Category Archives: Blog

Remember, Think Before You Click!

There is a phishing attack going on you need to know about. The campaign sends and email with the subject: “Assessment document” and the body of the email has a PDF attachment in it that claims that it is locked. The message reads: “PDF Secure File UNLOCK to Access File Content”. If you click to unlock the document, a dialog box comes up that asks you to put in your email address and password.

If an email like that makes it into your inbox, do not click on anything, and definitely do not enter your email address and password. Follow the organization’s procedure and if you are at the house, delete the email. Remember, Think Before You Click!

YAHOO Users beware, act Now!!!

I don’t like to just parrot other posts, but this is too important to waste time.  If you have a YAHOO account take note, change your password and identity questions or close it and open a new one. (best option)

“Yahoo announced that 1 billion of their accounts were hacked. These accounts are now sold by internet criminals to other bad guys which are going to use this information in a variety of ways. For instance, they will send phishing emails claiming you need to change your Yahoo account, looking just like the real ones. Here is what I suggest you do right away.

• If you do not use your Yahoo account a lot. Close it down because it’s a risk. If you use it every day:
• Open your browser and go to Yahoo. Do not use a link in any email. Reset your password and make it a strong, complex password or rather a pass-phrase.
• If you were using that same password on multiple websites, you need to stop that right now. Using the same password all over the place is an invitation to get hacked. If you did use your Yahoo passwords on other sites, go to those sites and change the password there too. Also change the security questions and make the answer something non-obvious.
• At the house, use a free password manager that can generate hard-to-hack passwords, keep and remember them for you.
• Watch out for any phishing emails that relate to Yahoo in any way and ask for information.
• Now would also be a good time to use Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.

Repeated to get the word out from:  http://newsletter.knowbe4.com/a/1022/preview/105/345449/7f81410a6165cd68d60697e95c319548ced801da?message_id=IjE5ODViMDQwLWE4MmItMDEzNC0zMmIxLTE0MDJlYzgzYjg3MEBrbm93YmU0LmNvbSI=

Anticipating Black Friday Threat Trends 2016

Posted in Cyber Threat Intelligence by Tanya Widen on November 21, 2016

• We studied attacks reported during the 2015 holiday period and identified new tools, techniques, and procedures (TTPs) that have emerged recently to help anticipate what to expect this year.
• Targeted threats against shoppers and retailers increase as the volume of shoppers surges during the holiday period.
• Key attack methods used over the Black Friday holiday period include phishing/smishing/spam, malvertising, pre-installed malware, point-of-sale (POS) malware, service disruption attacks, and account takeovers.
• Recent advances in threat actor TTPs have included updated POS malware such as FastPOS and increased service disruption potential following the Mirai botnet 1.2TB distributed denial of service (DDoS) attack.
• Both consumers and retailers can take actions to minmize successful attacks.
• In addition to strengthening security within the network, retailers can gain awareness into external risks using threat intelligence; for example, a recent Recorded Future analysis shows how analysts can be alerted to fake company websites used in phishing and other attacks.
• Consumers need to be vigilant with both online and offline transactions and check with your bank on setting up alerts on suspicious transactions, ensure your computer has the latest security updates and anti-malware, and don’t be afraid to ask retailers on the protection measures they have implemented.

Be very suspicious of emails offering deals to good to be true, check the links, are you sure they go to the place you shop or bank?   Be sure and type them in yourself and not just click on it   Look closely and you might be fooled just clicking on something bad.  For example example[.]com can become exanple[.]com.  Do you see what happened, the M was changed to N and would take you to a hostile site to steal your credentials, credit card, or deliver malware.  Typing it yourself helps avoid this optical illusion by making  sure it is correct.

Don’t fall for any odd prompts in your browser to load or change things.

When in doubt call the vendor to confirm what you see is what they are doing.  A little more effort may just save your identity, bank account, or even the data and pictures on your computer or phone.

Happy Thanks Giving and a safe Black Friday and Cyber Monday.

The Hard Truth about CyberSecurity in 2016 going forward

CyberSecurity planning Takeaways in 2016.

Without Clear Business Alignment, Your Company Will Not Prioritize Security

Security leaders have often ignored CyberSecurity — until something goes wrong.  If you do not see how CyberSecurity efforts help achieve business objectives, there is no compelling reason for supporting them  with budget, communication, or inclusion in projects.  CyberSecurity is now a key component to any business plan because your data is your business.  Need to protect the data assets of the business as much as is done financially.  Without your data there is no business, without CyberSecurity there maybe no data.  Time for CyberSecurity to have a seat at all of the tables of the business just like policy, finance, and planning.   From Board room to break rooms.  To preserve the business reputation, future prospects, and C-Suite jobs CyberSecurity needs to be factored into all the calculus used to drive the business to success.

A Truly Business-Savvy company Will Have A Truly Business-Savvy Strategy

Business leaders have adopted a technology agenda that allows the organization to successfully compete and grow, but they left out the most important part to keeping their business.  CyberSecurity is the missing critical piece. Weekly we hear of another business being attacked and data lost or compromised.  Because they did not consider security of  business data and the ability to process it each day worth what it represents.   Business data represents the business itself, protecting it is not some insignificant  bother or a promise of a one time purchase solves all.  The data is the business, protect it as you do the finances, the 5 year plan, growth, and success.   CyberSecurity is here to stay with costs and planning.   Without a CyberSecurity plan a business will not reach its potential and possibly perish.

If You Can’t Communicate Your Strategy Simply, You May As Well Not Bother

Your business needs to be able to communicate all of the business strategies including CyberSecurity. If you cannot communicate it in a clear and concise manner, then there is a problem, it probably doesn’t exist.   A business can communicate its financial plan to banks, boards, and stock holders precisely, but what about the Cyber protection of the business essence from being compromised or ruined by neglecting to address the fiduciary responsibility of CyberSecurity.  Remember Ben Franklin’s words, “failure to plan is planning to fail.”  Is the Board and Executive team planing to fail foolishly thinking that they are saving money?   If it cannot be communicate your CyberSecurity strategy because it didn’t spike the administration interest, then you may as well not bother continuing the business because eminent failure will be in your future.

Is your business is planning to fail by ignoring the fact that CyberSecurity is a critical  business problem of the 21st century?  This is a Board and Executive level fiduciary responsibility for any business.  To not deal with it is negligence  and eminent failure is what is coming, followed by losses, regulatory fines, litigation, and the demise of a once viable company that failed to protect it self from those that wanted to harm it.  Certainly those that ignore the eminent threat will not continue in the same profession.

Time to make a critical business decision to protect the business by protecting the data that defines it.   What is your answer?