Cyber Threats are Clear and Present

Cybersecurity threats, malware and ransomware are clear and present danger threats to American businesses and way of life.

This week, Americans wake-up to dire warnings from the federal government in Washington to growing cyber threats and malware from Russia. The federal government warns American citizens, organizations and businesses to enhance their cyber vigilance and security in preparation of cyber attacks originating from Russia targeting critical information and infrastructure.

The latest cybersecurity threats are taking advantage of pandemic induced work-from-home environments, remote access tools, and new cloud services. According to CISA, these evolving cybersecurity threats include:

  • Malware — malicious software variants—such as worms, viruses, Trojans, and spyware—that provide unauthorized access or cause damage to a computer. Malware attacks are increasingly “fileless” and designed to get around familiar detection methods, such as antivirus tools, that scan for malicious file attachments.
  • Ransomware — a type of malware that locks down files, data or systems, and threatens to erase or destroy the data – or make private or sensitive data to the public – unless a ransom is paid to the cybercriminals who launched the attack. Recent ransomware attacks have targeted state and local governments, which are easier to breach than organizations and under pressure to pay ransoms in order to restore applications and web sites on which citizens rely.
  • Phishing / social engineering — a form of social engineering that tricks users into providing their own sensitive information. In phishing scams, emails or text messages appear to be from a known individual or legitimate company asking for sensitive information, such as credit card data or login information. The FBI has noted about a surge in pandemic-related phishing, tied to the growth of remote work.
  • Insider threats — Current or former employees, business partners, contractors, or anyone who has had access to systems or networks in the past can be considered an insider threat if they abuse their access permissions. Insider threats can be invisible to traditional security solutions like firewalls and intrusion detection systems, which focus on external threats.
  • Distributed denial-of-service (DDoS) attacks — attempts to crash a server, website or network by overloading it with traffic, usually from multiple coordinated systems. DDoS attacks overwhelm enterprise networks via the simple network management protocol (SNMP), used for modems, printers, switches, routers, and servers.
  • Advanced persistent threats (APTs) — an intruder or group of intruders infiltrate a system and remain undetected for an extended period. The intruder leaves networks and systems intact so that the intruder can spy on business activity and steal sensitive data while avoiding the activation of defensive countermeasures. The recent Solar Winds breach of United States government systems is an example of an APT.
  • Man-in-the-middle attacks — an eavesdropping attack, where a cybercriminal intercepts and relays messages between two parties in order to steal data. For example, on an unsecure Wi-Fi network, an attacker can intercept data being passed between guest’s device and the network.

A majority of Americans have moved their financial and daily lives online, and thus are more susceptible than ever to of cyber crime, malware and ransomware attacks.

As you might image, today’s world is more interconnected than ever before. Yet, for all its advantages, increased connectivity brings increased risk of theft, fraud, and abuse.

As Americans become more reliant on modern technology, we also become more vulnerable to cyberattacks and cybercrimes.

Every organization—large and small—must be prepared to respond to cybercrime and disruptive cyber incidents, explains the Cybersecurity and Infrastructure Security Agency (CISA). CISA leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.

CISA recommends all individuals and organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets, like a “zero trust strategy”.

A zero trust strategy assumes compromise and sets up controls to validate every user, device and connection into the business for authenticity and purpose. To be successful executing a zero trust strategy, organizations need a way to combine security information in order to generate the context (device security, location, etc.) that informs and enforces validation controls.


References:

  1. https://www.ibm.com/topics/cybersecurity
  2. https://www.cisa.gov/shields-up

Protect yourself from identity theft

Nearly 45 billion dollars were stolen from identity theft victims in 2020. LifeLock

Identity theft is one of the fastest growing financial crimes in America. Each year, millions of Americans discover that a criminal has fraudulently used their personal information to obtain goods and services and that they have become victims of identity theft.

A wide range of sensitive personal information can be used to commit identity theft, including a person’s name, address, date of birth, Social Security number (SSN), driver’s license number, credit card and bank account numbers, and phone numbers.

