Millions of Americans Fall Victim to Identity Theft

While you are online, your personal information is constantly exposed to bad actors. Take action to protect your identity and prevent its theft.

A shocking amount of information about you can be found online. From Social Security numbers to bank account numbers to social media profiles, a savvy thief potentially has access to all the data he or she needs to assume and steal your identity.

Identity theft is a serious crime. It happens when someone uses your Social Security number or uses other personal information about you without your permission to open new accounts, make purchases or get tax refunds. They could use your:

  • Name and address
  • Credit card or bank account numbers
  • Social Security number
  • Medical insurance account numbers

Many Americans whose information was compromised did not realize their identity was stolen until years later when they tried to buy a car, file tax returns or purchase a home.

Experts warn that identity thieves can use social engineering to steal your information. Social engineering is the art of manipulating someone to divulge sensitive or confidential information that can be used for fraudulent purposes.

Social engineering can happen everywhere, online and offline. And unlike traditional cyberattacks, whereby cybercriminals are stealthy and want to go unnoticed, social engineers are often communicating with you in plain sight. Consider these common social engineering tactics that might be right under your nose.

  • Your “friend” sends you a strange message. Social engineers can pose as trusted individuals in your life, including a friend, boss, coworker, even a banking institution, and send you conspicuous messages containing malicious links or downloads. Just remember, you know your friends best — and if they send you something unusual, ask them about it.
  • Your emotions are heightened. The more irritable we are, the more likely we are to let our guard down. Social engineers are great at stirring up emotions like fear, excitement, curiosity, anger, guilt, or sadness.
  • The request is urgent. Social engineers don’t want you to think twice about their tactics. That’s why many social engineering attacks involve some type of urgency, such as a sweepstake you have to enter now or a cybersecurity software you need to download to wipe a virus off of your computer.
  • The offer feels too good to be true. Ever receive news that you didn’t ask for? Even good news like, say, winning the lottery or a free cruise? Chances are that if the offer seems too good to be true, it’s just that — and potentially a social engineering attack.
  • You’re receiving help you didn’t ask for. Social engineers might reach out under the guise of a company providing help for a problem you have, similar to a tech support scam. And considering you might not be an expert in their line of work, you might believe they’re who they say they are and provide them access to your device or accounts.
  • The sender can’t prove their identity. If you raise any suspicions with a potential social engineer and they’re unable to prove their identity — perhaps they won’t do a video call with you, for instance — chances are they’re not to be trusted.

A thief can get your personal information in person or online. Here are some ways thieves might steal someone’s identity. A thief might:

  • Steal your mail or garbage to get your account numbers or your Social Security number
  • Trick you into sending personal information in an email
  • Steal your account numbers from a business or medical office
  • Steal your wallet or purse to get your personal information

Identity experts share five recommendations for how to protect your identity:

  • Once a year, order and closely review a free credit report from each national credit reporting agency: Experian, Equifax and TransUnion.
  • Browse and purchase online while only using a secure connection. Never use autofill features when filling out online forms, unless it is on a trusted site.
  • Refrain from giving solicitors personal or financial information over the phone, by email or through pop-up messages.
  • Opt out of pre-screened offers of credit and insurance by mail.
  • Avoid oversharing on social networking sites so you’re not sharing a potential scam with others.

If you do think you’re a victim, call the three major credit bureaus to place a credit freeze, and file a report with law enforcement.

Even if you don’t believe it’s that big of a deal, reporting these crimes can help law enforcement prevent others. It took identity theft victims an average of 10 hours to resolve the fraud in 2020, according to LifeLock.

Moreover, you may be responsible for what the thief does while using your personal information. You might have to pay for what the thief buys. This is true even if you do not know about the bills.

How can that happen?

  • A thief might get a credit card using your name.
  • He changes the address.
  • The bills go to him, but he never pays them.
  • That means the credit card company thinks you are not paying the bills.
  • That will hurt your credit.

This is the kind of trouble identity theft can cause for you.

Your best defense against identity theft and social engineering attacks is to educate yourself about their risks, red flags, and remedies. To that end, stay alert and avoid becoming a victim.


References:

  1. https://www.consumer.gov/articles/1015-avoiding-identity-theft#!what-it-is
  2. https://us.norton.com/internetsecurity-emerging-threats-what-is-social-engineering.html
  3. https://www.usnews.com/360-reviews/identity-theft-protection

Google Knows Your Location | CNET

If you use any Google app, your location and data history might be stored.

You think that you’ve turned off your location history and tracking on your Google account, so now your. But, hold on.

While disabling that setting sounds like a one-and-done, some Google apps are still storing your location data, as explored in a 2018 investigation by the Associated Press.

Fortunately, Google has made it easier to control what location and other data is saved, and what is deleted with features like Your Data in Maps and Search, which give you quick access to your location controls, according to CNET.

How to turn off Google’s location tracking 

To completely shut down Google’s ability to log your location, here’s what to do:

  1. Open up Google.com on your desktop or mobile browser. 
  2. At the top right, log into your Google account if you aren’t already.
  3. Select Manage your Google Account.
  4. In the Privacy & Personalization box, select Manage your data & personalization.
  5. Scroll down to the Activity Controls, and select Manage your activity controls.
  6. There you’ll see a box called Web & App Activity. From there, you can slide the toggle switch to off. 
  7. There will be a disclosure to ensure you understand what disabling this setting will do before you select Pause.

References:

  1. https://www.cnet.com/tech/services-and-software/google-always-knows-where-you-are-heres-how-to-turn-that-off
  2. https://apnews.com/article/north-america-science-technology-business-ap-top-news-828aefab64d4411bac257a07c1af0ecb

‘The Secret Password’ is key

As aspects of our lives continue to move to digital spaces, it’s more important than ever to make sure you are taking the right steps to protect yourself. No matter the type of online account, your first line of defense is often your login password.

1. LONGER IS STRONGER
The longer and more complex you make your passwords, the stronger they’ll be in the long term. Short, simple passwords are often much easier for hackers to crack. Aim for at least 8-12 characters, and consider these other basic guidelines for how to create strong passwords:

  • Use a combination of upper and lower case letters, numbers and symbols.
  • Avoid easy, simple phrases like “Password123” and never use personal information (birth dates, pet names, etc.)
  • Random is better: pick a strange phrase and replace letters with numbers or symbols where you can. Have some fun with it!

2. CYCLE PASSWORDS OFTEN
Larger companies like Google and some financial institutions often prompt users to change their passwords after a certain period of time. A good rule of thumb is to rotate passwords at least every six months. It might feel like a chore to go through every single online account. But when you’re considering sensitive personal and financial information, what’s an extra 15 minutes twice a year to protect yourself?

3. NEVER USE THE SAME PASSWORD FOR MULTIPLE ACCOUNTS
We’ve all been guilty of it. You craft one really strong password and decide to use it for every account. Sure, it’s convenient and may help you save time during your day. But, in the event of a breach, it’s not just one account you have to worry about. By not taking the time to create multiple passwords, you’re leaving your entire digital identity at risk from the right hacker.

4. USE A PASSWORD MANAGER
With so many different passwords for each online account, it can be difficult trying to keep track of them all. However, you should never write your passwords down. Even if you think your home or office is safe, all it would take is for you to lose the slip of paper or notebook and suddenly all of your accounts are at risk. With an encrypted password manager you can house all of your passwords on a single, private and secure server. Just make sure to never forget the master password! And be sure to follow the same tips to make sure it is as strong as possible.

5. ENABLE TWO-FACTOR AUTHENTICATION
Some of your accounts may prompt you to enable two-factor authentication. It’s always tempting to click “remind me later” and put it off, but taking a few minutes can really go far in the long run. Two-factor authentication adds an extra layer of protection, simply by verifying that you are who you say you are. Usually that comes in the form of a direct text message or email to confirm a login attempt. Again, it’s the simple, extra steps that can save you so much trouble.

Online Security

With more people than ever shopping online this holiday season, scams are an even bigger risk.

Always look for the little lock symbol or “https” in the web address. That lets you know your traffic to and from the webpage is encrypted. Encryption is standard these days for any kind of e-commerce site. If you don’t see it, it could mean you’re on the wrong site, according to Consumer Reports.

It’s more important than ever to use strong passwords

A strong password isn’t always enough to keep your personal and financial information safe. Many security experts recommend safeguarding your accounts with another layer of defense, namely multifactor authentication (MFA, also known as two-factor authentication).

When you turn on MFA, which is available for financial sites, social media sites, and many others, you need a second factor in addition to your password to log in. That way, if a hacker gets your password, they still won’t be able to access your account. Probably the most common way to use MFA is to have the site send you a text message with a code that you enter into a pop-up box.

To beef up your password security, many experts recommend using an authentication app.

Cut down on data collection and prevent hackers from invading your laptop, tablet and even your phone. To do a thorough digital cleanup, there’s a wonderful free tool called #SecurityPlanner, developed by internet watchdog group @citizenlab and now run by @ConsumerReports:

  • Safely back up files
  • Browse online without tracking
  • Avoid phishing scams
  • Prevent identity theft

https://twitter.com/manjaselva/status/1331366229840424967?s=21


References:

  1. https://www.consumerreports.org/digital-security/use-authentication-apps-for-multifactor-security/?EXTKEY=YSOCIAL_TW

Cyber Security for Small Business – Social Engineering

Social engineering is a cyber criminal’s favorite way to manipulate and attack small businesses

Small businesses remain extremely exposed to cyberattacks, and cybersecurity remains one of the primary operational risks for most small businesses. Similarly, many small businesses demonstrate problematic cybersecurity practices in their daily operations.

Almost 60 percent of business executives report receiving more suspicious email over the past year, a growing cyber concern for small businesses. Adopting new technology systems without proper knowledge or preparation is another problem for small businesses, and it can lead to preventable problems, such as owners declining to set up two-step authentication when creating a password on a site.

To avoid becoming a victim, it is important for small businesses to implement proper security measures. Given the consequences of being unprepared and the reasons small businesses are targeted, prioritizing cyber-security is critical as hackers get much smarter and more determined.

Cyber security weakest link

People are the weakest link when it comes to cyber security, which is why psychological manipulation of cyber attack victims is so common. Phishing, for instance, is an effective form of social engineering in email format that can be sneakily disguised as arriving from a legitimate source. This can fool employees into clicking a virus-filled link.

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. This is used to gather information, initiate cyber fraud, or gain unauthorized IT system access.

Preventing an attack

For small businesses, there are plenty of ways to prevent cyber-attacks, from enforcing simple measures to hiring specialized teams to stay alert to the issue. Along with employing IT teams or specialists, training workers on the current dangers of cyber-security is a necessity, as it can avert various issues (such as the phishing scams mentioned earlier). Installing security software and investing in proper cyber-security insurance are also vital in securing businesses from these attacks.

With small businesses being large targets for attackers, proper cyber-security is becoming increasingly important and a necessity, particularly in 2020. As small businesses adopt remote work methods, new risks and dangers arise, and precautions like an IT team or training prove beneficial.

There are many effective practices that small businesses can implement to address selected cybersecurity risks while recognizing that there is no one-size-fits-all approach to cybersecurity. It is recommended that small businesses consider implementing the following effective practices:

  • Developing identity and access management protocols for staff, including managing the granting, maintenance and termination of access to business and customer data;
  • Limiting access only to their own customers’ data and related reports;
  • Setting minimum password requirements and multi-factor authentication for access to systems and applications by employees, vendors, contractors and other insiders;
  • Prohibiting the sharing of passwords among firm staff;
  • Prohibiting the storage of sensitive customer or firm data in unapproved or prohibited locations (e.g., a file server, cloud provider or thumb drive and without encryption or transmitted without encryption);
  • Establishing minimum encryption standards for all hardware used to access firm systems, including laptops, desktops, servers, mobile devices and removable media devices;
  • Requiring adherence to minimum encryption standards for data-in-transit, such as emails and file transfers that include customer sensitive information;
  • Ensuring only secure, encrypted wireless settings for office and home networks;
  • Maintaining regular patching, anti-virus protection, anti-malware and operating system updates for all computers and servers that access data in a manner that is consistent with industry standards;
  • Developing physical security protocols for all portable devices used to access data and systems, including laptops and mobile devices;
  • Mandating that all vendors meet the business’s security requirements, especially if the data or other sensitive information will be accessed or maintained by the vendor; and
  • Creating processes and selecting approved vendors for the secure disposal of hard copy records and firm computer hardware (e.g., hardware listed in the firm’s inventory) that may contain sensitive information.

References:

  1. https://cyber-security.mytechmag.com/cyber-security-for-small-businesses-is-important-now-1379.html
  2. https://www.pcworld.idg.com.au/article/636083/10-alarming-cybersecurity-facts/

Cyber Security Checklist

Working Together to Prevent Fraud and Protect Your Financial Data

Threats to your cyber security are constantly growing.  Most organizations have systems in place to protect you, but you can take steps on your own to fight hackers.

Even with tremendous investments in cyber security, the most prevalent way for hackers and fraudsters to gain access is to exploit human behavior through social engineering or simply uncovering information that hasn’t been well protected by a consumer.

It’s hard to keep up with all your accounts and your distributed digital footprint. Following a simple cyber security checklist can help you avoid becoming an easy target for hackers and fraudsters.

1. Use strong passwords and protect them

  • Create long passwords that contain symbols, numbers, and uppercase and lowercase letters
  • Don’t store your passwords anywhere
  • Don’t reuse or recycle your passwords
  • Don’t share your passwords with anyone
  • Change your passwords using a randomly generated schedule
  • Ensure that your passwords bear no resemblance to former passwords 

2. Opt in to multifactor authentication where available. Multifactor authentication requires additional verifying information to grant access to an account. This gives your accounts an added layer of security. Multifactor authentication can include:

  • SMS or email notifications 
  • Biometric identification 
  • Tokens

3. Avoid links from unknown sources in text, email, instant message, social media and websites

  • Be suspicious of any message that asks you to provide personal information. Banks never use emails or text messages to solicit your personal information.
  • Hover your mouse over hyperlinks to inspect their true destination
  • Make sure you’re on the right site before entering personal information—such as your name, address, birth date, Social Security number, phone number or credit card number
  • Report suspicious email that claims to be from financial institutions to the financial institution
  • Learn as much as you can about phishing

4. Limit what you share on social media and who can view your profile

You should protect the following information in particular:

  • Your birthdate 
  • Your street address
  • Geotagged photos 
  • The time you’re away on vacation

5. Secure your devices

  • Always keep your device’s software updated (use the latest operating system and browser versions available)
  • Download apps from trusted app stores 
  • Turn off Wi-Fi/file sharing/AirDrop options when not in use 
  • Avoid working with personal or sensitive data when you’re using unsecured, public Wi-Fi

6. Secure your important documents

  • Protect your Social Security cards, passports and birth certificates by storing them in a secure place such as a safe deposit box, and only carry them when you need them for a specific purpose. 
  • This information can be used by an identity thief to commit fraud like taking over your financial accounts, opening new loans and credit cards, and establishing utility services in your name.

7. Shred documents containing personal/financial information

  • When you’re done reviewing your paper documents like your receipts, financial statements, or credit card bills, put them in the shredder instead of the trash.

8. Order your credit report annually from each credit bureau

  • Best practice: Order a free copy once a year from AnnualCreditReport.com and from a different bureau (Equifax, Experian, TransUnion) every four months so that you’re always covered.

9. Keep your contact information up to date.

  • Update your email, mobile phone and mailing address.

10. Opt in to security alerts, and promptly respond to the notifications you receive

  • If you haven’t done so already, set up alerts to keep tabs on your account.

 


References:

  1. https://www.bbt.com/education-center/articles/cyber-security-checklist.html
  2. https://www.finra.org/compliance-tools/cybersecurity-checklist

Cyber Security: Recognize Social Engineering

Social engineering is highly successful because the cyber criminals make their work look and sound legitimate, sometimes even helpful, which makes it easier to deceive users. 

Large companies, like Equifax and Home Depot, are often the target of the most sophisticated and large-scale cyberattacks, but attacks aimed at small businesses can be equally devastating. Some of the most common social engineering threats include phishing emails, texts or phone calls and malware.

Stay vigilant to social engineering

Small businesses need to do more to protect their IT systems against growing cyber threats. Larger companies have taken significant steps and dedicated significant resources to secure their systems.  As a result, less cyber secure small businesses have become easier targets for cyber criminals.

95% of cyber security breaches are due to human error!

Most small businesses and organizations lack the resources to hire dedicated IT staff and incorporate basic cyber security processes to protect their business, information and customers from cyber threats. Even a small business with one computer or one credit card terminal can benefit from strengthening their cyber security protocols.

Social engineering is used by many criminals, both online and off, to trick unsuspecting people into giving away their personal information and/or installing malicious software onto their computers, devices or networks.  Social engineering is a psychological attack where an attacker tricks you into doing something you should not do through various manipulation techniques. Think of scammers or con artists; it is the same idea. However, today’s technology makes it much easier for any attacker from anywhere in the world, to pretend to be anything or anyone they want, and target anyone around the world, including you.

Social engineering is successful because the cyber criminals are doing their best to make their work look and sound legitimate, sometimes even helpful, which makes it easier to deceive users.  A 2014 IBM study revealed that human error was the primary reason for 95% of cybersecurity breaches.

Most offline social engineering occurs over the telephone, but it frequently occurs online. Information gathered from social networks or posted on websites can be enough to create a convincing ruse to trick your employees. For example, LinkedIn profiles, Facebook posts and Twitter messages can allow a criminal to assemble detailed dossiers on employees. Teaching people the risks involved in sharing personal or business details on social media can help you partner with your staff to prevent both personal and organizational losses.

Many criminals use social engineering tactics to get individuals to voluntarily install malicious computer software such as fake antivirus, thinking they are doing something that will help make them more secure. Fake antivirus is designed to steal information by mimicking legitimate security software. Users who are tricked into loading malicious programs on their computers may be providing remote control capabilities to an attacker, unwittingly installing software that can steal financial information or simply try to sell them fake security software. The malware can also make system modifications which make it difficult to terminate the program.

The presence of pop-ups displaying unusual security warnings and asking for credit card or personal information is the most obvious method of identifying a fake antivirus infection.

Guard against cyberthreats

Here are 10 tips to help small businesses and organizations to guard against new and emerging cyberthreats:

  1. Develop or review your cybersecurity plan. An effective cybersecurity plan should include strong network security, encryption and authentication technologies. The FCC offers a free cybersecurity planner for small business owners.
  2. Use a firewall and antivirus software. Protect your internet connection by setting up a firewall and encryption. All computers should be equipped with antivirus software and antispyware. Set up automatic software updates on all company devices to ensure security fixes are in place.
  3. Secure your Wi-Fi network. Make sure your Wi-Fi network is secure with password-protected access to your router. Set up a separate guest account with a different password for customers or clients who need to access Wi-Fi, so they don’t have access to your main network.
  4. Protect your devices. Hackers can use a stolen laptop, smartphone or tablet to access your network. Maintain an inventory of equipment, and make sure your employees know to secure any company devices when not in use.
  5. Back up your data. Store data in several places, using off-site and cloud-based services. If you become a victim of a cyberattack, you’ll be able to restore operations quickly without having to pay for a ransomware decryption key.
  6. Strengthen passwords. Enforce strict company-wide policies for creating strong passwords, using different passwords for different applications and changing passwords on a regular basis.
  7. Educate employees. Develop an employee training program to ensure everyone understands security policies and procedures. Schedule refresher courses periodically to keep employees informed.
  8. Increase email security. Train your employees on how to spot a phishing attempt by paying close attention to URLs and reading emails carefully, even those appearing to come from a known sender. Ask them to avoid opening unknown or unexpected email attachments (especially compressed or ZIP files) or clicking on links.
  9. Separate your important data. Reduce the damage of a potential security breach by making sure your data isn’t all stored on one device or in one place. For instance, don’t keep your payroll information on the same device you use to process credit card payments. That way, if one of your devices is compromised, some of your data will still be safe.
  10. Implement an incident response plan. Documenting what to do in the event of a security breach—such as who to notify and where backups are stored—can save your organization valuable time in a crisis.

Cyber training and protocols can make a crucial difference in reducing or eliminating the number of cybersecurity breaches.


References:

  1. https://transition.fcc.gov/cyber/cyberplanner.pdf
  2. https://www.navyfederal.org/resources/articles/small-business/protect-your-business.php
  3. https://www.sans.org/security-awareness-training/resources/social-engineering-attacks/?utm_campaign=2020%20Social%20Media&utm_content=145945029&utm_medium=social&utm_source=twitter&hss_channel=tw-41655252
  4. https://www.ibm.com/developerworks/library/se-cyberindex2014/index.html

Cyber Secure by Design

In 2019, victims lost $2.7 billion to cybercrime, according to the Federal Bureau of Investigation.

When it comes to ransomware attacks and data breaches, most cybersecurity experts agree that it’s not a matter of if, but when your business or organization will become a target or a victim of cybercrime. In CyberEdge Group’s 2019 Cyberthreat Defense Report, an astounding 78% of surveyed organizations admitted being victims of cyber attacks. That’s why it’s important to have the right incident response tools and plans in place.

Cybersecurity must become a priority and a core business objective for organizations of all sizes and technology orientation. In order to conduct business and navigate today’s increasingly complex technology threat environment, it is critical for businesses and organizations to devote their time, talent and treasure to securing and building resiliency in cyber technology equipment, systems and protocols.

Cyber security incident plan

Organizations need a written incident response plan, spelling out the necessary steps to address a cybersecurity incident, vulnerability assessments and details on who is notified and who is responsible for implementing the plan after a data breach.

An incident response plan is a documented, written plan with 6 distinct phases that helps cyber professionals and IT staff recognize and deal with cyber security incidents like a data breach or ransomware attack. An incident response plan should be set up to address a suspected data breach in a series of phases. Within each phase, there are specific areas of need that should be considered. The incident response phases are:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

Cybersecurity needs to become core to an organization’s overall business strategy. Organizations and boards need to take effective steps to become “secure by design”. They need to ensure security procedures, controls and policies are integral within all levels of the organization, in all technology solutions and business processes from the outset.

Cyber security solutions need to provide the latest cyber threat protection required for an organization’s operations. Whether a business’s digital transformation is migrating to the cloud, application development, leveraging the power of the IoT or integrating IT and operational networks, taking a “secure by design” approach is crucial for business continuity by identifying, responding to, and protecting against known and unknown threats and minimizing the potential effects on core assets.

Shortage of cyber security and IT staff

In most organizations, there exists a critical shortage of cyber security staff. As a result, it has become nearly impossible for organizations to review the plethora of cyber alerts, not to mention investigate and respond to all security incidents. Statistics show that the average time to identify and remediate a cyber security breach is over 100 days. Additionally, the Mandiant Security Effectiveness Report 2020 found that 53% of successful cyber attacks infiltrate organizations without being detected, and 91% of all incidents didn’t generate an alert.

To help address this shortage, the security industry is developing tools to perform automated incident response. An automated tool can detect a cyber security condition, and automatically execute an incident response playbook that can contain and mitigate the incident. For example, upon detecting traffic from the network to an unknown external IP, an incident playbook runs, adding a security rule to the firewall and blocking the traffic until further investigation.

By supplementing manual incident response with automated playbooks, organizations can reduce the burden on security teams, and respond to many more security incidents, faster and more effectively.
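
The playbook described above, sketched as an added example that is not from the original article or from any vendor's product. The flow-record format, the address ranges and the in-memory `Firewall` class are assumptions made for illustration; a real deployment would call its own firewall's API at that point.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed for this example: the office network and the external services
# the business expects to talk to (documentation address ranges).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_EXTERNAL = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2020-10-01T09:00:01 10.0.0.15 198.51.100.20 443
2020-10-01T09:00:07 10.0.0.15 10.0.0.2 53
2020-10-01T09:01:12 10.0.0.23 203.0.113.77 8443
2020-10-01T09:01:30 10.0.0.23 203.0.113.77 8443
2020-10-01T09:02:02 10.0.0.40 192.0.2.9 25
not-a-flow-line
"""


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src: object
    dst: object
    dport: int


@dataclass
class Incident:
    dst: str
    first_seen: str
    sources: set = field(default_factory=set)
    hits: int = 0
    status: str = "blocked-pending-investigation"


class Firewall:
    """In-memory stand-in for a firewall API (hypothetical)."""

    def __init__(self):
        self.blocked = []

    def block_destination(self, dst):
        if dst not in self.blocked:
            self.blocked.append(dst)

    def unblock_destination(self, dst):
        if dst in self.blocked:
            self.blocked.remove(dst)


def parse_flows(text):
    """Parse flow records, skipping lines that are malformed."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append(Flow(parts[0], ipaddress.ip_address(parts[1]),
                              ipaddress.ip_address(parts[2]), int(parts[3])))
        except ValueError:
            continue
    return flows


def in_any(addr, nets):
    return any(addr in net for net in nets)


def needs_containment(flow):
    """Detection: an internal host talking to an unknown external address."""
    return (in_any(flow.src, INTERNAL_NETS)
            and not in_any(flow.dst, INTERNAL_NETS)
            and not in_any(flow.dst, KNOWN_EXTERNAL))


def run_playbook(flows, firewall):
    """Block each unknown destination once and open one incident per address."""
    incidents = {}
    for flow in flows:
        if not needs_containment(flow):
            continue
        dst = str(flow.dst)
        if dst not in incidents:
            firewall.block_destination(dst)
            incidents[dst] = Incident(dst, flow.timestamp)
        incidents[dst].sources.add(str(flow.src))
        incidents[dst].hits += 1
    return list(incidents.values())


def close_incident(incident, firewall, benign):
    """Analyst decision: lift the block if benign, otherwise keep it."""
    if benign:
        firewall.unblock_destination(incident.dst)
        KNOWN_EXTERNAL.append(ipaddress.ip_network(incident.dst))
        incident.status = "closed-benign"
    else:
        incident.status = "closed-malicious"


if __name__ == "__main__":
    fw = Firewall()
    for inc in run_playbook(parse_flows(SAMPLE_FLOWS), fw):
        print(inc.dst, inc.hits, sorted(inc.sources), inc.status)
```

The block stays in place until `close_incident` records the investigator's decision, which matches the "until further investigation" step in the text.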

Weakest link

Cyber-resiliency also involves recognizing that security is no longer solely a technology or governance, risk and compliance issue. Instead, the whole workforce, including both technical and non-technical employees, should be students of cybersecurity, since cyber security is as strong as the organization’s weakest link.

Research participants felt that their respective organizations had invested adequately in cyberthreat solutions. Although four in five respondents (81.7%) felt their employers had invested adequately, that means one in five (18.3%) was not confident in this regard. Given the sophistication and magnitude of today’s cyber threats and the advancements in modern cyber threat hunting technology, the survey results are discouraging.

To implement truly robust and effective measures, businesses and organizations must employ multi-faceted risk mitigation solutions such as:

  1. Centrally manage and promulgate robust teleworking solutions to empower and enable employees, customers, and third parties.
  2. Leverage role-based rather than location-based identity and access management solutions, analytics, and controls.
  3. Establish two factor authentication, such as manual phone calls, a system of shared secrets, or other authentication controls.

Technology:

  1. https://www.itproportal.com/features/cyber-security-awareness-month-2020-six-experts-share-their-thoughts-on-staying-safe-online/
  2. https://cyber-edge.com/wp-content/uploads/2019/03/CyberEdge-2019-CDR-Report.pdf
  3. https://www.itgovernanceusa.com/blog/how-long-does-it-take-to-detect-a-cyber-attack
  4. https://www.fireeye.com/current-threats/annual-threat-report/security-effectiveness-report.html
  5. https://www.securitymetrics.com/blog/6-phases-incident-response-plan
  6. https://www.ey.com/en_us/consulting/covid-19-steps-to-defend-against-opportunistic-cyber-attackers?WT.mc_id=10642922&AA.tsrc=paidsearch
  7. https://www.cynet.com/incident-response/incident-response-plan-template/

Be Cyber Smart: Prevent Identity Theft and Internet Scams

Americans are more vulnerable than ever to cyber attacks arising from the pandemic.

Today’s technology allows Americans to connect around the world, to bank and shop online, and to control their homes, smart devices and cars from their mobile phones. And with the advent of 5G, this capability to connect and to control will expand exponentially. With this added convenience comes an increased risk of cybercrime, including identity theft and internet scams.

Additionally, most Americans and business owners are not well versed in cybersecurity, nor do they understand the financial impact it can have on their everyday remote work, their online lives and their businesses. Meanwhile, many people approach security as a purely technical challenge dictated by technology and security updates. With this change in behavior brought by the COVID pandemic come additional cyber security risks to privacy and personal information.

Cybercriminal activity is one of the biggest challenges that humanity will face in the next two decades and it causes far more financial damage than people can imagine, according to Cybersecurity Ventures. By 2021, Cybersecurity Ventures estimates that it could cost upwards of $6 trillion to protect against and/or recover from cybercrime. When companies like Yahoo or Equifax are hacked, it causes the size, sophistication, and cost of these crimes to grow at an astronomical rate.

Did you know

  • The average financial cost of a data breach for a US company in 2019 was $8.19 million. That’s an increase of 130% since 2006!
  • 7-10% of the U.S. population are victims of identity fraud each year, and 21% of those experience multiple incidents of identity fraud.

Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.

Common internet scams

As technology continues to evolve, cybercriminals will use more sophisticated techniques to exploit technology to steal your identity, personal information, and money. To protect yourself from online threats, you must know what to look for.

Cybercriminals — from government-backed groups to organized crime gangs — are using the public’s fear, uncertainty, and curiosity about the pandemic to adapt their techniques, tactics, and targeting strategies.

  • There has been an increase in the number of phishing attempts, malicious sites, and business email compromise attempts linked to the pandemic. This malicious content can appear as fraudulent news updates, precautionary guidance, virus maps, friend requests, or employer memos.
  • Cyber criminals, conducting data theft for economic gain, extortion, disruptive or destructive ransomware attacks, have targeted individuals and organizations perceived as under pandemic-related stress and strain.

Some of the most common Internet scams include:

  • COVID-19 Scams take the form of emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.
  • Imposter Scams occur when you receive an email or call from a person claiming to be a government official, family member, or friend requesting personal or financial information. For example, an imposter may contact you from the Social Security Administration informing you that your Social Security number (SSN) has been suspended, in hopes you will reveal your SSN or pay to have it reactivated.
  • COVID-19 Economic Payments scams target Americans’ stimulus payments. CISA urges all Americans to be on the lookout for criminal fraud related to COVID-19 economic impact payments—particularly fraud using coronavirus lures to steal personal and financial information, as well as the economic impact payments themselves—and for adversaries seeking to disrupt payment efforts.

Simple tips for online safety and protection

Getting educated and savvy on how to recognize and react to phishing emails and cyber threats may be the best way to protect yourself virtually and financially against cybercrime.

  • Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. If MFA is an option, enable it by using a trusted mobile device, such as your smartphone, an authenticator app, or a secure token—a small physical device that can hook onto your key ring.
  • Shake Up Your Password Protocol. According to NIST guidance, you should consider using the longest password or passphrase permissible. Get creative and customize your standard password for different sites, which can prevent cyber criminals from gaining access to these accounts and protect you in the event of a breach. Use password managers to generate and remember different, complex passwords for each of your accounts. Read the Creating a Password Tip Sheet for more information.
  • Be up to date. Keep your software updated to the latest version available. Maintain your security settings to keep your information safe by turning on automatic updates so you don’t have to think about it, and set your security software to run regular scans.

Protect yourself from online fraud

Stay Protected While Connected: The bottom line is that whenever you’re online, you’re vulnerable. If devices on your network are compromised for any reason, or if hackers break through an encrypted firewall, someone could be eavesdropping on you—even in your own home on encrypted Wi-Fi.

  • Practice safe web surfing wherever you are by checking for the “green lock” or padlock icon in your browser bar. This signifies a secure connection.
  • When you find yourself out in the great “wild Wi-Fi West,” avoid free Internet access with no encryption.
  • If you do use an unsecured public access point, practice good Internet hygiene by avoiding sensitive activities (e.g., banking) that require passwords or credit cards. Your personal hotspot is often a safer alternative to free Wi-Fi.
  • Don’t reveal personally identifiable information such as your bank account number, SSN, or date of birth to unknown sources.
  • Type website URLs directly into the address bar instead of clicking on links or cutting and pasting from the email.

If you discover that you have become a victim of cybercrime, immediately notify the business and authorities to file a complaint. Keep and record all evidence of the incident and its suspected source.

For more information about how you can Do Your Part. #BeCyberSmart, visit www.cisa.gov/ncsam


References:

  1. https://www.cisa.gov/sites/default/files/publications/NCSAM_TheftScams_2020.pdf
  2. https://www.ey.com/en_us/consulting/covid-19-steps-to-defend-against-opportunistic-cyber-attackers?WT.mc_id=10642922&AA.tsrc=paidsearch
  3. https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
  4. https://www.cisa.gov/shop-safely

Cyber Attacks Becoming Faster and More Sophisticated

“One thing is clear…with cyber attacks becoming faster and more sophisticated, education about prevention is necessary for everyone.”

More and more Americans are using cyber technologies and spending more time online during COVID-19 than ever before. Our growing dependence on technology, coupled with the increasing threat of cyber attacks, demands greater security in our online world.

Consequently, the FBI has seen a significant spike in cyber crimes reported to its Internet Crime Complaint Center (IC3) since the beginning of the COVID-19 pandemic, as hackers take advantage of Americans’ daily activities moving increasingly online. IC3 has been receiving between 3,000 and 4,000 cybersecurity complaints each day, a major jump from prior to the COVID-19 pandemic when about 1,000 complaints were received daily.

Additionally, Microsoft reports that COVID-19 themed attacks, where cybercriminals get access to a system through the use of phishing or social engineering attacks, have jumped to 20,000 to 30,000 a day in the U.S. alone. And, researchers for the cyber group Barracuda Networks found a 667 percent increase in phishing emails using the coronavirus to trick individuals into clicking links or downloading attachments that included computer viruses, such as ransomware that locks up computers and demands a ransom to unencrypt them, according to The Hill.

Both the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have put out alerts warning Americans to watch out for these phishing emails while working from home.

To protect yourself and your money from cyber threats, it is important to understand how hackers think and act. Today’s hackers are using “social engineering” to take information they glean from social media and publicly available information, such as speaking engagements and media profiles. Armed with that data, they target people using personal details that make them feel comfortable sharing pertinent information.

Hackers can spoof phone numbers or email addresses to look like they’re coming from a legitimate financial or mobile service provider. They ask questions or send links that mine for personal data, such as credit card numbers and identifying information.

“Defend Today, Secure Tomorrow”—Protect Yourself from Cyberattacks

It’s imperative to understand the nature of cybercrime and to get educated about avoiding it. While nothing is foolproof, there are tangible steps you can take to ensure you are not an easy target for hackers.

Five Ways to Keep Your Information and Systems Secure:

  1. Use two-factor authentication everywhere you can. Yes, it can make logging in more time-consuming, but it makes it much more difficult for a hacker to breach your password and access your PC or phone.
  2. Make your passwords more complicated and use different ones for different sites or a password vault. Use phrases that are longer, rather than generic word and number combinations that fall into a pattern (e.g., Fall2019, Winter2019). A phrase such as ILoveBuckeyes! is more difficult to hack. If remembering multiple passwords is an issue, try a recommended password vault provider, an online service designed to help keep your password information secure and consolidated into one location, such as 1Password, KeePass, LastPass, or Dashlane.
  3. Make sure you keep your computer software up to date. Security updates are designed to fix known attacks or vulnerabilities that software developers are monitoring and addressing.
  4. Be careful of how much information you share on social media. Social engineers can track your spending habits, location, busy times on your schedule, travel plans, and more and strike when you’re preoccupied, attending functions, at work, or traveling. That catchy Facebook quiz? Watch out if it asks for too much personal data like your birthdate or address.
  5. Do not give out personal information without verification. Hackers can impersonate financial services providers. If you receive an email or phone call that looks official, do not respond directly. Use the phone number on your financial services provider’s statements to call and confirm whether the call/email was genuine. Never give out your Social Security number or credit card information to an unverified person on the phone, and avoid clicking on any links in emails you receive.

STOP. THINK. CONNECT.

The STOP.THINK.CONNECT.™ Campaign is a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online. Cybersecurity is a shared responsibility. We each have to do our part to keep the Internet safe. When we all take simple steps to be safer online, it makes using the Internet a more secure experience for everyone.

References:

  1. https://thehill.com/policy/cybersecurity/490232-cyber-threats-spike-during-coronavirus-pandemic
  2. https://www.microsoft.com/security/blog/2020/06/16/exploiting-a-crisis-how-cybercriminals-behaved-during-the-outbreak/
  3. https://www.key.com/businesses-institutions/business-expertise/articles/cybersecurity-in-the-hacking-age.jsp
  4. https://www.cisa.gov/cybersummit2020
  5. https://www.stopthinkconnect.org