SECURING KEY ACCOUNTS AND DEVICES

03/17/2020
by Simba Chiwanza

That smartphone in your pocket – or your tablet or laptop – contains significant information about you and your friends and family, including contact numbers, photos and locations. Your mobile devices need to be protected. Take the following security precautions and enjoy the conveniences of technology with peace of mind while you are on the go.

Keep a Clean Machine

  • Keep security software current on all devices that connect to the internet: Having the most up-to-date mobile security software, web browser, operating system and apps is the best defense against viruses, malware and other online threats.
  • Delete when done: Many of us download apps for specific purposes, such as planning vacations, and no longer need them afterwards, or we may have previously downloaded apps that are longer useful or interesting to us. It’s a good security practice to delete all apps you no longer use.

Protect Your Personal Information

  • Secure your devices: Use strong passphrases, passcodes or other features such as touch identification to lock your devices. Securing your device can help protect your information if your device is lost or stolen and keep prying eyes out.
  • Personal information is like money – Value it. Protect it.: Information about you, such as the games you like to play, what you search for online and where you shop and live, has value – just like money. Be thoughtful about who gets that information and how it’s collected through apps and websites.
  • Own your online presence: Use security and privacy settings on websites and apps to manage what is shared about you and who sees it.
  • Now you see me, now you don’t: Some stores and other locations look for devices with WiFi or Bluetooth turned on to track your movements while you are within range. Disable WiFi and Bluetooth when not in use.

Connect with Care

  • Get savvy about WiFi hotspots: Public wireless networks and hotspots are not secure, which means that anyone could potentially see what you are doing on your laptop or smartphone while you are connected to them. Limit what you do on public WiFi, and avoid logging in to key accounts like email and financial services. Consider using a virtual private network (VPN) or a personal/mobile hotspot if you need a more secure connection.
  • When in doubt, don’t respond: Fraudulent text messages, calls and voicemails are on the rise. Just as with email, mobile requests for personal data or immediate action are almost always scams.


Original Author: Stay Safe Online

Click here to follow the original link

8 Mobile Security Tips to Keep Your Device Safe

03/17/2020
by Simba Chiwanza

It’s no secret that the technology we use can make us a target for viruses and cyber attacks if not secured properly. When it comes to mobile device use, there is no manual that comes with a phone to teach the user mobile security. In addition, threats are always evolving and adjusting based on our habits. Here are 8 tips to help you keep your devices saffe:

1) Keep Your Phone Locked

One potential threat is getting your device is stolen, which could give the thief complete access to your personal information. To prevent this, be sure to have a lock on your screen. Whether this is a passcode, pattern, fingerprint or face recognition is up to you and your device’s capabilities.

When enabling a lock screen you’ll have the option to choose how long the phone can be idle before locking. Be sure to choose the shortest amount of time. This will protect you, by automatically enacting the lock screen even if you forget to lock it yourself. It will also save your battery because the screen will go dark after the set amount of time.

2) Set Secure Passwords

Setting strong passwords on your apps will make it harder for a hacker to guess them. It’s also suggested to set a different password for each app. This way if one password is discovered, the hacker won’t have access to all your information.

Not only are personal devices a concern, but professional devices are at risk as well. According to the Verizon Mobile Security Index 2018 Report, only 39% of mobile device users in enterprises change all default passwords and only 38% use strong two-factor authentication on their mobile devices. Having weak passwords can put an entire organization at risk.

3) Keep Your Device’s OS Up-To-Date

Mobile phone operating system updates are intended to improve your experience. This could entail anything from performance to security. Although they happen frequently and users tend to click through quickly or ask the device to remind them in the future, it’s important to stay up to date with these. These updates can protect both iOS and Android devices from newly discovered threats. To check if your phone’s OS is up to date, go to “about phone” or “general” and click “system updates” or “software update.”

4) Connect to Secure Wifi

The beauty of mobile devices is that we can access the internet anywhere and everywhere we go. One of the first things we do at a restaurant or friend’s house is search for wifi. While free wifi can save us on data, it’s important to be wary of unsecured networks.

To stay safe while using public wifi, be sure to connect to a virtual private network or VPN. Check out a VPN for Android, which allows you to enjoy secure Wi-Fi connection even on public networks. Changing your virtual network will protect your location and keep your information from prying eyes.

5) Beware of Downloads

When you are downloading apps, be sure to download them from the official app stores and check reviews. Cybercriminals create rogue mobile apps that mimic trusted brands in order to obtain users’ confidential information. To avoid this trap, be sure to look at the number of reviews, last update and contact information of the organization.

6) Don’t Jailbreak or Root Your Phone

Jailbreaking or rooting your phone is when you unlock your phone and remove the safeguard the manufacturers have put in place so you can access anything you want. It may be tempting to jailbreak or root your phone to access app stores other than the official ones, but this puts you at high risk. The apps on these illegitimate stores have not been vetted and can easily hack into your phone and steal your information.

7) Encrypt Your Data

Your smartphone holds a lot of data. If it’s lost or stolen, your emails, contacts, financial information and more can be at risk. To protect your mobile phone data, you can make sure the data in encrypted. Encrypted data is stored in an unreadable form so it can’t be understood.

