Archive for July, 2013

July 30, 2013

What makes someone vulnerable to a phishing attack?

A research study by North Carolina State University identifies specific characteristics that make it easier to spot people susceptible to a phishing attack. The research indicates that people who are overconfident or introverted are less likely to distinguish between a legitimate email and a fraudulent phishing email. Other findings include:

  • Women are less likely to distinguish between a phishing email and a legitimate email.
  • 89 percent of the participants indicated they were confident in their ability to identify malicious emails, but 92 percent misclassified phishing emails.
  • 52 percent of participants misclassified more than half of the phishing emails.
  • 54 percent deleted at least one authentic email.

Click here for more information about the study.

July 23, 2013

Lloyd’s Risk Index: cyber security now ranked 3rd

Lloyd’s has just released the Lloyd’s Risk Index for 2013. The survey of more than 500 senior business leaders from around the world ranked cyber security as the 3rd highest rated risk, compared with 12th place when the survey was conducted in 2011. The number of high-profile cyber attacks over the last couple of years has heightened awareness of this issue.

A link to the report is available here.

July 18, 2013

Cyber Security Tip: Only Keep Essential Customer Data

Many companies collect endless amounts of private customer data, which then needs to be stored and protected. In many cases this data is never used, or is used only once. Do you really need to store a customer’s credit card information? If you aren’t going to phone or mail a customer, then maintaining a database of phone numbers and mailing addresses has no business value. Storing other customer information, such as social security numbers, should also be avoided.

The simple rule of thumb is to limit the amount of customer information that you keep on your system.  The more you have, the more damage can be caused by a data breach.

July 16, 2013

How Qualys and Acunetix help hackers attack your site

Screenshot from Acunetix Web Application Vulnerability Scanner


Leading providers of web application vulnerability scanners such as Qualys and Acunetix are inadvertently helping hackers attack your site. How? By allowing anyone with an email address to register for the product demo and then scan your site for vulnerabilities. This is a serious flaw and can easily be exploited. Here is an example of a scan that we performed for a website using a Gmail address.

The report contains detailed information about your website that can be used in a hack attack.
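Because a demo scan like the one above shows up in your own web server logs as one client probing many paths in a short burst with a high error rate, a defender can flag it. The following is an added example written for this post, not code from the original or from either vendor; it parses constructed combined-format log lines and reports clients whose request pattern looks like an automated scan (thresholds are assumptions to tune per site).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in combined log format (not real traffic):
# 203.0.113.7 probes many paths in seconds, 198.51.100.4 browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jul/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [16/Jul/2013:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 312
203.0.113.7 - - [16/Jul/2013:10:00:02 +0000] "GET /backup/ HTTP/1.1" 404 312
203.0.113.7 - - [16/Jul/2013:10:00:02 +0000] "GET /old/ HTTP/1.1" 404 312
203.0.113.7 - - [16/Jul/2013:10:00:03 +0000] "GET /test/ HTTP/1.1" 404 312
203.0.113.7 - - [16/Jul/2013:10:00:03 +0000] "GET /config/ HTTP/1.1" 404 312
203.0.113.7 - - [16/Jul/2013:10:00:04 +0000] "GET /tmp/ HTTP/1.1" 404 312
203.0.113.7 - - [16/Jul/2013:10:00:04 +0000] "GET /private/ HTTP/1.1" 403 290
198.51.100.4 - - [16/Jul/2013:10:00:07 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.4 - - [16/Jul/2013:10:00:19 +0000] "GET /about.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def flag_scanners(log_text, window=60, min_requests=8,
                  min_distinct=6, min_error_ratio=0.5):
    """Return {ip: summary} for clients with many distinct paths and a high
    4xx/5xx share inside a sliding window of `window` seconds (assumed thresholds)."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the run
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_ip[m["ip"]].append((ts, m["path"].split("?")[0], int(m["status"])))
    flagged = {}
    for ip, reqs in per_ip.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):  # slide the time window over this client's requests
            while (reqs[end][0] - reqs[start][0]).total_seconds() > window:
                start += 1
            chunk = reqs[start:end + 1]
            if len(chunk) < min_requests:
                continue
            distinct = len({p for _, p, _ in chunk})
            errors = sum(s >= 400 for _, _, s in chunk) / len(chunk)
            if distinct >= min_distinct and errors >= min_error_ratio:
                flagged[ip] = {"requests": len(chunk), "distinct_paths": distinct,
                               "error_ratio": errors}
                break  # one verdict per client is enough
    return flagged
```

Calling `flag_scanners(SAMPLE_LOG)` flags only 203.0.113.7; feed it your real access log text to get the same verdict per client.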

July 3, 2013

How to reduce Phishing attacks?

This series addresses how SMBs can take precautionary steps to minimize the likelihood that they will be the target (or inadvertent enabler) of a phishing attack. Phishing is a hacking attack in which the cyber-criminal misrepresents their identity and impersonates a legitimate entity (an individual or corporation that the victim would trust). Phishing attacks are often very sophisticated because they are designed to mimic the user experience of a trusted commercial entity such as a bank or credit card company.

How does phishing work? Here are some of the ways that hackers use phishing:

  • Installing spyware that monitors for the transmission of POST data such as usernames and passwords.
  • Sending unsuspecting users urgent messages stating that their accounts have been attacked and that they need to provide information in order to reactivate them.
  • Installing spyware that triggers a popup when certain URLs are entered. The popup asks for valuable account information that is then used for nefarious purposes.
  • Sending emails that appear to be from legitimate sources. These emails often contain links asking for private information for “account reactivation” or “account validation.”

OWASP has published specific guidance on how to minimize phishing, which we have adapted for SMBs:

User education: Users are the first line of defense against a phishing attack. Train your users to be vigilant and institute policies such as requiring the installation of anti-virus software.

Make it easy for your users to report scams: Set up an email address that users can write to in order to report a suspected phishing scam.

Communicating with customers via e-mail: Remind them that they must type your URL into their browser to access your site, that you don’t provide links, and that you never ask for confidential information.

July 1, 2013

HAAS (Hacking as a Service)

Steve Cox TSGRadio Five Live covered a report this morning which has ‘unveiled’ the fact that hackers and cyber-criminals can now buy a range of online services (made by other hackers) which are aimed at making their malicious activities easier to carry out... and also make the spread of the hack more effective.

The promotion of these services is surprisingly sophisticated.  To help get your head around this level of cyber-crime, it’s worth watching this brief video of James Lyne of Sophos talking about HaaS – or Hacking as a Service – at a TSG event earlier this year:

The expert they spoke to on Five Live also mentioned the importance of keeping your software up to date with the latest patches – one of a number of simple, common sense steps that you can take to protect your business.

For more of these steps we’ve posted some ‘top tips’ videos on our


July 1, 2013

Note to CSO: why companies don’t remediate vulnerabilities

A recent survey by WhiteHat Sentinel contains some industry data on the factors that inhibit companies from remediating vulnerabilities. Here is a summary of the research:

1) Lack of understanding and/or responsibility for maintaining the code

2) Lack of knowledge, understanding or respect for the vulnerability

3) A third-party vendor is responsible for the affected code and that vendor is unresponsive

4) Insufficient budget to address the vulnerability

5) The risk of exploitation is acceptable and/or it is not a priority based on compliance

6) The solution conflicts with the business use case

The full report is available here.