According to research by the Ponemon Institute, approximately 80% of business data breaches result from human error.

Breaches are becoming increasingly common as cybercriminals continue to advance their skills and tactics to trick their victims into falling for their scams.

With human error being the most common reason for a cyber intrusion, employee security training is crucial to ensuring employees know how to spot a hacking attempt.

“It only takes one careless employee to cause a big issue.”

Entrepreneur provides a great example of how one employee’s simple mistake could cost an entire business.

Sally is checking her personal email at work and opens one that promises she will lose 10 pounds within the next week. She clicks the link inside the email and, without her realizing it, this action installs a virus onto her computer. Not only is the virus now on her computer, it is also infiltrating the network.

This example shows just how quickly and simply an employee can fall victim to a data breach. Since human error is the leading cause of a data breach, business owners must educate their employees on security awareness.

Since it is possible to reduce your odds of getting hacked through employee security training, October has become National Cybersecurity Awareness Month.

During this month, cybersecurity programs, training, and breach prevention are highlighted so that companies of all sizes grasp how important it is to invest in cybersecurity protection and training programs for their employees.

We share 15 myths about cybersecurity that companies have believed for years and that can increase the probability of them falling victim to cybercriminals:

15 Myths About Cybersecurity

Myth #1: We don’t need cybersecurity training

Fact: Every organization and employee that has access to, or could come into contact with sensitive data, should receive cybersecurity training. Threats are continuously evolving, making ongoing training critical for all.

Myth #2: We’ll just deal with a breach when it happens

Fact: Paying for proper security and training is much cheaper than trying to recover from a single breach. In fact, many organizations that suffer a data breach don’t recover at all. Preventative breach measures will go a long way to help protect you.

Myth #3: Cybersecurity threats only enter through the internet

Fact: You don’t need to be connected to the internet to experience a data breach. For example, your organization’s entire IT system could become infected just by one employee using an infected USB drive. Threats come in many forms.  

Myth #4: A strong password alone will protect your business

Fact: A strong password is certainly important, but it is not enough to protect your organization entirely. Multi-factor authentication will help protect your account a step further, along with many other necessary security measures.

Myth #5: Small & medium-sized businesses aren’t targeted by cybercriminals

Fact: A majority of data breaches happen at small businesses. Oftentimes, small and medium-sized businesses lack the proper security measures and training to defend against cybercriminals, making them a major target.

Myth #6: Only certain industries are vulnerable to cyber attacks

Fact: While some industries are targeted more fiercely than others, no business is off-limits when it comes to a cyber-attack. If your organization has access to or stores sensitive data, you are vulnerable to a cyber-attack.  

Myth #7: Anti-virus & anti-malware software keep you completely safe

Fact: Anti-virus and anti-malware software are incredibly important when it comes to protecting your system, but that doesn’t mean you’re in the clear. This software can’t protect against all cybersecurity risks, many of which involve human error.

Myth #8: Cybersecurity threats only come from the outside

Fact: Many cybersecurity threats do come from the outside, but insider threats are just as likely. Insider threats can have malicious intent or could be the result of an honest mistake. Either way, these insider threats are often difficult to detect.

Myth #9: You can’t be attacked on social networking sites

Fact: Many attacks can stem from social networking sites. For example, if your friend gets breached, you could get a private message from them with a link telling you to “click here to watch a funny video!” when in reality, it’s a malicious link. 

Myth #10: If wi-fi has a password, it’s secure

Fact: All public Wi-Fi can be compromised, even with a password. Anyone who has access to the Wi-Fi password could abuse the connection. That means that if your information isn’t encrypted, it could fall into the wrong hands.

Myth #11: You’ll know immediately if your device is infected

Fact: Many times, nothing visually happens when a device or network is infected. Often, the attacker’s goal is to go undetected. However, there are directed attacks, such as ransomware, that will be immediately visible.

Myth #12: Personal devices can’t impact your organization

Fact: Personal devices can compromise a company’s network. This makes it so important for organizations to have strong Bring Your Own Device (BYOD) policies that outline security protocols for personal devices.

Myth #13: Complete cybersecurity is achievable

Fact: Although it would be nice if complete cybersecurity were a “one and done” kind of thing, there’s no such thing as being completely cyber-secure. New threats emerge every day, making cybersecurity an ongoing process.

Myth #14: My data or the data I have access to isn’t valuable

Fact: All data is valuable. Whether your organization is a start-up business or large corporation, your data is worth something to a cybercriminal. The same rules apply to your personal data, as even a password can lead to a goldmine.

