Phishing Training is a Critical Component of Any Security Strategy
Phishing attacks are some of the most common threats out there. Hackers will craft messages or web pages designed to harvest information from your employees, be it through suspicious requests for credentials via email or through false websites that look so much like the real thing that it’s no wonder they were tricked. How can you make sure that your employees don’t fall for these dirty tricks? It all starts with comprehensive phishing training.
So, what goes into a successful phishing training program? Let’s take a look.
Phishing training involves exposing your team to simulated real-world scenarios in which they might encounter a phishing scam. It’s worth mentioning here that phishing can potentially involve much more than just a simple email containing requests for sensitive information or forms on websites asking for credentials. Phishing can come in the form of phone calls, text messages, and other communication mediums. Therefore, it becomes of critical importance that your staff have the skills needed to identify these phishing scams in whichever form they take.
As for what this phishing training might look like, it depends on the context. Training might take a more passive approach with videos, but it also takes on more active approaches with interactive workshops and hands-on training exercises.
One of the best ways to get a feel for how well your employees understand phishing attacks is to test them without them knowing it using these simulated attacks to see who takes the bait and who doesn’t. In this way, you can get a sense for how they would react under normal everyday circumstances. This type of threat awareness is important to gauge where your employees are in regards to cybersecurity, and it can give you an idea of which employees need further training.
We want to emphasize that phishing training is not about calling employees out on reckless behavior; rather, it’s about corrective practices that can help your business stay as secure as possible long-term. It is better to find out which of your employees struggle with identifying phishing attacks in simulated situations than when the real deal strikes, after all.
Look, we all want to trust our employees to do the right thing and know better than to click on suspicious links in emails, but at the end of the day, wanting something and actually getting it are two entirely different things. We need to accept reality and admit that hackers can and will succeed in their phishing attempts if we don’t do anything to prevent them. The best way to keep phishing attacks from becoming a nightmare scenario for your business is to implement comprehensive training practices and consistently reinforce them with your staff.
Point North Networks, Inc., can give your employees the training they need to keep from falling victim to phishing attacks. After working with our trusted IT professionals, your employees will know how to identify phishing attacks and how to appropriately respond to them without risking your organization’s security. To learn more about our phishing training and other security services, reach out to us at 651-234-0895.
Privacy Engineering is the Key to a More Secure Future
Minimise Your Organization’s Privacy Risk Through Privacy Engineering
Data privacy is a bit of a hot topic in today’s business environment, especially with high-profile hacks and ransomware attacks emerging and putting organizations at risk. In particular, the emerging concept of “privacy engineering” has a lot of businesses thinking about how they can secure their organization and future-proof their data privacy infrastructures.
Let’s discuss what privacy engineering is, as well as what some big names in the industry have to say about the future of data privacy.
What is Privacy Engineering?
The International Association for Privacy Professionals, or IAPP, defines privacy engineering as “the technical side of the privacy profession,” which can mean any number of things. For some, it is making sure that the processes involved in product design take privacy into consideration.
For others, it might mean the technical knowledge required to implement privacy into the products. At the end of the day, it seems there is a general consensus that privacy engineering is the consideration of privacy, from a user’s standpoint, throughout the production process, from conception to deployment. Simply put, it concerns the personal data collected as well as what happens when an organization or a hacker can access personal data.
This is notable for a couple of reasons. Systems and products that take privacy into consideration at every stage of development, and incorporate consent management and data subject access requests will be much more consumer-friendly.
Users can be more confident that their privacy has been considered through each stage of the process and that their personal data is safe, making them much more likely to buy the product. When products have a reputation for avoiding personal data collection for their own benefit, it would be no surprise to see profits increase.
This sets off a chain reaction for businesses that create these products which have privacy management at their core, increasing their bottom line. When businesses achieve this level of success simply by means of averting privacy risks, the value of the company increases, leading to more investors and the production of similar goods or services.
Furthermore, since data protection, privacy controls, and security are such an important part of modern computing, these types of investments are relatively safe from a shareholder’s point of view, as organizations that invest in products that meet specific regulations and set these high standards are more likely to persist into the future.
