Tag: phish

  • The first rule of security: “Be aware” of your surroundings

    The COVID19 Coronavirus situation has affected our families, our homes, and our work environments. Our children are home, some people are new at working remotely, others have to be extra vigilant in keeping their areas clean and sterile, and even more are stressed and overworked with more caseloads and more patient care than is common.


    During these stressful times, the Internet Bad Guys are going to do their best to trick you. They are working hard to entice you to do the wrong thing. The Bad Guys are going to strike your nerves with Fear, Uncertainty, and Doubt, three of the most powerful influencers ever used against mankind.

    How can you protect yourself? The same methods you use to keep yourself safe “in real life” will also secure your digital world — be aware! Know your contacts, know your computer, and know your context. Let’s take a look.

    Know your contacts (your people, your connections)

    • Do not open links from unknown contacts! Do not open files! Are you receiving more emails about “COVID19”? Information about your stimulus check? Brand new “Preventions” and “Cures”? Source for Toilet Paper and Masks? Do not click those links unless you know the sender, and do not open attachments. These social engineering techniques are known as Phishing attacks.
    • Are you receiving phone calls asking for information? Spoofing Caller ID is easy; do not rely on Caller ID alone to identify the caller. Be especially vigilant with odd requests such as sending money, or a caller suggesting that you open a web page.  These social engineering techniques are known as Vishing attacks.
    • Did you receive a USB memory stick in the mail or find one while shopping? “Free Gift” from Best Buy or your favorite shopping site? “Proprietary Information” from your employer? Just toss it in the garbage. USBs can be used to spread viruses. If you do not know its origin, it is not worth risking a computer virus infection.  These social engineering techniques are known as USB Drop attacks.
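    To turn the “know the sender before you click” advice above into something a mail filter or help desk can check, here is an added Python example (not code from the original post) that triages a message for two common phishing tells: a link whose visible URL differs from its real target, and lure keywords in the subject line. The sample message, domains and keyword list are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the COVID-19 lures the post describes
# (not a real message): the visible link text claims irs.gov, but the
# real href goes to an unrelated domain.
SAMPLE = """From: "Rewards Desk" <alerts@example-rewards.test>
To: you@example.test
Subject: Your COVID19 stimulus check is ready
Content-Type: text/html

<html><body><p>Claim your stimulus check here:</p>
<a href="http://login-verify.example-rewards.test/claim">https://www.irs.gov/stimulus</a>
</body></html>
"""

# Assumed keyword list; tune it to the lures seen in your own mail stream.
LURE_WORDS = ("covid19", "coronavirus", "stimulus", "cure", "prevention")
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    # Crude "last two labels" approximation (assumption; a production
    # check would consult the public suffix list).
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def link_mismatches(html):
    """(visible text, href) pairs whose shown URL and real target disagree."""
    found = []
    for href, text in HREF_RE.findall(html):
        shown = urlparse(text.strip())
        if shown.scheme and shown.netloc:  # visible text itself looks like a URL
            if registrable(shown.netloc) != registrable(urlparse(href).netloc):
                found.append((text.strip(), href))
    return found

def triage(raw):
    """Return human-readable reasons to treat the message as suspicious."""
    msg = message_from_string(raw)
    reasons = [f"link text {t} actually points to {h}"
               for t, h in link_mismatches(msg.get_payload())]
    hits = [w for w in LURE_WORDS if w in msg.get("Subject", "").lower()]
    if hits:
        reasons.append("lure keywords in subject: " + ", ".join(hits))
    return reasons

if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print("SUSPICIOUS:", reason)
```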

    Know your computer (your systems)

    • Be aware when things are not working correctly, or seem particularly slow. Contact your manager or help desk if you notice anything that “doesn’t seem right”.
    • Keep your computers and phone software up to date. Install all security updates when they are available. Make sure your virus protector is on and updated.

    Know your context (your surroundings, your work environment)

    • Just like in the real world, know your surroundings. Be aware of who is around. Be especially aware when discussing sensitive information. Our environments are rapidly changing, and our work lives and home lives are now more tightly integrated than just a few weeks ago. Know who is around when you are discussing sensitive information, whether it be financial information, patient data, or anything else that should be kept private.

    Famous last words

    Take care of yourself

    Remember, security starts with you. Be aware, be conscious of your surroundings, and be knowledgeable about your rapidly changing work environment.

    Fear, uncertainty, and doubt: three powerful influencers, especially at times like today when our physical health is threatened. Let’s be careful out there.

    Tell me more! What are your safety tips? How can we all be safe out there?

  • Phish for phun and profit

    Phishing is a real problem, and that problem is only increasing in frequency.

    Phish attacks come in many different forms. Everyone is affected by phishing. Whether it be that a credit card number is stolen from your family member, or your friend gets their Facebook account hijacked, or you have your company web site blacklisted for SPAM, we are all affected by phishing attacks. Some of those attacks are worse than others.

    Click here for the presentation

    All information in this presentation is derived from public sources.

    A few definitions

    • Exploitation is an attack on a computer system, especially one that takes advantage of a particular vulnerability that the system offers to intruders
    • Social engineering is a confidence trick, an attack vector that relies on human interaction to trick people into doing something that is likely not in their best interest
      • Social Engineering is an attempt to take advantage of the vulnerability called the Human OS
    • Phishing is the attempt to take advantage of social and emotional constructs to obtain sensitive information by disguising as a trustworthy entity in an electronic communication

    Comparison to SPAM

    • SPAM is unsolicited or unwanted email, often related to product endorsement
      • Unsolicited mail predates computers; SPAM is electronic unsolicited mail
    • Phish are pretextual lies intended to dupe the victim into providing something private or valuable, or inadvertently providing command and control access to a computer
      • Pretexting predates computers; a pretext is something that is put forward to conceal a true purpose
