Tips from Virsage: Social Engineering - April 2018
Posted by Andrea Montgomery on 12 April 2018 10:03 AM

Social Engineering

A common misconception most people have about cyber attackers is that they use only highly advanced tools and techniques to hack into people’s computers or accounts. This is simply not true. Cyber attackers have learned that often the easiest way to steal your information, hack your accounts, or infect your systems is by simply tricking you into making a mistake. In this newsletter, you will learn how these attacks, called social engineering, work and what you can do to protect yourself.

What Is Social Engineering?

Social engineering is a psychological attack where an attacker tricks you into doing something you should not do. The concept of social engineering is not new; it has existed for thousands of years. Think of scammers or con artists; it is the very same idea. What makes today’s technology so much more effective for cyber attackers is that you cannot physically see them; they can easily pretend to be anything or anyone they want and target millions of people around the world, including you. In addition, social engineering attacks can bypass many security technologies. The simplest way to understand how these attacks work and protect yourself from them is to take a look at two real-world examples.

You receive a phone call from someone claiming to be from a computer support company, your ISP, or Microsoft Tech Support. The caller explains that your computer is actively scanning the Internet. They believe it is infected and have been tasked with helping you secure your computer. They then use a variety of technical terms and take you through confusing steps to convince you that your computer is infected. For example, they may ask you to check if you have certain files on your computer and walk you through how to find them. When you locate these files, the caller assures you that these files prove that your computer is infected, when in reality they are common system files found on almost every computer in the world. Once they have tricked you into believing your computer is infected, they pressure you into buying their security software or giving them remote access to your computer so they can fix it. However, the software they are selling is actually a malicious program. If you purchase and install it, not only have they fooled you into infecting your computer, but you just paid them to do it. If you give them remote access to your computer, they are going to take it over, steal your data, or use it to do their bidding.

Common sense is your most powerful defense in identifying and stopping most social engineering attacks.

Another example is an email attack called CEO Fraud, which most often happens at work. This is when a cyber attacker researches your organization online and identifies the name of your boss or coworker. The attacker then crafts an email pretending to be from that person and sends the email to you. The email urgently asks you to take an action, such as conducting a wire transfer or emailing sensitive employee information. Quite often, these emails pretend there is an emergency that urgently requires you to bypass standard security procedures. For example, they may ask you to send the highly sensitive information to a personal @gmail.com account. What makes targeted attacks like these so dangerous is the cyber attackers do their research beforehand. In addition, security technologies like anti-virus or firewalls cannot detect or stop these attacks because there is no malware or malicious links involved.

Keep in mind, social engineering attacks like these are not limited to phone calls or email; they can happen in any form, including text messages on your phone, over social media, or even in person. The key is to know what to look out for--you are your own best defense.

Detecting/Stopping Social Engineering Attacks

Fortunately, stopping such attacks is simpler than you may think: common sense is your best defense. If something seems suspicious or does not feel right, it may be an attack. The most common clues of a social engineering attack include:

  • Someone creating a tremendous sense of urgency. They are attempting to fool you into making a mistake.
  • Someone asking for information they should not have access to or should already know, such as your account numbers.
  • Someone asking for your password. No legitimate organization will ever ask you for that.
  • Someone pressuring you to bypass or ignore security processes or procedures you are expected to follow at work.
  • Something too good to be true. For example, you are notified you won the lottery or an iPad, even though you never even entered the lottery.
  • You receive an odd email from a friend or coworker containing wording that does not sound like it is really them. A cyber attacker may have hacked into their account and is attempting to trick you. To protect yourself, verify such requests by reaching out to your friend using a different communications method, such as in person or over the phone.
  • If you suspect someone is trying to trick or fool you, do not communicate with the person anymore. If the attack is work related, be sure to report it to your help desk or information security team right away. Remember, common sense is often your best defense.

https://www.sans.org/security-awareness-training/ouch-newsletter/2017/social-engineering

Tips from Virsage: Securely Using Mobile Apps - March 2018
Posted by Andrea Montgomery on 10 April 2018 09:43 AM

Securely Using Mobile Apps

Overview

Mobile devices, such as tablets, smartphones, and watches, have become one of the primary technologies we use in both our personal and professional lives. What makes mobile devices so versatile are the millions of apps we can choose from. These apps enable us to be more productive, instantly communicate and share with others, train and educate, or just have more fun. However, with the power of all these mobile apps come risks. Here are some steps you can take to securely use and make the most of your mobile apps.

Guest Editor

Joshua Wright is the technical director at Counter Hack and a senior instructor with the SANS Institute. He is the author of SEC575: Mobile Device Security and Ethical Hacking and Hacking Exposed: Wireless. Reach Josh on Twitter @joswr1ght.

Obtaining Mobile Apps

The first step is making sure you always download mobile apps from a safe, trusted source. Cyber criminals have mastered their skills at creating and distributing infected mobile apps that appear to be legitimate. If you install one of these infected apps, criminals can take complete control of your mobile device. By downloading apps from only well-known, trusted sources, you reduce the chance of installing an infected app. What you may not realize is the brand of mobile device you use determines your options for downloading apps.

For Apple devices, such as an iPad or iPhone, only download mobile apps from the Apple App Store. The advantage to this is Apple does a security check of all mobile apps before they are made available. While Apple cannot catch all the infected mobile apps, this managed environment helps to dramatically reduce the risk of installing an infected app. In addition, if Apple does find an app in its store that it believes is infected, it will quickly remove the mobile app. Windows Phone uses a similar approach to managing applications. 

Android mobile devices are different. Android gives you more flexibility, letting you download a mobile app from anywhere on the internet. However, with this flexibility comes more responsibility. You have to be more careful about which mobile apps you download and install, as not all of them are reviewed. Google does maintain a managed mobile app store similar to Apple’s, called Google Play. The mobile apps you download from Google Play have passed some basic security checks. As such, we recommend you download your mobile apps for Android devices only from Google Play. Avoid downloading Android mobile apps from other websites, as anyone--including cyber criminals--can easily create and distribute malicious mobile apps and trick you into infecting your mobile device. As an additional protection, install anti-virus on your mobile device when possible.

Regardless of which device you are using, an additional step you can take is to avoid apps that are brand new, that few people have downloaded, or that have very few positive comments. The longer an app has been available, the more people that have used it, and the more positive comments it has, the more likely that app can be trusted. In addition, install only the apps you need and use. Ask yourself, do I really need this app? Not only does each app potentially bring new vulnerabilities, but also new privacy issues. If you stop using an app, remove it from your mobile device. (You can always add it back later if you find you need it.) Finally, never jailbreak or root your mobile device. This is the process of hacking into it and installing unapproved apps or changing existing, built-in functionality. This not only bypasses or eliminates many of the security controls built into your mobile device, but often also voids warranties and support contracts.

Permissions

Once you have installed a mobile app from a trusted source, make sure it is safely configured and protecting your privacy. Always think before allowing a mobile app access: do you want to grant the app the permission it asks for, and does the app really need it? For example, some apps use geo-location services. If you allow an app to always know your location, you may be allowing the creator of that app to track your movements, even allowing the app author to sell that information to others. If you do not wish to grant the permissions, deny the permission request or shop around for another app that meets your requirements. Remember, you have lots of choices out there.

Updating Apps

Mobile apps, just like your computer and mobile device operating system, must be updated to stay current. Criminals are constantly searching for and finding weaknesses in apps. They then develop attacks to exploit these weaknesses. The developers that created your app also create and release updates to fix these weaknesses and protect your devices. The more often you check for and install updates, the better. Most devices allow you to configure your system to update mobile apps automatically. We recommend this setting. If this is not possible, then we recommend you check at least every two weeks for updates to your mobile apps. Finally, when your apps are updated, always make sure you verify any new permissions they might require.

Subscribe To OUCH!

Receive OUCH! monthly in your email inbox. Join the community and subscribe to the OUCH! security awareness newsletter at https://securingthehuman.sans.org/ouch.

Resources

Social Engineering: https://securingthehuman.sans.org/ouch/2017#january2017

Disposing Your Mobile Device: https://securingthehuman.sans.org/ouch/2016#december2016

Securing Your New Tablet: https://securingthehuman.sans.org/ouch/2016#january2016

OUCH Archives & Translations: https://securingthehuman.sans.org/ouch/archives

Mobile Device Security Course: https://sans.org/sec575

License

OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 4.0 license. You are free to share or distribute this newsletter as long as you do not sell or modify it. For past editions or translated versions, visit securingthehuman.sans.org/ouch/archives. Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Bob Rudis, Cheryl Conley

Find this article online at:  https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201703_en.pdf

Tips from Virsage: Gaming Online Safely & Securely - February 2018
Posted by Andrea Montgomery on 19 February 2018 11:33 AM

Gaming Online Safely & Securely

Overview

Online gaming is a great way to have fun; however, it also comes with its own set of unique risks. In this newsletter, we cover what you and your family can do to protect yourselves when gaming online.

Securing Yourself

What makes online gaming so fun is that you can play and communicate with others from anywhere in the world.  Quite often you may not even know the people you are playing with.  While the vast majority of people online are out to have fun just like you, there are those who want to cause harm.  Here are some steps you should take to stay secure:

    • Be cautious of any messages that ask you to take an action, such as clicking on a link or downloading a file. Just like email phishing attacks, bad guys will attempt to fool or trick you in online games into taking actions that can infect your computer or steal your identity. If a message seems off, urgent, or too good to be true, be suspicious that it may be an attack.
    • Many online games have their own financial markets where you can trade, barter, or even buy virtual goods. Just like in the real world, there are fraudsters in these games. Make sure you download any add-ons from trusted locations. In addition, if any add-on requires you to disable your anti-virus or make changes to your security settings, do not use it.
    • Underground markets have sprung up to support cheating activity. Besides being unethical, many cheating programs are themselves malware that will infect your computer. Never install or use any type of cheating software or websites.
    • Check the website of whatever online gaming software you are using. Many gaming sites have a section on how to secure yourself and your system.
    • Finally, always be just as careful playing games on your mobile devices as you would your computer. Cyber attackers are beginning to target mobile devices.

Guest Editor

Steve Armstrong is the founder of Logically Secure, a certified SANS instructor, and the architect of CyberCPR, an Incident Management Platform. He is active on Twitter as @Nebulator and works with many big gaming companies around the world, fulfilling his childhood and professional dreams.


For Parents or Guardians

Children require extra protection and education when gaming online. Education and an open dialogue with your kids are two of the most effective steps you can take to protect them. One of our favorite tricks to get kids talking is to ask them to show you how their games work; have them walk you through their online world and show you what a typical game looks like. Perhaps you can even play the game with them. In addition, have them describe the different people they meet online. Quite often, online gaming can be a big part of your child’s social life. By talking to them (and having them talking to you), you can spot a problem and protect them far more effectively than any technology. Some additional steps include:

  • Know what games they are playing and make sure you feel the games are age appropriate for your child.
  • Limit the amount of information your kids share online. For example, they should never share their password, age, phone number, or home address.
  • Consider having their gaming computer in an open area where you can keep an eye on them. In addition, younger children should not game in their rooms or late at night.
  • Bullying, foul language or other antisocial behaviors can be a problem. Keep an eye on your kids. If they seem upset after playing a game, they could have been bullied online. If they are bullied online, have them stop playing the game and play in more kid-friendly environments, or have them play online games with only trusted friends.
  • Learn if your child’s games support in-app purchases and what sorts of parental overrides they provide.

2017 Security Awareness Report

It’s here! Get your copy of the 2017 SANS Security Awareness report, It’s Time to Communicate. It’s jam-packed with data on security awareness, giving you tips and tricks to keep you safe. Download your free copy: https://securingthehuman.sans.org/resources/security-awareness-report-2017 


Resources

Securing Your Home Network: https://securingthehuman.sans.org/ouch/2016#february2016

Social Engineering: https://securingthehuman.sans.org/ouch/2017#january2017

Passphrases: https://securingthehuman.sans.org/ouch/2017#april2017

Password Manager: https://securingthehuman.sans.org/ouch/2015#october2015

Two-step Verification: https://securingthehuman.sans.org/ouch/2015#september2015

License

OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 4.0 license. You are free to share or distribute this newsletter as long as you do not sell or modify it. For past editions or translated versions, visit securingthehuman.sans.org/ouch/archives. Editorial Board: Walt Scrivens, Phil Hoffman, Cathy Click, Cheryl Conley

Find this article online at: https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201707_en.pdf

Contacting Virsage:

View/Submit Tickets Online, Find Answers Online

Register at support.virsage.com so that you can submit tickets, view/update your existing tickets, and search the knowledge base.   

  • Rate our service and subscribe to the newsletter to get updates from Virsage Support.

Posted by Andrea Montgomery on 13 December 2017 01:02 PM

Passphrases

Background

Passwords are something you use almost every day, from accessing your email or banking online to purchasing goods or accessing your smartphone. However, passwords are also one of your weakest points; if someone learns or guesses your password they can access your accounts as you, allowing them to transfer your money, read your emails, or steal your identity. That is why strong passwords are essential to protecting yourself. However, passwords have typically been confusing, hard to remember, and difficult to type. In this newsletter, you will learn how to create strong passwords, called passphrases, that are easy for you to remember and simple to type.

Guest Editor

My-Ngoc Nguyen (pronounced Me-Nop Wynn) is a Certified SANS instructor and CEO/Principal Consultant for Secured IT Solutions. She brings expertise with top certifications and 14+ years of developing, maturing, and managing cyber security programs for various industries and sectors. Follow her on Twitter @MenopN and on LinkedIn at My-Ngoc “Menop” Nguyen.

Passphrases

The challenge we all face is that cyber attackers have developed sophisticated and effective methods to brute force (automated guessing) passwords. This means bad guys can compromise your passwords if they are weak or easy to guess. An important step to protecting yourself is to use strong passwords. Typically, this is done by creating complex passwords; however, these can be hard to remember, confusing, and difficult to type. Instead, we recommend you use passphrases--a series of random words or a sentence. The more characters your passphrase has, the stronger it is. The advantage is these are much easier to remember and type, but still hard for cyber attackers to hack. Here are two different examples:

Sustain-Easily-Imprison

Time for tea at 1:23

What makes these passphrases so strong is not only are they long, but they use capital letters and symbols. (Remember, spaces and punctuation are symbols.) At the same time, these passphrases are also easy to remember and type. You can make your passphrase even stronger if you want to by replacing letters with numbers or symbols, such as replacing the letter ‘a’ with the ‘@’ symbol or the letter ‘o’ with the number zero. If a website or program limits the number of characters you can use in a password, use the maximum number of characters allowed.
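To make the "more characters means stronger" point concrete, here is an added example (not part of the newsletter) that estimates the guessing work behind the two passphrases above under two attacker models, a character-by-character brute force and a word-list attack that knows a passphrase is built from dictionary words, and that flags passwords that are only a well-known weak password with the letter swaps suggested above. The 7776-word dictionary size, the weak-password list and the substitution table are assumptions constructed for the example.

```python
"""Added example: estimate guessing work for passphrases and spot disguised weak
passwords. Not newsletter code; the word-list size, weak-password list and
substitution table are constructed assumptions."""
import math
import string

# Constructed stand-in for a real breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# The letter swaps the newsletter mentions ('a' -> '@', 'o' -> '0') plus two common
# ones. Password-cracking tools apply exactly these rules, so undoing them reveals
# whether a "complex" password is just a well-known word in disguise.
UNDO_SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e"})

# Spaces and punctuation both count as symbols, as the newsletter notes.
SYMBOLS = set(string.punctuation) | {" "}

# Assumed word-list size for the word-level attacker model (the Diceware list has 7776).
WORD_LIST_SIZE = 7776


def charset_size(secret: str) -> int:
    """Alphabet an attacker must cover if they try every string over the classes present."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c in SYMBOLS for c in secret):
        size += len(SYMBOLS)
    return size


def brute_force_bits(secret: str) -> float:
    """log2 of the search space for a blind character-by-character brute force."""
    size = charset_size(secret)
    return len(secret) * math.log2(size) if size else 0.0


def wordlist_bits(secret: str, dictionary_size: int = WORD_LIST_SIZE) -> float:
    """log2 of the search space for an attacker who knows the passphrase is made of
    dictionary words separated by spaces or hyphens. Each word costs log2(dictionary)
    guesses; tokens that are not plain words (like '1:23') fall back to brute force."""
    bits = 0.0
    for token in secret.replace("-", " ").split():
        if token.isalpha():
            bits += math.log2(dictionary_size)
        else:
            bits += brute_force_bits(token)
    return bits


def is_disguised_common_password(secret: str) -> bool:
    """True when undoing letter swaps and trimming symbols leaves a well-known password."""
    core = secret.translate(UNDO_SUBSTITUTIONS).lower().strip(string.punctuation + " ")
    return core in COMMON_PASSWORDS


def assess(secret: str) -> dict:
    """Report both estimates; the lower one is what a capable attacker actually faces.
    About 39 bits (three random words) is out of reach for online guessing, which is
    rate limited, but within reach of offline cracking of a stolen password hash, so
    more words or characters is better."""
    return {
        "length": len(secret),
        "charset": charset_size(secret),
        "brute_force_bits": round(brute_force_bits(secret), 1),
        "wordlist_bits": round(wordlist_bits(secret), 1),
        "disguised_common": is_disguised_common_password(secret),
    }


if __name__ == "__main__":
    # The newsletter's two examples plus a constructed "complex" password.
    for candidate in ("Sustain-Easily-Imprison", "Time for tea at 1:23", "P@ssw0rd!"):
        print(f"{candidate!r}: {assess(candidate)}")
```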

Using Passphrases Securely

You must also be careful how you use passphrases. Using a passphrase won’t help if bad guys can easily steal or copy it:

  1. Use a different passphrase for every account or device you have. For example, never use the same passphrase for your work or bank account that you use for your personal accounts, such as Facebook, YouTube, or Twitter. This way, if one of your accounts is hacked, your other accounts are still safe. If you have too many passphrases to remember (which is very common), consider using a password manager. This is a special program that securely stores all your passphrases for you. That way, the only passphrases you need to remember are the ones to your computer or device and the password manager program.
  2. Never share a passphrase or your strategy for creating them with anyone else, including coworkers or your supervisor. Remember, a passphrase is a secret; if anyone else knows your passphrase it is no longer secure. If you accidentally share a passphrase with someone else, or believe your passphrase may have been compromised or stolen, change it immediately. The only exception is if you want to share your key personal passphrases with a highly trusted family member in case of an emergency. One approach is to write down your key personal passphrases (make sure they are not work related), store them in a secure location, and share that location with a highly trusted family member. That way, if something happens to you and you need help, your loved ones can access your critical accounts.
  3. Do not use public computers, such as those at hotels or Internet cafes, to log in to your accounts. Since anyone can use these computers, they may be infected and capture all your keystrokes. Only log in to your accounts on trusted computers or mobile devices.
  4. Be careful of websites that require you to answer personal questions. These questions are used if you forget your passphrase and need to reset it. The problem is the answers to these questions can often be found on the Internet, or even on your Facebook page. Make sure that if you answer personal questions you use only information that is not publicly available or fictitious information you have made up. Can’t remember all those answers to your security questions? Select a theme like a movie character and base your answers on that character. Another option is, once again, to use a password manager. Most of them also allow you to securely store this additional information.
  5. Many online accounts offer something called two-factor authentication, also known as two-step verification. This is where you need more than just your passphrase to log in, such as a passcode sent to your smartphone. This option is much more secure than just a passphrase by itself. Whenever possible, always enable and use these stronger methods of authentication.
  6. Mobile devices often require a PIN to protect access to them. Remember that a PIN is nothing more than another password. The longer your PIN is, the more secure it is. Many mobile devices allow you to change your PIN to an actual passphrase or use a biometric, such as your fingerprint.
  7. If you are no longer using an account, be sure to close, delete, or disable it.

Subscribe to OUCH!

Receive OUCH! monthly in your email inbox. Join the community and subscribe to the OUCH! security awareness newsletter at https://securingthehuman.sans.org/ouch.

Resources

Password Manager: https://securingthehuman.sans.org/ouch/2015#october2015

Two Step Verification: https://securingthehuman.sans.org/ouch/2015#september2015

Lock Down Your Login: https://lockdownyourlogin.com

SANS SEC301 - Five day course on cyber security basics: https://sans.org/sec301

License 

OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 4.0 license. You are free to share or distribute this newsletter as long as you do not sell or modify it. For past editions or translated versions, visit securingthehuman.sans.org/ouch/archives. Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Cathy Click, Cheryl Conley

Find this article online at:  https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201704_en.pdf

Tips from Virsage: Shopping Online Securely - November 2017
Posted by Andrea Montgomery on 15 November 2017 10:31 AM

Shopping Online Securely

‘Tis the Season to Be Cautious

The holiday season is close upon us and soon millions of people around the world will be looking to buy the perfect gifts. Many of us will choose to shop online in search of a great deal and avoid long lines and impatient crowds. Unfortunately, this is also a criminal’s favorite time of the year to commit online or financial fraud. This month, we explain the dangers of shopping online and ways you can protect yourself.

Guest Editor

Jonathan Homer (@JonathanLHomer) is a recognized leader in the Cyber Security Awareness industry and is active within both the government and private sectors. Jon specializes in audience engagement and leading edge training techniques.

Fake Online Stores

While most online stores are legitimate, some are not; they are fake websites set up by criminals. Criminals create these fake websites by copying the look of or using the name of well-known stores. They then use these websites to prey on people who are looking for the best deal possible. When you search online for the absolute lowest prices, you may be directed to one of these fake websites.

When selecting a website to purchase a product, be wary of websites advertising prices dramatically cheaper than anywhere else or offering products that are sold out nationwide. The reason their products are so cheap or available is that what you receive is not legitimate: it is a counterfeit or stolen item or, in some cases, you never receive anything at all. Protect yourself by doing the following:

  • Verify the website has a legitimate mailing address and a phone number for sales or support. If the site looks suspicious, call and speak to a human.
  • Look for obvious warning signs like poor grammar and spelling.
  • Be very suspicious if a website appears to be an exact replica of a well-known website you have used in the past, but the website domain name or the name of the store is slightly different. For example, you may be used to going to the website https://www.amazon.com for all of your Amazon shopping. But be very suspicious if you were to find yourself at a website pretending to be Amazon with the URL http://www.store-amazon.com.
  • Type the store’s name or URL into a search engine and see what other people have said about the website in the past. Look for terms like “scam,” “never again” or “fake.” A lack of reviews is also not a good sign, as it indicates that the website is very new. Remember, just because the site looks professional does not mean it is legitimate. If something about the site sets off warning bells, take time to investigate. If you aren’t comfortable with the website, don’t use it. Instead, find a well-known website you can trust or have safely used in the past. You may not find quite as great a deal or find that hot ticket item, but you are much more likely to end up with a legitimate product and a clean credit report.
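As an added illustration of the domain-name warning above (example code, not from the newsletter), the check below pulls the registrable domain out of a store URL and warns when a known brand name appears in the host but the registrable domain is not the brand's own, as with http://www.store-amazon.com, and when the page is not served over HTTPS. The brand table, the two-label domain rule and the digit-for-letter table are constructed assumptions; real code would use the public suffix list.

```python
"""Added example: flag store URLs whose host name borrows a known brand but whose
registrable domain is not the brand's own, plus plain-HTTP pages. Not newsletter code;
the brand table, the two-label domain rule and the confusable-digit table are
constructed assumptions (production code should use the public suffix list)."""
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> the registrable domain the brand really uses.
KNOWN_BRANDS = {"amazon": "amazon.com", "paypal": "paypal.com"}

# Digits that get swapped in for look-alike letters (amaz0n, paypa1).
CONFUSABLE_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' rule: www.store-amazon.com -> store-amazon.com.
    Assumption for this example; co.uk-style suffixes need the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_store_url(url: str) -> list:
    """Return a list of warnings; an empty list means nothing suspicious was found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host name in URL"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not served over HTTPS")
    actual = registrable_domain(host)
    lookalike = host.translate(CONFUSABLE_DIGITS)
    for brand, real_domain in KNOWN_BRANDS.items():
        # Brand name anywhere in the host (subdomain, hyphenated label, digit swap)
        # while the part that is actually registered is somebody else's domain.
        if brand in lookalike and actual != real_domain:
            warnings.append(
                f"looks like {brand} but the registered domain is {actual}, not {real_domain}"
            )
    return warnings


if __name__ == "__main__":
    # The newsletter's pair of URLs plus two constructed variants of the same trick.
    for url in ("https://www.amazon.com", "http://www.store-amazon.com",
                "https://www.amazon.com.checkout-deals.example", "https://amaz0n.com"):
        print(url, "->", check_store_url(url) or "OK")
```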

Your Computer/Mobile Device

In addition to shopping at legitimate websites, you want to ensure your computer or mobile device is secure. Cyber criminals will try to infect your devices so they can harvest your bank accounts, credit card information and passwords. Take the following steps to keep your devices secured:

  • If you have children in your house, consider having two devices: one for your kids and one for the adults. Kids are curious and interactive with technology. As a result, they are more likely to infect their own device. By using a separate computer or tablet just for online transactions, such as online banking and shopping, you reduce the chance of becoming infected. If separate devices are not an option, then have separate accounts on the shared computer and ensure your kids do not have administrative privileges.
  • Only connect to wireless networks you manage, such as your home network, or networks you know you can trust when making financial transactions. Using public Wi-Fi networks, such as at your local coffee shop, may be great for reading the news, but not for accessing your bank account. Securely
  • Always install the latest updates and run up-to-date anti-virus software. This makes it much harder for a cybercriminal to infect your device.

Your Credit Card

Keep an eye on your credit card statements to identify suspicious charges. You should review your statements regularly, at a minimum at least once per month. Some credit card providers give you the option of notifying you by email or text messages every time a charge is made to your card or when charges exceed a set amount. Another option is to have one credit card just for online purchases. That way, if it is compromised, you can easily change the card without impacting any of your other payment activities. If you believe fraud has been committed, call your credit card company right away and explain the situation. This is also why credit cards are better for online purchases than debit cards. Debit cards take money directly from your bank account, and if fraud has been committed, it can be far more difficult to get your money back.

Finally, there is new technology that enables you to pay without exposing your credit card number. Consider credit cards that generate a unique card number for every online purchase, or use well-known payment services, such as PayPal, which do not require you to disclose your credit card number to the vendor.

License

OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 4.0 license. You are free to share or distribute this newsletter as long as you do not sell or modify it. For past editions or translated versions, visit https://www.securingthehuman.org/ouch/archives. Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Bob Rudis

Find this article online:  https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201511_en.pdf