You can see how this all shakes out; in the end, the concept of privacy engineering is beneficial to both the consumer and producer. Therefore, placing your bets on technology that facilitates, and privacy engineers who can enable the design of such products is a great way to invest in your own company’s future.
What Does the Future Hold?
Back in 2020, Gartner made some predictions for where the constantly evolving discipline of data privacy was heading in the years to come. Here are some insights from their report:
Proactive Security and Privacy Are Better
When you take measures to build security and mitigate privacy risks in operations, you are more likely to build trust and adhere to regulations. We preach this all the time; it is easier to prevent issues from emerging than reacting to those that are already here. If that’s your default setting.
Increased Reach of Security Regulations
According to Gartner, 65% of the world’s population will have their privacy governed by some sort of data privacy laws or regulations by the year 2023. This is notable, especially with the rise of regulations like GDPR.
The Rise of a Privacy Officer
By the end of 2022, 1 million organizations will have appointed a data privacy officer or dedicated privacy engineering teams. Having someone within your organization whose sole responsibility is to keep you compliant with legal requirements and legal considerations means that you can rest easy knowing that you are doing all you can to make sure it stays that way.
Don’t Wait to Get Started
Point North Networks, Inc., can help your business ensure it is implementing adequate data privacy and security standards to protect the privacy and ensure risk-free data operations all across your infrastructure. To get started, reach out to us at 651-234-0895.
Frequently Asked Questions About Privacy Engineering
What are the 3 primary issues in privacy?
When it comes to data systems, the most pressing privacy issues include Data Tracking, Data Hacking, and Data Trading.
How can Privacy Engineering help Technology Companies?
Modern day technology companies are going out of their way for embedding privacy as a core feature in their products as well as business processes, while still enabling faster and more extensive access to data. In doing so, their ability to anonymize the data stored, build processes for data mapping without divulging personally identifiable information, and innovation all accounts for a competitive advantage!
Are there any disadvantages of Privacy Engineering?
As is the case with any new technologies, even privacy engineering comes with certain limitations, including the following –
- It has numerous legal requirements, some of which aren’t completely formulated yet
- The onset of newer technologies may cause unwanted and unforeseen violations
- The need for specialized privacy engineers and other privacy professionals, may make this endeavour rather expensive
Hackers Use the Pandemic to Send Out Phishing Threats
The first half of this year has seen its fair share of ups and downs, especially on a global scale. With a global pandemic still taking the world by storm, it’s despicable that hackers would take advantage of the opportunity to make a quick buck using phishing tactics. Yet, here we are. Let’s take a look at how hackers have turned the world’s great misfortune into a boon, as well as how you can keep a lookout for these threats.
According to reports from SecureList, spam and phishing trends in Q1 of 2021 relied heavily on COVID-19 and the buzz generated by it. Let’s take a look at some of the major threats that took advantage of the pandemic.
Stimulus Payment Scandals
The first couple months of 2021 saw businesses and individuals receiving payments from governments, such as economic impact payments or business bail-outs. Hackers took advantage of this opportunity to try to convince users to hand over their credentials through the use of messages that both looked and sounded professional. As is often the case with phishing messages, some users of specific banks were targeted through the use of near-identical websites designed to steal credentials and fool users. Others tried to convince users to enter information by convincing them that the latest details on the bank’s COVID-19 practices could be found on the other side of links or sensitive information forms.
The Vaccine Race
For a while, the COVID-19 vaccine was a bit tricky to get your hands on. While things have improved significantly in recent months, the initial rush to get vaccinated triggered many would-be hackers to try their hand at vaccination phishing emails that replicated the look and language of communication from health officials. Users would have to click on a link in the message, which would then redirect them to a form for plugging in personal information and, in some cases, banking credentials. Even those who already received vaccinations were not safe, as there were fake surveys circulating urging people to fill them out and claim prizes for doing so.
What You Can Do
Don’t let hackers take advantage of the cracks in your business’ defenses. Phishing attacks can come in countless forms, so it is your responsibility to protect your business from them. Here are some ways that you can make sure your organization is secured from phishing attempts.
