Tag Archives: security awareness

Keep your Security Awareness Material Updated

Expanding and updating your security awareness program needs to be done on a consistent basis to keep the materials fresh and to educate users on what the latest threats are. One topic you may wish to consider in your next presentation / training material is the increased frequency of “vishing” or voice phishing attempts.

This is not a new scam per se, but most of your users have most likely received calls from “Microsoft Technical Support Representatives” who try to get people to install malicious software or request credit card information so they can bill for false services. In fact, in a study conducted by Microsoft, 22% of people that were called by phony support technicians fell for the scam.

See complete article here

At the recent Defcon conference, a social-engineering capture-the-flag contest captured information about a store, such as its janitorial contractor and hours of breaks, and even got the store manager to log on to an external website to fill out a survey about an upcoming visit.

See complete article here 

We at NCI have also recently been made aware of a scam whereby cybercriminals are calling people, indicating that they are responding on behalf of NCI and that they have had a cyber-security breach, and asking them to provide sensitive information in order to protect themselves.

Please see our information bulletin here

Social engineering is one of the greatest risks to businesses today and the only defense is constant education and awareness programs.

Please contact NCI to schedule a free 1-hr executive education session delivered by our CIO – Eugene Ng to help you garner awareness throughout your organization.

For more information please contact your NCI rep.


Pay Attention!

Preying on quick decisions…pay attention!

I was travelling recently to our nation’s capital for a security conference (there’ll be another article on this topic) and most of my communication was through my mobile device. I was quickly scanning my emails when the following LinkedIn invitation came through:

Most enterprise organizations have fairly sophisticated email filters today but the odd phishing, malware-link infested message does find its way through. When I receive a suspicious email, I typically look at the telltale signs of a fraudulent email – do I know the sender, who is it being sent to, do I recognize the organization.   As you can see from the screenshot above, all of the basic checks passed.  Our security awareness training teaches people to hover over the links to see where you’re actually connecting to.  However, on a mobile device, it’s not quite as easy – with all our fancy touch screens it’s sometimes difficult to select a hyperlink and browse the final destination.  I was able to determine the final destination of the hyperlink via my handheld but it made me wonder, would other people be so diligent? 

Remember the good old days when some prince in Africa wanted to transfer funds, the email body was written in horrible English, and the sender would be some bizarre fellow with a name you’d never heard of? Today’s email phishing attacks and malware link laden emails are getting quite sophisticated – pay attention…you never know when an email such as this finds itself in your inbox.

Eugene Ng 


Wireless Hacking with Fruit

A while back I delivered a short wireless security presentation, at a Toastmasters meeting, designed to explain a technical subject to a non-technical audience. The presentation went well enough that I’ve decided to record a modified version to place here.

This video is a very high-level explanation of how wireless networks operate. This is by design as I want to keep the information accessible to everyone and not just to those individuals who already have a deep technical understanding of wireless networking and information security.

Dan C.

Do you have additional tips for protecting yourself from this type of wireless attack? Leave your tip in the comments section and, as always, please be sure to share this post with anybody you think would benefit from viewing it.

Mobile Troubles

The growth of mobile phone usage seems to be rapidly outpacing the growth of mobile security adoption. For instance, how many people are running anti-virus (AV) software on their laptops and desktops? And now how many are running AV on their mobile phone? There are several free anti-virus applications available for most platforms, including laptops, desktops, tablets or even smartphones. An informal poll conducted by SANS in July 2010 found that approximately 85% of smart phones did not have any AV installed. Of the 14% who did have AV installed, 18% had reported finding malware.

The thing I found strange about this poll is that security has seen improvements on the laptop/desktop side, yet our mobile devices have a fair bit more exposure and are left vulnerable. In 2010, Android had seen several firsts: SMS Trojan, Botnet, Monitored GPS, and even a Bank Phishing application. These firsts signal a dramatic increase of malware on the Android platform. One report, by McAfee, stated that the rise since last quarter was 76%.

Android is not the only mobile platform that is susceptible. Research has shown that there is a positive correlation between the popularity of the device/operating system and the infection rate. This correlation is similar to that seen in the PC world and the same is true for the techniques that are being used to infect the victims. One of the largest threat vectors I can think of is the large volume of applications within the app stores. With such an influx of new apps, it is hard to ensure that each one is safe.

You may wish to thank me for a sleepless night, but you already know how to protect yourself because mobile phones are just small computers. So you should start by doing the same things you do on your laptops and desktops. First, get some basic AV installed from a reputable source. Second, perform some research before installing any apps on your phone. If you are uncertain of the source then maybe it is not worth the risk. After all, an ounce of prevention is worth a pound of cure.