Most phones have encryption settings you can enable in the security menu. To check if your iOS device is encrypted, go to the settings menu and then click on “Touch ID & Passcode.” It will prompt you to enter your lock screen code. Then scroll to the bottom of the page where it should say “Data Protection is enabled.”

To encrypt an Android, you must first be sure your device is 80% charged, and unroot your phone before continuing. Once these things are done, go to “Security” and choose “Encrypt Phone.” If you don’t charge your device, unroot it or interrupt the encryption process, you may lose all your data. Encryption can take an hour or more.

8) Install Anti-Virus Software

You’ve probably heard of anti-virus programs for laptops or desktop computers, but your handheld computers can benefit from them, too. These programs can protect against viruses and hacking attempts. Some softwares have a VPN features included as an added bonus.

Smartphones are pocket-sized computers that can hold all your important data and personal information. Keeping these mobile security tips in mind will help you protect your device.


Original Author: Panda Security

Click here to follow the original link

How to help protect against 5 types of phishing scams

03/17/2020
by Simba Chiwanza

A phishing scam is a type of fraud that can come in many different forms. These scams not only employ various online techniques such as fake emails and pop-up ads but can also include phone calls. The people behind these scams often use fear tactics in order to get their victims to take the bait.

Phishing is essentially an online con game, and phishers are nothing more than tech-savvy con artists and identity thieves. They use spam, malicious websites, email messages, and instant messages to trick people into divulging sensitive information. Banking information, credit card accounts, usernames, and passwords are just some of the information phishers seek to exploit.

5 common phishing scams, and how to protect yourself from them

Since phishing scams are designed to appear as if they come from reliable sources, it is smart to know the difference between real and fraudulent messages and how to spot some of the clues that a message may be a scam. Here is a list of five common phishing scams and ways to help protect yourself against falling for them.

1. Email phishing scams

An email phishing scam is a fraudulent email message that appears to be from a person or company known to the victim. It attempts to illegally gather personal and/or financial information from the recipient.

A phishing message typically includes at least one link to a fake website, designed to mimic the site of a legitimate business. The message entices the recipient to provide information that could be used for identity theft or online financial theft.

How to help protect yourself against email phishing scams:

  • Do not click any links or download any attachments in the suspicious email. Instead, open up your web browser and go to the website in question by typing it into the URL bar.
  • Be vigilant and pay attention. Phishers have been known to use real company logos to make their communications seem legitimate. They also use spoofed email addresses, which are similar to the actual company’s address. However, the address may be misspelled slightly or come from a spoofed domain.

2. Vishing scams

Vishing (voice or VoIP phishing) is the voice version of email phishing. “V” stands for voice, but otherwise, the scam attempt is the same. It is a phone scam in which individuals are tricked or scared into handing over valuable financial or personal information to scammers.

How to help protect yourself against vishing scams:

  • Never give personal information over the phone. Hang up, look for the number of the company on their website, and call them directly to make sure it was a legitimate call and request. 
  • Never call the number the caller provides. When looking up the company website, make sure it is legitimate. Fake websites often contain misspellings and other telltale signs.

3. Tech support cold call scams

Tech support cold calls are when a scammer calls a potential victim claiming to be from a reputable security company. They lie and say they found malware on the victim’s computer.

The criminal pretends to offer a solution by getting the user to install a type of remote desktop software. This allows the attacker access to the computer in order to install real malware. In addition to attempting to install malware on the machine, these scammers will often ask for a fee to “fix” the issue.

How to help protect yourself against tech support call scams:

  • If a person calls claiming to work for a specific, well-known company, look up the phone number online and tell them you will call them back.
  • Never allow remote access to your computer.

4. Pop-up warning scams

Pop-ups occur when someone is browsing the internet and sees a small graphic or ad appear on their screen. Usually, pop-ups are related to the content being viewed and link to another website with similar content or merchandise related to the content.

Malicious pop-ups can be terribly intrusive, making it difficult for the user to close the pop-up window. These pop-ups may display a message stating that the computer is infected with malware and offer a phone number for help with removing the malware. Often, the cybercriminals make pop-ups look like they come from a trusted source, such as our own Norton products, in hopes of appearing to be legitimate.

How to help protect yourself against pop-up scams:

  • Examine the message closely. Look for obvious signs of fraud such as poor spelling, unprofessional imagery, and bad grammar.
  • Remember, when in doubt, never click on the pop-up. Instead, open up your antivirus software and run a system scan.
  • Norton pop-ups will only appear within the interface of the Norton Security Dashboard, and never from a web browser or other program. In addition, Norton customer support will never send users unsolicited pop-ups stating that they will fix a user’s computer if given remote access.

5. Fake search results scams

Fraudulent companies frequently use paid search ads for their “support services” as if they were legitimate, well-known companies. These paid listings can appear at the top of a search results page, a prime location. These results, which can look like the real thing, can promise support offers that seem too good to be true in hopes of luring in a victim, whose top concern is to fix their computer. Unfortunately, when you click on the ad, malware may begin to download to your device, compromising the security of your information and adding to your computer woes.

How to help protect yourself against fake search results scams

  • Examine the URL closely. Creators of fake websites will sometimes try something called typo squatting, where they register a domain name that looks similar to the URL of the legitimate site they’re duplicating.
  • Use a secure search service, such as Norton Safe Search, to know if the site you’re about to visit is safe.

