One must admire the ingenuity of cybercriminals.


A new development in phishing is the “nag attack.” The fraudster commences the social engineering by irritating the targeted victim, and then follows up with an offer to alleviate the annoyance.

The end game, of course, is to trick the intended victim into revealing sensitive information or installing malicious code. This is how keyloggers and backdoors get implanted deep inside company networks, as well as how ransomware seeps in.

Spoofed alerts

A nag attack breaks the ice with a repeated message or push notice designed to irritate. The nag might be a spoofed multifactor authentication push or system error alert – a notification message that annoyingly repeats on a seemingly infinite loop.

The idea of this first part of the nag attack is to annoy the targeted victim. Most of us don’t like random messages out of nowhere, much less dozens of them.

The second part of the attack is the scam. If your smartphone or computer is displaying a faked alert, then this means the criminal can contact you directly on the same channel. Usually, they’ll claim to be from the IT department or perhaps from a software or service provider.

The con artist sympathetically confirms that the victim has been deluged with notices and apologizes profusely. Distracted, aggravated and eager to put a stop to it, the victim gratefully accepts the extended solution.


Usually this requires divulging login credentials and other details. Wham: the attackers gain unauthorized access — and a foothold to probe deeper into the breached network.

Human nature

Nag attacks add to the litany of phishing techniques. Over the years, endless phishing variants have emerged, including:

•Bulk phishing. This is when mass emails are sent out.

•Spear phishing. The targeting of specific individuals or organizations.

•Whaling. Putting senior executives in the cross-hairs.

•Smishing. Lures sent via text message.

We can now add nag attacks, which take full advantage of human nature. Nag attacks are proving effective because no one likes to be nagged.

The attacker sets notification fatigue in motion and then adds credibility by sympathizing with the victim’s plight, while also being able to make references to details about the nuisance alerts.

Nag attacks are simple, clever and highly effective. Even employees in well-known organizations have fallen victim to the nag, including those at Microsoft, Cisco, and Uber.

Best defense

Large-scale nag attacks that randomly target wide swaths of email addresses or phone numbers are referred to as spray attacks. Spray attacks are noisy and thus can be mitigated with detection and response software that leverages machine learning and automation.

However, nag attacks are intrinsically difficult to stop, especially attacks targeting individual employees. This is because phone numbers and email addresses are easy to obtain. Thus, targeting specific employees in certain organizations is straightforward. This limits the effectiveness of automated detection and response tools.
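The two patterns described above, the noisy spray and the nag aimed at one person, can each be written as a rule over notification logs. The sketch below is an added example, not part of the original essay; the event fields (timestamp, user, source, result), the thresholds and the sample events are all constructed assumptions rather than any product's log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _t(hhmmss):
    """Build a timestamp on one constructed sample day."""
    return datetime.strptime("2022-11-21 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed sample events: (timestamp, user, source, result).
# "source" stands for whatever originates the prompt (sender or login IP).
SAMPLE_EVENTS = [
    # alice: targeted nag, six pushes in five minutes, the last one approved
    (_t("09:00:00"), "alice", "203.0.113.7", "denied"),
    (_t("09:01:00"), "alice", "203.0.113.7", "denied"),
    (_t("09:02:00"), "alice", "203.0.113.7", "timeout"),
    (_t("09:03:00"), "alice", "203.0.113.7", "denied"),
    (_t("09:04:00"), "alice", "203.0.113.7", "denied"),
    (_t("09:05:00"), "alice", "203.0.113.7", "approved"),
    # bob: ordinary day, two approved prompts hours apart
    (_t("08:30:00"), "bob", "198.51.100.20", "approved"),
    (_t("13:10:00"), "bob", "198.51.100.20", "approved"),
    # spray: one source prompts many different users within a minute
    (_t("10:00:00"), "carol", "192.0.2.55", "denied"),
    (_t("10:00:20"), "dave", "192.0.2.55", "denied"),
    (_t("10:00:40"), "erin", "192.0.2.55", "timeout"),
    (_t("10:01:00"), "frank", "192.0.2.55", "denied"),
]


def detect_nag_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who received >= threshold prompts inside a sliding window.

    Also records whether a burst ended in an approval after a run of
    rejections, which is the outcome a nag attack is trying to produce.
    A patient attacker who stays under the threshold is not caught here.
    """
    per_user = defaultdict(list)
    for ts, user, _source, result in sorted(events):
        per_user[user].append((ts, result))

    findings = {}
    for user, pushes in per_user.items():
        recent = deque()
        for ts, result in pushes:
            recent.append((ts, result))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) < threshold:
                continue
            rejected = sum(1 for _, r in recent if r != "approved")
            gave_in = result == "approved" and rejected >= threshold - 1
            prev = findings.get(
                user, {"max_pushes": 0, "approved_under_pressure": False}
            )
            findings[user] = {
                "max_pushes": max(prev["max_pushes"], len(recent)),
                "approved_under_pressure": prev["approved_under_pressure"] or gave_in,
            }
    return findings


def detect_spray(events, min_users=4, window=timedelta(minutes=5)):
    """Flag sources that prompted >= min_users distinct accounts in a window."""
    per_source = defaultdict(list)
    for ts, user, source, _result in sorted(events):
        per_source[source].append((ts, user))

    findings = {}
    for source, hits in per_source.items():
        recent = deque()
        for ts, user in hits:
            recent.append((ts, user))
            while ts - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u in recent}
            if len(users) >= min_users:
                findings[source] = sorted(users | set(findings.get(source, [])))
    return findings


if __name__ == "__main__":
    print("nag bursts:", detect_nag_bursts(SAMPLE_EVENTS))
    print("spray sources:", detect_spray(SAMPLE_EVENTS))
```

The per-user rule matters most when `approved_under_pressure` is true: that account should be treated as compromised until the session is revoked and the user confirms the approval was intended.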

The most effective defense is alert, well-trained employees. Cybersecurity training needs to be timely and relevant. This can include simulations to raise awareness and train people so when they see unprompted, persistent and annoying messages, they’ll know the real reason for the harassment.

Every message with even a hint of suspiciousness needs to be validated. This needs to become ingrained workplace behavior.

About the essayist: Audian Paxson is Director of Technical Product Marketing at Ironscales, an Atlanta-based email security company.

Government assistance can be essential to individual wellbeing and economic stability. This was clear during the COVID-19 pandemic, when governments issued trillions of dollars in economic relief.


Applying for benefits can be arduous, not least because agencies need to validate applicant identity and personally identifiable information (PII). That often involves complex forms that demand applicants gather documentation and require case workers to spend weeks verifying data. The process is slow, costly, and frustrating.

It’s also ripe for fraud. As one example, the Justice Department recently charged 48 suspects in Minnesota with fraudulently receiving $240 million in pandemic aid.

The good news is that an innovative technology that promises to transform identity validation is capturing the attention of government and other sectors. Self-sovereign identity (SSI) leverages distributed ledgers to verify identity and PII – quickly, conveniently, and securely.

Individual validation

Any time a resident applies for a government benefit, license, or permit, they must prove who they are and provide PII such as date of birth, place of residence, income, bank account information, and so on. The agency manually verifies the data and stores it in a government database.

Whenever the resident wants to apply for services from another agency, the process repeats. Every transaction involves redundant steps and is an opportunity for fraud. Meanwhile, PII in government databases is at risk for cybertheft.

SSI – sometimes referred to as decentralized identity – uses a different strategy. Rather than rely on centralized databases, PII is validated via a distributed ledger or blockchain. Data is never stored by the government agency, yet they can still be sure they are transacting with the right person. This approach makes the data fundamentally secure and makes identity theft virtually impossible. Once the data is initially validated, it can be trusted by every agency, every time.

SSI also puts residents in control. They decide which data to release to which agencies and can revoke access at any time. They don’t need to worry about data privacy or whom the data might be shared with. Finally, they don’t have to endure a lengthy process of gathering data and waiting for approvals.

Conceptually, SSI functions the same way in any scenario. But three use cases demonstrate its promise.

Simplifying applications


For programs that benefit families, applications can run 20 pages and take weeks to process. An example is the Supplemental Nutrition Assistance Program (SNAP). Applicants must provide details on the entire household, including dates of birth, incomes, assets such as bank accounts, and expenses such as utilities.

Many people who receive SNAP benefits are also eligible for Medicaid, Temporary Assistance for Needy Families (TANF), and the Children’s Health Insurance Program (CHIP). Without SSI, residents must manually submit the same information to each program, and each program must manually verify the information before storing it in a database.

Furthermore, benefits applications like SNAP aren’t one-off processes. Say a mother with two children suddenly finds herself a single parent with no employment. She might qualify for SNAP until she gets a job. Then she might have another child and qualify again. Without SSI, each time she re-applies, her data needs to be re-verified and re-stored.

With SSI, applicants submit their household data for verification only once. When that information is verified, each datapoint is stored in the resident’s digital wallet as a credential. When they need to share that information with another agency, it’s validated via the public ledger in minutes.

With SSI, once a credential is in the digital wallet, all programs can trust it. The process is faster and easier for both the applicant and the benefits administrator.

Preventing fraud

Government-backed loans for college, certificate, and vocational programs help residents achieve financial wellbeing and contribute to society, but they’re also opportunities for fraud. For instance, California community colleges received 65,000 fraudulent loan applications in 2021.

What’s more, institutions collect, verify, and store vast amounts of student data. When a specific department needs student data for its own needs, it often repeats the process. Meanwhile, all that data makes colleges targets for cybertheft.

SSI solves these issues. Once their identity is verified via the distributed ledger, students can release data to any institution or department. Schools can trust the data, and they no longer need to store it in their own databases. Plus, identity theft and loan fraud become virtually impossible.

The student’s digital wallet can expand over time with relevant data such as course credits, grade point averages, and degrees. Once the data is verified, it remains trustworthy – even if, say, the school that issued a degree no longer exists.

Medical marijuana access

More than 30 U.S. states and territories have legalized cannabis products for medical use. To access medical marijuana, patients typically require a medical marijuana card.

The process normally starts with a doctor’s prescription. The patient then applies to the state for a card. Once the card is issued, the patient presents it at a dispensary to purchase a cannabis product. In cases where the patient isn’t mobile, a caregiver is authorized to make the purchase.

SSI streamlines and provides assurance throughout this process. The state can trust any patient identity or PII already verified via the distributed ledger. The doctor’s credentials can be validated in the same way. Prescriptions and authorized caregivers can be stored as patient credentials.

The dispensary needn’t worry about being held liable for accepting a fake medical marijuana card. In fact, once patient data is validated in the distributed ledger, no party in the supply chain needs to independently verify it.

For residents, SSI provides control over PII and eases worries about confidentiality. For governments, it streamlines data verification and strengthens cybersecurity, saving significant time and cost. For both, it can build trust and enable easier access to services that benefit individuals and communities. Ultimately, SSI promises to transform how people and organizations manage sensitive data across a multitude of use cases.

About the essayist: Piyush Bhatnagar is Vice President of Security Products and Platforms at GCOM Software. A graduate of Cornell University, Bhatnagar received his MBA in General Management and Strategy from Cornell’s Johnson Graduate School of Management. In addition, he holds a Master’s Degree in Science (Computer Science) from Allahabad University as well as a Bachelor’s Degree in Science from University of Delhi.

Endpoints are where all the connectivity action is.


And securing endpoints has once more become mission critical. This was the focal point of presentations at Tanium’s Converge 2022 conference which I had the privilege to attend last week at the Fairmont Austin in the Texas capital.

I had the chance to visit with Peter Constantine, Tanium’s Senior Vice President Product Management. We discussed how companies of all sizes and across all industries today rely on a dramatically scaled-up and increasingly interconnected digital ecosystem.

The attack surface of company networks has expanded exponentially, and fresh security gaps are popping up everywhere.

Guest expert: Peter Constantine, SVP Product Management, Tanium

One fundamental security tenet that must take wider hold is this: companies simply must attain and sustain granular visibility of all of their cyber assets. This is the only way to dial in security in the right measure, to the right assets and at the optimum time.

The technology and data analytics are readily available to accomplish this; and endpoints – specifically servers and user devices – represent a logical starting point.

“We have to make sure that we truly know what and where everything is and take a proactive approach to hardening security controls and reducing the attack surface,” Constantine observes. “And then there is also the need to be able to investigate and respond to the complexities that come up in this world.”

For a full drill down on Tanium’s approach to network security that incorporates granular visibility and real-time management of endpoints please give the accompanying podcast a listen.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

 

Consider what might transpire if malicious hackers began to intensively leverage Artificial Intelligence (AI) to discover and exploit software vulnerabilities systematically?


Cyber-attacks would become much more dangerous and much harder to detect. Currently, human hackers often discover security holes by chance; AI could make their hacking tools faster and the success of their tactics and techniques much more systematic.

Our cybersecurity tools at present are not prepared to handle AI-infused hacking, should targeted network attacks advance in this way. AI can help attackers make their attack code even stealthier than it is today.

Attackers, for obvious reasons, typically seek system access control. One fundamental way they attain access control is by stealthily stealing crypto-keys. Hackers could increasingly leverage AI to make their attack code even more undetectable on computers – and this will advance their capacity to attain deep, permanent access control of critical systems.

If AI-infused hacking gains traction, breaches will happen ever more quickly and automatically; the attack code will be designed to adapt to any version of an OS, CPU or computing device. And this would be a huge game-changer – tilting the advantage to the adversaries in command of such an AI hacking tool.


This scenario is nearer than we might think or expect. Consider the approach to AI taken by the software firm DeepMind; their system turns technical problems into rules for games — and can deliver extraordinary results even if their developers are non-expert in the underlying problems.

We assume we are okay or safe if responsible humans are in the loop, i.e., able to switch things off or press a button. But every button/switch is linked to software; and advances like those made by DeepMind can be adapted to malicious purposes, such as to continually make unauthorized modifications at the access control level.

Cybersecurity must become better prepared to defend against super-hackers, master-thieves of crypto-keys and digital ghosts who are driving in this direction. Here are three fundamental practices that I believe need to become engrained:

Never commingle security code and regular code. We must make every change or manipulation of anything security-related detectable. Security operations should be separate from the main operating system and CPU. This independence makes attacks on security easier to detect.

Hashcodes need to be registered. Hashcodes are unique values linked to software that can be associated with the manufacturer. Registering – and thus whitelisting – hashcodes will reduce and eventually eliminate unauthorized code from circulating.

Protect crypto-keys. Crypto keys processed in main CPUs, as well as the public keys in PKI, should always be referred to via their registered hashcodes; and they should never be stored in clear text. In short, crypto-keys must be extremely well-guarded and processed on separate, independent security systems.

I’d argue that these practices make good, common sense; they are practices that make code changes updateable and deployable, so device owners remain in control. Unauthorized access control needs to become next to impossible.

To get there, cybersecurity must become much more proactive and incorporate more fundamental preventative elements. Once we create overkill in our security measures, in a way that goes unnoticed by regular users, we’ll achieve effective countermeasures to global cyber-threats.

About the essayist: Erland Wittkotter is an inventor and technology architect. He is the founder of No-Go-* — a grassroots developer community focused on the promise to make our digital life much safer.


Ever feel like your smart home has dyslexia?

Siri and Alexa are terrific at gaining intelligence with each additional voice command. And yet what these virtual assistants are starkly missing is interoperability.


Matter 1.0 is about to change that. This new home automation connectivity standard rolls out this holiday season with sky-high expectations. The technology industry hopes that Matter arises as the lingua franca for the Internet of Things.

Matter-certified smart home devices will respond reliably and securely to commands from Amazon Alexa, Google Assistant, Apple HomeKit or Samsung SmartThings. Think of it: consumers will be able to control any Matter appliance with any iOS or Android device.

That’s just to start. Backed by a who’s who list of tech giants, Matter is designed to take us far beyond the confines of our smart dwellings. It could be the key that securely interconnects IoT systems at a much deeper level, which, in turn, would pave the way to much higher tiers of digital innovation.

I had the chance to sit down, once more, with Mike Nelson, DigiCert’s vice president of IoT security, to discuss the wider significance of this milestone standard. This time we drilled down on the security pedigree of Matter 1.0. Here are the main takeaways:

Pursuing interoperability

Connectivity confusion reigns supreme in the consumer electronics market. From wrist watches to refrigerators and TVs to thermostats, dozens of smart devices can be found in a typical home. Each device tends to be controlled by a separate app, though many can now also respond to one proprietary virtual assistant or another.

And then there’s Zigbee, Z-Wave and Insteon. These new personal networking protocols have caught fire with tech-savvy consumers hot to pursue DIY interoperability.

The tech giants saw this maelstrom coming. Google, Amazon, Apple, Samsung and others have spent nearly three years hammering out Matter 1.0. What they came up with is an open-source standard designed to ensure that smart home devices from different manufacturers can communicate simply and securely via an advanced type of mesh network.


“Matter will create a level of interoperability that makes it so that a consumer can control any Matter-compliant device with whatever virtual assistant they might have,” Nelson says. “It’s going to become a product differentiator because it’s going to create so much value for them.”

This fall, certain brands of smart light bulbs, switches, plugs, locks, blinds, shades, garage door openers, thermostats and HVAC controllers will hit store shelves bearing the Matter logo. If all goes well, soon thereafter Matter-compliant security cameras, doorbells, robot vacuums and other household devices will follow.

Industry work groups already have started brainstorming future iterations of Matter that will make IoT systems in commercial buildings and healthcare facilities much more interoperable – and secure – than is the case today. Beyond that, Matter could bring true interoperability and more robust security to smart cities and autonomous transportation systems. Someday, perhaps, Matter might help to foster major medical breakthroughs and much-needed climate change mitigation.

Preserving digital trust

It’s not too difficult to visualize how imbuing true interoperability into advanced IoT systems, starting small with smart homes, can take us a long way, indeed. It’s also crystal clear that to get there, security needs to become much more robust.

Matter seeks to achieve this right out of the gate by leveraging and extending the public key infrastructure (PKI) — the tried-and-true authentication and encryption framework that underpins the legacy Internet.

PKI preserves digital trust across the Internet by designating a Certificate Authority (CA) to issue digital certificates, which are then relied upon to authenticate user and machine identities during the data transfer process. PKI also keeps data encrypted as it moves between endpoints.

Matter sets forth a similar approach for preserving trust, going forward, of the data transfers that will take place across advanced IoT systems. An extensive process for issuing a “device attestation certificate” for each Matter-approved device has been put into place. DigiCert, which is a globally leading provider of digital trust and happens to be a leading Certificate Authority, recently became the first organization approved to serve much the same role when it comes to issuing Matter attestation certificates.

With respect to Matter, DigiCert has met the requirements to be designated as the first Product Attestation Authority (PAA). This boils down to DigiCert taking extensive measures to create, preserve and distribute, at scale, an instrument referred to as a ‘root of trust.’

Nelson described for me how these roots of trust are at the core of each certificate issued for every smart device that meets the Matter criteria.

Observes Nelson: “The root of trust creates an immutable identity . . . So when you have a Yale lock trying to connect to an Amazon virtual assistant, the first thing it does is look to see if there’s a trusted signature from a trusted root. If it’s there, it greenlights the communication and now two secure, compliant devices can interoperate. So these roots of trust become the magic of secure interoperability.”

It’s encouraging to see security baked in at the ground floor level of a milestone standard; Matter could pave the way for the full fruition of an Internet of Everything that’s as secure as it ought to be. For that to happen, wide consumer adoption must follow; hardware manufacturers and software developers must jump on the Matter bandwagon. I’ll keep watch and keep reporting.


 

Phishing emails continue to plague organizations and their users.


No matter how many staff training sessions and security tools IT throws at the phishing problem, a certain percentage of users continues to click on their malicious links and attachments or approve their bogus payment requests.

A case in point: With business losses totaling a staggering $2.4 billion, Business Email Compromise (BEC) was the most financially damaging Internet crime for the seventh year in a row, according to the FBI’s 2022 Internet Crime Report.

BEC uses phishing to trick users into approving bogus business payments to attackers’ accounts. BEC succeeds despite years of training users to recognize and address BEC emails properly and next-generation tools that harness AI, machine learning, and natural language processing to block phishing and BEC attempts.

The truth is that neither humans nor machines will ever be 100 percent successful tackling the phishing and BEC challenge. Even harnessing both side by side has not proven 100 percent effective.

What is the answer? Meld humans and AI tools into a single potent weapon that can beat the clock and catch just about every phishing email and BEC that attackers throw at it. Let’s examine how each of these strategies works and why both working together stands the best chance of solving the problem.

Leveraging AI/ML

Most people have a pretty good idea how phishing emails and BEC use social engineering to trick their unwitting victims. After extensive research and target identification, the attacker sends an innocent looking email to the victim, who is often someone in the finance department.


The email appears to come from the CEO, CFO, or a supplier, who requests with great urgency that the recipient update a supplier, partner, employee, or customer bank account number (to the attacker’s) or pay a phony late invoice. Thanks to careful research, the invoice is likely to look very convincing.

Legacy secure email gateways (SEGs) miss these phishing emails because they lack the malicious attachments and links these tools typically look for. SEGs are also only good at identifying widely known threats and require a lot of time and resources to maintain.

A more recent alternative, next-generation email security tools use advanced AI/ML with natural language processing, visual scanning, and behavioral analysis to recognize potential phishing emails.

Machine learning identifies and even predicts advanced attacks simply by analyzing large data sets, including emails, for similarities, correlations, trends, and anomalies. It requires few instructions and little maintenance.

As with many security tools, however, machine learning often fails to identify zero-day attacks–in this case spear phishing emails–if they’re different enough from previous ones.

With new types of phishing emails released by millions of attackers daily, it’s no surprise that a few get past the best designed ML models. ML can catch 99 percent of phishing emails, but you need more help to catch the remaining one percent.

Human-machine melding

Fortunately, it turns out that while some people can be fooled by phishing emails, others are adept at spotting suspicious emails and the phishing attempts that ML often misses. Multiply that human capability by thousands across hundreds of organizations of all sizes and you can create a very valuable threat intelligence system.

Such a system could potentially feed new phishing information right back into the machine learning models in real time, so they can start identifying similar phishing exploits immediately. Obviously, a machine learning system trained on phishing information only seconds or minutes old will spot potential zero-day attacks much more competently and rapidly than a machine with information that is days or weeks old.

The key is to meld the capabilities of human and machine into one, as the two working side by side with no interaction cannot be nearly as effective. This melded process must constitute a constant feedback loop with an army of hundreds of thousands of human eyeballs.

The only way to solve a problem that grows exponentially is with a solution that grows exponentially as well. This is similar to the strategy used by Waze, Google Maps, and Uber to keep users out of heavy traffic and allow them to share rides.

No doubt phishing and BEC will continue to grow in both frequency and sophistication. Technology and humans cannot catch all of them alone, but working tightly together they can come very close.

About the essayist: Lomy Ovadia is Senior Vice President of Research and Development at Ironscales, an Atlanta-based email security company.

Cybercriminals are becoming more creative as cybersecurity analysts adapt quickly to new ransomware strategies.


Ransomware has evolved from classic attacks to more innovative approaches to navigate reinforced security infrastructure.

Here’s how hackers are crafting new ransomware extortion tactics to keep analysts on their toes:

Data exfiltration is no more. Most ransomware attacks follow a familiar formula — the hacker gets into a network, grabs data and takes it out to hold onto until the company pays. This storyline is flipped on its head if ransomware hackers decide to destroy information when companies don’t pay the ransom.

This increases the stakes, primarily if entities did not engage in proper backup protocols before the attack. This is known as data destruction. It makes scenarios worse if hackers remain in the network, and instead of taking any information out, they stay and destroy everything from within.

This method means hackers don’t need to create additional infrastructure to combat new security methods. Once they’re in, they can delete everything in the attack’s wake.

However, companies can teach employees proper backup techniques, and IT departments can institute rules for an ideal recovery time objective (RTO). That way, recovery will not exceed the max time before irreversible damage is done.

Double extortion is twice the ransom. Hackers continue to find more ways to make up for the rising costs of cybercriminal activity by making ransoms cost double. They do this by encrypting the stolen data and forcing victims to pay for a decryption key on top of the ransom fee.

There are ways to decrypt the data without paying this portion of the ransom, utilizing programs that perform actions like changing file extensions to manipulate them to a usable format.

There is even triple extortion. A therapy center in southwestern Finland was the first hit by this intense variation of the ransomware attack. The hacker added another layer of extortion by making the center pay, as well as the individual victims whose files the hacker had in possession.

Governments expect ransomware attacks to cost more than $265 billion by 2031, meaning every dollar invested now to prepare will not be wasted paying ransoms.

Physical intimidation for enhanced digital attacks. Imagine if a ransomware attack happened in a business and a physical ransom note appeared out of the printer among a stack of analytics reports.

What management and the IT department could have contained is now known to every employee, causing hysteria and potentially leaking the news to local reporters.

This is the aim of physical intimidation attacks with ransomware. It also causes victims to remain distracted, buying the hacker time to solidify their position in the attack. The more time they buy with physical distractions, the less time the victims have to consider how they will or won’t pay the ransom.

During this frenzy, hackers could initiate a ransom distributed denial-of-service (DDoS) attack, adding more stressors to the already intense situation.

Every moment focused on reaching out to authorities or attempting to find freelance analysts when a company should have had a business continuity plan in place gives cybercriminals more opportunities to take advantage of more information.

Diversifying ransomware attacks. Analysts must take the time to educate themselves about new and upcoming risks. When a unique tactic appears, they cannot waste time lingering in surprise when they need to take action to stop the threat.

Investing in solid cybersecurity, crafting a business continuity plan and staying informed about current trends will save companies millions, if not billions, of dollars. Businesses and individuals can work collaboratively, sharing their experiences to broaden the scope of ransomware extortion tactics for everyone to prepare equally.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

Humans are rather easily duped. And this is the fundamental reason phishing persists as a predominant cybercriminal activity.

Related: How MSSPs help secure business networks

Tricking someone into clicking to a faked landing page and typing in their personal information has become an ingrained pitfall of digital commerce.

The deleterious impact on large enterprises and small businesses alike has been, and continues to be, profound. A recent survey of 250 IT and security professionals conducted by Osterman Research for Ironscales bears this out.

The poll found that security teams are spending one-third of their time handling phishing threats every week. The battle has sprawled out beyond email; phishing ruses are increasingly getting seeded via messaging apps, cloud-based file sharing platforms and text messaging services.

Guest expert: Ian Thomas, VP of Product Marketing, Ironscales

Some 80 percent of organizations reported that phishing attacks have worsened or remained the same over the past 12 months, with detection avoidance mechanisms getting ever more sophisticated.

I had the chance to visit with Ian Thomas, vice president of product marketing at Ironscales, an Atlanta-based email security company.

We discussed advances in cybersecurity training that combine timely content and targeted training to combat the latest phishing campaigns. For a full drill down, please give the accompanying podcast a listen.

Timely, effective security training of all employees clearly must continue to be part of the regimen of defending modern business networks, even more so as cloud migration accelerates. I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

 

Employee security awareness is the most important defense against data breaches.

Related: Leveraging security standards to protect your company

It involves regularly changing passwords and inventorying sensitive data. Cybercriminals view employees as a path of least resistance. As such, you should limit the amount of information that employees have access to.

There are several ways you can protect your business from data breaches.

Create security awareness for employees. One of the most important ways to protect against data breaches is to increase employee security awareness. Employees are the first line of defense against cybercrime and should understand how to recognize phishing emails and what to do if they suspect them. With proper training, employees can prevent these attacks before they happen.

While the protection of the company’s assets can never be completely guaranteed, security awareness training should be a top priority for business owners. Without it, a business is vulnerable to a variety of risks, including financial loss, damage to intellectual property, and brand reputation. In addition, educating employees about cybersecurity issues can help to reinforce the security-minded culture of the organization and change employee behaviour.

Provide frequent training about the risks of cyberattacks. One of the best ways to increase employee security awareness is to provide frequent training and communication about the risks of phishing and other cyberattacks. This training should be short and concise and provide guidance on identifying security risks.

Additionally, employees should receive guidance on how to report suspicious activity and confront strangers in secure areas. After a few months, organizations should evaluate the security awareness training to make sure that it is still relevant and effective.

Cybercriminals are constantly searching for ways to gain access to an organization. As a result, they seek to exploit the weakest link. This can include phishing emails that contain malicious links that infect an organization’s network or steal its database login credentials. Training employees is a crucial part of fighting back against this kind of attack and can complement other technological security solutions.

Change passwords regularly. One of the most overlooked ways to protect your business from data breaches is changing passwords on a regular basis. Many people have their original passwords from college, and they never update them. This can be risky. It can also leave your company vulnerable to disgruntled employees. That’s why it’s essential to change passwords regularly and change them after every staff change.

Passwords are easy to steal, and hackers can use them in just a few seconds. If you’re not changing passwords regularly, you’re inviting hackers and cybercriminals to steal your company’s sensitive data. Changing passwords regularly will make the lives of cyberbullies much harder. It also ensures that your account credentials won’t be used for as long. The best practice is to change passwords every 90 days. You can even use password managers to automatically create strong passwords for you.

In addition to changing passwords, you should also change passwords when entering sensitive information on public computers.

The best passwords are those that are difficult to guess. A common problem is that people tend to use the same password for too long. If you want to be completely safe, use passwords that are hard to guess and don’t use passwords you don’t know.

Inventory your sensitive data. Inventorying sensitive data is a crucial process in protecting your business from data breaches. It helps you determine gaps in security and prioritize your efforts. Data discovery technologies can scan data stores and label sensitive and regulated data by purpose and type. By doing so, you can better protect sensitive data and improve security. This process also helps you determine the amount of data you have in your possession.

Sensitive data may be stored on different media, including discs, tapes, mobile devices, or websites. Every potential source should be considered when creating an inventory. Make sure to involve each department in the process. This includes accounting, sales, and other teams. You should also include third-party service providers, like call centres and contractors.

Data inventory also makes your data searchable. Often, it is the first time a company has a common definition of data. If teams have different naming conventions, data inventory can be a confusing process. Make sure to use common, understandable labels and data value tags for your data.
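A minimal sketch of the scan-and-label step described above, as an added example rather than code from the essay or from any data discovery product: it tags constructed sample records with one shared label set and lists where each label occurs. The label names, store names and sample records are assumptions made for illustration.

```python
import re
from collections import defaultdict

# One shared label set for every team (assumed names, not from the essay).
PATTERNS = {
    "PII.email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "PII.us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PCI.card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> dict:
    """Return {label: match_count} for one record's contents."""
    found = {}
    for label, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if label == "PCI.card_number":
            hits = [h for h in hits if luhn_ok(h)]
        if hits:
            found[label] = len(hits)
    return found

def build_inventory(stores: dict) -> dict:
    """Map each label to the sorted list of locations where it was found."""
    inventory = defaultdict(set)
    for store, records in stores.items():
        for name, text in records.items():
            for label in classify(text):
                inventory[label].add(f"{store}/{name}")
    return {label: sorted(locs) for label, locs in inventory.items()}

# Constructed sample data: two departments and a third-party provider.
SAMPLE_STORES = {
    "accounting": {"invoices.csv": "card 4111 1111 1111 1111, ref 1234 5678 9012 3456"},
    "sales": {"leads.txt": "jane.doe@example.com, 000-12-3456"},
    "call-centre": {"notes.log": "caller read back 4111-1111-1111-1111", "faq.md": "no data"},
}

if __name__ == "__main__":
    print(build_inventory(SAMPLE_STORES))
```

The Luhn filter is what keeps the 16-digit reference number in the accounting record from being labelled as a card number; pattern matching alone would flag it.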

Use a corporate VPN. Encrypting data on corporate devices can prevent hackers from accessing sensitive information. The best way to protect data in this way is to set up a corporate VPN (a virtual private network). VPNs allow employees to connect to the internet securely while hiding the company’s IP address. This method is particularly important for employees working remotely and in public places.

Identifying sensitive data is an essential part of effective information security. You must understand how sensitive data is moved and who has access to it. The Federal Trade Commission recommends that organizations inventory sensitive data stored on storage devices and include the devices of employees who work from home. By identifying these locations, you can easily determine security vulnerabilities.

About the essayist: Idrees Shafiq is a Research Analyst at AstrillVPN with diverse experience in the field of data protection and cyber security, particularly internet security.