Log4j: FTC Warns Organizations they may face Legal Action

The Federal Trade Commission (FTC) released an alert, warning companies that they may face legal penalties if they aren’t taking the proper steps to mitigate Log4j vulnerabilities to protect consumer information. Earlier this month, FTC officials said there is a “severe risk” to consumer products, software, and applications caused by a vulnerability in the Java logging package. This vulnerability is being exploited by hackers and it is critical that vendors who rely on Log4j take the proper precautions to reduce their likelihood of an attack.

An example of this is the Equifax breach, which was caused by failing to patch a known vulnerability. Because of this vulnerability, the personal information of 147 million consumers was left exposed. Equifax paid $700 million to settle actions taken by the FTC. The FTC intends to pursue any companies that fail to take steps to protect consumer data from exposures caused by Log4j, or similar vulnerabilities that may occur in the future.

The FTC advises companies to keep their Log4j software package updated to the most recent version and to consult the Log4j Vulnerability Guidance published by CISA. This FTC alert is a wake-up call to many companies: cyber threats are evolving, and so are the security requirements and legal actions that will follow if they do not take the proper steps to protect consumer information.
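Knowing where Log4j actually lives on a host is the first step toward keeping it updated. The following Python script is an added example (not from the FTC alert, CISA guidance, or the Log4j project) that walks a directory tree, finds `log4j-core` jars, reads the version from the jar's own `pom.properties` (falling back to the filename), and reports whether the `JndiLookup` class is still present. The minimum acceptable version (2.17.1) and the two fake jars built by `make_sample_tree()` are assumptions made for the demonstration; the sample jars contain no real Log4j code. Shaded or fat jars that embed Log4j under another name are not covered by this check.

```python
"""Inventory log4j-core jars under a directory tree and flag the ones that need attention."""
import os
import re
import tempfile
import zipfile

# Assumption for this example: anything older than this needs review. 2.17.1 is the
# release that closed out the December 2021 series of Log4j 2 fixes for Java 8.
MIN_OK_VERSION = (2, 17, 1)
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$")


def parse_version(text):
    """Turn '2.14.1' (or '2.0-beta9', which has no patch number) into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else (0, 0, 0)


def inspect_jar(path):
    """Return (version string or None, jndi_lookup_present) for one jar file."""
    version, has_jndi = None, False
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            if name == JNDI_LOOKUP:
                has_jndi = True
            elif name.startswith(POM_PREFIX) and name.endswith("pom.properties"):
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    if version is None:  # no Maven metadata inside; fall back to the filename
        m = NAME_RE.search(os.path.basename(path))
        version = m.group(1) if m else None
    return version, has_jndi


def scan_tree(root):
    """Walk root and return one finding dict per log4j-core jar found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not (fname.startswith("log4j-core") and fname.endswith(".jar")):
                continue
            path = os.path.join(dirpath, fname)
            try:
                version, has_jndi = inspect_jar(path)
            except zipfile.BadZipFile:
                version, has_jndi = None, False  # unreadable jar: report it, do not guess
            needs_update = version is None or parse_version(version) < MIN_OK_VERSION
            findings.append({"path": path, "version": version,
                             "jndi_lookup": has_jndi, "needs_update": needs_update})
    return findings


def make_sample_tree():
    """Constructed sample: two fake jars (no real Log4j classes) so the scan can be dry-run."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    old = os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar")
    new = os.path.join(root, "other", "log4j-core-2.17.1.jar")
    os.makedirs(os.path.dirname(old))
    os.makedirs(os.path.dirname(new))
    with zipfile.ZipFile(old, "w") as jar:
        jar.writestr(POM_PREFIX + "pom.properties", "version=2.14.1\n")
        jar.writestr(JNDI_LOOKUP, b"")  # placeholder entry standing in for the class
    with zipfile.ZipFile(new, "w") as jar:
        jar.writestr(POM_PREFIX + "pom.properties", "version=2.17.1\n")
    return root


if __name__ == "__main__":
    for finding in scan_tree(make_sample_tree()):
        print(finding)
```

Point `scan_tree()` at an application's install directory to get the same report for real jars; the version check is only as good as `MIN_OK_VERSION`, so keep that value aligned with the current vendor guidance rather than the number assumed here.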

Can Employee Personalities interfere with Security?

A company’s employees can often be seen as a weakness in terms of cybersecurity. In fact, according to the Verizon Data Breach Investigations Report, 3 out of the top 5 threat actions involve human risk. We all have biases in our thinking that can create risky behavior. Some even argue that there is a connection between employee personalities and security.

The traits with the highest correlation to information security behavior (positive or negative) are risk taking, openness, agreeableness, and conscientiousness. For example, employees who score high on conscientiousness are less likely to engage in risky behaviors and vice versa. Employees who are natural risk takers and tend to engage in sensation-seeking activities may take chances when it comes to security.

Personality tests like Myers-Briggs and DISC have been used by organizations for screening and training purposes for years. How should an organization use these tests for cybersecurity purposes? There are no definitive answers, but here are a couple of thoughts:

  1. Build processes that create healthy behaviors. Well-documented procedures for systems administration or development, with a solid change management process, automated testing tools and peer review, are examples of methods that ensure proper behaviors are deployed consistently and minimize non-compliance. Pilots with decades of experience still use checklists to inspect planes, take off, land and taxi; your IT team should as well.
  2. Install tools that minimize the impact of non-compliance. Tools such as multi-factor authentication, email and web filters and endpoint detection and response (EDR) can go a long way to mitigate non-compliant employee behavior.
  3. Conduct role- and behavior-based security awareness training. Best practice states that an organization should provide security awareness training particular to the role the individual plays in the organization. Consider paying particular attention to training those with non-compliant tendencies.
  4. Ensure that there are proper incident response procedures in place. Even with a fully “compliant” staff from a cybersecurity perspective, stuff happens. Make sure you have a solid incident response plan and are testing it on at least an annual basis.

Finally, the most important area the organization should focus on is leadership and governance. Spend some time thinking about the personality of the organization’s culture and how it can positively or negatively impact risk behavior. Remember, people will tend to mimic the leadership’s style in everything they do, including cybersecurity behavior. Whether that’s a good thing or not is up to you.

Best Wishes, not Phishes this Holiday Season

The holidays are a huge time for buying and giving to loved ones. Unfortunately, this increase in purchasing means there is an increase in phishing and other holiday scams. Phishing is typically targeted towards consumers aiming to collect credentials, credit card or financial information, although companies are also affected since many employees now use their personal devices for business reasons.

The most common forms of scams this time of year are non-delivery, where you pay for something online and never receive it, and non-payment, where the product is shipped but the seller is never paid. Some tips to avoid this: do not click suspicious links, whether they arrive in emails, attachments or on other platforms and websites, and be wary of any website asking you to update account information.

While you’ve all heard of phishing, don’t forget about smishing this holiday season. SMS phishing is only the first step in these types of attacks. Once the system has been successfully compromised, scammers can then install malware on the targeted devices. This enables them to control device functionality and makes you vulnerable to other attacks. To avoid this, be diligent in your research of any websites you purchase from and be wary of emails or text messages relating to purchases.

Especially during this holiday season, look out for any suspicious text messages or emails and employ email filtering. Companies can reduce these threats by patching, using multi-factor authentication whenever possible and incorporating security awareness training to better spot scams. Be extra diligent this time of year, as hackers are becoming more sophisticated and making their scams look more legitimate.

Clients increasingly Asking about Vendor Cybersecurity Procedures

With increasing requests from clients regarding their cybersecurity controls, companies are looking to us to help in a number of areas, with questions about written security policies, vulnerability and penetration testing, risk assessments, and security awareness training. These questions and concerns, which were once mainly directed at large companies, are now also crucial for small and medium-sized businesses.

In addition to the previously mentioned topics, clients are looking to see that companies have certain security tools in place such as:

  1. Multi-Factor Authentication (MFA): MFA is a key way to provide an extra layer of security to prevent hackers from accessing your system. With MFA, an additional means of identification, beyond a password, is required to log in.
  2. Endpoint Detection and Response (EDR): EDR is a cyber security solution that continuously monitors endpoints, collects data, and responds to help mitigate cyber threats.
  3. Backup: Companies should be sure to include multiple forms of backup with at least one stored off-site. Backups should also be regularly tested to ensure they can be restored as needed.
  4. Patching: Patches are software and operating system updates that address known vulnerabilities and keep your system up to date.

If your company is getting overwhelmed by client requests about your security posture, you are not alone. If you think your current measures may not be up to par or do not have the time, Designed Privacy created a program that provides you with a guide to cybersecurity and the tools you need to keep your company and your clients protected and stay competitive.

Dental Data Breach Caused by Vendors and Human Risks

This Fall, the personal health information of over 170,000 dental patients was exposed in a data breach associated with the Professional Dental Alliance, a network of dental practices affiliated with the North American Dental Group. According to the Professional Dental Alliance, patient information was exposed due to a successful phishing attack against one of their vendors, North American Dental Management. The phishing campaign gave attackers access to some of NADM’s emails, where the personal information of patients was apparently stored.

While the Professional Dental Alliance has said their electronic dental record system and dental images were not accessed, an investigation found that protected health information of patients, such as names, addresses, email addresses, phone numbers, insurance information, Social Security numbers, dental information, and/or financial information, was accessed by the attackers.

This is not the first time dental offices have found themselves the target of a data breach. In 2019, a ransomware attack against a managed service provider resulted in the exposure of patient information from over 100 Colorado dental offices. A year later, the information of over 1 million patients was exposed after an attack against the Dental Care Alliance.

These incidents reveal just how vulnerable professionals can be to cybersecurity attacks and data breaches. One reason is that many professionals are small businesses who don’t have the time or expertise to deal with everything that goes into cybersecurity. So, many professionals rely on vendors and associations to ensure they are protected. The issue is, if those vendors and associations experience a breach, professionals are also at risk.

To keep their patient information safe, it’s vital that dental offices and all professional businesses pay attention to some of the human risks that can lead to cybersecurity incidents. The attack this week, for instance, was the result of a phishing attack that tricked an employee into handing over account credentials. Here are a few things all professionals can easily do on their own to stay secure:

Endpoint Detection and Response

Endpoint detection and response (EDR) is a type of security software that actively monitors endpoints like phones, laptops, and other devices to identify any activity that could be malicious or threatening. Once a potential threat is identified, EDR will automatically respond by getting rid of or containing the threat and notifying your security or IT team. EDR is vital today to stay on top of potential threats and put a stop to them before they can cause any damage.

Multi-Factor Authentication

Using multi-factor authentication (MFA) is a simple yet powerful tool for stopping the bad guys from using stolen credentials. For example, if an employee is successfully phished and the attacker gets that employee’s login information, having MFA in place for that employee’s account can stop the attacker from accessing it even with the right username and password. If possible, all users accessing your system should have multi-factor authentication set up for all of their accounts. At minimum, however, it is extremely important that every user with administrative privileges use MFA, whether they are accessing your network remotely or on-premises.

Patching

Hackers are constantly looking for vulnerabilities in the software we rely on to run our businesses. All those software updates may be annoying to deal with, but they often contain important security features that “patch up” known vulnerabilities. At the end of the day, if you’re using out-of-date software, you’re at an increased risk for attack. It’s therefore important that your team stays on top of all software updates as soon as they become available.

Back-ups

Having a backup of your systems could allow you to quickly restore your systems and data in the event of an attack. This is especially important if you are hit by ransomware, in which the attackers remove your data from your networks. However, it’s essential to have an effective backup strategy to ensure the attackers don’t steal your backups along with everything else. At minimum, at least one backup should be stored offsite. You should also utilize different credentials for each copy of your backup. Finally, you should regularly test your back-ups to ensure you will be able to quickly and effectively get your systems online if an attack happens.

Security Awareness Training

As this latest data breach shows, phishing and social engineering attacks are common ways attackers gain access to your systems. Unfortunately, phishing attacks are not something you can fix with a piece of software. Instead, it’s essential that employees are provided with the training they need to spot and report any phish they come across. Sometimes it only takes one wrong click for the bad guys to worm their way in.

Changes to Employee Training Align with Behavior-Design Principles

A recent article in The Wall Street Journal highlights some of the big changes that businesses have made to their employee training programs since the start of the pandemic. Typically, these trainings were formal, multi-hour in-person meetings. According to Katy Tynan, research analyst at Forrester Research, “formal, classroom-delivered training was easy to plan and deliver, but organizations didn’t always see the intended results.” Once the pandemic came along, trainings moved online and offered fun, informal, bite-size lessons that employees take over time. These changes to classical training programs echo many of the behavior-design principles that we incorporate into our cybersecurity awareness training.

Let’s break down some of the key changes the Journal article discusses and how they relate to behavior-design principles:

1. Keep it Simple

Instead of hours-long trainings, businesses are starting to break their trainings into small pieces for employees. In behavior-design terms, this represents an important element of creating change: making sure users can easily do what we are asking them to do. Simply put, you can’t throw a ton of information at someone and expect them to keep up with it all. What’s more, employees will be a lot more willing to go through with a training if they know it will only take 5 minutes instead of 5 hours. Keeping trainings short and easy to do is therefore an important step towards ensuring that your desired outcome aligns with your employees’ abilities.

2. Consistency is key

Most traditional training programs are a one-and-done deal. Once it’s over, you never have to worry about it again. However, this is exactly what we don’t want employees to take away from training. Instead, consistency is key for any changes. With short lessons, employees can go through the program in small, daily steps that are easy to manage while also keeping the training in their mind over an extended period of time.

3. Make it Interesting

The final piece of the behavioral puzzle is ensuring that employees actually want to do the trainings. Most traditional training programs may involve some small group discussions, but overall employees are shown videos and made to listen to someone talk at them for long periods of time. Employees are only taking in information passively. Instead, trainings should be fun, interesting, and engaging to keep users coming back for more.

The pandemic has brought about so many changes to our lives. While some of the changes have been for the worse, it has also forced us to start thinking differently about how we do things and come up with creative solutions. The new trend in training programs is one such change. And what makes these changes so successful is the way they incorporate some of the basic behavior-design principles. This is the approach we took when we developed The PhishMarket™, our cyber awareness training program. By offering engaging and interactive 2-4 minute lessons given daily over an extended period of time, our program has shown success in reducing employee phish susceptibility 50% more than the industry standard.

The Human Factors Behind the Robinhood Data Breach

Earlier this week, the trading app Robinhood announced a data breach in which a mixture of email addresses and full names of 7 million of their users were stolen. It is still unclear what impact this may have for Robinhood’s entire userbase. However, at the very least, this breach could provide attackers with enough information to carry out phishing and other social engineering attacks against those whose data was stolen. While on the face of it this may appear to be your standard data breach, a closer look reveals how human factors led to the breach.

While we don’t have all the details yet, according to Robinhood’s statement, the attack was carried out after someone called the company’s customer support line and tricked an employee into handing over access to “certain customer support systems.” From there, the attacker was likely able to access customer information or gain additional access to other parts of Robinhood’s network. This form of attack is commonly known as a “vishing” attack, in which the attacker impersonates someone over the phone rather than through a traditional phishing email.

This form of attack is not uncommon and highlights a number of key questions that business leaders need to consider when it comes to digital risk. First, it’s important to take a broad view of all the different avenues attackers could use to gain access to your systems. While your customer support channels may not come first to mind, any outward-facing platform can pose a risk. Second, business leaders and their employees need to start thinking about how their own digital behaviors can be leveraged against them. Traditional security awareness programs do a good job of explaining issues and in some cases testing for the presence of negative digital behaviors. But, to start to see real change, security awareness training needs to focus on designing for the positive, more secure behaviors that are strong enough to override the bad online habits we develop.

Any way you cut it, the Robinhood data breach is yet another example that highlights the vital importance of taking a human-factored approach to cybersecurity. Business leaders need to actively invest in not just security tools, but also in training and controls that help employees understand human factors threats and what they need to do to ensure they don’t fall for social engineering scams.

Your Cybersecurity Controls Might Be Hurting More Than Helping

In many cases, our employees are our first line of defense against cyber-attack. However, for employees to start developing habits that are in line with cybersecurity practices, business leaders need to understand effective strategies for getting these habits to stick. One of the main tenets of behavioral science is that the new habit you want to see needs to be easy to accomplish.

Ideally, you and your IT team can put in place effective cybersecurity controls that make developing secure habits easier for your employees. But what happens when these security features make it more difficult for users to perform the positive and secure behaviors you want to see?

This is the topic of new research on cybersecurity risk management and behavior design. In “Refining the Blunt Instruments of Cybersecurity: A Framework to Coordinate Prevention and Preservation of Behaviors,” researchers Simon Parkin and Yi Ting Chua highlight the importance of making sure that cybersecurity controls that limit malicious or negative behaviors don’t also restrict the positive behaviors your employees are trying to accomplish. For example, it’s common practice for companies to require their employees to change their passwords every few months. However, not only does this put the burden on employees for keeping their accounts secure, research has shown that users who are required to create new passwords frequently tend to use less and less secure passwords over time. While you may think having employees change their passwords will help keep your network more secure, doing so might actually have the opposite effect.

To ensure security controls aren’t restricting users from engaging in positive behaviors, Parkin and Chua emphasize the need to more precisely target malicious behaviors. To do so, they outline three steps business leaders and IT teams should take to more precisely define their cybersecurity controls.

1. Create a system to identify positive behaviors

To ensure you are preserving the positive behaviors your employees are doing, you first have to figure out how to track those behaviors. Unfortunately, it can be a lot easier to identify behaviors you don’t want to see than those you do want to see. An employee clicking a malicious link in an email, for example, can be identified. But how do you identify when an employee doesn’t click the link in a phishing email? One solution is to give users access to a phish reporting button directly within their email client.

Whatever you decide, it’s essential to both identify the positive behaviors you want to see and create a system to track when those behaviors are used by employees.

2. Find linkages between negative and positive behaviors

Now that you can track both positive and negative behaviors, the next step is to look at your security controls and identify possible linkages between the negative behavior the control is defined to restrict and positive behaviors you want employees to engage in. If a control affects both positive and negative behaviors, there is a linkage the control is creating — a linkage you want to break.

3. Better define controls to prevent negative behaviors and promote positive behaviors.

Once you’ve identified linkages between positive and negative behaviors, the next step is to find ways to ensure your controls are only affecting the negative behaviors. For example, instead of requiring users to create new passwords every few months, system monitoring tools can be used to detect suspicious activity and block access to a user’s account without the user having to do anything.

At the end of the day, if the habits you want your employees to form aren’t easy to accomplish, it’s not going to happen. And it’s definitely not going to happen if your security controls are actively making things harder for your employees. It’s essential for you and your IT team to take the time to review your current controls and actively identify ways to maintain your security without affecting your employees’ ability to form secure habits at work.

3 Ways Experts Fail to Spot Phish

Spotting phish is not always easy. Sure, some phish you get are easy to spot, but over the years scammers have worked hard to create more convincing emails. By more convincingly spoofing the common emails we see every day in our inbox and by leveraging cognitive biases we all have, more sophisticated phishing emails can be pretty difficult to catch. In a recently published research paper, Rick Wash, professor of Media and Information at Michigan State University, takes a closer look at how IT experts spot the phish they get and highlights the ways even the experts can fall prey to sophisticated phishing campaigns.

How Experts Spot Phish

Interviewing 21 IT experts, Wash found 3 common steps they use to spot phish that come into their inbox.

Step 1: Sense Making

First, experts simply try to understand why they are receiving this email and how it relates to other things in their life. They look for things that seem to be off about the email, noting discrepancies like typos or things they know to be untrue. They also try to understand what the email is trying to get them to do. If they see a lot of discrepancies and are being urged to take quick action, they move on to the next step.

Step 2: Suspicion

In this step, the experts move away from trying to make sense of the email and start asking themselves whether this email is legitimate. To determine this, they start looking for evidence, like hovering over the link to see where it directs them and checking the sender’s name and address. After collecting evidence, they move to the final step.

Step 3: Decision

By this step, the experts have concluded whether or not the email is legitimate. If they believe it’s a phish, they now take some form of action. In some cases, they simply delete the email; others take proactive steps like reporting the phish or alerting other employees to the potential scam.

Even The Experts Can Fail

After discussing the ways experts typically spot phish, Wash highlights a number of ways even the experts can mess up when spotting phish. Here are 3 of the most important failures Wash highlights.

1. Automation Failure

Automation failure happens when we’re not engaging in enough sense making. We all get a lot of emails every day, so sometimes we go into auto-pilot as we go through our inbox. However, this means we’re not engaging in enough sense making. It’s therefore essential to take a moment to pause before opening our email and make sure we are acting with awareness.

2. Accumulation Failure

Accumulation failure refers to identifying discrepancies in an email but only looking at them one by one instead of as a whole. It can be easy to find any number of explanations for a discrepancy we see, so if you’re only thinking about each of these discrepancies in isolation, you may not become suspicious. However, if you start to add up all the issues you’re seeing in the email, it becomes a lot easier to tell when you need to be suspicious of what you’re seeing.

3. Evidence Failure

Lastly, evidence failure is when you make the wrong judgment on the evidence you see in an email. If, for example, you hover over the link in the email and it shows you a spoofed link that looks similar to a common website you use, you may not realize the link is bad.
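The three steps above (sense making, suspicion, decision) and the accumulation and evidence failures can be turned into a checklist that a mail filter or a reporting workflow runs automatically. The Python script below is an added example, not code from the research or from this blog: it parses a constructed sample email (every name and domain in it is invented), gathers the same evidence an expert gathers, compares the visible link text with the real link target, checks the target against a simple lookalike normalization so that a spoofed domain like `acrne.example` is not mistaken for `acme.example`, notes urgency language, and then judges the discrepancies together rather than one at a time. The `expected_domain` parameter, the urgency word list and the lookalike substitutions are assumptions made for this example, and the registrable-domain guess (last two labels) is deliberately crude.

```python
"""Collect the evidence an expert gathers from a suspicious email, then add it up."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample; every name and domain here is invented for this example.
SAMPLE_EMAIL = """From: "Acme Payroll" <notice@acme-payroll-support.example>
To: employee@acme.example
Subject: Action required: confirm your direct deposit within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your direct deposit is on hold. Confirm now to avoid a missed payment.</p>
<p><a href="http://login.acrne.example/verify">https://portal.acme.example/payroll</a></p>
</body></html>
"""

URGENCY_WORDS = ("action required", "within 24 hours", "on hold", "confirm now", "immediately")
# Character swaps that make one domain look like another at a glance (rn/m, vv/w, digits)
LOOKALIKE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


class LinkCollector(HTMLParser):
    """Pull (href, visible text) pairs out of an HTML body: the 'hover over the link' evidence."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess: the last two labels (no public-suffix list here)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(url_or_host):
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return registrable(urlparse(url_or_host).hostname or "")


def normalize_lookalikes(domain):
    for fake, real in LOOKALIKE_PAIRS:
        domain = domain.replace(fake, real)
    return domain


def analyze(raw_email, expected_domain):
    """Return the discrepancies found and a verdict based on how many there are."""
    msg = message_from_string(raw_email)
    findings = []
    org_label = expected_domain.split(".")[0]

    # Suspicion step: does the display name claim an identity the address does not back up?
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if org_label in name.lower() and sender_domain != expected_domain:
        findings.append(f"display name '{name}' suggests {expected_domain} but address is @{sender_domain}")

    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_domain = domain_of(href)
        if "." in text:  # visible text that looks like a URL must agree with the real target
            text_domain = domain_of(text)
            if text_domain and text_domain != href_domain:
                findings.append(f"link text shows {text_domain} but points to {href_domain}")
        # Evidence-failure guard: a near-match of the trusted domain is the classic spoofed link
        if href_domain != expected_domain and normalize_lookalikes(href_domain) == expected_domain:
            findings.append(f"link domain {href_domain} is a lookalike of {expected_domain}")
        if href.lower().startswith("http://"):
            findings.append(f"link {href} is plain http")

    # Sense-making step: pressure to act quickly is itself a discrepancy worth counting
    haystack = (msg.get("Subject", "") + " " + body).lower()
    urgent = [w for w in URGENCY_WORDS if w in haystack]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))

    # Accumulation: judge the discrepancies together, not one at a time
    verdict = "suspicious" if len(findings) >= 2 else "no strong evidence"
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = analyze(SAMPLE_EMAIL, "acme.example")
    for finding in result["findings"]:
        print("-", finding)
    print("verdict:", result["verdict"])
```

On the sample message the script reports five separate discrepancies; no single one of them proves anything, which is exactly the accumulation point: a reporting button or filter that scores them together catches what a reader judging each in isolation can explain away.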

What’s important about this research is that, when it comes to social engineering, even the experts can get tripped up. It’s therefore vital that security awareness training goes beyond simply teaching you what to look for in an email. Awareness training should also teach you how to spot when an email plays on your own cognitive biases and the ways we sometimes fail to take account of important information when we look at our inbox.

U.S. May Start Cracking Down on Ransomware Payments

The debate over whether or not to pay the ransomware demand has gone on for a while now. The FBI has long urged businesses to refuse all demands for a ransom payment. And while most businesses aren’t exactly excited to shell out a ton of money to criminals, if their backups are corrupted or they are facing extended downtime, paying the ransom may start to feel like the only option. Adding to the debate, last week the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) released updated ransomware guidelines, reinforcing the FBI’s stance and possibly opening the door to imposing fines on organizations that pay up.

In the updated guidelines, OFAC states that the U.S. government “strongly discourages” businesses from paying ransom demands, arguing these payments may help fund future attacks against the U.S. OFAC also makes the point that paying the ransom in no way guarantees you will ever see your data again or that the attackers didn’t make a copy of your sensitive information to use against you later.

However, OFAC is doing more than strongly discouraging payments; it may also start imposing civil fines on those who do pay. “U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List).” And just last month OFAC added SUEX, a cryptocurrency exchange service, to that list. According to OFAC, over 40% of transactions on SUEX were for illicit purposes, including ransomware payments.

These new guidelines, therefore, give the U.S. government the ability to fine businesses that decide to pay the ransom. However, the Treasury Department is careful to clarify that other, preventative measures businesses take against ransomware may save them from civil fines. Such mitigating measures include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.

Incident response plans are essential for mitigating the effect of any form of cyber attack. A good plan involves not only having a detailed roadmap for how to respond to various cyber attacks but also bringing in a team of employees who are responsible for carrying out different parts of the plan, running test scenarios with that team, then making any necessary adjustments based on what didn’t work during the tests. When it comes to incident response, a quick, competent, and efficient response is essential to mitigating risk and limiting damage.

Backups are also critical for dealing with a ransomware attack, potentially allowing you to get your data back without ever having to deal with the attackers. And because these backups are so important, it’s essential to be smart about how you do it. First, use the 3-2-1 approach to backups. You want to have 3 backups on hand so you have multiple options in case one gets corrupted. 2 backups should be kept on-site for easy access, but 1 should be stored off-site and offline, to ensure the attackers can’t get a hold of that too. And because ransomware attackers often steal administrative credentials, you should use separate passwords for your backups.