What to do if you’ve been scammed

If you think you’ve been the victim of a phishing scam:

  • Change your passwords. Your computer, financial institutions, your Norton Account, and any other password-protected websites that you visit should be updated.
  • Run a Full System Scan for viruses on your computer.
  • Contact your bank to report that you may have been the victim of fraud.


Original Author: NortonLifeLock Employee

Click here to follow the original link

Phishing attacks

03/17/2020
by Simba Chiwanza

What is a phishing attack

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.

An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identify theft.

Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.

An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.

Phishing attack examples

The following illustrates a common phishing scam attempt:

  • A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many faculty members as possible.
  • The email claims that the user’s password is about to expire. Instructions are given to go to myuniversity.edu/renewal to renew their password within 24 hours.

Phishing attack example - Phishing email

Several things can occur by clicking the link. For example:

  • The user is redirected to myuniversity.edurenewal.com, a bogus page appearing exactly like the real renewal page, where both new and existing passwords are requested. The attacker, monitoring the page, hijacks the original password to gain access to secured areas on the university network.
  • The user is sent to the actual password renewal page. However, while being redirected, a malicious script activates in the background to hijack the user’s session cookie. This results in a reflected XSS attack, giving the perpetrator privileged access to the university network.

Phishing techniques

Email phishing scams

Email phishing is a numbers game. An attacker sending out thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients fall for the scam. As seen above, there are some techniques attackers use to increase their success rates.

For one, they will go to great lengths in designing phishing messages to mimic actual emails from a spoofed organization. Using the same phrasing, typefaces, logos, and signatures makes the messages appear legitimate.

In addition, attackers will usually try to push users into action by creating a sense of urgency. For example, as previously shown, an email could threaten account expiration and place the recipient on a timer. Applying such pressure causes the user to be less diligent and more prone to error.

Lastly, links inside messages resemble their legitimate counterparts, but typically have a misspelled domain name or extra subdomains. In the above example, the myuniversity.edu/renewal URL was changed to myuniversity.edurenewal.com. Similarities between the two addresses offer the impression of a secure link, making the recipient less aware that an attack is taking place.

Phishing techniques - Phishing link example

Spear phishing

Spear phishing targets a specific person or enterprise, as opposed to random application users. It’s a more in-depth version of phishing that requires special knowledge about an organization, including its power structure.

An attack might play out as follows:

  1. A perpetrator researches names of employees within an organization’s marketing department and gains access to the latest project invoices.
  2. Posing as the marketing director, the attacker emails a departmental project manager (PM) using a subject line that reads, Updated invoice for Q3 campaigns. The text, style, and included logo duplicate the organization’s standard email template.
  3. A link in the email redirects to a password-protected internal document, which is in actuality a spoofed version of a stolen invoice.
  4. The PM is requested to log in to view the document. The attacker steals his credentials, gaining full access to sensitive areas within the organization’s network.

By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of an APT.

How to prevent phishing

Phishing attack protection requires steps be taken by both users and enterprises.

For users, vigilance is key. A spoofed message often contains subtle mistakes that expose its true identity. These can include spelling mistakes or changes to domain names, as seen in the earlier URL example. Users should also stop and think about why they’re even receiving such an email.

For enterprises, a number of steps can be taken to mitigate both phishing and spear phishing attacks:

  • Two-factor authentication (2FA) is the most effective method for countering phishing attacks, as it adds an extra verification layer when logging in to sensitive applications. 2FA relies on users having two things: something they know, such as a password and user name, and something they have, such as their smartphones. Even when employees are compromised, 2FA prevents the use of their compromised credentials, since these alone are insufficient to gain entry.
  • In addition to using 2FA, organizations should enforce strict password management policies. For example, employees should be required to frequently change their passwords and to not be allowed to reuse a password for multiple applications.
  • Educational campaigns can also help diminish the threat of phishing attacks by enforcing secure practices, such as not clicking on external email links.


Original Author: Imperva

Click here to follow the original link

What is Phishing?

03/17/2020
by Simba Chiwanza

Phishing Defined

Phishing is the fraudulent use of electronic communications to deceive and take advantage of users. Phishing attacks attempt to gain sensitive, confidential information such as usernames, passwords, credit card information, network credentials, and more. By posing as a legitimate individual or institution via phone or email, cyber attackers use social engineering to manipulate victims into performing specific actions—like clicking on a malicious link or attachment—or willfully divulging confidential information.

Both individuals and organizations are at risk; almost any kind of personal or organizational data can be valuable, whether it be to commit fraud or access an organization’s network. In addition, some phishing scams can target organizational data in order to support espionage efforts or state-backed spying on opposition groups.

Phishing Methods

Phishing attempts most often begin with an email attempting to obtain sensitive information through some user interaction, such as clicking on a malicious link or downloading an infected attachment.

  • Through link manipulation, an email may present with links that spoof legitimate URLs; manipulated links may feature subtle misspellings or use of a subdomain.
  • Phishing scams may use website forgery, which employs JavaScript commands to make a website URL look legitimate.
  • Using covert redirection, attackers can corrupt legitimate websites with malicious pop-up dialogue boxes that redirect users to a phishing website.
  • Infected attachments, such as .exe files, Microsoft Office files, and PDF documents can install ransomware or other malware.