Once identity thieves have your personal information, they can drain your bank account, run up charges on your credit cards, open new utility accounts, or get medical treatment on your health insurance. An identity thief can file a tax refund in your name and get your refund. In some extreme cases, a thief might even give your name to the police during an arrest.

The most common form of identity theft involves the fraudulent use of a victim’s personal information for financial gain. According to the Federal Trade Commission’s Guide for Assisting Identity Theft Victims, there are two main types of financial frauds:

Using the victim’s existing credit, bank, or other accounts

  • A victim of existing account misuse often can resolve problems directly with the financial institution, which will consider the victim’s prior relationship with the institution and the victim’s typical spending and payment patterns.

Opening new accounts in the victim’s name

  • A victim of new account identity theft usually has no preexisting relationship with the creditor to help prove she is not responsible for the debts.
  • The new account usually is reported to one or more credit reporting agencies (CRA), where it then appears on the victim’s credit report. Since the thief does not pay the bills, the account goes to collections and appears as a bad debt on the victim’s credit report. Often, the victim does not discover the existence of the account until it is in collection.
  • The victim must prove to the creditor that she is not responsible for the account and clear the bad debt information from her credit report.

The primary tool for preventing criminals from opening additional new accounts in your name are to implement a fraud alert and credit freeze. In most cases, you should place an initial fraud alert on your credit report as quickly as possible after discovering that you have become an identity theft victim, or you realize that your sensitive personal information has been stolen. Once you implemented a fraud alert, you will have some time to consider whether to place an extended fraud alert or a credit freeze on your credit report. You also will be able to obtain a free credit report and review the report to see if it shows that there has been additional fraud by the criminal.

https://twitter.com/ebrownl33/status/146436870204497510

To prevent identity theft, it is critical to keep your personal information safe:

  • Shred financial documents and paperwork with personal information before you discard them.
  • Protect your Social Security number. Don’t carry your Social Security card in your wallet or write your Social Security number on a check. Provide it only when absolutely necessary. You may always ask to use another identifier.
  • Don’t provide personal information over the phone, through the mail, or over the Internet unless the party is known and reputable.
  • Never click on links sent in unsolicited e-mail messages.
  • Use firewalls, anti-spyware, and anti-virus software to protect your personal computer. Keep the protections up-to-date. Visit OnGuardOnline.gov for more information.
  • Don’t use an obvious password like your birth date, your mother’s maiden name, the last four digits of your Social Security number, or your phone number.
  • Keep all personal information in a secure place at home, especially if you have roommates or employ outside help.

Monitor your financial information regularly and request a free copy of your credit report annually. Review various financial accounts and statements, checking for the following:

  • Purchases that were not made by you
  • Bills that do not arrive as expected
  • Unexpected credit cards or account statements
  • Denials of credit for no apparent reason
  • Calls or letters about purchases you did not make

If identity theft is suspected, act quickly!

Identity theft victims have the right to block the reporting of information that resulted from identity theft. Credit reporting agencies (CRAs) are responsible for blocking fraudulent information from appearing in victims’ credit reports, but also to notify furnishers (creditors, debt collectors, and other companies that reported the information).

As the victim, you must provide the CRAs with the following information in writing:

  • a copy of an Identity Theft Report (filed with law enforcement). The Identity Theft Report is the primary tool for removing inaccurate identity theft-related information from your credit report.
  • a letter explaining what information is fraudulent as a result of identity theft
  • the letter should state that the information does not relate to any transaction that the consumer made or authorized
  • proof of identity, which may include the consumer’s Social Security number, name, address, and other personal information requested by the CRA

In summary, identity theft happens when someone steals your personal information to commit fraud. The criminals may use your information to apply for credit, file taxes, or get medical services. These acts can damage your credit status, and cost you time and money to restore your good name.

