CYBER SECURITY
CYBERSECURITY
by DANIEL TALBOT
It is important that we keep our guard up against cybercrime during the Covid-19 pandemic. We are only halfway through 2020, but cybercrime reporting by the FBI suggests that this year will exceed 2019, when more than five billion records were stolen in data breaches in the US alone. Globally, a record number of identity thefts is expected, with estimates that more than 60% of the world's population will be affected. Covid-19 has put us in various forms of isolation, working from home during global lockdowns, and the bad guys are taking advantage of the situation and becoming more aggressive all the time. Several government agencies have reported criminals contacting people by phone and email to commit financial fraud through a range of scams. Threat actors can be very convincing and appear entirely authentic.
SOME OF THE REPORTED SCAMS INCLUDE:
•Offers for free Covid-19 test kits
•Promotions for a Covid-19 cure, requesting payment to get yours ordered
•Lists of work-from-home opportunities
•Student loan repayment plans and debt consolidation offers due to financial hardship
•Offers for small business funding or loans
•Offers to sell PPE supplies
•Offers for lower-cost health insurance if you verify personal details
•Offers to help with government funding if you provide financial account information
•Notices that the U.S. Department of Health and Human Services or any other government agency requires you to click a link to take a “mandatory online Covid-19 test”
•Requests for money to support the World Health Organization (WHO) or another health organization that needs funding to advance research
Fighting these threats requires being aware of the risk and being prepared when something happens. The goal of this article is to provide some guidance on what to look for and how to reduce the risk that you will become a victim of this growing problem. I tell everyone that just buying security tools doesn’t make you secure. You have to take action to protect your data from the many threat actors working to trick you into taking their bait.
Talking with clients, I hear comments like “this type of crime only targets big enterprises, not us small guys.” Statistics suggest that the single greatest source of cyber attacks is a phishing email. Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card or bank data by posing as a trustworthy entity in an electronic communication. Unfortunately, phishing scams hit large enterprises and small businesses alike; small businesses are targeted with nearly the same frequency as their larger counterparts. A phishing email typically carries a link the attacker wants you to click: it either leads to a fake login page that captures your credentials or downloads malware onto your machine and, from there, onto the corporate network.
Phishing schemes can be sophisticated and sound very authentic because there is so much information about you on social media. Today, bad actors can craft a convincing imitation of a known brand, and by scraping details from sites like LinkedIn or Facebook they build believable situations that you accept without close inspection because they feel familiar. One of the more popular security software companies recently ran a survey in which 97% of consumers could not identify an email message as a phishing attempt. The conclusion is that the vast majority of US employees have no working knowledge of cybersecurity best practices.
Domains we once considered secure simply because they use HTTPS are now used more and more by phishing websites; the padlock only means the connection is encrypted, not that the site behind it is legitimate. Almost half of phishing attempts aim to install malware. Some of the companies most imitated in phishing attacks include Microsoft, PayPal, Netflix, all the major financial institutions, Facebook and Dropbox, to name a few. Attackers use official logos taken from many sources and bait you with topics like “your password needs to be reset,” offering a link to do it. You enter your data and they have you. Some don’t even try to be sophisticated: they send something like “here is a new email feature, click here to learn all about it.” If you click the link, malware is downloaded onto your system. Some of the most common words in phishing subject lines are payment, urgent, request, attention and important, chosen to fool the recipient into opening the email and taking the intended action.
It used to be that everyone knew not to touch an email attachment with .exe as the file type. Today .exe barely makes the top five extensions used in attacks, and most people don’t pay any attention to the file type at all. The majority of malware downloads arrive as Visual Basic script (.vbs), JavaScript (.js), Word files (.doc) and, of course, executable programs (.exe).
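As an added example (not part of the article), the script below turns the signals described above into a small triage check run over two constructed sample messages: urgency words in the subject, a display name that claims a brand the sender’s domain does not belong to, link text that shows one host while the target is another, and attachments whose last extension is a script or executable even when disguised as a document (“invoice.pdf.js”). The brand-to-domain table, the risky extension list and the sample messages are assumptions for illustration; HTTPS on a link is deliberately not treated as a trust signal.

```python
"""Phishing triage heuristics. Added example, not the article's code; the
brand table, extension list and sample messages below are constructed."""
import re
from urllib.parse import urlparse

# Subject-line words the article says phishers favour.
URGENCY_WORDS = {"payment", "urgent", "request", "attention", "important"}

# Extensions the article names as the main malware carriers, plus a few
# others that run code on double-click (assumption: adjust to your policy).
RISKY_EXTENSIONS = {"vbs", "js", "exe", "doc", "docm", "scr", "hta", "jar", "lnk"}

# Brands the article lists as most imitated, mapped to domains they really
# send from (assumption: example domains only, extend from your own allowlist).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "live.com"},
    "paypal": {"paypal.com"},
    "netflix": {"netflix.com"},
    "dropbox": {"dropbox.com"},
    "facebook": {"facebook.com"},
}


def registered_domain(host):
    """Last two labels of a hostname ('login.example.com' -> 'example.com').
    Naive on multi-part suffixes such as co.uk; good enough for a demo."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def attachment_risk(filename):
    """Return (risky, reason). Trailing dots/spaces are stripped because
    Windows drops them, and only the LAST extension decides what runs."""
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2:
        return (False, "no extension")
    ext = parts[-1]
    if ext in RISKY_EXTENSIONS:
        reason = f"executable/script attachment .{ext}"
        if len(parts) > 2:
            reason += f" disguised as .{parts[-2]}"
        return (True, reason)
    return (False, f".{ext} not on risky list")


def score_message(msg):
    """msg: dict with subject, from_name, from_addr, links [(text, href)],
    attachments [filenames]. Returns (score, reasons); higher is worse."""
    score, reasons = 0, []

    subject_words = set(re.findall(r"[a-z]+", msg["subject"].lower()))
    hits = subject_words & URGENCY_WORDS
    if hits:
        score += len(hits)
        reasons.append("urgency words in subject: " + ", ".join(sorted(hits)))

    sender_domain = registered_domain(msg["from_addr"].split("@")[-1])
    display_name = msg["from_name"].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name and sender_domain not in domains:
            score += 3
            reasons.append(f"display name claims {brand} but sender domain is {sender_domain}")

    for text, href in msg["links"]:
        # Note: urlparse does not care whether the scheme is https; a valid
        # certificate on a lookalike domain proves nothing about legitimacy.
        target = registered_domain(urlparse(href).hostname or "")
        if target != sender_domain:
            score += 2
            reasons.append(f"link points to {target}, not sender domain {sender_domain}")
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registered_domain(shown.group(1)) != target:
            score += 3
            reasons.append(f"link text shows {shown.group(1)} but target is {target}")

    for filename in msg["attachments"]:
        risky, why = attachment_risk(filename)
        if risky:
            score += 3
            reasons.append(why)

    return score, reasons


# Constructed sample messages (not real mail).
SAMPLE_PHISH = {
    "subject": "URGENT: Payment attention required - password reset",
    "from_name": "Microsoft Account Team",
    "from_addr": "security@microsoft-verify.co",
    "links": [("https://login.microsoft.com/reset", "https://login.microsoft-verify.co/reset")],
    "attachments": ["Invoice_2020.pdf.js"],
}
SAMPLE_LEGIT = {
    "subject": "Your monthly statement is ready",
    "from_name": "PayPal",
    "from_addr": "service@paypal.com",
    "links": [("View statement", "https://www.paypal.com/statements")],
    "attachments": ["statement.pdf"],
}

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        total, why = score_message(sample)
        print(label, total, *why, sep="\n  ")
```

Run it as-is to see the phishing sample collect a score of 12 from four separate signals while the legitimate sample scores 0. The check is a triage aid, not a verdict: a message with no hits can still be malicious, and a real mail gateway would add sender authentication (SPF/DKIM/DMARC) and URL reputation on top of these heuristics.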
Bad actors exploit weaknesses in organizational security through vulnerabilities in very common software such as Adobe PDF readers, Adobe Flash, Java and Microsoft products. It is important that you install the updates (often referred to as patches) your software suppliers release. Many people now keep Bluetooth enabled on their mobile phone because they use wireless headphones, watches or other devices paired with the phone, which widens the attack surface. Some companies are prescriptive about which internet browser they support because of all the plugins users install and the tracking the service provider does. I have said many times: if you didn’t pay for the service or software, you are the product. They are tracking your actions and selling data about you to make their money. Microsoft recently added a feature to Windows 10 to detect and block potentially unwanted apps (PUA). No mobile phone operating system holds a clear security advantage over another anymore; all the major platforms are in very broad use, and many users store application user IDs and passwords on their mobile devices.
I would be remiss not to say something about ransomware, which continues to be used broadly in 2020. A small or medium business already struggling with the impacts of Covid-19 could not survive a ransomware attack: the average ransom demand in Q1 of 2020 was over $100,000. Once malware gets into your systems, the bad actors hold you hostage. To make matters worse, if you pay the ransom they may give you the key to unlock your systems and data, but then demand a second ransom to keep the data they stole from being released on the open market. So you pay to get your systems unlocked, and you pay again to keep your stolen files off their marketplace. Some software packages, such as NortonLifeLock, now offer ransomware protection and create and securely store backup versions of your files as part of their service. I will do a future article on the dark web, how all this works, and why the number of bad actors keeps growing the way it does. Now that I have shared some of the many risks out there, let’s talk about what you should do if you determine that you have fallen victim to any of these traps. It benefits everyone to think about what you need to do before you have a problem. Cyber laws vary by state, so you need to understand the laws where you do business and how they apply to you. Some of them are very prescriptive, with punitive penalties, about the notice and disclosure you must provide. There are also mandated notices and remedies that you must offer, such as credit monitoring and identity theft repair. Some of these are very expensive but are required by law. Here are some suggestions for a cybersecurity incident response.
IDENTIFY A TEAM AND GIVE THEM THESE INSTRUCTIONS:
Do you have a cybersecurity incident plan? Any form of checklist of what you need to do?
•Do you know how to determine whether an incident justifies escalation?
•Begin documenting decisions and actions immediately.
•Do not destroy any evidence. It could help lead you to the source of the breach.
•Consider experienced legal counsel to lead this process and determine what is privileged versus what must be disclosed.
•Remove any improperly posted information.
•Do you have cyber insurance?
•Engage a forensics firm to mitigate continued harm, gather evidence and investigate.
•Assess the scope and nature of the data compromised and stop additional data loss.
•Preliminarily determine legal obligations, using a firm that understands cyber liability.
•Determine whether to notify law enforcement.
•Prepare a public relations message.
•Engage notification and credit monitoring vendors.
•Notify affected business partners.
•Determine when the notification “clock” started.
•Determine proper remediation requirements.
HOW TO REDUCE BECOMING A TARGET:
•Keep your operating system current with updates
•Keep antivirus protection current
•Have ransomware protection
•Use malware removal software
•Follow good internet security practices, including firewalls and VPNs for remote use
•Implement strong authentication and encryption
•Follow wireless security best practices
•Establish strong physical security as well: are work areas with PCs secure, and are passwords kept off sticky notes?
•Microsoft operating systems are by far the biggest target for viruses and malware. Make sure you regularly update all software applications, browsers and operating systems on all machines. It only takes one machine to let malware inside your company.
•Android is the second-biggest target, with the largest threat coming from sideloaded apps installed from outside Google’s Play Store
•Create a regular data backup routine that keeps a copy offline, so ransomware cannot encrypt it along with your live systems
•Conduct security training with your staff
•Develop a comprehensive data security plan
Fix vulnerabilities before an incident forces you to. Work with your service providers and understand their standards and encryption practices. Know what certifications they have, and which ones you need for your own security. Get to know your local law enforcement, including the FBI and Homeland Security along with your local police. Have a call list before you need it. Make sure you have home and mobile numbers for your leadership team in case of an emergency. Know how you will notify affected business partners. Use the many tools that organizations like the FBI, Secret Service and Homeland Security offer on their websites. The Federal Trade Commission even recommends that you have a model notification letter prepared so you can act quickly. With the short notice and disclosure windows in some of the states where you do business, you don’t want to lose valuable time getting all the parties to agree on what the letter should say; get that worked out now.
This topic is complex, but it must be addressed. Do not hesitate to suggest future topics that you would like to see reviewed in more depth in future articles. My goal with this article is to get you thinking about cyber security and the steps you could take now to avoid future problems. I look forward to our next article together. I’ll leave you with a thought: does your organization use wireless devices? Data can leave your facility through wireless devices, Bluetooth, wireless keyboards and the like, captured by bad guys parked in your parking lot who record unencrypted traffic using Bluetooth antennas that extend the range to upwards of 1,000 feet.
Just something to think about.