Phishing scams can also employ phone calls, text messages, and social media tools to trick victims into providing sensitive information.

Types of Phishing Attacks

Some specific types of phishing scams use more targeted methods to attack certain individuals or organizations.  

Spear Fishing

Spear phishing email messages won’t look as random as more general phishing attempts. Attackers will often gather information about their targets to fill emails with more authentic context. Some attackers even hijack business email communications and create highly customized messages.

Clone Phishing

Attackers are able to view legitimate, previously delivered email messages, make a nearly identical copy of it—or “clone”—and then change an attachment or link to something malicious.

Whaling

Whaling specifically targets high profile and/or senior executives in an organization. The content of a whaling attempt will often present as a legal communication or other high-level executive business.  

How to Prevent Phishing Attacks

Organizations should educate employees to prevent phishing attacks, particularly how to recognize suspicious emails, links, and attachments. Cyber attackers are always refining their techniques, so continued education is imperative.

Some tell-tale signs of a phishing email include:

  • ‘Too good to be true’ offers
  • Unusual sender
  • Poor spelling and grammar
  • Threats of account shutdown, etc., particularly conveying a sense of urgency
  • Links, especially when the destination URL is different than it appears in the email content
  • Unexpected attachments, especially .exe files

Additional technical security measures can include:

  • Two Factor Authentication incorporating two methods of identity confirmation—something you know (i.e., password) and something you have (i.e., smartphone)
  • Email filters that use machine learning and natural language processing to flag high-risk email messages. DMARC protocol can also prevent against email spoofing.
  • Augmented password logins using personal images, identity cues, security skins, etc.


Original Author: Forcepoint

Click here to follow the original link

South African National Cybersecurity Awareness - Phishing

03/17/2020
by Simba Chiwanza

Phishing

Phishing is a method of deceitfully obtaining personal information such as passwords, identity numbers, credit card details and sometimes, indirectly, money. Essentially, it is an online con game, and phishers are nothing more than tech-savvy con artists and identity thieves. Phisher might call you or send e-mails that appear to be from trusted sources such as banks, other financial institutions or legitimate companies. If they used emails, such may direct you to click on a link to a website where you are asked to update your personal information such as passwords, credit card details, social security number or bank account number. This fake website is specifically designed for information theft. One of the most common forms of Phishing is “Spear Phishing”, which is a more targeted version of Phishing where an e-mail is sent to a targeted individual. Spear Phishing often has a high success rate as it bypasses traditional security defences and exploits vulnerable software. Spam, fake websites and other techniques are used to trick people into divulging sensitive information, such as bank and credit card account details. Once they have captured enough victims' information, they either use the stolen information themselves to defraud the victims (e.g., by opening up new accounts using the victim's name or draining the victim's bank accounts) or they sell it on the black market for a profit.


How to spot a phishing attack:

Generic greeting – Phishing emails are usually sent in large batches. Phishers use generic names like "First Generic Bank Customer”. If you do not see your name, be suspicious. Forged links – Even if a link has a name you recognise somewhere in it, it does not mean it links to the real website. Roll your mouse over the link and see if it matches what appears in the email. If it does not match, do not click on it. Requests personal information – The point of sending phishing email is to trick you into providing your personal information. If you receive an email requesting your personal information, it is probably a phishing attempt. Sense of urgency – Cybercriminals wants you to provide your personal information now.

Recommendations:

The most effective defence against phishing attacks is prevention. To prevent, or at least cut down, on phishing attacks, you must: Avoid providing personal identifiable information to strangers or unknown websites, replying to unknown numbers, etc. Always type in the full URL of the website. Do not follow links from another website. Send request to hosting company to take down the fraudulent website. Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future. Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organisation, try to verify his or her identity directly with the company. Do not provide personal information or information about your organisation, including its structure or networks, unless you are certain of a person's authority to have the information. Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in emails. Don't send sensitive information over the Internet before checking a website's security. Pay attention to the URL of a website. Malicious websites may look identical to a legitimate website, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Never use contact information provided on a website connected to the request; instead, check previous statements for contact information. Install and maintain antivirus software, firewalls, and email filters to reduce some of this traffic. Take advantage of any anti-phishing features offered by your email client and web browser. Consider reporting the attack to the police, and file a report with the Cybersecurity Hub Phishing Department


Original Author: South African National Cybersecurity Awareness Portal

Click here to follow the original link

Cyber security: making the most of passwords

03/17/2020
by Simba Chiwanza

This article looks specifically at how individual users and businesses can use passwords to improve their cyber security.

Passwords, when used correctly, are an extremely simple and effective way to protect data and IT systems from unauthorised access.  However, many individuals continue to use passwords in a way which exposes them to risk, and IT policies do not always encourage better user behaviour.

This article summarises some simple ideas for individuals and businesses to improve their use of passwords and prevent them being cracked.

How are passwords cracked?

