Tag: Social Engineering

Categories
Casserly Consulting Blog

5 Security Analogies to Help You Better Understand Hacking

digital_house_400.jpg

How often do you read a blog article about network security only to be blown away by all of the overly complicated and confusing jargon of the industry? We know that it’s not necessarily your specialty, but it’s still important that you understand how network security works for your organization. While the complicated details should be left to IT professionals, we can help you better understand the general idea of security by comparing it to a locked door.

Brute Force Attacks
Let’s say that a robber wants to break into your home. He will try to go through a door, but he might not have the keys required to get in. In this case, he will have to use everything at his disposal to get in. He might try to kick the door down or smash a window. In other words, he’s getting into your house by brute force.

Brute force in computing can consist of a hacker trying to use as many passwords as possible in a short period of time to get in. There are programs that can randomly generate countless passwords in seconds, making this method of attack quite devastating when it’s effective.

Social Engineering
Let’s say that you have a new neighbor on your street. They ask you over for dinner and you get to know them. You feel like you are getting along with them quite well–well enough to trust them to water your plants while you’re out of the state on vacation for a few weeks. You give them a key, but when you come home, all of the plants are dead and you’re missing some furniture or technology. Yup, they’ve robbed you–you’re sure of it.

Social engineering takes a calculated approach to hacking and data theft. Hackers will make personalized attempts to steal your passwords and information by taking on the identity of someone you think you can trust with this information, like an “old friend” or “your elderly grandmother.”

Security Exploits
Robbers may try to find weak points in your front door. Maybe the door doesn’t quite lock all the way due to a defect in the manufacturing process. In this case, the robber may research what the weak points of the door are so that they can know the best and most efficient way of getting past your defenses.

Security exploits are weaknesses in software on your computer that allow hackers to sneak into your system and get into all sorts of trouble. These can range from weaknesses in the way that sensitive information is handled, to particular lines of code that create problems for your organization. Ultimately, it only takes a single crack in your defenses–a security exploit–to allow a hacker into your infrastructure.

Trojan Horse
Someone might knock on your door and tell you that something within your household is in need of repair. Maybe they know that you have a leaky faucet that needs to be addressed, or they know that you have some concerns about your furnace. They are then invited into your home and go about their business. You may then notice that you’re missing important items afterward, hinting that the off-the-street good Samaritan was, in reality, a scammer.

Trojans work like this in many ways. Just like the Greek horse of old, a Trojan sneaks onto your system and plants a backdoor, allowing for secret re-entry at a later date. Often times, a Trojan will use a larger data breach to mask its presence, and then continue to steal information in small doses as time goes on.

Two-Factor Authentication
Two locks are better than one in most circumstances. For example, you can have one lock on the doorknob and another on the deadbolt, which keeps the door fastened in place even if the door is forced open near the doorknob. Basically, having two types of locks makes it twice as hard to get to anything of value.

Two-factor authentication can be used to provide this secondary credential to your digital assets, including online accounts or network logins. A secondary code can be sent to an email address or mobile device, which allows your employees to access important information only when both of these are present.

Does your organization need help with network security? COMPANYNAME can help. To learn more, reach out to us at PHONENUMBER.

Categories
Casserly Consulting Blog

Would Your Users be Tricked by Social Engineering?

social_engineer_earth_400.jpg

The term social engineering may not seem nearly as intimidating as other cybersecurity terms like ransomware or denial of service. Don’t be deceived! Some of the biggest threats to your company’s data and network security use social engineering to manipulate targets into taking a specific action – like disclosing personal information that can be stolen and exploited.

Often overlooked by the media in favor of major data breach events, there are few types of social engineering hacks that have the capability to devastate a business.

