
- Update your virus/spyware software regularly.
- Scan your computers for virus/spyware on a regular basis
- Think before clicking.
- Use extreme caution before you take action.
- Verify links that may be included in an email.
- Don't open emails from unknown sources.
When accessing websites online or using various online services, you are often asked to create a unique user name and password. A password is a unique identifier of letters and/or numbers which allow a computer user to gain access to a computer and all of its files. In addition, most online activity (such as shopping, participating in an online discussion, or simply signing up to receive a coupon or an electronic newsletter) now requires the selection of a user name and a password.
Secure Passwords
Ideally, a secure password is one which no one else can guess and which is resistant to being hacked. Hacking occurs when one's online information is breached. This leads to the danger of having one's identity, credit card information, and/or money stolen. In order to make your passwords less susceptible to compromise, you should seek to create passwords that avoid dictionary words and use six or more characters with a mix of letters and
numbers and uppercase and lowercase letters to create the strongest password possible. You should also create a new password for each site on which you engage in online commerce. Avoid using the same password for all of your online accounts - and never share these passwords with anyone.
Since users are being asked more and more to think of unique user names and/or passwords, many are resorting to less than creative solutions. For example, many users will choose easy to remember passwords (such as admin, 12345, their own first name or year of birth, or even the word "password") to make this process more manageable. Unfortunately, these solutions are risky as they make one much more susceptible to a computer hacker. Avoid the use of obvious passwords such as your birthday, nickname, mother's maiden name, phone number, or the name of your pet.
Many Internet service providers now offer guidance on strategies to select a password which is less likely to be hacked. These strategies include:
- Choose a long password (12 or more characters) rather than a short one.
- Instead of a single word, use a combination of uppercase and lowercase letters, numbers, and/or symbols.
- Avoid using dictionary words. Use a phrase for a password such as "mydogsnameisfluffy."
- Create a password which is actually an acronym for a phrase that only you would know, such as: "My favorite food is the Chicago style pizza they have at 19 Main Street," which becomes the password: MffitCspth@19MS.
- Take advantage of free password selecting software located via any Internet search engine.
Storing Passwords
Some websites provide the user with an option to allow the computer to remember usernames and/or passwords. Although this is a convenient feature, in general, it is more prudent not to rely on these options. It is recommended that you use the "Delete stored passwords" feature (typically found under "tools" and then "Internet options"), available through most Internet browsers, to increase your password security.
- Avoid opening emails and clicking on links in email messages.
- Don't buy anything from a spammer.
- Don't be tempted to reply.
- Avoid 'unsubscribe' options on spam emails.
What is it?
Disaster recovery plans (DRP) seek to quickly redirect available resources into restoring data and information systems following a disaster. A disaster can be classified as a sudden event, including an accident or natural disaster, that creates wide scoping, detrimental damage. In information management, DRPs are considered a critical subset of an entity's larger business continuity plan (BCP), which seeks to prepare for, prevent, and recover from potential threats affecting an organization. While BCPs address all facets of an organization, DRPs specifically focus on technology. DRPs provide instructions to follow when responding to various disasters, including both cyber and environment-related events. DRPs differ from incident response plans that focus on information gathering and coordinated decision making to understand and address a specific event.
Why does it matter?
When DRPs are properly designed and executed, they enable the efficient recovery of critical systems and help an organization avoid further damage to mission-critical operations. Benefits include minimizing recovery time and possible delays, preventing potential legal liability, improving security, and avoiding potentially damaging last minute decision making during a disaster.
Apart from their specific focus on technology, DRPs and the process for developing them are no different than the range of emergency response protocols and backup plans developed to address potential issues or disruptions. The lessons learned from those exercises are often valuable to DRP development. You develop these plans due to the potential risk impacts during key operational periods.
What you can do?
You should have a comprehensive DRP in place and regularly exercise it to ensure effectiveness. In order to create an effective DRP, we recommend the following:
- Includerelevant stakeholders from the various business units that may be impacted in the planning process.
- Conduct abusiness impact analysis (BIA) to identify and prioritize critical systems.
- Test your DRP.
- Conduct after action reviews to identify what went right, what went wrong, and make improvements.
- Regularly review the DRP to ensure contacts are up to date and procedures are still effective and relevant.
What are they?
A backup is a copy of the system or network’s data for file restoration or archival purposes. Backups are an essential part of a continuity of operations plan as they allow for data protection and recovery.
To successfully backup data, administrators use one of the three backup types: full, differential, and incremental, or a combination of the types. A full backup copies the whole system, or all of the network’s data, every time a backup is completed. A differential backup copies anything that has changed since the previous full backup was completed. Lastly, an incremental backup is a backup of any changes since the last backup, whether that happened to be a full or differential backup.
Full backups are the most complete, allowing for a faster restore process, but are also slower and more expensive to implement. Incremental backups are the fastest and most cost effective to implement because they only include changed information, but restoring the system is slow because it requires reinstalling from many backups to ensure all information is retrieved. For this reason, many administrators perform a combination of backups, creating weekly full backups, supplemented by differential and incremental backups.
Why do they matter?
Backups are necessary due to the constant threat of modification or erasure of data due to accidental deletions; malware and ransomware; natural disasters; or other events. CIS Control 10 advises the creation of processes and
tools to properly back-up critical information with a proven methodology for timely recovery of it. Backups also play a crucial role in expediting the recovery from malicious cyber activity; allowing the restoration of a system to
a reliable state that is free of malware infections and retains the original data. Rebuilding or reimaging an infected system from a known good backup or fresh operating system installation is a common best practice in incident
response.
What can you do?
An effective backup strategy consists of six components: data classification, frequency, encrypted, offline, offsite, and tested. In addition, best practices dictate that any time major system upgrades or changes occur, technical staff should re-evaluate and test the backups.
1. Data Classification – Classifying data by its importance and sensitivity is part of the risk management process
and will help you determine what, and how frequently, that data should be backed up.
2. Frequency – Utilize a risk management process to identify the frequency in which the data should be backed up, based on how much data loss would be acceptable in the event of a catastrophic failure. The amount of data that can be lost (e.g. 24 hours’ worth) should then be used to determine how often data should be backed up. When making this decision, look back to your data classification. Data that is classified as essential should be backed up more often than less important data. Additionally, examine whether you will back up everything every time, or only the newer data that has been added to the system.
3. Encrypted– To ensure data integrity, backups should be encrypted. Having the backup encrypted will safeguard it if someone unauthorized tries to access it.
4. Offline – Storing backups offline is an industry best practice that reduces the risk of malware infecting the copies. Some malware, such as ransomware, will specifically look for backups that are available on the network to hinder the recovery process.
5. Offsite – Decide where and how often the backups will be stored offsite. Industry best practice dictates that backups should be stored offsite to ensure recovery is possible in the event of disasters, such as fire or flooding. Offsite backups could be physical copies or cloud based. The backup location is vital to the recovery process and must be a place where the backups will be secure and quickly accessible. The backup’s accessibility is directly tied to your recovery objective (how fast you need the data restored), which should be taken into consideration.
6. Tested– Testing the backup’s integrity and the ability to successfully restore a system from the backup is essential to a successful restoration. This ensures that, if needed, the backups will be able to restore what has been corrupted or destroyed.