The average emailer knows that a Nigerian Prince doesn’t really have $12 million sitting in a bank account somewhere ready to give to you, but in today’s digital world, threats to your business and personal data are getting more sophisticated.
Phishing emails, ransomware, social engineering: eVAL CEO Nicholas Hinsch outlined these and other information-security threats facing businesses today at a recent Capital Crossroads SID event on Information Security & Big Data.
Every threat that actually lands has two ingredients: the malicious payload and the person who triggers it.
“One of the largest threats to your business and personal security right now is people,” Hinsch says.
The biggest risk-mitigation step a business can take is to not rely on technology alone, but to educate its employees about security threats and what not to do. Hinsch outlines three major threats on which to educate employees.
Phishing emails are one of the most common entry points for a data breach. Hinsch cites a statistic from a Verizon Data Breach Investigations Report that found 23 percent of recipients open phishing messages and 11 percent click on the attachments. Opening the attachment or following the link then installs malware or leads to a fake log-in page that captures data such as log-in credentials and personally identifiable information.
While some phishing emails seem very obvious (does Nigeria even have princes?), scammers are getting more creative.
“This is what the scammers are doing now, they’re taking legitimate emails, changing a link, potentially a few things in the message and the visual is identical,” Hinsch says.
It’s getting harder to tell if that suspicious sign-in email is really from Google or a scammer trying to nab your info.
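The link-swap trick Hinsch describes, and the sign-in-alert lookalike above, can be checked mechanically. The following Python script is an added example, not code from the talk or from eVAL: it parses an email, pulls every link out of the HTML body, and flags a link whose visible text names one domain while its href points at another, a link that leaves the sender's domain entirely, a punycode (internationalised) hostname, and a Reply-To that differs from the From domain. The two sample messages and every domain in them are constructed for this example, and the two-label "registrable domain" heuristic is a stand-in for a real public-suffix list. The same check applies to the "don't click links from strange sources" tip further down the page.

```python
"""Flag common phishing tells in a raw email. Added example; sample messages,
domains and the two-label domain heuristic are constructed assumptions."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: styled like a Google sign-in alert, but the sign-in link
# and the Reply-To both lead to a lookalike domain.
PHISHING_EMAIL = """\
From: "Google Accounts" <no-reply@accounts.google.com>
Reply-To: support@accounts-google-verify.example
To: victim@example.org
Subject: Suspicious sign-in attempt
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected a sign-in from a new device.</p>
<p><a href="https://accounts-google-verify.example/signin">https://accounts.google.com/signin</a></p>
<p><a href="https://support.google.com/accounts">Learn more</a></p>
</body></html>
"""

# Constructed legitimate counterpart: same look, but links stay on google.com.
LEGIT_EMAIL = """\
From: "Google Accounts" <no-reply@accounts.google.com>
To: victim@example.org
Subject: New sign-in from Chrome on Windows
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://accounts.google.com/signin">https://accounts.google.com/signin</a></p>
<p><a href="https://support.google.com/accounts">Learn more</a></p>
</body></html>
"""


def registrable_domain(host):
    """Last two DNS labels. A real tool would consult the public-suffix list
    (so 'example.co.uk' works); the simplification is an assumption here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mail_domain(header_value):
    """Domain part of an address header such as From or Reply-To, or ''."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return a list of (finding, detail) tuples; an empty list means no tells."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = mail_domain(msg.get("From", ""))

    # Tell 0: replies are routed to a different domain than the apparent sender.
    reply_domain = mail_domain(msg.get("Reply-To", ""))
    if reply_domain and registrable_domain(reply_domain) != registrable_domain(from_domain):
        findings.append(("reply-to-mismatch", f"{reply_domain} vs From {from_domain}"))

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)

    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        if not href_host:
            continue  # relative or mailto: links are out of scope here
        # Tell 1: the visible text is itself a URL or hostname naming another site.
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if "." in shown and registrable_domain(shown) != registrable_domain(href_host):
            findings.append(("link-text-mismatch", f"shows {shown}, goes to {href_host}"))
        # Tell 2: the link leaves the sender's domain.
        if registrable_domain(href_host) != registrable_domain(from_domain):
            findings.append(("link-off-sender-domain", f"{href_host} vs From {from_domain}"))
        # Tell 3: punycode labels, the usual vehicle for homoglyph lookalikes.
        if any(label.startswith("xn--") for label in href_host.split(".")):
            findings.append(("punycode-hostname", href_host))
    return findings


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyze(raw))
```

Run as a script, the constructed lure produces three findings (the Reply-To mismatch, the link whose text says google.com but goes elsewhere, and that same link leaving the sender's domain) while the legitimate counterpart produces none. Note that the "Learn more" link to support.google.com is not flagged, because it shares the registrable domain google.com with the From address; a checker that compared full hostnames instead would drown the real signal in false positives.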
If a full-screen notice demanding payment to unlock your files has ever appeared on your computer, that's ransomware.
“This is basically a piece of malware that you would download either by clicking on an attachment or visiting a site on the internet that has been poisoned,” Hinsch says.
More than just an annoyance, a ransomware infection has a real cost.
“Ransomware uses encryption mechanisms to hold data hostage, generally for a small amount of Bitcoin,” Hinsch says. “There is no guarantee that the bad actors will send the decryption key, even if you pay the ransom. In some cases, the only course of action is to restore from offline backups.”
If your business doesn’t have a backup, that can mean big trouble. (Barnes & Thornburg also has some tips on why your business needs a data management program.)
Social engineering works like phishing but is done over the phone or in person. The scammer talks a person into divulging sensitive information, often by asking seemingly innocuous questions or directing the individual to enter information on a website the scammer controls.
Hinsch says there are often signs that a call is not legitimate: think about the websites the scammer directs you to, and remember that most companies would never call you and ask for personal information over the phone. What happens if you ask to call back? If the caller insists that you answer now, or gives odd instructions for getting back in touch, that is another sign something isn't right.
While educating employees is one of the biggest steps a business can take to protect its data, Hinsch has several other tips to mitigate risk, both for businesses and for individual users.
Risk Mitigation Tips for Businesses
Own all of your data
– Cloud data storage can be secure as long as you own the cloud and the data, and the data is encrypted with a key known only to you
– Businesses handling sensitive data should consider hosting a private cloud in a HIPAA / PCI DSS compliant data center
BYOD (bring your own device) may not be a good idea
– Any device allowed on the trusted network that is not under strict management is a potential threat
Create a security assessment policy
– Have your systems/networks audited for vulnerabilities at a frequency that fits your industry sensitivity
– Businesses should audit their internal and external security to identify and mitigate potential attack vectors before a breach happens
Use an information-centric approach to data security
– The more you know about the way information moves through your company network, and where it’s stored, the more likely you can prevent exfiltration
Create a multi-layered network
– Use a strong perimeter security firewall
– Monitor the internal network for malware on all servers and endpoints
– Keep your critical systems deep within the network; use VLANs and jump boxes to limit access to them
Risk Mitigation Factors for Individuals
Use good password policies
– For sensitive accounts: change the password frequently, and make it unique, alphanumeric with symbols, and free of dictionary words
– For less sensitive accounts: the password may be reused, but it should be 18 characters or more, alphanumeric with symbols and no dictionary words, OR an alphanumeric passphrase made of many dictionary words; the longer the better (try a full sentence with punctuation)
Use a local password manager
– KeePass is a great local password manager application (data is limited to one location with a local manager)
– Do not trust online password storage utilities with sensitive accounts
Use “throw-away” email accounts for online use where possible
– Use an email address that is not publicly linked to you for online banking sites, etc.
Keep social profile information limited and restricted from public view
– Share personal details only with trusted individuals, but keep in mind…
– Assume anything you share online can still be read by anyone
Don’t trust public wifi
– Always assume a man in the middle is sniffing all of your traffic (this includes secure connections)
– Encryption is your friend: a VPN is absolutely necessary on public wifi (a VPN gives secure, confidential access to network resources from outside the local network while you are connected to an untrusted or hostile network)
Do not click on links or attachments sent from strange sources
– Phishing scams can drain your bank account, take your data hostage, or infect you with any other variety of malware
Consider using a low-limit credit card or pre-loaded gift credit card for all online transactions
– In the event a retailer you patronize is breached, your exposure is limited
For more information, visit eval.agency.