AGIX Discussion Cyber-Security

Cybersecurity Staff Training Session – Part 1

Welcome to the first part of the AGIX Cybersecurity training course. This course is focused on staff related matters. Cybersecurity relates to people as much as organisations, and as such we’ll ensure home and work perspectives are covered. We discuss the methods and solutions, and we discuss what to look out for.

Scammers are the biggest threat to staff. Anyone can be scammed.

Targets

  1. Everyone is a target:
    1. Businesses.
    2. Individuals.

Objectives of criminals

  1. Identity theft, which leads to:
  2. Financial gain.

Methods

  1. Phishing emails and phone calls:
    1. Sometimes forged phone numbers.
    2. Sometimes real phone numbers.
  2. Fake websites:
    1. Story about website cloning combined with phishing emails.
    2. Access to email and social media.
  3. In person interactions:
    1. Site visits.
    2. Door to door (opportunistic).
    3. Coffee shop.
  4. Common scams to be aware of:
    1. Over payment scams.
    2. Late bill scams.
    3. Account cancellation scams.
      1. Story about gift-card scams.
    4. Opportunity scams.
      1. New ideas.
      2. Product import.
        1. Story about import scams.
      3. Work from home.
      4. High pay for low effort.
  5. Emotional attack:
    1. Start off as normal, relatable interactions.
    2. Commonalities such as work focus.
    3. Work status.
    4. Living city.
    5. Offers to solve financial problems.

Exposure points

  1. Email.
  2. SMS.
  3. Social media.
  4. Phone.
  5. Mail (post).
  6. Office (visit).
  7. Home (visit).

Solutions

  1. Verify visitors:
    1. Site visits are common.
    2. Assume untrusted before trusted.
    3. Checks and balances:
      1. Involve multiple people if unsure/new/suspicious.
      2. Ensure multiple people are involved in impacting matters.
  2. Patching (install the latest updates):
    1. Patch Windows (home and at work).
    2. Patch Web Browsers (Firefox, Chrome, Edge, etc).
    3. Patch Android phones and tablets (Samsung Galaxy, Pixel, etc).
    4. Patch iPhones and iPads.
  3. Secure online:
    1. Ensure websites are “https://”.
    2. Ensure websites are “real”.
    3. Use a “password manager” and/or your web browser’s built-in password manager.
    4. Verify contact details in emails (including the footer).
    5. Verify the true identity of callers (phone, SMS).
  4. Backup important information:
    1. Keep copies of important data in two physically different locations.
    2. Wherever information is kept, ensure access is restricted.
  5. Keep passwords safe:
    1. Use a password manager.
    2. Don’t share passwords with anyone.
    3. Change passwords regularly.
  6. Set requirements based on risk:
    1. Require additional checks if thresholds are met or exceeded.
  7. 2FA:
    1. If a system allows 2FA, use it.
    2. It’s very effective.
    3. Authentication Apps are the best form.
    4. Email is a less acceptable form.
    5. SMS is the weakest form.
  8. Strong passwords:
    1. Use complex and meaningful passwords.
  9. Unique passwords:
    1. Don’t reuse passwords for different systems/services (social media, email, work).
  10. Incident reporting:
    1. Can be embarrassing.
  11. Protect your email accounts at all costs:
    1. Email is a recovery system.
    2. Email holds sensitive information.
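The “Secure online” checks above (is the site https, is it the “real” site, do the contact details in the email match) can be turned into a simple link triage that a mail filter or an awareness tool can run before a person clicks. The following is an added example, not part of the AGIX training material or any AGIX tooling; the `TRUSTED_DOMAINS` allow-list and the sample links are constructed for illustration, and the checks are heuristics that support a human decision rather than replace it.

```python
"""Heuristic link triage for email links (added example, not from the training page)."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlparse

# Hypothetical allow-list of domains the organisation genuinely uses (assumption).
TRUSTED_DOMAINS = ("agix.com.au", "scamwatch.gov.au")

# Constructed sample links as (visible link text, actual href) pairs.
SAMPLE_LINKS = [
    ("https://www.scamwatch.gov.au/types-of-scams",
     "https://www.scamwatch.gov.au/types-of-scams"),
    ("https://www.agix.com.au/login", "http://agix-com-au.example.net/login"),
    ("Update your account", "https://xn--agx-1ka.example.org/verify"),
    ("Pay invoice now", "http://203.0.113.7/invoice"),
    ("Reset password", "https://agix.com.au.example.com/reset"),
]


def is_trusted(host: str) -> bool:
    """True only if host is a trusted domain or a subdomain of one.

    'agix.com.au.example.com' is NOT trusted: it merely starts with the brand.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_link(text: str, href: str) -> list[str]:
    """Return a list of finding labels for one link; an empty list means no concern."""
    findings: list[str] = []
    url = urlparse(href)
    host = (url.hostname or "").lower()

    # 1. Ensure websites are https://
    if url.scheme != "https":
        findings.append("not-https")

    # 2. A bare IP address instead of a name is unusual for a real business site.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass

    # 3. Punycode labels (xn--) can hide look-alike characters in the name.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")

    # 4. Visible text that looks like a URL but points at a different host.
    shown = text.strip()
    if shown.lower().startswith(("http://", "https://")):
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and shown_host != host:
            findings.append("text-host-mismatch")

    # 5. Brand name present in the host, but the host is not under the real domain.
    if not is_trusted(host):
        for domain in TRUSTED_DOMAINS:
            brand = domain.split(".")[0]
            if brand in host:
                findings.append("lookalike:" + domain)
                break

    return findings


def triage(links: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each href to its findings so suspicious links can be listed for review."""
    return {href: check_link(text, href) for text, href in links}


if __name__ == "__main__":
    for href, findings in triage(SAMPLE_LINKS).items():
        verdict = "OK " if not findings else "REVIEW"
        print(f"{verdict:7} {href}  {', '.join(findings)}")
```

Only the first sample link comes back clean; the others are flagged for the reasons the training lists (not https, a fake site that borrows the real name, a link whose visible text disagrees with where it goes). The domain matching is deliberately strict: a host is trusted only if it is the trusted domain or ends with “.” followed by it, which is exactly the check that catches `agix.com.au.example.com`.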

Example Email

The following two images are real emails received. One is legitimate, while the other is not.

Scam email
Legitimate email

Resources

  • https://www.scamwatch.gov.au/types-of-scams