There are a number of methods criminals can employ to crack passwords, including:

  • Intercepting them as they are transmitted over the network.
  • Brute force - automated guessing of millions of passwords.
  • Physically stealing them, for example when they are written down close to a device.
  • Searching IT infrastructure for stored password information.
  • Manual guessing based on easily accessible personal information (e.g. name, date of birth).
  • Shoulder surfing – observing people typing in their passwords in public places.
  • Social engineering – tricking people into handing over passwords.
  • Key-logging malware which records passwords as they are entered.

These methods help to highlight some basic precautions which users can take to protect themselves. 

How can individuals prevent their passwords being cracked?

A key recommendation is to use a strong, non-predictable password.  What makes a good password (and what doesn’t) is discussed further below.

It is also important not to use the same password for everything.  Different websites have different levels of security - if you use the same password all the time then a criminal could crack this on a low security site and use to access important information on higher security sites. 

On average, users use the same password across four different sites.  Ideally, you should have a different password for every site and system you access.  However, it can be difficult to remember that many passwords in practice. 

As a minimum you should use a different password for the most sensitive sites you visit – such as email, online banking, and any other sites that hold confidential or financial information.  Alternatively, you could set up a system for passwords, for example using a core password which is complex and then adding letters or numbers to this relevant to the website name. 

Other recommendations for individuals include:

  • Using two factor authentication where possible.  This requires two different methods to prove identity before you can use a service – for example a password and a unique code sent to a mobile number.  Many online banking services already use this, and HMRC are rolling it out across their online services (see here for more information).
  • Be wary of public wi-fi, and do not use it to log onto secure sites.
  • Never log onto secure sites through following a link in an email: this is a common phishing scam.
  • Only use remember password facilities on personal computers where you trust any other users.
  • Look for https:// or a small password symbol at the beginning of a website’s URL - this indicates the site is using a secure link.
  • Don’t enter passwords where someone may be able to see you typing.
  • Never send passwords by email.
  • Never share passwords, or leave them written down next to your computer or in an easily found place.
  • Don’t re-use passwords after giving them a break.

What makes a good password?

The main thing is to avoid using predictable passwords.  Passwords should be easy to remember, but hard for somebody else to guess.  The National Cyber Security Centre (NCSC) recommends that a good rule is to make sure that somebody who knows you well couldn’t guess your password in 20 attempts.

Passwords that are easily cracked tend to include:

  • Your actual or user name.
  • Place names
  • Family members’ or pets’ names / birthdays.
  • Single dictionary words
  • Personal information such as your date or place of birth.
  • Favourite sports teams or other things relevant to your interests.
  • Numerical or keyboard sequences (e.g. qwerty, 12345).

The most common passwords include 123456, password, 12345678, qwerty, 12345 and football.

Strong passwords will:

  • Be at least 8 characters long.
  • Use a combination of upper and lower case letters, symbols and numbers.  Substituting letters for numbers (e.g. 3 for E or 1 for I) is however a well-known practice and should be avoided.

Very long and complex passwords are often viewed as being the strongest, but this is often not the case in practice.  Such passwords are hard to remember and this can lead to people using coping mechanisms (such as writing passwords down or using the same password multiple times) which, ironically, make them more vulnerable to cyber criminals.

The NCSC, in conjunction with Cyber Aware, advise that an easy way to create a secure password is to use three random words – for example coffeetrainfish or walltinshirt.  The words you pick can be memorable, but shouldn’t be easy to guess (i.e. onetwothree) or too personal (e.g. pet names, childrens’ names).

How can businesses support staff users?

It is important for businesses to ensure that their staff use passwords effectively to protect IT systems and data.

However, you need to be careful that IT policies do not lead to users having password overload.  The average UK citizen has 22 online passwords which they need to remember, so enforcing passwords where they are not needed should be avoided. 

Businesses can also help their staff cope by:

  • Using technology to reduce the number of passwords they need to remember: for less important accounts password managers can be used (tools which create and store passwords for you, accessed via a master password).
  • Allowing users to securely record and store their passwords – for example written down passwords could be kept in a secure cabinet or safe. 
  • Only asking users to change their passwords where there is an indication or suspicion they have been compromised.
  • Allowing users to reset passwords easily, including when they are out of the office.

The NCSC no longer recommends requiring users to change passwords frequently, or requiring them to have several different complex passwords.  The cost of forcing users to regularly change passwords outweighs any protection it may give –  staff often end up using weaker passwords as a result, making only minor changes to previous passwords or having to ask for a password reset more frequently.  Instead, the NCSC recommend asking staff to concentrate on:

  • Making sure passwords aren’t easy to guess.
  • Storing passwords securely.
  • Reporting unrecognised logins or suspicious activity.
  • Changing passwords where compromise is evident or suspected.

Other measures which businesses can take to increase security include:

  • Steering users away from predictable passwords and banning the most common.
  • Encouraging users not to use the same passwords at home and at work.
  • Changing all default vendor supplied passwords before giving devices to staff.
  • Monitoring failed login attempts.
  • Putting in place account-lockout, throttling or monitoring to counteract brute force attacks.
  • Ensuring IT systems do not require staff to share accounts or passwords: every user should have personal access to the systems they need to get the job done (and nothing beyond this).


Original Author: ATT

Click here to follow the original link

What Is A Password Manager In Cyber Security?

03/17/2020
by Simba Chiwanza
There are countless articles and tips on how to create the perfect password. So what's best practice really?