To Prevent Identity Theft

According to USA.gov, you should keep these tips in mind to protect yourself from identity theft:

  • Secure your Social Security number (SSN). Don’t carry your Social Security card in your wallet. Only give out your SSN when necessary.
  • Don’t share personal information (birthdate, Social Security number, or bank account number) because someone asks for it.
  • Collect mail every day. Place a hold on your mail when you are away from home for several days.
  • Pay attention to your billing cycles. If bills or financial statements are late, contact the sender.
  • Use the security features that can help protect the device and the information on it from threats and vulnerabilities on your mobile phone.
  • Update sharing and firewall settings that analyzes and blocks or allows information traveling between the internet and your computer based on a defined set of security rules.
  • Use a virtual private network (VPN) if you use a public wi-fi network A Virtual Private Network (VPN): a private network that connects your computer or mobile device to the internet and encrypts (codes) your information to protect your internet activity from monitoring or spying.
  • Review your credit card and bank account statements. Compare receipts with account statements. Watch for unauthorized transactions.
  • Shred receipts, credit offers, account statements, and expired credit cards. This can prevent “dumpster divers” from getting your personal information.
  • Store personal information in a safe and secure place.
  • Install firewalls and virus-detection software to prevent, detect, and remove malicious programs that have been placed on your computer to spy on you or to do damage to your computer.
  • Create complex passwords that identity thieves cannot guess. Change your passwords if a company that you do business with has a breach of its databases
  • Review your credit reports will show your bill payment history, current debt, and other financial information once a year. Be certain that they don’t include accounts that you have not opened. You can order it for free from Annualcreditreport.com.
  • Freeze your credit files with Equifax, Experian, Innovis, TransUnion, and the National Consumer Telecommunications and Utilities Exchange for free. Credit freezes prevent someone from applying for and getting approval for a credit account or utility services in your name.

You have limited liability for fraudulent debts caused by identity theft.

  • Under most state laws, you’re not responsible for any debt incurred on fraudulent new accounts opened in your name without your permission.
  • Under federal law, the amount you have to pay for unauthorized use of your credit card is limited to $50. If you report the loss to the credit card company before your credit card is used by a thief, you aren’t responsible for any unauthorized charges.
  • If your ATM or debit card is lost or stolen, you can limit your liability by reporting the loss immediately to your bank or credit union.
  • If someone makes unauthorized debits to your bank or credit union account using your debit card number (not your card), you aren’t responsible – if you report the problem within 60 days after they send your account statement showing the unauthorized debits.
  • Most state laws limit your liability for fraudulent checks issued on your bank or credit union account if you notify the bank or credit union promptly.

References:

  1. https://www.identitytheft.gov/#/
  2. https://www.consumer.ftc.gov/articles/pdf-0119-guide-assisting-id-theft-victims.pdf
  3. https://www.usa.gov/identity-theft

Preventing Scams and Cybercrime

Fraudsters and cybercriminals are getting sneakier – sometimes even claiming to be your bank or financial institution. Outsmart scammers with these tips.

With more than 2 billion people worldwide accessing the internet through smartphones, hackers have never had greater incentive to devise new scams. Getting scammed is an unpleasant experience, but you can be one step ahead.

For example, you look at your phone and you have a new text message saying it is from your bank or financial institution. The message tells you to click this link and download a new app to secure your identity or customer account. It’s strange because you’ve never received a text from your bank at this number before, and you already have your bank’s app downloaded, or at least you thought?

STOP! Don’t click that link. There are a number of red flags to watch out for to recognize a phishing attack. Although this trick is commonly employed over email, savvy thieves are now trying to install ransomware or steal your financial or personal information by impersonating a bank, credit card company or service provider by phone calls or even text messages. Phishing is when a fraudster tricks a consumer into providing their personal information through a fake app or website. The site may appear have a copy of your bank’s or another company’s logo and appears legit. So how do you tell it’s not?

  • With increasing number of cases related to cyber frauds or online scams, it’s recommended that you follow these tips to detect a scam by text and protect your identity:
    • Check the number and search for how your bank has texted you in the past. Are they different? Don’t click the link!
      Is this message irregular? If you have not recently conducted business, used your cards or logged into your bank via the app, mobile or desktop, it may feel out of context to be receiving this request. Don’t click it!
      Are they using the right terminology for you and your account? Does your bank refer to you as a member but this text message says “customer.” Don’t click it!

