3 Daily Habits for Information Security Practitioners to Stay Updated

  1. Stay Informed with Industry News:
    • Why? The cybersecurity landscape is ever-evolving. New threats, vulnerabilities, and attack vectors emerge daily.
    • How?
      • Subscribe to cybersecurity news websites and blogs like KrebsOnSecurity, The Hacker News, or Dark Reading.
      • Join forums and online communities like Reddit’s r/netsec or Stack Exchange’s Information Security.
      • Set up Google Alerts for specific cybersecurity keywords to get real-time updates.
  2. Engage in Continuous Learning:
    • Why? Technologies and tools in the cybersecurity domain are constantly advancing. To remain effective, professionals must keep up with the latest techniques and methodologies.
    • How?
      • Dedicate time each day to learn something new, whether it’s a new programming language, a cybersecurity tool, or a security protocol.
      • Enroll in online courses or webinars. Platforms like Coursera, Udemy, and Cybrary offer many courses tailored for cybersecurity professionals.
      • Participate in Capture The Flag (CTF) challenges or cybersecurity simulations to hone your skills in a practical environment.
  3. Network with Peers:
    • Why? Networking helps share knowledge, learn about real-world challenges, and understand best practices from experienced professionals.
    • How?
      • Attend local or virtual cybersecurity meetups, conferences, and seminars.
      • Join professional organizations such as (ISC)², ISACA, or the Information Systems Security Association (ISSA).
      • Engage in discussions on LinkedIn groups or Twitter threads related to cybersecurity.

Remember, the field of information security is vast and dynamic. By integrating these habits into your daily routine, you’ll be better equipped to stay ahead of the curve and safeguard your organization’s digital assets.

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

 

IT/OT Convergence and Cyber-Security

Today, I spoke at ComSpark as a part of a panel with Chris Nichols from LucidiaIT and David Cartmel from SMC. 

We talked extensively about convergence and the emerging threats stemming from the intertwined IT/OT world. 

If you missed it, check the ComSpark event page here. I believe they are making some of the content available via recording, though a signup might be required. 

Our virtual booth also had this excellent video around the topic. Check it out here.

Thanks and hit me up on Twitter (@lbhuston) and let me know your thoughts.

Tips For Recognizing a Phishing Email

Below are some common tips for helping to identify phishing emails at work or at home. The same rules apply.

Most Phishing Emails Originate at Common Domains

The first way to recognize a phishing email is that most originate from a public email domain.

There are few legitimate organizations that will send emails from an address that ends in @gmail.com, not even Google does this.

To check an organization’s name, type it into a search engine.Most of the time, organizations have their own email and company accounts and don’t need to use an @gmail.com address.

Check the Spelling of the Domain, Carefully!

There is another clue hidden in domain names that shows a strong indication of the scam.

Anyone can purchase a domain name from a website. There are many ways to create addresses that are easily confused with the official domain of a brand or company. The most common ways include slight mis-spellings of the domain name, or by changing one character to a number or letter that resembles the original. Be extra vigilant for these types of spoofing attempts.

Grammer and Spelling Counts

It’s often possible to tell if an email is a scam if it has poor spelling and grammar. Odd terminology or phrasing is also a clue. For example, your bank is unlikely to misspell the word checking or account, and they would not usually call an ATM machine a “cash machine”. These clues can be subtle, but often indicate that an email is not what it claims to be.

Beware of Potentially Malicious Links and Attachments

Sometimes, the wording in an email might be right, but the links send you to somewhere unexpected on the web. You can check this out in most clients and browsers by simply hovering the mouse cursor over the link without clicking on it. That’s an easy way to know where the link is taking you, and note that it might be somewhere other than what the links says it is.

You should always beware of attachments in emails. Everyone knows that malicious code and ransomware can be hiding in documents, spreadsheets and such, but they can also appear to be image files, presentations, PDFs and most types of documents. If you aren’t expecting the attachment, delete it!

Too Good To Be True

Lastly, if the offer is too good to be true, it probably is. Few people have won the lottery and been notified by email. Even less have been chosen for random gifts or to receive inheritance from Kings and Queens. Don’t be gullible, and remember, scammers are out there, and they want to trick you.