Research shows that poor password practices account for 63% of data breaches. A password management servicer is a third party solution that helps organizations mitigate this risk by creating a secure, master password for users throughout a network.

THE IMPORTANCE OF PROPER PASSWORD PRACTICES

The 2016 Verizon DBIR report stated that 63% of data breaches were caused by poor password practices. Nearly 75% of online users depend on a single password across all their accounts. Stealing a user’s credentials is the easiest way for hackers to open the doors to your network, and poor password practices can put savvy attackers one move away from doing just that.

 

ARE YOUR PASSWORDS PUTTING YOUR ORGANIZATION IN THIS PREDICAMENT?

You and your other users may think it’s clever to use a loved one’s birthday or other personal information as a password. But in reality, these passwords can be easily guessed and stolen. Meanwhile, we all know how frustrating it is to constantly create and remember new passwords, and how difficult it is to compel your team to do this when they’re busy handling other key responsibilities. 

There are countless articles and tips on how to create the perfect password. But rather than giving this crucial task to each individual user, implement a password manager that does the heavy lifting for you.

 

WHAT DOES A PASSWORD MANAGER DO?

A password manager is a third party that creates a master password for users throughout your network. Once users are in the system, they receive personalized access as determined by administrators and the password manager. Using a password manager mitigates the risk of your users trying to keep track of multiple passwords, or creating passwords that will be easily stolen. Password managers enable users to exchange the time spent entering, recalling or changing multiple passwords for a password they can trust.

Unique passwords are stored based on the policy of the password manager—important information to know when choosing which is best for you. However, it’s common for password managers to store this information in a database or in a cloud that can only be accessed by top administrators.

 

WHAT IS USING A PASSWORD MANAGEMENT SERVICE LIKE FOR YOUR TEAM?

In the nascent stages of password management, all current passwords are entered into the system. If, for example, a user has created a password for his email, that password is stored in the password management system. The next time the user logs into his email, he simply enters the master password, and the password manager automatically pulls up and enters the original email password. When users need to create a new password, they simply use the master password, which in turn automatically generates a unique password that cannot be “guessed” by hackers. Users can enter the master password on their smartphones, home devices or on the go—a major perk for today’s increasingly global workforce. This process can be even simpler if your password manager is installed as a browser plug-in.

Administrators do not have to be tech-savvy in order to use and make changes to the password manager. Most interfaces have been designed to be user-friendly, and customer service representatives can guide administrators through changing master passwords or restricting information.

 

MORE CYBER SECURITY ADVANTAGES OF PASSWORD MANAGEMENT SERVICE

But password creation isn’t all that a password manager does. It’s only the beginning. A password manager can also help your organization:

  • Automatically update data across the network
  • Control distribution of password and information sharing
  • Require that passwords are created according to best practices (passphrases, complex passwords, etc.)
  • Identify current passwords that are too similar or too simple
  • Alert users of compromised websites or accounts—and change passwords within minutes
  • Provide optional two-factor authentication for added security
  • Store important information and documents such as credit card numbers, software licenses and photos

A password manager minimizes the time and effort of keeping your network safe. If you’re not using a password manager yet, it’s time to explore how this tool can help your users access all the information they need to be productive—without the hassle or responsibility of remembering and creating multiple hacker-proof passwords.


Original Author: OBT

Click here to follow the original link

What is social engineering

03/17/2020
by Simba Chiwanza

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended victim to gather necessary background information, such as potential points of entry and weak security protocols, needed to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.

What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, making them harder to identify and thwart than a malware-based intrusion.

Social engineering attack techniques

Social engineering attacks come in many different forms and can be performed anywhere where human interaction is involved. The following are the five most common forms of digital social engineering assaults.

Baiting

As its name implies, baiting attacks use a false promise to pique a victim’s greed or curiosity. They lure users into a trap that steals their personal information or inflicts their systems with malware.

The most reviled form of baiting uses physical media to disperse malware. For example, attackers leave the bait—typically malware-infected flash drives—in conspicuous areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has an authentic look to it, such as a label presenting it as the company’s payroll list.

Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic malware installation on the system.

Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of baiting consist of enticing ads that lead to malicious sites or that encourage users to download a malware-infected application.

Scareware

Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived to think their system is infected with malware, prompting them to install software that has no real benefit (other than for the perpetrator) or is malware itself. Scareware is also referred to as deception software, rogue scanner software and fraudware.

A common scareware example is the legitimate-looking popup banners appearing in your browser while surfing the web, displaying such text such as, “Your computer may be infected with harmful spyware programs.” It either offers to install the tool (often malware-infected) for you, or will direct you to a malicious site where your computer becomes infected.

Scareware is also distributed via spam email that doles out bogus warnings, or makes offers for users to buy worthless/harmful services.

Pretexting

Here an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator pretending to need sensitive information from a victim so as to perform a critical task.

The attacker usually starts by establishing trust with their victim by impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know authority. The pretexter asks questions that are ostensibly required to confirm the victim’s identity, through which they gather important personal data.

All sorts of pertinent information and records is gathered using this scam, such as social security numbers, personal addresses and phone numbers, phone records, staff vacation dates, bank records and even security information related to a physical plant.

