Cyber Sentinel - Episode 006 - Do you buy tickets online? Is your information safe when you do it?
How can spearphishing affect our everyday lives?
So spearphishing's been in the news again. Back with the Mueller Report we talked about it. It's been out again, this time with more details coming out on the Florida voting system compromises. Again, the perpetrators used spearphishing. Spearphishing is targeted email, targeted deceptive email practices. This can affect any company, not just election stuff, any company, so we're gonna talk about this again.

The key here is end user training. There's no way to fully stop spearphishing attacks at the edge of the network. There's no amount of scanning of inbound email, there's no amount of anything like that we can do on the technical side to fully stop spearphishing. It has to be a full-staff effort to be able to identify spearphishing emails, and they're tough. These guys are getting really good at compromising your message traffic, looking through that message traffic and crafting stuff that looks incredibly realistic and looks like it comes from an internal source.

For our clients we do a number of things to help with this. We can put banners on inbound mail so you can tell if a message originated from outside the organization. We also do a ton of end user training. Training can take place in a classroom setting, and it can take place on an online web-based training platform. We recommend using all of the above, and it has to be something that's integrated into your company culture and is something that people get used to as a regular course of business. You know, one of my favorite things around here too is to go and phish those clients, friendly phishing, to make sure that those lessons are being taken to heart and that your staff is learning how to do those; our guys are getting really good at creating these as well. Just to see what kind of learning path your company is on. So make sure that you're focused in on that. Have at least some kind of computer-based training program around phishing, and spearphishing in particular.
And have those controls around financials that use another method other than email to make sure that those transfers of funds are authorized by the correct people.
Is there a way mobile tickets can get hacked?
So it's the end of basketball season and the Atlanta Hawks have been in the news recently; unfortunately, it's for a cyber breach on their website. So the Hawks website was compromised, and what happened was there was some malicious code inserted into the website where you go and purchase your tickets. So the code would record the transactions, all the keystrokes coming from those transactions. So the guys that put that code there then had access to usernames, passwords, any of that information that was keyed in, potentially credit card numbers. They're still doing research on that to figure out how far along that is. This one was discovered by a company that was scanning the internet, looking at website code to see if a particular method was in place that these guys were using to skim that information. It detected it on the Hawks site. Again, they're still researching how long it had been there. If you purchased tickets for the Hawks online at their site, you might wanna watch those credit card statements and make sure you don't have credit card fraud going on with that credit card information being compromised.

As business owners we all gotta be diligent about making sure that our sites aren't compromised in this way. Your web host should be able to provide at least quarterly scans of your site code to make sure that there's nothing like this in place. They can perform delta analysis to make sure that none of that code has changed over time since the last time that your marketing department made changes to that site. But we just wanna make sure that you have a process in place to make sure that your site stays secure. And we wanna make sure that you've got good backup procedures in the event that your website is compromised. You won't be able to restore that thing rapidly to a known good configuration that doesn't have any malware on it. So just keep that in mind when you're buying tickets online: that site could be compromised.
We also go ahead and make sure that you're not compromised yourself.
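The delta analysis mentioned in this answer, as an added example that is not from the show or from any host or scanning vendor it refers to: a Python script that hashes a signed-off copy of the site, compares it with the copy taken at the next scan, and lists any script sources a page picked up since sign-off. The site contents and the domain `static.example.invalid` are constructed samples.

```python
import hashlib
import re

# Constructed sample: the site as signed off after marketing's last change (baseline).
BASELINE_FILES = {
    "index.html": b"<html><body><h1>Tickets</h1></body></html>",
    "checkout.html": b'<html><body><form id="pay"></form>'
                     b'<script src="/js/checkout.js"></script></body></html>',
    "js/checkout.js": b"window.pay = function () { /* legitimate checkout code */ };",
}
# Constructed sample: the same site at the next quarterly scan. One page gained an
# extra script reference and one file appeared that nobody signed off on.
CURRENT_FILES = {
    "index.html": BASELINE_FILES["index.html"],
    "checkout.html": b'<html><body><form id="pay"></form>'
                     b'<script src="/js/checkout.js"></script>'
                     b'<script src="https://static.example.invalid/stats.js"></script>'
                     b'</body></html>',
    "js/checkout.js": BASELINE_FILES["js/checkout.js"],
    "js/stats.js": b"/* file that was not present at sign-off */",
}

SCRIPT_SRC = re.compile(rb'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)

def build_manifest(files):
    """Path -> SHA-256 of content. Store this alongside the release you approved."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def delta(baseline, current):
    """Files added, removed, or whose hash changed since the baseline manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def new_script_sources(baseline_files, current_files, modified):
    """For each modified page, script src values that were not present at sign-off."""
    findings = []
    for path in modified:
        before = set(SCRIPT_SRC.findall(baseline_files[path]))
        after = set(SCRIPT_SRC.findall(current_files[path]))
        findings.extend((path, src.decode()) for src in sorted(after - before))
    return findings

def scan(baseline_files, current_files):
    """Full delta report: manifest differences plus newly introduced script sources."""
    report = delta(build_manifest(baseline_files), build_manifest(current_files))
    report["new_script_sources"] = new_script_sources(baseline_files, current_files, report["modified"])
    return report
```

Running `scan(BASELINE_FILES, CURRENT_FILES)` flags `checkout.html` as modified, `js/stats.js` as added, and the new external script source on the checkout page; any such finding should be traced back to a change request before the site is trusted again.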
What are your insights on account passwords?
So we've got some interesting survey results out of the UK Cyber Security Center. They did a survey over there, and the results are fairly interesting. So what we've got here in 2019: interestingly, there's a large percentage, 37% of respondents, who felt that getting mugged online was pretty much inevitable these days. Most of the population's primary concern is losing money online, and yet over 90% of the population is still buying stuff online, which we're not discouraging. But you gotta take some steps to make sure that you stay secure when you're doing so.

So, interesting numbers here. Using Center and PINs to unlock smartphones and tablets: only 70% of the population over there, of respondents, is doing that. It should be 100%; it's really easy to set up on all the phones. Make sure you've got that set. If you lose your phone and there's no passcode, then somebody's got the keys to your digital world. Make sure you've got those phones locked up. Strong passwords that are separate from other passwords for your main email account: only 55%. Again, you can't keep reusing passwords all over the internet. You gotta have some different passcodes, particularly for privileged information, stuff that's got financial information, your company access codes; you cannot reuse those company access codes on other stuff like social media and your personal stuff. Big no-no there.

We've got only 25% of respondents using two-factor authentication. I think in the coming 12 to 24 months you're gonna see a huge push on two-factor authentication. Two-factor authentication means you have something you own and something you know to unlock access into an account. So you have an app on your phone that you get a number off of to put in in addition to a PIN code; that's a common one. A little RSA token, the random number generators from RSA and other places, those are good. I've got one of those for my eBay account. I've got a little random number generator, so when I log in I gotta put in my username, my password, and my random number off my random number generator. Three pieces of information to log in and make sure that's me. Don't want anybody else in my account.

And then only 14% of respondents are using a password manager. Again, this really needs to be a lot higher percentage. There's some really good ones out there on the market. They're free for home use, for the most part. Most of them have a paid enterprise edition that you can upgrade to. These just make sense with the number of passwords, the number of systems that an average employee has to know at a company, which is somewhere around 50 to 60 passcodes on average. Sounds like a huge number, but when you start thinking about it, it's easy to get there. Having this tool, you have a master passcode that you change frequently, and that's something you can remember. Everything else, store in the password manager. Let the password manager generate hard passwords for all those sites that you can't memorize yourself. And you're gonna be a lot better off. If something gets compromised, you've got one password to change, instead of trying to remember all the places that you used, you know, fluffy7 or whatever your favorite password is across the internet. You're always gonna forget some site, some place that's using that old password. Just to mention, that feedback is from this survey out of the UK National Cyber Security Center.

So that's all we've got for this week's episode of Cyber Sentinel. If you have questions you want us to address, please reach out to us online at #cybersentinel. We'll be sure to get those queued up for a future episode. Thank you very much.