Joe O.

What do you do to protect your mobile phone from malware? Share your thoughts and techniques in our comments section.

A New Dad’s Perplexed Ramblings on Internet Security

I recently had the pleasure of becoming a new father, complete with all the joys of sleepless nights, diaper changing, and the almost-complete loss of personal time. One thing I’ve learned since we got the good news is that you will never stop worrying about your children, no matter what age, and no matter where they are.

As a security professional, I am dreading what is going to happen when my child starts peeling back the proverbial onion that is the Internet. In the past, I always had a very strong stance on how I would monitor my children’s activity on the Internet, and it was to monitor everything. I wanted email alerts for keywords, URL filtering with daily reports, and emails of chat logs each night. That would be a good start, right? 

Since looking into the adoring eyes of my first child, however, I have had to ask myself some morality questions. How do you know when you’re going too far?  When do these protections change from monitoring into spying? Will all of these protections affect my child negatively instead of positively in the end?  Will I be using my child’s future education funds to maintain all these protections?

These questions (and many others) have caused me to look at how businesses handle the same issues and whether their solutions can translate to the home front.  No, I’m not talking about writing a security policy for usage of family computers and the Internet.  The best proactive deterrent in business is education.  Educate your staff (my children in this case) about the dangers of the Internet, appropriate surfing, what to look out for, and what to do if you think something bad has happened.  Without education, we really are just letting ourselves bang our heads against the wall of overprotection, and – let’s face it – that hurts our heads and our wallets!  All of this being said, there is still a time and a place for a little additional protection to ensure that some of our more deviant staff (or teenagers) are kept in check.  

Speaking of teenagers, does anyone have a manual?

Finding yourself in the same predicament? Check out our post on Child Safety Resources Online.

Why Security Awareness Training Isn’t Enough

More often than not, organizations make the mistake of confusing security awareness training with a security awareness program. The two terms appear remarkably similar but are actually very different.

Security awareness training is a course designed to increase knowledge of security best-practices or procedures for employees. These courses can be instructor-led, self-paced, online, or a combination of all three. Like all courses, they all have a finite duration and employees earn a grade or a shiny check mark indicating completion. Security awareness training should be considered a small piece of an overall security awareness program.

Is Your Personal Information Safe?

Security awareness is not solely relegated to computers. Identity theft is one area that individuals need to be aware of. We tend to forget the simple things we need to do. Did you move recently? Have you advised your employer? Your former employer? So many times, individuals forget to communicate these changes. Then your employer or former employer sends your T4 information to your former address, the one they have on file. Presto! Your personal financial information and your social insurance number are in the hands of a stranger. T4 season is on the way. Are you prepared?

You carry a lot of information in your wallet. Your social insurance number and your birth certificate are items that should be stored in a safe place; that is not your wallet.  These two items can be used to create an entirely new identity with your personal data. It is extremely difficult to correct the situation. Why even take the chance? 

While people may have skills to locate your information, why give it to them freely? So many people just toss out bills, credit card statements, pay and bank statements into the trash. Investing in a shredder, which is a relatively small cost, may prevent your personal data being obtained, which is a much greater cost.

A couple of little things to think about to help keep your personal information personal.


Do you have any simple tips or tricks that you use to help protect your personal information? Leave a comment, we’d love to hear them.

Social Engineering Primer: Introduction

Security awareness is crucial for organizations as technical controls can only offer protection to a certain degree. In targeted attacks, organizations may find that attackers do not only attempt to penetrate an organization by way of technical control bypass or exploitation, but also by exploitation of employees; in the security industry, we refer to this skill set as social engineering. Social engineering, for lack of a better explanation, can be summarized as manipulation of individuals to attain an end goal that is usually not aligned with the victim’s best interests. In other words, social engineering is crafty lying with a technical focus on psychological human behavior. Before we go on to discuss the impact of social engineering on organizations, it is worthwhile to discuss the mechanics of social engineering.

Primarily, social engineering relies on the use of cognitive biases to manipulate victims into disclosing information or performing actions for the social engineer that are typically against their best interests or at least not something the individual would perform without manipulation. For the not so psychologically inclined, a cognitive bias is essentially the human tendency to make systematic errors in reasoning. Now that we have an idea of what social engineering is, we can explore common attack vectors and techniques employed by social engineers in the next few blog entries to come.


(Editor’s Note: This is Part 1 of a 5 part series on social engineering.)