What businesses can learn from armadillos, seahorses, and zebras.

By Giles Witherspoon-Boyd

Hackers are a lot like predators in the wild. After finding an unsuspecting animal, nature’s hunters test their victim for weaknesses before taking it down. Just like nature’s hunters, hackers aren’t looking for a challenge. They’re looking for an easy target. Unfortunately, it seems as if hackers are always one step ahead. So how do you avoid becoming dinner? Take a clue from nature. It’s all about defense mechanisms.

1. The Lookout

Dwarf mongooses post sentries that stand on their hind legs to watch for birds (their main predator). When a bird is sighted, they send a warning call to the others and run to safety.

Just like the sentries that stand outside dwarf mongoose burrows, businesses have file integrity monitoring and log monitoring software. Log monitoring systems collect and store logs: records of actions inside an operating system (e.g., renaming a file, opening an application). Some systems have a real-time reporting feature (like the dwarf mongoose call) that alerts you via email or text of suspicious activity.

Reviewing logs on a regular basis helps identify malicious attacks on your system. According to the PCI DSS, businesses are supposed to have 12 months of logs stored, with 3 months readily available. Systems that have log monitoring capabilities include operating systems, Internet browsers, point of sale systems, firewalls, and intrusion detection systems (IDS). Some systems do not enable logging automatically (e.g., Windows XP out of the box has logging turned off).

2. The Upgrader

In the animal kingdom, bigger is often better. A larger, stronger set of antlers helps white-tailed bucks successfully battle other males during mating season. Every year, they shed their antlers to grow bigger ones for the next season.

Just as deer upgrade their antlers, you should be regularly updating your software to make sure it has the most up-to-date patches for security vulnerabilities. Devices and software that should be regularly updated include operating systems, anti-virus software, POS terminals, firewalls, intrusion detection systems (IDS), mobile devices, Internet browsers, application software, and more.

3. The Hider

Everyone knows that chameleons change colors to match their environment so that attackers pass them over. But so do seahorses, cuttlefish, octopuses, and dozens of other animals. Changing colors is a great defense mechanism for animals without strength or stamina.

Just like these animals hide their vulnerable bodies, it’s important for you to hide what’s most important to your business: customer credit card data. Did you know 63% of businesses store unencrypted card data? If a credit card number isn’t encrypted, it’s completely exposed on your network, with no camouflage protecting it from predators snooping around. Encryption is the best way to hide data, but by finding and deleting unnecessary data, you have nothing to hide. After all, hackers can’t steal what isn’t there.

4. The Tank

Some animals undergo structural changes to protect their bodies from predators. Take the thick skin of the armadillo. It’s made of an armor-like substance, and the armadillo can roll into an indestructible ball if it is threatened.

The structural change businesses should use to protect themselves is a firewall, both software and hardware. Like a security guard, a properly configured firewall controls what goes into, and what comes out of, your business.

See also: How Does a Firewall Protect a Business?

5. The Trickster

Zebras use their striped pattern as an optical illusion to confuse predators. Because each zebra has a unique striped pattern, it’s difficult for predators to single one out.

Businesses should apply the zebra strategy to passwords. Each network, device, and user should have a unique username and password. In addition, make sure each of those unique passwords is difficult to guess. The easiest way to create a tricky password is to create a passphrase. Anyone love Corey Hart’s 1980s hit, “I wear my sunglasses at night”? If you do, good. If not, too bad. It’s turning into my example passphrase. To create a complex passphrase, take the first letter of each word, and substitute special characters and numbers where you can.

I wear my sunglasses at night –> Iwmsg@n1980!

6. The Teacher

In a recent study on lion cubs, researchers learned that lions aren’t born with a natural fear of humans. They learn it from their mothers and the rest of the pride. For a species like lions to continue to prosper, their defense mechanism is to quickly teach their young to avoid other species that could harm them, a.k.a. humans.

Training is a crucial security strategy. I can’t count how many compromises could have been prevented if staff had simply been educated on the dangers of hackers. Business owners, IT staff, and managers must train staff members on physical security, phishing, passwords, policies, etc., so they can take the necessary steps to protect the business.

7. The Intimidator

Have you ever seen a lizard do a pushup? Those lizards are showing their strength to intimidate predators. Do you know the reason gazelles jump so high? It’s to demonstrate their ability to outrun pursuers. You know those lizards that flare extra skin around their neck when they are threatened? By doing so, they appear larger and more threatening to those that may try to eat them.

With nothing but their body language, animals signal to predators, “Attacking me is not worth your time. So don’t even try.”

While it’s difficult to show a hacker just how strong your business security posture is, the best all-around way to maintain solid security is by complying with the PCI DSS. That means going through each section of the Self-Assessment Questionnaire (SAQ) and ensuring your organization’s compliance with all the requirements.

See also: Which PCI SAQ is Right for My Business?

Giles Witherspoon-Boyd (PCIP) is Enterprise Account Manager at SecurityMetrics and assists businesses in defining their PCI DSS scope.
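The log review that section 1, The Lookout, describes can be sketched in code. The following is an added example, not code from the post or from SecurityMetrics: it parses a handful of constructed log lines in a made-up "timestamp | source | user | event" format and raises the kind of alert a real-time log monitor would send (repeated failed logins from one source, an administrator logging in at an odd hour, and a new account being created). The format, the thresholds, the business-hours window and the sample lines are all assumptions made for this example.

```python
"""Added example (not from the SecurityMetrics post): a minimal log review
that flags the kind of activity the 'Lookout' section says log monitoring
should surface. The log format and sample lines below are constructed for
this example; real systems use their own formats and need their own parser."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simple "timestamp | source | user | event" format.
SAMPLE_LOG = """\
2024-03-02T01:12:05 | 203.0.113.7 | admin | LOGIN_FAILED
2024-03-02T01:12:09 | 203.0.113.7 | admin | LOGIN_FAILED
2024-03-02T01:12:14 | 203.0.113.7 | admin | LOGIN_FAILED
2024-03-02T01:12:20 | 203.0.113.7 | admin | LOGIN_FAILED
2024-03-02T01:12:31 | 203.0.113.7 | admin | LOGIN_FAILED
2024-03-02T01:12:40 | 203.0.113.7 | admin | LOGIN_OK
2024-03-02T01:13:02 | 203.0.113.7 | admin | USER_CREATED svc_backup2
2024-03-02T09:00:11 | 192.0.2.44 | cashier1 | LOGIN_OK
2024-03-02T09:01:30 | 192.0.2.44 | cashier1 | FILE_RENAMED sales.csv->sales_old.csv
2024-03-02T09:05:00 | 192.0.2.45 | cashier2 | LOGIN_FAILED
2024-03-02T09:05:20 | 192.0.2.45 | cashier2 | LOGIN_OK
"""

# Thresholds are assumptions for the example; tune them to your own environment.
FAILED_LOGIN_THRESHOLD = 5              # failures from one source within the window
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 22)           # 07:00-21:59 local; anything else is "off hours"
SENSITIVE_EVENTS = ("USER_CREATED", "LOGGING_DISABLED")


def parse_log(text):
    """Turn the log text into a list of (time, source, user, event) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, event = (part.strip() for part in line.split("|", 3))
        entries.append((datetime.fromisoformat(ts), source, user, event))
    return entries


def find_bruteforce(entries):
    """Sources with at least FAILED_LOGIN_THRESHOLD failed logins inside the window."""
    failures = defaultdict(list)
    for ts, source, _user, event in entries:
        if event == "LOGIN_FAILED":
            failures[source].append(ts)
    flagged = []
    for source, times in failures.items():
        times.sort()
        for i in range(len(times)):
            window_end = times[i] + FAILED_LOGIN_WINDOW
            if sum(1 for t in times[i:] if t <= window_end) >= FAILED_LOGIN_THRESHOLD:
                flagged.append(source)
                break
    return flagged


def find_off_hours_admin(entries):
    """Successful admin logins outside business hours."""
    return [(ts.isoformat(), source) for ts, source, user, event in entries
            if user == "admin" and event == "LOGIN_OK" and ts.hour not in BUSINESS_HOURS]


def find_sensitive_changes(entries):
    """Account or audit-setting changes that always deserve a human look."""
    return [(ts.isoformat(), user, event) for ts, _source, user, event in entries
            if event.split(" ", 1)[0] in SENSITIVE_EVENTS]


def review(text):
    """Run every check and return the list of alert strings (the 'warning call')."""
    entries = parse_log(text)
    alerts = []
    for source in find_bruteforce(entries):
        alerts.append(f"brute force: {source} hit {FAILED_LOGIN_THRESHOLD}+ failed logins "
                      f"within {FAILED_LOGIN_WINDOW}")
    for ts, source in find_off_hours_admin(entries):
        alerts.append(f"off-hours admin login from {source} at {ts}")
    for ts, user, event in find_sensitive_changes(entries):
        alerts.append(f"sensitive change by {user} at {ts}: {event}")
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print("ALERT:", alert)
```

Run directly, it prints three alerts for the sample log. Real systems keep their own formats (Windows Event Log, syslog, a POS vendor's audit file), so the parser is the part that changes; the checks, and the habit of reviewing their output on a schedule rather than only when something has already gone wrong, carry over. The raw entries still need to be retained for the period the PCI DSS sets out, independent of what a script like this chooses to flag.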
After all, gullible employees lead to security breaches.

By Brand Barney

Humans want to trust other humans. If I struck up a conversation with a gentleman in a suit at the bus stop who explained his life story, why would I distrust him? We all have a natural tendency to believe what trustworthy-looking people tell us. And that’s what gets us in trouble.

What is social engineering?

Social engineering is a way of manipulating people socially so that they trust the social engineer and eventually provide some sort of usable data. For instance, instead of trying to find software vulnerabilities to exploit for sensitive data, a social engineer might try to trick someone into divulging an administrative password without realizing it.

Have you ever seen the crime drama Catch Me If You Can? Frank Abagnale, the main character, is a master of social engineering. He convinces people he’s an airline pilot, doctor, and attorney by forging documents and acting like he belongs. The scary thing is, it’s a true story.

What’s the problem with social engineering?
© SecurityMetrics | www.securitymetrics.com/pci | 801.705.5665 |
Video transcript:

Hey guys, and welcome back to the SecurityQ, your source for business data security. Today on the SecurityQ, we’re back with part two of social engineering. Alright guys. Last time on the SecurityQ, we talked a little about social engineering and I showed you a pretty sweet example. But today I interviewed two security experts: an auditor and a forensics investigator. Here’s what they had to say about social engineering.

Social engineering, the part that frustrated us was how easy it was to do this with customers. We’d say, hey, we’re here to work on your network or work on your computers, can you show me to your server room? And they’d lead us right back there. They wouldn’t ask us; you should know the password, and I’m gonna give it to you. They’d just give us the password. We would send a letter later on and tell them how easy it was to get inside. They’re always quite surprised. Usually when you go to a company they feel like their people are trained very well. I’ve worked at customer sites where they’ve been really secure and they’ve done a much better job. But by far, most companies are lax on their rules and people need better training.

There’s another way that’s kind of unusual, that merchants really need to be on guard for the social engineer. For example, there was an investigation we were involved in where this guy had very limited IT skills, but he knew how to talk. He simply opened up the yellow pages and started calling all the restaurants in a particular chain that were in this area. He said, I have to do some system maintenance and I can walk you right through it. We’ll do it together over the phone. He enabled a remote session with them and, virtually while he was on the phone with the manager, installed malware.

Alright guys, I’ve said it before and I’m gonna say it again. You may have the best technology on the face of the planet, but if you don’t protect yourself from the social threat, you’re leaving your business wide open. Our advice? Train your employees against the social threat and remember to always prepare, because your security matters. Well guys, that’s all the time we have today on the SecurityQ. But as always, we want to hear from you. So post your questions in the comments below and don’t forget to subscribe. See ya next time on the SecurityQ.

Here are some common ways social engineers try to socially engineer us:

- Steal badges and credentials from unlocked cars
- Go to the local donation store and buy old company T-shirts
- Pose as janitorial staff to get into a building
- “Can you hold the door for me? I don’t have my badge.”
- Pose as an IT person who needs to fix the network
- Try unlocked doors around the back side of buildings
- Pose as law enforcement conducting an inspection
- Dumpster dive for sensitive documents

Here’s what happens when I try to socially engineer someone.
Video transcript:

Hey guys, welcome back to the SecurityQ, your source for business data security. Today on the SecurityQ, we’re gonna discuss one topic: the social threat to your business.

Here’s the game, if you don’t mind if I try. Out of the things you have inside, which would you say would be most valuable? The thing inside your pockets. We’ll take your front pocket here, do you have something inside? You don’t mind if I bring this out in public, do you? I believe that’s really strange. So, you have anything else?

Okay guys, so we just saw a pretty sweet video of a social engineer, or a con man, stealing personal items from a guy. I have to tell you, I’m quite impressed with his skill. Now a lot of businesses ask me, what is a social engineer and how does that apply to my business? The truth is, a social engineer is somebody that uses social interaction to steal data. It could be personal, that data could be physical, that data could be coming from your trash can. It’s data they want. And they’re gonna use any and all tactics to get that data. Now I’m gonna show you what social engineering looks like at an actual business, and I’m personally going to do it. Jive Communications, Voice over IP made affordable and reliable, has graciously given us permission to run a simulation. Everyone involved is an actor.

Hi, how are you? My name is Brandon Barney and I’m the IT director upstairs. I was monitoring our logs this weekend, and it looked like your Wi-Fi was bleeding into ours. If I could jump onto your computer systems real quick and make sure that’s not the case, I’d sure appreciate it.

This employee has one of two choices. They’re either going to completely fold and give me access to the network, or they’re gonna shut me down. The question is, what are you and your employees going to do? If you’re looking for information or tactics used by these criminals, check out the link for information from PC World. Our advice? Train your employees and test them. There are lots of professionals out there that can assist you in doing this. Remember, your security matters. Well guys, that’s all the time we have for today on the SecurityQ. If you’re looking for detailed information on social engineering, I’m going to be posting a pretty sweet video response. Remember, we want to hear from you, so post your questions in the comments below, and don’t forget to subscribe. See you next time on the SecurityQ.

How to avoid being a victim of social engineering

The best way to avoid being socially engineered is by educating yourself and your employees. Here are some points you should touch on during training:

- You should be slightly paranoid (better to be safe than sorry).
- Social engineers don’t sneak around. They’re confident and friendly. They look like they belong. Don’t be pressured by their convincing ways.
- Never give out your username/password, badge, PIN, ID number, credit card, or schedule. In essence, never give out sensitive information about you or your company.
- Ask for a contact to verify why the person needs the information they’re asking for.
- Don’t hold secure doors open for people you don’t know.

The only way to identify whether your employees have soaked in all that social engineering knowledge is to test them. You can don a disguise and test them yourself, or enlist the help of a social engineering professional (also called a pen tester) to come onsite and test your employees, experiment with your physical security, and see what interesting information they can find in your trash cans.

Brand Barney (CISSP) is an Associate Security Analyst at SecurityMetrics and has over 10 years of compliance, data security, and database management experience.
“You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time.” –Abraham Lincoln

By David Ellis

Are you sure that email from UPS is actually from UPS? (Or Costco, Best Buy, or the myriad of unsolicited emails you receive every day?) Companies and individuals are often targeted by cybercriminals via emails designed to look like they came from a legitimate bank, government agency, or organization. In these emails, the sender asks recipients to click on a link that takes them to a page where they will confirm personal data, account information, etc.
Video transcript:

Hey guys, and welcome back to the SecurityQ, your source for business data security. Today on the SecurityQ, I want to cover one question: are your employees properly trained to protect your business against phishing attacks? Not that type of fishing! Phishing is another tool used by hackers to gain access to your personal data. Phishing relies on your employees’ willingness to provide sensitive information like passwords, bank, and tax information.

Here’s how it works. Companies are targeted via an email that is designed to look like it comes from a legitimate bank, organization, or government agency. Then the sender asks to confirm personal information, in essence, phishing for data. For example, let’s say your business does e-commerce through PayPal. Hackers posing as PayPal will contact you via email asking you to confirm sensitive information pertaining to your account. Once the information is obtained, hackers use the credentials gained to steal your sensitive data, mostly through attacks like malware and back doors into your network. That’s hook, line, and sinker.

The scary thing is, you may have the best technology in the world, but if your employees aren’t properly trained, that technology is a complete and utter waste. Currently twenty percent of all breaches involve phishing. Everyone in every industry and every company is ultimately a target. Keep in mind, it takes only one untrained employee to give away all the data you worked so hard to protect.

As a business owner, how can you detect phishing attacks and properly train employees? First, the message or email you’re receiving may appear entirely convincing. You should keep a lookout for three things. Layout issues, spelling and grammatical issues go hand in hand with phishing attacks. Second, don’t just check the name of the person sending the email. You need to check the email address and ensure that no alterations have been made to it, for example, additional letters or numbers added to the email address. Last, most companies will never ask for your personal information through email. If there’s any doubt, contact the sender. Remember, even savvy technology users can find themselves fooled by messages that appear authentic, so be cautious.

Our advice? Educate your employees about phishing attacks. When it comes to staying safe online, it never hurts to have a little bit of cynicism. Well guys, that’s all the time we have for today on the SecurityQ, but as always we want to hear from you. So post your questions in the comments below, and don’t forget to subscribe. See ya next time on the SecurityQ.

This technique is called phishing, and it’s a way hackers con you into providing your personal information or account data. Once your info is obtained, hackers create new user credentials or install malware (such as backdoors) on your system to steal sensitive data.

See also: Examples of common phishing attempts.

It’s often difficult to distinguish a fake email from a verified one; however, most have subtle hints of their scammy nature. Here are seven ways to help you recognize a phishing email and maintain email security.

1. Legit companies don’t request your sensitive information via email

Chances are, if you receive an unsolicited email from an institution that provides a link or attachment and asks you to provide sensitive information, it’s a scam. Most companies will not send you an email asking for passwords, credit card information, credit scores, or tax numbers, nor will they send you a link from which you need to log in.

[Screenshot caption: Notice the generic salutation at the beginning, and the unsolicited web link attachment?]

2. Legit companies call you by your name

Phishing emails typically use generic salutations such as “Dear valued member,” “Dear account holder,” or “Dear customer.” If a company you deal with required information about your account, the email would call you by name and probably direct you to contact them via phone.

[Screenshot caption: Sir/Madam? Also, what’s up with the 17 in the middle of the sentence?]

3. Legit companies have domain emails

Don’t just check the name of the person sending you the email. Check their email address by hovering your mouse over the ‘from’ address. Make sure no alterations (like additional numbers or letters) have been made. Check out the difference between these two email addresses as an example of altered emails: firstname.lastname@example.org and email@example.com. Just remember, this isn’t a foolproof method. Sometimes companies make use of unique or varied domains to send emails, and some smaller companies use third party email providers.

[Screenshot caption: “Costco’s” logo is just a bit off. This is what the Costco logo is supposed to look like. See the difference? Subtle, no?]

4. Legit companies know how to spell

Possibly the easiest way to recognize a scammy email is bad grammar. An email from a legitimate organization should be well written. Little known fact: there’s actually a purpose behind bad syntax. Hackers generally aren’t stupid. They prey on the uneducated because they are easier targets.

[Screenshot caption: Notice the apostrophe in the word ‘friends’? Me neither. Other than that tiny grammar mistake, this is a very convincing email.]

5. Legit companies don’t force you to their website

Sometimes phishing emails are coded entirely as a hyperlink. Therefore, clicking accidentally or deliberately anywhere in the email will open a fake web page, or download spam onto your computer.

[Screenshot caption: This whole email is likely a gigantic hyperlink.]

6. Legit companies don’t send unsolicited attachments

Unsolicited emails that contain attachments reek of hackers. Typically, authentic institutions don’t randomly send you emails with attachments, but instead direct you to download documents or files on their own website. Like the tips above, this method isn’t foolproof. Sometimes companies that already have your email will send you information, such as a white paper, that may require a download. In that case, be on the lookout for high-risk attachment file types, including .exe, .scr, and .zip. (When in doubt, contact the company directly using contact information obtained from their actual website.)

[Screenshot caption: Just remember, curiosity killed the cat.]

7. Legit company links match legitimate URLs

Just because a link says it’s going to send you to one place doesn’t mean it’s going to. Double check URLs. If the link in the text isn’t identical to the URL displayed as the cursor hovers over the link, that’s a sure sign you will be taken to a site you don’t want to visit. If a hyperlink’s URL doesn’t seem correct, or doesn’t match the context of the email, don’t trust it. Ensure additional security by hovering your mouse over embedded links (without clicking!) and ensure the link begins with https://.

[Screenshot caption: Although very convincing, the real Nokia wouldn’t be sending you a “Save your stuff” email from firstname.lastname@example.org]

It doesn’t matter if you have the most secure security system in the world. It takes only one untrained employee to be fooled by a phishing attack and give away the data you’ve worked so hard to protect. Make sure both you and your employees understand the telltale signs of a phishing attempt.

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.
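Several of the tips above (2, 3, 6 and 7, plus the "hover over the link" advice in 5) can be checked mechanically before a message ever reaches a person. The following is an added example, not code from the post or from SecurityMetrics: it runs those checks over one constructed phishing-style email. The set of domains the business deals with, the sender address, the message body and the attachment name are all made up for the example.

```python
"""Added example (not from the SecurityMetrics post): automated versions of
tips 2, 3, 5/7 and 6, run over a constructed sample email. The domains,
addresses and the message itself are invented for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains this (hypothetical) business legitimately deals with.
KNOWN_DOMAINS = {"paypal.com", "costco.com", "ups.com"}
GENERIC_SALUTATIONS = ("dear valued", "dear customer", "dear account holder", "dear sir/madam")
RISKY_EXTENSIONS = (".exe", ".scr", ".zip")

# Constructed phishing-style message: lookalike sender, generic greeting,
# link text that names one site while the href points at another, .zip attached.
SAMPLE_EMAIL = {
    "from": "PayPal Service <service@paypa1.com>",
    "html": (
        "<p>Dear valued customer,</p>"
        "<p>Your account has been limited. Please visit "
        '<a href="http://203.0.113.9/signin">https://www.paypal.com/signin</a> '
        "to restore access.</p>"
    ),
    "attachments": ["Invoice_2024.zip"],
}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs plus the plain text of the body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._buf = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; a small value means 'one or two characters off'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """The domain part of the address in a From: header (display name ignored)."""
    match = re.search(r"@([\w.-]+)", from_header)
    return match.group(1).lower() if match else ""


def check_email(msg):
    """Return a list of (tip_number, reason) findings for one message."""
    findings = []
    parser = LinkCollector()
    parser.feed(msg["html"])
    body = " ".join(parser.text).strip().lower()

    # Tip 2: generic salutation instead of your name.
    if any(body.startswith(s) for s in GENERIC_SALUTATIONS):
        findings.append((2, "generic salutation"))

    # Tip 3: sender domain is a near-miss of a domain you actually deal with.
    domain = sender_domain(msg["from"])
    if domain and domain not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if edit_distance(domain, known) <= 2:
                findings.append((3, f"sender domain {domain} resembles {known}"))

    # Tips 5 and 7: link text that claims one host while pointing at another, or plain http.
    for href, text in parser.links:
        href_host = urlsplit(href).hostname or ""
        if text.startswith(("http://", "https://")):
            text_host = urlsplit(text).hostname or ""
            if text_host != href_host:
                findings.append((7, f"link text shows {text_host} but points to {href_host}"))
        if urlsplit(href).scheme != "https":
            findings.append((7, f"link to {href} is not https"))

    # Tip 6: unsolicited high-risk attachment types.
    for name in msg["attachments"]:
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append((6, f"risky attachment {name}"))
    return findings


if __name__ == "__main__":
    for tip, reason in check_email(SAMPLE_EMAIL):
        print(f"tip {tip}: {reason}")
```

Run as is, it reports five findings for the sample: a generic salutation, a sender domain one character away from paypal.com, link text naming one host while the href points at another, a link that is not https, and a .zip attachment. The https check only confirms the scheme the post tells readers to look for; a phishing site can be served over https too, so the host comparison is the stronger of the two link signals. Tips 1 and 4 (an unsolicited request for sensitive data, and writing that reads wrong) still need a human reader, which is why the post's point about training stands regardless of what filters are in front of the mailbox.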