Myth #15: Phishing scams are easy to detect

Fact: Cybercriminals are continuously advancing their tactics to make phishing scams more difficult to detect. Many phishing emails use social engineering techniques to make them more personalized, resulting in a higher success rate for the attacker.

With growing dependence on technology and on the internet, cybercrime is also on the rise. To meet the demand, there is a rising trend of social engineering sites on the dark web, which make malicious hacking a point-and-click exercise. You read correctly: you can now pay for a service to help you commit crime, and a new report describes two more sites that were discovered by security researchers.

Cybercrime-as-a-service platforms

The first is Ovidiy Stealer, found by Proofpoint, which steals passwords and is marketed on a Russian-language website for 7 bucks. It's regularly updated and the sales seem to skyrocket.

The Ovidiy Stealer malware currently has several versions in the wild, targeting people around the world. It is believed that the malware is currently being spread via email as executable attachments, compressed executable attachments, and links to an executable download. It is also likely spread via file hosting / cracking / keygen sites, where it poses as other software or tools.

Since it has been discovered, the content of this site has been removed. The site itself, however, appears to still be online. Below is a list of some of the observed filenames that disguise the malware:

Ovidiy Stealer is written in .NET and most samples are packed with either .NET Reactor or Confuser. Upon execution, the malware remains in the directory in which it was installed, where it carries out its tasks. Somewhat surprisingly, there is no persistence mechanism built into this malware, so on reboot it will cease to run, but the file will remain on the victim machine.

Ovidiy Stealer is modular and contains functionality to target multiple applications -- primarily browsers -- listed below.

The second is Hacksh*t, discovered by the Netskope Threat Research Labs, a Phishing-as-a-Service (PhaaS) platform that offers a low-cost, "automated solution for the beginner scammers."

This platform offers free trial accounts to test their hacking tutorials and tricks to make easy money. "The marketplace is a portal that offers services to purchase and sell for carrying out the phishing attacks," Netskope researcher Ashwin Vamshi says.

The Hacksh*t website had a video demonstration appealing to users to learn hacking, meet hackers online and make money. It allows wannabe hackers (subscribers) to generate their unique phishing pages for several services, including Yahoo, Facebook, and Google's Gmail. "The attacker then generates a phished page from the page/generator link and logs into the email account of the compromised victim, views all the contacts and sends an email embedded with the phished link."

According to Proofpoint, "Like many other markets with many choices, the malware market is competitive and developers must market the strengths and benefits of their products in order to attract buyers. To help drive sales, the development team includes statistics on the progress of certain modules, and other plans for future releases of the malware. In addition, the site includes “testimonials” from satisfied customers, presumably to demonstrate to other would-be criminals that they can be profitable when using Ovidiy Stealer."

Below is a screen capture of the reviews and development progress of Ovidiy Stealer. The user ACE’s comments translate to English as: “I only need the stealer for burglary on order. I explain what it is: I accept an order for the hijacking of a certain person's account. After I work with him and install the stealer. That's all, for one order I get 300-500 rubles. Without this project it would be impossible! Thank you!”

It is inevitable that more and more software engineering services will surface. With the internet connecting people worldwide, it certainly comes with its challenges. This is a huge risk for businesses, because they are usually the targets of malware and phishing attacks.

This is why it is important to implement corporate policies and security services to protect company data. Backup and disaster recovery is also a huge component and a requirement in many instances to become operational after an infection.

Of course proactive measures are the first line of defense. Therefore, it is critical for companies to hire knowledgeable IT providers and staff to ensure their data is protected. QWERTY Concepts includes essential security services, such as anti-virus, anti-malware, inbound and outbound email security, backup & disaster recovery, and network security with web content filtering as part of its monthly managed services offering. Schedule a free technology assessment today!

The credentials leaked by an alleged hacker online were likely stolen from other services, the company said

Hackers claim to have stolen a database of almost 7 million Dropbox log-in credentials, but the company says its service was not hacked and that unrelated websites are the data source.

The first data dump appeared Monday in an anonymous post on Pastebin.com and contained 400 username and password pairs. The author said that it's only the "first teaser" of 6,937,081 hacked Dropbox accounts and asked for community support in the form of Bitcoin donations. The user also claimed to have access to photos, videos and other files from the compromised accounts.

"As more BTC [Bitcoin currency] is donated, more pastebin pastes will appear," the post says.