    REMEMBER: Do not download any software or click on unknown links sent to you by email or text! Banks will typically never ask you to download software in an email or while you are on the phone with us..

    Emails

    There are some easy ways to ensure the email is from bank. Bank emails typically include a Security Zone to help you distinguish a legitimate email from a fraudulent one. Here is what to look for to help identify authentic emails:

    • Always hover over the sender’s email address to verify who it is from. Banks will only send emails from an address that clearly indicates it is from your bank.
    • To be effective, you must verify the spelling of your first and last name and the accuracy of the last four digits of your USAA member number every time you receive an email from USAA.

    Phone Calls

    RING, RING, RING

    The caller ID says your bank across the top. It’s not a 1-800 or a 1-877 number, but when you answer, the caller says they are with your bank and now asks for your customer service identification number to verify you. The caller may offer to assist with installing software you need for your financial services … what do you do?

    STOP! Don’t share your personal information before verifying the caller. If your bank is calling you, they typically will never ask for your “customer” identification number, credit card number or other personal information.

    Follow these tips to detect a scam by a phone call and protect your identity:

    • Do not share security or personal data: Your bank will never call you and then ask you for your one-time verification code, PIN, password or other personal identification details.
    • Always realize that you can call your bank to determine if any request for information is valid. When you call us, know that we’ll use the multifactor identification code from your phone to verify you.

    “Grandpa, I need your help. My car won’t start. Please send me money using this app…” OR

    “Hi, how are you? I can’t deposit any money into my bank account because I am deployed. Can you send me some money for my phone card so we can continue talking? I really miss you.”

    STOP! Imposters have many tricks up their sleeves when they are trying to access your information or steal your assets. As discussed above, it could be by impersonating a company through a phone call, email or text, but now they are even trying to contact you on third-party social platforms, like Facebook or Twitter, or through dating apps and sites.

    Follow these tips to avoid a grandparent or romance scam:  

    • Never send money to someone you don’t know in real life, especially using a third-party app like Zelle, CashApp, etc.
    • If someone claims to be a family member, verify with that family member by calling them directly! If you think your grandson needs help, call him or call his parents before sending money unintentionally to a scammer.
    • Do your research. If you are getting to know someone online, make sure you look them up, validate they are who they say they are. Some also claim to not have access to common resources overseas because they are serving, which is often untrue.

    If any of these situations should happen to you, reach out for advice before giving out any personal information. And, if you get a suspicious email, text, instant message or phone call, you can report it to your bank or to the Federal Trade Commission at ftc.gov/complaint.

    If a scam does trip you up in real life, get help! The FBI has an Internet Crime Complaint Center at ic3.gov. You can also report identity theft to the Federal Trade Commission to 1-877-ID-THEFT (84338).

    There are also some easy ways to ensure a text message is from your bank.  Based on your request, many banks may send a one-time code as part of its multi-factor authentication process. If you suspect fraud, you should:

    •  REPORT! Even if you didn’t share personal information or click a questionable link, if you suspect fraud, let us know so we can help prevent it to protect you and other members in the future.
    • If you receive a suspicious call from someone claiming to be your bank and is requesting account information or security credential information, hang up immediately!
    • If you provided any personal identifiable information prior to hanging up, alert your bank.
    • If you did not provide any information, you should still send an email to your bank reporting the phone number or text message and message details. This helps them to actively work to shut down fraudulent callers, sites and emails.

    Imposters can come from the least expected places and they are constantly changing their tactics. That’s why it is so important to always be on alert. While financial institutions can use sophisticated detection processes, they are most effective in fighting fraud when they work together with their customers.

     

    Cyber Security Awareness: Ransomware

    “Organizations and consumers are frequently exposed to the clear and present danger of sophisticated phishing and ransomware cyber attacks.”

    Over the last several years, ransomware has remained a “clear and present” cyber security threat for organizations and individuals around the world. As companies have gone increasingly digital, cyber criminals have sought to maximize their profits by exploiting the vulnerabilities that come with a rapidly expanding cyber ecosystem.

