If a user in your organization accidentally installs keylogging malware onto his or her computer, every keystroke entered on that computer – including login names and passwords – could be sent directly to hackers’ command and control servers.
If only one machine is affected and the infection is caught quickly, the exposure may be limited. If the malware sits on multiple computers and goes undiscovered for days or weeks, criminals can harvest a considerable amount of data.
Keylogging malware infection discovered by OH Muhlenberg Community Hospital
A hospital in Kentucky recently discovered not only that multiple computers had been infected with keylogging malware, but that the infections dated from 2012. For three years, every keystroke entered on those computers was recorded and transmitted to the attackers.
The computers were used by healthcare providers, employees and contractors. Because of how long they were infected, it is not possible to determine exactly what data was exposed and copied. Patient health information would have been typed on them, including Social Security numbers, health insurance details and other Protected Health Information. Providers would have entered their Drug Enforcement Administration numbers, state license numbers, National Provider Identifiers and other sensitive data.
Employees who logged into healthcare systems from those computers could have had their login credentials recorded, and the same applies to any web services they accessed.
Such an extensive, long-term keylogging infection places many patients at risk of identity theft or fraud, and physicians could have their identities stolen. Criminals could use the data to commit medical fraud or insurance fraud, or to file false tax returns. The fallout from this attack could therefore be considerable, and may cost the hospital dearly.
The danger of keylogging malware
Once keylogging malware has been installed on a computer, anything typed on the keyboard can be recorded. That information is then exfiltrated to the attacker's server until communications with the unauthorized IP addresses are blocked. In the hospital's case, the malware was only discovered after a tip-off from the FBI: agents had noticed suspicious communications between the hospital and third-party servers. When the alert was issued and a security audit performed, a number of computers were found to be infected.
Even when cybersecurity protections are in place, it is all too easy for them to be bypassed. All it takes is for one user to inadvertently install malware, and in most cases the person responsible will never notice: no warning is issued and the anti-virus software raises no flag.
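The "suspicious communications" that tipped off the FBI are exactly what a beaconing keylogger produces: small, regular uploads to a server nobody in the organization recognises. The following Python script, added here as an illustration and not part of the original article or any SpamTitan product, runs that check over a constructed proxy-log excerpt. The log format, the host names and the known-good address ranges are all assumptions made for the example.

```python
import ipaddress
import statistics
from datetime import datetime

# Constructed proxy/firewall log excerpt for this example (not real hospital data):
# "<UTC timestamp> <source host> <destination ip:port> <bytes sent>".
# ws-017 talks to 203.0.113.45 every five minutes with almost no jitter,
# which is what a keylogger flushing its buffer to a C2 server looks like.
SAMPLE_LOG = """\
2015-09-01T08:00:02Z ws-017 203.0.113.45:443 1320
2015-09-01T08:05:01Z ws-017 203.0.113.45:443 1290
2015-09-01T08:10:03Z ws-017 203.0.113.45:443 1305
2015-09-01T08:15:02Z ws-017 203.0.113.45:443 1311
2015-09-01T08:20:01Z ws-017 203.0.113.45:443 1298
2015-09-01T08:00:40Z ws-017 10.1.2.3:443 8801
2015-09-01T08:01:17Z ws-022 198.51.100.9:443 5120
2015-09-01T08:09:55Z ws-022 198.51.100.9:443 44090
2015-09-01T08:41:10Z ws-022 198.51.100.9:443 902
2015-09-01T08:03:00Z ws-022 203.0.113.77:80 1500
2015-09-01T08:50:00Z ws-022 203.0.113.77:80 1600
"""

# Assumed known-good ranges: the internal network and an approved SaaS provider.
KNOWN_GOOD = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("198.51.100.0/24")]


def parse_line(line):
    """Split one log line into (timestamp, source host, destination ip, bytes)."""
    ts, src, dst, nbytes = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ip = ipaddress.ip_address(dst.rsplit(":", 1)[0])  # IPv4 assumed for the example
    return when, src, ip, int(nbytes)


def is_known_good(ip):
    return any(ip in net for net in KNOWN_GOOD)


def find_beacons(log_text, min_events=4, max_jitter=0.2):
    """Return flows to unknown destinations whose connection intervals are
    too regular to be human browsing.  jitter = stdev(gaps) / mean(gaps)."""
    flows = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, ip, nbytes = parse_line(line)
        if is_known_good(ip):
            continue
        flows.setdefault((src, str(ip)), []).append((when, nbytes))

    findings = []
    for (src, dst), events in flows.items():
        if len(events) < min_events:
            continue
        events.sort()
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "events": len(events),
                "period_s": round(mean_gap),
                "jitter": round(jitter, 3),
                "bytes_out": sum(n for _, n in events),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} connections "
              f"every ~{hit['period_s']}s (jitter {hit['jitter']}), "
              f"{hit['bytes_out']} bytes out")
```

Run against the sample, only the ws-017 flow to 203.0.113.45 is reported: five connections roughly 300 seconds apart, with a jitter well under one percent. The web traffic from ws-022 is either to a known-good range or too irregular and too sparse to qualify. In practice the thresholds are tuned per environment and the destination is then checked against threat intelligence, but the shape of the check (unknown destination, many events, near-constant period) is what catches a keylogger that no file scanner has flagged.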
How are keyloggers installed on computers?
How can a hospital that has invested in cybersecurity defenses be attacked and fail to notice for three years? Regular scans of the hospital's computers might have identified the infections sooner, but not all keylogging malware is easy to detect; attackers keep developing more sophisticated malware capable of evading detection.
There are several ways the malware could have been installed without being detected by anti-virus and anti-malware software. Since multiple computers were infected, either an insider installed the keylogger on multiple machines (from a USB drive, for instance) or multiple members of staff fell for a phishing campaign.
Mass phishing emails are sent out in the millions in the hope that a few recipients will respond and download malware. Multiple infections in one organization point instead to spear phishing: emails sent to a particular group of individuals within the organization. The targets are researched, and the messages carry links the recipients are likely to click. The links lead to websites hosting malicious code that installs files on the visitors' computers. Keylogging malware can also be delivered as an infected email attachment.
By targeting users, hackers and other cybercriminals are able to bypass robust security controls. Users are the weakest link, and it is far easier to target them than break through multi-million-dollar security defenses.
Cost-effective protection against phishing emails and malicious websites
There are two cost-effective solutions that can prevent staff members falling for phishing campaigns that install keylogging malware. The first works by ensuring phishing emails are never delivered to an organization’s employees. If the emails are blocked and are not delivered, they will not be able to respond. A powerful anti-spam solution will catch the vast majority of spam and phishing emails. In the case of SpamTitan, over 99.7% of spam emails will be captured.
Since spammers constantly change their tactics and new malware is continually being developed, no filter will catch every spam email 100% of the time. Occasionally even the best anti-spam software will miss one.
To ensure staff members do not respond to a request to visit a malicious website or open a malware-infected email attachment, it is essential to provide training. Training will help end users to identify the occasional spam email that sneaks past a spam filter.
An anti-spam solution will not prevent a user from clicking on a social media link to a malicious website. Ad networks can similarly contain links to malicious sites. Clicking on one of those links could result in keylogging malware being downloaded.
The second cost-effective solution to offer protection from phishing websites is web filtering software. A web filter can be implemented that will prevent adverts from being displayed or potentially harmful websites from being visited. WebTitan offers these protections and will keep end users safe when surfing the Internet. If end users cannot visit phishing websites and other dangerous sites, they will be prevented from inadvertently installing malware.
Alongside other cybersecurity protections and internal policies covering internet and email usage, these measures reduce the probability that an attack will succeed. Regular malware and virus scans also limit the damage when a computer is infected, because the infection is caught sooner.
In order to manage cybersecurity risk effectively, data protection policies must be developed. However, a new research study conducted by risk and business consulting firm Protiviti, suggests that a third of companies have not yet developed data protection policies. When data protection policies have been implemented, many are insufficient and leave the company vulnerable to a cyberattack.
Data protection policies are inadequate or non-existent in many cases
Over 700 information security professionals and executives were polled and asked about their company’s efforts to keep data secure. Questions were asked about data retention, storage and secure disposal, as well as governance, privacy policies and a wide range of cybersecurity controls. It would appear that many firms were not managing cybersecurity risk effectively, leaving them vulnerable.
Information security solutions may have been implemented, but basic controls such as the development and issuing of data protection policies had been neglected. When policies had been written and implemented, many were insufficient and did not cover even a fraction of the elements necessary to keep systems and data secure. Many security holes were allowed to persist.
To manage cybersecurity risk, start at the top
The board must become involved in cybersecurity decisions and should take a greater interest in keeping their organizations secure. Policies must be developed that set rules for the entire organization, and awareness of data and network security must be improved. All members of staff must be made aware of the current threat levels and a culture of security awareness developed. Best practices must be defined and all users monitored to make sure that those practices are being followed.
The study indicates that board-level involvement in cybersecurity is becoming more common, yet only 28% of respondents reported a high level of board engagement, and that figure actually fell by 2% year on year. 15% of respondents said board engagement was low, while a third said it was at a medium level, an improvement on previous years.
You must identify the most critical assets to effectively manage cybersecurity risk
In order to protect assets, they must first be identified. That may sound obvious, but according to the study many companies are unsure what their critical assets are. A number had failed to identify the data cybercriminals were most likely to go after, so appropriate protections were not in place for the most sensitive data.
Confidence in repelling cyberattacks is low
Most organizations are not particularly confident that a targeted attack could be repelled, even with cybersecurity protections in place. Companies believe they are better at protecting their assets and keeping sensitive data secure than in recent years, although considerable work remains.
According to the researchers, a lack of confidence is actually good news, as it should spur companies to keep on developing their security protections.
Think you have to open an infected email attachment or download a file to pick up a malware infection? Not with the latest memory-based malware. Drive-by attacks are taking place that need no user interaction. These fileless infections use malware that resides only in the computer's memory, and most file-based anti-virus scanners do not inspect RAM.
The good news is that attacks of this nature are rare. The bad news is that the technique is being used increasingly by cybercriminals.
Fortunately, malware that lives only in memory does not survive a reboot. Unfortunately, by the time your computer is rebooted you may already have lost your sensitive data. How often do you reboot? At the end of the working day? That gives an attacker a full eight hours to record your keystrokes or pull files from your computer, and a lot of damage can be done in eight hours.
There is another problem. Attackers are now building memory-based malware that does survive a reboot: the malware hooks into an API so that, when the computer restarts, it is loaded back into RAM.
Memory-based malware exploits security vulnerabilities in outdated software
If a user is persuaded to visit a malicious website, or follows a link in a spam email sent as part of a phishing campaign, the computer can be infected almost immediately. The user is typically directed to a web page hosting an exploit kit, the Angler exploit kit for example. Code on the page probes the browser for security vulnerabilities: flaws in Adobe Flash or Adobe Reader, Java, Silverlight, or any number of other plug-ins the user has installed could be exploited.
However, instead of using the vulnerability to download a file to the hard drive, the exploit injects code directly into memory. File-based anti-virus scanners see nothing because no file is written to disk. This allows the attacker to carry out a drive-by attack, stealing information quickly and silently: login names, passwords, bank account details, or anything else entered via the keyboard.
These attacks are not new. They have been possible for a long time, but until recently cybercriminals did not favor memory-based malware. Unfortunately, it is now being built into exploit kits that are widely available online.
Sometimes a fast and stealthy attack is preferable to a long-term malware infection. If the aim is to avoid detection at all costs, then this is one of the easiest ways to gather intel or data without setting off any alarms. High-profile targets such as governments could be targeted, and they would be none the wiser as next to no trace of an attack is left by memory based malware.
Is an attack inevitable? Can nothing be done to prevent the installation of memory based malware?
The answer is not anti-virus software but preventing users from reaching the website that hosts the exploit kit. It may not be possible to stop a drive-by attack once a malicious site has been visited, but it is possible to avoid visiting the site in the first place. Attackers must still get a user to the malicious site for an attack to be possible, and there must be an exploitable vulnerability in the browser or one of its plug-ins.
To protect your computer from memory-based malware, keep your web browser and other software up to date with the latest security patches. To avoid the websites that host the exploits, use a web filtering solution. A web filter can block users from visiting malicious sites and stop web ads from being displayed; malicious adverts are a common way of steering users to a malicious website.
Phishing and spam emails containing links to malicious sites can be stopped from being delivered by a powerful spam filtering solution. SpamTitan Technologies offers both: SpamTitan Anti-Spam software blocks spam emails from being delivered, while WebTitan can be configured to prevent users from visiting malicious websites.
The threat landscape may be constantly changing, and new exploits used to compromise computers and steal data, but fortunately the risk can be effectively managed.
Using a Mac is generally safer than using a computer running Windows. That is not to say a Mac cannot be infected with a virus or malware; it is just that attackers tend to focus on PCs. From an attacker's perspective it pays to infect as many devices as possible, and far more people own PCs than Apple devices.
According to research by IDC, Mac sales have increased by just over 16% this year. Accurate figures are hard to find, but approximately 90% of computers run Windows, which makes it by far the more attractive target. If you were an attacker, would you not concentrate on the 90%?
That does not mean that Mac users are immune to attack: BlackHole RAT, OS X Pinhead, Mac Flashback, and Mac Defender all targeted Mac users.
Mac users do face risks and must be cautious online. The risk of infection may be lower, but they can fall for scams just as easily. Phishing websites work just as well on Mac users as on everyone else, because phishing targets the person, not the device used to access the Internet.
New phishing scam alerts iTunes users to account limitations
Mac users have recently been targeted by a campaign claiming that their iTunes accounts have been compromised. The latest version tells iTunes account holders that their accounts have been limited for security reasons.
Recipients are informed of this by email and given a link. Clicking it leads to a scam site where they must enter information to lift the limitation: a number of data fields, including a credit card number.
This is an easy scam to identify as, even when accounts have been compromised, a service provider would not typically ask for a credit card number for identity verification.
If in doubt, just access your Apple account directly and check to see if there is a problem with your account. Never use the link supplied in an email.
Mac Internet scam reported offering urgent tech support
A Mac internet scam warning was recently issued after a new tech support scam was discovered. A woman visited a webpage that flashed a warning that her Mac had been infected with malware and told her to call a phone number for tech support. On calling, she was told she was speaking to an Apple employee and would have to pay to have the infection removed. When she tried to pay by AMEX she was told American Express could not be used, which alerted her to the scam; Apple has no problem taking AMEX.
If you are warned of a virus infection, you can always visit an Apple store. They will be able to confirm if your Mac has really been infected.
Mac Internet scam warning! Your Mac is Infected with Malware!
Phishing scams targeting Mac users are far more common than malware infections, but malware is a risk on any device, and Mac users have been targeted this year. A Mac internet scam warning was issued earlier this year, again relating to Mac malware.
The scam is familiar to PC users, especially those who use illegal file-sharing websites, streaming services and porn sites, but legitimate websites have also been hijacked to display pop-up windows announcing that a virus infection has been detected.
The warnings come as a shock to Mac users, and many are persuaded to click. The links lead to malicious websites offering fast, effective disinfection; a further click downloads a program called MacDefender that offers to run a full system scan.
The MacDefender Anti-Virus program is nothing of the sort. Instead of removing malware from the Mac, it is a form of malware. The fake Anti-Virus software appears to conduct a scan of the system and identifies apps that have been infected. Popup windows are launched to porn sites and other websites as a scare tactic.
In order to remove the infections, the user is required to purchase a license for the software. To do that a credit card is required. Once the license has been purchased the program stops launching browser windows. It also advises the user that the malware has been removed.
Unfortunately, the victim has just handed their credit card details to the scammers, who can then run up thousands of dollars in fraudulent purchases.
No matter what device you use to access the Internet or email, you are always at risk of falling for a phishing scam or inadvertently installing malware. Fortunately, the risk can be easily managed. WebTitan is available for Windows and OS X, and offers protection from malware, malicious websites and phishing campaigns.
To find out how WebTitan can protect you and your company’s employees, call the sales support team today.
If you want your employees to browse the Internet safely, you might try to restrict them to websites that have a valid SSL certificate. It is now common knowledge that an SSL certificate means a website is secure and can be trusted; but is that true?
Does an SSL certificate mean a website is safe to use? The answer is a definite no. HTTPS or an SSL certificate alone is no guarantee that a website is secure and can be trusted.
Many people believe that an SSL certificate means a website is safe to use. A certificate, or an address starting with HTTPS, does not guarantee that a site is 100% secure and free of malicious code. It only means the connection to the site is encrypted. In the vast majority of cases such sites will be safe. Just not always.
Unfortunately, phishers and other cyber criminals have discovered how to exploit trust in SSL certificates. Some phishing websites have valid SSL Certificates in place. This means even when you think your employees have been restricted to safe websites, they are still not protected from phishing sites. Relying on a block on sites that do not use SSL certification is a mistake, and potentially a very costly one.
It is a good idea to restrict access to unsecure websites, but further protections will be required if you want to be sure that your employees and your network are properly protected.
What is a SSL Certificate?
In short, an SSL certificate is a file issued by a certificate authority that binds a public key to a domain name (and, for some certificate types, to an organization) for a fixed validity period. When the certificate is installed on a web server, browsers can establish encrypted connections to that site over HTTPS, normally on port 443.
SSL certificates are used by websites to secure sessions with web browsers. You can tell which sites have a certificate because the browser shows a padlock next to the address. The padlock means the connection is encrypted and the server holds the key for that domain, so the information you enter cannot be read in transit. It does not, on its own, say anything about whether the site is malicious.
A certificate tells a visitor which domain (and, for extended validation certificates, which organization) the server has proven it represents. Never enter credit card or bank details on a website that does not have a valid certificate; that is an unacceptable risk to take.
Facebook, Twitter and Google use SSL certificates. When you visit those sites you will see a padlock next to the URL, and clicking it shows the certificate details; with an extended validation certificate the verified organization name is displayed as well.
Some phishing websites have obtained SSL Certificates – How is this possible?
Unfortunately, it is possible to obtain an SSL certificate for a phishing website and operate it for a short period. Many certificate authorities issue domain-validated certificates after checking nothing more than that the applicant controls the domain, with no vetting of who they are or what the site is for. A number of fake banking websites have recently been set up with such certificates.
One recent scam involved the Halifax Bank in the UK. A phishing website was set up on a domain that varied the real site's name, halifax-online.co.uk: the phishing site was halifaxonline-uk (do not visit it). A name that close would fool many account holders. Similar scams have used variants of PayPal, and even Symantec has issued 30-day certificates to phishing websites.
The certificates are valid for long enough to allow a phishing campaign to be conducted. The phisher can then repeat the process with a different website, hosted with a different provider with a different SSL certificate.
Unfortunately, these certificates are one of the main things people check when deciding whether a website can be trusted. With a domain name close enough to the real thing, a certificate and a padlock, many visitors will be fooled into thinking the site is genuine. When they enter their login details, the data is recorded by the site owner and can be used to log in to the real website.
Some certificate authorities are more rigorous than others, but unless all of them can be trusted, the padlock means little on its own. All a domain-validated certificate confirms is that the certificate holder controls that domain name, not that the site itself can be trusted.
Blocking access to websites without a valid SSL Certificate
A website with a valid SSL certificate can be trusted somewhat more than one without, so employers should implement controls restricting access to websites without a valid certificate, or at least configure browsers to warn the user before connecting to a site with an invalid certificate or none at all.
Blocking access to websites without a valid certificate is simple enough on a single machine: browsers can be configured to refuse invalid certificates, and HTTPS can be enforced through a proxy or policy settings. That is fine for individuals or small businesses with a handful of computers, but it is not practical with 1,000 computers, a BYOD policy, or end users running several browsers.
Make your life easier by implementing a cost effective web filtering solution
By far the easiest solution to protect yourself and your network is to use a web filtering tool. There are many to choose from, but WebTitan from SpamTitan Technologies is one of the best and a highly cost effective solution for SMEs.
Since some disreputable sites have SSL certificates in place, it can be virtually impossible for end users to tell if they are safe or at risk. WebTitan offers the additional protection your business needs to ensure access to malicious websites is blocked, phishing scams are avoided and malware is not downloaded. Without a powerful web filter in place, blocking access to malicious websites will be an uphill battle, and it will only be a matter of time before your network is compromised.
Critical security vulnerabilities in browser plugins have been widely reported in recent months. As soon as one has been found and patched, more are discovered. Zero-day Adobe Flash vulnerabilities (Shockwave Flash) have been some of the most publicized, due to the sheer volume discovered in 2015.
Earlier this year a number of companies pulled the plug on the Flash plugin, deeming it not to be worth the security risk. While it was once the most commonly used way of displaying videos and animations on webpages, the critical vulnerabilities that have been discovered have made it simply too risky to use. There have been many calls for Flash to be retired.
Google Chrome and Firefox both began blocking Flash content by default, and many companies are moving to HTML5, which can display the same multimedia content without a browser plugin. One of the main problems with a plugin, from a security perspective, is that it is only as secure as the version installed. Even then, as the sheer number of vulnerabilities found in Adobe Flash shows, the latest version may not be very secure at all.
If a user has not updated the plugin and an older version is still in use, criminals can take advantage: a visit to a website hosting malicious code can result in the vulnerability being exploited. Exploit kits probe the browser to find out which installed software can be exploited. Other Adobe plugins, such as the PDF Reader plugin, can be exploited in the same way.
Numerous critical security vulnerabilities in browser plugins discovered
It is not only Adobe plugins that are a problem, of course; other companies' plugins also contain exploitable vulnerabilities. Even HTML5, which many see as a more secure way of showing multimedia content than Flash because no plugin is required, is far from immune and has its own security flaws.
In mid-October, Oracle released a security update for Java to address more than twenty newly discovered vulnerabilities. Oracle said the update was necessary on all computers because "all but one of those flaws may be remotely exploitable without authentication". That means an attacker could potentially exploit the vulnerabilities on any computer running an older version of Java without needing any credentials.
Once critical vulnerabilities in browser plugins have been announced and details published online, the information is available to attackers, assuming they had not already discovered the flaws themselves.
A website link may not be as genuine as it appears (and hovering your mouse over it will not always reveal a malicious link!)
There are easy ways to check whether a link is legitimate or whether its text has been changed to look genuine. Hover your mouse pointer over the link and the actual URL is displayed. If end users get into the habit of checking every link before clicking, it becomes second nature, and many phishing sites and other nasty pages can be avoided that way.
Unfortunately, it is not always that simple. There are ways to make a URL appear genuine, even when the mouse arrow is used to check the link.
Some Japanese characters look very much like a forward slash, and certain Cyrillic letters are displayed identically to Latin ones. A link containing such characters looks genuine and can be virtually impossible to spot by eye: the address is displayed as if it were the real one, but it leads to a fake page that is indistinguishable from the genuine one.
An apparently genuine link could well be a link to a webpage containing malware. Many malicious websites can probe for critical security vulnerabilities in browser plugins.
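The Halifax lookalike domain described in the certificate section above and the Cyrillic homoglyphs described here can both be caught mechanically even when the eye cannot. The Python script below is an added example, not code from the original article or from Salesforce or SpamTitan; the list of protected domains, the abbreviated public-suffix list, the confusables table and the sample URLs (including the .co.uk ending assumed for the Halifax lookalike) are all constructed for the illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Registrable domains we want to protect. Constructed list for this example;
# the Halifax, PayPal and Apple names come from the scams described above.
PROTECTED = ["halifax-online.co.uk", "paypal.com", "apple.com"]

# Tiny stand-in for the Public Suffix List (assumption: enough for the example).
PUBLIC_SUFFIXES = ["org.uk", "co.uk", "ac.uk", "com", "net", "org"]

# A few Cyrillic letters that render identically to Latin ones. This is a
# deliberately small subset of the Unicode confusables table.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
               "х": "x", "у": "y", "і": "i", "ѕ": "s", "ј": "j"}


def hostname(url):
    """Lower-cased host part of a URL, trailing dot removed."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def punycode(host):
    """What the browser actually resolves: the IDNA (xn--) form of the host."""
    return host.encode("idna").decode("ascii")


def scripts_in(label):
    """Set of Unicode scripts used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def registrable_domain(host):
    """'www.paypal.com' -> 'paypal.com'; 'x.halifax-online.co.uk' -> 'halifax-online.co.uk'."""
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1].split(".")[-1]
            return label + "." + suffix
    return host


def skeleton(label):
    """Fold confusable letters and drop punctuation so lookalikes compare equal."""
    folded = (CONFUSABLES.get(ch, ch) for ch in label)
    return "".join(ch for ch in folded if ch.isalnum())


def edit_distance(a, b):
    """Plain Levenshtein distance; small values mean a typo-squat like paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the protected domain this host imitates, or None if it is genuine/unrelated."""
    reg = registrable_domain(host)
    brand = skeleton(reg.split(".")[0])
    for protected in PROTECTED:
        if reg == protected:
            return None  # the genuine site itself
        real = skeleton(protected.split(".")[0])
        if brand == real or edit_distance(brand, real) <= 2 or (len(real) >= 5 and real in brand):
            return protected
    return None


def analyze(url):
    """Summarise why a link that looks right (padlock and all) may still be a fake."""
    host = hostname(url)
    return {
        "host": host,
        "punycode": punycode(host),
        "mixed_script": any(len(scripts_in(label)) > 1 for label in host.split(".")),
        "lookalike_of": lookalike_of(host),
    }


if __name__ == "__main__":
    for u in ("https://halifaxonline-uk.co.uk/login", "https://\u0430pple.com/", "https://www.paypal.com/"):
        print(analyze(u))
```

Three things fall out of the output: the Halifax lookalike is flagged by edit distance against the protected name even though every character is plain ASCII; the Apple lookalike with a Cyrillic "а" shows up as mixed-script and resolves to xn--pple-43d.com, which is what the browser actually connects to and what a filter should match on; and the genuine paypal.com passes cleanly. A real deployment would use the full Public Suffix List and confusables table rather than the stubs above, but the check belongs in the proxy or mail filter precisely because, as the section explains, a padlock and a hover-over URL are not enough.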
These issues were recently discussed at the SC Congress in New York, where Salesforce.com's product security director Angelo Prado and senior product security engineer Xiaoran Wang demonstrated these and other flaws. They pointed out a particularly worrying HTML5 feature that lets a link download a file to a computer without taking the user to the page hosting the file (the behaviour the HTML5 download attribute on a link provides).
Protection is required and vigilance is key to avoid becoming a victim
The latest discoveries can make it exceptionally difficult to tell whether a link is genuine, and even moving from the flaw-ridden Flash to HTML5 will not necessarily make the Internet safer. Fortunately, steps can be taken to protect end users and stop them from reaching malicious websites. That said, it is essential that critical vulnerabilities in browser plugins are patched promptly.
IT professionals should also install a web filtering solution such as WebTitan. Links can be blocked and users stopped in their tracks before they reach a malicious website. This type of protection is vital for businesses, schools, colleges and charities.
A visit to a malicious website can result in a keylogger being installed that records passwords and login credentials and sends them to an attacker's command and control server. Devices can be recruited into botnets and used to send huge volumes of spam, or hijacked for Bitcoin mining. Worse still, an infected computer, tablet or smartphone can be used to launch an attack on the corporate network.
It is also essential to be more security conscious. It may be difficult, or even impossible, to identify all online threats (and those delivered via email or social media networks), but many are obvious if you know what to look for. Staff training on security threats and online/email best practices must be provided if networks are to be kept secure.
It pays to take the advice of the Stop. Think. Connect. campaign promoted by the FBI: if in doubt, do not connect. That should be second nature by now; the current volume of reported data breaches suggests that for many employees it is not.
British mobile phone and broadband provider TalkTalk discovered it had been hacked late last month; however further information has emerged that suggests TalkTalk hacking scams are increasing in number. Over a million customers’ data are apparently being offered for sale on the dark net, with criminals already using the data to defraud victims.
Over four million customers were believed to have been affected by the hacking scandal at first, although not all of the company’s customers are now understood to have been affected.
A criminal investigation was launched a few days after the hack was discovered. Initial reports suggested an Islamic terrorist group from Russia were behind the attack, having publically claimed responsibility. This claim appears to be false.
The Metropolitan Police Cyber Crime Unit acted fast, and just a few days after the attack was announced a 15-year-old boy was arrested in Northern Ireland on suspicion of being behind the attack. A few days later, a second arrest was made, this time a 16-year-old boy from West London. A 20-year-old was arrested in Staffordshire in connection with the hack, and now a fourth individual has been arrested: a 16-year-old boy from Norwich has been detained.
1.2 million email addresses obtained by the hackers
The official figures released by TalkTalk are much lower than the initial estimates, but the hack still ranks as one of the biggest UK hacking scandals to be reported in recent years.
A statement released by the company revealed that approximately 1.2 million email addresses had been obtained in the attack, customer names and phone numbers were also stolen, and 21,000 bank account numbers and sort codes were accessed, presumed stolen. A later press release indicated that 156,959 individuals had been affected, and the earlier figure was “bits of data,” including email addresses, names, and phone numbers.
Credit card numbers were compromised, but since they did not contain complete numbers there does not appear to be a risk of them being used inappropriately. However, that is not to say that the data will be useless. Phishers may well devise campaigns to obtain the remaining digits from unwary TalkTalk customers.
It is not clear how the attack was performed, as reports have not been confirmed, but it would appear that the attack was made using a blind SQL injection which exploited a vulnerability in a video on a page of the TalkTalk website. The specific vulnerability was not disclosed, although Adobe Flash has been found to contain vulnerabilities that could be exploited by SQL injection. These vulnerabilities were addressed in a recent patch issued by Adobe. SQL injection is the insertion of SQL code through an application’s input fields so that it is executed against the company database, giving the attacker access to its contents. It is a very common technique used by hackers to gain access to corporate databases.
What is clear is that the security staff were distracted dealing with a DDoS (Distributed Denial of Service) attack that was conducted by one of the team of hackers. A DDoS attack bombards a company’s website with huge volumes of traffic, overwhelming it. This is made possible by using systems that have been compromised with a Trojan and recruited into a botnet.
It would appear that while TalkTalk was dealing with the DDoS attack, the criminals were able to gain access to the company’s data by exploiting the website security vulnerability. A report in the Daily Mail indicates one of the team of hackers behind the attack made a mistake and accidentally disconnected from a service that was being used to hide his real IP address.
Some sources have reported that a ransom demand was issued in which £80,000 was demanded in Bitcoin. If the ransom was not paid, the criminals behind the attack would release the data or sell it on dark net websites to criminals. That appears to have already happened, with at least one individual appearing to have clocked up over 500 sales via the dark net marketplace AlphaBay.
Another online criminal was reportedly negotiating a deal to sell details of 500,000 accounts on the dark net, and claimed to have over a million records in his possession.
Businessinsider.com.au claims to have been in contact with individuals who claimed they were part of the attack, with figures of 1.3 million records mentioned. When asked why they carried out the attack, one person claimed it was for “sh*ts and giggles”, another for “lolz”, and another “purely to like, own the ISP.” One of the persons behind the attack said it wasn’t for the money. The claim that a ransom was demanded was also denied.
While the total number of records exposed is not clear, and none of the reports from conversations with those claiming to have had a part in it have been confirmed, what is clear is that the security in place at TalkTalk was poor in some cases. One of the boys claims that one account had a password with just three digits. One quote obtained by Business Insider, from an individual operating under the name “Vamp”, claimed that the security in place was “terrible, that’s being honest with you, horrible.”
Reports in the press suggest that the vulnerability was shared, and between 20 and 25 people had access – although 5 individuals were reportedly behind the attack, including two in the UK and two in the U.S.
Beware of TalkTalk hacking scams
TalkTalk hacking scams have already been reported, with some customers having complained about being bombarded with phone calls following the security breach, as criminals attempt to use the contact information obtained to defraud victims. One victim was called after apparently having his internet connection slowed down, and was directed to a website, presumably containing malicious code.
TalkTalk hacking scams could be launched via email since 1.2 million email addresses were compromised in the attack. Phishing campaigns are often used by criminals to get users to reveal sensitive information, visit malicious websites or install malware on computers. The type of information obtained by the hackers, and subsequently sold to online criminals, could easily be used to launch highly convincing campaigns.
All of the company’s customers are advised to be exceptionally cautious, and not to reveal any personal information over the telephone, Internet or via email. TalkTalk hacking scams could be in operation for many months to come so it is vital that all customers remain vigilant and be on their guard.
Being hacked can have serious implications for a brand
A data breach such as this can have a major effect on an organization. Customers will lose trust in the brand, and it is difficult to regain trust once it has been lost. Many of the company’s 4 million customers are expected to change mobile phone/broadband provider as a result.
This is a highly competitive market and there will be no shortage of competitors looking to snap up new customers as a result of the security breach. Following the news of the hack, the company’s share price fell by 10%.
It will not be known for many weeks or months how much of an effect this, and other TalkTalk hacking scams, will have on the company’s brand image, but what is certain is that it will have a major financial impact. Many customers are also likely to lose out as scammers seek to take advantage.
Personal losses may not be suffered after responding to a phishing email sent to a work email address, but that does not mean an employer is the only victim. A U.S. stockbroker has just discovered that falling for a phishing campaign can result in loss of employment, as well as being barred from gaining employment as a stockbroker for a year.
Responding to a phishing email can have serious consequences
In this case, the ban was not issued for simply responding to a phishing email, but for the actions taken by the stockbroker. The phishing email response occurred last year, and resulted in $160,000 in funds being transferred from a client’s account into the bank account of a scammer.
The stockbroker, David P. Santos, received an email that had apparently been sent by his client. However, the client did not make the transfer request. The email was sent by a hacker who had managed to gain access to the client’s email account. The email requested a transfer of funds to a third party bank.
Santos obliged, but in order to do so, forged the signature of his client. He did this on 10 separate documents and made a series of transfers. According to a report issued by the Financial Industry Regulatory Authority (FINRA), in order to obtain the necessary funds, Santos liquidated holdings and conducted improper trades.
The matter has recently been back in the news as it was incorrectly tied to another security incident at the bank involving the theft of a laptop computer. According to the Pioneer Bank of Troy, Santos’s former employer, the matters are totally unrelated.
This may be an extreme example of an employee falling for a phishing scam, but the incident does highlight the need for employers to be vigilant, and to implement multi-layered security controls to protect against scam emails and phishing campaigns.
Proven phishing prevention strategies to minimize risk
If enough spam and phishing emails reach the inboxes of employees it is only a matter of time before someone responds and opens an infected attachment, visits a malware-ridden website, or exposes sensitive information to hackers. In some cases, even accountants fall for scams and make bank transfers from corporate accounts.
There are a number of measures employers can take to reduce the risk from spam and phishing emails. If no action is taken, it is just a matter of time before users fall for a scam. Once that happens, a network can be compromised or fraudulent bank transfers made.
Develop a culture of security awareness in the workplace
- Ensure all new employees receive security awareness training as part of their induction program
- Conduct regular refresher training to keep data privacy and security matters fresh in the mind
- Place notices of the latest security threats on company noticeboards
- Issue email alerts warning of current threats, new scam emails and phishing campaigns as soon as they are discovered
Purchase software solutions to reduce the risk of employees falling for phishing scams
- Invest in a robust and effective spam filter to prevent spam and phishing emails from being delivered
- Employ a web filtering solution to stop employees visiting known malware-infected websites
Check for intrusions and malicious software that has bypassed security controls
- Use Anti-Virus software and ensure virus definitions are set to update automatically
- Schedule full system scans during periods of low network activity
- Install Anti-Malware software, keep definitions updated, and regularly schedule malware scans
- Use one AV engine to protect end users and a separate one for servers; two engines will maximize the chance of catching all viruses and malware
A new study conducted by CompTIA has highlighted the risks that are being taken by end users, and suggests low awareness of security threats. End users’ lack of knowledge of basic security measures continually frustrates IT security professionals. End users are usually seen as the weakest link in the security chain, and the results of this study are unlikely to see many minds changed. The study also suggested the persons most likely to take risks and jeopardize security are in their early twenties: Gen Y.
Gen Y Has Low Awareness of Security Threats
One of the tests conducted was a relatively straightforward but ingenious test of risk awareness. CompTIA researchers dropped 200 unmarked thumb drives in locations that received high volumes of foot traffic. The researchers wanted to find out how many individuals would pick up the drives and plug them into their computers.
Thumb drives can be purchased cheaply, but are extremely useful. Finding one in the street may be seen as a lucky find. However, plugging such a drive into a computer carries a huge risk. There is no knowing what software is installed on the drive, and simply plugging it into a computer could easily result in malware or viruses being installed.
In this case, doing that just resulted in a pop-up message being displayed which prompted the new owner of the thumb drive to send an email to the researchers to let them know that the device had been found and plugged in. In total, 17% of the 200 thumb drives resulted in a response being received by the researchers. Not all of the individuals who picked up a thumb drive will have responded to the pop-up request to send an email to the study organizers, so the number of individuals who did plug in a drive may well have been higher.
The company also conducted a survey to discover more about end user awareness of security threats. Over 1200 completed surveys were collected by the company, and the results show that many end users are taking considerable security risks. Those risks could result in laptops, computers, and mobile phones being compromised. If IT security professionals were worried about end user risk taking before, they are likely to be even more worried now.
Numerous questions were asked; however, the most worrying statistic for security professionals is the proportion of individuals who use the same passwords for personal accounts as they do for their work computers. The study revealed 38% of respondents did this, while 36% used their work email address for personal accounts.
Gen Y end users were most likely to take risks, with 40% saying that they would pick up and use a flash drive they found in the street, and 94% of respondents connecting either their laptop computer or mobile to public Wi-Fi networks. Nearly seven out of ten individuals said they use their laptops for work purposes or to handle work-related data, and six out of ten employees used employer-supplied mobile devices for personal applications.
While IT security professionals reading CompTIA’s statistics may break out in a cold sweat at the excessive risks being taken by end users, there is a solution. That is to provide more security awareness training to staff. End users may be the weakest link, but with training, risk can be managed. If awareness of security threats increases, organizations will be better protected from cyberattacks.
Less than half of respondents reported having received any cyber security training, so awareness of security threats was understandably low. Employees were not aware of the level of risk they were taking. Unless end users are shown how to be more security conscious, risky behavior is unlikely to decrease.
A new security report issued by leading Anti-Virus firm Kaspersky Labs has highlighted the growing mobile malware risk, with Adware (intrusive mobile advertising) seeing a huge increase since last quarter.
The third quarter report shows a 3.1% increase in the number of new mobile malware programs discovered by Kaspersky Labs compared with its Q1 2015 figures, and a 1.1% increase since last quarter. In total, Kaspersky products detected 323,374 new mobile malware threats over the past three months. The mobile malware risk appears to be growing.
Only a small increase in mobile malware was recorded since last quarter, but the same cannot be said of mobile malware installation packages. 1,583,094 new installation packages were detected in Q3, which is one and a half times the total discovered in Q2.
There have been some significant changes in the types of mobile malware discovered, with some categories seeing a fall in prevalence. Trojan-Downloaders, Backdoors, Trojans, Trojan-Spy and Trojan-SMS malware all decreased in prevalence in Q3. The most significant reductions were in Trojan-Spy and Trojan-SMS malware, which dropped by 1.6 and 1.9 percentage points respectively.
However, the biggest drop since last quarter was recorded for RiskTool, which fell by 16.6 percentage points since the last quarterly report was issued. The RiskTool category includes legitimate mobile programs which are not malicious in nature, but can be manipulated by hackers. This makes them particularly risky to have installed on mobile devices. These programs are capable of terminating processes (such as security applications), hiding processes from the user, and concealing files within the Android system.
There were marginal increases in Trojan-Dropper, Trojan-Banker and Trojan-Ransom detections. The biggest rise by a considerable margin was Adware. Mobile Adware jumped from 19% of detections in Q2 to 52.2% in Q3: An increase of 33.2 percentage points.
Huge Hike in Adware Highlights Increasing Mobile Malware Risk
Cybercriminals manage to install malware on mobile devices, but how do they actually make money from those infections? Many items of malware log keystrokes and capture passwords and logins used to access Internet banking websites, but the majority of mobile threats involve monetization via advertising. This quarter over half of all mobile malware threats came from Adware.
While the main form of monetization comes from the adverts served, that does not mean that is the only threat to users. Adverts are certainly annoying, and can contain links to malicious websites, but there could well be much worse things happening on your mobile device.
Malware is installed that can root the device and elevate privileges. Hackers can then take full control of the entire device. With superuser privileges, hackers can make changes which even the user of the device would not be able to make. Once this happens, it can be nigh on impossible to eradicate the malware and take back control of the device. It may also be virtually impossible to tell if a device has actually been attacked.
This quarter, the malicious software capable of doing this accounted for over half of the most popular malware items affecting mobile devices. The most common malicious program recorded by Kaspersky Labs, by some distance, was DangerousObject.Multi.Generic. This malware item accounted for 46.6% of attacks. The next biggest threat came from Trojan.AndroidOS.Rootnik.d which accounted for 9.9% of attacks in Q3.
How did Kaspersky Labs Produce the Report?
The latest Kaspersky report was compiled from data collected from the Kaspersky Security Network (KSN), which includes multiple anti-malware products and components. Kaspersky collected data from over 213 countries from users who had provided consent to send data from their devices to KSN. This global information exchange allows current threats to be accurately monitored. Data sharing is vital in the fight against cybercrime.
Countering the Mobile Malware Risk
Anti-Virus software such as that produced by Kaspersky Labs can be used to reduce the mobile malware risk and prevent mobile devices from being attacked. An additional control that should be considered, especially by companies allowing the use of personal devices in the workplace, is to install a web filtering solution to prevent users from accessing websites known to contain malware. This will reduce the mobile malware risk considerably.
SpamTitan web filtering software offers excellent protection and complements AV software programs. The web filter prevents users from visiting risky websites, even when phishing links are clicked. It is one of the best ways to reduce mobile malware risk levels, although to reduce mobile malware risk to a minimal level, a multi-layered risk management strategy should be adopted.
Liability for Employee Internet Usage: Can an Employer be Liable for an Employee’s Online Activity?
There are numerous benefits to be gained from allowing employees access to the Internet. Information can be found quickly, contacts can be easily developed, new suppliers easily located, products purchased, research conducted and many more benefits can be realized.
Unfortunately, the provision of Internet access to employees does occasionally lead to abuse. An employee could use the Internet to access personal gambling accounts and play online poker at work, or social media websites could be used excessively. Individuals can and do view pornography at work. Threats and disparaging comments may be posted online. You can also add the illegal file sharing, hacking of other corporations, and illegally accessing databases to that list.
There are plenty of other ways of abusing Internet access and, if it is possible to be done, an employee somewhere will have already done it.
The majority of these acts are committed only by a minority of employees. They rarely cause an employer, co-worker or other individual to come to any harm. However, this is not always the case. Should harm occur, or should an employee break the law, the employer could be found liable for the employee’s actions.
There have been a number of cases when employers have been found to be liable for the actions of employees, such as when actions have adversely affected work colleagues. Some of the most common reasons for lawsuits have been sexual harassment of co-workers, threats of violence, racial harassment, and discrimination.
Respondeat superior – Employer Liability for the actions of an employee
The legal term for vicarious liability of an employer for actions committed by an employee is Respondeat superior. This is nothing new. It has been written into the law for over 100 years. Today, Respondeat superior does not only apply to verbal actions, it also applies to actions committed using email and abuse of the Internet. It is not limited to actions against co-workers either. Liability for employee Internet usage may result from comments posted on forums.
Typically, an employer would only be liable for an act committed by an employee while furthering the purpose of an employer. For instance, if an employee of the marketing department was posting links to a company website via Internet forums, an employer could be found liable for harm caused to a third party if those links defamed the character of a third party or were deemed to be slanderous.
In recent years, Internet abuse by an employee has not necessarily had to further the employer’s purposes for liability to arise. Simply providing an employee with the opportunity to cause harm may come back on the employer. In many cases it does not even matter whether the employer was aware of the activity; ignorance will not protect them from liability for employee Internet usage.
How can employers protect against liability under Respondeat superior?
There are four easy ways that employers can protect themselves from liability stemming from employees misusing the internet at work. The first is one of the simplest measures and the cheapest to implement. The other three controls involve software solutions.
Implement clear policies covering acceptable uses of the Internet and email at work
This measure is the simplest to implement, yet even this basic control has not been put in place by many SMEs. If an employer has not written clear and precise policies on allowable uses of the Internet and email in the workplace, employees cannot be expected to know whether they are committing acts that the company finds unacceptable.
If an employee is not informed that an activity is unacceptable they cannot be expected to guess. Accessing pornography at work and being fired for doing so could see that decision overturned in an employment tribunal if the employee was not informed that accessing porn would result in the immediate termination of his or her work contract. It is also essential that a signed copy of Internet usage policies is obtained from each employee.
Implement a system that monitors Internet and email usage in the workplace
Policies are only the first step. There must be a method of monitoring access to the Internet, otherwise there will be no way of telling if employees are adhering to company policies. It may not be necessary to constantly monitor Internet access, but regular audits should be conducted. Any individual found to have abused access rights must be subject to disciplinary procedures. There is no point implementing policies that are not enforced.
Liability for employee Internet usage is more likely if a web filter is not employed to control Internet access
Many employers choose not to take chances and restrict the websites that can be viewed in the workplace. There are many methods of achieving this, such as setting rules in browsers or on proxy servers used to access the Internet. Many of these methods can be implemented cheaply, and some without any cost other than the time it takes to set them up.
In some cases, the man-hours required to set up these rules makes it impractical. It is often far quicker, easier, and more cost effective to employ a powerful web filter. This will allow a system administrator to centrally control Internet access for individuals, groups, or the entire organization. A web filtering solution with a high degree of granularity will allow a wide range of controls to be applied for different roles within an organization and can be used to restrict access to pornography for the whole organization, limit the time that can be spent on social media websites, and set specific privileges for each individual if required.
Use an Anti-Spam solution to prevent email abuse at work
Internet abuse must be tackled, but it is important not to forget email. Email is used by virtually every company employee and is just as easy to abuse. It is difficult to control the content of messages to protect employees from sexual harassment, but it is possible to prevent individuals from emailing certain file types outside the company.
Anti-Spam products include a filter to protect users from incoming spam, but products such as SpamTitan also offer control over outgoing emails. The spam filter can be configured to prevent individuals from using company email accounts to conduct personal spamming campaigns.
If you put the controls in place to prevent Internet and email abuse, monitor activity, and make sure Internet and email usage policies are in place, it is possible to protect the business from liability. Liability for employee Internet usage will be avoided. It will be the employee, not the employer, that is likely to be found liable.
Operators of websites running on the popular Joomla CMS have been alerted to a remote takeover risk following the discovery of a critical Joomla vulnerability. Approximately 2.8 million websites use the Joomla Content Management System, with the CMS second only to WordPress in terms of market share.
Joomla version 3.4.5 has now been released and contains a patch to plug the security hole, which has existed for close to two years; any site still running on previous versions remains particularly vulnerable to attack. Should a hacker successfully exploit the vulnerability, they would be able to obtain administrator privileges for the website, handing full control to the hacker. It would be possible for all data and content to be stolen and for the owner of the website and all other site users to be locked out.
The vulnerability, discovered by Trustwave SpiderLabs, affects version 3.2 and above and can be exploited using a hacking technique known as SQL injection. All users of versions 3.2 to 3.4.4 are at risk, since this critical Joomla vulnerability affects a core module of the CMS, not an extension. Two other security flaws were also patched by the new release.
SQL injection is a common technique used by hackers to gain access to websites. The attacks are conducted by entering SQL commands into text fields on the front end of a website. These commands are misinterpreted by the web application: instead of treating the input as plain text, it incorporates the input into a database query, where it is interpreted as executable SQL. As such, if the right commands are entered, the website can be hijacked. Numerous cyberattacks have been successfully conducted using this very straightforward technique, including the recent hack of mobile and broadband provider TalkTalk.
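The root cause described above (input that was meant to be data being interpreted as SQL) and the standard fix are shown below in an added example that is not part of the article or of the Joomla code base. It uses an in-memory SQLite database with a constructed `users` table; the function names and the sample input are assumptions for illustration only.

```python
"""Added example: why string-built SQL is injectable and how a
parameterized query closes the hole. Not code from the article or from
Joomla; the table, rows and input values are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("admin", "hash-admin")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """The defect: the user-supplied value is spliced into the SQL text, so
    the database parser sees whatever the user typed as part of the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[str]:
    """The fix: the SQL text is fixed at coding time and the value travels
    separately as a bound parameter, so it can only ever be compared as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict[str, list[str]]:
    """Run both lookups with an ordinary username and with a constructed
    input whose quote character changes the meaning of the built query."""
    conn = make_db()
    ordinary = "alice"
    crafted = "x' OR '1'='1"  # constructed sample; a quote ends the literal early
    return {
        "vulnerable_ordinary": lookup_vulnerable(conn, ordinary),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "safe_ordinary": lookup_parameterized(conn, ordinary),
        "safe_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>20}: {rows}")
```

With the string-built query the crafted input returns every row in the table, while the parameterized query returns nothing for it because no user is literally named `x' OR '1'='1`.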
Critical Joomla vulnerability can be used to gain access to the administrator control panel
Once access has been gained, files can be downloaded including confidential customer information. Since Joomla is used to create e-commerce websites, customers who have previously purchased products through Joomla websites could have their confidential information stolen.
This critical vulnerability can be exploited to extract a browser cookie which can be used to provide the attacker with administrator privileges. If that cookie is loaded into the browser, the hacker can gain access to the back end of the website and can access the administrator control panel. The code required to exploit the vulnerability has already been posted online.
It is therefore imperative that all administrators of Joomla sites update their website software immediately and patch the critical Joomla vulnerability in order to secure their sites.
The importance of updating software patches as soon as they are released
Zero-day vulnerabilities are frequently discovered in popular website applications and content management systems. A failure to install patches promptly leaves websites particularly vulnerable to attack. Code used to exploit the vulnerabilities can easily be found online, and is commonly shared by hackers, white hat and black hat alike, via online hacking and software development communities. Once an announcement has been made, there will be many amateur and professional hackers willing to exploit the vulnerability. Should that happen, data can be deleted, access rights changed, and customer data stolen.
Organizations face a growing risk of sensitive data being compromised by ad injection malware. The latest figures released by Google suggest that an organization employing 100 individuals is likely to have at least five computers infected with ad injection malware.
This form of malware causes adverts to be displayed to the user that would not normally appear when visiting websites. The malware infects their browsers and results in annoying adverts being displayed, some of which contain links to legitimate retailers. Others contain much more sinister content. With little control exerted over the individuals placing the ads, cybercriminals are able to take advantage and place adverts containing links to malicious websites.
However, that is not the only security risk. When the malware infects a browser it causes changes to how websites are displayed. A connection to a website would be secured under normal circumstances, preventing third parties eavesdropping on the session. Unfortunately, when a browser is infected, the process used to encrypt the connection is broken. Sessions are no longer encrypted, and any data entered by the user could potentially be seen by a hacker or cybercriminal monitoring their connection.
When accessing a webpage via an open Wi-Fi network, an eavesdropper could quite easily listen in on the session. Usernames and passwords could be revealed as well as other confidential information.
Lenovo laptops were pre-installed with ad injection software
Potentially a user could avoid having their browser infected with the malware, but not if they bought a Lenovo laptop. Even brand new, straight-out-of-the-box laptops had been “infected”, in this case by Lenovo. The company has been shipping brand new laptops with legitimate software installed that inserts adverts into Google searches. The software in question is called Superfish, and it functions as an image search engine.
Superfish is able to show adverts by using a root certificate which replaces a trusted website’s security with its own. This is how it is able to display adverts. Unfortunately, the security used by Superfish can easily be cracked. In fact, it already has been, so any Lenovo computer with Superfish installed cannot be used to securely browse the Internet. On an open Wi-Fi network, even a secure website such as an online banking site would not be secure.
Anyone not wishing to lose their privacy could uninstall Superfish. Unfortunately, if the software is uninstalled the security hole remains. The owner of the laptop will be permanently at risk of having their privacy violated and their internet surfing monitored. This is a problem for any employer allowing Lenovo laptops to be used for BYOD.
Google takes action to protect Chrome users
This type of “malware” is not new of course. The problem is the number of new applications and browser extensions that allow this form of advertising. Google has recently removed approximately 200 Chrome extensions from its web store that are capable of injecting ads into otherwise secure sites. Unfortunately, Google has discovered approximately 34,000 standalone applications that are able to inject ads when users browse the internet. There are approximately 50,000 Chrome extensions that allow ad injection, according to Google researchers.
The solution for now, for employers at least, is to ensure that they do not use open Wi-Fi networks in the workplace. This will prevent any eavesdropping even if a user’s browser has been infected. BYOD participants should be instructed on the risk of using open Wi-Fi networks and told never to use their devices to access work accounts using public Wi-Fi hotspots.
Visiting a coffee shop for a caffeine fix usually means having the opportunity to save some bandwidth by connecting to a free Wi-Fi network. In fact, a coffee shop without free Wi-Fi is unlikely to be anywhere near as busy as those offering patrons the opportunity to connect to the Internet for free.
Even airports, restaurants, shopping centers and many pubs allow visitors to connect to their Wi-Fi for free. Many freelance workers even head to cafes to do a full day’s work, while others just check email or surf the Internet. The ability to connect to someone else’s Wi-Fi is convenient and saves money. However, as many people discover, it may not be quite as free as they think. Connecting to free Wi-Fi hotspots carries considerable risks. There may actually be a considerable cost: identity theft and the emptying of a bank account!
The importance of a secure Wi-Fi connection
Many free Wi-Fi networks allow any user within range to connect without even having to register. These open networks really are open to anyone, and that means open to criminals as well. When users connect to these networks they allow any individual who is also connected to see a considerable amount of their data. Should a person with the inclination and a modicum of technical skill choose to inspect network traffic, they could potentially see the websites that are visited, read the emails that are sent, and even view login names and passwords. Installing malware on every device that connects is also pretty straightforward.
Not all Wi-Fi networks are open. Some coffee shops and free Wi-Fi hotspots require users to identify themselves. Access can only be gained if users log on. This requires the use of a token or password which is only provided to people who create accounts. These Wi-Fi networks use encryption that prevents data from being intercepted. That does not mean that these networks are entirely secure, only that additional security controls have been employed to make them safer.
If operators of public Wi-Fi networks really want to protect their users from the myriad of viruses and malware on the Internet, additional security controls should be employed. One of the best options in this regard is a web filter (often referred to as an Internet filter or content filter).
The importance of installing a web filter to protect users
A web filter will restrict the websites that can be visited while connected to a network. Many businesses have web filters in place to restrict the websites that employees can access while at work. Many homes have a parental filter in place that stops children (and adults!) from accessing pornographic content, gambling websites, dating sites and other types of website that contain inappropriate or potentially harmful content.
Coffee shops and cafes rarely have these web filters in place. They may filter the coffee, but they certainly do not filter the Internet. This means visitors could access pornographic material, gambling sites, and streaming services, and many of those websites contain really dangerous material – malware, viruses, and malicious code that could result in the users’ devices being infected. In some cases, their device could be compromised to the point that all data entered could be transmitted to a hacker.
Insecure or secure Wi-Fi – The choice is yours
When setting up a Wi-Fi network, the system administrator or operator of that network has a choice: Secure or insecure. The reality is that there is very little difference in terms of time when setting up a secure or insecure network, but there is a world of difference for users.
Even if an insecure network is chosen and kept totally separate from other networks, there is a risk that the insecure Wi-Fi network will be used by hackers to launch an attack on other networks that have been secured. Insecure Wi-Fi should therefore never be chosen.
Would you want your patrons or employees to be infected? What impact would that have on your business?
Are you waving a flag and shouting at hackers to come and attack your network?
Set up an insecure network and you might as well place a sign above your door saying hackers welcome! Attack our visitors and steal from our employees!
Fail to protect your network and your employees and loyal customers could have their privacy violated, devices compromised, and their most sensitive information revealed. The decision not to secure Wi-Fi, which is illegal in some parts of the world, could also be leaving you wide open to a lawsuit. It could also seriously damage your brand’s reputation and end up driving customers away.
Providing the public with free Wi-Fi access? Make sure you…
Set up a secure password
An insecure password does not really offer much more protection than an open network. If your password is easy to guess, hackers will guess correctly before very long. Don’t use your shop name, use numbers and letters, include capital letters and even some symbols. Never use a name with a date appended to the end, or a number sequence such as 1234. Also do not use common words with a few specific characters replaced with numbers. You may think they are hard to guess, but not for a bot that tries many different common combinations.
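The rules above can be turned into a checker that a hotspot operator runs before committing a new Wi-Fi password. The following is an added example, not code from the original article or from any product it mentions; the shop name, the small common-word list and the minimum length of 12 characters are assumptions chosen for illustration, and a real deployment would load a much larger word list. It goes slightly beyond the text by also undoing the common letter-to-digit substitutions the article warns about (such as 0 for o or 3 for e) before looking for dictionary words.

```python
import re

# Constructed word list and hypothetical shop name (assumptions for this example).
COMMON_WORDS = {"password", "coffee", "welcome", "wireless", "internet", "latte", "espresso"}
SHOP_NAME = "bluebean"
MIN_LENGTH = 12

# Reverse the usual "leet" substitutions so C0ff33 is examined as "coffee".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _has_sequence(s, min_len=4):
    """True if s contains a run of min_len consecutive ascending or
    descending characters such as 1234, abcd or 4321."""
    for i in range(len(s) - min_len + 1):
        codes = [ord(c) for c in s[i:i + min_len]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_psk(psk, shop_name=SHOP_NAME):
    """Return a list of policy violations; an empty list means the
    pre-shared key passes every rule in the article."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", psk) or not re.search(r"[A-Z]", psk):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"\d", psk):
        problems.append("needs at least one digit")
    if not re.search(r"[^A-Za-z0-9]", psk):
        problems.append("needs at least one symbol")
    # A single word followed by a number or date, e.g. Cafe2015 or Shop1999!
    if re.fullmatch(r"[A-Za-z]+\d{2,8}[^A-Za-z0-9]*", psk):
        problems.append("a word followed by a number or date")
    lowered = psk.lower()
    if _has_sequence(lowered):
        problems.append("contains a sequence such as 1234 or abcd")
    # Undo substitutions, keep letters only, then look for the shop name and
    # dictionary words that a guessing bot would try first.
    stripped = re.sub(r"[^a-z]", "", lowered.translate(LEET_MAP))
    if shop_name.lower() in stripped:
        problems.append("contains the shop name (possibly with character substitutions)")
    for word in sorted(COMMON_WORDS):
        if len(word) >= 4 and word in stripped:
            problems.append(f"contains common word '{word}' (possibly with character substitutions)")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("bluebean2015", "C0ff33!Latt3", "Welcome1234!", "Mug-Steam-74-Quiet!"):
        print(candidate, "->", check_psk(candidate) or "OK")
```

Run it and the first three candidates fail for the reasons the article lists, while the last, a string of unrelated words with digits and symbols mixed in, passes. The sequence and substitution checks are deliberately crude; their purpose is to stop the obvious choices, not to replace a proper password manager or random generator.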
Block the content that can be accessed through your network
Would you like a child to accidentally see the screen of someone viewing hardcore pornography while connected to your network? Would you like to deal with law enforcement officers when they visit you to find out why one of your visitors is downloading terrorist manuals from your establishment? Of course not!
The answer is to restrict the content that can be viewed, and to do that you need to install a web filter such as WebTitan Wi-Fi. It’s low cost, easy to set up, and it will restrict the websites that can be accessed through your network.
Filtering Wi-Fi should be as important to you as filtering your water and coffee. More so in fact. It protects you and it protects your customers. If your focus is providing a quality service for your customers, the provision of a web filter is essential. It could be the difference between a customer visiting your establishment or going to a more secure competitor.
Most system administrators have a rather long to-do list. As soon as one item is cleared, another two seem to take its place. Oftentimes there are simply not enough hours in the day to deal with all of the issues. There are software problems, hardware problems, user problems, and it can be hard to find time to be proactive instead of reactive.
We would like to make your job easier and reduce the number of items on your future to-do lists. With this in mind we have listed five issues that you should avoid to prevent future headaches. They are basic, but that is why many system administrators forget them.
Network Security No No’s
Never host anything other than Windows Active Directory on a domain controller
Active Directory looks after the identities and relationships of your network. It will allow you to provide all employees with SSO (Single Sign-On) access. However, it is important that Active Directory is isolated and the machine you use is not used for anything else. Don’t mix up your assets, as in the event of one being compromised, anything else hosted on the same machine is also likely to be affected. After all, hackers are likely to have a snoop around and see what else is running on a server they have managed to gain access to. Keep everything separate, and you will be limiting the damage that can be caused in the event of a security breach.
Don’t access a workstation using your administrator credentials
Your administrator login credentials, if compromised, would allow a malicious insider or outsider to gain access to systems where a lot of damage can be caused. If you login to a compromised workstation using your administrator login, you could be giving your access rights to a hacker. Cached login credentials are not difficult to obtain. Github offers code that will allow anyone to change Local Admin privileges to Domain Admin privileges. If that happens, a hacker really can unleash hell.
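One way to catch this habit before an attacker does is to review interactive logon events and flag any privileged account logging on to a machine that is not a domain controller. The following is an added example, not code from the original article: it assumes Windows Security events have already been parsed into dictionaries whose keys mirror the fields of event ID 4624 (Computer, TargetDomainName, TargetUserName, LogonType), and the account names, host names and sample events are constructed for illustration. Network logons (type 3) are left alone because they do not leave a reusable copy of the credential on the remote machine; console (2), RDP (10) and cached (11) logons do.

```python
# Constructed tier definitions (assumptions for this example).
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin", "CORP\\backup-svc"}
TIER0_HOSTS = {"DC01", "DC02"}          # hosts where privileged logons are expected
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # console, RemoteInteractive, CachedInteractive

# Constructed sample events, shaped like parsed Windows Security event 4624/4625 records.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "TargetDomainName": "CORP",
     "TargetUserName": "da-admin", "LogonType": 10},          # RDP to a DC: expected
    {"EventID": 4624, "Computer": "WS-SALES-07", "TargetDomainName": "CORP",
     "TargetUserName": "da-admin", "LogonType": 2},           # console logon to a workstation: bad
    {"EventID": 4624, "Computer": "WS-SALES-07", "TargetDomainName": "CORP",
     "TargetUserName": "jsmith", "LogonType": 2},             # ordinary user: fine
    {"EventID": 4624, "Computer": "FS01", "TargetDomainName": "CORP",
     "TargetUserName": "da-admin", "LogonType": 3},           # network logon: no cached credential
    {"EventID": 4625, "Computer": "WS-SALES-07", "TargetDomainName": "CORP",
     "TargetUserName": "da-admin", "LogonType": 2},           # failed logon: not a successful session
]


def find_tier_violations(events, privileged=PRIVILEGED_ACCOUNTS,
                         tier0=TIER0_HOSTS, logon_types=INTERACTIVE_LOGON_TYPES):
    """Return (account, host, logon_type) for every successful interactive
    logon by a privileged account to a host outside the tier-0 set."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624:                # only successful logons
            continue
        if e.get("LogonType") not in logon_types:   # only logons that cache credentials
            continue
        account = f"{e['TargetDomainName']}\\{e['TargetUserName']}"
        host = e["Computer"].upper()
        if account in privileged and host not in tier0:
            hits.append((account, host, e["LogonType"]))
    return hits


def summarize(events):
    """Group violations by account so each admin gets one line to act on."""
    by_account = {}
    for account, host, logon_type in find_tier_violations(events):
        by_account.setdefault(account, set()).add(host)
    return by_account


if __name__ == "__main__":
    for account, hosts in summarize(SAMPLE_EVENTS).items():
        print(f"{account} logged on interactively to non tier-0 hosts: {', '.join(sorted(hosts))}")
```

Feeding this the sample events reports only the console logon of da-admin to WS-SALES-07; the RDP session to DC01 and the network logon to the file server are ignored. In practice the privileged set would be populated from the Domain Admins and similar groups rather than hard-coded, and the output would go to the same place as your other alerts.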
Don’t ever reuse passwords
One of the most elementary data security measures is to ensure passwords are impossible to guess. In the unlikely event that your password is guessed, or is somehow compromised, it is essential that the password cannot be used to access any other systems, servers or workstations. Setting different access passwords for everything is a pain, but it is an essential security measure.
Don’t leave default logins active
Default logins are often exploited. Many can be obtained with a very quick search on the Internet. This applies to all networked devices, routers, and equipment. It is usually the first thing that will be attempted in order to gain access. How easy is this? Take hospital drug pumps as an example. There have been instances of patients searching online for the manufacturer’s website, obtaining the default login details, and then logging in to up their morphine doses. If patients can do it, it would not be too hard for a hacker.
Never, ever use an open Wi-Fi network
In a business environment, it is not possible to justify using an open Wi-Fi network. The risks that insecure Wi-Fi creates are simply too high. If you need to provide guest access, set up a guest login and password and make sure it is changed regularly. You may get a few complaints, but not as many as you will get when your system is compromised, data is exfiltrated, or heaven forbid, data is deleted or encrypted with ransomware.
It may be more convenient to share passwords, allow anyone to access Wi-Fi, share servers and use the same login to access everything, but it is a recipe for disaster. If anything goes wrong, and it eventually will, you must ensure that the damage caused is limited as far as is possible. Convenience should never jeopardize system security.
There has been a lot of talk recently about social engineering scams, but what is social engineering? Social engineering is a term used in social science to describe the psychological manipulation of people into taking a particular action, and the influencing of large groups of people. It is a technique used for good and bad. Politicians and governments use social engineering, and advertisers are known to use social engineering to convince the public to purchase products.
In recent months, most talk of social engineering has been about information security. Hackers and other online criminals are now using social engineering techniques to get Internet users to reveal their sensitive information, such as login names and passwords, and even credit card numbers and bank account details. The majority of large scale data breaches caused by hackers and malicious outsiders are found to include an element of social engineering.
How can you protect yourself from being manipulated into revealing information? How can you protect yourself and your company from employees falling for social engineering scams?
How is Social Engineering Used by Cybercriminals?
The commonest methods employed by cybercriminals to manipulate users into taking certain actions are detailed below. Being aware of how social engineering is used will help you to protect yourself and your employees from becoming victims of scams and phishing campaigns.
Abuses of Trust:
Online criminals know that if they want to get something from people, it is far easier to get what they want if they pretend to be someone that person trusts. People are wary of strangers after all. If a total stranger came up to you in the street and asked for your PIN number or email address and password, you would naturally not tell them. However, on the Internet it is not always so easy to tell if someone is actually a stranger. Seemingly legitimate reasons are also provided for disclosing such information.
Emails sent from colleagues, friends and family members
If you receive an email from someone you trust, chances are you will be more likely to respond to a request than if the same email had been sent by a stranger. If a family member sent you a link asking you to click, you may not even think twice before you click your mouse.
Your best friend, brother or sister sends you a URL saying, “You have got to see this, it is so funny!” You click the link, you see a video, and you wonder what on earth they were thinking about. The video wasn’t very funny at all!
Unfortunately, the reason the link was sent was not because it contained side-splitting humor; it was because clicking on the link caused malware to be downloaded to your computer. The email was, of course, not sent by the person you thought it was, but by a hacker who was pretending to be someone you know.
It is not just “must see” images, jokes and videos that are sent. Many emails are sent that manipulate individuals by taking advantage of compassion or a desire to help a friend or family member in need. Emails are supposedly sent from individuals that find themselves in a spot of bother. A friend traveling abroad has had his wallet stolen and is stuck and can’t get home. He needs money transferred so he can buy a plane ticket to get home. In actual fact he is on the beach, and a hacker has gained access to his email account, not his wallet.
Phishing: Manipulating people into revealing confidential information
There has been a huge increase in the volume of phishing emails being sent in recent years. This is because these social engineering scams can be incredibly effective. They are used to get individuals to reveal highly confidential information that under normal circumstances they would never divulge.
Some of the most common social engineering scams used by online criminals to obtain sensitive information are detailed below. Be particularly wary if you receive one of these emails:
Urgent Charity Donation Required
Nothing brings out the scammers faster than a natural disaster. When people are suffering, have lost their homes, been flooded or hit by a hurricane, criminals take advantage and try to take their share of donations. If you get an email requesting money to help people in need, don’t respond to the email. Find the website of the charity and make a donation directly through the website or follow the instructions listed on the website. Don’t click the link provided. Criminals do not care about taking money from the needy, hence the huge volume of social engineering scams after a natural disaster.
You have won a prize draw, lottery or other prize
Don’t let the thrill of potentially receiving a large sum of cash get the better of common sense. In order to win a prize draw, you first need to have entered. Don’t call the number supplied in the email and do not visit the link. You will be asked to supply bank information for a transfer (or your credit card details). There will only be one winner, and it will not be you.
Package or mail cannot be delivered
Courier companies do send emails informing you that you were out and they have not been able to deliver a parcel, but are you actually expecting one? Even if you have a birthday approaching or Christmas is just around the corner, do not respond to the email request directly. Use the tracking/consignment number to check, but check via the company website by typing the URL into your browser. The links contained in emails could take you to a phishing website, and the information you enter will be collected by criminals.
Upcoming Elections – Party donations required
Want to do your bit for the Democrats or Republicans? Does the Green Party urgently need your cash for their campaign? Want to show your support for Labor or the Conservatives? Good on you! Just make sure that your donation goes to the right place. For that, you must find the official website and follow the instructions provided. Never click on a link in an email. Social engineering scams are very common in the run up to elections.
Summary of Good Practices to Avoid Social Engineering Scams
These tips will reduce the likelihood of you falling for social engineering scams. You need to be security aware and always be cautious about revealing any information, opening attachments or clicking on links.
- The first rule to avoid becoming a victim of a phishing campaign is never to click on an email link
- The second rule to avoid becoming a victim of a phishing campaign is never to click on an email link
- Stop and think before you respond to any email request
- If you are not 100% sure of the genuineness of an email, mark it as junk or delete it
- If you are at work, and think an email may be a scam, seek advice from your IT department
- If you are asked to reveal login information or other sensitive data, report it. Do not respond
- If you want to respond to a request for a donation, search on Google and find the official site. Get information on how to make a donation. Don’t trust the information provided in the email
- Never open an email attachment unless you are 100% sure it is legitimate
- If you have accidentally fallen for a scam (or think you may have) seek professional advice immediately, and change all of your passwords.
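The “package cannot be delivered” and “never click on an email link” advice above can be backed up on the mail gateway or helpdesk side by inspecting the links in a message before anyone sees them. The following is an added example rather than code from the original article: it parses the HTML body of a constructed delivery-notice email and flags each link whose visible text names one site while the href points at another, whose host does not belong to the claimed sender’s domain, or which uses plain http. The sender domain and the registrable-domain rule (last two labels) are simplifications assumed for the example; production code would use the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message of the "parcel could not be delivered" kind.
CLAIMED_SENDER_DOMAIN = "parcelco.example"
SAMPLE_HTML = """
<p>We were unable to deliver your parcel. Track it here:</p>
<p><a href="http://parcelco-example.delivery-check.example/login">https://track.parcelco.example/12345</a></p>
<p>Need help? Visit <a href="https://www.parcelco.example/help">our help centre</a>.</p>
"""

URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, tolerating text without a scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Crude registrable domain: the last two labels (assumption; see lead-in)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def inspect_links(html, claimed_sender_domain):
    """Return [(href, [reasons])] for every link that deserves suspicion."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host, reasons = _host(href), []
        if text and URL_LIKE.fullmatch(text) and registrable(_host(text)) != registrable(host):
            reasons.append(f"visible link '{text}' actually points at {host}")
        if registrable(host) != registrable(claimed_sender_domain):
            reasons.append(f"link host {host} is not under sender domain {claimed_sender_domain}")
        if urlparse(href).scheme == "http":
            reasons.append("link uses unencrypted http")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in inspect_links(SAMPLE_HTML, CLAIMED_SENDER_DOMAIN):
        print(href)
        for r in reasons:
            print("  -", r)
```

On the sample message only the “tracking” link is reported, with all three reasons; the genuine help-centre link under the sender’s own domain passes. A mismatch between what a link says and where it goes is the single most reliable sign of the scams listed above, which is why the check is worth automating rather than leaving to the recipient.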
Beware the threat from within: How to deal with insider threats
IT security professionals and C-suiters are well aware of the threat from hackers. Cyberattacks have been all over the news recently. Major security breaches have resulted in millions of files being stolen. Patient health records were targeted in the cyberattack on Anthem Inc., the largest healthcare data breach ever recorded. That cyberattack, discovered in February this year, involved the theft of 78.8 million health insurance subscriber records.
Target was attacked last year and hackers managed to obtain the credit card details of an estimated 110 million customers. The finance industry was also hit hard in 2014, with 83 million J.P. Morgan Chase accounts compromised by hackers.
Cybersecurity defenses naturally need to be put in place, monitored, and bolstered to deal with the ever changing threat landscape. However, it is important not to forget the threat from within. Malicious insiders can be just as dangerous, and often more so than hackers. Just ask the NSA. They know all too well how dangerous insiders can be. Edward Snowden managed to steal and release data that has caused considerable embarrassment. In his case, he wanted the world to know what the NSA was up to. The NSA had gone to great lengths to make sure that what occurred behind its walls stayed secret.
Malicious insiders are often individuals who have been given access to patient and customer records, as well as the intellectual property of corporations, company secrets, product development information and employee databases. They are therefore potentially able to steal everything. The harm that can be caused by malicious insiders is therefore considerable.
It is not just theft of data that is a problem. Insiders may use their access to computer systems to defraud their employers, destroy data, or install malware and ransomware. Unfortunately, tackling the threat from within is a much more difficult task than preventing external attacks.
Bear in mind that insiders are not necessarily employees. They can include business partners and associates, contractors and past employees.
Which insiders pose the biggest threat
Unfortunately, any employee can steal corporate secrets and data; but the potential for damage increases as privilege levels increase. In a hospital, a physician may only have access to his or her caseload of patients. It may be possible for that physician to access the records of other patients of the facility, but not without triggering alarms. Those alarms may not be klaxons, but a flag would be raised that would alert anyone checking access logs that there may be some inappropriate activity.
A member of the IT department may have the highest level of privileges, and could potentially access huge quantities of data. One member of the IT department may not have access to everything, but in theory – and sometimes in practice – they could elevate their privileges for long enough to gain access to the data they require.
Recent research conducted by the United States Computer Emergency Readiness Team (CERT) shows that half of insider security breaches are conducted by individuals who have access to data. These individuals already have the authority to access systems containing valuable data. If you do not deal with insider threats, it is only a matter of time before a security breach is suffered.
It can be difficult to identify insider threats. Some say “it’s always the quiet ones,” but in reality, there is no way of being 100% certain which employees will steal data or sabotage systems. There are many potential reasons why an individual may decide to steal or delete data. Employers must therefore be aware of the risk and take action to mitigate that risk as far as is possible.
CERT research is useful in this regard. Studies have shown that security breaches and data theft are most likely to occur in the time leading up to an employee leaving employment, and shortly after that employee has left – typically, a month either side of leaving a company.
As soon as an employee hands in his or her notice, place alerts on their accounts and conduct audits. If a worker is disgruntled or is unhappy at work, this could be a sign that they are looking for employment elsewhere and it would be wise to keep a close check on data access. It is a wise precaution to lower account privileges shortly before an employee leaves and to ensure that access is blocked as soon as they do. Many companies are a little lax when it comes to closing accounts and may not block access immediately.
Fortunately, risk can be managed. Adopt the following best practices to help you deal with insider threats and you will limit the opportunity for an insider to steal or delete data. You will also limit the damage that can be caused.
Best practices to deal with insider threats
- Minimum necessary information – Only give access to data critical for an individual to perform regular work duties
- Provide temporary access as appropriate – If tasks need to be conducted to perform atypical duties, temporarily escalate privileges to allow the task to be conducted and then lower those privileges when the task has been completed
- Monitor access to resources – Implement a system that monitors and logs access to data and regularly audit access logs to check for inappropriate activity
- Control access to physical resources – Restrict access to confidential files, stored backups, old computer equipment, and servers. Keep them under lock and key.
- Separation of duties – Restrict access as far as is possible: Do not assign full access to one individual, only allow part of a system to be accessed by a single employee. Use Privileged Access Management (PAM). This will limit the damage that can be caused.
- Implement policies and controls – Make sure these are communicated to all staff members.
- Restrict file transfers – As far as is possible, put controls in place to prevent data from being copied or exfiltrated. Prevent certain file types from being emailed outside the company and block peer-to-peer file sharing websites
- Encryption – Employ encryption for all stored data and control who is able to unencrypt files. Always protect data at its source.
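The advice to place alerts on a departing employee’s account, audit access in the month either side of leaving, and cut access on the last day can be expressed as a small review job run over your access logs. The following is an added example, not code from the original article: the leaver list, the access log format (timestamp, user, action, resource) and the thresholds are constructed assumptions, and the job compares each day inside the watch window with the user’s own earlier baseline so it works without knowing in advance what “normal” looks like.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import median

WATCH_WINDOW = timedelta(days=30)   # the article's "a month either side of leaving"
SPIKE_FACTOR = 3.0                  # assumption: alert when a day exceeds 3x the baseline

# Constructed: HR would supply user -> last working day.
LEAVERS = {"jdoe": date(2015, 9, 30)}


def _build_sample_log():
    """Constructed access log: jdoe reads 5 records a day in July, then on
    20 September bulk-reads and exports 60 records. asmith is a normal user."""
    log = []
    for d in range(1, 32):
        for i in range(5):
            log.append((datetime(2015, 7, d, 9, i), "jdoe", "READ", f"/records/{d * 10 + i}"))
            log.append((datetime(2015, 7, d, 9, i), "asmith", "READ", f"/records/{d * 10 + i}"))
    for i in range(60):
        log.append((datetime(2015, 9, 20, 18, i), "jdoe", "READ", f"/records/{900 + i}"))
    for i in range(10):
        log.append((datetime(2015, 9, 20, 19, i), "jdoe", "EXPORT", f"/records/{900 + i}"))
    return log


SAMPLE_LOG = _build_sample_log()


def daily_counts(log, user):
    """Number of access events per calendar day for one user."""
    counts = defaultdict(int)
    for ts, u, _action, _resource in log:
        if u == user:
            counts[ts.date()] += 1
    return counts


def review_leavers(log, leavers, today, window=WATCH_WINDOW, spike_factor=SPIKE_FACTOR):
    """Return {'alerts': [...], 'disable': [...]}: days of unusual activity inside
    the leaving window, and accounts whose last day has passed and must be blocked."""
    alerts, disable = [], []
    for user, last_day in leavers.items():
        start, end = last_day - window, last_day + window
        counts = daily_counts(log, user)
        # Baseline from the user's own activity before the watch window opened.
        before = [c for d, c in counts.items() if d < start]
        baseline = median(before) if before else 0
        for d in sorted(counts):
            if start <= d <= end and counts[d] > spike_factor * max(baseline, 1):
                exports = sum(1 for ts, u, a, _r in log
                              if u == user and a == "EXPORT" and ts.date() == d)
                alerts.append({"user": user, "date": d, "count": counts[d],
                               "baseline": baseline, "exports": exports})
        if today >= last_day:
            disable.append(user)
    return {"alerts": alerts, "disable": disable}


if __name__ == "__main__":
    result = review_leavers(SAMPLE_LOG, LEAVERS, today=date(2015, 10, 1))
    for a in result["alerts"]:
        print(f"ALERT {a['user']} {a['date']}: {a['count']} accesses "
              f"(baseline {a['baseline']}/day), {a['exports']} exports")
    print("disable now:", result["disable"])
```

Run on the constructed data this raises one alert for jdoe on 20 September (70 accesses against a baseline of 5 a day, 10 of them exports) and, once the last working day has passed, lists the account for immediate disabling. The export count is reported separately because bulk copying is the action the “restrict file transfers” practice above is trying to catch; lowering the account’s privileges when notice is given would shrink both numbers before they are ever logged.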
Not all habits are bad. Sure you should ease up on the alcohol, give up smoking, and stop biting your nails, but make sure you take some time to develop some good habits. Take a look at the best practices below, ensure you perform them regularly, and before long they will become second nature. You will then be able to legitimately rank yourself alongside the best system administrators. Even better, you should find you have far fewer bad days and even some when everything runs smoothly without a hitch.
Develop a ticket system and keep on top of requests
You are likely to receive more requests for assistance than you can deal with in a single day. If you are regularly flooded with requests, some will invariably be forgotten. Sometimes you will deal with an issue only for a user to complain that you have not. It is useful to be able to prove that you have dealt with a problem in a timely manner. A ticketing system will allow you to do this, as well as help you prioritize tasks and never forget a single reported system or computer issue.
Your system need not be expensive or complicated. If you work on your own in a small business, you can set up a very simple MS Access database to log all requests. Even a spreadsheet may suffice. A Word document would also work. The important thing is that all requests are logged.
If there is more than one system administrator employed in your company, it is probable that you may need to have a more complex system. Helpdesk software is likely to be required if you are having to deal with hundreds of requests. They will need to be allocated to staff members, and follow-ups will be required. Making sure all queries have been answered and all reported problems resolved will be a nightmare without such a system in place.
Keep a log of your activity
If you ever have to justify what you have spent all your time doing, your ticketing system is your friend. You can show the volume of requests you have received/resolved on a daily basis, and use that information to show that your time has been well spent.
One clever way of reducing the requests you get is to log the requests and send the user (and his or her line manager) an email detailing the request received and the likely timescale for resolution. If a manager is involved, you may find the number of requests you are given will decrease. A formal request process and confirmation procedure is a wonderful way of cutting back on many of the requests for support that are usually sent to the desk of a Sys Admin.
Be proactive and avoid power/cooling issues
Overheating servers and power fluctuations cause many headaches and waste a lot of a Sys Admin’s time. It sounds obvious, and it is, but managing power and ensuring server rooms are effectively cooled are well worth the effort. Being proactive in this regard will save a great deal of time in the long run.
Power issues can be largely solved by installing an Uninterruptible Power Supply unit (UPS) on each of your servers. When purchasing a UPS, make sure it has sufficient power to last for an hour and that it will shut down the server properly, not just give up when it runs out of juice. The latter is particularly important as it will ensure files are not corrupted and will mean fewer reboots are required.
Are your routers, switches and servers locked away in a closet without any cooling systems installed? If you work in a small organization, this may well be the case. If your equipment frequently overheats, consider investing in a small air conditioning unit. Does your server overheat frequently at the weekend, yet is fine in the week? Oftentimes, air con systems are shut down at the weekend when there is no one in the office. A separate unit will solve this problem, just make sure it vents into the ceiling.
Monitor your network and devices connected to it
It is vital to monitor your network and systems. This will allow you to take action before they crash and services are lost. Install a system to monitor everything, and then install a system to monitor your monitoring system. Get the system to send you alerts, and you can prevent a lot of problems from occurring and avoid time consuming (and expensive) system outages.
If your Monday mornings are usually spent dealing with system crashes that have accumulated over the weekend, you can make the start of the week a lot easier if you put a monitoring system in place. Do you have a service level agreement in place with your ISP? If so, you may be able to add in a monitoring function on your switches and router as part of your service level agreement. This may not be possible though if you have a highly complex system or atypical network configuration. Fortunately, in most cases, monitoring systems are inexpensive, yet can save a lot of time, money, and hair loss from stress.
Cut back on time consuming manual chores
Repeating the same tasks over and over again wastes an extraordinary amount of time, plus each time a task is performed there is the possibility of mistakes being made. Use the automation and scripting controls on servers and other devices, and updates and installations can be performed automatically.
If you use PowerShell, for instance, Windows Server 2012 support will be streamlined. It may take a little time to set up, but it will save you hours in the long run. If you cannot do this, create a detailed checklist containing all of the settings for different applications to reduce the possibility of errors being made.
Don’t let users waste your time
OK, this is much easier said than done, but there are ways to reduce the time spent dealing with user issues. For instance, create a website page that lists the correct contact numbers and persons responsible for dealing with particular IT problems. Remember that users are non-technical individuals, so the language used must also be non-technical. “Server problems” rather than “Windows NT problems” for example.
Instruct all users to visit the webpage before contacting you. You can then place updates on the webpage that may answer many of their questions. Also include a self-help section (have you tried turning your computer off and on again?).
Include sections for changing passwords and the common problems you are asked to deal with that can easily be resolved by following a simple set of instructions. You will find the volume of helpdesk calls will reduce considerably. Also create a login banner to advise of maintenance schedules etc., to avoid being bombarded with calls when a planned outage takes place.
Get involved in the business
It is your job to deal with technical aspects of the business, yet you will need to be aware of how the business operates. In order to get authorization for IT upgrades or new equipment, it helps if you can explain, concisely, why the purchases are necessary, the impact they will have on the business, and the consequences if purchases are not made. Work on your communication skills and learn how to communicate effectively with non-technical staff members. It requires practice, and a great deal of patience sometimes, but it will make your life easier in the long run.
When it comes to cyberattacks and the resultant data breaches, not all organizations are affected to the same extent. Larger organizations store greater quantities of data and a security breach may end up costing the company over $100 million to resolve, but such breaches are not suffered very often. In fact, when you compare the cost of breach resolution to the annual turnover of a company, the cost is actually very small indeed.
Even the huge data breaches that have affected Sony and Target have not cost the companies very much in the grand scheme of things. Compared to the annual turnover of both companies, the costs incurred are very low. As low as 1% of total turnover. The security breaches will be embarrassing, but the actual losses can be easily absorbed.
Benjamin Dean from Columbia University’s School of International and Public Affairs recently pointed out in a post that the cost to large companies may not be insignificant, but it is nowhere near as high as many people would believe.
Consequently, there is little pressure on many large organizations to invest more heavily in cybersecurity defenses. This may not be true for heavily regulated industries such as finance and healthcare, where heavy fines can be issued for non-compliance with data security regulations, but for some companies the costs can be easily absorbed.
Many of these companies are covered by insurance policies that pay for the majority of the cost and the resolution costs are tax-deductible.
Dean points out that while there will be fallout as a result of a data breach, it may not be nearly as severe as many companies are led to believe. Many Sony employees had their data exposed in the cyberattack, but how many will leave their employment as a result? Sure, they will be unhappy, but will they leave in droves? Probably not.
Customers may incur losses, but Sony will not have to cover the cost. How about cases of identity theft? Can a customer determine with any degree of certainty that they have become a victim because of the data breach at Target or Anthem, or any number of other companies that have suffered cyberattacks?
In many cases, losses are not suffered by the company but by the banks. The costs of the data breaches at Target and Home Depot are estimated to have fallen on the providers of credit and debit cards, not the retailers. Replacing the stolen cards is estimated to have cost credit unions around $60 million in September, and those costs were covered by the credit unions, not the retailers.
The same cannot be said for small to medium sized businesses
The larger the corporation, the easier it is for losses to be absorbed, but when it comes to small to medium sized businesses the losses from a data breach can be catastrophic. Will movie-goers avoid a Sony Entertainment film because of the data breach? Unlikely. Will customers change to a rival printing company because their preferred provider has suffered a breach exposing their financial data? Much more likely.
For SMBs it is essential to invest in robust data security systems. The loss of customers will really be felt, and many SMBs do not have the budgets to cover data breach insurance premiums. The resolution costs, in many cases, simply cannot be absorbed.
Data breaches do not affect all departments equally
If you work in IT security, you will be very keen to get a budget increase to protect your company’s systems. If a breach is suffered, your department will have to perform a great deal of extra work. You are likely to be blamed for allowing the breach to happen. You may even be criticized for failing to explain the risks adequately.
It is therefore in your best interests to implement the best possible security controls to protect the business, but often getting the funding is problematic. Cybercriminals are developing ever more sophisticated methods of breaking through defenses and consequently the defenses that must be installed must also be sophisticated. That usually means they cost a lot of money. Getting a sufficient budget to cover the cost can therefore be a difficult task.
To make it easier, you will need to know how managers assess budget requests.
Risk Analysis – How managers decide on budgets
Before a potentially expensive cybersecurity measure is given the go-ahead, a cost analysis will be performed. Managers will assess threats separately and will calculate the Annualized Rate of Occurrence (ARO) – the probability that security will be breached in any given year. Then they will calculate the cost of such a breach: the Single Loss Expectancy (SLE). Multiplying those two figures gives the Annual Loss Expectancy (ALE). Based on that figure, a decision will be made about the best way to deal with the threat and whether it is worthwhile doing so.
There are a number of measures that can be put in place to address the risk. These will also be assessed:
The biggest costs fall into the category of measures that reduce the risk. These include installing robust firewalls, anti-virus and anti-malware solutions, spam and web filters, and employee training.
It may be possible to reduce the cost of dealing with a breach, and this may prove to be more cost effective than installing security measures to reduce risk. An insurance policy may be purchased so the company doesn’t have to cover the full cost of a security breach.
It may be possible to reduce risk by preventing certain activities from taking place. For instance, banning the use of social media websites at work to combat the threat from malware. Sometimes risk cannot be avoided. Maintaining an online presence is essential, so a company cannot remove the risk of a data breach by not operating a corporate website.
These measures can be cheap and effective. Legal disclaimers and internal policies can be developed to tackle insider theft. They may warn of prosecution for anyone found to be inappropriately accessing corporate data. This may be sufficient to put some individuals off snooping.
Some risks cannot be avoided and must be accepted. However, a company must be aware of the risk in order to make a decision about whether it can be accepted, as well as the cost of mitigating that risk and the potential for damage.
It is essential that security professionals are consulted before these calculations are made. Their input will be required to gain an accurate estimate of the probable costs and level of risk faced.
If you, as an IT security professional, can provide accurate figures that can be used in the cost/benefit analysis, your company will be able to determine which security measures are essential and will allocate budgets accordingly.
Make sure you are an asset to your company and create your own risk analysis. As an IT security professional, you are in the best position to do this. If budgets are subsequently not forthcoming, it will not be your department that is blamed when security breaches are suffered.
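The calculation described above, worked through in Python as an added example (it is not code from the article or from SpamTitan). It scores the ways of treating a risk that the article lists (reduce, transfer, avoid, deter, accept) against one constructed threat: the threat, the control names and every dollar figure and factor are assumptions chosen for illustration, not figures from the article.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Threat:
    """One threat, quantified the way the budget holder will look at it."""
    name: str
    sle: float  # Single Loss Expectancy: cost of one occurrence, in dollars
    aro: float  # Annualized Rate of Occurrence: expected occurrences per year

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate response to the threat and how it changes SLE and/or ARO."""
    name: str
    annual_cost: float
    aro_factor: float = 1.0  # multiplier applied to ARO once the control is in place
    sle_factor: float = 1.0  # multiplier applied to SLE (insurance lowers what we pay)


def residual_ale(threat: Threat, control: Control) -> float:
    """Expected annual loss that remains after the control is applied."""
    return threat.sle * control.sle_factor * threat.aro * control.aro_factor


def net_benefit(threat: Threat, control: Control) -> float:
    """Annual loss avoided minus the control's running cost; positive means worthwhile."""
    return threat.ale() - residual_ale(threat, control) - control.annual_cost


def rank_controls(threat: Threat, controls: List[Control]) -> List[Control]:
    """Best net benefit first, which is the order a manager will want to see."""
    return sorted(controls, key=lambda c: net_benefit(threat, c), reverse=True)


# Constructed figures for a keylogging-malware scenario; they are illustrative
# assumptions, not numbers taken from the article.
MALWARE = Threat("Keylogging malware on staff workstations", sle=400_000.0, aro=0.25)

OPTIONS = [
    Control("Spam/web filtering plus awareness training (reduce)", annual_cost=15_000.0, aro_factor=0.4),
    Control("Cyber insurance covering 70% of losses (transfer)", annual_cost=20_000.0, sle_factor=0.3),
    Control("Block social media at work (avoid)", annual_cost=5_000.0, aro_factor=0.7),
    Control("Acceptable-use policy and login banner (deter)", annual_cost=2_000.0, aro_factor=0.9),
    Control("Accept the risk", annual_cost=0.0),
]

if __name__ == "__main__":
    print(f"ALE with no new control: ${MALWARE.ale():,.0f}")
    for c in rank_controls(MALWARE, OPTIONS):
        print(f"{c.name:55s} residual ALE ${residual_ale(MALWARE, c):>9,.0f}"
              f"  net benefit ${net_benefit(MALWARE, c):>9,.0f}")
```

With these assumed figures the ALE is $100,000 a year and insurance edges out filtering on paper, which is exactly why the security team should own the SLE and ARO estimates: a transfer that looks cheapest per year still leaves the breach to happen, and the factors are where that argument is made.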
Hackers and malicious insiders are trying to break through security defenses to get their hands on sensitive data, but what data are they actually looking for? Which data needs to be better protected?
There are federal laws that require physical, technical and administrative controls to be put in place to keep data secure. Fail to protect certain data types and there could be serious trouble, regardless of whether a hacker actually manages to compromise your network.
Some data types are obvious, others less so. Credit card numbers, bank account information, Social Security numbers and healthcare data all require robust security measures to keep the information secure. Have you made sure that each of the following 9 data types has appropriate controls in place to prevent unauthorized individuals from gaining access?
The goal of many hackers and cyber criminals is to gain access to bank account information, and the logins and passwords used to access online accounts. Once they have this information they can use it to make transfers and empty accounts. Credit/debit card numbers are also sought in order to make online purchases and create fake cards. PIN numbers, if stored, along with answers to security questions must similarly be protected with robust controls.
The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to put physical, technical and administrative controls in place to keep medical data secure. In the wrong hands, medical data can be used to discriminate and defame. It is also used in spear phishing campaigns, and used with other data to commit fraud. Failure to secure these data is a violation of HIPAA Rules, and financial penalties are sure to follow. Criminal charges can even be filed against individuals for failing to secure highly sensitive data.
Driver’s License Numbers
A valid driver’s license number can be used to create fake driving licenses. These are not only useful for people who are not legally allowed to drive, they can be used to obtain other forms of identification and commit identity theft and fraud.
Student data is increasingly being sought by criminals in order to commit fraud and identity theft. Universities and schools are required to protect data under the Federal Educational Rights and Privacy Act (FERPA), which restricts the individuals who are allowed to access student records. Personal data, education information and test results must all be protected. Student Social Security numbers and dates of birth are highly sought after and often targeted by hackers.
Social Security Numbers
Social Security numbers (together with a limited amount of personal information) can be used to commit medical fraud, file false tax returns and steal identities. They are highly sought after by cyber criminals and often sold on darknet websites for big money. The SSNs of minors are particularly valuable, as they can be used for longer before fraud is identified. Social Security numbers are also covered by HIPAA rules and numerous other state and federal laws.
Health Insurance ID numbers
With health insurance information, criminals can file claims for medical services that were never provided and make other fraudulent insurance claims. These data are highly sensitive and must be kept secure.
Intellectual Property Data
Your company’s secrets, product development information, computer codes, bespoke software, new product designs and blueprints are highly valuable to competitors. If your company has an edge, or is developing a new product or service, a competitor could use these data to develop similar products, and even bring a product to market first.
Human Resources Data
Human resources databases contain detailed information on employees such as salary information, bonuses, and confidential personal data. Criminals seek personal information of individuals in order to conduct convincing spear phishing campaigns. These data can also be used to blackmail individuals and discriminate.
Emails can contain highly sensitive information. When hackers gain access to an email account, they can obtain personal information, company secrets, and even many of the above data types. If an email account is compromised, it can be used to spread viruses and malware. Telephone records and text messages are also valuable.
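You cannot protect data you do not know you hold, so the first step is finding where these identifiers sit in files and mailboxes. The following is an added example of my own (not code from the article or from SpamTitan) that scans text for two of the types above, Social Security numbers and payment card numbers, reporting only the last four digits so that the scan report does not itself become another copy of the sensitive data. The SSN range checks and the Luhn check are the standard ones; the sample text is constructed and contains no real data.

```python
import re
from dataclasses import dataclass
from typing import List

# U.S. SSN in the common NNN-NN-NNNN layout; candidates are then checked against
# the ranges the SSA never issues so that ordinary serial numbers are not reported.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes, as card numbers
# are usually written; the Luhn check digit filters out most non-card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the Social Security Administration never assigns."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "card"
    masked: str  # only the last four digits survive in the report
    line: int


def scan_text(text: str) -> List[Finding]:
    """Report where sensitive identifiers appear, without copying them in full."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding("ssn", "***-**-" + m.group(3), lineno))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:], lineno))
    return findings


# Constructed sample of the kind of text a scan of a shared drive might turn up.
# None of these values are real; 4111 1111 1111 1111 is a well-known test number.
SAMPLE = """Patient intake notes (constructed sample, not real data)
SSN: 123-45-6789
Card on file: 4111 1111 1111 1111
Typo'd card: 1234 5678 9012 3456
Placeholder SSN: 000-12-3456
Order reference: 9876543210123
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind} {f.masked}")
```

Run over the sample it reports one SSN and one card; the mistyped card number and the 13-digit order reference fail the Luhn check and the 000 area number is rejected, which is what keeps a discovery scan from drowning in false positives. Extending it to the other types above (driver's license formats, insurance member IDs) is a matter of adding a pattern and a plausibility check for each.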
Data must be secured at rest and in motion
Controls must be put in place to secure all forms of these data, whether they are in Word documents, PDFs, JPEGs, spreadsheets, EHRs or other databases. Just as paper files must be shredded when they are no longer required, the same applies to electronic data. Records must be securely and permanently erased when no longer required. It must not be possible to reconstruct any of these data once deleted.
It is essential to protect stored data, especially if it is housed on portable devices such as zip drives, laptop computers, portable hard drives and smartphones. These devices are all too easily misplaced, lost or stolen. Data encryption should be considered to protect all stored sensitive data. Data must similarly be protected when in transit. Emails should be encrypted, as should SMS messages. A number of companies provide SMS and email encryption services to allow communications to be sent securely, with authentication controls to ensure only the intended recipient can view the messages.
You are faced with an insurmountable problem: Your job requires you to keep the business secure from external attacks, and you must take action to deal with the threat from malicious insiders. It is your responsibility, and your job may well be on the line if something goes wrong and data is stolen, or your network is infected with a virus or malware.
Unfortunately, you have not had a budget increase and cannot afford to purchase the software solutions necessary to protect your business from attack.
This is a problem faced by many IT professionals. Management understands there is a risk and knows the risk is considerable, yet they expect you to work your magic with your hands tied behind your back.
You are not a magician, so if management wants to be properly protected, it is your job to convince the powers that be that you need a bigger budget. We know you have already tried this. What you therefore need to do is improve your communication skills. You need to find a way to convince the management that additional funding is absolutely essential. One of the best ways of doing this is to explain that security risk is actually business risk.
You are not alone – 50% of IT professionals work with inadequate security measures
IT department funding is almost always limited. It is not possible to purchase the highest quality equipment, the best possible security measures, and have enough staff members to perform all of the required work. So if you are stressed, are suffering a critical lack of funding, or are desperately understaffed – you are not alone.
The situation has recently been assessed by the Ponemon Institute. Its latest survey probed IT security professionals and asked them about the level of security in their organization. It would appear that when it comes to cybersecurity protections, the management and IT department heads are often not on the same page.
The survey was large. Over 5,000 IT professionals sent back responses to the survey and more than 2,500 of those respondents said their cybersecurity measures were inadequate. The problem for many was the fact that the upper management simply did not understand just how important it was to improve network security. Sure, they understood there was a risk of attack, but they didn’t understand just how serious that risk was.
If a cyberattack occurs, it is their fault, right? Unfortunately, you may have explained the risk until you were blue in the face, but how well did you communicate?
A survey conducted two years ago by Ponemon suggests that when it comes to communicating with management, IT security professionals often have problems. In fact, 64% of IT staff were discovered not to have effectively communicated the seriousness of the threats, or had only started to communicate them properly following a data breach. Nearly half of the IT professionals taking part in the 2013 survey said communication between the IT department and management was “poor, nonexistent or adversarial”.
IT budgets rarely reflect the seriousness of security risks
When budgets for IT security are calculated, they are rarely sufficient to allow all risks to be effectively neutralized. Spending is often misaligned with the needs of the business. According to the Ponemon study, only 11% of the average security budget is devoted to protecting the application layer. Interestingly, 37% of organizations believe that the application layer poses the greatest threat to data security.
Why is this the case? According to Larry Ponemon, founder and CEO of the Ponemon Institute, it is because management has not been provided with the right information. He says that few organizations have actually performed a full security audit and that security risks have therefore not been identified. As a result, management is not aware of the level of risk, and budgets are not set accordingly.
Any organization that fails to invest in IT security is likely to have to cover far higher costs in the long term. Take Target for example. The money spent on resolving its data breach is far higher than the cost of implementing solutions that would have prevented the attack from being possible in the first place. The company now has to cover the cost of data breach resolution, in addition to investing in better security. The cost of the Target data breach is expected to top $1 billion.
If security intelligence technologies are implemented, companies are much better equipped to detect intrusions and contain attacks when they do occur. According to the study, breach resolution costs are, on average, $1.6 million lower when security intelligence technologies were implemented before the breach occurred.
IT security should not be an afterthought. Proper investment will see more security breaches prevented and the cost of resolution significantly reduced. It is therefore essential to communicate the need for investment. The most effective way to get your voice heard is to provide facts and figures to back up your argument and to explain security risk in the context of the financial cost, operational problems that will be suffered, and the likely damage to the company’s reputation if a breach is suffered.
Security tools are not cheap. Understand the business drivers that generate the funds that will cover the cost of security software and become more effective at communicating credible risk. Give management the information it needs to understand why greater investment is needed. You are then likely to be given the funding you need to effectively manage security risk.
To put it mildly, 2014 was a bad year for many IT security professionals. The number of threats to network security increased significantly, more computer systems were breached than in previous years, and more confidential records were exposed than in the previous 12 months.
The threat landscape is constantly changing, but 2014 saw incredible volumes of new malware released and a considerable number of zero day exploits succeed. Many IT security professionals will be glad to see the back of 2014. Unfortunately, 2015 doesn’t look like it will be any better. Many predict it will even be worse.
2014 started badly with the discovery of a number of cyberattacks. Hackers had gained access to computer systems in 2013, or even earlier in many cases, but 2014 was when the attacks were discovered and a large volume of brown substance hit the fan.
The discoveries were shocking. Incomprehensible amounts of data had been compromised and listed for sale. The country was still reeling from the cyberattack on Target, and then came the announcement of mega data breaches at Neiman Marcus and Home Depot. P.F. Chang’s had customer credit card details exposed from 33 of its restaurants, JP Morgan was affected by a major data breach, as was Michael’s. The healthcare industry was also badly hit. Community Health Systems suffered a major data breach exposing 4.5 million records and even the U.S. Postal Service was targeted. 800,000 employee records were exposed in that attack.
Then there was the attack on Sony. That data breach caused an incredible amount of damage, with the hacking group responsible apparently not looking for money. The attack was carried out by a group called “Guardians of the Peace,” supposedly located in North Korea and backed by Kim Jong-Un. As a result of the breach, Sony Pictures even stopped the Christmas release of the movie “The Interview”. The film parodied the North Korean leader and even depicted his death. The leader of the Democratic People’s Republic of Korea was reportedly none too happy about the film, and the content of the movie was allegedly a motive behind the attack.
Now that “The Year of the Data Breach” (as it has been dubbed) has finally come to an end, it is a time to look forward to the New Year. Unfortunately, many industry experts have predicted an increase in the number of hacking incidents over the coming 12 months. 2015 is unlikely to be any better for IT security professionals.
The reason? Despite efforts being made by many organizations to address security vulnerabilities, many still exist. We are also no longer dealing with individual hackers operating out of bedrooms in their parents’ houses. International groups of hackers are targeting organizations in the United States and are receiving funding from foreign governments. Some of the world’s most talented hackers are being funded to attack the United States, the U.K., and just about every other country in the Western world.
So with the increasing threat, how is it possible to defend against cyberattacks, block malware, and beat malicious insiders? Fortunately, there have been a number of lessons learned from the data breaches suffered in 2014. Security trends have been identified and it is possible to implement a range of security solutions to protect corporate networks from attack. Being forewarned is being forearmed! Here are SpamTitan’s cybersecurity predictions for 2015.
Cybersecurity Predictions for 2015
Expect more mega data breaches
The more data that is held by an organization, the bigger target it becomes. The aim of many hacking groups is not to obtain money, but to use cyberattacks to cause financial havoc. Successful cyberattacks cause companies to incur incredible losses and can affect the financial markets. The data breaches have a huge effect on the economy, which is one of the aims of foreign-government-backed hacking groups. These attacks will not only continue; they are likely to get a lot worse.
Healthcare and education sectors will be major targets
Expect to see data breaches the like of which have never been seen before. The financial and retail sectors will continue to be targeted, but 2015 is likely to see healthcare and education hit particularly hard. Student and medical records are particularly valuable to cybercriminals. The data contained in medical and student records can be used to commit a multitude of fraud: medical fraud, insurance fraud, and tax fraud for example. Identities can be stolen allowing credit to be obtained in the victims’ names. Universities were targeted in 2014, as were healthcare institutions. Expect more of the same in 2015.
Email will continue to be used as an attack vector
Virtually everyone now has an email account. Many have a separate email address for work and for personal use. Email is one of the easiest ways of getting in contact with people, and spammers are well aware how easy it is to get an account holder to click on a link to a malicious website, or to open an email attachment that has been infected with malware.
Email is used to “phish” for sensitive information that allows criminals to gain access to credit card numbers and bank accounts. Computers and mobile phones can all too easily be compromised, and the potential rewards for criminals are high. Phishing emails and other spam and scam emails are expected to increase during 2015.
Vulnerabilities in web applications will be targeted
2014 saw a number of zero day vulnerabilities discovered in popular software applications and we can expect more of the same in 2015. There was Heartbleed, which was a potentially catastrophic vulnerability. Shellshock was also particularly worrisome. It is likely that these are just the tip of a very large iceberg.
At first it was thought that these security vulnerabilities had not been found and exploited by hackers. Unfortunately, this would appear not to be the case. The hack of healthcare provider Community Health Systems exposed 4.5 million patient records. It is believed that the cyberattack was made possible because of Heartbleed.
Attacks on mobile devices are likely to increase
Ownership of smartphones and tablets has increased considerably and so has the volume of personal data stored on those devices. Smartphones permit the user to access email accounts, bank accounts and social media networks. Many people track their movements using the devices and record exercise data. If a device can be accessed, a considerable amount of personal data can be obtained.
Unfortunately, many of the applications downloaded to the devices contain numerous security vulnerabilities. Even the platforms themselves (Android and iOS) contain many security holes. Hackers and cybercriminals are well aware that mobile devices can contain a goldmine of data and, with the increasing popularity of Bring Your Own Device (BYOD) schemes, mobiles can even be used to launch attacks on corporate networks. Expect mobile devices to be implicated in more corporate security breaches and millions of users’ data to be plundered in 2015.
The threat landscape is constantly changing and there are more malicious attacks being reported than ever before. The seriousness of those attacks has also increased. Consequently, organizations must invest more heavily in network and cybersecurity defenses. The companies that fail to increase cybersecurity spending are likely to become the next targets.
May is not yet over. There are still seven months to go before 2015 arrives, yet Internet security experts are already calling 2014 the year of the data breach. The situation is bad and it is expected to get worse. Before the year draws to a close, many millions of Internet and email users will discover they have had their computers infected with viruses or have become victims of Internet fraud.
The U.S. healthcare industry has been hit particularly hard this year. In February, Anthem Inc. discovered a hacker had infiltrated its computer network and stolen 78.8 million insurance records. Just days later, Premera Blue Cross, another U.S. health insurer, uncovered a similar cyber attack that exposed the records of 11 million subscribers. The month of February was just over halfway through, but more confidential healthcare records had been exposed than in the whole of 2012 and 2013 combined.
Then there was the cyberattack on Target. Up until February 1, Bloomberg BusinessWeek calculated the retailer had spent approximately $61 million to cover data breach resolution costs. All three of these data breaches were suffered by large organizations that had invested heavily in data and network security systems. Yet despite the investment they still suffered massive data breaches.
What makes the Target data breach stand out though is the fact that the company’s security system actually detected the intrusion. For some reason, Target decided to do nothing about it. To state the obvious, this was a mistake. So far over 100 separate lawsuits have been filed against the retailer, in the most part citing negligence for failing to protect customer data and not taking action quickly enough when the breach was discovered.
The attack exposed the records of over 110 million customers and the banks have already been forced to spend in excess of $200 million as a result. When the lawsuits are resolved, the final cost of the data breach doesn’t even bear thinking about. Typically, data breach victims seek damages of around $1,000 a head.
Then there was Heartbleed. For those who somehow missed it, this was one of the biggest and potentially most serious security vulnerabilities ever discovered. It would appear that the bug was identified in time to allow companies to prevent it from being exploited. However, that is difficult to ascertain with any degree of certainty. If the security vulnerability was exploited, there would be no way of telling whether data had been stolen.
The cost of plugging this security hole was considerable. Companies were forced to take rapid action to secure their networks and computers before hackers could take advantage. The same cannot be said of consumers. It would appear that little has been done to protect against the bug. Following the announcement very few individuals have even changed their passwords or taken other steps to protect themselves. A recent survey conducted by MarketWatch indicates that little has been done because consumers are not even aware of the Heartbleed bug. Half of those surveyed had never even heard of it, let alone the actions they need to take to protect themselves from attack.
Many of the major data breaches suffered this year did not actually occur in 2014. Hackers first gained access to networks last year or even earlier. This was the case with Anthem, Premera, and also Neiman Marcus, another major data breach uncovered this year. That attack was also discovered in February 2014, which could become known as “the month of the data breach”.
For the past eight months, Neiman Marcus’s systems have been open to hackers. Such a breach should have triggered the company’s security system, which it would have done approximately 60,000 times had that security feature not been inadvertently turned off. Suspicious server activity was unfortunately not being monitored.
These data breaches have proved very costly indeed. According to the Ponemon Institute, the cost of resolving data breaches has increased again this year making matters worse for companies attacked by hackers.
Security systems are excellent, but what about the security staff?
It is all very well installing multi-million-dollar cybersecurity defenses, but if skilled staff are not employed to interpret the data, intrusions may not be discovered until many months after hackers have infiltrated the network. This was certainly the case at Neiman Marcus, but also at Target. Had the system been checked, Target would have been made aware that its defenses had been turned off. It took a full post-breach audit to determine this was the case. This should have been checked on a regular basis. Doing so may not have prevented the breach, but it could have reduced the damage caused.
The problem for many IT departments, CISOs and CIOs is a lack of funding. Organizations appreciate that money must be allocated to counter the cybersecurity threat, but too little is being spent. This was highlighted by the Ponemon Institute study. Respondents indicated that a doubling of the security budget is necessary to counter the threat, install better security, allow audits to take place, and to employ the staff necessary to monitor systems for signs of attack. If security budgets do not increase, data breaches certainly will.
The Heartbleed security vulnerability was announced recently and had IT security professionals rapidly taking action to plug security holes. System passwords were changed and alerts sent to end users telling them to do the same.
Heartbleed is a highly serious data security vulnerability that was discovered in the OpenSSL cryptographic software library. It is so called because it affects an SSL extension commonly known as Heartbeat. Over half a million websites are believed to have been affected by the Heartbleed vulnerability.
The Internet is normally secured with SSL/TLS encryption. This allows information to be exchanged securely by a wide range of Internet applications, including Instant Messaging (IM) services, email, and even Virtual Private Networks (VPNs). Unfortunately, the Heartbleed bug allows anyone to steal passwords even with SSL/TLS encryption in place. According to American cryptographer Bruce Schneier, Heartbleed is a potentially catastrophic security vulnerability. He recently said, “On the scale of one to 10, this is an 11.”
IT departments have been frantically issuing alerts to change passwords
Sensitive data is protected by passwords; however, Heartbleed has potentially allowed passwords to be compromised. The security vulnerability may have only just been discovered, but it has existed for at least two years. Hackers are not understood to have used the vulnerability to gain access to sensitive data, but it is actually rather difficult to tell even if they have. As a security measure, IT staff have been sending emails to all users advising them to change their passwords just in case.
Unfortunately, they are not the only individuals sending password change requests to users. Online scammers have been piggybacking on the major data security event and have been sending emails of their own, conveniently including links that supposedly allow users to rapidly address the huge security hole.
Any individual who has heard about the security issue will be keen to protect themselves against hackers and cyber criminals. Emails telling them to change their passwords are likely to be clicked. Unfortunately, clicking those links will take users to a website where they enter their current passwords. By doing so they will be giving them to criminals. They may think they are protecting themselves, but their actions will be doing the exact opposite.
Beware of Heartbleed Protection Scams
Piggybacking on major news events is a common tactic used by phishers to get computer users to reveal their sensitive information. News of a major IT security flaw is music to phishers’ ears. Computer users are fearful of a cyber attack and phishers play on those fears. The response rate to emails of this nature is typically high.
Many IT professionals have been busy securing their networks and have performed security audits to address the latest vulnerability and search for others that may exist. Software companies are taking advantage and are offering products that will perform full system security checks. After all, there is no better time to boost sales than when the public is keen to improve online security.
Scammers have been taking advantage by sending links to websites that will supposedly perform security checks. The scam emails and adverts appear genuine. They offer a free system check to determine whether vulnerabilities exist, and they have even promised to clean systems and install the required patches to secure devices. By accepting these checks, users will just be guaranteeing that their devices are compromised. It is therefore a time to be extremely vigilant for online scams. Efforts must be made to check that any request to improve security is actually genuine before it is accepted.
How to Beat the Scammers, Spammers and Phishers
Fortunately, it is relatively easy to avoid becoming a victim of one of these scams. Receiving an email with a link or an attachment will not automatically compromise a computer. Action is required by the user for that to happen. If the phishing email is deleted, so is the threat. However, not all users know how to identify a phishing email. If one does reach an inbox, a user may end up infecting their computer or, worse still, the network to which that computer connects.
It is important to give computer users the information they need to protect themselves. They must be advised of the tell-tale signs of a phishing email. Only then will they know how to determine if an email is genuine. Training is therefore important, and now is a good time to ensure that the staff is well informed.
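Two of the tell-tale signs described above (a password-change link whose visible text shows one domain while the href points at another, and an urgent "change your password" notice tied to the news event but sent from, or linking to, a domain outside the organization) can be checked mechanically before a message ever reaches an inbox. The following is an added example, not code from the original post or from SpamTitan; the trusted domain `example-corp.com` and both sample messages are constructed for illustration.

```python
"""Added example: flag emails that piggyback on a security news event
(here Heartbleed) to push a password-change link. The trusted domains and
the two sample messages are constructed, not taken from the original post."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: domains a genuine IT notice may come from or link to.
TRUSTED_DOMAINS = {"example-corp.com"}
EVENT_KEYWORDS = ("heartbleed", "openssl")
URGENCY_KEYWORDS = ("change your password", "reset your password",
                    "immediately", "within 24 hours")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, tolerating bare 'www.example.com' style text."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess_email(sender, subject, html_body):
    """Return the list of reasons a message looks like a piggybacking phish.
    An empty list means none of the heuristics fired."""
    reasons = []
    text = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    mentions_event = any(k in text for k in EVENT_KEYWORDS)
    urgent = any(k in text for k in URGENCY_KEYWORDS)
    sender_host = sender.split("@")[-1].lower()

    parser = _LinkCollector()
    parser.feed(html_body)
    for href, visible in parser.links:
        href_host = _host(href)
        # Visible link text that looks like a URL but differs from the real target.
        shown_host = _host(visible) if re.match(r"^(https?://|www\.)", visible) else ""
        if shown_host and shown_host != href_host:
            reasons.append(f"link text {visible!r} hides destination {href_host}")
        # An urgent, event-themed password link that leaves the organization.
        if mentions_event and urgent and not _is_trusted(href_host):
            reasons.append(f"password link to untrusted host {href_host}")
    if mentions_event and urgent and not _is_trusted(sender_host):
        reasons.append(f"security notice from untrusted sender {sender_host}")
    return reasons


# Constructed samples: a genuine IT notice and a scam that copies its wording.
GENUINE = ("helpdesk@it.example-corp.com",
           "Heartbleed: please change your password",
           '<p>Because of the Heartbleed bug, change your password at '
           '<a href="https://sso.example-corp.com/change">'
           'https://sso.example-corp.com/change</a>.</p>')
SCAM = ("security-team@example-corp-support.net",
        "URGENT: Heartbleed - change your password immediately",
        '<p>Click <a href="http://example-corp.com.login-fix.example.net/reset">'
        'https://sso.example-corp.com/change</a> to protect your account.</p>')


def demo():
    """Run both samples; the genuine notice yields no reasons, the scam three."""
    return {"genuine": assess_email(*GENUINE), "scam": assess_email(*SCAM)}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or "no heuristic fired")
```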
It is also an ideal time to install some additional safeguards to prevent spam and scam emails from reaching users’ inboxes. SpamTitan Technologies offers two excellent security solutions. The first is a robust and highly effective spam filter that prevents spam and scam emails from being delivered. The second solution prevents users from clicking links to scammers’ websites.
SpamTitan web filtering works like a business version of a parental control filter. Instead of just blocking gambling, dating, and pornographic websites from being visited, it also blocks users from visiting known phishing websites and even genuine websites that have been infected with malware.
By installing both of these anti-phishing solutions, IT professionals can sleep easy. The Heartbleed vulnerability will still need to be addressed, but they will be able to relax a little knowing that end users will not be falling for the myriad of piggybacking phishing campaigns that have been developed over the past few days since the Heartbleed announcement was made.
Consumers are spending less in brick-and-mortar stores, and more people are looking for goods and services online. On top of this, some major retailers have suffered data breaches which have tarnished their reputation. For Target, the data breaches it suffered have had a serious impact. Sales have been lost to competitors as a result.
According to a Cowen & Co. tracking survey, there has been a decrease in customer satisfaction. The survey indicates there has been a fall in satisfaction with the overall shopping experience, and ratings for customer service have also declined.
The data show that reputation and brand image do have an impact on shoppers’ behavior. They will go elsewhere if they do not trust a retailer.
Target is one of the biggest retailers in the United States. What would be the impact on a small to medium sized organization? Would it be possible to weather the storm after a massive data breach has been suffered?
Data Breaches Can Cost SMBs Dearly!
The cost of a data breach can be considerable. The Ponemon Institute has recently quantified this. In a recent survey, 850 executives were asked about reputation damage following a data breach. 44% of respondents said it would take between 10 months and 2 years to recover from damage to reputation following a data breach. For some companies the effect will be felt for much longer. If they manage to stay in business that long!
Not all breaches have the same effect on a company’s reputation. Consumers are aware that security breaches are now a fact of life, but they are likely to be unforgiving if their Social Security numbers, credit card numbers, or bank account details are obtained by criminals.
The potential financial losses for a company can be considerable. Ponemon’s study suggested that brand image damage can cost between $184 million and $330 million. Best case scenario? You are likely to lose 12% of your brand’s value.
Your Competitors are Waiting to Take Advantage
All companies are likely to suffer a data breach of some description, yet many are ill prepared to deal with a security breach when it occurs. If a breach response plan is developed prior to a security incident being suffered, this can reduce the damage caused.
It is possible to win back the trust of customers after a breach, but it can be a long and difficult process. It is not actually clear whether a company’s reputation can ever fully recover. After all, today’s marketplace is particularly unforgiving. There is simply too much competition and plenty of competitors who will be ready to take advantage.
If your reputation is damaged, it will have an impact on your bottom line. Customers will change brands and there will be class-action lawsuits filed as plaintiffs try to recover damages. Revenues are likely to fall, and regulators may also issue costly financial penalties.
Fortunately, there are a number of actions that can be taken to reduce the risk of a data breach being suffered. Should the unthinkable happen, they can also reduce the severity of the breach. Think of data security investment as an investment in your brand image. That must be protected at all times.
LinkedIn is one of the fastest growing social networks and is now used by employers to build contacts and find new customers and suppliers. The number of LinkedIn users has been swelling, and now the site boasts nearly 1 billion accounts. The professional network is an essential sales and marketing tool for many companies, and recruitment firms would find it very difficult to stay competitive without it.
The website extends a company’s reach and can be used for a variety of purposes. Company news can be announced, new products marketed, new employees found, and the site contains many interesting industry articles, providing hints and tips for busy professionals. Many users now search LinkedIn for information before using the search engines.
Companies now use the social network as well as their employees. In fact the boundary between the two has become somewhat blurred. For instance, if an individual spends personal time building up contacts, are those contacts connecting with the person or the company? In many cases it is a mixture of the two. So who actually owns those contacts? The employee or the employer? A recent court case in the UK sided with the company. However, without social media usage policies in place, a court case could go either way.
Recruitment consultant discovers his LinkedIn contacts are not his own
A recruitment consultant at Hays Recruitment had been building up contacts via his professional account. When he decided to leave his employer and set up his own business, he copied contacts to his personal account. These were people he had been dealing with frequently as his job demanded.
Hays objected to this activity and took the ex-employee to court over the matter. The judge agreed with Hays and ruled that LinkedIn contacts built during employment at Hays be handed over. The employee was also required to disclose all of the emails that had been sent to those individuals.
The employee, Mark Ions, maintained that by connecting with individuals they had disclosed their contact information, so those details were no longer confidential. Hays maintained that Ions stole business contacts.
This landmark case highlights the potential problems with the use of social media accounts at work. Many companies actively encourage employees to use LinkedIn to build up contacts, but then claim that those contacts are confidential and cannot be used by the employee for personal purposes.
Court cases such as this are likely to become much more common as the use of professional social networking sites increases. Another case went to the courts in July of last year. Whitmar Publications discovered that some former employees had used the company’s LinkedIn network to market the services of a rival business. Again the courts ruled in favor of the company. The former employees had breached an implied duty of good faith by using the list.
Other problems can arise from the use of the professional network. What happens if an employee of a company wants to find a new job? Can an employee upload a CV and tick the career opportunities box indicating he or she is in the market for a job?
The matter was taken before the courts recently, although the ruling did not exactly clear up the matter. While employed at BG Group, HR manager John Flexman indicated on his LinkedIn CV that he was assisting his current employer in reducing its attrition rate. This was deemed to be a breach of confidentiality by BG Group. The company also claimed Flexman had breached its social media usage policies by indicating he was in the market for a job.
BG Group demanded that Flexman remove all details of the company from his profile, other than the company name and his job title. Flexman did not agree. The situation deteriorated and Flexman eventually felt he had no alternative but to resign. He then claimed constructive dismissal. In this case the court ruled in favor of the employee.
Social media usage policies must be developed by businesses
Some companies may have already introduced social media usage policies to cover the use of personal Facebook and Twitter accounts in the workplace, banning staff from spending company time accessing their own accounts. These legal cases highlight the importance of developing comprehensive policies covering all uses of social media websites at work, including contacts that are developed as a result of employment.
Employees must be informed about contact ownership. Any information that is in the public domain – i.e. could be found in a business directory or phone book – cannot be classed as confidential information. However, other information that has been obtained by employees during employment is different. This includes the email addresses of those contacts and their direct dial telephone numbers.
Since LinkedIn is a relatively new website, and legislation on employment law has yet to be introduced to address the issue, there are many gray areas, in particular when personal accounts are used by an employee. Employers are advised to ensure that LinkedIn accounts are set up and maintained by the company, and that employees are not told to create their own accounts for work purposes. All contact information then belongs to the company, not the employee.
Policies on the use of LinkedIn and other social media websites should be clearly stated. These could be included with general Internet and email usage policies that are issued to all employees.
Social media usage policies are required to cover use and ownership of accounts, but it is important not to ignore the security aspect. Employees must also be told about acceptable use of the sites from a data security perspective, and instructed what can be uploaded and downloaded to accounts.
Web visitors can be ultra-cautious and avoid websites that commonly contain malware. Don’t visit pornographic, gaming, betting, file-sharing, and streaming websites, and you will be able to reduce the risk of encountering malware. However, that doesn’t mean that you will never come across phishing websites and malware-ridden webpages.
Even very large, reputable websites are sometimes infected. How large? How about Yahoo, one of the biggest search engines and webmail providers on the Internet. Recently Yahoo was found to contain adverts that attempted to install malware on users’ computers.
Code was installed that examined users’ computers and checked to find out if the latest Java version was installed. Earlier versions of Java contained vulnerabilities that could be exploited. The latest version has fixed the security holes, but many users have not yet installed the latest version.
It is estimated that as many as 2 million people visited Yahoo and had their computers infected. A great many more individuals would also have had their computers compromised had they visited the website instead of Google. In this case, the individuals behind the infections – malvertisers – were putting users’ computers to work performing bitcoin calculations: a very profitable business if you have 2 million or more computers at your disposal.
Of course this is nothing new. Many websites are infected with malware. They just are usually not as big as Yahoo. However, hackers are getting bolder, and are now succeeding in infecting large websites with very good security measures in place.
Advertising networks are increasingly being infiltrated by malvertisers
Legitimate advertisers use advertising networks to syndicate their adverts across many thousands of websites. They are able to put their adverts in front of tens of millions of potential purchasers. Malvertisers, individuals or disreputable companies, are now doing the same. They make their adverts look respectable and get accepted by an advertising network. However, their ads contain links to malware-ridden websites, or code that probes for security vulnerabilities in users’ computers. They then inject their malware and put it to work.
Unfortunately, it is not a difficult process. In fact one doesn’t even need to be a hacker in order to do this. All that is required is an exploit kit that can be rented online. Take the Black Hole exploit kit for example. Using this kit, online criminals are able to inject code into the web browsers of site visitors. The renting of exploit kits is now commonplace and developers will even show people how to use the exploit kits to achieve their aims. Even people with very little knowledge of programming are able to use the kits to infect computers with malware.
The threat from these wannabe online criminals is considerable. If your company’s employees visit websites while at work, they could inadvertently click on an advert that directs them to a site containing malware, or one with advertising code on the page that probes for vulnerabilities. Even viewing an advert may result in a computer being infected.
There is a solution that protects against rogue adverts
There may be a high risk of infection, but that doesn’t mean that the risk cannot be effectively managed. In fact, managing risk is surprisingly easy. All that is required is software that contains an ad-blocker, and there is plenty of choice (NoScript, AdBlock and ScriptSafe for example). All of these are capable of blocking adverts and, if no adverts are displayed, users will not be able to click on malvertisers’ adverts.
Unfortunately, with all of these ad-blockers there is a problem. First of all, they are all browser-specific. That means every browser in an organization will need to have the ad-blocker installed to offer protection. They are also only available as plug-ins. This poses another problem for Sys Admins. Plug-ins are only safe if the latest version is installed, and updates are frequently released. Even these “safe” plug-ins contain vulnerabilities that can be exploited.
That means that every browser on every computer that connects to the network must have the plug-ins installed and then be frequently updated. On a small network of 20 computers this would be a considerable task. On a network with 1,000 desktop computers, 500 laptop computers, numerous tablets and mobile phones, it could potentially be a full time job for a small team of Sys Admins. Not a very practical solution it has to be said.
Is there a less labor-intensive alternative?
Fortunately, there is. The solution is to install a web filtering solution that contains an Ad-blocker. SpamTitan web filtering solutions for the enterprise contain an ad-blocker that will block adverts on all users’ devices, which includes mobile devices as well as desktops. A Sys Admin can configure the web filter to protect all users, but the software is not only about blocking adverts.
SpamTitan’s web filter will also prevent users from visiting websites known to contain malware and will block undesirable content such as pornography, gambling and file-sharing sites. SpamTitan’s web filter has been developed to give Sys Admins an exceptional level of control. Permissions can be set for the entire organization, groups of users or individuals.
A user in the IT department could be allowed to view any site, while a member of the accounts department could be prevented from visiting virtually all websites. Different web filtering settings can even be assigned for different times of the day, if required.
Such a granular approach is important as each member of staff may require different levels of access. Social media websites could be blocked for all members of staff except those in the marketing and IT departments for example.
Having all of these controls could potentially require a Sys Admin to spend hours learning how to operate the system, and weeks configuring it. Not with SpamTitan. The controls are intuitive, easy to set up, there is no steep learning curve, and configuring users’ settings is a relatively quick process. Protecting a network from malware, and users from viewing undesirable content, has never been easier.
Certain types of websites are known to contain malware and carry a high risk of infecting visitors: video streaming websites, those providing adult content, and sites run by individuals who lack an understanding of basic security controls. However, it is not only these websites that carry a risk of infecting visitors with malware. Even large sites – we are talking Yahoo and YouTube here – have allowed malware to be installed. How is it possible that websites which generate huge revenues can also be infected?
The problem is not the websites themselves, but the content that is displayed on them. Malware is delivered indirectly, via the ad networks site owners sign up to or fail to block. There are a lot of unscrupulous advertisers out there, and many do not vet their customers very well. Some ad networks allow anyone to sign up. They also serve just about any kind of advert, even those containing malware or malicious links. Any visitor to those sites could potentially have their device infected. If one of those visitors is an employee of yours, your network could be in serious trouble.
Ad networks can allow malware to be delivered to users’ devices
An advert on a website could direct the visitor to a phishing website or one that contains multiple pieces of malware. That is not to say that the advertisers are deliberately phishing for information or want to infect visitors. They may not even be aware that their websites have been hijacked by hackers.
Advertising is often a necessary evil to make websites profitable. Without advertisers, many websites would simply go out of business. To generate revenue, site owners place code on their websites that third party servers can access. Adverts are then shown to visitors to that website via text, image, or even video ads. Those third party servers potentially syndicate adverts to tens of thousands of websites, including many legitimate and well known websites.
With the potential to send adverts to so many websites, ad networks are frequently targeted by cybercriminals. If they are successful, their malware can be very quickly syndicated and placed in front of tens or hundreds of thousands of individuals. In some cases, millions.
Even if the ads direct you to a legitimate website, they often result in pop up browser windows being launched which can slow down your computer. Those pop ups may also contain links to many dangerous websites.
As a system administrator do you want your company’s employees to be presented with adverts telling them to update their software themselves?
What can IT managers do to prevent networks being compromised by employees?
Recent research conducted by Cisco Systems has revealed that employees and other Internet users are much more likely to suffer a malware infection as a result of shopping online at legitimate websites than they are by visiting file sharing websites. How much more likely? 21 times apparently, according to Cisco Systems researchers.
Hackers often target industry and business websites and infect them with malware. This is because business network infiltration can be extremely profitable. These websites are often targeted through the ad networks they use to generate additional revenue from their sites.
As an IT Manager you will be expected to protect your network from malware. Due to the high risk of third party ads serving malware, is the answer to block all third party adverts from being displayed? Many IT security pros do just that, and block adverts. These individuals believe there is actually no benefit at all to be gained from allowing the adverts to be shown. They just add an unnecessary risk to surfing the Internet. They also waste bandwidth and employees’ time.
Blocking third party adverts from being displayed is straightforward. A firewall policy can be introduced to prevent the adverts from being displayed. This functionality is also included with WebTitan’s enterprise content filtering solutions. With the latter, certain types of website can also be blocked to protect employers and employees. It is also possible to block adverts and even apply specific controls for certain groups of users or even individual employees.
You may feel ad blocking is an unnecessary restriction and would prefer to instruct members of staff not to click on the website adverts. Unfortunately, there will always be one employee who breaks the rules and that could result in malware being delivered. Are you prepared to take that risk?
In September, WebTitan launched a competition offering charities the chance to win a free WebTitan Cloud Security Solution to keep their networks protected when workers access the Internet and email.
The solution is highly effective at preventing users from inadvertently accessing web content that could cause networks or computers to be infected with malware, while protecting users from objectionable content. It also allows an organization to see what websites individual workers are attempting to access. For charitable organizations the WebTitan Cloud Security Solution offers exceptional protection, and can prevent data breaches and costly cyberattacks.
The competition attracted a great many entries. All that was required to enter was for the participant to be a charity, and to provide a brief answer to a very simple question: why would the organization benefit from winning a free WebTitan Cloud Security Solution?
The WebTitan Cloud Competition Winner Is… Touch Life of Uganda
The first prize in the competition was well worth winning: A WebTitan Cloud web security license valued at $8,000!
The prize could not have gone to a worthier winner. Touch Life is a Non-Government Organization (NGO) operating in Uganda. The charitable organization performs important and incredibly valuable work, assisting families that have been torn apart by war, famine, disease, and have been forced to live a life of extreme poverty. The charity empowers those families to take control of their lives and gives them hope.
In an ideal world, the websites of charities would be exempt from cyberattacks. Yet sadly their websites are no different from those of global corporations earning profits in the billions. Cybercriminals often conduct random campaigns, and the reality is that charities are often targeted simply for having poor security controls. If there is money to be made from attacking a website, that website will be attacked. In fact, cybercriminals often take advantage of natural disasters, famine, and war to obtain donations intended to help victims.
However, the Internet is vital for charities to spread news about the excellent work they perform and attract donations. Without those donations they could not continue with their missions. It is therefore essential that the websites have cybersecurity protections in place to protect from attack and ensure that donations make it to the victims, rather than be diverted to cover data breach costs. WebTitan Cloud security offers that protection.
Second Prize awarded to… New Zealand’s Framework Mental Health and Intellectual Disability Service
The second prize in our Cloud Security Competition was a brand new iPad. The winner of the prize is Framework of New Zealand, a provider of mental health and intellectual disability services in the Greater Auckland region. The organization conducts important work and helps to improve the lives of the mentally and physically disabled, teaching them a range of vocational skills, offering training, education and support. The charitable organization was first established in 1984 and has helped thousands of individuals lead more fulfilling lives.
Additional prizes have been awarded to a number of competition participants. A $50 Amazon voucher has now been sent to NGOs around the world, including Australia’s YMCA.
We would like to take this opportunity to thank all participants in our Cloud Competition and encourage all charities to check our blog frequently for news of further competitions. Be sure to sign up to receive our blog posts to make sure you never miss a chance to win. Our blog posts will also keep you abreast of the latest security threats to allow you to protect your websites, networks and data from cybercriminals.
Without anti-phishing controls in place, your organization is likely to face a high risk of end users falling for scams. How good do you think your employees are at spotting phishing emails?
How good are you at spotting phishing emails? Are you a Grammar-Nazi who can spot a misplaced semi-colon from 50 paces? Are you a former Spelling Bee champion or an amateur super-sleuth?
Sometimes phishing emails are so obviously fake they are laughable. You would think that a scammer who goes to the trouble of sending out millions of emails claiming to be from a reputable company would actually check the spelling of the company name. Many don’t. Error-ridden phishing emails are common, and they are easy to identify.
However, don’t believe for one second that all phishing campaigns are that easy to identify. I write about Internet security and I have nearly fallen for one in the past. Admittedly, it was a very convincing one and in the early days I was a little naïve!
I tell you this as even the security conscious can fall for phishing campaigns from time to time. Sometimes scams and phishing emails are virtually impossible to distinguish from legitimate emails. Unless a software security solution is used, it is all too easy to inadvertently become a victim.
It used to be a rarity to be emailed a phishing email that was convincing, free from errors, and looked like it had been sent by a legitimate company. Today, scammers are much wiser. They know that a little time spent preparing a campaign properly will result in far more clicks and even more victims.
When you consider the money that can potentially be made from targeting business users, investing some time into creating highly convincing campaigns is well worth the investment. Spending a few hours or even a couple of days on a campaign could make the difference between getting no clicks and netting millions of dollars. Unsurprisingly, email spammers have realized this.
Spear phishing emails are becoming increasingly common
IT security professionals will be well aware that their end-users will be sent phishing emails that can be identified with one eye closed. These emails are sent out randomly in the millions. Fake PayPal receipts, Better Business Bureau warnings, potential lawsuits, and requests for money to help victims of natural disasters. These emails are very common. Unfortunately, they claim many victims. If they didn’t, the spammers would stop sending them.
However, there has been an alarming rise in spear phishing emails in recent months. These are more worrying as they have been expertly written and use personal information gained from the recipient to convince them to click on a link or open an attachment. They can even appear as if they have been sent by a friend, or contain information that has been gained from a social media account.
Sometimes an email will be sent to a number of individuals in a company. Other times the email targets one person. In the case of the latter, these insidious emails can be highly effective. An attacker gains access to the target’s Facebook account, either by being accepted as a friend, viewing pages that have been indexed in the search engines, or by guessing passwords. Then information posted to the user’s account can be used to construct a convincing email.
For example, you attended a school function, such as a sports day, and you post some pictures to your Facebook account. If someone had access to your account or could view your pictures (a friend of a friend of a friend for example) and they then sent you an email with a JPEG attachment, would you be likely to open it if they said they enjoyed speaking to you at the event and said they had attached a great picture of your child? How about if they mentioned your son by name? All of that information could be easily gained from Facebook without even having your password!
Simple anti-phishing controls will protect your network from spear phishing campaigns
Fortunately, defending against well researched and expertly written phishing emails is not difficult. There are a number of anti-phishing controls that can be used to prevent the emails from being delivered, as well as controls to stop users from visiting phishing websites.
The first line of defense is to prevent the emails from being delivered. To do that you need to install a spam filter, such as that offered by SpamTitan. SpamTitan Anti-Spam solutions prevent 99.98% of spam and scam emails from being delivered. It is one of the best anti-phishing controls you can implement to protect your workers and network.
Secondly, all members of staff, from the CEO down, should receive security awareness training so they know how to identify a phishing email. Training need not involve day-long courses. A little information can go a very long way. It is better to have face to face training but an email explaining how a phishing email can be identified is better than nothing. Remember to put training to the test by sending staff members fake phishing emails to see how their training is being applied at work. This will identify the weakest links, and further training can be provided.
Thirdly, it is possible to block users from clicking links to malware-infected websites. Employ a web filter and these and other potentially dangerous links can be blocked. SpamTitan’s web filtering solutions are ideal for this.
Along with anti-virus software and anti-malware protection, users can be properly protected by using anti-phishing controls. All small to medium businesses should use each of the above solutions to minimize risk. A little investment in anti-phishing security measures can save a fortune in data breach remediation costs. It could also prevent ransomware and other potentially catastrophic malware infections.
Ever since the advent of social media networks, employers have been trying to devise ways to prevent employees from using the sites in the workplace. Employers see the sites as a huge drain of the staff’s time and believe they are one of the biggest killers of productivity. It is true that a lot of time is spent on the websites instead of performing work duties, and some employees spend far too much time checking posts. However, new research has now been released suggesting social media site usage may not actually be that bad. In fact, there could even be major benefits for employers.
Do you Ban Social Media Site Use at Work? You Could be Causing More Harm than Good!
A new study conducted by Warwick Business School shows that banning social media access in the workplace is more likely to kill productivity than allowing staff access. Any employer believing the opposite is true needs to have a rethink. Some downtime in the workplace is a good thing.
Employees cannot work for 4 hours straight without a break and be expected to be as productive at the end of that 4-hour stretch as they were at the start. Taking a few minutes here and there to check Facebook can mean employees’ productivity actually increases.
Warwick Business School’s Professor of Information Systems, Joe Nandhakumar, ran the investigative study. He believes that some workers are better at organizing their workflow if social media site access is allowed. Knowledge workers in particular can perform better at work if access is provided.
Rather than social media being a distraction, Nandhakumar believes the opposite to be the case. Employers just need to find the positives and not concentrate on the negatives. He has also pointed out that the use of social media may be a new issue for employers to deal with, but they have faced a similar situation in the past with the use of email. That was thought to be a huge drain of time, yet evidence suggests that not to be the case. Take it back even further, and the use of the telephone was believed to be a killer of productivity. In actual fact, social media, email and the telephone make workers more productive, and allow them to achieve much more during their working day.
Social media use has been shown to increase productivity
If employers believe that employees should be spending 100% of their working day dealing with working matters, they will naturally see social media use as a drain on productivity. However, employees are not necessarily goofing off when they access Facebook. Many check the sites intermittently while performing work duties. The younger generation especially is particularly skilled at multi-tasking, and can keep an eye on Twitter, update Facebook, send emails and answer the phone at the same time.
These workers are able to cope with highly varied workloads, and banning social media use may actually kill productivity. Without some entertainment provided by Facebook, workers become bored, less productive, and less willing to work hard for their employers. Taking a short break from work can actually help to increase mental focus when they are working.
Studies differ on how long people can concentrate at a stretch: some say an hour, others 45 minutes, or even 20 minutes, depending on which study you read. What is clear is that concentration drops off over time, and simply taking 5 minutes an hour to check Twitter can have a positive effect. Workers will also be more creative and efficient, which are clear benefits in certain industries.
Market research firm Ipsos was contracted by Microsoft to conduct a study into social media usage in the workplace. The study showed that 46% of workers felt that they were more productive if they took a few minutes off to check Facebook. There were some surprising differences between workers from different countries. Workers in India, for example, found they were much more productive at work if their employers allowed some social media time: 71% of Indian respondents agreed they were more productive if allowed access to Facebook, Twitter and other popular social media websites.
The best approach? Use common sense!
There will always be workers who are overactive on social media websites and spend more time on those sites than they do working. Clearly these employees must be advised that the time they spend on the sites is unacceptable. However, not all workers will abuse the good nature of an employer.
How can social media site use be managed? There are some technical solutions that are highly beneficial in this regard, not just for curbing social media use, but also preventing personal Internet use from becoming problematic.
By installing a web filter – such as SpamTitan – the use of social media websites can be blocked entirely. A better tactic is to block access to the sites at specific times of the day. By doing this an employer can be more relaxed about usage of the sites while still keeping it within agreed limits. An example would be to block use of the sites during busy times, or in the mornings and directly after lunchtime.
The management can decide on an acceptable level and then configure the web filter accordingly. Controls can even be defined by employee or department. The marketing department and other groups of individuals who need to be creative could be set different limits than other workers in the business.
Data entry staff may need a break every few hours. Providing some access could therefore improve the level of work that is achieved each day. With a configurable web filter, employers can easily experiment and find the right balance. This may take a little time, but if it results in improvements to productivity and efficiency, this will be of great benefit to the organization.
Twitter, like many other social media platforms, is a target for hackers and cybercriminals. The company has recently become the victim of a number of cybersecurity incidents that have resulted in the account names and passwords of users being obtained by criminals.
Each attack spells bad news for the company, and even worse news for users of the platform. They face an increased risk of suffering identity theft and fraud as a result of having their login credentials compromised. Twitter's security measures were simply not good enough to prevent a data breach from occurring.
Twitter security bolstered with two-factor authentication
To address the situation, Twitter security has been improved with two-factor authentication. This is an important security measure to implement as it makes it harder for accounts to be hacked.
Two-factor authentication uses two means of identification to help ensure that accounts are only accessed by the correct individuals. In addition to entering a username and a password, Twitter now requires an extra element to verify the identity of the person trying to access an account.
A number of websites and online services have now added two-factor authentication to provide better protection for users of their online services. Google, for instance, added two-factor authentication in 2010.
Google’s reputation would be tarnished if it was hacked, and the company added the measure proactively to offer its account holders more protection. A user who enables it registers a mobile phone number. When a sign-in comes from a device the account has not seen before, a one-time code is sent to that phone by SMS (a code-generating app is also offered) and must be entered before access is granted. Users can also choose to be alerted by email when a new device signs in, although an alert on its own only tells you about a login after the fact; it is the code requirement that stops someone who has the correct login name and password but not the phone.
This is a vital security measure to keep accounts secure and it has been adopted by a number of websites and social media platforms, although it appears to have taken a major data breach for Twitter security to have been improved with this fundamental security protection.
Social media accounts contain a considerable amount of data about the user. Should a criminal be able to gain access to an account, they would be able to gather a considerable amount of personal information that could be used to conduct a highly effective spear phishing campaign.
Two recent high-profile cyberattacks involved compromised Twitter accounts. They affected the UK’s Guardian newspaper and the American Associated Press. Hackers gained access to the accounts and released links to fake news items. Since the messages came from a trusted source, and contained click-bait links, the fake websites received hundreds of thousands of visitors.
The fake items claimed there had been explosions at the White House – a potential terrorist attack – and carried a false story about President Obama. Unsurprisingly, stock prices fell sharply when the hoax spread, recovering only once the hack was revealed.
Oftentimes, the hacking of a company’s social media accounts causes permanent damage to the brand image. The compromising of a social media account could even allow hackers to launch further attacks, especially if passwords are shared across multiple platforms.
Two-Factor Authentication – An Essential Security Control
If you want to improve the security of your website or online services, setting up two-factor authentication is one of the best protections to implement.
Login names are easily obtained by cybercriminals, and passwords can all too easily be guessed. Many people still use “password” for example, or their date of birth. 1234567890 is also a surprisingly common password and one that is very easily guessed.
Enforcing secure passwords is essential. Rules that force capital letters, numbers and special characters are common, but requiring a minimum length and screening new passwords against lists of common and previously breached passwords does more to defeat guessing than composition rules, which users tend to satisfy in predictable ways (“Password1!”). Then add a second step that needs to be completed. Make sure the user registers an email address or a mobile phone number, and verify these by sending an email or SMS text.
Whenever an access attempt occurs using a different device to that used during the registration process, a code should be sent via email or SMS. If that code cannot be provided by the user, access to the account should be denied.
This will ensure that even if a password is obtained by a cybercriminal, access to the account will not be possible unless the person has also managed to gain access to the email account used to register, or has the victim’s mobile phone.
Twitter has suffered two major security breaches that have exposed the login credentials of hundreds of thousands of its users. In response to the incident, a number of additional security controls have been considered. The best solution was deemed to be the addition of a two-step authentication process.
This will not guarantee that another data breach is prevented, but it makes a stolen or guessed password far less useful on its own, and so raises the cost of attacking Twitter accounts. Many cybercriminals will simply move on: there will be much easier targets they can attack.
Two-step authentication is an important security control. In order to create an account, a user must sign up and create a login name and a password. The second step in the process, which will shortly be added to Twitter, is the requirement to have a code sent to an email address, mobile phone or the Twitter app.
The additional control will log the user’s device. If another device is used to login, another code will be sent to the app, phone or email account used to register. If the code is not entered, access to the account will not be permitted.
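The device-aware second step described above (under “Two-Factor Authentication – An Essential Security Control” and again for Twitter’s two-step login) can be put into code as follows. This is an added example, not code from the original article or from Twitter or Google. It verifies an RFC 6238 time-based one-time code, the kind an authenticator app produces, rather than sending a code by email or SMS, so that it runs offline; the device-binding logic is the same however the code is delivered. The `Account` class, `new_account`, `login` and the `device_id` parameter are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


@dataclass
class Account:  # assumed account record for the example
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    known_devices: set = field(default_factory=set)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked database does not yield passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_account(password: str, totp_secret: Optional[bytes] = None) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash_password(password, salt), totp_secret or os.urandom(20))


def login(account: Account, password: str, device_id: str,
          code: Optional[str] = None, now: Optional[float] = None, window: int = 1) -> str:
    """Return 'bad_password', 'code_required', 'bad_code' or 'ok'.

    device_id stands in for a server-issued device cookie; a device only becomes
    'known' after it has completed the second step once.
    """
    now = time.time() if now is None else now
    if not hmac.compare_digest(_hash_password(password, account.salt), account.password_hash):
        return "bad_password"
    if device_id in account.known_devices:
        return "ok"
    if code is None:
        return "code_required"
    current_step = int(now) // 30
    # Accept neighbouring steps to tolerate a little clock drift; compare in constant time.
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(account.totp_secret, current_step + drift), code):
            account.known_devices.add(device_id)
            return "ok"
    return "bad_code"


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret and a pretend new laptop.
    secret = b"12345678901234567890"
    acct = new_account("correct horse battery staple", secret)
    print(login(acct, "correct horse battery staple", "laptop", now=59))  # code_required
    print(login(acct, "correct horse battery staple", "laptop", totp(secret, 59), now=59))  # ok
```

In production the attempt counter for `bad_code` must be rate-limited (a six-digit code is guessable otherwise), and codes delivered over SMS are weaker than app or hardware-generated ones because a phone number can be hijacked by SIM swapping.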
Wired.com has recently reported that Twitter is in the process of testing the new security measure before making it live. Once testing has been completed it will be rolled out to all accounts. This will not come a moment too soon. Cybercriminals are targeting social media networks, and if security measures are inadequate, data breaches will be suffered.
Social Media Networks are an Attractive Target for Cybercriminals
The networks are a big target for hackers and cybercriminals. The data stored in user accounts can be considerable. The data can be used to conduct highly effective spear phishing campaigns. With detailed information about each user, those campaigns can be very convincing.
Criminals can use stolen data to craft emails that the user is likely to respond to. They can find out who their contacts are, and make an email appear that it has been sent by a friend. That makes it far more likely that the target will click a phishing link or open an infected attachment.
Not only that, passwords are often shared across websites. Many people use the same password for Twitter as they do for their online banking and for work. One single password could potentially give a criminal access to much more than a social media account.
Phishing emails are being sent with increasing regularity
In the first half of 2012, phishing attacks are estimated to have increased by 19%. Many criminals still use email as the vector of choice, but many are now targeting social media networks. Criminals are finding it is easier to use Facebook and Twitter to get users to click on links to phishing websites. People even unwittingly share phishing links with their friends, helping the attacker infect more machines and steal more passwords.
Phishers are targeting individuals, but many are after a much bigger prize. If a user’s work computer is compromised, it can allow access to be gained to a corporate network. In fact, businesses are now being increasingly targeted using phishing campaigns.
These campaigns are far more sophisticated than in years gone by. The emails and social media posts are much harder to identify, and many employees are convinced to (unwittingly) download malware and viruses.
Unfortunately, many businesses are still not addressing the risk and have failed to implement adequate security controls. Some employees have not even been trained how to identify a phishing email!
Unless greater investment goes on improving security protections, and further training is provided to the staff, it will only be a matter of time before a network is compromised, customer data is stolen, and corporate secrets sold to the highest bidder.
Terrorist attacks are occurring with increasing regularity around the world, but it is still rare for one to happen on American soil. However, on Monday an attack took place at the Boston Marathon. The tragedy claimed the lives of three people.
It is at times like this that vigilance must be increased. Criminals often use events such as this to infect computers with malware. Big news events are often used to lure victims into clicking on links to websites infected with malware or convince them to open malware-infected email attachments. The Boston bombing is no exception. Criminals have seized the opportunity already and have started sending emails about the tragedy which contain links to infected sites.
SpamTitan is alerted when spam and phishing emails are captured. The quarantine reports are collected and analyzed, and some of the recent crop of captured messages contain titles such as “Explosion at Boston Marathon” and “Boston Explosion Caught on Video.” When news breaks, people want to find out what has happened, and images and videos of the event are sought online. Videos of the Boston bombing are being searched for on Google and social media, and emails including links to videos are likely to be clicked.
Anyone clicking one of the links in the emails will be directed to YouTube where a range of videos are listed. No harm is immediately caused.
However, after about 60 seconds the visitor is prompted to download a file called “boston.avi____exe”, an executable dressed up as a video by a disguised double extension. If the file is run, it installs malware which connects to servers in three locations: Argentina, Taiwan and Ukraine. Data from the infected machine is then sent to those servers. SpamTitan prevents the email from being delivered in the first place, using a variety of methods, thus protecting the user. Users without such filtering may not even be aware that their computers have been compromised.
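The lure file above works because a name such as “boston.avi____exe” reads as a video at a glance while Windows treats it as an executable. The following attachment-name check, added here as an example and not part of the original article or of any SpamTitan product, shows how a mail gateway or endpoint agent can catch that trick and its relatives (plain double extensions, filler runs that push the real extension out of view, the right-to-left override character, and macro-enabled Office files). The extension lists and the `attachment_verdict` / `scan_attachments` names are assumptions for the example, and the sample filenames are constructed.

```python
import re
import unicodedata

# Constructed lists, not exhaustive: extensions Windows runs directly, Office
# formats that can carry macros, and formats attackers like to impersonate.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
                   "wsf", "hta", "msi", "jar", "cpl", "lnk", "ps1"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xlam"}
BENIGN_LOOKING = {"avi", "mp4", "mov", "wmv", "jpg", "jpeg", "png", "gif",
                  "pdf", "doc", "docx", "xls", "xlsx", "txt"}
RTLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE, used to reverse the visible extension


def attachment_verdict(filename):
    """Return (verdict, reason) where verdict is 'block', 'quarantine' or 'allow'."""
    name = unicodedata.normalize("NFKC", filename)
    if RTLO in name:
        return "block", "right-to-left override character reverses the visible extension"
    # Treat dots, spaces and underscores alike: 'boston.avi____exe' is really
    # 'boston.avi.exe' with filler pushing the true extension out of view.
    tokens = [t for t in re.split(r"[.\s_]+", name.strip().lower()) if t]
    if not tokens:
        return "block", "empty filename"
    last = tokens[-1]
    if last in EXECUTABLE_EXTS:
        if len(tokens) >= 3 and tokens[-2] in BENIGN_LOOKING:
            return "block", "executable disguised as .%s (double extension)" % tokens[-2]
        return "block", ".%s is executable" % last
    if last in MACRO_EXTS:
        return "quarantine", "macro-enabled Office document"
    if re.search(r"[ _]{3,}", name):
        return "quarantine", "long filler run hides the end of the filename"
    return "allow", ""


def scan_attachments(filenames):
    """Group a message's attachment names by verdict; the gateway acts on the worst one."""
    result = {"block": [], "quarantine": [], "allow": []}
    for fn in filenames:
        verdict, _reason = attachment_verdict(fn)
        result[verdict].append(fn)
    return result


if __name__ == "__main__":
    # Constructed sample: the lure from the article plus a few benign and borderline names.
    for fn in ["boston.avi____exe", "Boston Explosion Caught on Video.mp4",
               "invoice.pdf.exe", "photo\u202egpj.exe", "budget.xlsm", "notes_exe.txt"]:
        print(repr(fn), "->", attachment_verdict(fn))
```

The name check is one layer only: a gateway should also inspect the file's magic bytes (an MZ header inside a “.avi”), since extension tricks are cheap to vary and this check deliberately errs towards quarantining odd-looking names.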
Be wary about emails containing news alerts
Cybercriminals often use news events to spread malware and gain access to computers and servers. Each major news story, whether it is a terrorist attack, election result, natural disaster or celebrity wedding, will see numerous phishing and spam campaigns launched. Many of these campaigns see emails sent out randomly, often in the millions.
Any company that does not have a spam filtering solution in place is likely to see many of these emails delivered, and all it takes is for one end user to click on a link and download a file for a network to be compromised. It is not only malware that is a problem.
There have been a number of new websites registered in the past two days related to the Boston bombing. New domains have been purchased by individuals looking to capitalize on the attack. Some have been bought and are currently just parked. Some individuals have purchased the domains to prevent them from being used by scammers. Others have been activated and are seeking donations to help the families of the victims. Of course, any donation made through one of the fraudulent sites goes straight into the criminal’s pocket.
In addition to installing a spam filter to catch email spam, and employing a web filter to block links to malicious websites, be sure to adopt the following best practices and make sure that staff members do the same:
Don’t become another victim of a scam!
- Check the email address of the person sending the email even if it appears to be from someone you know
- Never click on a link in an email unless you are sure that link is genuine
- Do not open attachments contained in emails from strangers
- Be wary about opening attachments sent from friends. Their account may have been compromised or they may not realize they are sending an infected file
- Never open executable files. The obvious ones end in .exe, but .scr, .com, .bat, .js and .vbs files also run code, and attackers hide the real extension behind a harmless-looking one (video.avi.exe) or a run of filler characters
- Never respond to an email request for money. If you want to donate, do so via a trusted, registered charity. Always visit the website via the search engines, not the link contained in the email
- Make sure a charity is registered before making a donation
- Be wary of any email sent to you containing information about a news event – who is sending it? How did they get your email address?
- Do not forward or share suspicious emails or links
What is a hacker?
Hackers are commonly referred to in print media and Internet reports, and are often viewed as either criminal masterminds intent on wreaking havoc and causing chaos, or bored (but highly skilled) teenagers with nothing better to do with their time.
However, a hacker is simply an individual who understands software well enough to find and exploit security weaknesses in computer systems. Search the internet for HTML injection and you will find a great many websites explaining how to use the technique against websites. Follow the instructions and you would, technically, be a hacker. Just not a very good one.
Not all hackers are bad, not all lack a conscience, and many are not motivated by money. Some are highly talented individuals who want recognition for their computer skills or just want to protest about something. Hackers have been known to break in purely to prove a point, for instance that a company whose board members take huge amounts of cash out of the business is jeopardizing the privacy of its customers and leaving them exposed to identity theft.
Some companies even employ hackers to test their systems. These “ethical hackers” or “white hat hackers” perform an extremely valuable job. It is far better to have an employee or contractor attempt to hack a computer network to find vulnerabilities so they can be fixed, rather than have a malicious outsider break in and steal data. Facebook has hired programmers for this purpose, and runs an annual hackathon.
The rise of the everyday hacker
Veracode, a leading company in the field of application security testing, produces an annual security report that assesses the state of software security. The company’s researchers investigate security trends and make predictions about how vulnerabilities could potentially be exploited.
In this year’s State of Software Security Report the company has predicted there will be a rise in the number of “everyday hackers” over the next few years. These “have-a-go hackers” will not be highly skilled computer geniuses. They will be normal people who decide to have a go at hacking. As previously mentioned, there is a lot of information on the internet, and many techniques do not require a great deal of computer skill to pull off.
A Google search for “SQL injection” returns 1.74 million results. Not all of those pages give step-by-step instructions, but some do. Currently, according to the Veracode report, 32% of web applications contain flaws that could be exploited by SQL injection. These flaws are not hard to identify and are easy to fix, typically by replacing queries built from strings with parameterized ones, yet many companies do not even test for them.
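To show concretely why these flaws are both easy to exploit and easy to fix, here is an added example (not code from the Veracode report or from the original article) in Python against an in-memory SQLite database. The `users` table, its two rows and the fake password hashes are constructed for the example; the vulnerable lookup pastes the username into the SQL text, the safe one binds it as a parameter.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users with obviously fake password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "fakehash-a1", "admin"), ("bob", "fakehash-b2", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # The classic flaw: attacker-controlled text becomes part of the SQL statement.
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Bound parameter: the driver passes the value separately from the statement,
    # so quotes and keywords inside it are data, never SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two textbook payloads: a tautology that matches every row, and a UNION that
# pulls a column (the password hashes) the query was never meant to expose.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT username, password_hash FROM users --"


def stacked_query_blocked(conn):
    """Python's sqlite3 refuses a second statement in one execute() call; many
    other drivers and databases do not, so never rely on this."""
    try:
        find_user_vulnerable(conn, "'; DROP TABLE users; --")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    # If the driver silently ran only the first statement, the table still exists.
    return conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'users'"
    ).fetchone()[0] == 1


if __name__ == "__main__":
    db = make_db()
    print("legit lookup:", find_user_safe(db, "alice"))
    print("tautology, vulnerable:", find_user_vulnerable(db, TAUTOLOGY))
    print("tautology, safe:", find_user_safe(db, TAUTOLOGY))
    print("union dump, vulnerable:", find_user_vulnerable(db, UNION_DUMP))
```

The fix is the same in every language and database: keep the SQL text constant and pass values as parameters; escaping quotes by hand is fragile (it does nothing for numeric contexts, for example), and a blocklist of keywords is trivially bypassed.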
Hacking is increasing and data breaches are occurring much more frequently
More than half of data breaches are caused by hackers breaking into systems to steal data (or stealing data once they have broken into a system for other reasons). In 2011 and 2012, Veracode calculated that 52% of data breaches came as a result of web intrusions.
Interestingly, application security tooling is now more widely deployed, and a typical application contains fewer holes than it once did. The problem is that more people are now looking for the holes that remain.
Veracode found that insecure software was the largest root cause of data loss. Its researchers discovered that 70% of software used by organizations does not even comply with enterprise data security policies.
Unless organizations take a more proactive approach and address these vulnerabilities as a priority, hackers will exploit the security holes and sabotage systems, hold companies to ransom, and steal data. To prevent data breaches, action must be taken and taken fast.
Many people are willing to use the Internet to commit fraud. Identity thieves try to get website surfers to reveal their personal information, hackers break through defenses to steal credit card numbers and bank account information, and scammers head online in the tens of thousands. Saboteurs spread viruses and criminal gangs are using spear phishing campaigns to get the information they need to empty corporate bank accounts. The Internet can be a very dangerous place indeed.
There were more than 1 million victims of online identity fraud in 2012
A recent study conducted by market research firm Javelin Strategy & Research indicates that there were more than 1 million more victims of identity fraud in 2012 than in the previous year. An incredible 12.6 million people were affected in the United States alone, roughly one in twenty adults. In fact, a new victim of identity fraud is created every three seconds.
Cybercrime is extremely profitable. In 2012 alone, more than $21 billion was lost to cybercrime.
People are engaging in high risk activities online
One of the main reasons why we have experienced such a dramatic upturn in cases of identity fraud is a lack of security awareness. When connecting to the Internet, many individuals fail to realize they are entering a potentially dangerous place. Because of ignorance of the risks, many people fail to take precautions and do not protect themselves.
Would you walk down a street in New York City waving a big bundle of cash in front of you? Would you leave your credit card in a phone booth? Of course not. Yet people do equally risky things online. They provide their bank account details to criminals and enter their credit card details into online forms without checking whether the website is legitimate. They even store all of their intimate information on their laptops, Smartphones and tablets, and then leave those devices in cafes, unlocked automobiles, on trains and on buses.
These things can and do happen, but when it comes to online fraud, the biggest threat to security comes from social media websites.
Social media websites carry a major risk of identity fraud
Most of us have done it. Uploaded a photo to Facebook, posted intimate details of our personal lives, accepted a request from a “friend” we barely know. Some people post virtually every aspect of their lives online: what they had for breakfast or cooked for dinner, where they have been, who they bank with, etc. All of this information is incredibly valuable. Just ask Facebook. The company doesn’t charge users for having an account; it makes money by selling advertisers targeted access to you based on that data. Advertisers are not the only people interested in finding out about you. Identity thieves also want your information.
It is easy to get a name from a social media account, also an address. Your birth date is not hard to obtain. What other information have you posted online since you joined Facebook and Twitter?
If someone had access to your accounts, do you think you would be an easy or hard target for an identity thief? How about the complexity of your password? Is that shared across websites? Is it easy to guess if someone knows the name of your pet? Or your child’s date of birth?
The fact is that most people are easy targets and engage in risky behavior. Even celebrities are major targets for hackers and thieves and have had their accounts hijacked. There is a lot of information in cyberspace about you that can easily be obtained by a hacker or criminal with a little time and a modicum of skill.
Fortunately, it doesn’t take much effort to protect yourself. All you need to do is adopt some basic “best practices” when using social media websites and while surfing the net.
Best practice tips to avoid becoming a victim of identity fraud
With a new case of identity fraud happening every three seconds it is vital that you take steps to protect your identity. Otherwise it will only be a matter of time before you become a victim. Possibly only 3 seconds!
Don’t reveal your private and confidential information on Facebook or Twitter
Think before posting. Does the information in your post reveal a little too much about you? Do you trust ALL of your Facebook friends? Do you even know the people who follow you on Twitter? Is your post appropriate for everyone on your friend list? Ask yourself these questions and make sure you use your restricted lists carefully and regularly check your Facebook privacy settings.
Have you made yourself an easy target?
Have you locked all of your devices with a password? Do you store passwords and login information on your computer? Are those files protected with a password? Do you ever access PayPal or your bank accounts via an insecure network? Do you always check that a website starts with https:// (not http://) before entering sensitive information? Remember that https only means the connection is encrypted to whoever runs the site; a phishing site can have a padlock too, so check the domain name as well. The Internet can be a dangerous place!
A Play Store mobile app is not necessarily safe
When you download an app to your mobile phone, do you read the list of data that you are giving that app access to? Do you trust the manufacturer of that app to keep your data secure? It is a pain reading all of the small print, but make sure you know what data you are potentially providing.
Your Smartphone is an encyclopedia of information
Be careful about the data you share online via your smartphone, and for heaven’s sake don’t leave it anywhere it can be stolen. In case of theft, you may compromise your entire email account, your WhatsApp conversations, access to your bank account and much more. Make sure you use a strong passcode, activate the screen lock, don’t automatically connect to Wi-Fi networks, and never leave Bluetooth on when it is not necessary.
Mobile phones are insecure
Be exceptionally careful about divulging any information via a mobile phone. That means text messages and phone calls, not only apps and Internet sites. Before disclosing information ask yourself why does the person or company need it? Who are they? How will your data be used? Are you volunteering data? If so, why?
How quickly would you know that you had become a victim of online fraud?
Do you check your bank account frequently? How about PayPal? Your credit card balance? How long would thieves have before you realized you had become a victim? It is not only financial information that can be used to commit fraud. Do you check your health insurance Explanation of Benefits (EoB) statements for signs of fraudulent insurance claims? Do you obtain your free annual credit reports from Experian, Equifax and TransUnion?
It is easy to become a victim of online fraud but many people do not regularly check to find out if they have become a victim.
You have become a victim of online fraud! What do you do?
A quick response can limit the damage caused. Act fast.
- Call your bank and credit card providers to freeze or close the affected accounts, and place a credit freeze (or at least a fraud alert) with the credit bureaus
- Change all of your passwords
- Report social media account hacking to the provider of the service
- Obtain credit reports to find out how badly you have been affected
Report all cases of online fraud to the relevant government and law enforcement agencies.
Bring Your Own Device (BYOD) is increasing in popularity. Employers love it: They can leverage the power of Smartphones, tablets and laptops, without having to pay the huge cost of supplying the devices to all staff members. BYOD can lead to a major increase in productivity, improve efficiency, and the devices facilitate better collaboration. They make communication so much easier.
That said, they do raise a number of security concerns, so much so that many security experts believe the acronym should stand for “Bring Your Own Doom”, or “Breach Your Own Data.” By running such a scheme are you just introducing unnecessary data security risks? Would it be better to bite the bullet and supply mobile devices to exercise greater control?
Employees are not necessarily careful with corporate data stored on their devices
Employees engage in risky online behavior. They fail to implement even basic security controls on their own devices and are prone to losing them. If the devices are used to store corporate data, this is a major security risk.
Even with the risks posed by allowing the devices to be used at work, a Fortinet survey recently revealed 74% of organizations in the United States have adopted BYOD.
The survey was conducted on 3,800 employees, half of whom believed bringing their own devices to work was a basic human right. In actual fact it is a privilege. The figures would be surprising were it not for the fact that all of the respondents were in their twenties, many of whom had only just started their first job.
Young adults, often referred to as Generation Y, are tech-savvy and have grown up in an environment with a myriad of electronic devices at their disposal. They are heavily reliant on this technology. This is good news as it means they are able to use a wide range of devices competently; they know their way around a computer and are easy to train. On the downside they are perhaps too reliant on their mobile devices and use them too much to communicate. Take those devices away and they are at a loss.
Employers have realized that this technical expertise can be leveraged to improve efficiency in the workplace. They are also the CEOs, CISOs and senior executives of the future, and they tend to have a better grasp of how technology can be used in the workplace than many current industry heads. Their knowledge of technology can be used to increase profits, connect with customers, and tap into new, lucrative markets.
It is no surprise that even with the considerable security risks, Generation Y is encouraged to use mobile electronic devices at work. There are, after all, great benefits to be had. Companies that do not allow use of the devices could well find themselves falling behind their competitors.
What is the real cost of BYOD?
Improved efficiency and productivity does come at a cost. BYOD has a major drawback. It can make it far easier for hackers and malicious outsiders (and insiders) to gain access to corporate data. This is a major problem, especially for smaller organizations that lack the big budgets of the likes of Sony, Microsoft, IBM and Facebook. They cannot devote as much money to improving cybersecurity defenses.
Large companies may be targets for cybercriminals and hacktivists, but smaller businesses are now being targeted with increasing regularity. The data they store may not be worth as much, but it is far easier to gain access to. Small to medium-sized businesses are fast becoming the primary targets for many online criminals.
How robust are your BYOD Internet and email security controls?
Interestingly, the Fortinet study revealed that 66% of respondents thought it was their own responsibility to keep their devices secure. Only 22% believed device security was the responsibility of their employer. While it is good news that BYOD participants believe they should take care of their mobiles and ensure they are kept secure, this does not let organizations off the hook. If the devices are not properly controlled and managed, they could all too easily lead to a data breach.
One problem highlighted by the research is that Generation Y is happy to break the rules. Policies can be put in place, but it does not mean they will be followed 100% of the time. One of the most effective ways of managing BYOD is to focus on BYOD participants rather than the devices that are used to connect to corporate networks. A user-centric approach has been shown to work very well. If the user is effectively managed, they are empowered to keep their devices secure.
That said, security controls must be implemented by an organization. Policies must be developed covering data security, and users must be reminded of the risks posed by the devices.
It will probably come as no surprise to discover the use of personal devices at work carries significant network security risks. Chances are your company may even have a BYOD policy in place that permits the use of personal devices in the workplace.
In an effort to quantify the level of risk posed by the use of these devices, a survey was conducted by Virgin Business Media. Respondents were asked questions about BYOD and the potential pitfalls. Network security was one of the main worries, and alarmingly, 51% of respondents revealed they had already suffered a security breach as a result of personal devices being used to access corporate networks.
The number of devices connecting to the network has an impact on the level of risk faced. The more devices that are allowed to connect, the greater the risk of one of those devices being used by a hacker to launch an attack on the network. Small to medium sized businesses tended to suffer fewer breaches as a result; the survey suggests 25% fewer.
These figures should not be taken to mean that small businesses are unlikely to suffer a cyberattack or experience a security breach. The risk from mobile devices will be reduced, but cybercriminals are now attacking small businesses with increasing regularity. Small to medium sized businesses may not store such large volumes of data, and they may not be as valuable to criminals, but the security defenses used to protect networks are much easier to circumvent. SMEs also tend not to employ as highly skilled IT security staff as the likes of IBM, Facebook and Google.
Take a Proactive Approach to Internet and Email Security
Many small to medium sized enterprises only implement robust security controls after they have suffered a major security breach. Many CEOs believe that they will not be targeted by criminals and do not require particularly sophisticated defenses. Unfortunately, many attacks are random, so SMEs actually face the same threats as larger corporations. They may not be targeted by teams of foreign government-backed hackers, but they are at risk of attack by other hackers and Internet criminals.
The FBI and National White Collar Crime Center formed the Internet Crime Complaint Center (IC3) as a single point of contact for victims of internet crime. IC3 receives reports from businesses and individuals who have become victims of online criminals. In 2011, IC3 received over 400,000 separate complaints from small to medium sized companies that had become victims of online criminal activity. The threat of attack is actually very real.
Given the high risk and the increase in internet crime, business owners need to face the facts. It is no good burying your head in the sand and hoping that it will never happen. It is time to implement security defenses to ensure that it doesn’t.
You may not want to introduce BYOD and have to deal with the risks, but if you do want to leverage the benefits of personal mobile devices and want to enjoy the increase in efficiency and productivity that BYOD promises, you will have to make sure appropriate security measures are installed. Otherwise you could be making your network a lot easier to breach.
Unfortunately, IT security professionals have to deal with business managers. This is a problem that will never go away, but there is some good news. They may still be intent on slashing budgets and increasing the productivity of the workforce, but they are less keen on slashing IT department budgets. Many are now suggesting increases in operational budgets to deal with the increased risk of attack.
We are also finally seeing CEOs making the decision to implement good security measures to protect against malicious insiders and hackers. The days of having “good enough” security measures may finally be coming to an end. Attitudes on cybersecurity are changing at last, in no small part due to the cost of not doing so being hammered home. Highly publicized cyberattacks have helped in this regard. So have reports of stock prices tumbling after security breaches are suffered.
It is not only lone hackers that are attempting to break through firewalls and cybersecurity defenses. Groups of incredibly talented hackers are being recruited by nation states and are being put to work on highly sophisticated hacks on U.S. enterprises. With the backing of nation states, the threat level increases considerably. Robust defenses must be implemented to repel the attacks. Any organization that implements minimal cybersecurity defenses may as well place an advertisement in the Washington Post inviting hackers to attack.
Cybersecurity attacks have been receiving a lot more press, in no small part due to the huge volume of data that hackers have been able to obtain. Corporate secrets, company accounts, information on personnel, customer data, medical records, Social Security numbers, and much more have all been obtained. This information is subsequently sold to the highest bidder or, in some cases, simply posted online for all to see.
The potential damage caused can be catastrophic. Many small to medium sized businesses would not be able to survive such an attack, and even enterprise organizations feel the effect. The threat from these attacks has seen a much needed change in attitudes of the upper management and, while IT departments are not yet given all the money they need, the situation is certainly improving.
A recent survey conducted by ESG research suggests information security situational awareness and strategy is something that business leaders are getting much more involved with, according to 29% of respondents. This is a major improvement year on year. Furthermore, 40% of respondents said that over the past year, the executive management has become “somewhat more engaged” with these matters.
As more mega data breaches are reported in the news, and the true cost of resolving security incidents is calculated, we can expect engagement to increase more. Bigger IT security budgets should also be allocated to improve protection.
It is now possible to search the internet more securely and also avoid objectionable content without having to install a web filtering solution or parental controls. Google has added greater protection to its search engine to filter out undesirable webpages. Users of Google.com will no longer have the option of choosing a moderate level of content. The choice is now a yes or no. They can “filter explicit content” or not, and account holders can also lock the setting in place.
This will undoubtedly please many parents, who will be able to easily add a filter to prevent their children from being shown content of an adult nature, but not everyone is happy. The news broke via Reddit and many internet users have reacted angrily over the censorship that is now placed on searches by Google SafeSearch.
Google SafeSearch is not sufficient protection for businesses, schools and colleges
The major search engines are well aware that there are a lot of websites containing adult or otherwise explicit content on the Internet and most now offer an option to filter search results to prevent certain sites from being displayed. When set to their various safe modes, they will limit the search results for general search terms. This is fine for home use but it is not sufficient protection for schools, colleges and business use.
The function can be used of course, but it will need to be set on each individual computer or browser, and the controls are easy to navigate around. They will only prevent content from inadvertently being displayed in the search results. If a student or member of staff wants to access explicit content, it is easy to bypass the controls or turn them off.
Oftentimes these filters are overactive and prevent some legitimate websites from being displayed. It may not be possible for students or teachers to view classic literature or works of art. Some will be deemed to be sexually explicit. The answer in this case is not to use the search engine functions to filter content, but to employ a powerful web filtering solution such as WebTitan.
WebTitan allows a system administrator to fine tune the web filter to ensure that adult and other objectionable content cannot be viewed on a school, college or business network. There is no bypassing the controls. The sites will not be viewable. The filter is highly flexible and can be fine-tuned with ease to suit an organization’s needs. System administrators will also be able to see who is attempting access to certain websites that are not permitted under Internet usage policies.
This will not only protect students and employees from viewing content that is inappropriate; it will also help employers avoid legal action.
It is not just an individual that faces legal action from inappropriate online activity
If an employee accesses illegal content, that individual is likely to face criminal charges. However, an employer who does not take steps to prevent the content from being viewed could face legal action. Criminal charges may not be filed, but it is possible claims for damages will be filed.
A court case in New Jersey has highlighted the risk. In the case of Doe v. XYC Corp., a company was sued for damages after an innocent third party discovered child pornography images on a work computer. An employee of the company had downloaded them and was dealt with accordingly, but a legal case was filed against the employer nonetheless.
The employer may not always be found to be liable, but it is possible that legal claims will be filed. The negative publicity from such a case can be particularly damaging for a company. Questions will be asked about why efforts were not made to prevent that sort of content from being viewable in the workplace.
If you want to play it safe and have total control over what your employees/students can access via a work or college computer, a web filtering solution should be employed. You should not rely on the search engines to filter out explicit content.
The festive period is almost upon us and, aside from having to deal with the wave of Christmas and New Year cybersecurity threats, it is a time to relax, reflect on the major security events of the year, and plan for 2013.
Lessons have been learned in 2012 and it is up to IT security professionals to ensure that the same mistakes are not made next year. 2013 is likely to see a wave of attacks, a great deal more threats, and many companies’ security defenses breached. Prepare adequately and your company is likely to avoid becoming another security breach statistic.
Online Security Threats from 2012
2012 was an exciting year, certainly as far as data mobility was concerned. Many companies have enjoyed the benefits that come from being able to access data from any location; on any device. Unfortunately, so have cybercriminals.
Widespread adoption of Bring Your Own Device (BYOD) schemes has made workforces much more productive, efficient, and happy. Unfortunately, mobile devices are being attacked with increasing regularity. Personal smartphones, laptops, and tablets may represent the future of business, but they often lack the necessary security controls to ensure corporate networks remain protected. Cloud computing has also been adopted by many organizations, but not all have made sure their cloud applications are appropriately secured.
There has been an explosion in the number of social media websites. Use of the sites is more popular than ever before, and so are the threats from using the sites. As user numbers have increased, so have the types of malware being developed to exploit users of Facebook, Twitter, Pinterest and the myriad of other sites that have enjoyed an increase in popularity.
Up and coming platforms are being targeted as user numbers increase and established platforms such as Facebook and Twitter are honeypots for cybercriminals. Social media channels and mobile devices are likely to remain problematic for IT professionals charged with keeping their corporate networks secure. Unfortunately, IT security professionals have little control over personal devices, and it is very difficult to stop end users from using their social media accounts at work.
As cybercriminals start using new attack vectors with increasing regularity, security professionals must be alert to the new risks. Listed below are our security threat predictions for 2013: some of the trends that are likely to develop further over the course of the coming year.
Security Threat Predictions for 2013
SQL Injection attacks will continue to increase
There was a rise in the number of successful cyberattacks last year, many of which involved SQL injection – the use of Structured Query Language to gain access to corporate databases. Hackers were able to use this technique to hack into web servers and obtain user names and passwords from corporate databases.
Small to medium size companies are particularly vulnerable as they often do not have the resources available to address all vulnerabilities that can be exploited by SQL injection. However, even very large companies are at risk. In 2012, Wurm Online, a hugely popular online multi-player game, was hacked using SQL injection resulting in the site being taken offline. Yahoo Voices was also hacked using this technique and over 450,000 user logins were obtained by hackers. This attack was caused by “union-based SQL injection”. These attacks were made possible as basic web server mistakes had been made by the companies in question. Both attacks were avoidable.
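The "basic web server mistake" behind union-based SQL injection is building the query text out of user input, so the input can change the query's structure. The following is an added example, not code from the article or from the sites it names: a constructed SQLite table, a lookup written the vulnerable way beside the parameterized fix, and a constructed probe input of the union-based shape, so a developer can test that their own query code treats such input as a plain literal.

```python
"""Vulnerable string-built SQL query beside its parameterized fix.

Added example: the users table, its rows, the lookup functions and the probe
input are all constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "hash-of-alice"), (2, "bob", "hash-of-bob")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Build the SQL by string concatenation (the defect).

    The input becomes part of the query text, so a single quote inside it
    ends the string literal and whatever follows is parsed as SQL.
    """
    sql = (
        "SELECT id, username, pw_hash FROM users WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query (the fix).

    The SQL text is fixed and the value is bound separately by the driver,
    so the input can only ever be compared as a literal string.
    """
    sql = "SELECT id, username, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed probe of the union-based shape named in the text: it closes the
# string literal and appends a second SELECT over the same table.
PROBE = "nobody' UNION SELECT id, username, pw_hash FROM users WHERE '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, PROBE))  # every row comes back
    print("safe:      ", find_user_safe(db, PROBE))        # no such username: []
```

The same probe returns every row through the concatenated query and nothing through the parameterized one; the fix is to bind values, never to filter quotes out of the input.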
Ransomware attacks will increase
The past 12 months have seen a rise in cyberattacks using ransomware. Users are fooled into installing malware on computers and networks which subsequently encrypts all company data. Company operations have ground to a halt, with no data accessible without a security key. Those keys will only be provided by the criminals if a ransom is paid. Companies have found they have no choice but to pay the criminals to decrypt their data. In 2012, a number of hacked GoDaddy websites were discovered to be infecting users with ransomware.
Defenses against this type of malware must be improved. Install spam and web filters to prevent users from installing this malware, and ensure that all data is backed up and policies are developed to recover backed up files. A data breach response plan should be developed to ensure business-critical data is restored promptly.
Increase in amateur cybercriminals using attack toolkits
As we saw this year, you do not need to be a hacking genius to pull off a successful cyberattack. It is possible to rent an attack toolkit with a host of premium features that make it easy to use by virtually anyone. The Blackhole exploit kit is a good example.
Investment in these kits has helped improve their usability and many now include APIs, scriptable web services, reporting interfaces, and even mechanisms to protect the users of the toolkits. By improving the quality of the kits, talented computer programmers have been able to increase the number of individuals able to launch attacks on corporations. There is no shortage of takers, and the investment spent has been well rewarded. Expect more individuals to use these kits and the volume of email malware to increase.
Less damage from security vulnerability exploits
Security vulnerabilities are being discovered with increasing regularity and this is enabling security holes to be plugged before they can be exploited. Protection against exploits is also improving and the next 12 months are likely to see even more advancements in this area. A number of protections have already been developed and implemented to prevent attacks of this nature, such as address space layout randomization (ASLR), sandboxing, data execution prevention (DEP) and trusted boot mechanisms. It is expected to become harder for hackers to exploit security vulnerabilities, although the risk of attack will certainly not be eradicated.
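Two of the mitigations listed above only protect a program that opts into them: DEP needs the stack marked non-executable, and ASLR can only randomize the executable's own image if it was built position-independent. The checker below is an added example, not from the article: it reads just the ELF64 header and program headers to report both flags, and the binaries it inspects are constructed byte strings rather than real programs. On a real system the same information comes from `readelf -l`.

```python
"""Report whether an ELF64 binary opts into NX stack (DEP) and PIE (ASLR).

Added example. The ELF images are constructed inline; PIE detection via
ET_DYN is a heuristic because shared libraries are also ET_DYN.
"""
import struct
from typing import Dict, Optional

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551   # program header that carries the stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
EHDR_FMT = "<HHIQQQIHHHHHH"  # ELF64 header after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"       # ELF64 program header


def build_elf64(e_type: int, stack_flags: Optional[int]) -> bytes:
    """Construct a minimal ELF64 little-endian image (constructed sample).

    Only the fields the checker reads are meaningful; a PT_GNU_STACK entry is
    emitted with the given flags, or omitted when stack_flags is None.
    """
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LSB
    header = ident + struct.pack(
        EHDR_FMT,
        e_type, 0x3E, 1, 0x1000,        # e_type, x86-64, e_version, e_entry
        64 if phnum else 0, 0, 0,       # e_phoff, e_shoff, e_flags
        64, 56, phnum, 64, 0, 0,        # sizes and counts
    )
    if stack_flags is None:
        return header
    phdr = struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return header + phdr


def check_mitigations(image: bytes) -> Dict[str, bool]:
    """Return {'pie': ..., 'nx_stack': ...} for an ELF64 little-endian image."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    fields = struct.unpack_from(EHDR_FMT, image, 16)
    e_type, phoff, phentsize, phnum = fields[0], fields[4], fields[8], fields[9]

    # A missing PT_GNU_STACK means the loader may fall back to an executable
    # stack, so "absent" is reported as unprotected.
    nx_stack = False
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from("<II", image, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}


if __name__ == "__main__":
    print("hardened:", check_mitigations(build_elf64(ET_DYN, PF_R | PF_W)))
    print("weak:    ", check_mitigations(build_elf64(ET_EXEC, PF_R | PF_W | PF_X)))
```

To run it against a real file, pass `open(path, "rb").read()` to `check_mitigations`; a 32-bit or big-endian binary is rejected rather than misreported.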
New privacy and security challenges that need to be addressed
The rise in popularity of mobile devices, and the adoption of BYOD by many organizations, has seen data security risk increase substantially. Mobile devices contain numerous security flaws. The devices can be used to track victims with GPS systems and near field communication (NFC) allowing criminals to physically locate their targets. The growth in social media applications for mobile devices is likely to see even more devices compromised. Expect 2013 to see a wave of new attacks on mobile devices and security vulnerabilities in new technologies exploited.
Do you agree with our security threat predictions for 2013?
Small to Midsize Businesses (SMBs) have a lot to gain from joining the social media revolution, and even by allowing employees some personal Facetime at work. There are a number of drawbacks though, and some can be very serious.
Many SMBs are well aware of the potential risks as evidenced by a recent survey conducted by Forrester. Businesses were sent surveys as part of the security study and were asked about social media risk. It was named as one of the biggest security concerns.
If social media accounts are accessed at work, they pose a considerable risk to network security. There is a major risk of suffering a malware infection from social media websites. Accounts can be hijacked and there are issues with staff accessing inappropriate content or posting sensitive information about the company. Data leakage is a concern, and highly regulated industries face greater risks. Healthcare professionals could all too easily violate HIPAA rules.
With all of these serious risks, why would any business permit members of staff to access personal social media accounts at work? Why not just implement a zero tolerance policy, and take action against any employee found to be using social media sites at work? Better still, social media sites could be blocked entirely to prevent all employees from having a sneaky peek at their Facebook accounts!
There are benefits to be gained from allowing social media access in the workplace
Social media access by employees is not all bad news. There are many positive benefits to be gained from allowing staff a little time to access their Facebook, Twitter and LinkedIn accounts at work. Even some YouTube time can be very beneficial. Here are four reasons why a total ban on social media use at work is not necessarily the best option for employers.
A little social media access can improve the productivity of staff!
Employees may be seen to “waste” a little time each day accessing Facebook or other social media websites at work, but the time is not necessarily totally wasted. In fact, some downtime can improve the productivity of employees. How productive would you be if you worked 8 hours straight each day without taking a break? You may be able to do it for a few days each week, but burnout awaits those who try to do too much.
Recent research shows that allowing workers access to their social media accounts can actually increase productivity, and not just a little. A study conducted by the Harvard Business Review showed that productivity increases of 20-25% are possible with a little Facetime allowed each day. Employees can actually get answers to questions much more quickly by using social media and professional networking websites than trawling through websites!
LinkedIn can be used to find new staff members, or encourage the best people to apply for a job. If business accounts are opened and managed, it is much easier to connect with customers, and customer service standards can be improved. The cost of providing those services can also be reduced thanks to social media. The websites are also a great way of communicating with customers and staff.
Social media can give a business a competitive edge
There are reasons why the likes of Google and Facebook give their staff ping pong tables, napping chairs, video games and use bright and bold color schemes in their offices. They improve staff morale, they make employees happier at work and, consequently, staff complain less about having to work incredibly long hours.
OK, we are not saying you should turn your office into an amusement arcade, but allowing employees some time off to use social media sites is not that bad. It is a selling point as well, especially for Gen Y staff. They expect to be able to have some social media time at work.
You probably ban social media access at work, but your competitors might not. One of them almost certainly allows some Facetime at work. It could be the difference between attracting the best workers or just the mediocre ones!
Blocking access to social media websites is not easy
So you want to ban social media use at work. How do you plan to implement that ban? Just tell staff it is inappropriate to access the sites and then turn a blind eye to a little use? Get HR to bring employees in who access Twitter during work time? Purchase a web filter to block access?
A ban must be enforced, access to the sites needs to be monitored, and action taken against offenders. If you have a lapse in adherence to the policy, how will you deal with it? It could well be more trouble than it is worth!
If you operate a BYOD scheme and allow the use of personal laptops or tablets at work, you can’t ban employees from using their own devices to access social media websites outside of office hours. You will still need to implement policies covering use of the sites, even if they are blocked in the office.
Regardless of controls, if employees want to use social media, a ban will not stop them
Implementing a ban does not mean employees will stop using social media at work; it will just be harder to control. Even if you purchase a web filter, such as that offered by SpamTitan, and block access to the sites for all staff members, employees will still access their accounts if they want to. They will just use their smartphones. You will then lose all control and it will be impossible to monitor how much time your employees are spending on the sites. In fact, a ban could well lead to employees taking more risks, or posting disparaging remarks about your company.
Instead of implementing a total ban, why not look for ways to leverage the use of social media websites and develop policies to control usage? You could even implement software solutions to minimize security risks and give you control over what is accessed via the websites.
The rise in popularity of social media websites such as Facebook, Twitter, LinkedIn and Google+ has had a significant impact on employers. Many employees would rather spend their entire working day on these websites than completing work duties. Many employees waste an extraordinary amount of time on Facebook, YouTube and similar websites.
Employees will always find a way of wasting time, so the increase in use of social media at work is unsurprising. However, employers who ban employees from accessing the websites – such as by using a web content filter – may find that they are actually shooting themselves in the foot. Allowing employees to spend a little time on social media websites can actually be beneficial for a company, resulting in employees being happier at work. Happy staff are actually more productive.
If an organization does not implement a total ban on employees accessing social media and social networking websites, it is essential that staff usage of the sites is monitored. Most employees will use the websites responsibly, but there will always be some cases of social media abuse at work. The aim must be to keep that to a minimal level.
Installing a Web Filter to Block Social Media Abuse at Work
The installation of a web filter and Internet monitoring software lets employers block access to certain websites and monitor usage of others. Web filters can be configured to block a specific website for an entire organization, for groups, or for specific individuals. If an individual is excessively using social media at work, it may be appropriate to block them from accessing the sites from their work computer. Access to the websites can be made a privilege, which can be taken away if an individual is found to be abusing the good nature of their employer.
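The scoping described here (a site blocked for the whole organization, allowed for a group, and withdrawn again for one individual) is a precedence question, and the administrator's view of "who is attempting access" comes from logging every decision. The following added example, which is not WebTitan's configuration or code and whose rules, users and requests are all constructed, shows one way to model that: the most specific scope wins, and each decision is written to an audit log that can be queried for blocked attempts.

```python
"""Scoped web-filter policy with an audit log of decisions.

Added example, not the configuration format of any product. Scopes are
org, group and user; the most specific matching rule decides, and every
decision is logged so blocked attempts can be reviewed per user or site.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    scope: str    # "org", "group" or "user"
    subject: str  # "*" for org, a group name, or a user name
    domain: str   # exact host, or ".example.com" for the host and its subdomains
    action: str   # "block" or "allow"


SCOPE_RANK = {"org": 0, "group": 1, "user": 2}  # higher rank overrides lower


def domain_matches(rule_domain: str, host: str) -> bool:
    """Match an exact host, or a leading-dot domain and all its subdomains."""
    host = host.lower()
    if rule_domain.startswith("."):
        return host == rule_domain[1:] or host.endswith(rule_domain)
    return host == rule_domain


@dataclass
class WebFilter:
    rules: List[Rule]
    groups: Dict[str, List[str]]                    # user -> group memberships
    audit_log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def _applies(self, rule: Rule, user: str) -> bool:
        if rule.scope == "org":
            return True
        if rule.scope == "group":
            return rule.subject in self.groups.get(user, [])
        return rule.scope == "user" and rule.subject == user

    def decide(self, user: str, host: str) -> str:
        """Return "allow" or "block" and record the decision and its cause."""
        best: Optional[Rule] = None
        for rule in self.rules:
            if not domain_matches(rule.domain, host) or not self._applies(rule, user):
                continue
            # Most specific scope wins; within a scope the first rule listed wins.
            if best is None or SCOPE_RANK[rule.scope] > SCOPE_RANK[best.scope]:
                best = rule
        action = best.action if best else "allow"   # default-allow; use "block" for a strict site
        cause = f"{best.scope}:{best.subject}" if best else "default"
        self.audit_log.append((user, host, action, cause))
        return action

    def blocked_attempts(self, host: Optional[str] = None) -> List[Tuple[str, str, str, str]]:
        """Administrator view: who tried to reach blocked sites (optionally one site)."""
        return [e for e in self.audit_log if e[2] == "block" and (host is None or e[1] == host)]


# Constructed policy: blocked org-wide, allowed for marketing, withdrawn for one user.
SAMPLE_RULES = [
    Rule("org", "*", ".facebook.com", "block"),
    Rule("group", "marketing", ".facebook.com", "allow"),
    Rule("user", "dave", ".facebook.com", "block"),
]
SAMPLE_GROUPS = {"mia": ["marketing"], "dave": ["marketing"], "erin": []}


def build_sample_filter() -> WebFilter:
    return WebFilter(list(SAMPLE_RULES), dict(SAMPLE_GROUPS))


if __name__ == "__main__":
    wf = build_sample_filter()
    for user, host in [("erin", "www.facebook.com"), ("mia", "facebook.com"),
                       ("dave", "facebook.com"), ("erin", "example.edu")]:
        print(user, host, wf.decide(user, host))
    print(wf.blocked_attempts())
```

Changing the default in `decide` from allow to block turns the same engine into an allowlist-only filter, which is the usual choice for a school network.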
Some employers prefer to ban all employees from using the websites, but there is a problem with this. It tells the staff that you do not trust them to be able to achieve a good balance. Also, blocking social media usage at work can have a significant negative impact on staff morale. The more restrictions are put in place at work, the less happy staff members are likely to be, and unhappy staff means low productivity.
The banning of social media site access at work isn’t always about stopping staff members from wasting time online instead of working. Use of the websites carries a data security risk. Phishers, scammers and spammers use Facebook and other social networking websites. If employees use the sites at work, view posts, click links or even download files from the sites, they could inadvertently install malware on their computers. If malware or viruses are installed, hackers and other cybercriminals could easily gain access to a corporate network and steal confidential data or gain access to corporate bank accounts.
It is therefore essential that actions are taken by employers to prevent social media abuse in the workplace, to prevent a fall in productivity and to ensure that risks are not taken by staff members that could potentially result in networks being compromised.
Tips to Prevent Social Media Abuse at Work
Purdy Fitzgerald Solicitors have recently issued some advice to organizations that are concerned about the use of social media websites by employees. Two of the most important elements have been detailed below:
1. Monitor Employees’ Use of the Internet and Email in the Workplace
If employees are allowed access to the Internet at work, then the websites they visit must be monitored. The same applies to email. It is now standard practice to monitor Internet use at work to ensure that risky or dangerous sites are not visited. Websites containing offensive material must not be viewed and email must be monitored to make sure it is not being abused. To avoid social media abuse at work, site usage should be monitored, although care must be taken, especially if personal information is being entered into these websites. Data protection laws may apply.
The Article 29 Working Party, an advisory group comprising members of data protection authorities in the European Union, has produced a document which can help employers not fall foul of the law. Even though employees choose to use their work computer to access social media websites and send email, they have privacy rights. They have a legitimate expectation that employers will not violate those rights. That said, employers must take steps to prevent abuse, and they are allowed to do so by law. They are permitted to monitor the activities of employees to ensure their businesses are being run efficiently.
It is important that the right balance is achieved between monitoring computer usage to ensure employees do not abuse Internet access, but not to monitor to the point that employees’ privacy is violated.
2. Develop Internet and Email Usage Policies to Prevent Social Media Abuse at Work
If access to the Internet is provided to staff members, they must be informed of company policies covering the use of the Internet: the websites that cannot be visited, what information can be entered on websites, the type of material that can and cannot be downloaded, and the acceptable use of social media and other web 2.0 sites. These policies must be concise and easy to read, but should also be comprehensive.
Policies should cover chat rooms, blogging, social media websites, and the permitted and prohibited use of the Internet and email. Policies should also detail the types of devices that can be used to access email and the Internet.
There have been a number of cases of employees having had their contracts terminated due to Internet and email abuse at work. However, some of those employees have taken their cases to employment tribunals. Employers who terminate work contracts for Internet and email abuse are likely to have those decisions overturned if they have not issued staff members with policies covering allowable and prohibited uses of the Internet. In some cases, employers have been found to have unfairly dismissed staff members and have had to pay damages simply because company policies on usage have not been explained.
What Should be Included in Social Media Policies?
Each company’s Internet, email and social media usage policies will be unique. When writing usage policies, each company must carefully assess the advantages and disadvantages of allowing employees to access social media websites, surf the net for personal reasons, and use email accounts to send personal email. The aim should be to restrict usage, but to make policies workable. It is important that all members of staff are provided with the policies and that they are put on display in a highly visible location.
Social media usage must be stated in the policies, and they should stipulate whether accessing websites such as Facebook is prohibited or permitted in moderation. Policies should detail which departments are permitted to use the sites, and the allowable uses and general conduct of employees while on these websites should also be stated.
For instance, a policy may be put in place that prohibits employees from posting disparaging remarks about their employer on social media websites, or that employees are not permitted to upload material or download files from social media websites while at work.
Since everyone may have a different understanding of “social media”, it is advisable to define the term in the usage policies. Employees may not think they are using the sites inappropriately, whereas managers may consider the same usage levels to equate to social media abuse at work.
It is also essential that usage policies advise employees of the consequences of breaching company rules. Employees’ conduct online should be treated in the same manner as general conduct in the workplace, and the disciplinary policies must similarly be stated. For instance, employees found to have viewed, downloaded, or even uploaded pornographic material while at work will face instant dismissal and termination of their work contract. Get your policies right and it will help you to prevent social media abuse at work. Fail to issue policies and you will be asking for trouble.
If you want to access the Internet, you will need a web browser. Unfortunately, the very program you use to gain access to the Net, read your email, and log on to social media sites and online bank accounts could be your downfall.
A vulnerability in Firefox, Safari, Chrome or IE could place your data straight into the hands of hackers. Cyber criminals can – and do – take advantage of out-of-date web browsers to steal data and gain access to computers, mobiles, laptops, and tablets.
It is therefore essential to ensure that your browser is kept up to date. Fail to install updates as soon as they are released and you could become the next data breach statistic.
Insecure web browsers could leave you exposed to a cyberattack
When you purchase a new device, chances are it will come with a browser preinstalled. Bear in mind that it is unlikely to come with the browser correctly configured, and you will most likely need to install the latest version. Updates are now being issued on a regular basis.
Failing to keep your browser up to date and to tighten its security settings is a recipe for disaster. Out-of-date or insecure browsers can result in malware, spyware, ransomware, and viruses being installed on your device without your knowledge. Even your anti-virus software may not pick up the infection.
Kaspersky Labs, one of the world’s leading providers of anti-virus software, has recently investigated browser security and has discovered almost a quarter of browsers are out of date. The company assessed the browsers of close to 10 million Internet users from all over the world in 2012, with the data drawn from the Cloud-based Kaspersky Security Network. Over 700 million browser launches were logged by Kaspersky during the period of study.
Kaspersky Labs browser study produces worrying results
Kaspersky Labs analyzed five different web browsers as part of the study and discovered 36 different versions in use. Only five versions were up to date and installed with the latest security patches. Users of Kaspersky Anti-virus solutions were reasonably well protected, with 77% using the latest version of their chosen browser. Unfortunately, 23% were using out of date versions, making them vulnerable to a cyber attack or malware infection. Worse still, 8.5% of test subjects were still using versions that had long since become obsolete. Millions of individuals are therefore at risk of succumbing to web-borne threats.
The process of upgrading a browser to the latest version is a quick and straightforward process, and will ensure the user is better protected against hackers. Why are users not upgrading their browsers? There are many possible answers. Simply putting it off and forgetting is one of the main reasons; however, some users are fearful that they might lose data or bookmarks by updating. Others are worried about losing some of the features they like. Sometimes, the new versions contain bugs and make viewing the Internet that little bit harder (at least initially).
Unfortunately, the reality is that failing to update a browser will leave you vulnerable. It is therefore not really a choice but a necessity, certainly if you care about the security of your device, data stored on it, and the network it connects to.
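The Kaspersky study above was, in effect, an inventory of browser versions seen in the field. An administrator can run the same check against their own web proxy logs. The script below is an added example written for this post, not code from the original article or from Kaspersky: it parses a constructed, tab-separated proxy log (timestamp, client IP, URL, User-Agent), identifies the browser family and major version from the User-Agent string, and compares it against a minimum-version table. The log lines and the `MIN_MAJOR` thresholds are assumptions for illustration; the real table has to be maintained from vendor release notes.

```python
import re
from collections import Counter

# Minimum acceptable major version per browser family. These numbers are
# assumptions for the example; maintain the real table from vendor release notes.
MIN_MAJOR = {"Chrome": 22, "Firefox": 16, "Safari": 6, "MSIE": 9}

# Order matters: Chrome user agents also carry a "Safari/" token, so Safari is
# tried last and keyed on the "Version/" token that only Safari emits.
UA_PATTERNS = [
    ("MSIE", re.compile(r"MSIE (\d+)\.")),
    ("Chrome", re.compile(r"Chrome/(\d+)\.")),
    ("Firefox", re.compile(r"Firefox/(\d+)\.")),
    ("Safari", re.compile(r"Version/(\d+)\.[\d.]*\s.*Safari/")),
]

# Constructed proxy log for the example: ISO timestamp, client IP, URL, User-Agent.
SAMPLE_LOG = """\
2012-10-03T09:14:05Z\t10.0.0.12\thttp://intranet.example/\tMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
2012-10-03T09:14:09Z\t10.0.0.31\thttp://news.example/\tMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
2012-10-03T09:15:44Z\t10.0.0.47\thttp://intranet.example/\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
2012-10-03T09:16:02Z\t10.0.0.58\thttp://mail.example/\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17
2012-10-03T09:16:30Z\t10.0.0.63\thttp://news.example/\tMozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0.1
2012-10-03T09:17:11Z\t10.0.0.90\thttp://updates.example/\tcurl/7.26.0
"""


def identify_browser(user_agent):
    """Return (family, major_version), or (None, None) if the UA is not a known browser."""
    for family, pattern in UA_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return family, int(match.group(1))
    return None, None


def classify(user_agent):
    """'current', 'outdated' or 'unknown' relative to MIN_MAJOR."""
    family, major = identify_browser(user_agent)
    if family is None:
        return "unknown"
    return "current" if major >= MIN_MAJOR[family] else "outdated"


def audit(log_text):
    """Parse the log and return one (client_ip, family, major, verdict) per line."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client_ip, _url, user_agent = line.split("\t", 3)
        family, major = identify_browser(user_agent)
        results.append((client_ip, family, major, classify(user_agent)))
    return results


def summarize(results):
    """Count verdicts across all log lines."""
    return Counter(verdict for _, _, _, verdict in results)


def outdated_share(results):
    """Fraction of identified browsers that are below the minimum version."""
    identified = [r for r in results if r[1] is not None]
    if not identified:
        return 0.0
    return sum(1 for r in identified if r[3] == "outdated") / len(identified)


if __name__ == "__main__":
    res = audit(SAMPLE_LOG)
    for client_ip, family, major, verdict in res:
        print(f"{client_ip:<12} {family or '-':<8} {major or '-':<4} {verdict}")
    print(dict(summarize(res)), f"outdated share: {outdated_share(res):.0%}")
```

Each client IP flagged "outdated" is a machine to chase for an update; the "unknown" bucket (non-browser tools, or newer user-agent formats the patterns do not recognise) should be reviewed rather than silently treated as safe.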
On November 1, 2012, SpamTitan Technologies will be releasing WebTitan 4.0, the latest version of the powerful web filtering solution for business customers. The new version includes a host of additional features to make it easier than ever before for system administrators to manage Internet usage in the workplace and protect their networks from malware, viruses and cyberattacks.
The latest version includes new controls to manage bandwidth, with advanced reporting features, delegated administration, full transparent authentication, and SNMP support. SpamTitan Technologies WebTitan 4.0 also boasts improved white labeling options.
Proxy mode now offers full transparent authentication
When developing WebTitan 4.0, product developers took on board comments from users and incorporated a host of new features to make management easier. The result is the most user-friendly version released to date and includes augmented controls to ensure businesses are better protected.
WebTitan 4.0 offers full transparent authentication when using the product in proxy mode. Users are able to generate advanced reports, whereas in previous versions reporting for transparent proxies was IP-based.
Administration functions can be easily configured
New delegated administration functionality has been added to reduce the burden on system administrators. Administration of WebTitan can now be passed to any stakeholder in the organization. All controls can be easily configured: individual users can be granted reporting rights or policy management privileges, and reporting rights can be scoped so that an individual can issue Internet usage reports only for specific users or user groups.
When administrator rights have been configured, it is possible for reporting and policy management responsibilities to be delegated to individuals who have a better understanding of the best web filtering policies for specific groups of users, ensuring much improved cross-organizational participation.
Ensure enough bandwidth is available for business-critical applications
The latest version offers a host of improved corporate Internet policy functions to ensure that sufficient bandwidth is always available for business critical applications, with the option of setting quotas to prevent wastage. A host of Internet services are now available which can suck up bandwidth, such as video streaming, Internet radio and other media-rich applications.
These services can cause Internet access to slow considerably and often bottlenecks are created that reduce productivity. The new version has far greater granularity that allows users to allocate resources more efficiently and make considerable cost savings.
As Internet functions have evolved, the management of web filtering has become much more complex. Managing users and user groups can therefore be a major headache for system administrators. One of the main aims with the new release was to ease the administrative burden on system administrators. Web filtering can now be managed much more efficiently.
SpamTitan Technologies WebTitan 4.0 includes more complex functions, yet the user interface and controls are more intuitive and easier to learn. CEO of SpamTitan, Ronan Kavanagh, said the latest version has been created to “ensure our customers get the best end user web experience while organizations are fully protected from all malware as it emerges.”
The latest version makes it easier to add company branding to WebTitan. White label versions can be supplied to allow businesses to add their own branding and create a web filtering solution that matches the look of other systems used by their organization. Full SNMP support is also now included.
Competitive Pricing and a 30-Day No-Obligation Trial
Licenses for WebTitan 4.0 can be purchased to suit the needs of the business. There is no need to pay for IP addresses that will never be used. WebTitan 4.0 has a flexible banded pricing structure. Businesses can just pay for the number of end users who require Internet access.
The new version of WebTitan is now available for download with the option of a 30-day no obligation demo license for new customers.
The fully licensed product starts from only $850 (WebTitan for VMware 4.0 / WebTitan ISO). Previous purchasers with current licenses are able to upgrade to the latest version at no extra cost.
SpamTitan Technologies is a provider of web filtering and email security solutions for the enterprise. The company, based in Galway, Ireland, offers a comprehensive suite of software options for small to medium sized organizations that offer protection from spam, phishing and other email and web-based data security threats. Customers can implement solutions that can be tailored to the unique needs of their businesses and receive excellent protection from malware, viruses, phishing, Trojans, and spambot attacks. Users can also be prevented from viewing undesirable web-content using WebTitan secure Internet filtering solutions.
The company uses next-generation virtualization software that can be easily implemented, operated and maintained, without the need for expensive and unwieldy hardware. The latest versions of the company’s popular software give system administrators excellent versatility and flexibility. The enhanced functionality and protection capabilities of WebTitan 4.0 can also be provided at an extremely competitive price.
A recent survey conducted by SpamTitan Technologies indicates the vast majority of companies are prepared to terminate the contracts of employees for inappropriate social media use, such as exposing confidential data on social media networks. The corporate social media usage study showed that 87% of respondents would consider firing an employee for inappropriate social media use if company policies were violated.
Only 16% of companies think social media use at work is acceptable
The use of social media channels during work time is frowned upon by most companies. Many turn a blind eye to a little social media time during the working day, but only 16% of organizations taking part in the study said that they actually think it is acceptable for the staff to spend some time on Facebook, Twitter, LinkedIn and other social media networks.
The threat of termination of employment contracts for misuse of social media, in particular the posting of confidential information or disparaging remarks about an employer, is not an empty one. According to a study conducted by Osterman Research, one company in six has already made the decision to terminate at least one employee’s contract for inappropriate use of social media in the workplace.
With the rise in popularity of websites such as Facebook, Twitter and LinkedIn, it is understandable that members of staff with Internet access are tempted to spend a little of their working day checking their accounts. For many employers the main issue is not the loss of productivity that occurs as a result of inappropriate social media use. It is the security threat that inappropriate social media use introduces.
Malware is rife on Facebook
Social media websites are a magnet for cybercriminals, and malware is rife on the sites. Online criminals trawl Facebook, Twitter and LinkedIn looking for corporate data, while phishers seek information that can be used to conduct spear phishing campaigns.
Twitter now has 145 million active users and Facebook has 845 million users around the world. Many of these users are accessing their accounts during working hours too. Osterman discovered that 36% of employees use part of their working day to check Facebook and that figure has increased by 28% over the course of the past year. Twitter and LinkedIn are also being used at work. There has been a 6% jump in Twitter use and a 7% hike in LinkedIn use in the workplace over the course of the past 12 months.
With so much social media use, it is clear that any company that has yet to develop a policy on acceptable use of social media networks during working hours will have to do so soon. Interestingly, while almost nine in ten companies would be prepared to fire an employee for inappropriate social media use, only 22% actually have a policy in place covering the use of social media sites at work.
Facebook, Twitter, LinkedIn and YouTube use carry major risks
The loss of productivity resulting from personal Internet time is considerable. A recent ISACA survey conducted on “Shopping on the Job” revealed that 40% of companies said the loss of productivity as a result of employees using websites for personal reasons was costing them at least $10,000 a year.
There is also the potential for damage to a company’s reputation. Take Domino’s Pizza for example. The company has just been forced to fire employees for posting a video of them playing with customers’ food at work. Even the clergy is not immune. A bishop was recently suspended for posting disparaging comments online – in this case the comments related to the Royal wedding of Prince William and Kate Middleton.
Perhaps the most damaging aspect of inappropriate social media use at work is the threat to corporate security. Facebook in particular is being used by unscrupulous individuals to spread viruses and malware. A link contained in a post about the latest viral video is sure to attract a lot of clicks. If that link directs people to a website containing malware, malicious software could easily be downloaded to a work computer. Installed malware could then be used to launch an attack on a corporate network.
How to control social media usage and protect corporate networks
There is no single solution to the problem of inappropriate social media use that can be adopted by all companies. Banning social media use entirely may be neither practical nor appropriate. Use of the networks can offer advantages, but the cons will outweigh the pros unless usage is monitored, managed and controlled. An Internet security policy is therefore essential to combat the increasing risk from viruses and malware. Companies are also advised to install a web filter. This will at least prevent users from visiting malware-ridden websites. It can also be used to block access to social media websites at work, should that be required.
Unsurprisingly, the launch of the iPhone 5s has seen people queuing outside Apple stores for hours on end in the hope of being among the first to get the new Apple device. Apple aficionados do get excited about the launch of a new device, and the Apple iPhone 5s is no exception. The company has reportedly sold 2 million units, and that was in the first 24 hours after the release.
Interest in the devices has been so high that buying a new iPhone 5s means a long wait is required. Many early purchasers will have to wait a number of weeks before their new phone is delivered. Apple couldn’t make enough available for the launch. Unfortunately, cybercriminals are taking advantage and have launched a number of iPhone 5 phishing scams.
Many iPhone 5 phishing scams have now been launched
Cybercriminals also love Apple devices, and the launch of a new Apple device in particular. They take advantage of the hysteria and send huge volumes of spam and phishing emails to would-be purchasers, advertising special offers and discounts, must-read information about the new device, and fake competitions. In the run-up to the launch we have seen many new email scams aimed at Apple fans. Scammers have used the media hype surrounding the iPhone 5 launch to their advantage.
Apple knows how to launch a new product. Few companies do it better in fact. In the run up to the launch, only a limited amount of information on the device was issued. Just enough to get Apple fans salivating. As the launch date drew closer, more information was released. They built interest in their product, anticipation was high, and when the launch date arrived, the product sold by the million.
Scammers take advantage of the anticipation, supply shortages, and long wait times. Spam email campaigns have accompanied the launch of this year’s hottest new product, with a number of spam and phishing emails already captured by SpamTitan’s spam and web filtering software. Some of the iPhone 5 phishing scams include:
- Fake delivery notifications
- Phishing websites set up to coincide with the iPhone launch
- Fake special offers and discounts on the new iPhone 5s
- Bogus competitions to win a new iPhone
We are expecting many more over the coming weeks.
Not everyone is good at identifying a phishing email
If you are in charge of your company’s email security, or if you work in an IT department, you will probably have a very good understanding of spam and phishing emails and can probably identify even the most convincing campaign. Unfortunately, the same probably cannot be said of the end users in your company, many of whom will be so excited about the launch that they will click any email link about the new device.
There is a high risk of end users clicking on links to websites containing malware and of opening infected attachments. It is therefore a time to be ultra-cautious. If one employee falls for a scam, it will not just be their computer that is infected. They may inadvertently compromise your network.
In order to address the risk, employees must be warned about the new scams and training should be provided to make sure they know how to recognize spam, phishing emails and iPhone scams. Even if training has already been provided, it is a good time to send out some refresher emails. You may even want to test their knowledge and send out spoof phishing emails to find out just how many people click the links. This is the best way to determine if your training has been effective, and which employees need some extra tuition.
Have you fallen for one of the iPhone 5 phishing scams? Have you identified any new iPhone 5 phishing scams? Please let us know!
New research indicates the threat from phishing is growing at an alarming rate, with thousands of new malicious websites being created every week. Detection rates of new phishing sites are also increasing, thanks to new software introduced by the Anti-Phishing Working Group (APWG).
APWG is a pan-industry not-for-profit organization dedicated to improving Internet security. The organization works alongside law enforcement to reduce identity theft and make it harder for online criminals to operate. One of the ways it achieves its aims is by finding new websites set up by cybercriminals to obtain login names, passwords and other sensitive information from Internet surfers.
A recent report issued by APWG shows an alarming rise in the number of new phishing websites, indicating cybercriminals are concentrating on this attack vector to obtain the data necessary to commit fraud and steal identities.
In the month of February alone, 56,859 new phishing websites were detected. This rate of detection has not been achieved since August 2009. February’s count of new phishing websites was 1% higher than the organization’s August 2009 figures. While this suggests a major increase in cybercriminal activity, the organization’s new detection software may account for part of the rise in detections. That said, the threat from phishing is certainly growing.
What does a phishing website look like?
The reason phishing websites are so dangerous is that they look exactly the same as legitimate websites. Criminals are investing a considerable amount of time and money into creating spoof sites that are highly convincing. Big brand name websites are now being spoofed, with Amazon and eBay just two of the major retail sites that have had fake versions created to fool users.
It is not only the retail industry that is being affected. Criminals have created phishing websites that look the same as those of major banks and financial institutions. If users can be fooled for long enough to attempt to login to the websites, criminals will obtain their credentials and be able to make bank transfers. Huge sums of money can be transferred and withdrawn by criminals before the victims even realize.
The majority of the fake websites discovered by APWG were located in the United States. Over half of those websites used the brand names of large organizations to fool users into revealing their sensitive information. This is achieved by creating a website that looks very similar to the brand being spoofed, with the domain name also featuring the brand name.
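The brand-in-the-hostname trick described above is easy to check for mechanically, which is why web filters and takedown services do it. The following is an added example written for this post, not code from APWG or from SpamTitan. Given a set of protected brands with their legitimate domains (an assumption for the example), it classifies each URL in a constructed feed as legitimate (the brand's own domain or a subdomain of it), a lookalike (the brand token appears in a hostname that is not the brand's domain, including the "brand.com.something.example" pattern and digit-for-letter substitutions such as "amaz0n"), or unrelated. It also goes slightly beyond the text by stripping user-info and port components, since "http://amazon.com@evil.example" style URLs are a common variation of the same trick.

```python
from urllib.parse import urlsplit

# Brands to protect and their legitimate registrable domains (assumed for the example).
PROTECTED = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "ebay": {"ebay.com"},
    "paypal": {"paypal.com"},
}

# Digit-for-letter substitutions seen in lookalike names: "amaz0n", "paypa1".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})

# Constructed feed of URLs to classify (not real phishing sites).
SAMPLE_FEED = [
    "https://www.amazon.com/gp/signin",
    "http://user@amazon.com.verify-account.example:8080/login",
    "amaz0n-login.example/signin",
    "https://signin.ebay.com/ws/eBayISAPI.dll",
    "http://ebay-deals-2012.example/",
    "https://www.paypal.com.secure-login.example/",
    "https://www.example.org/",
]


def hostname_of(url):
    """Extract the lowercase hostname, discarding scheme, user-info, port and path."""
    if "://" not in url:
        url = "http://" + url  # bare hostnames in a feed still need parsing
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else ""


def is_legit(host, legit_domains):
    """True only for the brand's own domain or a real subdomain of it.

    The dot boundary matters: 'amazon.com.evil.example' does not end with
    '.amazon.com', so it is correctly rejected here.
    """
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def classify_url(url):
    """Return (verdict, brand); verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    host = hostname_of(url)
    # Normalise common disguises before looking for the brand token.
    normalized = host.translate(LEET).replace("-", "")
    for brand, domains in PROTECTED.items():
        if is_legit(host, domains):
            return "legitimate", brand
        if brand in normalized:
            return "lookalike", brand
    return "unrelated", None


def scan(feed):
    """Classify every URL in the feed; returns (url, verdict, brand) tuples."""
    return [(url,) + classify_url(url) for url in feed]


if __name__ == "__main__":
    for url, verdict, brand in scan(SAMPLE_FEED):
        print(f"{verdict:<11} {brand or '-':<7} {url}")
```

A "lookalike" verdict is a candidate for a web-filter block list and for reporting to the brand owner, not proof of phishing on its own: unrelated hostnames that happen to contain a brand token will trip the substring check, so an allowlist for known false positives belongs beside `PROTECTED` in production use.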
Security software identifies phishing websites and neutralizes the threat
There may now be more phishing websites than ever before, but fortunately action is being taken. When new sites are identified, the companies hosting those sites are alerted and the websites are closed down. Hackers and other cyber criminals may be devising more sophisticated ways of obtaining sensitive information from businesses and consumers, but detection software is also becoming more sophisticated. Companies such as SpamTitan Technologies have devised software that can rapidly identify phishing websites, allowing the threat to be neutralized. However, the volume of these malicious sites is such that even with rapid identification, it is not possible to totally eliminate the threat they pose. All that can be done is to use a web filter to prevent Internet users from visiting these websites.
Employees are not reporting phishing emails and websites to their IT departments
Many companies have developed policies which require members of staff to report suspicious emails and websites to their IT departments. If an employee sends a quick email, the IT department can ensure that the threat is neutralized. Unfortunately, despite these policies existing, they are not being followed by all members of staff.
SpamTitan conducted a survey earlier this year which revealed that 70% of organizations had suffered losses as a result of phishing and spear phishing emails that had not been reported to their IT department. If staff members receive security awareness training and report phishing attempts, the emails can be deleted promptly to neutralize the threat. A failure to report those emails is likely to see some members of staff fall for the scams.
Many of these phishing scams seek to obtain access to sensitive data in order to commit fraud against individuals. If criminals can gain access to a business network, they can potentially obtain sensitive information from the entire workforce. The loss of data and system downtime can cost companies millions of dollars. When customer or healthcare data is stolen, the costs of resolution can be even higher. Theft of customer and patient data can trigger a wave of class-action lawsuits and result in regulatory bodies issuing heavy financial penalties.
What is the solution?
The cost of data breach resolution is considerable, but it does not cost a small fortune to take proactive steps to reduce the likelihood of a data breach being suffered. If organizations are proactive and implement a range of security measures, the risk of cyberattacks and data breaches can be effectively managed.
It may not always be possible to prevent phishing emails from reaching inboxes, but it is essential that employees are security aware and know how to identify suspicious and malicious emails in case they are delivered. There must also be an easy way of reporting such emails so that prompt action can be taken to neutralize the threat.
What security measures can be implemented to reduce the risk of a data breach?
Robust, multi-layered security defenses can be implemented to protect data and networks from attack, although there is no single solution that will work for all organizations.
Some of the measures that can be implemented to keep networks and data secure include:
- Encrypt all customer, client and patient data stored on networks
- Devise a secure password policy and ensure that it is enforced
- Make sure users change their passwords every 3 months (note that more recent guidance, NIST SP 800-63B, advises against forced periodic rotation and recommends changing passwords when there is evidence of compromise)
- Conduct security awareness training
- Issue cybersecurity bulletins to alert employees to new risks
- Purchase a robust email spam filter to stop phishing emails from reaching inboxes
- Use web filtering to restrict the websites that can be visited by employees
- Perform regular risk assessments to identify new security vulnerabilities
- Ensure anti-virus and anti-malware solutions are installed on all devices connected to a network
- Make sure all software and virus/malware definitions are updated regularly
- Conduct periodic security audits to check for malware and viruses that have inadvertently been installed
Social networking websites are here to stay. They may have been created to give people an easy way to stay in touch with friends, family and meet new people, but there are considerable benefits for businesses. In fact, any business that has not yet embraced the social media revolution is likely to be losing customers to competitors.
However, social media use at work does carry security risks and employees may spend a lot of their working day posting status updates, reading articles, and communicating with their contacts.
A study was recently conducted by Proskauer Rose that set out to explore some of the problems businesses are having with social media website use by employees. It would appear that social media access is not being effectively managed by some businesses, and employees are spending too much time accessing the likes of Facebook, LinkedIn, Twitter and Pinterest.
Key findings of the Proskauer Rose social media study
- Social media misuse was reported as being a problem for 43.4% of respondents
- 3% of companies have taken disciplinary action against employees for misusing social networks
- Surprisingly, 45% of companies do not have a social media or Internet policy covering usage at work
There are benefits to be gained from allowing employees to have some time each day to access the websites, should they wish to do so. Unfortunately, the drawbacks can outweigh the advantages if care is not taken and usage is not effectively managed.
In addition to time being spent on the websites instead of work being performed, there is a considerable risk to network security. Malware and phishing schemes are rife on social media networks. Then there is the issue of wasted bandwidth. On the plus side, employee productivity can be increased by allowing some time to access accounts each day, and businesses can harness the potential of social media and get closer to their customers.
Provided use is managed, the benefits can outweigh the disadvantages. The solution is to implement policies to control usage in addition to software solutions to block access if necessary.
Protecting networks from attack and controlling social media use at work
Simply implementing a ban on accessing the websites is rarely an effective strategy. Staff morale can fall, and end users will carry on accessing the websites if they want to. They may just use their smartphones to do it instead. The best methods to use to keep networks secure and control access are:
Implement Web technology solutions to protect corporate networks
Many companies use a web filtering solution to prevent employees from accessing websites that are inappropriate for the workplace; blocking gambling, pornography and file-sharing sites is common. It may be tempting to use web filters to block all social media websites as well, but this would prevent the company from maintaining a social media presence.
Some web filters offer much more granular controls. They can quickly and easily be configured to block certain user groups from accessing the websites.
SpamTitan Technologies offers such a solution. The web filter means that HR departments can work with IT to implement appropriate controls that allow employees some time to access the sites, while ensuring that the social media needs of the business can be met.
Role-based settings can be implemented and can even be set at an individual level. If misuse becomes a problem, an individual can lose the right to access the sites at work. If one employee misuses Facebook, the whole workforce, including those who use the sites responsibly, should not be penalized.
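The precedence described in the last few paragraphs (a per-user revocation beats the group rule, a group rule beats the company default, and some groups get a daily time allowance rather than a flat allow or block) is the core of any role-based filtering policy. The script below is an added example written for this post, not WebTitan's configuration format or code: it resolves the effective rule for a user and category, enforces a per-day quota, and replays a constructed sequence of requests. Group names, categories, the `quota:N` action syntax and the requests are all assumptions for the example; a real filter would supply the category from its URL classifier.

```python
# Company default per category; anything unlisted is denied (default deny).
DEFAULT_ACTIONS = {"social-media": "block", "file-sharing": "block", "news": "allow"}

# Group rules are evaluated in GROUP_PRIORITY order: the first group the user
# belongs to that has a rule for the category decides. "quota:N" allows N minutes per day.
GROUP_PRIORITY = ["marketing", "staff"]
GROUP_RULES = {
    "marketing": {"social-media": "allow"},
    "staff": {"social-media": "quota:30"},
}

# Per-user overrides sit above every group rule, so one user's access can be
# revoked after misuse without penalising the rest of the workforce.
USER_OVERRIDES = {"jdoe": {"social-media": "block"}}

# Constructed request sequence: (user, groups, category, minutes the visit would consume).
SAMPLE_REQUESTS = [
    ("asmith", ["marketing", "staff"], "social-media", 20),  # marketing: allow
    ("bjones", ["staff"], "social-media", 20),               # staff quota, 0 used
    ("bjones", ["staff"], "social-media", 20),               # 20 used, still under 30
    ("bjones", ["staff"], "social-media", 5),                # 40 used: quota exhausted
    ("jdoe", ["marketing", "staff"], "social-media", 5),     # revoked individually
    ("bjones", ["staff"], "file-sharing", 5),                # company default: block
    ("bjones", ["staff"], "news", 5),                        # company default: allow
]


def effective_rule(user, groups, category):
    """Resolve the rule that applies: user override, then group by priority, then default."""
    if category in USER_OVERRIDES.get(user, {}):
        return USER_OVERRIDES[user][category], "user override"
    for group in GROUP_PRIORITY:
        if group in groups and category in GROUP_RULES.get(group, {}):
            return GROUP_RULES[group][category], f"group {group}"
    return DEFAULT_ACTIONS.get(category, "block"), "default"


def decide(user, groups, category, used_minutes=0):
    """Return ('allow'|'block', reason) for one request given today's usage so far."""
    rule, source = effective_rule(user, groups, category)
    if rule == "allow":
        return "allow", source
    if rule == "block":
        return "block", source
    if not rule.startswith("quota:"):
        raise ValueError(f"unknown action {rule!r} from {source}")
    limit = int(rule.split(":", 1)[1])
    if used_minutes < limit:
        return "allow", f"{source} quota {used_minutes}/{limit} min"
    return "block", f"{source} quota exhausted ({limit} min)"


def simulate(requests):
    """Replay requests, accumulating per-user, per-category usage for allowed visits."""
    usage = {}  # (user, category) -> minutes consumed today
    decisions = []
    for user, groups, category, minutes in requests:
        key = (user, category)
        verdict, reason = decide(user, groups, category, usage.get(key, 0))
        if verdict == "allow":
            usage[key] = usage.get(key, 0) + minutes
        decisions.append((user, category, verdict, reason))
    return decisions


if __name__ == "__main__":
    for user, category, verdict, reason in simulate(SAMPLE_REQUESTS):
        print(f"{user:<8} {category:<13} {verdict:<5} ({reason})")
```

Two design points carry over to any real deployment: the default for an unclassified category is block, not allow, and the user override table is the only thing HR needs to touch to deal with an individual case, which keeps the group policy stable for everyone else.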
Implement an Internet and Social Media Usage Policy
Regardless of your decision on social media use at work, you must implement a policy to cover usage. Your policies should cover acceptable use of the Internet, the types of web content that cannot be viewed, and the repercussions for attempting to view objectionable or banned content. If you do not have policies in place, from a legal standpoint you may have difficulty taking action against individuals for inappropriate use.
It is important that Internet and social media restrictions are explained to staff members in terms of the risk they pose to the business. Restricting access is not only about ensuring time is spent productively. Cybercriminals are targeting businesses using malware, viruses and phishing campaigns. It is all too easy to inadvertently infect a computer with malware or become part of a botnet.
Develop policies to cover usage, explain the risks and they can be effectively managed without implementing an unpopular and counterproductive social media ban.
Someone posts a comment about you or your company that is defamatory, racist, or simply causes offense. It may be possible to sue them for their actions. This is nothing new of course. However, what if that comment is posted anonymously? That does not necessarily mean you cannot file a lawsuit and sue the poster for damages. An Idaho politician is doing just that. Anonymity is no protection any more.
The Idaho Spokesman Review hosts a blog just like many newspapers. Blogs attract comments and sometimes spark heated debates between people with very different opinions. They attract visitors and are great for publicity, plus they have a much bigger reach than a newspaper. Sometimes comments are posted that cause offense.
One blog commenter recently posted comments that seriously offended politician Tina Jacobson, chair of the Kootenai County Republican Central Committee.
The comments, which were posted anonymously, are now the subject of a lawsuit in which Jacobson seeks $10,000 in damages. Only a couple of comments were posted by the person who identified themselves as “Almost a Bystander,” but that was enough for legal action to be taken. Jacobson had posted an article on the website and on February 14, 2012, the comments were added. They allege Jacobson had been embezzling funds: Serious allegations. The owners of the website promptly deleted the comments, together with the entire post.
Whatever happened to free speech?
The newspaper maintains that readers should be allowed to post comments on articles, and that it should not be necessary for individuals to identify themselves. The paper also does not believe that commenters should have their identities revealed if they have chosen to post anonymously.
If the newspaper continues to protect the identity of “Almost a Bystander,” it is probable that the paper will have to cover the cost and pay the damages. The case could well set a precedent, which could have a serious effect on other newspapers, blogs and websites that allow comments to be posted anonymously.
If a company hosts a website that allows social interaction, it may have to reveal the identities of anonymous comment posters. But to do that it would have to include that possibility in its website terms and conditions. Revealing the identity of an anonymous individual could well result in that person suing the newspaper for damages. What do you think?
Is free speech a right only for people who choose to identify themselves?
Should a company be held responsible for comments posted by an individual who chooses to remain nameless?
Many employees want to use their personal devices in the workplace. Personally owned devices are usually faster than the desktops supplied by employers. Employees know how to use the operating system, they have the software they need already installed, and it allows them to be more flexible about when and where they work.
These are all great benefits for employers. The power of new technology can be harnessed without expense, and productivity can increase.
Some may believe technology vendors are the driving force behind BYOD. It is true that vendors have embraced the BYOD movement and are pushing for their new devices to be used in the workplace. However, it is employees that are really driving the movement. They want to use their own devices in the workplace as it makes their lives easier.
Unfortunately for IT security professionals, keeping control of the devices is thought to be virtually impossible. The security risks introduced by personal tablets, smartphones and laptops are numerous. BYOD is seen as a data security nightmare and a security breach just waiting to happen.
But what are the risks introduced by the devices? Are they as problematic as security professionals believe?
What are the problems with Bring Your Own Device (BYOD) programs?
- Many IT professionals dislike BYOD, but it is not only for data security reasons. Managing BYOD requires a considerable amount of planning and time. IT staff are usually pressed for time as it is, and that is without having to manage personally owned networked devices. Budget increases to manage BYOD are rarely sufficient and extra staff are often not employed to cope with the additional workload.
- Devices owned by employees must be allowed access to corporate networks. They are also used to store sensitive corporate data, yet those devices are taken outside the control of the company, used at home, taken to bars and are often lost or stolen.
- The devices can cause problems with compliance, especially in highly regulated industries.
- IT professionals must ensure data can be remotely erased, and protections are put in place to prevent the devices from being infected with malware.
- Another problem is how to make sure data can be removed from the device when an employee leaves the company. Controls must therefore be put in place to ensure data can be deleted remotely, and access to corporate networks and data must be terminated.
- If data is stored on the device, it must be configured to store personal data and work data separately. The IT department cannot remotely delete all data on the device. Some will belong to the user!
There are solutions to make BYOD work effectively. Work data can be stored in the cloud, instead of the device. This makes data management much easier. Policies can be developed to ensure security vulnerabilities are not allowed to develop. Management may be complicated, but software does exist to make the process much more straightforward and less labor intensive. Many software security solutions have been developed specifically for BYOD.
BYOD may require a considerable amount of planning, and will require budgets to be allocated to ensure the devices can be effectively managed; but, if the result is a happier and more productive workforce, the benefits that can be gained by employers are too numerous to ignore.
The threat posed by hackers and online criminals is very real, but reports of instances of cybercrime may not be very reliable. When cyberattacks are announced the data can be used to estimate the current threat level. Unfortunately, not all cybercrimes are reported by companies, and even IT departments are often unaware that employees have become victims of phishing campaigns.
In certain industries, the reporting of cybersecurity incidents and data breaches is mandatory. Take the U.S. healthcare industry for example. Legislation has been introduced – the Health Insurance Portability and Accountability Act (HIPAA) – which makes it a criminal offense not to report a breach of patient data. If an organization is discovered to have violated the HIPAA Breach Notification Rule, a heavy fine can be issued by the Department of Health and Human Services’ Office for Civil Rights.
The Federal Trade Commission and state attorneys general can also issue fines. Criminal charges can also be filed against individuals for willful neglect of HIPAA Rules. Consequently, it is in the best interests of organizations to report cybersecurity incidents. The data breach reports submitted to the OCR can therefore be relied upon to be reasonably accurate, and it is possible to build up an accurate picture of the state of data security for the healthcare industry.
However, not all industries are so well regulated. A similar data breach suffered by a software company or mining operation may see the organization keep the crime quiet. Announcing a security breach has potential to seriously tarnish a brand.
If you had a choice between one company that had suffered a data breach that exposed sensitive customer data, and one that had not, which company would you choose (all other things being equal)?
Should the reporting of cybersecurity breaches be mandatory for all businesses?
Many privacy and security professionals believe it is essential to report cyber threats and security breaches, as the sharing of information can be invaluable in the fight against cybercrime. Intel sharing could make the difference between a threat being rapidly neutralized and many other organizations suffering data theft. This is an ethical responsibility. Should it also be a legal responsibility?
The United States has been proactive in the fight against Internet crime. The government and law enforcement agencies are well aware of the importance of sharing intelligence in order to tackle the increasing cybercrime threat.
In 2000, the Federal Bureau of Investigation, the National White Collar Crime Center, and the Bureau of Justice Assistance formed a task force dedicated to fighting Internet crime. The Internet Crime Complaint Center (IC3) serves as a centralized hub that receives complaints about Internet crime and processes threat intel received from American citizens and U.S. businesses. All leads received are passed on to the appropriate federal and state-level law enforcement agencies. The data received by IC3 has been instrumental in bringing thousands of Internet criminals and fraudsters to justice.
IC3 also ensures that individuals and companies suffering losses as a result of the actions of online fraudsters have someone to contact to report the crime. Other countries have started to develop task forces that perform a similar function. Victims of cyber crime are being given a single point of contact to report fraud, scams, identity theft and online extortion, and the intelligence gathered can be used to bring the perpetrators of these crimes to justice.
Harsh Penalties await Online Fraudsters and Cybercriminals
In the United States, online criminal activity carries stiff penalties. New legislation is introduced regularly to increase the punishments for individuals who turn to the Internet to commit crimes. These include:
Spamming: Under the CAN-SPAM Act, spamming is punishable with a minimum fine of $11,000. Depending on the method used to send email spam, the penalties can be much more severe. The use of spambots to collect email addresses can result in jail time, as can the unauthorized use of a computer to send spam emails.
Hacking: Hacking is a federal crime that carries stiff penalties. These are linked to the seriousness of the crime, but a spell of up to 20 years in jail is possible, as well as very heavy fines.
Identity Theft: The penalty for identity theft has recently been increased, with individuals able to be sentenced to 5 years in jail. Aggravated identity theft sentences must be served consecutively to any other sentence issued.
Make sure employees are aware of procedures to follow if a security incident is suffered
Employees falling for phishing campaigns – if they are even aware that they have – may also choose not to report the incident to their managers or IT departments. Individuals may be worried about looking stupid or, worse still, losing their jobs.
However, it is essential that all potential security incidents are reported internally. Organizations should make sure the staff is aware that the reporting of security breaches, email scams and phishing campaigns is essential to protect the business. Internal security policies must exist, and members of staff must be made aware of the correct actions to take if they have fallen for a scam, revealed sensitive information, or have received a suspicious email. Oftentimes, fast action can make the difference between huge financial losses being suffered and the threat being neutralized before any damage is caused.
While law enforcement bodies may need to be alerted to instances of identity theft and phishing campaigns, employees should have a single person within their company to whom security incidents can be reported. Every employee in an organization must be made aware of the urgency required and the individuals who must be alerted to suspicious emails and potential criminal activity. If the staff is security aware and acts appropriately, major cybersecurity losses can be prevented.
You can purchase the most sophisticated software, implement multi-layered security systems, conduct regular system scans and use a host of other security products to keep your network protected from cyberattacks. Unfortunately, all it takes is for one individual to accidentally install malware and all of your good work has been undone. That individual is likely to be one of your company’s employees, not a hacker.
Common sense is one of the best defenses
You may not be able to install defenses that offer 100% protection against intrusions, insider threats, and malicious software, but we are sure you do your best with the resources you have available. You should install software systems to protect your network, email system and web browsers, but it is all too easy to forget that one of the best ways of protecting a computer, or the network it is connected to, is to use common sense. Unfortunately, when it comes to internet and web security, many employees have very little. Consequently, they must be taught how to act appropriately.
Some employees think they have a very secure password, but oftentimes it is nowhere near as secure as they believe. It doesn’t contain any special characters, it lacks capital letters, and while it does contain numbers, only a 1234 has been added on the end. If you do not instruct employees how to create secure passwords, they will not.
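The weaknesses listed above can be checked mechanically before a password is accepted. The following is an added example written for this post, not code from SpamTitan or any product it describes; the 12-character minimum and the rule that flags a trailing run of sequential or repeated digits (the “1234 on the end” case) are assumptions chosen for illustration, and the sample passwords are constructed.

```python
import re
import string
from typing import List


def is_predictable_digits(digits: str) -> bool:
    """True for runs such as 1234, 4321 or 1111: every step between
    neighbouring digits is the same and is -1, 0 or +1."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def check_password(password: str, min_length: int = 12) -> List[str]:
    """Return a list of policy violations; an empty list means the
    password passes. Thresholds are illustrative assumptions."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Digits tacked on the end are the classic way to satisfy a "must
    # contain a number" rule without adding real entropy.
    trailing = re.search(r"(\d{3,})$", password)
    if trailing and is_predictable_digits(trailing.group(1)):
        problems.append("ends in a predictable digit sequence")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords for demonstration only.
    for candidate in ("password1234", "Tr!ckyPa55word#9"):
        verdict = check_password(candidate)
        print(candidate, "->", verdict or "OK")
```

The checker returns every violation rather than stopping at the first one, so the feedback shown to an employee explains exactly which of the rules from the paragraph above was missed.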
You must also inform them that they must not share passwords across platforms. Sure, it is a pain remembering lots of different passwords, but if one is compromised they all will be. A recent survey conducted by Trusteer, a provider of fraud protection systems, highlighted how common this practice is. Their survey revealed that 73% of computer users use the same password to access their online bank account as they do for other online services.
You may have installed a spam filter to reduce the risk of employees falling for a phishing email. The spam filter catches virtually all spam and dangerous emails, and places them in a quarantine folder. The risk of a malware infection via email will be reduced to the minimal level.
Then not just one, but a number of employees go into the quarantine folder and open an Excel spreadsheet that was quarantined because it is actually malware. Sometimes common sense disappears entirely. One company discovered that is exactly how hackers managed to gain access to a corporate network in 2011.
Not all scams and phishing campaigns are easy to identify
Sometimes a clever campaign is devised by cybercriminals to phish for information. Social media websites contain many examples of these. The British Royal Wedding last year saw one cybercriminal launch an interesting campaign to help access accounts with two-factor authentication. The scam was launched on Facebook, and you may even have seen it, or something about it.
The page helped you create your “Royal Name”. All you needed to do was enter the name of your first pet, your grandmother’s or grandfather’s name, and the name of the street where you grew up. The result could have been Tiddles Arthur Beddington. Not a particularly amusing name it has to be said, but the creator of the campaign would find it funny. Not only would those answers be helpful when attempting to guess passwords, they are also the likely answers to security questions used to gain access to internet banking websites. If your password and login name had already been compromised, you could have just given full account access to a hacker.
The importance of providing common sense training on internet security
You either have some common sense or you don’t, but when it comes to internet security, there will always be one individual who appears to have none. Make sure all of your employees are trained on the basics of internet security. Some will not know to act in a secure manner online.
A new study recently published by Osterman Research indicates there are major Facebook malware risks that many companies are not aware of. Furthermore, those risks are very real. 24% of companies have discovered malware has affected their corporate Facebook pages.
The risk of malware affecting corporate social media pages is considerable, with Facebook the main social media network that has been attacked by criminal gangs. LinkedIn and Twitter can also be risky, but only 7% of companies have had their Twitter and LinkedIn accounts infected.
The problem could actually be far worse. The study revealed that many IT security professionals were not even aware if their social media accounts had been hacked or infected with malware because they never check.
Employees’ social media use during working hours has increased significantly
Researchers at Osterman discovered the use of social media sites by employees during working hours had increased significantly over the past year. The survey results revealed that 36% of employees of corporations were accessing their Facebook accounts during office hours. Last year the figure stood at just 28%.
Use of Twitter during working hours is also increasing. Last year, 11% of employees were using Twitter at work, while this year the figure has risen to 17%. The same is true for LinkedIn, with employee use rising from 22% to 29% over the same period.
Employees are a major risk to corporate network security
It is clear that social media accounts are being targeted by hackers and cybercriminals; and, as the sites grow in popularity, the problem is only likely to get worse. Furthermore, when employees access social media sites at work they could be placing corporate networks at risk.
As more employees use social media sites during working hours, and more time is spent by individuals on those sites, the risk to data security increases. Personal information is being shared on the sites, but some employees are also sharing corporate information. Sometimes this is deliberate, other times potentially sensitive data is unwittingly shared.
Criminals trawl social media websites looking for information to launch spear phishing campaigns
A great deal of information is being posted on social media accounts. Some users choose to share their posts only with their nearest and dearest. However, friends of friends can also view posts in many cases, and even individuals who are careful about who they accept as friends, may find their content read by friends who have a much more carefree attitude when it comes to accepting new friend requests. Oftentimes, posts are made public and can be viewed via the search engines by anyone with Internet access.
Criminals are now using the wealth of information that is freely available on these social media sites to build up a considerable amount of knowledge on individuals. That information can then be used to launch highly convincing spear phishing campaigns. Those campaigns can result in user accounts being compromised, and malware being installed on the devices used to access the sites. If the site is accessed on a work computer, corporate networks could also be threatened.
Many Facebook posts contain links to phishing and malware-ridden websites
Facebook posts and pages contain useful information, details of great products, excellent jokes (occasionally), funny memes, and cool viral video content. Unfortunately, there are also links to very nasty websites. The content may be great, but the links can be a serious security hazard. Just clicking on them could result in malware being downloaded. The problem is, it can be very difficult to tell which websites are malware-free and which should carry a public health hazard warning.
An administrative assistant may click on a link, but so could an account executive, IT security professional or even a CEO. All business users could potentially fall for a scam, or be convinced to visit a website as a result of reading a post, only to end up downloading a Trojan, keylogger or nasty piece of ransomware.
Many users are not particularly security aware and end up sharing passwords between personal online accounts. Unfortunately, many also use the same passwords to access their work computers as their own personal accounts.
Even when password policies exist that force employees to use strong passwords, if malware containing a keystroke logger has been downloaded onto their work PCs, even unguessable passwords will be revealed. Once this information has been sent to the hackers’ command and control server, attacks on corporate networks can easily be launched. Should the password and login of a member of the accounts department be obtained, company bank accounts could well be emptied.
Social media malware and phishing protection is essential
All users of corporate social media accounts must exercise caution when visiting social media websites and employees must take care not to inadvertently place their employer’s network at risk of a cyber attack. Due to the high security risk, it is essential that social media use (and email for that matter) is monitored closely.
Companies that develop policies covering the use of social media websites at work are likely to be better protected from malware. Employees must also receive training on acceptable uses of social media at work and must be informed of the potential risks and social media best practices. They may be using their personal accounts at work and this could impact work computers and networks. If they are not made aware of the risks, they are likely to continue to engage in risky online behavior.
Fortunately, there are a number of tools that can be used to reduce the risk of malware infections via social media websites. Spam filters can be used to protect users from phishing campaigns sent via email and web filters can be employed to prevent users from visiting websites that are known to be risky.
Alongside training of the staff on good security practices such as archiving old emails, risks can be kept to a minimal level. If little effort is put into security, and use of social media websites is not overseen, organizations will be leaving themselves wide open to cyberattacks. Those attacks are likely to cost far more to resolve than it would have cost to pay for security training and a spam and web filtering solution.
Recent research shows that the use of social media websites at work is on the increase, with many employers seeing Facebook and Twitter usage at work as being particularly problematic. A new study from Palo Alto suggests that since 2010, the use of Facebook at work has tripled. Twitter use is also increasing, and at a far higher rate. The study showed that usage has increased by 700% during the same period.
Facebook and Twitter usage at work: Is it really a problem?
The increase in time spent on social networking websites is not all about employees accessing their personal accounts at work. Many companies have started using social media websites to connect with clients and customers. The sites are an incredibly useful way of getting closer to customers. Corporations can use social media to find out what customers really want and what they really think of the organization. They are now essential for many businesses, allowing customer service standards to be improved, while the sites can also be used to effectively promote goods and services. The latter is arguably far cheaper than TV adverts and newspaper and magazine adverts.
Nowadays, it is actually a rarity for a business not to have a Facebook and Twitter account. In many cases, companies provide employees with a range of tools to manage social media accounts to send Tweets on Twitter or post content to Facebook.
Social media introduces security risks
There is no denying that social media is useful for businesses. In fact, having corporate accounts is now sometimes considered essential. Unfortunately, the use of these websites is not without risk. Operating a Facebook page and running a Twitter account potentially exposes a company to malware, viruses, and cyberattacks. The sites take up a lot of valuable bandwidth. Social media websites can also take up a huge amount of time and produce little in the way of additional revenue. The productivity of employees can be seriously reduced if they are spending too long accessing their personal accounts.
While companies are using social media sites more, there is a concern that employees are spending too much time on the sites for non-work related matters. Many employees do spend a considerable amount of work time maintaining their own personal presence on Facebook, Twitter and Google+.
The researchers have acknowledged that employees do spend time on their own accounts, but say that much of the extra time spent on the sites is in fact work-related. Consequently, it has been suggested that employers should not be overly concerned about the rise in reported social media use at work.
While it is a fairly easy process to determine how long is spent on social media sites, it is not quite so easy to calculate how much time is spent on work-related matters and how long employees are spending on their own accounts. Any company concerned about personal use of social media accounts should develop clear policies on acceptable use of social media websites. That is arguably the easiest first step to take to address personal use.
Personal use of the sites must be monitored and managed, and it is vital that policies are developed to tackle personal use. That includes the time spent on the sites as well as the information that is posted. Facebook and Twitter usage at work is likely to be a problem if controls are not put in place to limit access, or if policies are not developed to determine acceptable levels of Facebook and Twitter usage at work.
Get the balance right and social media can be of great benefit to your business, but get it wrong and it will just be a huge drain on time, resources and money. It could also result in your systems being compromised. Social media sites contain a considerable amount of malware, and phishers use posts to trick users into revealing personal and corporate information.
Some employers may feel the security risk from Facebook and Twitter usage at work warrants a company-wide ban on site access in the workplace. If that is the case, a web filter is the easiest way to block usage. A flexible product will also allow usage for certain departments to ensure that corporate accounts can still be accessed, or can be used to block malware without blocking access to the actual websites.
Last week, SpamTitan issued a press release about its new social media cost calculator. The calculator was developed to help companies estimate the amount of man hours (and therefore money) they are losing as a result of employees accessing social media websites at work. The SpamTitan social media cost calculator has proved popular and attracted a great many online comments.
Calculating the true cost of social media site use by employees
In order to calculate the true cost of social media, SpamTitan took a close look at social media usage statistics. An average profile for a typical organization was created and data was extrapolated to provide an estimated annual cost.
The results of the calculations showed that a typical company loses approximately $65,000 every year as a result of employees spending time checking and posting information on Facebook, Twitter, LinkedIn and the myriad of other social media and social networking websites. SpamTitan calculated that the figure corresponds to 5% of every employee’s salary being wasted on personal social media use.
Many of the comments came from individuals who thought we were suggesting that all organizations should install a web filter and implement a company policy that bans the accessing of all social media sites at work. This was not our intention. There are advantages to allowing members of staff access to social media sites at work. There are also many disadvantages to banning access. Managers will be well aware that social media websites are being accessed by employees, and that employees spend a considerable amount of time on those websites. What they perhaps do not know is how much time is spent, and how much this is costing them. That is information they need to know.
Should social media site access be banned at work?
Companies should make a decision about the use of social media at work. They will need to assess the benefits of allowing the staff some “Facetime”, and the disadvantages from the loss of access rights. There are also many legal considerations, and the accessing of these sites also raises a number of privacy and security concerns.
Many organizations may like to ban the accessing of the websites; but, in reality, doing so is complicated. It is not possible to implement a web filter that blocks all social networking and social media sites for everyone in the organization. The marketing department will need to access those websites. The IT department may need to as well for work purposes. A company-wide ban may not be realistic.
Some employees may only spend a few minutes a day on the sites, or may access them when they do not have work duties to complete. Some may only use the websites during coffee breaks. Should those individuals be banned from using the sites when it doesn’t impact on their work duties?
Something else worth considering is whether it is better to allow staff to use their work computers to access the sites than to have employees access them surreptitiously on their smartphones. Is it better to be able to monitor use of the sites?
One of the most workable solutions is to put policies in place covering the use of social media websites and to instruct employees that the use of the sites must be kept to a minimum. If used in moderation, social media site usage need not result in a major cost to the business. However, it must be possible to control use of the sites and, for that, a web filter can be highly beneficial.
Provided that the chosen web filtering solution is flexible, and can allow controls to be put in place for the entire organization, departments’ – or individuals’ – usage can be effectively controlled without implementing a blanket ban. The same web filter can also be used to block other websites – those containing malware.
Would a social media site ban work in your organization? Would productivity fall further due to unhappy staff?
There was a buying frenzy following the release of the new .xxx suffixed domains. Pornographers, Internet marketers and entrepreneurs competed to secure the hottest and rudest of them. Now that the first of the .xxx websites have gone live, there has been further talk about compartmentalization of the Internet, with the possibility of all pornographic websites being confined to those sites with a .xxx suffix. However, will the .xxx domains make web filtering pornography any easier?
ICANN releases .xxx domains for sale
The Internet Corporation for Assigned Names and Numbers, or ICANN as it is better known, created the new top-level Internet domain specifically for websites of an adult nature. The long term view was to eventually move all pornographic websites to the .xxx domains. This could clean up the Internet and make it much easier for parents and businesses to block pornographic websites. It is, after all, much easier to block a single domain type than to implement web filtering to prevent all websites containing pornographic material from being viewed. IT security professionals and individuals who want to stop porn from being accessible via their computers, phones, and tablets could therefore just block the .xxx extension.
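Two passages in this section describe the same filtering logic: the flexible web filter above, which blocks malware for everyone while letting only certain departments reach social media sites, and the idea here of blocking an entire top-level domain such as .xxx. The following policy resolver is an added example illustrating both, written for this post and not taken from SpamTitan or any other product; the rule structure, the first-matching-rule precedence, the group names and the tiny category table are all assumptions, and the domains and URLs are constructed samples rather than real categorisation data.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    """One filter rule. A rule matches when every set field matches;
    an empty `groups` set means the rule applies to every user."""
    action: str                       # "allow" or "block"
    category: Optional[str] = None    # site category, e.g. "social"
    tld: Optional[str] = None         # top-level domain, e.g. "xxx"
    groups: FrozenSet[str] = frozenset()


# Constructed sample categorisation; a real filter uses a vendor feed.
CATEGORIES = {
    "facebook.com": "social",
    "twitter.com": "social",
    "linkedin.com": "social",
    "malware-example.test": "malware",
}

# Rules are evaluated top to bottom and the first match wins, so the
# organisation-wide malware and .xxx blocks sit above the per-group
# social media exception, which in turn sits above the general block.
POLICY: List[Rule] = [
    Rule("block", category="malware"),
    Rule("block", tld="xxx"),
    Rule("allow", category="social", groups=frozenset({"marketing", "it"})),
    Rule("block", category="social"),
]


def hostname(url: str) -> str:
    """Extract the lower-cased host from a URL, dropping any port."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def categorize(host: str) -> str:
    """Walk from the full host up through its parent domains so that
    www.facebook.com inherits the category of facebook.com."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return "uncategorized"


def rule_matches(rule: Rule, host: str, category: str, groups: Iterable[str]) -> bool:
    if rule.category is not None and rule.category != category:
        return False
    if rule.tld is not None and host.rsplit(".", 1)[-1] != rule.tld:
        return False
    if rule.groups and not rule.groups.intersection(groups):
        return False
    return True


def decide(url: str, groups: Iterable[str], policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, reason) for a request. Anything no rule covers
    is allowed, which is the usual default for a category filter."""
    host = hostname(url)
    category = categorize(host)
    groups = set(groups)
    for rule in policy:
        if rule_matches(rule, host, category, groups):
            return rule.action, f"{rule.action} by rule {rule}"
    return "allow", "no rule matched"


if __name__ == "__main__":
    # Constructed sample requests from users in different departments.
    for url, user_groups in [
        ("https://www.facebook.com/ourcompany", {"marketing"}),
        ("https://www.facebook.com/", {"sales"}),
        ("http://malware-example.test/download", {"marketing"}),
        ("https://www.example.xxx/", {"it"}),
        ("https://www.example.com/", set()),
    ]:
        print(url, sorted(user_groups), "->", decide(url, user_groups)[0])
```

Because the malware and .xxx rules come first, a marketing user who is allowed onto Facebook is still blocked from a malware site and from any .xxx host, which is the “block malware without blocking the actual websites” behaviour described above; a sales user with no exception hits the general social block.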
There is a problem of course. Owners of adult websites have been buying up new domain names in the thousands, but will they redirect their current .com, .co.uk, .org and .net sites to the new .xxx domains?
Of course they won’t. They’ve just been given even more domain names to fill with pornography, and any redirects are likely to come from the .xxx domain names back to their main, well-established websites.
Unless laws are introduced to force purveyors of adult content over to the new domains, the online adult entertainment industry will simply not make the switch. Some firms will undoubtedly activate their new xxx websites, but unless everyone does, the initiative will be seen to have failed and web filtering pornography will be no easier.
Will the XXX domains make web filtering pornography any easier?
Potentially, the creation of the new domain will make it easier to filter some adult sites, so it will make the job of web filtering a little easier. Advocates of the new domain claim that the creation of these sites is a step in the right direction. The .xxx domains will make it easier to filter adult content (and easier for people who want access to the sites to remember the correct suffix). At some point in the future, laws can be introduced to force adult content into an easily blocked section of the Internet.
However, cynics will quite rightly point out that current website owners who have invested a considerable amount of time, resources and money into promoting their .com sites and building links are not going to let all that effort and investment go to waste. The new domain suffix may therefore just have given pornographers the opportunity to create a lot more websites.
There is another problem. Many individuals and companies make a living out of buying up domain names in the thousands. These cybersquatters purchase domain names at a low price, at $10 a pop for instance, and then list them for sale for hundreds or thousands of dollars. They buy up existing companies’ brands and will only sell them on if their asking price is met. Many companies will therefore not be able to buy the .xxx equivalent of their current site.
Do you think the creation of the new domains will make web filtering pornography any easier? Will Internet surfers still be bombarded with pornography?