Cybersecurity Staff Training Session – Part 2

Welcome to the second part of the AGIX Cybersecurity training course. This course is focused on staff-related matters. Organisations are under constant attack. Some attacks are “testing the water” while others are organized, local and effective.

Organisations are constantly defending against cyber-threats.

Targets

  1. All organisations are targets.
    1. Online businesses.
    2. Physical businesses.
    3. Small businesses.
    4. Large businesses.
    5. Not-for-profit.
    6. Government.
    7. Defense.

Objectives of criminals

  1. Financial gain.
  2. Disruption.
  3. Intellectual property theft.
  4. Ransoms.
  5. Embarrassment.

Methods

  1. Phishing emails and phone calls:
    1. Sometimes forged phone numbers.
    2. Sometimes real phone numbers.
  2. Invoice payment redirections:
    1. Forged emails sent to clients with new/fraudulent bank details.
  3. Fake websites:
    1. Story about website cloning combined with phishing emails.
    2. Access to email and social media.
  4. In-person interactions:
    1. Site visits.
    2. Door to door (opportunistic).
    3. Coffee shop.
  5. Common scams to be aware of:
    1. Overpayment scams.
    2. Late bill scams.
    3. Account cancellation scams.
      1. Story about gift-card scams.
    4. Opportunity scams.
      1. New ideas.
      2. Product import.
        1. Story about import scams.
      3. Work from home.
      4. High pay for low effort.
  6. Emotional attack:
    1. Start off as normal, relatable interactions.
    2. Commonalities such as work focus.
    3. Work status.
    4. Living city.
    5. Offers to solve financial problems.

Exposure points

  1. Email.
  2. SMS.
  3. Social media.
  4. Phone.
  5. Mail (post).
  6. Office (visit).
  7. Home (visit).

Solutions

  1. Policies:
    1. Ensure a suitable and regularly updated policy set exists.
    2. Staff should read and agree to the policies.
    3. Policies should reflect best practices, but be customized to the organisation.
  2. Verify visitors:
    1. Site visits are common.
    2. Assume untrusted before trusted.
    3. Checks and balances:
      1. Involve multiple people if unsure/new/suspicious.
      2. Ensure multiple people are involved in impacting matters.
  3. Secure environments:
    1. Locked doors.
    2. Fences.
    3. Security cameras.
    4. Guard dogs.
    5. Security guards.
    6. Neighbors / Workmates.
  4. Secure environment:
    1. Ensure that firewalls:
      1. Block untrusted countries and regions.
      2. Block inappropriate websites (by domain or content).
    2. Secure WIFI networks.
    3. Secure Remote Access systems (VPNs and Remote Desktop).
    4. Monitor for rogue devices.
    5. Ensure staff devices:
      1. Are encrypted (laptops, desktops, phones and tablets).
      2. Automatically lock after a short period of non-use.
      3. Are backed up regularly or in real-time.
  5. Secure online:
    1. Ensure websites are “https://”.
    2. Ensure websites are “real”.
    3. Use a “password manager” and/or your web browser’s built-in password manager.
  6. Set requirements based on risk:
    1. Require additional checks if thresholds are met or exceeded.
  7. 2FA:
    1. If a system allows 2FA, use it.
    2. It’s very effective.
    3. Authentication Apps are the best form.
    4. Email is a less acceptable form.
    5. SMS is the weakest form.
  8. Strong passwords:
    1. Use complex and meaningful passwords.
  9. Unique passwords:
    1. Don’t reuse passwords for different systems/services (social media, email, work).
  10. Incident reporting:
    1. Can be embarrassing.
  11. Protect your email accounts at all costs:
    1. Email is a recovery system.
    2. Email holds sensitive information.

Example Email

The following two images are real emails received. One is legitimate, while the other is not.

Scam email
Legitimate email

Resources

  • https://www.fireeye.com/cyber-map/threat-map.html