  1. Vishing: Given the fact that the number of people who fall for phishing attacks and other email scams has declined significantly, it was only a matter of time before hackers found an alternative avenue to exploit their targets. After abandoning it a few years ago in favor to digital scams, vishing – a fraudulent voice call that seeks personal information – have once again returned as a favorite among hackers and thieves.
  2. HTTPS: SSL certificates used to ensure that a website was legitimate and secure enough to protect your personal information. Websites that have ‘https’ no longer signifies security, as hackers have begun using websites that give away SSL certificates for free and using them to lull victims into a false sense of security. To make sure a website is secure, you’ll want to look for indication of an extended validation SSL (EV-SSL) which are not offered for free! EV-SSLs are signified with a green bar.
  3. Website Copy-Cats: Scammers have become very skilled at making spoof websites that look and feel just like the authentic website but are actually littered with all typesof malware. For example, after the Equifax data loss event in June 2017, Equifax set up a website to help their clients who had their information compromised with the URL: equifaxsecurity2017.com. A spoof of that website, with the domain securityequifax2017.com, was so convincing – it even tricked Equifax themselves! A few things to keep an eye out for when trying to determine if a website is legitimate, include:
    1. Make sure the URL is correct.
    2. Avoid giving out information unless a site has an EV-SSL.
    3. Look for seals of trust from other IT security websites.
    4. Beware of misspellings, typos and broken English.
  4. Every Word Password Theft: There are a lot of hacking tools that will scan through databases – including every word in the dictionary. These tools significantly increase the likelihood that a password that includes an actual word will be cracked and exploited. The best practices are ones that mix numbers, letters and symbols that make no sense.

When it comes to digital threats, for every exploit or hack that is prevented, a few, more advanced ones are developed. The best way to keep your business, and it’s data, safe is to take proactive measures and execute safe internet practices all times – and that goes for your employees, as well! Would you like to learn more about how you can stay ahead of hackers? Call us at COMPANYNAME.

Categories
Best Practices

Tip of the Week: How to Be Active and Proactive With Your Network Security

b2ap3_thumbnail_net_security_tips_400.jpg Security troubles have many causes, but the only way to protect your business from any of them is to implement a comprehensive enterprise-level security solution. There are two other ways that you can work to protect your business, implementing software patches, and avoiding social engineering attempts.

Applying Software Patches
It should be clear that software patches are designed to fix security problems and improve the functionality of the software, but some organizations simply don’t have time to implement them manually, or they simply don’t understand the purpose for them. Part of the problem is that sometimes the developers aren’t necessarily clear that patches are available, while other times those within your organization may not even know how to administer them. Regardless of the reason, there are usually problems on a network that will go unattended for extended periods of time.

Most hackers only want to take advantage of the issues they can detect. Thus, there could be countless threats out there designed to target countless unpatched vulnerabilities on your network that not even the hackers can know about. It makes sense for a hacker to use just one exploit to target a handful of vulnerabilities. Therefore, it’s important to make sure that all software that you use is updated and patched.

Additionally, your systems shouldn’t be running unused programs. The more software you have, the more ways hackers can take advantage of your organization’s network vulnerabilities. Moreover, you might even be wasting revenue on renewing software licenses that you don’t even need, so it’s best perform a network audit from time to time to get the worthless software off your infrastructure.

Dodging Social Engineering Attempts
Social engineering is broadly categorized as any method that takes advantage of unprepared users or those who are ignorant of solid network security practices. Examples include a phone call or email message claiming that the network has been breached by a foreign entity and that “tech support” needs to remote into the computer and resolve the issue. There are other, more subtle methods as well, such as targeted spear phishing attacks that go after specific users with personal information that convince them that the hacker is someone in authority.

These types of attacks vary in sophistication, but they can range anywhere from an employee receiving a message claiming that they’ve won a prize, to the intruder physically following your employees into the office and stealing sensitive data manually. In instances like these, a little bit of employee training can go a long way. Teach them to look for anything suspicious, and inform them that vigilance is incredibly important in the workplace.

These two security improvements barely scratch the surface of what your organization should be focusing on for network security. If you want to fully protect your business to the best of your ability, give us a call at PHONENUMBER.