Filter Out Spam
A spam filter can keep the majority of threats out of your inbox, but the unfortunate fact is that most phishing emails are probably going to make it past the spam filter. Therefore, you will want to take more advanced tactics against these threats.
Train your Employees
Training your employees on how to identify threats gives them the power to avoid threats that do manage to get past your defenses. Teach them what to look for and you’ll be giving yourself a better chance of overcoming them.
Implement Unified Threat Management
No matter how well trained your employees are, it helps to have just a little bit of reassurance that you have done all you can to secure your business. This is what a UTM does; it’s a single security solution that can optimize your network’s protection.
Point North Networks, Inc., can help your business keep itself secure. Not only can we implement great security solutions, but we can also help to train your employees, including regular “tests” where we send out fake phishing emails to see who is and is not paying attention. To learn more about how this can help your organization, reach out to us at 651-234-0895.
Hackers Spark Major Gas Crisis Throughout the Southern U.S.
You’ve probably heard by now, a Russia-based hacking collective by the name of DarkSide targeted Colonial Pipeline, a company that supplies nearly 45 percent of the fuel used along the Eastern Seaboard of the United States, with a ransomware attack. Not only does this hack have an effect on fuel prices and availability, it highlights just how vulnerable much of the nation’s energy infrastructure is. Let’s discuss the details of the hack and the raging discussion about cybersecurity that’s happening as a result.
The Facts Surrounding the Hack
On Friday, May 7, 2020, Colonial Pipeline had to shut down operations after a ransomware attack threatened to spread into critical systems that control the flow of fuel. Almost immediately gas prices started to jump in the region, averaging around six cents per gallon this week. The pipeline, which runs from Texas to New York, transports an estimated 2.5 million barrels of fuel per day. The shutdown has caused some fuel shortages and caused panic buying in some southern U.S. states. Administrators said that the ransomware that caused the precautionary shutdown did not get into core system controls but also mentions that it will take days for the supply chain to get back up and running as usual again.
Who Is DarkSide?
The hacker group DarkSide is a relatively new player, but it has set its sights high. The group claims to be an apolitical hacking group that is only out to make money. In fact, they put out the following statement after the FBI started a full-scale investigation of the group:
“Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
DarkSide seems to be a professionally-run organization that deals in ransomware. They follow what is called the Ransomware-as-a-Service model, where hackers develop and sell their ransomware to parties looking to conduct operations like the one that stymied Colonial Pipeline. They also are known for their “double extortion” methodology, where they threaten to take the data they encrypt public if their demands aren’t met. Their ransom demands are paid through cryptocurrency and have only been in the six-to-seven figure range.
What’s interesting is that the group seems to have its own code of ethics, stating that they will never attack hospitals, schools, non-profits, or government agencies. Either way, their current attempt at extortion has made a mess for millions of Americans.
Problems Securing Infrastructure
Even before the world completely changed, cybersecurity analysts were recommending that more had to be done to protect aging utility systems around the world. Back in 2015, hackers took down a power grid in Ukraine and left 250,000 people without electricity, and it caused some movement to improve system security, but nowhere near as much as is required. Now, with the push to use renewable energy and more efficient systems of deployment, more technology has been added to these systems than at any time in history. These smart systems, coupled with a resounding lack of security, means that the next cybersecurity catastrophe is just around the corner.
The pandemic didn’t help matters. Systems that are being updated are increasingly being connected to public and private networks for remote access. All it takes is one vulnerability and hackers can exploit and take control of systems that affect the lives of millions of Americans. Hackers causing a gas shortage is scary, but hackers taking down power grids or other systems that the public depends on to live could be looked at as an act of war.
The scariest part is it seems as though no system is immune to these problems. According to CISA, the Colonial Pipeline hack is the fourth major cyberattack of the past year. You have the Solar Winds breach that allowed Russian Intelligence to infiltrate thousands of corporate and government servers; an attack where Chinese nationals rented servers inside the U.S. to invade a still unnumbered amount of Microsoft Exchange servers; and a still-unknown hacker that hijacked a tool called Codecov to deploy spyware on thousands of systems.
Microsoft is widely renowned as being at the forefront of cybersecurity and Solar Winds is itself a cybersecurity company. This tells you a little bit about where we are about protecting essential systems. It’s not a good situation.
