6 Discontinued Technology Tools You Should Not Be Using Any Longer

One constant about technology is that it changes rapidly. Tools that were once staples, like Internet Explorer and Adobe Flash, age out. New tools replace those that are obsolete.  Discontinued technology can leave computers and networks vulnerable to attacks. 

While older technology may still run fine on your systems, that doesn’t mean that it’s okay to use. One of the biggest dangers of using outdated technology is that it can lead to a data breach.

Outdated software and hardware no longer receive vital security updates. Updates often patch newly found and exploited system vulnerabilities. No security patches means a device is a sitting duck for a cybersecurity breach. 

Approximately 1 in 3 data breaches are due to unpatched system vulnerabilities.  

Another problem with using discontinued technology is that it can leave you behind. Your business can end up looking like you’re in the stone ages to your customers, and they can lose faith and trust. 

Important reasons to keep your technology updated to a supported version are: 

  • Reduce the risk of a data breach or malware infection 
  • Meet data privacy compliance requirements 
  • Keep a good reputation and foster customer trust
  • Stay competitive in your market
  • Mitigate hardware and software compatibility issues
  • Enable employee productivity

Older systems are clunky and get in the way of employee productivity. If you keep these older systems in use, it can lead to the loss of good team members due to frustration.  

49% of surveyed workers say they would consider leaving their jobs due to poor technology. 

Following is a list of outdated technology tools that you should replace as soon as possible. Are any of these still in use on your home computer or within your business? 

Get Rid of This Tech Now If You’re Still Using It

Internet Explorer

Many moons ago, Internet Explorer (IE) used to be the number one browser in the world. But, over time, Google Chrome and other browsers edged it out, including its replacement, Microsoft Edge.

Microsoft began phasing out IE with the introduction of Microsoft Edge in 2015. In recent years, fewer applications have been supporting use in IE. The browser loses all support beginning on June 15, 2022.  

Adobe Flash 

Millions of websites used Adobe Flash in the early 2000s. But other tools can now do the animations and other neat things Flash could do. This made the tool obsolete, and Adobe ended it. 

The Adobe Flash Player lost all support, including security updates, as of January 1, 2021. Do you still have this lingering on any of your computers? If so, you should uninstall the browser plugin and any Flash software.   

Windows 7 and Earlier 

Windows 7 was a very popular operating system, but it’s now gone the way of the dinosaur. Its replacements, Windows 10 and Windows 11, are now in widespread use. The Windows 7 OS lost support on January 14, 2020.

While it may still technically run, it’s very vulnerable to hacks. Microsoft Windows OS is also a high-value target for hackers. So, you can be sure they are out there looking for systems still running this obsolete version of Windows. 

macOS 10.14 Mojave and Earlier

Because of the cost of iMacs and MacBooks, people tend to hang onto them as long as possible. Once these devices get to a certain point, updates no longer work. This leaves the hardware stuck on an older and non-supported macOS version. 

If you are running macOS 10.14 Mojave or earlier, then your OS is no longer supported by Apple, and you need to upgrade. 

Oracle 18c Database

If your business uses Oracle databases, then you may want to check your current version. If you are running the Oracle 18c Database, then you are vulnerable. Breaches can easily happen due to unpatched system vulnerabilities.

The Oracle 18c Database lost all support in June of 2021. If you have upgraded, then you’ll want to keep an eye out for another upcoming end-of-support date. Both Oracle 19c and 21c will lose premier support in April of 2024.

Microsoft SQL Server 2014

Another popular database tool is Microsoft SQL Server. If you are using SQL Server 2014, then mainstream support has already ended. And in July of 2024, all support, including security updates, will stop.

This gives you a little more time to upgrade before you’re in danger of not getting security patches. But it is better to upgrade sooner rather than later. This leaves plenty of time for testing and verification of the upgrade. 

Get Help Upgrading Your Technology & Reducing Risk 

Upgrades can be scary, especially if everything has been running great. You may be afraid that a migration or upgrade will cause issues. We can help you upgrade your technology smoothly and do thorough testing afterward. Get in touch to schedule a technology review today. 

 

 

Article used with permission from The Technology Press.  

How Using the SLAM Method Can Improve Phishing Detection

There is a reason why phishing is usually at the top of the list for security awareness training. For the last decade or two, it has been the main delivery method for all types of attacks. Ransomware, credential theft, database breaches, and more launch via a phishing email. 

Why has phishing remained such a large threat for so long? Because it continues to work. Scammers evolve their methods as technology progresses. They use AI-based tactics to make targeted phishing more efficient, for example. 

If phishing didn’t continue working, then scammers would move on to another type of attack. But that hasn’t been the case. People continue to get tricked. They open malicious file attachments, click on dangerous links, and reveal passwords. 

In May of 2021, phishing attacks increased by 281%. Then in June, they spiked another 284% higher. 

Studies show that as soon as 6 months after training, phishing detection skills wane. Employees begin forgetting what they’ve learned, and cybersecurity suffers as a result. 

Want to give employees a “hook” they can use for memory retention? Introduce the SLAM method of phishing identification.

What is the SLAM Method for Phishing Identification? 

One of the mnemonic devices known to help people remember information is the use of an acronym. SLAM is an acronym for four key areas of an email message to check before trusting it. 

These are: 

S = Sender 

L = Links 

A = Attachments 

M = Message text 

By giving people the term “SLAM” to use, it’s quicker for them to check suspicious email. This device helps them avoid missing something important. All they need to do is use the cues in the acronym.

Check the Sender

It’s important to check the sender of an email thoroughly. Often scammers will either spoof an email address or use a look-alike. People often mistake a spoofed address for the real thing. 

In this phishing email below, the email address domain is “@emcom.bankofamerica.com.” The scammer is impersonating Bank of America. This is one way that scammers try to trick you, by putting the real company’s URL inside their fake one. 

You can see that the email is very convincing. It has likely fooled many people into divulging their personal details. People applying for a credit card provide a Social Security Number, income, and more. 

A quick search on the email address reveals it to be a scam, and a trap used in both email and SMS phishing attacks.

It only takes a few seconds to type an email address into Google. This allows you to see if any scam warnings come up indicating a phishing email.  

 

Hover Over Links Without Clicking

Hyperlinks are popular to use in emails. They can often get past antivirus/anti-malware filters. Those filters are looking for file attachments that contain malware. But a link to a malicious site doesn’t contain any dangerous code. Instead, it links to a site that does. 

Links can be in the form of hyperlinked words, images, and buttons in an email. When on a computer, it’s important to hover over links without clicking on them to reveal the true URL. This often can immediately call out a fake email scam. 

 

When looking at email on a mobile device, it can be trickier to see the URL without clicking on it. There is no mouse like there is with a PC. In this case, it’s best not to click the URL at all. Instead, go to the purported site to check the validity of the message.

Never Open Unexpected or Strange File Attachments

File attachments are still widely used in phishing emails. Messages may have them attached, promising a large sale order. The recipient might see a familiar Word document and open it without thinking.

It’s getting harder to know what file formats to avoid opening. Cybercriminals have become savvier about infecting all types of documents with malware. There have even been PDFs with malware embedded.  

Never open strange or unexpected file attachments. Use an antivirus/anti-malware application to scan all attachments before opening. 

Read the Message Carefully

We’ve gotten great at scanning through text as technology has progressed. It helps us quickly process a lot of incoming information each day. But if you rush through a phishing email, you can miss some telltale signs that it’s a fake. 

Look at the phishing example posted above in the “Links” section. There is a small error in grammar in the second sentence. Did you spot it? 

It says, “We confirmation that your item has shipped,” instead of “We confirm that your item has shipped.” These types of errors can be hard to spot but are a big red flag that the email is not legitimate.

Get Help Combatting Phishing Attacks

Both awareness training and security software can improve your defenses against phishing attacks. Contact us today to discuss your email security needs. 

 

Article used with permission from The Technology Press.  

The Critical Importance of Virtualized Infrastructure Security (And 4 Ways to Enhance It)

A torn-down virtual infrastructure creates risks for any business. And it can have a significant impact on how quickly you can retrieve your data and resume operations following an attack.  

These days, many businesses use virtualized infrastructure for more straightforward data storage. This approach is superior to physical solutions because of its enhanced flexibility, straightforward provisioning, and affordable pricing.

However, this model also requires a comprehensive approach to security.  

There’s a much greater risk of data loss, as many tools and practices for physical data protection are nearly useless in the virtual setting. Virtual threats are different, which is why you need to think beyond traditional perimeter protection.

So, if you’re using a virtualized infrastructure for data storage, keep reading.  

This article discusses the risks of improper virtualized infrastructure security and talks about ways you can improve it.  

DON’T LEAVE YOUR VIRTUALIZED INFRASTRUCTURE TO CHANCE

Virtualization security is crucial for every business’s security strategy. After all, we now live in a world of virtualized environments and need to apply security to all its layers.  

Let’s explore three of the most common virtualization security issues. 

ISSUE #1. EXTERNAL ATTACKS

These are a real threat to virtualized infrastructure.  

If hackers enter your host-level or server management software, they can easily access other crucial parts of your system. They can create a new user, assign admin rights, and then use that power to extract or destroy your company’s sensitive data.  

ISSUE #2. FILE SHARING AND COPY-PASTING

Host and virtual machine (VM) sharing is normally disabled. The same goes for copy-pasting elements between the remote management console and the VM. You can change these default settings on the ESXi host system, but this action isn’t recommended.

Why? 

Because if a hacker gains access to your management console, they’d be able to copy data outside your virtual environment or install malware into your virtual machine. 
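One way to confirm that the copy-paste defaults described above have not been relaxed is to audit each VM's `.vmx` configuration file. This is an added example, not from the original article: the key names are VMware's advanced VM settings (they are not named on this page), the two sample files are constructed, and matching keys case-insensitively is an assumption.

```python
import re

# Values that re-enable console copy/paste. A key that is absent keeps the
# ESXi default, which the article describes as disabled.
RISKY = {
    "isolation.tools.copy.disable": "FALSE",
    "isolation.tools.paste.disable": "FALSE",
    "isolation.tools.setguioptions.enable": "TRUE",
}

# Constructed sample .vmx contents (not taken from a real host).
VMX_DEFAULT = '''\
.encoding = "UTF-8"
displayName = "web01"
guestOS = "ubuntu-64"
isolation.tools.copy.disable = "TRUE"
'''
VMX_RELAXED = '''\
displayName = "jump01"
# someone enabled clipboard sharing for convenience
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "false"
isolation.tools.setGUIOptions.enable = "TRUE"
'''

LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines into a dict with lower-cased keys."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        match = LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings

def audit_vmx(name, text):
    """Return one finding per setting that turns console copy/paste back on."""
    settings = parse_vmx(text)
    return [
        f"{name}: {key} = {settings[key].upper()}"
        for key, bad in RISKY.items()
        if settings.get(key, "").upper() == bad
    ]

if __name__ == "__main__":
    for vm, text in (("web01", VMX_DEFAULT), ("jump01", VMX_RELAXED)):
        for finding in audit_vmx(vm, text) or [f"{vm}: copy/paste settings at safe values"]:
            print(finding)
```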

ISSUE #3. VIRUSES

Virtual machines (VMs) are prone to many attacks, with ransomware being among the most popular ones. For this reason, it’s crucial to keep regular backups of your website data and store them off-site at a place where they can’t be encrypted by hackers.

If you fail to perform backups, you may find yourself in a situation where hackers could ask you for money to decipher your data.  

Restoring a VM is quite tricky even if you perform regular backups. Therefore, you need to educate your team members on alleviating the risk of getting ransomware and other viruses. 

Optimizing Your Virtualized Infrastructure Security 

Now that you’re aware of the 3 common issues a business can face if they have an unprotected virtual infrastructure, here are 4 tips on bolstering its security. 

TIP #1. MANAGING VIRTUAL SPRAWL

Virtual sprawl is often associated with growing virtual environments. The concept simply means that the more you expand, the bigger the need to keep your VMs secure. However, the number of machines can outgrow your ability to do so.

To manage your virtual sprawl, consider doing the following: 

  • Keep an inventory of all your machines at all times
  • Set up lookouts featuring multi-location monitoring 
  • Monitor IP addresses that have access to your VMs 
  • Look for table locks 
  • Don’t use database grant statements to give privileges to other users 
  • Keep both on- and off-site backups 
  • Assess your virtual environment regularly and determine which machines you need and which ones aren’t necessary 
  • Have a central log of your systems and log all hardware actions 
  • Create a patch maintenance schedule for all machines to keep them up to date 

TIP #2. FOCUSING ON VIRTUAL CONFIGURATION SETUP

If you use virtual servers, you risk major configuration defects.  

That’s why it’s essential to make sure initial setups are free from security risks. This includes unnecessary ports, useless services, and similar vulnerabilities. Otherwise, all your virtual machines will inherit the same problems.  

The truth is that many businesses have poor virtual network configurations. You can avoid being one of those by ensuring all virtual applications that call the host (and vice versa) have proper segmentation. This includes databases and all web services.  

It’s also worth mentioning that most virtualization platforms only offer three switch security settings: forged transmits, MAC address changes, and promiscuous mode. There’s no protection for virtual systems that connect to other network areas.  

So, make sure to investigate each virtualization platform that allows this kind of communication, including all memory leaks, copy-paste functions, and device drivers. You can also tweak the system monitoring assets to look out for these pathways.  

TIP #3. SECURING ALL PARTS OF THE INFRASTRUCTURE

It’s imperative that you properly secure all of your infrastructure’s parts. This includes its physical components (switches, hosts, physical storage, routers) and virtual and guest systems. Don’t forget about all your cloud systems as well.  

When it comes to protecting different infrastructure parts, here are some things you can do: 

  • Install the latest firmware for your hosts. Virtualized infrastructure needs to have the latest security patches. So, keep all your VMware tools updated.  
  • Your active network elements such as routers, switches, and load balancers should use the latest firmware. 
  • Patch all operating systems with automatic updates. Schedule patch installations outside of your work hours and include automatic reboots.  
  • All virtualized environments should have reliable anti-malware and antivirus software installed (and regularly updated).  

TIP #4. HAVING A ROBUST BACKUP PLAN

Proper disaster recovery (DR) and backup plans are crucial in ensuring your business can continue operating after an attack. That’s because both your physical and virtual components can equally suffer from damage done by hacker attacks, hurricanes, etc.

Ideally, you want to have a DR site located at a faraway data center or in the cloud. This way, you’ll alleviate the risk of being shut down for a long time if your vital data gets compromised.

Also, make sure to back up your VMs and your physical servers. Fortunately, you can back up your physical systems that operate on Windows or Linux, as well as your VMs that run on any OS.  

Additionally, you want to make at least three copies of your data and store two of them in different virtual places. And make sure to keep one backup off-site.  

If you want to take things to another level, you can replicate your VMs to a different data center for emergencies.  

PRIORITIZE THE SECURITY OF YOUR VIRTUAL INFRASTRUCTURE

If you never gave much importance to virtualized infrastructure security, doing so should be your priority now. Given the number of possible threats, protecting your VMs from unauthorized data sharing, viruses, and other types of attacks is crucial.  

All aspects of your physical and virtual components need to be protected to avoid issues. If this topic is all Greek to you, you’re not alone. The reality is that many business owners have struggled with the same problem.  

However, you can reach out to us for a 10-15-minute chat where we can discuss how you can bring the security of your virtualized infrastructure to the next level.  

 

Article used with permission from The Technology Press.  

Cybersecurity Training: How Often Is Enough?

You’ve completed your annual phishing training. This includes teaching employees how to spot phishing emails. You’re feeling good about it. That is until about 5-6 months later. Your company suffers a costly ransomware infection due to a click on a phishing link. 

You wonder why you seem to need to train on the same information every year. But you still suffer from security incidents. The problem is that you’re not training your employees often enough. 

People can’t change behaviors if training isn’t reinforced. They can also easily forget what they’ve learned after several months go by. 

So, how often is often enough to improve your team’s cybersecurity awareness? It turns out that training every four months is the “sweet spot.” This is when you see more consistent results in your IT security. 

Why Is Cybersecurity Awareness Training Every 4 Months Recommended?

So, where does this four-month recommendation come from? There was a study presented at the USENIX SOUPS security conference recently. It looked at users’ ability to detect phishing emails versus training frequency. It looked at training on phishing awareness and IT security. 

Employees took phishing identification tests at several different time increments: 

  • 4 months
  • 6 months
  • 8 months
  • 10 months
  • 12 months

 

The study found that four months after their training, scores were good. Employees were still able to accurately identify and avoid clicking on phishing emails. But after 6 months, their scores started to get worse. Scores continued to decline the more months that passed after their initial training.

 

To keep employees well prepared, they need training and refreshers on security awareness. This will help them to act as a positive agent in your cybersecurity strategy. 

 

Tips on What & How to Train Employees to Develop a Cybersecure Culture

The gold standard for security awareness training is to develop a cybersecure culture. This is one where everyone is cognizant of the need to protect sensitive data, avoid phishing scams, and keep passwords secured.

This is not the case in most organizations, according to the 2021 Sophos Threat Report. One of the biggest threats to network security is a lack of good security practices.

The report states the following:

“A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we’ve investigated.” 

Well-trained employees significantly reduce a company’s risk. They reduce the chance of falling victim to any number of different online attacks. To be well-trained doesn’t mean you have to conduct a long day of cybersecurity training. It’s better to mix up the delivery methods. 

Here are some examples of engaging ways to train employees on cybersecurity. You can include these in your training plan: 

  • Self-service videos that get emailed once per month 
  • Team-based roundtable discussions 
  • Security “Tip of the Week” in company newsletters or messaging channels 
  • Training session given by an IT professional  
  • Simulated phishing tests 
  • Cybersecurity posters 
  • Celebrate Cybersecurity Awareness Month in October  

When conducting training, phishing is a big topic to cover, but it’s not the only one. Here are some important topics that you want to include in your mix of awareness training. 

Phishing by Email, Text & Social Media

Email phishing is still the most prevalent form. But SMS phishing (“smishing”) and phishing over social media are both growing. Employees must know what these look like, so they can avoid falling for these sinister scams. 

Credential & Password Security

Many businesses have moved most of their data and processes to cloud-based platforms. This has led to a steep increase in credential theft because it’s the easiest way to breach SaaS cloud tools. 

Credential theft is now the #1 cause of data breaches globally. This makes it a topic that is critical to address with your team. Discuss the need to keep passwords secure and the use of strong passwords. Also, help them learn tools like a business password manager. 

Mobile Device Security

Mobile devices are now used for a large part of the workload in a typical office. They’re handy for reading and replying to an email from anywhere. Most companies will not even consider using software these days if it doesn’t have a great mobile app. 

Review security needs for employee devices that access business data and apps, such as securing the phone with a passcode and keeping it properly updated.

Data Security

Data privacy regulations are something else that has been rising over the years. Most companies have more than one data privacy regulation requiring compliance.   

Train employees on proper data handling and security procedures. This reduces the risk you’ll fall victim to a data leak or breach that can end up in a costly compliance penalty.  

Need Help Keeping Your Team Trained on Cybersecurity?

Take training off your plate and train your team with cybersecurity professionals. We can help you with an engaging training program. One that helps your team change their behaviors to improve cyber hygiene. Get in touch to learn how BDS can help!  

Article used with permission from The Technology Press.