Phishing

As one of the most popular social engineering attack types, phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. It then prods them into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.

An example is an email sent to users of an online service that alerts them of a policy violation requiring immediate action on their part, such as a required password change. It includes a link to an illegitimate website—nearly identical in appearance to its legitimate version—prompting the unsuspecting user to enter their current credentials and new password. Upon form submittal the information is sent to the attacker.

Given that identical, or near-identical, messages are sent to all users in phishing campaigns, detecting and blocking them are much easier for mail servers having access to threat sharing platforms.

Spear phishing

This is a more targeted version of the phishing scam whereby an attacker chooses specific individuals or enterprises. They then tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous. Spear phishing requires much more effort on behalf of the perpetrator and may take weeks and months to pull off. They’re much harder to detect and have better success rates if done skillfully.

A spear phishing scenario might involve an attacker who, in impersonating an organization’s IT consultant, sends an email to one or more employees. It’s worded and signed exactly as the consultant normally does, thereby deceiving recipients into thinking it’s an authentic message. The message prompts recipients to change their password and provides them with a link that redirects them to a malicious page where the attacker now captures their credentials.

Social engineering prevention

Social engineers manipulate human feelings, such as curiosity or fear, to carry out schemes and draw victims into their traps. Therefore, be wary whenever you feel alarmed by an email, attracted to an offer displayed on a website, or when you come across stray digital media lying about. Being alert can help you protect yourself against most social engineering attacks taking place in the digital realm.

Moreover, the following tips can help improve your vigilance in relation to social engineering hacks.

  • Don’t open emails and attachments from suspicious sources – If you don’t know the sender in question, you don’t need to answer an email. Even if you do know them and are suspicious about their message, cross-check and confirm the news from other sources, such as via telephone or directly from a service provider’s site. Remember that email addresses are spoofed all of the time; even an email purportedly coming from a trusted source may have actually been initiated by an attacker.
  • Use multifactor authentication – One of the most valuable pieces of information attackers seek are user credentials. Using multifactor authentication helps ensure your account’s protection in the event of system compromise. 
  • Be wary of tempting offers – If an offer sounds too enticing, think twice before accepting it as fact. Googling the topic can help you quickly determine whether you’re dealing with a legitimate offer or a trap.
  • Keep your antivirus/antimalware software updated – Make sure automatic updates are engaged, or make it a habit to download the latest signatures first thing each day. Periodically check to make sure that the updates have been applied, and scan your system for possible infections.


What is Social Engineering?

03/17/2020
by Simba Chiwanza

Examples & Prevention Tips

Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software–that will give them access to your passwords and bank information as well as giving them control over your computer.

Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software.  For example, it is much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is really weak).

Security is all about knowing who and what to trust. It is important to know when and when not to take a person at their word and when the person you are communicating with is who they say they are. The same is true of online interactions and website usage: when do you trust that the website you are using is legitimate or is safe to provide your information?

Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. It doesn’t matter how many locks and deadbolts are on your doors and windows, or if have guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel; if you trust the person at the gate who says he is the pizza delivery guy and you let him in without first checking to see if he is legitimate you are completely exposed to whatever risk he represents.

What Does a Social Engineering Attack Look Like?

Email from a friend

If a criminal manages to hack or socially engineer one person’s email password they have access to that person’s contact list–and because most people use one password everywhere, they probably have access to that person’s social networking contacts as well.

Once the criminal has that email account under their control, they send emails to all the person’s contacts or leave messages on all their friend’s social pages, and possibly on the pages of the person’s friend’s friends.

Taking advantage of your trust and curiosity, these messages will:

  • Contain a link that you just have to check out–and because the link comes from a friend and you’re curious, you’ll trust the link and click–and be infected with malware so the criminal can take over your machine and collect your contacts info and deceive them just like you were deceived
  • Contain a download of pictures, music, movie, document, etc., that has malicious software embedded. If you download–which you are likely to do since you think it is from your friend–you become infected. Now, the criminal has access to your machine, email account, social network accounts and contacts, and the attack spreads to everyone you know. And on, and on.

Email from another trusted source

Phishing attacks are a subset of social engineering strategy that imitate a trusted source and concoct a seemingly logical scenario for handing over login credentials or other sensitive personal data. According to Webroot data, financial institutions represent the vast majority of impersonated companies and, according to Verizon's annual Data Breach Investigations Report, social engineering attacks including phishing and pretexting (see below) are responsible for 93% of successful data breaches.