While you can’t always worry about cybersecurity everywhere you are, you have to prioritize it for your business. If you want to talk to one of our security experts about your cybersecurity, give Point North Networks, Inc., a call today at 651-234-0895.
A Company’s Boss Needs to Take the Lead on Cybersecurity
Cybersecurity is critically important to businesses of all sizes, which means that all businesses need to put forth a concerted effort to ensure their security is locked down. This, in turn, will require someone to take point on developing a cybersecurity-focused internal culture.
Who better to do this than the boss?
Here’s the deal: it doesn’t matter how advanced your cybersecurity solutions are, or how recently your team updated their passwords. No amount of cybersecurity safeguards will protect you if your team members aren’t behaving in a security-conscious way.
The Importance of a Cybersecurity-Centric Company Culture
Have you ever heard of social proof? While it is more often a term associated with marketing, describing how people can be convinced by testimonials from their peers and contemporaries, it can play a significant role in shaping your workplace environment… although this can be a double-edged sword.
Basically, the culture around your cybersecurity will reinforce itself over time.
Let’s say that John Doe gets a job with a company, and is busy getting set up with network access and permissions to everything he will need to do his job. With a poor cybersecurity culture in place, his coworkers may suggest he just repeat his username as his password, or take some similar shortcut. If the whole department insists that this practice is okay and accepted, it’s likely that John will do just that. What’s more, old Johnny boy will likely amplify this message to Jane, the next person hired, and so on and so forth.
However, if we take this same scenario and change just one detail—the message that the team shares with their new coworker—the outcome could be much, much different. If company policies outline the expectation that passwords will meet a set of best practices and the employees emphasize this in their day-to-day, it is far more likely that they will be upheld.
The Boss is the One Who Sets the Tone in the Business
So, apart from turning your employee handbook into a glorified cybersecurity dream journal, what can you do to infuse security awareness into your day-to-day? There are a few things, actually:
- In addition to implementing password policies, you can enforce them by only permitting passwords that meet these policies to be accepted.
- In addition to establishing access controls, you need to audit your protections at regular intervals to identify any overlooked weak points, civilly calling attention to these shortfalls as you encounter them.
- In addition to adding security training into your onboarding processes, you should periodically have your employees go through a refresher training course on occasion.
As the business’ leader, it is on the boss to take the lead in all things. Security is not where you want to make an exception. Point North Networks, Inc., is here to facilitate your improvements to your cybersecurity. Reach out to us today by calling 651-234-0895 and find out the many ways that we can assist you in improving your business—whether it’s regarding your security, your processes, or any other IT considerations.
Patch Management and How It Can Save Your Business
Software runs our lives. It certainly runs your business. What if I told you that this essential cog in your business’ operations can also be the thing that is most susceptible to being exposed by outside attackers? It’s true, software can be the very door that hackers and scammers need to get into your network and run amok. Let’s take a look at the unsung service that is patch management and why it is so important.
For the first years of managed IT services, patch management was more of a value proposition than it was a crucial part of the offering. Today, the script has officially flipped and it is no longer perfunctory, but crucial. This is because threats have changed. In fact, they’ve changed for both the business and its IT service provider.
MSPs and IT departments use software known as Remote Monitoring and Management (RMM) tools to cover all the ends of a business’ IT infrastructure and network. As the core software that allows IT experts to keep a watchful eye over their domain, IT providers were horrified to learn that hackers with a keen eye for opportunity, hacked into unpatched RMM software and were able to not only able to access that company’s information, but other companies that were being managed by the platform. These hackers exploited these vulnerabilities and injected malware into all managed systems. We don’t have to tell you, that’s not a good look for any service provider.
That’s just an anecdote, sure, but it goes to show what can happen if your software isn’t patched and updated properly.
Challenges of Patch Management in 2021
Managing software updates isn’t a very easy process anyway, but with all that has happened recently, patch management has become extremely difficult. With growing complexities of remote workers, cloud platforms, the immense amount of software that an organization uses, and the rapid-fire updates being developed, it isn’t as simple as signing in and updating eight files once a month. You really have to stay on top of it to ensure that your network and infrastructure are properly protected.