    Global cyber threats include ransomware, common hacks such as phishing and malware, or complex state- sponsored spying efforts like with SolarWinds. And, the frequency of today’s cyber attacks is growing and compelling companies to secure their networks with the most modern threat detection technology.

    Ransomware is a malware that infects computers (and mobile devices) and restricts their access to files, often threatening permanent data destruction unless a ransom is paid. It has reached epidemic proportions globally. According to the Cybersecurity and Infrastructure Assurance Agency (CISA): “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”

    These cyber attacks against U.S. companies and organizations result in shutdown of critical infrastructure, which can create shortages, increased cost of goods/services, financial loss due to shutdown of operations, and loss of money due to having to pay the ransom to the hackers, and worse.

    Ransomware costs include ransom payouts, damage and destruction (or loss) of data, downtime, lost productivity, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hostage data and systems, reputational harm, and employee training in direct response to the ransomware attacks.

    Source: Cybersecurity Ventures

    For example, the DarkSide hacker gang is an organized group of hackers set up along the “ransomware as a service” business model, meaning they develop and market ransomware hacking tools, and sell them to other cyber criminals who then carry out cyber attacks. Additionally, DarkSide steals private data and threaten to make it public unless the victim pays a large sum of money — typically in the range of $200,000 to $2 million, according to CNBC. The FBI has determined that DarkSide was behind the devastating Colonial Pipeline ransomware cyber attack which targeted the company’s billing system and internal business network. Subsequently, the company reportedly paid out $4.4 million dollars in bitcoin. Fortunately, US law enforcement was able to recover much of the $4.4 million ransom payment.

    Human element

    “Ransomware is expected to attack a business every 11 seconds by the end of 2021.” Steve Morgan, Editor-in-Chief, Cybersecurity Ventures

    Ransomware still uses social engineering as its main infection vector,” says KnowBe4’s Sjouwerman. “Some 91% of cyberattacks begin with a “spear phishing” email, according to research from security software firm Trend Micro.

    Spear phishing is an increasingly common form of phishing that makes use of information about a target to make attacks more specific,sophisticated and “personal”. These attacks may, for instance, refer to their targets by their specific name or job position, instead of using generic titles like in broader phishing campaigns.

    According to research firm Cybersecurity Ventures, ransomware damages will reach $20 billion this year, up more than 100% from 2018 and 57 times higher than in 2015.

    As cyber attacks and ransomware continues to grow in frequency and severity, it’s essential that individuals receive security awareness training that specializes in making sure they understand the mechanisms of spam, phishing, spear phishing, malware, ransomware and social engineering and apply this knowledge in their day-to-day online activities.

    Additionally, it’s imperative that organizations employ an endpoint detection and response (EDR) tool which can provide the visibility and cyber protection that organizations need.


    References:

    1. https://www.cnbc.com/2021/05/27/cybereason-ceo-was-in-israel-bomb-shelter-telling-world-about-darkside.html
    2. https://blog.knowbe4.com/bid/252429/91-of-cyberattacks-begin-with-spear-phishing-email
    3. https://illinois.touro.edu/news/the-10-biggest-ransomware-attacks-of-2021.php
    4. https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-20-billion-usd-by-2021/
    5. https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/

    Avoid These 3 Cybersecurity Mistakes

    CISA warns of risky behaviours that leave networks exposed to cyberattacks

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA), which leads the national effort to protect and enhance the resilience of the nation’s physical and cyber infrastructure, warns that “”exceptionally risky” [cyber] behaviors that can put critical infrastructure at extra risk of falling victim to cyberattacks”.

    The three cyber security mistakes and behaviors to avoid are:

    1. Using unsupported software,
    2. Allowing the use of default usernames and passwords, and
    3. Using single-factor authentication for remote or administrative access to systems

    According to CISA, these are all dangerous behaviors when it comes to cybersecurity and should be avoided by all organizations.

    Using multi-factor authentication can help disrupt over 99% of cyberattacks. Microsoft

    Use of single-factor authentication – where users only need to enter a username and password – was recently added to the list of risky behaviors. CISA warned that single-factor authentication for remote or administrative access to systems supporting the operation of critical infrastructure “is dangerous and significantly elevates risk to national security”.