Using a compelling story or pretext, these messages may:

  • Urgently ask for your help. Your ’friend’ is stuck in country X, has been robbed, beaten, and is in the hospital. They need you to send money so they can get home and they tell you how to send the money to the criminal.
  • Use phishing attempts with a legitimate-seeming background. Typically, a phisher sends an e-mail, IM, comment, or text message that appears to come from a legitimate, popular company, bank, school, or institution.
  • Ask you to donate to their charitable fundraiser, or some other cause. Likely with instructions on how to send the money to the criminal. Preying on kindness and generosity, these phishers ask for aid or support for whatever disaster, political campaign, or charity is momentarily top-of-mind.
  • Present a problem that requires you to "verify" your information by clicking on the displayed link and providing information in their form. The link location may look very legitimate with all the right logos, and content (in fact, the criminals may have copied the exact format and content of the legitimate site). Because everything looks legitimate, you trust the email and the phony site and provide whatever information the crook is asking for. These types of phishing scams often include a warning of what will happen if you fail to act soon because criminals know that if they can get you to act before you think, you’re more likely to fall for their phishing attempt.
  • Notify you that you’re a ’winner.’ Maybe the email claims to be from a lottery, or a dead relative, or the millionth person to click on their site, etc. In order to give you your ’winnings’ you have to provide information about your bank routing so they know how to send it to you or give your address and phone number so they can send the prize, and you may also be asked to prove who you are often including your social security number. These are the ’greed phishes’ where even if the story pretext is thin, people want what is offered and fall for it by giving away their information, then having their bank account emptied, and identity stolen.
  • Pose as a boss or coworker. It may ask for an update on an important, proprietary project your company is currently working on, for payment information pertaining to a company credit card, or some other inquiry masquerading as day-to-day business. 

Baiting scenarios 

These social engineering schemes know that if you dangle something people want, many people will take the bait. These schemes are often found on Peer-to-Peer sites offering a download of something like a hot new movie, or music. But the schemes are also found on social networking sites, malicious websites you find through search results, and so on.

Or, the scheme may show up as an amazingly great deal on classified sites, auction sites, etc.. To allay your suspicion, you can see the seller has a good rating (all planned and crafted ahead of time).

People who take the bait may be infected with malicious software that can generate any number of new exploits against themselves and their contacts, may lose their money without receiving their purchased item, and, if they were foolish enough to pay with a check, may find their bank account empty.

Response to a question you never had

Criminals may pretend to be responding to your ’request for help’ from a company while also offering more help. They pick companies that millions of people use such as a software company or bank.  If you don’t use the product or service, you will ignore the email, phone call, or message, but if you do happen to use the service, there is a good chance you will respond because you probably do want help with a problem.

For example, even though you know you didn’t originally ask a question you probably a problem with your computer’s operating system and you seize on this opportunity to get it fixed. For free! The moment you respond you have bought the crook’s story, given them your trust and opened yourself up for exploitation.

The representative, who is actually a criminal, will need to ’authenticate you’, have you log into ’their system’ or, have you log into your computer and either give them remote access to your computer so they can ’fix’ it for you, or tell you the commands so you can fix it yourself with their help–where some of the commands they tell you to enter will open a way for the criminal to get back into your computer later.

Creating distrust

Some social engineering, is all about creating distrust, or starting conflicts; these are often carried out by people you know and who are angry with you, but it is also done by nasty people just trying to wreak havoc, people who want to first create distrust in your mind about others so they can then step in as a hero and gain your trust, or by extortionists who want to manipulate information and then threaten you with disclosure.

This form of social engineering often begins by gaining access to an email account or another communication account on an IM client, social network, chat, forum, etc. They accomplish this either by hacking, social engineering, or simply guessing really weak passwords.

  • The malicious person may then alter sensitive or private communications (including images and audio) using basic editing techniques and forwards these to other people to create drama, distrust, embarrassment, etc.  They may make it look like it was accidentally sent, or appear like they are letting you know what is ’really’ going on.
  • Alternatively, they may use the altered material to extort money either from the person they hacked or from the supposed recipient.

There are literally thousands of variations to social engineering attacks. The only limit to the number of ways they can socially engineer users through this kind of exploit is the criminal’s imagination.  And you may experience multiple forms of exploits in a single attack.  Then the criminal is likely to sell your information to others so they too can run their exploits against you, your friends, your friends’ friends, and so on as criminals leverage people’s misplaced trust.

Don’t become a victim

While phishing attacks are rampant, short-lived, and need only a few users to take the bait for a successful campaign, there are methods for protecting yourself. Most don't require much more than simply paying attention to the details in front of you. Keep the following in mind to avoid being phished yourself. 

Tips to Remember:

  • Slow down. Spammers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics be skeptical; never let their urgency influence your careful review.
  • Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number.
  • Don’t let a link be in control of where you land. Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom, but a good fake can still steer you wrong.
  • Email hijacking is rampant. Hackers, spammers, and social engineers taking over control of people’s email accounts (and other communication accounts) has become rampant. Once they control an email account, they prey on the trust of the person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment check with your friend before opening links or downloading.
  • Beware of any download. If you don’t know the sender personally AND expect a file from them, downloading anything is a mistake.
  • Foreign offers are fake. If you receive an email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money it is guaranteed to be a scam.

Ways to Protect Yourself:

  • Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.
  • Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
  • Set your spam filters to high. Every email program has spam filters. To find yours, look at your settings options, and set these to high–just remember to check your spam folder periodically to see if legitimate email has been accidentally trapped there. You can also search for a step-by-step guide to setting your spam filters by searching on the name of your email provider plus the phrase ’spam filters’.
  • Secure your computing devices. Install anti-virus software, firewalls, email filters and keep these up-to-date. Set your operating system to automatically update, and if your smartphone doesn’t automatically update, manually update it whenever you receive a notice to do so.  Use an anti-phishing tool offered by your web browser or third party to alert you to risks.


Original Author: Webroot

Click here to follow the original link