Stockbroker Loses Job for Responding to a Phishing Email

An employee who responds to a phishing email sent to a work address may not suffer a direct financial loss, but that does not mean the employer is the only victim. A U.S. stockbroker has just discovered that falling for a phishing campaign can result in loss of employment, as well as being barred from working as a stockbroker for a year.

Responding to a phishing email can have serious consequences

In this case, the ban was not issued for simply responding to a phishing email, but for the actions taken by the stockbroker. The phishing email response occurred last year, and resulted in $160,000 in funds being transferred from a client’s account into the bank account of a scammer.

The stockbroker, David P. Santos, received an email that had apparently been sent by his client. However, the client did not make the transfer request. The email was sent by a hacker who had managed to gain access to the client’s email account. The email requested a transfer of funds to a third-party bank.

Santos obliged, but in order to do so, forged the signature of his client. He did this on 10 separate documents and made a series of transfers. According to a report issued by the Financial Industry Regulatory Authority (FINRA), in order to obtain the necessary funds, Santos liquidated holdings and conducted improper trades.

The matter has recently been back in the news as it was incorrectly tied to another security incident at the bank involving the theft of a laptop computer. According to the Pioneer Bank of Troy, Santos’s former employer, the matters are totally unrelated.

This may be an extreme example of an employee falling for a phishing scam, but the incident does highlight the need for employers to be vigilant, and to implement multi-layered security controls to protect against scam emails and phishing campaigns.

Proven phishing prevention strategies to minimize risk

If enough spam and phishing emails reach the inboxes of employees it is only a matter of time before someone responds and opens an infected attachment, visits a malware-ridden website, or exposes sensitive information to hackers. In some cases, even accountants fall for scams and make bank transfers from corporate accounts.

There are a number of measures employers can take to reduce the risk from spam and phishing emails. If no action is taken, it is just a matter of time before users fall for a scam. Once that happens, a network can be compromised or fraudulent bank transfers made.

Develop a culture of security awareness in the workplace

  • Ensure all new employees receive security awareness training as part of their induction program
  • Conduct regular refresher training to keep data privacy and security matters fresh in mind
  • Place notices of the latest security threats on company noticeboards
  • Issue email alerts warning of current threats, new scam emails and phishing campaigns as soon as they are discovered

Purchase software solutions to reduce the risk of employees falling for phishing scams

  • Invest in a robust and effective spam filter to prevent spam and phishing emails from being delivered
  • Employ a web filtering solution to stop employees visiting known malware-infected websites

Check for intrusions and malicious software that has bypassed security controls

  • Use Anti-Virus software and ensure virus definitions are set to update automatically
  • Schedule full system scans during periods of low network activity
  • Install Anti-Malware software, keep definitions updated, and regularly schedule malware scans
  • Use one AV engine to protect end users and a separate one for servers; two engines will maximize the chance of catching all viruses and malware

Awareness of Security Threats is a Cause for Concern

A new study conducted by CompTIA has highlighted the risks being taken by end users, and suggests low awareness of security threats. End users’ lack of knowledge of basic security measures continually frustrates IT security professionals. End users are usually seen as the weakest link in the security chain, and the results of this study are unlikely to change many minds. The study also suggested that the people most likely to take risks and jeopardize security are in their early twenties: Gen Y.

Gen Y Has Low Awareness of Security Threats

One of the tests conducted was a relatively straightforward but ingenious test of risk awareness. CompTIA researchers dropped 200 unmarked thumb drives in locations that received high volumes of foot traffic. The researchers wanted to find out how many individuals would pick up the drives and plug them into their computers.

Thumb drives can be purchased cheaply, but are extremely useful. Finding one in the street may be seen as a lucky find. However, plugging such a drive into a computer carries a huge risk. There is no knowing what software is installed on the drive, and simply plugging it into a computer could easily result in malware or viruses being installed.

In this case, doing so only resulted in a pop-up message being displayed, which prompted the new owner of the thumb drive to send an email to the researchers to let them know that the device had been found and plugged in. In total, 17% of the 200 thumb drives resulted in a response being received by the researchers. Not all of the individuals who picked up a thumb drive will have responded to the pop-up request to email the study organizers, so the number of individuals who did plug in a drive may well have been higher.

The company also conducted a survey to discover more about end user awareness of security threats. Over 1200 completed surveys were collected by the company, and the results show that many end users are taking considerable security risks. Those risks could result in laptops, computers, and mobile phones being compromised. If IT security professionals were worried about end user risk taking before, they are likely to be even more worried now.

Numerous questions were asked; however, the most worrying statistics for security professionals is the volume of individuals who use the same passwords for personal accounts as they do for their work computers. The study revealed 38% of respondents did this, while 36% used their work email address for personal accounts.

Gen Y end users were most likely to take risks, with 40% saying they would pick up and use a flash drive they found in the street, and 94% of respondents connecting either their laptop or mobile to public Wi-Fi networks. Nearly seven out of ten individuals said they use their laptops for work purposes or to handle work-related data, and six out of ten employees used employer-supplied mobile devices for personal applications.

While IT security professionals reading CompTIA’s statistics may break out in a cold sweat at the excessive risks being taken by end users, there is a solution: provide more security awareness training to staff. End users may be the weakest link, but with training, the risk can be managed. If awareness of security threats increases, organizations will be better protected from cyberattacks.

Less than half of respondents reported having received any cyber security training, so awareness of security threats was understandably low. Employees were not aware of the level of risk they were taking. Unless end users are shown how to be more security conscious, risky behavior is unlikely to decrease.

Mobile Malware Risk Increase Shown by New Kaspersky Report

A new security report issued by leading Anti-Virus firm Kaspersky Labs has highlighted the growing mobile malware risk, with Adware (intrusive mobile advertising) seeing a huge increase since last quarter.

The third quarter report shows a 3.1% increase in the number of new mobile malware programs discovered by Kaspersky Labs compared with its Q1 2015 figures, and a 1.1% increase since last quarter. In total, Kaspersky products detected 323,374 new mobile malware threats over the past three months. The mobile malware risk appears to be growing.

Only a small increase in mobile malware was recorded since last quarter, but the same cannot be said of mobile malware installation packages. 1,583,094 new installation packages were detected in Q3, which is one and a half times the total discovered in Q2.

There have been some significant changes in the types of mobile malware discovered, with some categories seeing a fall in prevalence. Trojan-Downloaders, Backdoors, Trojans, Trojan-Spy and Trojan-SMS all decreased in prevalence in Q3. The most significant reductions were in Trojan-Spy and Trojan-SMS malware, which dropped by 1.6 and 1.9 percentage points respectively.

However, the biggest drop since last quarter was recorded for RiskTool, which fell by 16.6 percentage points since the last quarterly report was issued. The RiskTool category includes legitimate mobile programs which are not malicious in nature, but can be manipulated by hackers. This makes them particularly risky to have installed on mobile devices. These programs are capable of terminating processes (such as security applications), hiding processes from the user, and concealing files within the Android system.

There were marginal increases in Trojan-Dropper, Trojan-Banker and Trojan-Ransom detections. The biggest rise by a considerable margin was Adware. Mobile Adware jumped from 19% of detections in Q2 to 52.2% in Q3, an increase of 33.2 percentage points.

Huge Hike in AdWare Highlights Increasing Mobile Malware Risk

Cybercriminals manage to install malware on mobile devices, but how do they actually make money from those infections? Many items of malware log keystrokes and capture the passwords and logins used to access Internet banking websites, but the majority of mobile threats involve monetization via advertising. This quarter, over half of all mobile malware threats came from Adware.

While the main form of monetization comes from the adverts served, that does not mean that is the only threat to users. Adverts are certainly annoying, and can contain links to malicious websites, but there could well be much worse things happening on your mobile device.

Malware is installed that can root the device and elevate privileges. Hackers can then take full control of the entire device. With superuser privileges, hackers can make changes which even the user of the device would not be able to make. Once this happens, it can be nigh on impossible to eradicate the malware and take back control of the device. It may also be virtually impossible to tell if a device has actually been attacked.

This quarter, the malicious software capable of doing this accounted for over half of the most popular malware items affecting mobile devices. The most common malicious program recorded by Kaspersky Labs, by some distance, was DangerousObject.Multi.Generic. This malware item accounted for 46.6% of attacks. The next biggest threat came from Trojan.AndroidOS.Rootnik.d which accounted for 9.9% of attacks in Q3.

How did Kaspersky Labs Produce the Report?

The latest Kaspersky report was compiled from data collected from the Kaspersky Security Network (KSN), which includes multiple anti-malware products and components. Kaspersky collected data from over 213 countries from users who had provided consent to send data from their devices to KSN. This global information exchange allows current threats to be accurately monitored. Data sharing is vital in the fight against cybercrime.

Countering the Mobile Malware Risk

Anti-Virus software such as that produced by Kaspersky Labs can be used to reduce the mobile malware risk and prevent mobile devices from being attacked. An additional control that should be considered, especially by companies allowing the use of personal devices in the workplace, is to install a web filtering solution to prevent users from accessing websites known to contain malware. This will reduce the mobile malware risk considerably.

SpamTitan web filtering software offers excellent protection and complements AV software programs. The web filter prevents users from visiting risky websites, even when phishing links are clicked. It is one of the best ways to reduce mobile malware risk levels, although to reduce mobile malware risk to a minimal level, a multi-layered risk management strategy should be adopted.

Liability for Employee Internet Usage

Liability for Employee Internet Usage: Can an Employer be Liable for an Employee’s Online Activity?

There are numerous benefits to be gained from allowing employees access to the Internet. Information can be found quickly, contacts can be easily developed, new suppliers easily located, products purchased, research conducted and many more benefits can be realized.

Unfortunately, the provision of Internet access to employees does occasionally lead to abuse. An employee could use the Internet to access personal gambling accounts and play online poker at work, or social media websites could be used excessively. Individuals can and do view pornography at work. Threats and disparaging comments may be posted online. Illegal file sharing, hacking other corporations, and accessing databases without authorization can also be added to that list.

There are plenty of other ways of abusing Internet access and, if it can be done, an employee somewhere will have already done it.

The majority of these acts are committed by only a minority of employees. They rarely cause an employer, co-worker or other individual to come to any harm. However, this is not always the case. Should harm occur, or should an employee break the law, the employer could be found liable for the employee’s actions.

There have been a number of cases when employers have been found to be liable for the actions of employees, such as when actions have adversely affected work colleagues. Some of the most common reasons for lawsuits have been sexual harassment of co-workers, threats of violence, racial harassment, and discrimination.

Respondeat superior – Employer Liability for the actions of an employee

The legal term for vicarious liability of an employer for actions committed by an employee is Respondeat superior. This is nothing new. It has been written into the law for over 100 years. Today, Respondeat superior does not only apply to verbal actions, it also applies to actions committed using email and abuse of the Internet. It is not limited to actions against co-workers either. Liability for employee Internet usage may result from comments posted on forums.

Typically, an employer would only be liable for an act committed by an employee while furthering the purpose of an employer. For instance, if an employee of the marketing department was posting links to a company website via Internet forums, an employer could be found liable for harm caused to a third party if those links defamed the character of a third party or were deemed to be slanderous.

In recent years, Internet abuse by employees has not necessarily had to be conducted in furtherance of the employer’s purposes for liability to arise. Simply providing an employee with the opportunity to cause harm may come back on the employer. In many cases it does not even matter whether the employer was aware of the activity; ignorance will not protect them from liability for employee Internet usage.

How can employers protect against liability under Respondeat superior?

There are four easy ways that employers can protect themselves from liability stemming from employees misusing the internet at work. The first is one of the simplest measures and the cheapest to implement. The other three controls involve software solutions.

Implement clear policies covering acceptable uses of the Internet and email at work

This measure is the simplest to implement, yet even this basic control has not been put in place by many SMEs. If an employer has not written clear and precise policies on allowable uses of the Internet and email in the workplace, employees cannot be expected to know whether they are committing acts that the company finds unacceptable.

If an employee is not informed that an activity is unacceptable they cannot be expected to guess. Accessing pornography at work and being fired for doing so could see that decision overturned in an employment tribunal if the employee was not informed that accessing porn would result in the immediate termination of his or her work contract. It is also essential that a signed copy of Internet usage policies is obtained from each employee.

Implement a system that monitors Internet and email usage in the workplace

Policies are only the first step. There must be a method of monitoring access to the Internet, otherwise there will be no way of telling if employees are adhering to company policies. It may not be necessary to constantly monitor Internet access, but regular audits should be conducted. Any individual found to have abused access rights must be subject to disciplinary procedures. There is no point implementing policies that are not enforced.

Liability for employee Internet usage is more likely if a web filter is not employed to control Internet access

Many employers choose not to take chances and restrict the websites that can be viewed in the workplace. There are many methods of achieving this, such as setting rules in browsers or on proxy servers used to access the Internet. Many of these methods can be implemented cheaply, and some without any cost other than the time it takes to set them up.

In some cases, the man-hours required to set up these rules makes it impractical. It is often far quicker, easier, and more cost effective to employ a powerful web filter. This will allow a system administrator to centrally control Internet access for individuals, groups, or the entire organization. A web filtering solution with a high degree of granularity will allow a wide range of controls to be applied for different roles within an organization and can be used to restrict access to pornography for the whole organization, limit the time that can be spent on social media websites, and set specific privileges for each individual if required.
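As an added example, and not code from SpamTitan or any product this post describes, the following Python shows the kind of granular policy the paragraph above has in mind: one category blocked for the whole organization, a time window (the simplest form of a time limit) for social media applied per group, and a per-user override. The category map, group names, users and hostnames are all constructed for the illustration; a real web filter replaces the dictionary with a categorization feed.

```python
"""Added example (not SpamTitan/WebTitan code): a minimal group-aware web
filtering policy. All categories, groups, users and hostnames are constructed."""
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Constructed category map: hostname -> category.  A real filter uses a large
# categorization feed; this is just enough to exercise the policy logic.
CATEGORIES = {
    "example-gambling.test": "gambling",
    "social.example.test": "social_media",
    "wiki.example.test": "reference",
    "bad-adult.example.test": "adult",
}


@dataclass
class Policy:
    blocked_everywhere: set   # categories nobody may reach, overrides included
    group_rules: dict         # group -> {category: (start_hour, end_hour)} allowed window
    user_overrides: dict      # user -> set of categories that user may always reach


def categorize(url):
    """Map a URL to a category by walking up its hostname labels, so that a
    subdomain inherits the category of its parent domain."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"


def decide(policy, user, group, url, when):
    """Return ("allow"|"block", category) for one request.
    Order matters: an organization-wide block beats a user override, and a
    user override beats the group's time window."""
    cat = categorize(url)
    if cat in policy.blocked_everywhere:
        return ("block", cat)
    if cat in policy.user_overrides.get(user, set()):
        return ("allow", cat)
    window = policy.group_rules.get(group, {}).get(cat)
    if window is not None:
        start, end = window
        return ("allow" if start <= when.hour < end else "block", cat)
    return ("allow", cat)


# Constructed policy: adult content blocked for everyone, staff may use social
# media only between 12:00 and 14:00, the marketing lead may use it any time.
POLICY = Policy(
    blocked_everywhere={"adult"},
    group_rules={"staff": {"social_media": (12, 14)}},
    user_overrides={"marketing.lead": {"social_media"}},
)

if __name__ == "__main__":
    lunch = datetime(2015, 11, 2, 13, 0)
    morning = datetime(2015, 11, 2, 9, 0)
    print(decide(POLICY, "alice", "staff", "https://social.example.test/feed", lunch))
    print(decide(POLICY, "alice", "staff", "https://social.example.test/feed", morning))
    print(decide(POLICY, "marketing.lead", "staff", "https://social.example.test/feed", morning))
    print(decide(POLICY, "marketing.lead", "staff", "http://bad-adult.example.test/", lunch))
```

The evaluation order is the security-relevant part: the organization-wide block is checked first so that no override, however generous, can reopen a category that policy says nobody may reach.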

Use an Anti-Spam solution to prevent email abuse at work

Internet abuse must be tackled, but it is important not to forget email. Email is used by virtually every company employee and is just as easy to abuse. It is difficult to control the content of messages to protect employees from sexual harassment, but it is possible to prevent individuals from emailing certain file types outside the company.

Anti-Spam products include a filter to protect users from incoming spam, but products such as SpamTitan also offer control over outgoing emails. The spam filter can be configured to prevent individuals from using company email accounts to conduct personal spamming campaigns.
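To make the two outbound controls described above concrete, here is an added Python example; it is not SpamTitan code and does not use any SpamTitan configuration. It parses an outgoing message with the standard library, and quarantines it when a blocked attachment type is addressed to anyone outside the company domain or when the number of external recipients looks like a bulk mailing. The company domain, the blocked extension list, the recipient threshold and the sample messages are all constructed.

```python
"""Added example (not SpamTitan code): an outbound mail policy check that
enforces two rules the text describes.  All domains and limits are constructed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example-corp.test"                        # constructed
BLOCKED_OUTBOUND_EXT = {".xls", ".xlsx", ".mdb", ".pst"}    # constructed list
MAX_EXTERNAL_RECIPIENTS = 25                                 # constructed threshold


def external_recipients(msg):
    """All To/Cc/Bcc addresses that are not in the company domain."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    addrs = [addr for _, addr in getaddresses([str(h) for h in headers])]
    return [a for a in addrs if not a.lower().endswith("@" + INTERNAL_DOMAIN)]


def blocked_attachments(msg):
    """Filenames of attachments whose extension is on the outbound block list."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_OUTBOUND_EXT:
            found.append(name)
    return found


def check_outbound(raw_bytes):
    """Return ("deliver"|"quarantine", [reasons]) for one outgoing message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    outside = external_recipients(msg)
    reasons = []
    if outside:  # purely internal mail is never subject to these two rules
        bad = blocked_attachments(msg)
        if bad:
            reasons.append("blocked attachment type to external recipient: " + ", ".join(bad))
        if len(outside) > MAX_EXTERNAL_RECIPIENTS:
            reasons.append(f"{len(outside)} external recipients exceeds limit of {MAX_EXTERNAL_RECIPIENTS}")
    return ("quarantine" if reasons else "deliver", reasons)


def sample_message(to, attachment_name):
    """Build a constructed outgoing message with one small binary attachment."""
    m = EmailMessage()
    m["From"] = "alice@" + INTERNAL_DOMAIN
    m["To"] = to
    m["Subject"] = "figures"
    m.set_content("see attached")
    m.add_attachment(b"\x00\x01\x02", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    print(check_outbound(sample_message("bob@partner.test", "q3.xlsx")))
    print(check_outbound(sample_message("carol@example-corp.test", "q3.xlsx")))
    many = ", ".join(f"user{i}@other.test" for i in range(30))
    print(check_outbound(sample_message(many, "note.txt")))
```

Matching on the attachment filename is deliberately the simplest check; a production filter would also inspect the content type and the file's magic bytes, because a renamed extension defeats a name-only rule.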

If you put the controls in place to prevent Internet and email abuse, monitor activity, and make sure Internet and email usage policies are in place, it is possible to protect the business from liability. Liability for employee Internet usage will be avoided. It will be the employee, not the employer, who is likely to be found liable.