Reduce Risk and Regain Control with Cloud Risk Complete

Over the last 10 to 15 years, organizations have been migrating to the cloud to take advantage of the speed and scale it enables. During that time, we’ve all had to learn that new cloud infrastructure means new security challenges, and that many legacy tools and processes are unable to keep up with the new pace of innovation.

The greater scale, complexity, and rate of change associated with modern cloud environments means security teams need more control to effectively manage organizational risk. Traditional vulnerability management (VM) tools are not designed to keep pace with highly dynamic cloud environments, creating coverage gaps that increase risk and erode confidence.

In the report “Forecast Analysis: Cloud Infrastructure and Platform Services, Worldwide” Gartner® estimates that “By 2025, more than 90% of enterprise cloud infrastructure and platform environments will be based on a CIPS [cloud infrastructure and platform services] offering from one of the top four public cloud hyperscale providers, up from 75% to 80% in 2021.”

In the face of all this rapid change, how do you keep up?

Rapid7’s Cloud Risk Complete Is Here

The future of risk management is seamless coverage across your entire environment. That’s why our new offer, Cloud Risk Complete, is the most comprehensive solution to detect and manage risk across cloud environments, endpoints, on-premises infrastructure, and web applications.

With Cloud Risk Complete, you can:

  • Gain unlimited risk coverage with a unified solution purpose-built for hybrid environments, providing continuous visibility into your on-prem infrastructure, cloud, and apps, all in a single subscription.
  • Make context-driven decisions by intelligently prioritizing risk based on context from every layer of your attack surface, driven by a real risk score that ties risk to business impact.
  • Enable practitioner-first collaboration with native, no-code automation to help teams work more efficiently and executive-level dashboards that provide visibility into your risk posture.

Cloud Risk Complete

Analyze, respond to, and remediate risks without a patchwork of solutions or additional costs.


What makes this solution different is that we started with the outcome and worked backwards to bring to life a solution that meets the needs of your security program.

  • While most solutions offer daily scans of your cloud environment, we deliver real-time visibility into everything running across your environment. So, you’re never working with stale data or running blind.
  • While most solutions only provide insight into a small portion of your environment, we provide a unified view of risk across your entire estate, including your apps, both in the cloud and on-prem.
  • While most solutions show you a risk signal and leave the analysis and remediation process up to you, we provide step-by-step guidance on how to remediate the issue, and can even take immediate action with automated workflows that remove manual effort and accelerate response times.

Risk Is Pervasive. Your Cloud Security Should Be Too

Cloud Risk Complete stands apart from the pack with best-in-class cloud vulnerability assessment and management, cloud security posture management, cloud detection and response, and automation—in a single subscription.

Unlimited ecosystem automation enables your team to collaborate more effectively, improve the efficiency of your risk management program, and save time. With all of this, you can eliminate multiple contracts and vendors that are stretching budgets and enjoy a higher return on investment.

Get comprehensive cloud risk coverage across your business—without compromise. Discover Cloud Risk Complete today.

Three Steps for Ramping Up to Fully Automated Remediation

The number one threat to cloud security is misconfiguration of resources, and frankly, it's not hard to understand why. The cloud is getting bigger, more tangled, and flat-out more unmanageable by the day.

In modern Amazon Web Services (AWS) environments, there are typically millions of resources being added and spread across various environments on the regular, and each resource has its own set of configurations, roles, and permissions. The result of this tangled web is that for one in four organizations, resolving misconfigurations manually takes at least a week—and for one in ten, it takes over a month. What's a security team to do?

The answer: don't try to resolve misconfigurations manually. At least, not entirely manually. Why do it all yourself when automation can help?

Benefits of automation include:

  • Time saved: Common issues are handled automatically, dramatically decreasing the hours teams spend addressing them.
  • Increased security and reduced risk: You can set up remediation automation to take immediate action before a security event occurs.
  • Improved compliance: Proof of automated remediation results helps keep cloud environments compliant.
  • Consistency: Repeatable workflow actions ensure consistent results across your environment.

Of course, as great as all that sounds, implementing automation can't be done overnight. We're talking about major, pervasive change to your processes and workflows; setting that up within your organization takes time, and a good roadmap. We're here to help you get started with an incremental crawl, walk, run approach.

1. Crawl: Use automatic notifications to find misconfigurations

Using automated notifications is the first step to implementing an automated remediation strategy. Automated notifications can alert resource owners of misconfigurations through whatever channel they prefer, and even offer recommended steps for remediation. This eliminates the need for security teams to work to identify the owner of a resource, and significantly speeds the remediation process—even when the actual fix is done manually.

Automated notifications are a great way to dip your toes in the water and start getting used to working with an automatic process, without having to make any huge changes just yet.

2. Walk: Meet security policies and standards automatically

Once you've gotten comfortable with automated notifications, a great next step is to implement automation for security policies and standards associated with compliance. By automating compliance in this way, you'll still have a lot of control over the whole process, but your automation can now help resolve a much wider range of issues.

For this middle phase, you can establish the standards and policies your organization wants to follow—whether those are standard frameworks or custom policies—and use automation to enforce them. This means using specific actions like identifying when an account has a required service turned off and automatically turning it back on. This will also be a huge help in maintaining good security hygiene for your organization.

3. Run: Embrace automation to address risk signals and control costs

After you've spent some time working with automated notifications and policy enforcement—and verified that automation isn't going to break anything in your cloud environment—you'll be ready to make the full plunge. That means using automation for a full range of tasks, including:

  • Identifying misconfigurations or noncompliant actions
  • Taking remedial action
  • Updating resource configurations, roles, and permissions
  • Cleaning up or removing unused or over-provisioned resources

Implementing a full process like this for automated remediation drastically saves time and creates efficiencies, and ensures a consistent approach to fixing issues across your cloud.
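The crawl, walk, run progression can be modeled as a single engine whose phase setting decides which rules may fix a resource and which may only notify its owner. This is an added example, not code from Rapid7 or AWS; the rule names, the inventory, and the `automation: exempt` opt-out tag are hypothetical, and it runs on in-memory records without calling any cloud API.

```python
"""Crawl/walk/run remediation over an in-memory inventory (constructed data)."""
import copy
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable


class Phase(IntEnum):
    CRAWL = 1  # notify the resource owner, fix nothing
    WALK = 2   # also enforce policy and compliance settings
    RUN = 3    # also change permissions and remove unused resources


@dataclass(frozen=True)
class Rule:
    name: str
    auto_from: Phase                 # earliest phase allowed to apply the fix
    violated: Callable[[dict], bool]
    fix: Callable[[dict], None]      # mutates the resource record in place
    advice: str                      # recommended steps sent to the owner


def enable_audit_logging(res):
    res["config"]["audit_logging"] = True


def block_public_read(res):
    res["config"]["public_read"] = False


def delete_resource(res):
    res["deleted"] = True


# Hypothetical rules, one per kind of task the three phases describe.
RULES = [
    Rule("required-audit-logging-off", Phase.WALK,
         lambda r: r["kind"] == "account" and not r["config"].get("audit_logging"),
         enable_audit_logging, "Turn audit logging back on for the account."),
    Rule("bucket-public-read", Phase.RUN,
         lambda r: r["kind"] == "bucket" and bool(r["config"].get("public_read")),
         block_public_read, "Remove public read access from the bucket."),
    Rule("volume-unattached-30d", Phase.RUN,
         lambda r: (r["kind"] == "volume" and not r["config"].get("attached")
                    and r["config"].get("idle_days", 0) >= 30),
         delete_resource, "Snapshot if needed, then delete the unused volume."),
]

# Constructed inventory; IDs, owners and fields are illustrative only.
INVENTORY = [
    {"id": "acct-1", "kind": "account", "owner": "platform@example.com",
     "config": {"audit_logging": False}},
    {"id": "bucket-1", "kind": "bucket", "owner": "data@example.com",
     "config": {"public_read": True}, "tags": {"automation": "exempt"}},
    {"id": "bucket-2", "kind": "bucket", "owner": "web@example.com",
     "config": {"public_read": True}},
    {"id": "vol-1", "kind": "volume", "owner": "ml@example.com",
     "config": {"attached": False, "idle_days": 45}},
    {"id": "vol-2", "kind": "volume", "owner": "ml@example.com",
     "config": {"attached": True, "idle_days": 0}},
]


def remediate(inventory, phase, rules=RULES):
    """Return (new_inventory, actions); the input inventory is left untouched."""
    inv = copy.deepcopy(inventory)
    actions = []
    for res in inv:
        for rule in rules:
            if res.get("deleted") or not rule.violated(res):
                continue
            exempt = res.get("tags", {}).get("automation") == "exempt"
            if phase >= rule.auto_from and not exempt:
                rule.fix(res)
                # Re-check after the fix so a failed change is never reported as done.
                fixed = res.get("deleted", False) or not rule.violated(res)
                outcome = "remediated" if fixed else "fix-failed"
            else:
                outcome = "notified"  # owner gets the finding plus the advice text
            actions.append({"resource": res["id"], "owner": res["owner"],
                            "rule": rule.name, "outcome": outcome,
                            "advice": rule.advice})
    return inv, actions


def outcomes(actions):
    """Map resource ID to outcome (each sample resource matches at most one rule)."""
    return {a["resource"]: a["outcome"] for a in actions}


if __name__ == "__main__":
    for phase in Phase:
        _, acts = remediate(INVENTORY, phase)
        print(phase.name, outcomes(acts))
```

Running the same rules in the crawl phase first gives a preview of what later phases would change, and the exempt tag keeps a fragile resource in notify-only mode after the rest of the environment has moved on.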

Adding new technologies and workflows to your organization can feel like a daunting task, but it doesn't have to be. All you need is a proper plan to put it into action.

Ready to learn more about how to automate remediation for your organization? Rapid7 and AWS have teamed up for a full ebook on the subject.


How to Stay Secure in the Cloud While Driving Innovation and Discovery

Cloud Security Strategies for Healthcare

The healthcare industry is undergoing a transformational shift. Health organizations are traditionally entrenched in an on-prem way of life, but the past three years have plunged them into a digital revolution. A heightened demand for improved healthcare services—like distributed care and telehealth—ignited a major push for health orgs to move to the cloud, and as a result, implement new cloud security strategies.

But the processes and tools that worked well to secure healthcare organizations' traditional data centers do not directly translate to the public cloud. Resource and budget strain, priority negotiation with leadership, and challenges with regulatory compliance only exacerbate a daunting digital maturity gap. These challenges are why many healthcare organizations have approached public cloud adoption tentatively.

The healthcare industry must innovate in the cloud to meet patient and business needs, but it needs to do so without creating unnecessary or unmanaged risk. Most importantly, it must move to and adopt cloud solutions securely to protect patients in a new world of digital threats.

Major Challenges

Modern technologies bring modern challenges. Here are the main obstacles healthcare organizations face when it comes to securing the cloud.

Resource Strain

Like most industries, healthcare organizations face major obstacles when finding qualified security talent. That means hospitals, clinics, and other healthcare businesses must compete with tech giants, startups, and other more traditionally cybersecurity-savvy companies for the best and brightest minds on the market.

What's more challenging is that the typical day of a security professional in healthcare tends to be disproportionately focused on time-consuming and often monotonous tasks. These duties are often related to maintaining and reporting on compliance with a sea of regulatory standards and requirements. Carrying out these repetitive but necessary tasks can quickly lead to burnout—and, as a result, turnover.

Moreover, those security professionals who do end up working within healthcare organizations can quickly find themselves inundated with more work than any one person is capable of handling. Small teams are tasked with securing massive amounts of sensitive data—both on-prem and as it moves into the cloud. And sometimes, cybersecurity departments at healthcare orgs can be as small as a CISO and a few analysts.

Those challenges with resource strain can lead to worse problems for security teams, including:

  • Burnout and rapid turnover, as discussed above
  • Slow MTTR, exacerbating the impact of breaches
  • Shadow IT, letting vulnerable assets fall through the cracks

Balancing Priorities With Leadership

It's up to cybersecurity professionals to connect the dots for leadership on how investing in cloud security leads to greater ROI and less risk. Decision-makers in the healthcare industry are already juggling a great deal—and those concerns can be, quite literally, a matter of life or death.

In the modern threat landscape, poor cybersecurity health also has the potential to mean life or death. As medical science tools become more sophisticated, they're also becoming more digitally connected. That means malicious actors who manage to infiltrate and shut down servers could also possibly shut down life-saving technology.

Tech professionals must illustrate to stakeholders how cybersecurity risk is interconnected with business risk and—perhaps most importantly—patient risk. To do that, they must regularly engage with and educate leadership to effectively balance priorities.

Achieving that perfect balance includes meeting leadership where they're at. In healthcare, what is typically the biggest security concern for leaders? The answer: Meeting the necessary compliance standards with every new technology investment.

HIPAA Compliance and Protected Health Information

For stakeholders, achieving, maintaining, and substantiating legal and regulatory compliance is of critical importance. When it comes to the healthcare industry, one compliance standard often reigns supreme over all business decisions: HIPAA.

HIPAA provides data privacy and security provisions for safeguarding Protected Health Information (PHI). It addresses the use and disclosure of individuals' health information and requires that sensitive information be governed by strict data security and confidentiality. It also obligates organizations to provide PHI to patients upon request.

When migrating to the cloud, healthcare organizations need a centralized approach to protecting sensitive data. InsightCloudSec allows you to automate compliance with HIPAA. Through our HIPAA Compliance Pack, InsightCloudSec provides dozens of out-of-the-box checks that map back to specific HIPAA requirements. For example, InsightCloudSec's “Snapshot With PHI Unencrypted” policy supports compliance with HIPAA §164.312(a)(2)(iv), Encryption Controls.

Experience Gap

An evolving threat landscape and growing attack surface are challenging enough to deal with for even the most experienced security professionals. Add the health industry's talent gap into the mix, and those challenges are multiplied.

Cloud security in the healthcare space is still relatively new. That means internal cybersecurity teams are not only playing a relentless game of catch-up—they also might consist of more traditional network engineers and IT pros who have historically been tasked with securing on-premises environments.

This makes it critical that the cloud security solutions healthcare industries implement be user-friendly, low-maintenance, and ultra-reliable.

Cloud Security Solutions and Services

As health organizations dive into work in the cloud, their digital footprints will likely grow far faster than their teams can keep up with. Visibility into these cloud environments is essential to an organization's ability to identify, assess, prioritize, and remediate risk. Without a clear picture of what they have and where they have it, companies can be vulnerable to malicious attacks.

To avoid biting off more than they can chew, security professionals in healthcare must leverage cloud security strategies and solutions that grant them complete real-time visibility in the cloud over all their most sensitive assets. Enterprise cloud security tools like InsightCloudSec can enable automated discovery and inventory assessment. That unlocks visibility across all their CSPs and containers.

InsightCloudSec also makes it easier for teams, regardless of their cloud security expertise, to effectively define, implement, and enforce security guardrails. With resource normalization, InsightCloudSec removes the need for security teams to learn and keep track of an ever-expanding list of cloud resources and services. Security teams can make use of InsightCloudSec's native, no-code automation to enable hands-off enforcement of their organization's security practices and policies when a non-compliant resource is created or a risk configuration change is made.

The fact of the matter is that many healthcare security teams will need to build their cybersecurity programs from the ground up. With limited resources, strained budgets, and patients' lives on the line, they can't afford to make big mistakes. That's why, for many organizations, partnering with a managed service provider is the right approach.

Rapid7's managed services relieve security teams from the strain of running and building cloud security frameworks. They can also help healthcare security pros better connect lack of investment with risks to stakeholders—acting as an external set of experts.

The Bottom Line

Staying continuously secure in the cloud can be daunting, particularly for those responsible for not only sensitive medical, patient, and research data, but also the digitally connected machines and tools that ensure top-of-the-line patient care. Protecting the health of patients is paramount in the healthcare industry.

With the right tools (and teams) to support continuous security and compliance, this responsibility becomes manageable—and even, dare we say, easy.

InsightCloudSec

A complete cloud security toolbox in a single solution.


What Tech Companies Should Look For in Cloud Security

The cloud's computing power and flexibility unlock unprecedented speed and efficiency—a tech company's two best friends. But with that speed and efficiency come new environments and touchpoints in an organization's footprint. That expanding attack surface brings along with it an expanding range of security concerns.

Rapid7's Peter Scott joined Temporal Technologies's Brandon Sherman and Ancestry's Tony Black for a fireside chat to address today's growing CloudSec challenges.

The key? Building technologies and security policies alongside one another—from the start. That applies to both companies that are moving to the cloud and those that are cloud-first.

Making Security an Enabler, Not a Blocker

When companies start to move and function in the cloud, SecOps must adapt their thinking and processes to ephemeral environments. That entails getting down in the trenches early on with tech teams as they innovate and create while spinning up new instances.

“We started working with the idea that everything should be ephemeral and short-lived… That really started getting us into that mindset of a true cloud infrastructure and architecture,” says Black. “It allowed us to start doing some things like tearing down our dead environments on the weekend if no one is using it. It reduces our attack surface and reduces our cost.”

Collaboration between tech and security teams drives secure cloud innovation. However, that level of collaboration requires consistent communication and most importantly, a willingness to build trust.

“If you don't exercise that muscle of being engaged with those teams, then it's going to atrophy,” says Sherman. “But if you keep working on it, then you get in earlier and earlier. Even with simple Slack conversations—if I can get involved at that part of it and help shape this whole process as it's built out to help experiment securely… That's awesome.”

Consistently collaborating with tech teams not only helps keep security top of mind and integrate cloudsec with DevOps; it also transforms SecOps from a dreaded blocker into a reliable enabler. This level of collaboration requires not only trust but also a mutual understanding that implementing security is a problem-solver, not a problem to be solved.

That gives SecOps the power to help dev teams accelerate into production with fewer bumps in the road—because each new feature is built securely from the start.

Operationalization and Resiliency as Cloud Maturity Increases

Reframing security from a blocker to an enabler is indicative of a larger shift in security's role across the entire enterprise. As companies' cloud footprints grow and their maturity increases, CloudSec teams must ensure that their practices are not only scalable but also sustainable.

That means the security mindset needs to shift towards operationalization and resiliency.

“We want to be as reliable as running water,” says Sherman. “That is a really high bar to obtain. So you need really good operational metrics, rigor, and processes. But the nice thing about the cloud is that you can practice all those things.”

With the power of the cloud, tech companies have the freedom to rehearse their responses to even the most large-scale, potentially devastating attacks. By taking the time to practice building and breaking down high-risk environments, security teams can operationalize and, most importantly, plan for when—not if—new threats emerge.

To Black, it also comes down to establishing a consistent set of security practices that tech organizations hold to.

“A bunch of practices have to be in place. For example, no one should be able to touch a certain server, because if someone touches a certain server, then all of a sudden I can't rebuild that the way it was before,” says Black. “Then, everything has to go through a pipeline. And that pipeline has to have controls … and checks in place to make sure that what we deploy is consistent and repeatable.”

Keeping track of that decision-making ripple effect is a major factor in how well security teams can operationalize their best practices for securing cloud-native environments. That dedication to operationalization and resiliency ensures a better experience for devs, sec, and—most importantly—clients.

Clients, the Cloud, and Securing Sensitive Data

Tech companies are (for better or for worse) held to a higher standard by users in terms of reliability, ease of use, and security. Meeting those standards is even more critical when users are trusting tech companies with personal information that might be as sensitive as DNA, as is the case with some of Ancestry's clients.

What helps ensure and improve data protection in the cloud? A company-wide emphasis on customer trust.

“Fundamentally, our management team agrees that customer trust is part of the value proposition,” says Black. “We have to earn that trust every day… It really helps when the management team says that customer trust is part of the value proposition, so we have to spend money and take an effort to maintain that customer trust.”

Establishing a strong cloudsec foundation helps enable experiences that build customer trust. How can security teams create that base of security that keeps both dev teams and consumers happy? By approaching features as if they were to personally use them.

“Part of that comes down to being your own customer. If you trust your own company with your own data… You feel a lot better about it,” says Sherman.

Aligning the Evolution of Security and Technology

Security teams are no longer the department of “no.” With Gartner having predicted a 22% growth in worldwide cloud use by the end of 2022, tech companies should look out for this constant in cloud security: Change.

“The cloud changes beneath our feet. Things constantly evolve. If you're stuck in a mentality of, 'We do this thing, and this thing is security',” says Sherman, “even if that's best practice today, it might not be best practice tomorrow.”

Because of that constant change, success in the cloud is rooted in incremental progress. Taking on cloudsec challenges one bit at a time will ensure a smoother cloud journey for organizations looking to unlock the power of working in ephemeral environments.


Evolving networks and evolving threats

Vulnerability Management vs. Vulnerability Assessment

When it comes to protecting your cloud or hybrid networks, what you don't know can most certainly hurt your enterprise. Today's NetOps teams are tasked with monitoring the health and performance of both on-premises and cloud applications, as well as software, devices, and instances. As if this wasn't complicated enough, malicious threat actors relentlessly seek to capitalize on the vulnerabilities in an enterprise's network.

These attacks affect enterprises across all industries. Recently, Gartner predicted that 45% of global organizations will have experienced attacks on their software supply chains by 2025. Statista also reported that approximately 15M data records were exposed worldwide through data breaches in the third quarter of 2022. This staggering figure represented a quarterly increase of over 37%.

Network attacks are costly, too. In fact, the average cost of a data breach increased to $9.44M in the United States in 2022. Keep in mind, this figure doesn't include the frustration, lost productivity, and negative impact on brand reputation that often accompany cyber attacks.

Vulnerability assessment (VA) and vulnerability management (VM) are two of the best ways to protect your enterprise against threats, but these terms are often used incorrectly and interchangeably. A better understanding of these concepts and how they relate to one another can help you significantly boost the security posture of your hybrid and cloud environments.

What is a vulnerability assessment?

TechTarget defines vulnerability assessment as “the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures.” These vulnerabilities usually fall into one of three categories:

  • Hardware: Hardware refers to the physical devices in your network infrastructure, such as servers or routers. These require firmware upgrades and patches to remain secure. Vulnerabilities result from failure to perform upgrades and using outdated devices.
  • Software: Software refers to the applications an organization uses. Software vulnerabilities might be a flaw, glitch, or weakness in the software code. Again, patching and other updates are required to maintain security.
  • Human: These vulnerabilities stem from user security issues like weak (or leaked) passwords, clicking links on malicious websites, and human error such as opening a phishing email. Of the three categories, this is often the hardest for NetOps teams to control and enforce.

Vulnerability assessments scan your network for potential issues in each of these categories, and provide your team with crucial insight into the weaknesses of your IT infrastructure. Ideally, a vulnerability assessment will also prioritize the risks by level of severity, showing your team which to address first.

Enterprises looking to shift from reactive security measures like firewalls to a more proactive security approach look to vulnerability assessment as the first step in building an information security program.

What is vulnerability management?

Vulnerability management is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. Sounds a lot like vulnerability assessment, right? The key difference between the two, however, is that vulnerability management is a continuous cycle that includes vulnerability assessment. Where VA identifies and classifies the risks in your network infrastructure, VM goes a step further and includes decisions on whether to remediate, mitigate, or accept risks. VM is also concerned with general infrastructure improvement and reporting.

According to Gartner, vulnerability management runs on a cycle—a five-step process (not including pre-work like selecting vulnerability assessment tools) that most organizations follow.

The vulnerability management cycle

  1. Assess: Here's where vulnerability assessments come in. In this step of the cycle, NetOps teams will identify assets, scan them, and build a report.
  2. Prioritize: The report generated in the first phase is used to prioritize risks. The NetOps team will also add threat context to the risks, which requires a thorough knowledge of the existing threat landscape as well as consideration of how threats may evolve over time.
  3. Act: The prioritized threats are then sorted into remediate, mitigate, and accept buckets. Remediation calls for removing the threat completely, if possible. Mitigation, on the other hand, reduces the likelihood of a vulnerability being exploited. Mitigation may be used if remediation is too disruptive to the system or if a patch isn't available yet. You may also have threats that fall under the acceptance category. These may include devices/software soon to be replaced, which wouldn't require any action.
  4. Reassess: Once the team has processed the risks according to their final recommendations, they'll need to rescan and validate that the risks have been properly remediated, mitigated, or accepted.
  5. Improve: In this final step, the team should evaluate their metrics, checking that they're accurate and up to date to ensure that they're correctly assessing risks. Additionally, this phase should be used to eliminate any other underlying issues that may be contributing to system vulnerabilities.
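One pass through the Prioritize, Act and Reassess steps can be written as a small triage routine. This is an added example, not Gartner's or Rapid7's method: the priority weighting, the finding fields, the placeholder vulnerability IDs, and the guard that refuses to accept an actively exploited finding on a retiring asset are all assumptions of the example.

```python
"""One pass of prioritize -> act -> reassess on constructed scan findings."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln: str                 # placeholder ID, not a real CVE
    severity: float           # scanner base score, 0-10
    actively_exploited: bool  # threat context added during Prioritize
    asset_critical: bool
    patch_available: bool
    patch_disruptive: bool
    asset_retiring: bool      # asset is about to be replaced


def priority(f):
    # Assumed weighting: threat context and asset value raise the base score.
    return f.severity + (3 if f.actively_exploited else 0) + (2 if f.asset_critical else 0)


def decide(f):
    """Act step: choose remediate, mitigate or accept for one finding."""
    if f.asset_retiring and not f.actively_exploited:
        return "accept"
    if not f.patch_available or f.patch_disruptive:
        return "mitigate"
    return "remediate"


def plan(findings):
    """Prioritize then Act: highest priority first, each paired with its decision."""
    ordered = sorted(findings, key=priority, reverse=True)
    return [(f, decide(f)) for f in ordered]


def reassess(planned, rescan, mitigations, acceptances):
    """Return findings whose treatment the rescan and the records do not confirm."""
    open_items = []
    for f, decision in planned:
        key = (f.asset, f.vuln)
        if decision == "remediate" and key in rescan:
            open_items.append((key, "still detected after remediation"))
        elif decision == "mitigate" and key not in mitigations:
            open_items.append((key, "no compensating control recorded"))
        elif decision == "accept" and key not in acceptances:
            open_items.append((key, "acceptance not signed off"))
    return open_items


# Constructed sample data for the Assess output and the follow-up records.
FINDINGS = [
    Finding("db-01", "VULN-B", 9.0, False, True, True, True, False),
    Finding("print-07", "VULN-C", 6.0, False, False, False, False, True),
    Finding("web-01", "VULN-A", 7.5, True, True, True, False, False),
    Finding("vpn-02", "VULN-D", 8.5, True, False, False, False, True),
]
RESCAN = {("web-01", "VULN-A"), ("db-01", "VULN-B"),
          ("vpn-02", "VULN-D"), ("print-07", "VULN-C")}  # still detected
MITIGATIONS = {("db-01", "VULN-B")}      # compensating controls on record
ACCEPTANCES = {("print-07", "VULN-C")}   # risk acceptances on record

if __name__ == "__main__":
    planned = plan(FINDINGS)
    for f, decision in planned:
        print(f"{priority(f):5.1f}  {f.asset:9} {f.vuln}  -> {decision}")
    for key, reason in reassess(planned, RESCAN, MITIGATIONS, ACCEPTANCES):
        print("OPEN", key, reason)
```

Anything `reassess` returns goes back into the next cycle, which is what separates vulnerability management from a one-off assessment.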

Benefits of vulnerability management and vulnerability assessment

Vulnerability assessments are an important part of the vulnerability management cycle, and the VM cycle should be a key component of your NetOps team's security strategy. Organizations today simply can't afford to ignore the risks in their network infrastructure. As networks grow more complex, teams struggle to maintain visibility into their network. This creates an ideal environment for threat actors looking to exploit system vulnerabilities. Often, risks and attacks go unnoticed until they've caused irreparable damage at considerable cost to the organization.

VM has benefits that extend beyond security. For example, regularly evaluating your network's devices and applications can help your team identify outdated technology or potential patches that will not only improve the general security of the network, but also optimize its performance. VM can also help your organization meet federal and internal compliance requirements. Regularly identifying and resolving risks through vulnerability assessments and the VM cycle can help your organization stay ahead of changing compliance requirements and prevent non-compliance penalties like fines.

Get started with vulnerability assessment and vulnerability management

With the obvious benefits, it should be clear that vulnerability assessment and vulnerability management are crucial to reducing overall risk in an organization's infrastructure. And yet, many NetOps teams struggle to implement these processes. Whether your team is just getting started with vulnerability management, or looking to optimize your VM cycle to meet the challenges of an increasingly complex network and threat landscape, Rapid7 has the solutions that will empower your team to tackle vulnerabilities head on.

Ready to see the benefits of the vulnerability management cycle in your network?

Our report, Best Practices for Vulnerability Management in an Evolving Threat Landscape, can show you how!

Tis the Season to Be Wary: Three Holiday Shopping Scams To Watch For

Chestnuts roasting on an open fire, scammers nipping at your bank account… that might not be the carol you were expecting, but unfortunately it’s the frosty truth.

Most everyone has tons of shopping to do in preparation for holidays, whether they’re buying gifts, decorations, or tickets to visit loved ones. And with so many of these transactions happening online, all these shopping sprees add up to a potential goldmine for scammers.

Don’t let those grinches get you down. Fraud might be out in full force, but some simple cyber hygiene is all it takes to stay safe. In the spirit of the holiday season, we’ve made you a list—check it twice, and you’ll find out which online deals are naughty or nice.

1. All They Want for Christmas is Venmo

Not all payment methods are created equal—and scammers know this all too well. So if a seller is insisting you pay for those stocking stuffers with Zelle, gift cards, Dogecoin, or wire transfer, you should probably steer clear.

Peer-to-peer payment apps like Venmo, Zelle, or Cash App are incredibly handy, but they’re designed for paying your friends for your share of brunch, not for sending money to unknown online sellers. These apps offer you little to no recourse in the event of fraud, so stick to using them with close friends and family. No reputable online retailer will request payment through these apps.

Same goes for wire transfers. Wire transfers of money are irreversible, and next to untraceable to boot. So, they’re a popular choice for cybercriminals, and should be a huge red flag for holiday shoppers. Cryptocurrency is the favorite payment method of hackers worldwide for the same reasons; by design, cryptocurrency transactions are anonymous, untrackable, and impossible to reverse.

Gift cards might seem more at home at a lackluster White Elephant party than in a fraudster’s arsenal, but they’re used in online scams with surprising frequency as well. Some scammers offer to accept gift cards as payment—you just need to send them the card number and PIN. But, like all of the other types of payment above, gift cards can’t be tracked and offer no protection to fraud victims, and the fake sellers can quickly and easily convert the gift card’s contents into cash or items.

The bottom line: Stick to credit cards or digital wallets for anything you buy online this December. And of course, be sure to keep a close eye on your statements, so you can alert your credit card company of any transactions you didn’t make.

2. There Might Have Been Some Malware in That New Top Hat You Found

Right about now, online retailers are out in full force advertising their wares over social media and email—and scammers are right there with them. That email you got about a deep discount on PS5s might not actually be from Amazon, and the Instagram ad offering Taylor Swift tickets should definitely be looked at with suspicion. Hackers know all too well that many people are in a hurry to finish up their holiday shopping, or are desperately hunting for a good deal on that perfect gift, and they’re all too ready to take advantage.

Scammers will frequently prop up advertisements or send messages posing as companies you know and trust to get you to let your guard down. The goal, as in all phishing scams, is to get you to click on a link you shouldn’t. Just by clicking, you could be unknowingly downloading malware onto your computer.

Alternatively, these links may send you to a fake online storefront designed to look like a well-known legitimate retailer. These storefronts generally offer popular holiday items or travel fares at irresistible prices. When you make a purchase, the “retailer” might grab your credit card details or other personal information. Or, they might ask for payment through one of the insecure methods discussed above, and never deliver the goods.

So, don’t let holiday stress (or an excess of eggnog) get in the way of your better judgment. Be sure to hover over links to check where they actually lead before clicking—or better yet, open up a new tab and navigate to the retailer’s site directly. Make sure you thoroughly vet any seller before making purchases, checking for reviews and feedback. And remember: Any deal that seems too good to be true probably is.

3. Last Christmas, I Gave You My SSN. The Very Next Day, You Stole My Identity

Even if you’ve made all your holiday purchases safely, you’re not out of the woods quite yet. There’s a popular new type of scam on the rise you need to watch out for: fake delivery notifications.

At this time of year, just about everyone is waiting on one package or another, so some scammers send fake texts claiming that your package has been delayed, you missed its delivery, or something along those lines. And, of course, they’ll give you a link to click. Once you do, scammers will often ask for sensitive information—such as your credit card number, SSN, or even just login credentials to an online retailer—so that they can “find” your lost package. Alternatively, they may claim that you owe an extra fee before your package can be delivered.

Luckily, once you’re aware of this scam, it’s also fairly easy to avoid. Take note of tracking information for any online orders you make, so if you get any messages about problems with delivery, you can independently track your package and see what’s really going on. And know that delivery companies like FedEx or UPS will never ask you for sensitive personal information to track a package.

Cyber scams may be coming to town, but that doesn’t mean you have to be a victim. Just a few extra precautions—using safer payment methods, vetting sellers, and avoiding suspicious links—will keep you safe. Deck the halls with good cyber hygiene and make sure you know when those jingle bells should actually be alarm bells.