What to Do When You Spot a Phish

The first thing is to delete the email and attachments. If it is a work email, you should also notify the security team that you received it. They can investigate, as needed. In some firms, they may want you to forward it to a specific email address for the security team, but most security teams can recover the email information even if you delete it. Follow their instructions.

At home, just delete the email and tell your family and friends about it. The more folks are aware of what’s going around, the less likely there are to fall into the trap.

More Information

We’d love to discuss phishing attacks, emerging threats or common security controls for organizations. Reach out to info@microsolved.com or give us a call at 614-351-1237 for help.

Thanks for your attention, and until next time, stay safe out there.

 

 

How to Make InfoSec Infographics

Infographics are everywhere! And people either love them or hate them.

That said, many security teams have been asking about building infographics for awareness or communicating threat data to upper management in quick easily-digestible bites. To help with that, we thought we would tell you what we have learned about how to make infographics – as a best practice – so you won’t have to suffer through the mistakes we and others in the security field have already made. 🙂

So, at a high level, here is what you need to know about making infographics on security topics:

What are infographics & why are they useful?

Infographics are a visual representation of data and information; it is a quick way to look at a lot of in-depth information and get a clear understanding of it. They are used to communicate data in a way that is compact and easy to comprehend and also provide an easy view of cause and effect relationships. Infographics are visually appealing and are composed of three elements:
– visual (color, graphics, reference icons)
– content (time frame, statistics, references)
– knowledge (facts)

Best practices for building infographics: 

– Simplicity: clean design that is compact and concise with well organized information
– Layout: Maximum of 3 different fonts
– Colors: choose colors that match the emotions you are trying to convey. The background should blend with the illustrations
– Boundaries: limit the scope of your information. Attention span is short so try to answer only one question per infographic

The main best practice we have learned is: Keep It Simple! Focus on just a few salient points and present them in interesting tidbits. Use templates, they are available all over the web for your publishing or office platform. Remember, the purpose of infographics is to peak interest in a discussion, not serve as the end-all, be-all of presenting data to the audience.

Let us know your success stories or tell us what you have learned about infographics on Twitter (@lbhuston or @microsolved). Thanks for reading!

How to Avoid Getting Phished

It’s much easier for an attacker to “hack a human” than “hack a machine”.  This is why complicated attacks against organizations often begin with the end user.  Although e-mails with malicious links or attachments are often dismissed and referred to as “spam”, these messages are often the beginning of a sophisticated hack against a company.  Unfortunately there is no “silver bullet” that can prevent these attacks from taking place.
 
I recently had the opportunity to give a presentation during one of our client’s all-staff meeting.  Despite the fact that our client’s company resides in a relatively niche market, I was able to discuss several data breaches that took place in their industry within the last year.  Not only did the hacks all take place recently, they were all the direct result of actions taken by an end-user.  A majority of these attacks were caused by an employee opening a malicious e-mail.  I gave our customer the following advice to help them avoid becoming a victim of Phishing e-mails and felt that it was worth sharing on StateOfSecurity.com.
 
Verify link URL:  If the e-mail you received contains a link, does the website URL match up with the content of the message?  For example, if the e-mail indicates you are about to visit a website for FedEx, is the address actually FedEx.com?  A common tactic used by attackers is to direct a user to a similar URL or IP address.  An example of this would be to direct the user to FedEx111.com or FedEx.SE as opposed to the organization’s actual URL.
 
Verify e-mail address of sender: If the e-mail message you received came from a friend, colleague or vendor, did it actually come from their e-mail address?  It’s worthwhile to take a few extra seconds to ensure that the e-mail actually came from the aforementioned colleague, friend or vendor.  Also, avoid opening e-mails from generic senders such as “Systems Administrator” or “IT Department”.
 
Exercise caution from messages sent by unknown senders: Be cautious if a message comes from an unknown sender.  Would you provide your checking account number or password to a random person that you saw on the street?  If not, then don’t provide confidential information to unknown senders.
 
