AGIX Discussion Cyber-Security

Cybersecurity Staff Training Session – Part 2

Welcome to the second part of the AGIX Cybersecurity training course. This course is focused on staff related matters. Organisationsare under constant attack. Some attacks are “testing the water” while others are organized, local and effective.

Organisations are constantly defending against cyber-threats.

Targets

  1. All organisations are targets:
    1. Online businesses.
    2. Physical businesses.
    3. Small businesses.
    4. Large businesses.
    5. Not-for-profit.
    6. Government.
    7. Defense.

Objectives of criminals

  1. Financial gain.
  2. Disruption.
  3. Intellectual property theft.
  4. Ransoms.
  5. Embarrassment.

Methods

  1. Phishing emails and phone calls:
    1. Sometimes forged phone numbers.
    2. Sometimes real phone numbers.
  2. Invoice payment redirections:
    1. Forged emails sent to clients with new/fraudulent bank details.
  3. Fake websites:
    1. Story about website cloning combined with phishing emails.
    2. Access to email and social media.
  4. USB disks:
    1. Story about “stuxnet”.
    2. Left around storage devices.
  5. Hacker tools – Anyone can use them with some Youtube guidance:
    1. Youtube has thousands (or more) video demonstrations providing guidance for hacking.
    2. Tools are freely available and downloadable to everyone.
    3. Ready-to-use Ransomware tools are available for purchase around the $US10 mark.

Exposure points

  1. Email.
  2. SMS.
  3. Social media.
  4. Phone.
  5. Mail (post).
  6. Office (visit).
  7. Home (visit).

Solutions

  1. Policies:
    1. Ensure a suitable and regularly update policy set exists.
    2. Staff should read and agree to the policies.
    3. Policies should reflect best practices, but customized to the organisations.
  2. Working on documents:
    1. Ensure documents are stored where they’re backed up. Usually a network drive.
    2. Ensure documents don’t run Macros unless you a confident they’re trustworthy. If not sure, ask.
  3. Workstation good practices:
    1. Lock your computer when you leave your chair. (Windows + L).
    2. Don’t leave laptops in cars or similar locations.
    3. Don’t plugin USB disks that you don’t trust.
    4. Report any strange USB devices attached to your computer.
  4. Verify visitors:
    1. Site visits are common.
    2. Assume entrusted before trusted.
    3. Checks and balances:
      1. Involve multiple people if unsure/new/suspicious.
      2. Ensure multiple people are involved in impacting matters.
  5. Secure physical environments:
    1. Locked doors.
    2. Fences.
    3. Security cameras.
    4. Guard dogs.
    5. Security guards.
    6. Neighbors / Workmates.
  6. Secure IT environment:
    1. Ensure that firewalls:
      1. Block untrusted countries and regions.
      2. Block inappropriate websites (by domain or content).
    2. Secure WIFI networks.
    3. Secure Remote Access systems (VPNs and Remote Desktop).
    4. Monitor for rogue devices.
    5. Ensure staff devices:
      1. Are encrypt (laptops, desktops, phones and tablets).
      2. Automatically lock after a short period of non-use.
      3. Are backed up regularly or in real-time.
  7. USB disks:
    1. Antivirus should/does scan newly attached storage devices.
    2. Disks are/should be encrypted when written to, to prevent unauthorized access if lost or stolen.
  8. Public WIFI:
    1. It should not be used. Essentially allowing un-trusted computers to communicate.
  9. Home and Office WIFI:
    1. Hacker tools are plentiful and can result in your WIFI credentials being stolen.  If those credentials match the domain credentials, the hacker has your access.
    2. Rogue access points (WIFI networks that look like yours/legitimate) allow hackers to steal credentials.
  10. Procedures need to be followed:
    1. Finance related departments have high risks of scams and fraudulent requests.
    2. Generally, policies are designed to protect the business, staff and shareholders.
  11. Secure online:
    1. Ensure websites are “https://”.
    2. Ensure websites are “real”.
    3. Use a “password manager” and/or your web browsers built-in password manager.
  12. Set requirements based on risk:
    1. Require additional checks if thresholds are met or exceeded.
  13. 2FA:
    1. If a system allows 2FA, use it.
    2. It’s very effective.
    3. Authentication Apps are the best form.
    4. Email is a less acceptable form.
    5. SMS is the weakest form.
  14. Strong passwords:
    1. Use complex and meaningful passwords.
  15. Unique passwords:
    1. Don’t reuse passwords for different systems/services (social media, email, work).
  16. Incident reporting:
    1. Can be embarrassing.
  17. Protect your email accounts at all costs:
    1. Email is a recovery system.
    2. Email holds sensitive information.

Example Email

The following two images are real emails received. One is a legitimate, while the other is now.

Scam email
Scam email
Legitimate email

Resources

  • https://www.fireeye.com/cyber-map/threat-map.html
  • https://haveibeenpwned.com/

 

Leave a Reply

Your email address will not be published. Required fields are marked *