By Todd Swartzman
Chief Information Security Officer

As you might imagine, RealTime fields a fair number of questions regarding cybersecurity that range from “How can we be better protected” to “I’m scared that we might be hit like that <insert business name here> was.” As part of answering this real need for our clients, RealTime is now offering an end user training program as part of our Advanced Cybersecurity Services.

 But, if you aren’t a client (yet) or you’d just like to try this on your own, you can train some of the basics of cybersecurity awareness just by spending a little time online, especially Youtube. This is not intended to replace formalized training, or make you an expert. What these videos can do is help you address some of the most likely threats that the average person encounters just because they use the internet and email in the course of doing their job. These tips are excellent for anyone who just wants to reduce their risks online.

TOOLKIT FOR SMALL BUSINESS

The Global Cyber Alliance is soon releasing a toolkit for small business to better educate and protect themselves from the most common threats in an easy to understand format. RealTime has access to this content early (it will be available to the public soon) and will post about that once it becomes publicly available. For now, here is a compilation we have put together that anyone can use to be better informed and help protect from common cyber threats we all get exposed to on a daily basis at work and at home.

SECURITY AWARENESS VIDEOS

Our Chief Information Security Officer, Todd Swartzman, has watched all of the videos below and recommends taking the the four minutes or less each needed to watch the them for your DIY education.

The links are current as of August 24th, 2020.

• Phishing explained with some education, by SANS - https://www.youtube.com/watch?v=sEMrBKmUTPE

•  How to spot a phishing email, report by Fortune Magazine - https://www.youtube.com/watch?v=jfnA7UmlZkE – best tip in this video: If the email looks suspicious, it probably is.

• If you only watch one video, make it this one – An excellent video spotting phishing scams that is well worth the almost 4 minutes of your time. Loaded with realistic examples and tips - https://www.youtube.com/watch?v=0GwWTjz6txU – best tip: Think before you click.

• Office 365 phishing attack types with some examples, this is not a video - https://betanews.com/2019/04/03/office-365-phishing-attacks/ Note that these threats are not unique to  Office 365 email – we’ve seen attempts against all web based email systems. Just more confirmation that if something asks you to confirm credentials or enter your logon info to access an attachment – be wary! It’s better to ask questions before you click than after.

 TODD’S TIP

“The best single tip that I can provide to help you avoid being hooked by phishing: Microsoft, Google, Apple, Verizon, Bank of America, SSA, IRS, and thousands of legitimate, big, public businesses just like them will NEVER, ever, send an email to you asking you to confirm your password.” 

HERE ARE SOME OTHER THREATS WE FEEL EVERYONE SHOULD BE ABLE TO RECOGNIZE:

• Tech support scam, by USAGov - https://www.youtube.com/watch?v=UGBLjPKSUeU – If you have older parents who use email and the internet, please ask them to watch this video! I have helped too many older, and not so older people, who have been scammed in this way, including my own parents more than once.  

•  Tech support scams can start just as easily with a pop up on the computer telling you something bad happenned that you need to call a number… or else something bad will happen.

•  Spot a bad URL or Link, by Symantec - https://www.youtube.com/watch?v=YIeS7sJ_Llw

•  Better passwords, Local CBS news report - https://www.youtube.com/watch?v=oakITDBYElw

• Better password management using a password manager. This post explains LastPass, but all the password manager applications work pretty much the same - https://lifehacker.com/the-beginners-guide-to-setting-up-lastpass-1785424440  One important detail – you want to be sure that whatever application you use has their security act together and stores the passwords properly. 1 Password, 

•  Mobile device security from SANS Security Awareness - https://youtu.be/WEfWFA4xdd4

Hackers stole millions from Wisconsin Republican Party

Original Article By Scott Bauer
October 29, 2020
AP News

PHISHING ATTACK STOLE MONEY; NO DATA.

The Wisconsin Republican Party had a suspected phishing incident that couldn’t have come at a worse time. An estimated $2.3 million was stolen by cybercriminals from the party’s reelection fund after at least one staffer interacted with a phishing email, impacting operations just as the races were coming down to the wire. The FBI and local officials are investigating the incident.

There have been more than 800 attempted phishing attacks for financial gain targeting the Wisconsin Democratic Party this campaign cycle, but none has been successful, said party spokeswoman Courtney Beyer. The Wisconsin Republican Party, however, was not so lucky.

Hackers manipulated invoices from four vendors who were being paid for direct mail for Trump’s reelection efforts as well as for pro-Trump material such as hats to be handed out to supporters. Invoices and other documents were altered so when the party paid them, the money went to the hackers instead of the vendors, Republican Party Chairman Andrew Hitt.

It appears the attack began as a phishing attempt and no data appears to have been stolen, said party spokesman Alec Zimmerman. The party noticed the suspicious activity on Oct. 22 and contacted the FBI on Friday after it was discovered that an invoice was generated that shouldn’t have been there.

The alleged hack was discovered less than two weeks before Election Day, as Trump and Democratic rival Joe Biden made their final push to win Wisconsin and its 10 electoral votes. Trump won the state by fewer than 23,000 votes in 2016 and was planning his third visit in seven days on Friday. Biden also planned to campaign in Wisconsin on Friday. Polls have consistently shown a tight race in the state, usually with Biden ahead by single digits and within the margin of error.

