[BreachExchange] How to limit risks from phishing threats

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 8 15:17:30 EDT 2016


http://www.nhbr.com/April-29-2016/How-to-limit-risks-from-phishing-threats/

Email phishing and spear phishing are quickly becoming more sophisticated,
and more targeted, than ever before. It is critical that you understand
these threats to your network. Awareness of key threats will enable you to
employ practices and behaviors that limit your risks.

Email phishing is the attempt to acquire sensitive information such as
usernames, passwords and credit card details (and sometimes, indirectly,
money), often for malicious reasons, by masquerading as a trustworthy
entity in an electronic communication.

Email spear phishing is similar, but the difference is that the attack is
targeted toward a specific key person or group. Spear phishers thrive on
familiarity. They typically already know your name, email and other
information, which is easily gathered from social media.

The Sony, Anthem and Target breaches all began with a phishing scam. Once a
malicious link is clicked, cybercriminals use techniques such as silently
downloading malware onto your system, placing keyloggers on your PC to
capture keystrokes, or deploying ransomware that encrypts your data and
demands payment to get it back.

Awareness training

Unfortunately, even the best security technology in the world can't help
you unless employees understand their roles and responsibilities in
safeguarding sensitive data and protecting company resources.

If you are already patching applications, keeping anti-virus software up to
date, and monitoring and preventing access to malicious websites, then you
are already screening out the majority of malicious attacks. But
cybercriminals are always developing new tactics, and some will still get
through to your inbox. Therefore, the end-user/employee is the last, and
most important, layer of defense against phishing attempts.

That is why employee awareness training is so important. This involves
putting practices and policies in place that promote security, and
training employees to identify and avoid risks.

Tips for prevention

Here are some tips for avoiding malware, provided by the Federal Trade
Commission:

 • Keep your security software updated. At a minimum, your computer should
have anti-virus and anti-spyware software, and a firewall. Set your
security software, internet browser, and operating system to update
automatically.

 • Instead of clicking on a link in an email, type the URL of the site you
want directly into your browser. Criminals send emails that appear to be
from companies you know and trust. The links may look legitimate, but
clicking on them could download malware or send you to a spoof site
designed to steal your personal information.

 • Don't open attachments in emails unless you know who sent them and what
they are. Opening attachments — even in emails that seem to be from friends
or family — can install malware on your computer.

 • Download and install software only from websites you know and trust.
Downloading free games, file-sharing programs and customized toolbars may
sound appealing, but free software can come with malware.

 • Minimize "drive-by" downloads. Make sure your browser security setting
is high enough to detect unauthorized downloads. For Internet Explorer, for
example, use the "medium" setting at a minimum.

 • Use a pop-up blocker and don't click on any links within pop-ups. If you
do, you may install malware on your computer. Close pop-up windows by
clicking on the "X" in the title bar.

 • Resist buying software in response to unexpected pop-up messages or
emails, especially ads that claim to have scanned your computer and
detected malware. That's a tactic scammers use to spread malware.

 • Talk about safe computing. Tell your kids that some online actions can
put the computer at risk: clicking on pop-ups, downloading "free" games or
programs, opening chain emails, or posting personal information.

 • Back up your data regularly. Whether it's text files or photos that are
important to you, back up any data that you'd want to keep in case your
computer crashes.

Creating awareness with your employees is a critical element of security.
They need to understand the value of protecting customer and colleague
information and their role in keeping it safe. They also need to know the
basics about how to make good judgments online.

Most importantly, they need to know the policies and practices you expect
them to follow in the workplace regarding Internet safety.