A big challenge for IT teams concerning patch management is actually downtime. When software is patched, systems typically need to reboot. This can be a real hindrance to productivity if it is done while someone is working. Most IT administrators won’t make people restart in the middle of the workday, but then they have to remember to reboot these machines when they are not in use. Forgetting is just like not patching the system in the first place, so coordinating patches and reboots at a time when people aren’t working is its own challenge.
It’s a fact that most vulnerabilities that are exploited are over six months old. This tells you that somewhere along the way that either patches and updates were overlooked, or they weren’t properly coordinated in the first place. Combine all that wrangling with the fact that sometimes patches simply don’t “play nice” with corresponding systems and cause more headaches and hand wringing and you have a complicated and often frustrating task list that is just a fraction of the IT admins’ responsibilities.
Some MSP Patch Management Tips
Of course, the best way to get comprehensive patches and updates is to outsource your patch management to a managed IT services provider like Point North Networks, Inc. Any business can save time and money by relying on our certified technicians to ensure that your systems are up-to-date and patched correctly. Furthermore, we won’t cause any downtime as we will schedule patches for times when traffic is low or non-existent.
If you insist on doing your own software maintenance, a couple of tips that you should adhere to include:
The first thing you should consider is to understand all the software your company is using officially and ensure that you are up to date with all the relevant patches. Missing software updates, while probably not the end of the world for an individual, is a horrible practice for any business.
You’ll also want to schedule maintenance on some machines as soon as possible after official software updates are released and if there are no problems, schedule maintenance on all other machines the following week. The test group will go a long way toward exposing any possible hiccups you may be facing.
Software is extremely important to your business, and your business is extremely important to your employees and customers. In order to keep it that way, you will need to ensure that your software systems are patched and updated regularly. To talk to one of our It professionals about patch management, co-managed IT services, or comprehensive managed IT services, give us a call today at 651-234-0895.
Companies Need to Keep Their Vendors’ Security In Mind
Data breaches have a tendency to destabilize relationships. With so many data-related problems befalling businesses nowadays, it is important that each side of every data-driven relationship understands their role in the protection of other organizations’ data. Today, we’ll take a look at the issue and how to determine if your partners are putting in the effort required to keep your data secure.
Are Your Vendors Properly Protecting Your Information?
We’ve seen businesses have a litany of challenges protecting their sensitive data over the past several years, and as threats get more sophisticated it poses more problems. Additionally, many businesses outsource a fair amount of their operational and support efforts and that can have a negative effect on their security.
So, how do you know that your vendors are protecting your information?
You ask them, of course.
Before you onboard any new vendor, you should come up with a questionnaire that asks the right questions about how they handle their own cybersecurity, and more specifically (and importantly) how they go about handling your information.
At Point North Networks, we do this for all of our clients to ensure that they are partnering with reliable companies that, at the very least, are attempting to do the right things to protect sensitive information.
Questions You Should Ask Your Vendors
The first thing you should consider when making up some questions to ask your vendors about security is: do you understand the answers? If you don’t know what you are doing, you could just assume any thoughtfully answered response would be sufficient. This is far from true and is a liability, especially in trying to ascertain what risk your business is facing by doing business with a company. We can’t stress enough that if you don’t have someone that knows what they are doing, you need to find someone, as this will serve you much better in times like this.
Let’s go through a couple of important questions you should ask if you do have the competence available to sufficiently measure risk from the answers:
- Do you collect, store, or transmit personally identifiable information (PII)?
- If so, do you store your PII onsite or in the cloud?
- How do you provide users access to the PII you store?
- Can PII be accessed remotely?
- Do you constantly monitor all services, systems, and networks?
- What regulatory bodies does your business operate under? Do you have proof of compliance?
- What kind of encryption do you use for data-at-rest? Data-in-transit?
- Do you consistently patch your software?
- Do you have mobile device management and IoT management systems?
- Do you utilize legacy systems that aren’t supported by manufacturers?
- What cybersecurity tools do you use?
- Do you have language in your agreements about vendor cybersecurity?
- How are your continuity systems?
- How would you go about the situation in the event of a data breach?