REALTIME CYBER SECURITY SOLUTIONS

The most dangerous attack is used to do everything from steal money to deploy malware; more than just compromising data. Our Chief Information Security Officer, Todd Swartzman, can meet with you personally and do a gap assessment on your business to see where you could use extra protection. Learn more now about our Cyber Defense program…

RealTime IT is located in Dothan, Alabama and services the entire Wiregrass area and across the U.S.

HOW EASILY CAN YOU BE FOOLED BY AN EMAIL?

Credential harvesting websites are dangerous and sneaky!

Phishing emails seem to be getting harder to spot! Recently, several employees received a phishing email from a legitimate sender! The “senders” Office 365 mailbox was breached the same morning this email was sent.

If you hover over the links in the email asking you to “Click Here” or “More Info”, they would lead you to this page (screenshot is pictured). This is a credential harvesting website that has the intention of trying to get you to fill it out… providing your email credentials!

If you (the recipient) opened this link in Chrome, it would warn you that this may be a deceptive site - but you cannot count on that always being the case with these threats.

The link checker built into email protection didn’t see this as a threat because it came from a known user, and web filters and DNS filter didn’t see a problem either. So, this threat bypassed four layers of protection! Scary!

THE HUMAN FIREWALL SAVED THE DAY!

As always, people are the last line of defense for threats like this one! The employee at this company used reasoning and noted the url (see the top that says “Whackinggrowers.com/CD/out/) was not a Microsoft location and was phishing. This person immediately notified our Chief Information Security Officer (CISO) about the email, which was the right thing to do! They saved their business from allowing potential bad actors to steal their information. Humans are the last line of defense for threats like this one! Even though systems are smart and can catch most suspicious emails; our common sense, risk awareness, and responsiveness will ultimately save your company from disaster!

GUEST BLOG POST BY OUR FRIENDS AT PRemployer

HR's Role in Data Security

A common misconception in many businesses seems to be that IT, whether in-house or managed, is the only department responsible for cybersecurity. After all, it ultimately falls on  IT to set the standard when it comes to cybersecurity, from setting policies that other employees throughout the company must follow to tracking and dealing with potential breaches and challenges. 

In reality, however, Human Resources and IT work hand in hand to implement the company’s cybersecurity programs - all while ensuring that each member of the team has the knowledge necessary to help protect the company as a whole. 

Ensuring Confidentiality

Over half of external attempts at infiltrating computer systems aim to uncover private customer or employee information. Hackers want access to that vital data to work their way deeper into your company or to take advantage of private information for their own purposes. In cases like these, HR and IT join forces to ensure confidentiality across the company. 

Setting Expectations

When it comes to data management, HR policy should reflect IT's cybersecurity best practices. When the HR team communicates clear policies in support of IT security measures, they’re much easier to implement company-wide. For example, regulations might include:

• How often the company will make data backups and who is responsible for ensuring that those backups are made each day;

• How often employees will change passwords and specific password regulations;

• Encouraging and implementing regular employee training so that employees know how to maintain security across the organization;

• Establishing which devices can connect to the company network; and

• Creating an expectation of how to respond in the event that an employee notices a potential breach or comes into contact with a phishing scam directed at the company.

Balancing Access and Security

Each individual and department within the company may have different information they need to be able to access. Some employees need full access to as much information as possible, while others may need relatively limited access. 

For example, the sales team might not need to have access to the same data as the team responsible for implementing contracts or checking compliance. Likewise, the average employee does not need to have access to other employees' records. 

Both HR and IT departments should work together to determine what information needs to be kept secure and who should have access to it. Ideally, your company should segment its access so that employees who do not need to access private or confidential information cannot simply pull that information up. This helps to ensure that if one employee's account is compromised, much of the data throughout your company will still remain protected.  

Conduct Training

Your employees are your most effective defense against many cybersecurity threats, especially phishing campaigns. By partnering with IT to identify cybersecurity best practices, the HR team can then train employees to provide a vital level of protection throughout the company. 

Anti-spearphishing training, for example, can provide employees with the information they need to recognize phone calls and emails from a hacker determined to piece together enough information to threaten the company. When they know how to recognize a scam, employees can help protect your company. 

Beyond training, HR helps to implement security awareness throughout the company by actively promoting IT best practices to employees. Cybersecurity should not be a one-time event for your company. Instead, it needs to be an ongoing campaign dedicated to keeping your company as secure as possible.

When HR and IT work together, you can set the tone throughout your business and provide employees with the security-minded tools and training they need to help decrease cybersecurity threats.

Be vigilant when it comes to emails that you receive that are notifying you that your subscription will be cancelled, or your payment information needs confirmed or updated, or that your account needs verified – these are a few examples of common ploys to trick you into giving up personal information, credentials, or even credit card info.

Here is what the phishing email contains “Important: Cancellation of your Netflix subscription” as its subject line, the email stated that Netflix had failed to successfully process the recipient’s last membership payment. At that point, those responsible for creating the spam email made the following threat: “If you do not update your information within 72 hours we will limit what you can do with your account.” The email then directed the recipient to click on an embedded button called “My Account” so that they could continue to enjoy their Netflix membership.

 As always, when presented with emails like this, do not click on any of the links contained within the email. If you received such a message and you were concerned that it might be legit, instead of using their suspect links, just open a web browser and logon to your Netflix account that way – if payment info isn’t correct, you’ll be notified by the webpage.

If you are concerned with the risks that these phishing threats bring to your business and you’d like to do more to protect your business and employees, give RealTime a call.

 Full writeup by our email security partner Zix: https://zix.com/resources/blog/august-2020/fraudsters-abusing-legitimate-services-phish-netflix-users-credentials