What’s a Phish?

What’s a Phish?

I was reviewing my junk mail folder the other day, looking for “false positives”. You know, those emails that get caught by your SPAM filter, the one that you’ve been waiting on to finish a project. Well, I came across one in particular that made my heart jump up into my throat. It started out with my username and listed an old password that I hadn’t used in years, but it was enough to catch my attention. How easy it is to fall for these types of phishing attempts. They scare you just enough that you’ll click on the link to see what they really have.

According to a recent article that I read, 91% of cyberattacks begin with phishing emails. So what exactly is “phishing”? Well, as the name implies, it’s not much unlike regular fishing. A hacker will entice you with bait (aka click bait), hoping you’ll bite. Phishing takes place when a malicious email or attachment is sent to you with the hope that you’ll fall for their cleverly crafted prose and interact with them on some level with the belief that the email has come from someone you know or trust.

We all get busy and are rushed to complete projects, or respond to important emails and get information out as quickly as possible. I’ve been there, done that, and I’ve already lost several of the t-shirts. Believe it or not, hackers know this, in fact they are COUNTING on it. They want you to breeze over and click or respond out of habit, rather that taking to time to verify the source.

Unfortunately, there really isn’t a “silver bullet” to prevent malware attacks such as these. Large organizations can spend hundreds of thousands of dollars to implement cyber-security hardware and other prevention systems. Hackers know this and are bypassing the locked gate, to find someone who can unknowingly let them in by other means, and it’s working.

But there are steps they can take to greatly reduce the risk:

  • Consistent periodic training – Enable your team with consistent cyber security awareness training to keep them up to date on the latest threats and how to identify them.
  • Internal phishing tests with immediate training feedback – What better way to train than by testing? It’s better to learn from a harmless phishing attempt that provides immediate feedback on what to look for to help your team identify and avoid malicious emails.
  • Sandboxing or similar 3rd party service – Sandboxing service detect and monitor email with attachments and links, opening them within a secure environment to verify their authenticity, before they reach your inbox!

Cynergy Technology can provide these services and more! Don’t face these threats alone. Let us help you find the right solution for your business.

Cyber Security Awareness… “Month”?

Cyber Security Awareness… “Month”?

With Halloween just around the corner, I thought it might be a good opportunity to discuss what scares business leaders most. As you may or may not have heard, October is Cyber Security awareness month. A bit ironic since October is also the month of ghouls, goblins and compromised credentials posted on the dark web. But in all seriousness, dusting the cobwebs from your cyber security policies one month out of the year is never a good habit to develop.

I spend a lot of my time scouring through articles and blog posts relating to data security, breaches and new threats that are on the constant rise. Malicious hacking has become a 6 trillion dollar industry. (Yes, that’s “Trillion” with a “T”.) Believe it or not, there are organizations making a lucrative business from mining and reselling compromised user credentials.

In the majority of the articles I have read, initial access into what was thought to be secure network always begins by some type of internal user initiated compromise. These people are smart, very smart. They’re not going to waste their time attempting to breach a system that will take them months to gain access. Remember they’re in this business to increase profit. Just like in any legitimate organization, the goal is to lower cost and increase revenue. Or, find and easier more efficient way to accomplish a goal. If you wanted to gain access to a secure building, how would you get in? Dig a tunnel? Blow a hole in a wall? Why not make it easy, find someone that can let you in from the inside.

Speaking of things that go bump in the night; here’s something scary. On what’s known as the “Dark Web” there are sites that contain lists of compromised credentials that are for sale. Usernames, passwords, addresses, you name it, it can be found and purchased fairly inexpensively. You see it all the time on the news; this site compromised, that service had a data breach. Information gained from these breached services is then sold for a profit. Even better if your organization houses client data that can be gained by the breach.

How do I protect Myself?

I’m sure you’ve heard the old cliché that “a chain is only as strong as its weakest link”. This could not be more relevant when it comes to cyber security. These same malicious organizations that have become profitable gaining access to company data and selling it to the highest bidder, are also using these profits to find new and creative ways to circumvent the new security features developed by those attempting to keep them out.

Knowing that my information could potentially be compromised, how do I protect my most critical data?

Simple, make sure that any information that they may have is irrelevant by ensuring that it’s no longer valid. In essence, change your passwords regularly!

Keep Your Critical Data Safe

Never use the same password that you use for your social media accounts to access your on-line banking accounts. In fact your banking password or ‘pass phrase’ should be only used for that service alone and nothing else. If the same password that you used for any social media service that may have just been breached is the same that you use for your on-line banking, you’ve basically just created a ‘skeleton key’ that can unlock any account.

This also applies to your work credentials. Keep your work pass word/phrase unique and unused anywhere else. Just like your banking passwords, your organization is counting on you to keep your work credentials safe and secure. Your work credentials are the sole method that company data is made accessible to you. Make sure your passwords are safe. Remember, the harder it is to gain access by guessing using your credentials the better.

A recent article I read stated that an 8 character password can be cracked in less than 10 minutes. Adding a “space” to a pass phrase increased this exponentially, meaning they’re going to move on to a softer target. (I’ll get more in depth about pass phrases in a later post.)

Keep Safe, It’s a Jungle Out There!

Secure 365 Strategic Services

As an organization we take cyber security very seriously. We’re continuously researching products and services that can help monitor and protect your organization. If you would like more information on these services, I can provide this for you.

Brent Hudson, MBA-ITM

vCIO-Managed Services

Cynergy Technology