Follow up with a phone call: In the event you receive a message requesting that you validate information or need to reset your password, take some time to follow up with the sender with a phone call.  Trust me, your IT department will be happy to spend a few seconds confirming or denying your request as opposed to dealing with a malware infection.  Also, if your “bank” sends any type of e-mail correspondence requesting that you perform some sort of action, it’s worthwhile to give them a call to confirm their intentions.  Always be sure to use a number that you found from another source outside of the e-mail.
Spot check for spelling/grammar errors: It is extremely common that malicious e-mails contain some sort of spelling mistake or grammatical error.  Spelling mistakes or grammatical errors are great indicators that you have received a malicious e-mail.
 
Do not open random attachments: If your e-mail messages meets any of the above criteria, DO NOT open the attachment to investigate further.  Typically these attachments or links are the actual mechanism for delivering malware to your machine.
 
This blog post by Adam Luck.

The Big Three Part 4: Awareness

Cyber-attacks are a simply a part of reality now, and are very much like home burglaries. We can install locks and lights, cameras and alarm systems, and despite our best efforts at protection and prevention, a certain number of robberies are still bound to happen. That is the reason we need to steel ourselves to this fact and prepare ourselves to resist cyber-attacks the best way that we can. And the Big Three; incident detection, incident response and user security education and awareness are some of our best tools for meeting this problem.

The importance of user education and awareness to information security cannot be over emphasized. Of all the firewalls, IPS systems and other security sensors available, none can compare to human beings in their ability to detect cyber-attacks and security risks. But to take advantage of this resource, it is necessary that users know how to recognize security problems and it is necessary that they want to be engaged in the security process. To accomplish this, companies need to do several things.

First, they should provide all of their personnel with information security training both as new hires, and then periodically thereafter. This training should include the company information security policies that apply to all, plus information security training that is specific to each users particular role in the organization. Providing extra information security training for individuals such as code developers, system administrators and help desk personnel is particularly beneficial.

Next, it is also very important to provide all company personnel with information security awareness reminders. These serve two purposes. First, they help keep the need for good security practices fresh in usersminds. But more importantly than that, good security awareness tips let your personnel know exactly what kind of attacks are out there and how they take place. Thats why it is important to base your awareness reminders on cutting-edge, real-world information security threats. For example, perhaps your employees gets a perfectly legitimate-looking email message from one of their co-workers that solicit them to check out a certain website and give an opinion on it. So they innocently click on the embedded link and wham! Suddenly their machines have been infected with malware and they dont have a clue that anything is wrong. Awareness reminders can help keep such things from happening.

On top of good information security training and awareness, we think that there is one more element that is needed to really make the process pay off. It is important to engage the interest of your employees and make them feel that they are an essential part of the information security effort. This

isnt really hard or expensive to do either. Explain their importance in the program to your personnel and ask for their help. Most everyone really likes to help out, and it makes them feel good inside. In addition, recognize those that have contributed to the information security cause and give them some kind of reward. This can be as simple as a little praise at the weekly staff meeting, or can include things like days off or preferred parking spaces. It doesnt have to be big, just visible. One thing is sure, it makes better business sense to utilize this free and effective security resource to the hilt than spend a million dollars on a vaunted new IDS/IPS system! 

This post by John Davis.

Social Engineering Even Exists in the Animal World

OK, so we have all read about birds that social engineer other birds into raising their young, and maybe you’ve even seen the TV special about it. But, this picture brings to mind a lesson in social engineering, thanks to our friends in the animal world. It all comes down to confidence, doesn’t it? 🙂

I am pretty sure that one of these things is not like the other. Would your security team spot the difference? How about your users?

Credit: The first time I saw the pic, it was here, just in case you want to use it for awareness training. — Thanks to @robertjbennett for the pic!

NewImage

Touchdown Task: Gear Up for Holiday Coverage

GlobalDisplay Orig

Just a quick note to remind you that it’s a good time to check your coverage schedule for the holidays. With so many events and vacations, make sure you know who is available to cover important tasks and who can handle security incidents during this busy time.