- What authentication procedures do you use?
- Do you train your employees on the best practices of cybersecurity?
There are many more questions you can ask, and you should ask them if you find them necessary. Vetting your vendors is a great way to know if they have your best interests in mind.
If you would like to partner with a company that not only has your best interests in mind, but also can help you ascertain if your other partners do as well, give Point North Networks, Inc., a call at 651-234-0895 today.
Your Guide to the Modern Varieties of Cybercriminal
There is an entire litany of stereotypes that are commonly linked to the term “hacker”… too many for us to dig into here, especially since they do little but form a caricature of just one form that today’s cybercriminal can take. Let’s go into the different varieties that are covered nowadays under the blanket term of “hacker,” and the threat that each pose to businesses today.
To give this list some semblance of sensible order, let’s go from the small fish up to the large players, ascending the ladder in terms of threats.
The Ethical Hacker
First and foremost, not all hackers are bad. Certified Ethical Hackers are high-profile cybersecurity experts that are designed to think like a cybercriminal. They can be employed to determine how secure your organization is.
The Unintentional Hacker
We all make mistakes, and we can all get a little bit curious every now and then. Therefore, it stands to reason that this curiosity could get people into trouble if they were to find something—some mistake in its code or security—on a website. This is by no means uncommon, and the question of whether this kind of hacking should be prosecuted if the perpetrator reports their findings to the company has been raised by many security professionals.
Regardless, if someone can hack into a website without realizing what they are doing, what does that say about the security that is supposed to be protecting the website… or, by extension, a business’ network? Whether or not you take legal action, such events should never be glossed over and instead be addressed as growth opportunities for improving your security.
The Thrill Seeker
Each of the hackers we’ll cover here has their own motivation for hacking into a network. In this case, that motivation ties directly back to bragging rights (even if the hacker only ever brags about it to themselves). While these hackers were once far more common, the heightened accountability and legal consequences that such behaviors now bring have largely quashed the interest in such hacking. Many of those that would have once been interested in this kind of hacking are now focused on modifying hardware over software, turning to interest-based kits like the Raspberry Pi and others to scratch their “hacking” itch.
The Spammer
Adware—or a piece of software that hijacks your browser to redirect you to a website hoping to sell you something—is a real annoyance, as it wastes the user’s valuable time and energy. It also isn’t unheard of for otherwise well-known and legitimate companies to use it in their own marketing, despite the risk they run of having to pay regulatory fines due to these behaviors.
While the real damage that adware spamming can do may seem minimal, it is also important to put the nature of these efforts into perspective. An adware spammer will use the same tactics that other serious threats—things like ransomware and the like—are often spread through. If you’re finding your workstations suddenly inundated with adware, you are likely vulnerable to a much wider variety of threats than you might first assume.
The Botnet Recruiter
Some threats to your network aren’t even technically directed toward your business itself. Let me ask you this: would you see it as a threat to have your computing resources taken over and co-opted for another purpose? After all, the result is effectively the same as many more directly malicious attacks—greatly diminished productivity and efficiency.
This approach is quite literally how a botnet operates. Using specialized malware, huge numbers of otherwise unassociated machines can be taken under control and have their available resources directed toward some other means. A particularly famous example of a botnet’s power came just a few years ago, when a botnet was utilized to disrupt the services of Dyn, a DNS provider. This took popular websites like Twitter and Facebook down for several hours.
Missing or neglected patches are one of the simplest ways for a botnet to claim your resources as its own—particularly when login credentials haven’t been changed.
Hacktivists
While political activism can be a noble cause, the hacktivist goes about supporting their cause in a distinctly ignoble way. Operating in sabotage, blackmail, and otherwise underhanded tactics, a hacktivist that targets your company could do some serious damage—despite the good that most of these groups are truly attempting to do.
Of course, the law also doesn’t differentiate between different cybercrimes based on motive, making this form of protest particularly risk-laden for all involved.
