Cell Number Security

Digital privacy goes hand-in-hand with digital security … and there’s an increasingly used piece of information under your control that the bad guys are after … it’s your cell phone number. More and more, cell phone numbers are being used by the bad guys as a way to get at personal information that’s kept by nearly all corporations, financial institutions, and, yes, social media networks.

Your cell phone number is a gateway to your identity. It provides an entrance to all the data contained on your phone, and can connect your other information to you – your email address, physical address—everything. In a company’s database, your phone number becomes another piece of personally identifying data. But unlike our Social Security numbers, the number is not regulated, and no companies are mandated to keep it private.

Mobile phone numbers then become a target for attackers. Most of us have gotten wise to phishing and email breaches. Now there is SMiShing (pronounced “smishing”) … the act of sending a text message containing questionable links to harmful websites. Once the bad guys get your credentials, they can log into your banking site as you. Then, we all know what can be done: Monies transferred. Checks written. Stocks sold.

Even seemingly innocuous requests like the one from a sales clerk can lead to trouble. The fact that they now have it means it could be hacked. Customer phone numbers have been stolen from Anthem, Citigroup, JPMorgan Chase, Walgreens, and Yahoo.  

What you can do: 

  1. Use common sense: If you’re asked for your phone number, ask why.
  2. Get a virtual phone number: Google Voice gives you a free phone number for calling, text messaging, and voicemail. It works on smartphones and computers, and syncs across your devices so you can use the app while on the go or at home. Check out https://voice.google.com
  3. Enable two-factor or multi-factor authentication on all your devices:
  4. Sign up for the “do not call” lists, which are helpful for run-of-the-mill solicitations.
  5. Choose which private data you are willing to share: Maybe an email address, zip code or just your name as a way to identify you. It’s worth asking about with the person asking for data.

Steganography 101

Steganography is the practice of hiding secret messages in otherwise non-secret mediums. It has been used in various ways for years – writing Revolutionary War messages in invisible ink, as an example. In the digital world, even something as benign as an image may be stealthily encoded with information. As an example, the pixel values, brightness, and filter settings can be manipulated by a hacker using a secret code to embed a message.

Through this technique hackers are deceiving internet users and smuggling malicious payloads past security scanners and firewalls. Steganography’s goal is to hide the fact that the content exists at all by embedding it in something else. The hidden code can then be used in all sorts of malicious attacks.

Various reports indicate that steganography is being used more than ever … although it is possible that the good guys are just getting better at detecting it. Steganography is being detected not only in sophisticated hacks, but in the attacks of low-level cyber criminals as well: malvertising, phishing, and malware distribution. This may be due in part to the sale of steganographic instructions, allowing the technique to trickle down to the bad guys who may not have thought of a particular attack.
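One statistical check a defender can run for the pixel-value manipulation described above, as an added example that is not part of the original article: it compares how often each even pixel value and its odd neighbour occur. The sample pixels, the threshold and all function names are assumptions made for this sketch.

```python
import random
from collections import Counter

THRESHOLD = 2.0  # assumed cut-off for this sketch, not a standard value


def pair_chi_square(pixels):
    """Chi-square per degree of freedom over value pairs (2k, 2k+1).

    Overwriting least-significant bits with payload bits evens out the counts
    inside each pair, pulling this ratio towards 1. Untouched images usually
    have uneven pairs and score far higher.
    """
    hist = Counter(pixels)
    chi, dof = 0.0, 0
    for even in range(0, 256, 2):
        a, b = hist[even], hist[even + 1]
        expected = (a + b) / 2
        if expected == 0:
            continue  # neither value occurs, nothing to compare
        chi += ((a - expected) ** 2 + (b - expected) ** 2) / expected
        dof += 1
    return chi / dof if dof else float("inf")


def looks_lsb_randomised(pixels, threshold=THRESHOLD):
    """True when the even/odd pairs are suspiciously well balanced."""
    return pair_chi_square(pixels) < threshold


def constructed_cover(n=40000, seed=1):
    """Constructed stand-in for a photo channel with uneven even/odd counts."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        v = min(255, max(0, int(rng.gauss(128, 30))))
        out.append(v & ~1 if rng.random() < 0.7 else v)
    return out


def randomise_lsb(pixels, seed=2):
    """Simulate the statistical footprint of an encrypted payload in the LSBs."""
    rng = random.Random(seed)
    return [(v & ~1) | rng.getrandbits(1) for v in pixels]


if __name__ == "__main__":
    clean = constructed_cover()
    for name, px in (("clean", clean), ("lsb-randomised", randomise_lsb(clean))):
        print(f"{name:15s} ratio={pair_chi_square(px):8.2f} flagged={looks_lsb_randomised(px)}")
```

A low ratio is a triage signal only: synthetic or heavily processed images can also have balanced pairs, so a flagged file still needs a closer look.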

For individuals and small businesses, the way to protect yourself from steganographic attacks is to continuously work on security overall. Whether a phishing or a malvertising attack incorporates steganography or not, it still requires you to click on a link or download a file. If you’re aware of these types of attacks, looking out for them, and securing your accounts with protections like two-factor authentication, you’ll reduce your risk and have defenses in place if you are attacked.

Overwhelming, isn’t it? The Network Division at 2-Way communications can help. We’ll provide you with the integrated Security Awareness Training and Simulated Phishing platform used by more than 8,000 customers nation-wide. Contact The Network Division for more information or to set an appointment today. Give them a call (603-431-6288) or send an email to NetworkSolutions@2-Way.biz.

Staying Safe – Protect Your Company Against Ransomware

I recently read “4 Ways to Protect Against the Very Real Threat of Ransomware” by Kim Zetter, published in WIRED on 5/13/2017. Given the recent WannaCry ransomware event (200,000 computers in 150 countries infected, and a new version called “Uiwix” which does not have the kill switch used by Malware Tech, according to C/NET), I thought the article was a good one to share. The article is not only timely, but provides good advice for staying protected.

The article initially identifies ransomware’s prime targets. They cover the characteristics of organizations that could reasonably expect to be subject to a ransomware attack.

The author then provides four ways to protect your organization against a ransomware attack. They are:
1. Back up important data on a daily basis so you’re not vulnerable to the attack in the first place. This includes disconnecting any external hard drive in use.

2. Recognizing and correctly reacting to suspicious emails and links. Phishing attacks and malvertising are the primary means of infection. If your employees are not up to speed with security 101 basics, stand by for trouble.

3. Patch software security holes to prevent malicious software from exploiting them.

4. Disconnect – If you do get an infection, shut down most of the organization’s network to prevent infection spread – this includes Wi-Fi and Bluetooth. After that, ID the type of strain and reach out to anti-virus companies for a decryptor.

Getting back to security 101 basics, the Network Division at 2-Way communications can help. We’ll provide you with the integrated Security Awareness Training and Simulated Phishing platform used by more than 8,000 customers nation-wide. Contact The Network Division for more information or to set an appointment today. Give them a call (603-431-6288) or send an email to NetworkSolutions@2-way.biz.

Phishing Attack Results in $400,000 HIPAA Breach Fine

A Denver, Colorado area network of public health clinics paid a $400,000 HIPAA breach penalty after a phishing attack let a hacker gain access to employee email accounts and obtain electronic protected health information of 3,200 patients. Investigators found the organization violated the HIPAA Security Rule by failing to do proper risk assessments or implement adequate cyber security measures and procedures. The official resolution agreement noted in part “ … The clinics have failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

Across the country employees are frequently exposed to advanced phishing and ransomware attacks. Your employees, then, may be the weak link in your IT security.
From worst to best, these are 5 ways often used to train end-users:

“Do Nothing”: rely on filters and count on users to not click on phishing links. 25% of organizations still use this tactic. No kidding.

“The Break Room”: herd all users once a year into the break room. Keep them awake with donuts and coffee during the death by PowerPoint slide deck.

“The Monthly Security Video”:  users are given short videos that each cover a topic related to keeping the network secure, but causing training fragmentation.

“The Phishing Test”:  select a group of high-risk users and send a mock phishing attack. Employees that fail are asked to do a short remedial training.

“The Human Firewall”:

1) Pre-test all users to find out your organization’s Phish-prone percentage and  get your baseline.
2) Train all your employees on-line, on-demand to resist important attack vectors.
3) Schedule monthly phishing attacks to all users year-round — Fully automated, super simple, highly effective, and very little time required.

What’s best? The Human Firewall. How do you create it? Baseline testing, training, simulated phishing attacks, reports and data analysis. But you don’t do it … you call The Network Division at 2-Way Communications.

We’ll provide you with the integrated Security Awareness Training and Simulated Phishing platform used by more than 8,000 customers nation-wide. Included in the training is world-class, user-friendly Security Awareness Training, along with self-service enrollment, pre- and post-training, and phishing security tests that show you the percentage of end-users that are Phish-prone. Additionally, there are effective, frequent, random Phishing Security Tests with several remedial options in case an employee falls for a simulated phishing attack. The result is a platform to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks.

Contact The Network Division for more information or to set an appointment today. Give them a call (603-431-6288) or send an email to NetworkSolutions@2-way.biz.