Many incidents occur during the holiday period, so make sure you have a plan for handing them when you are rushed, short staffed and on the run.

We hope you have a safe and joyous holiday season. MicroSolved is here if you need us, so never hesitate to give us a call or drop us a line.

YAPT: Yet Another Phishing Template

Earlier this week, we gave you the touchdown task for July, which was to go phishing. In that post, we described a common scam email. I wanted to post an example, since some folks reached out on Twitter and asked about it. Here is a sample of the email I was discussing.

<paste>

Hi My name is Mrs. Hilda Abdul , widow to late Dr. Abdul A. Osman, former owner of Petroleum & Gas Company, here in Kuwait. I am 67 years old, suffering from long time Cancer of the breast.

From all indications my condition is really deteriorating and it’s quite obvious that I won’t live more than 3 months according to my doctors. This is because the cancer stage has gotten to a very bad stage.

I don’t want your pity but I need your trust. My late husband died early last year from Heart attack, and during the period of our marriage we couldn’t produce any child. My late husband was very wealthy and after his death, I inherited all his businesses and wealth .The doctor has advised me that I will not live for more than 3 months ,so I have now decided to spread all my wealth, to contribute mainly to the development of charity in Africa, America,

Asia and Europe .Am sorry if you are embarrassed by my mail. I found your e-mail address in the web directory, and I have decided to contact you, but if for any reason  you find this mail offensive, you can ignore it and please accept my apology. Before my late husband died he was major oil tycoon in Kuwait and (Eighteen Million Dollars)was deposited  in a Bank in cote d ivoire some years ago, that’s  all I have left now,

I need you to collect this funds and distribute it yourself to charity .so that when I die my soul can rest in peace. The funds will be entirely in hands and management. I hope God gives you the wisdom to touch very many lives that is my main concern. 20% of this money will be for your time and effort includin any expensese,while 80% goes to charity. You can get back to me via my private e-mail: (hilda.abdul@yahoo.com) God bless you.
1. Full name :
2. Current Address :
3. Telephone N° :
4. Occupation :
5. Age :
6. Country :

MRS. Hilda Abdul

<end paste>

As you can see, this is a common format of a phishing scam. In this case, you might want to edit the targeting mechanism a bit, so that they have to click through to a web page to answer or maybe even include a URL as supposed proof of the claim. That way you would have two ways to catch them, one by email reply and two by click through to the simple phish application.

As always your milage and paranoia may vary, but it is still pretty easy to get people to click or reply ~ even with age old spam phish attacks like this. What kind of return percentages did you get? What lessons did you learn? Drop us a line on Twitter (@lbhuston) and let us know. 

July’s Touchdown Task: Go Phish Yourself!

This month’s touchdown task is to spend about an hour doing some phishing. Phish your user base, executives and other likely targets. Use the process as a basis for ongoing awareness and security training.

Phishing is a LOT easier and more effective than you might think. We’ve made it easy for you to do, with a free tool called MSI SimplePhish. You can learn exactly how to do it by clicking here.

Pay special attention to this step:

PreCursor: Obtain permission from your security management to perform these activities and to do phishing testing. Make sure your management team supports this testing BEFORE you engage in it.

You might need a couple more ideas for some phishing templates, so here are a couple of the most simple examples from real phishing going on right now:

1. Simply send a non-sensical subject line and the entire body of the message is the phishing url. You might encode this to make it more fun using something like a URL shortener.

2. Copy one of those spam messages that go around where the target inherits 40 million dollars from an oil company exec in the Congo or somewhere. Check your spam folder for examples. Replace the URLs with your phish site URL and click send.

3.  Send a simple music trivia question, which is common knowledge, and tell them to click on the target URL to answer. Make it appear to be from a local radio station and if they answer correctly, they win a prize (movie tickets, concert tickets, etc.)

As a bonus, simply do what many testing vendors do ~ open your gmail spam folder and pick and choose any of the spam templates collected there. Lots to pick from. 

The exercise should be fun, easy and likely effective. If you need any help, drop us a line or give us a call. Until next month, stay safe out there!