The Miners
The recent cryptocurrency boom has seen a precipitous uprising in attacks that try to capitalize on the opportunity, using tactics that we have seen used for good and bad for many years now. Above, we discussed the concept of a botnet—where your computing resources were stolen to accomplish someone else’s goal. However, the practice of utilizing borrowed network resources is nothing new. The NASA-affiliated SETI (Search for Extraterrestrial Intelligence) Institute once distributed a screen saver that borrowed from the CPU of the computers it was installed on to help with their calculations.
Nowadays, cybercriminals will do a similar thing, for the express purpose of exploiting the systems they infect to assist them in hashing more cryptocurrency for themselves. The intensive hardware and utility costs associated with mining cryptocurrency often prohibit people from undertaking it on their own—so enterprising hackers will use their malware to find an alternative means of generating ill-gotten funds.
The Gamers
Despite the dismissive view that many have towards video games and their legitimacy, it is important to remember that the industry is worth billions (yes, with a “B”) of dollars, massive investments into hardware and hours poured into playing these games. With stakes that high, it is little wonder that there are some hackers that specifically target this industry. These hackers will steal in-game currency from their fellow players or launch their own distributed denial of service attacks to stifle the competition.
The Pros-for-Hire
The online gig economy has become well-established in recent years—where a quick online search can get you a professional to help you take care of your needs, whether that be for childcare or for car repairs or any other letter of the alphabet. Similar services exist for directed cybercrime efforts as well.
Using a combination of home-developed malware as well as examples that they’ve bought or stolen themselves, these professionals will license out their services for a fee. Whether it’s a governmental body seeking sensitive intel or a business seeking to undermine a competitor, these mercenaries can pose a significant threat against anyone who lands in their crosshairs.
The Thief
On a related note, a lot of modern cybercrime is simply a digitized version of crimes we have seen in years past. Without another stagecoach to hold up, highway robbery has simply been shifted to the information superhighway, the stick-‘em-up translated to ransomware, dating scams, or denial-of-service attacks. The overarching motivation behind most of these efforts is simple: illegitimate fiscal gain.
The Corporate Crook
Corporate spying is a decidedly more direct version of the pro-for-hire trend that we discussed above, where a hacker will target a business’ documents and resources to help their competition in any way they can. While there may not be honor among thieves, there can be amongst the businesses that these thieves will try to sell stolen data to, as some companies have reported the theft after being approached.
The Nation State
Finally, we come to perhaps the biggest threat out there to many: massive teams of professional, government-employed hackers working to undermine the operations and machinations of other nations—both in their governments and their industries. This is generally intended to put the other nation in a diminished position should hostilities ever erupt.
If you remember the 2014 satirical movie The Interview—and more pertinently, the hack that Sony Pictures suffered in retaliation for the film—you’re aware of a very recognizable example of this kind of threat actor.
Clearly, the idea of a hacker that so many have is far too minimalistic to be relied upon anymore… especially if you’re staking your company’s cybersecurity preparedness on it. That’s why Point North Networks, Inc., is here to help. Our professionals are well-versed enough in best practices to help prepare you to deal with a much more realistic cyberattack. You just have to reach out to us at 651-234-0895 to get started.
How’s Your Password Hygiene?
I’m not sure we need to tell you how important passwords are: they are the front-line defense to most of the accounts you create. What is often overlooked is the strategy of how to use a password to successfully protect accounts and data. Today, we will discuss best practices when creating and managing your passwords and how you are likely approaching your password strategy improperly.
Creating Strong Passwords
It’s true that passwords can be a pain to manage. Anyone who has been locked out of an account because they can’t remember their password knows this all too well. That’s why it is important to create passwords that are both easy to remember and that are secure enough to protect you. Cybercriminals have tools at their disposal that do a pretty good job of being able to crack passwords, so you need to keep that in mind when you are choosing yours.
As you set out to create your passwords, you should keep the following two points of emphasis in mind.
- A hacker may try to brute force attack any password that cannot be guessed or cracked, rapidly trying each combination possible.
- A password’s security and its resistance to brute force attacks are two different things.
Brute force attacks can really be devastating, but when you create your passwords, you have to keep in mind that any hacker with the will to brute force your computing network and left with the time to complete their hack, will likely find a way into your network. What you are doing when you are selecting a strong, memorable password is trying to make certain that the only way they are cracking your password is through brute force.