At least five additional "teaser" posts appeared Monday and Tuesday on Pastebin, containing between 100 and 900 credentials each.

"Recent news articles claiming that Dropbox was hacked aren't true," Anton Mityagin, a Dropbox security engineer said Monday in a blog post. "Your stuff is safe."

According to Mityagin, the usernames and passwords posted were likely stolen from other services, but since the reuse of credentials for different online accounts is common among users, attackers tried to use them on different sites, including Dropbox.

"We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens," he said.

In an update Tuesday to the blog post, Mityagin added that credentials on a new list that was leaked were checked and are not associated with Dropbox accounts.

The incident is somewhat similar to the dumping of 5 million Gmail addresses and passwords online in September. Many initially assumed those credentials were for Google accounts, but it turned out that they likely originated from other services where people used their Gmail addresses as usernames. Google concluded that less than 2 percent of the leaked credentials might have worked to log into Google accounts.

Mityagin encouraged Dropbox users not to reuse passwords across different services and to enable two-step verification for their Dropbox accounts.

"This was either a novel attempt at scaring people into setting up two factor authentication on accounts which allowed it, or a quick and dirty grab for Bitcoins," said Chris Boyd, a malware intelligence analyst at security firm Malwarebytes, via email. "Given Dropbox's claim there's been no compromise and all of the 'sample' accounts were already expired, it's looking more like the latter."

"Anyone can post extravagant claims to Pastebin and while there's no harm in changing a password once word of a potential breach gets out, we shouldn't panic and wait until more concrete information comes to light," Boyd said.

Using separate passwords for different online accounts might sound inconvenient, but it's easy to do with a password management application, as long as it's used securely.

The U.S. Senate Intelligence Committee approved Tuesday a cybersecurity bill that would pave the way for sharing of information between government and the private sector on security threats.

Senate Intelligence Committee Chairwoman Dianne Feinstein, a Democrat from California, and Vice Chairman Saxby Chambliss, a Republican from Georgia, said that the committee had approved the bill in a 12-3 vote.

The Cybersecurity Information Sharing Act has been criticized by civil liberties and privacy groups because of the potential privacy implications of the sharing of data by companies with the government. Information including communications content shared with the government could potentially be used in various law enforcement investigations, including the investigation and prosecution of government whistle-blowers, the groups wrote in a letter in June to the Senate Committee.

Senators Ron Wyden and Mark Udall, both Democrats who voted against the bill, said Tuesday that there was a need for sharing of information by the government and companies on cybersecurity threats, but demanded that there should first be strong protections for Americans' constitutional privacy rights.

"....we have seen how the federal government has exploited loopholes to collect Americans' private information in the name of security," the senators said in a statement, in an apparent reference to disclosures by former National Security Agency contractor Edward Snowden about bulk surveillance by the agency of people in the U.S. and abroad.

The bill seems to disregard the revelations about NSA surveillance and includes no new civil liberties protections, wrote Greg Nojeim, senior counsel at the Center for Democracy & Technology in a blog post ahead of the committee decision. "As with most Intelligence Committee mark ups, this one will be held secretly, thus depriving the public of much information about the matters the Committee considered," he added.

The bill requires the director of national intelligence to increase the sharing of classified and unclassified cyberthreat information with the private sector, and authorizes companies and individuals to voluntarily share cyberthreat information with one another and the government for cybersecurity purposes only, and after taking measures to prevent sharing of personally identifying information, according to a statement Tuesday by Feinstein and Chambliss, who also authored the bill.

It also provides liability protections for individuals and companies that appropriately monitor their networks or share cyber information.

"To strengthen our networks, the government and private sector need to share information about attacks they are facing and how best to defend against them," Feinstein said in the statement. "This bill provides for that sharing through a purely voluntary process and with significant measures to protect private information." One of the amendments to the bill adopted Tuesday further strengthens privacy protections in the bill, the senators said, without providing details.

A similar bill, called the Cyber Intelligence Sharing and Protection Act, was passed by the U.S. House of Representatives but did not make it through the Senate after the White House stressed the importance of having privacy protections built into the legislation.

Mike Rogers, chairman of the Permanent Select Committee on Intelligence of the U.S. House of Representatives, and ranking member C.A. Dutch Ruppersberger on Tuesday welcomed the decision of the Senate Intelligence Committee and urged the full Senate to move quickly to pass "this important legislation." The House has its own bill on cybersecurity and the two representatives hoped the House and Senate would come together to "craft a final bill that secures our networks and protects privacy and civil liberties."