    Microsoft says that users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks.

    Change default passwords as soon as possible, and use a sufficiently strong and unique password. CISA

    CISA describes that using fixed or default passwords as “dangerous” and should be avoided at all cost. Default or simple passwords are good for cyber criminals because there’s a much higher chance of them being able to simply guess passwords to compromise accounts.

    CISA also warns against the use of passwords that are known to have been breached previously, as that means they also provide cyber criminals with a simple means of gaining access to networks.

    One in three breaches are caused by unpatched vulnerabilities. ZDNet

    Finally, CISA warns that the use of unsupported or end-of-life software in critical infrastructure. By using software or operating systems that no longer receive security patches or updates, there’s the risk that cyber criminals could exploit newly discovered security vulnerabilities that emerge because old software often doesn’t receive security patches.

    The 2017 WannaCry ransomware attack stands a shining example of what can go wrong when patches aren’t applied. While a patch for the vulnerability exploited by the ransomware had existed for several months, many organizations failed to install the it.

    Takeaway

    Reducing your organization’s cyber risks requires a holistic approach. CISA

    Avoiding the use of single-factor authentication, default passwords and unsupported software will also help protect you and others from falling victim to cyberattacks.

    To reduce risks, here are three cyber security actions that organizations should do first:

    • Backup Data – Employ a backup solution that automatically and continuously backs up critical data and system configurations.
    • Multi-factor Authentication – Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative and remote access users.
    • Security Patch and Update Management – Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.

    References:

    1. https://www.zdnet.com/article/dont-want-to-get-hacked-then-avoid-these-three-exceptionally-dangerous-cybersecurity-mistakes/
    2. https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/
    3. https://us-cert.cisa.gov/ncas/alerts/TA13-175A
    4. https://www.cisa.gov/sites/default/files/publications/Cyber%20Essentials%20Starter%20Kit_03.12.2021_508_0.pdf

    T-Mobile Data Breach – Was Your Digital Data Compromised

    T-Mobile confirmed that its customers’ data had been accessed without authorization in a breach that may impact more than 100 million of its users.

    According to an underground forum post, the data for sale includes social security numbers, phone numbers, names, physical addresses, IMEI numbers, and driver licenses information.

    T-Mobile is conducting an extensive analysis alongside digital forensic experts to understand the severity of the breach, and they’re coordinating with law enforcement.

    This is the third time in recent years that a data breach has hit the wireless carrier.

    Have You Been Pwned

    Have you been affected by a past or recent data breach? Fortunately, you can minimize your chances of getting “pwned” in the future by using https://haveibeenpwned.com/, a free tool created by Troy Hunt, a Microsoft Regional Director and Most Valuable Professional awardee for Developer Security.

    The word “pwned” has origins in video game culture and is a derivation of the word “owned”, due to the proximity of the “o” and “p” keys. It’s typically used to imply that someone has been controlled or compromised, for example “I was pwned in the Adobe data breach”.

    The “Have I Been Pwned” (HIBP) site can reveal whether your log-in credentials, financial data, or other details have been stolen or leaked online, and send email alerts about new data breaches.

    Consumer Reports

    To tighten up your digital security, it’s important to know which of your accounts have been affected. That’s a task you can accomplish at the free site “Have I Been Pwned”, a resource that is widely recommended by security experts and by Consumers Reports. (The term “pwn” is hacker jargon for compromising or taking control of a computer or an application.)

    Consumer Reports has been steering people to Have I Been Pwned for years, and the site has gradually become more robust, adding features and expanding its records of compromised data.

    Data breaches are rampant and many people don’t appreciate the scale or frequency with which they occurred, according to HIBP. By aggregating the data helps victims learn of compromises of their accounts, but also highlights the severity of the risks of online attacks on today’s internet.


    Reference:

    1. https://www.macrumors.com/2021/08/16/t-mobile-data-breach
    2. https://www.consumerreports.org/data-theft/how-to-use-have-i-been-pwned-data-breach-a6598286668
    3. https://haveibeenpwned.com/