Typically we like to encourage that your passwords meet the following metrics:
- Are longer, typically over 16 characters
- Use a combination of numerals, letters (with upper and lower case characters), and symbols
- Don’t use privileged or personal information, or any information that can be tied to you through online searches
- No common words or numbers
- No consecutive letters or numbers
So How Do You Optimize Your Password’s Effectiveness?
With those practices, you will be pretty far along, but you also have to understand that the hackers’ tools are extremely powerful. That’s why on top of those suggestions, you will also want to add some complexity to your passwords. Studies have shown that about 41 percent of all passwords are composed exclusively of lowercase letters. If we have access to this information, it stands to reason that someone who makes a living breaking into networks and stealing data knows it as well. Therefore, along with adding symbols, varying cases, and numerals, one strategy is to use a passphrase of random words.
The reason for this is that, with a password that looks like this “7i&3RkIn&4L1f3” the chances that you remember it if you use the account sparingly is pretty low. Besides, it is not that secure, as it is effectively a complex sentence. Remember, the hacker has to get your password completely correct to effectively gain access, so instead of trying to come up with intricate ways of typing statements that can be easily guessed, try taking three words that don’t have any natural connection, incorporating numbers and some varying capitalization, and padding either side with symbols.
A process like this makes the password more usable. It very likely won’t be guessed, is long enough to protect your account, is effective against the brute force attack, and will be easier for you to remember.
Speaking of which, since you shouldn’t use the same password for multiple accounts, you will end up with dozens of passwords. Keeping them straight, especially over the long haul (as you will likely have to reset passwords from time to time), is difficult. That’s why we recommend using a password manager. Many people take advantage of the password saving feature inside their browser. This is effective, but we recommend using a third-party manager that features encryption. This tool will be the most secure and reliable; and, you won’t have to worry about remembering every password.
At Point North Networks, Inc., we consider cybersecurity one of the most important parts of a business’ IT strategy. Give us a call a 651-234-0895 to see how we can help you keep your IT assets safe
Dangerous Android App Masquerading as System Update
Let’s face it, most people are glued to their phones when they have downtime. Many don’t look up to cross the street. With this much dedication to their individual mobile devices you’d think that people would be more careful about what they download.
Apparently, that Instagram feed is just too distracting to worry about individual data security.
Researchers from the mobile security firm Zimperium have discovered a malicious app that pretends to update your Android device, but is just spyware that can steal almost all of your data and monitor your search history and your location. Simply called “System Update” it has tricked many unsuspecting Android users as of this writing.
What Can “System Update” Do?
The spyware, or officially Remote Access Trojan (RAT), attached to this malicious download can only be downloaded outside of the Google Play store, which is fortuitous for many would-be victims of a malware attack like this. The spyware can effectively steal messages, contacts, device information, browser bookmarks, user search history, and can gain access to the microphone and the camera.
What’s more, it continuously tracks a user’s location, which can be really dangerous for anyone. The app starts spying every time the device receives new information, which for any heavy user is constant. After stealing your data, the app will work to erase the evidence of it’s activity, effectively covering its tracks indefinitely.
All-in-all, it is a pretty tough cookie.
How Are People Accessing This Malware?
You won’t be surprised to learn that phishing is the number one way people are being exposed to the corrupt “System Update” app. Google continuously warns people to not install apps from outside the Google Play app store, but as people’s devices age, they aren’t always compatible with older operating systems found on these devices and start looking for options outside of the Google Play app store. This can lead to people downloading apps that seem useful, but are completely nefarious. “System Update” seems to be one of those apps.
What You Can Do to Protect Yourself
While there have been nefarious apps found on the Google Play store in the past, the malicious app rate is extraordinarily low when sticking to the official app store. Users should also consider questioning any situation where an app is suggested for you outside of the app store, even if it seems to redirect you to the Google Play apps store. You just never know what you are going to get when you trust third parties on the Internet.
If you need a comprehensive plan to protect your business data from employee impulse and mobile negligence, give our technicians a call today at 651-234-0895. We can help you with mobile device management (MDM) and Bring Your Own Device (BYOD) which can have all types of benefits for your business.
