Phishing attacks: defending your organisation

How to defend your organisation from email phishing attacks.


Phishing attacks: defending your organisation contains advice on how organisations can defend themselves against malicious emails that use social engineering techniques. It outlines a multi-layered approach that can improve your resilience against phishing, whilst minimising disruption to user productivity. The mitigations suggested are also useful against other types of cyber attack, and will help your organisation become more resilient overall.


This guidance is aimed at technology, operations or security staff responsible for designing and implementing defences for medium to large organisations. This includes staff responsible for phishing training.

This guidance concludes with a real-world example that illustrates how a multi-layered approach prevented a phishing attack from damaging a major financial-sector organisation.


What is phishing?

Phishing describes a type of social engineering where attackers influence users to do ‘the wrong thing’, such as disclosing information or clicking a bad link. Phishing can be conducted via a text message, social media, or by phone, but these days most people use the term ‘phishing’ to describe attacks that arrive by email. Email is an ideal delivery method for phishing attacks as it can reach users directly and hide amongst the huge number of benign emails that busy users receive.

What is cybersecurity?

Why do we use it?

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.

Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, and attackers are becoming more innovative.


What is cybersecurity all about?

A successful cybersecurity approach has multiple layers of protection spread across the computers, networks, programs, or data that one intends to keep safe. In an organization, the people, processes, and technology must all complement one another to create an effective defense from cyber attacks.

People

Users must understand and comply with basic data security principles like choosing strong passwords, being wary of attachments in email, and backing up data.

Process

Organizations must have a framework for how they deal with both attempted and successful cyber attacks. One well-respected framework, the NIST Cybersecurity Framework, can guide you: it explains how to identify attacks, protect systems, detect and respond to threats, and recover from successful attacks.

Technology

Technology is essential to giving organizations and individuals the computer security tools needed to protect themselves from cyber attacks. Three main entities must be protected: endpoint devices like computers, smart devices, and routers; networks; and the cloud. Common technology used to protect these entities includes next-generation firewalls, DNS filtering, malware protection, antivirus software, and email security solutions.


The Social Engineer

Michael Macpherson

Helping businesses look at cyber security from a different perspective.


Security professionals are continually harping on about how “security is everyone’s responsibility” and we all play a part in ensuring we protect our personal and business information.

Why should you care about security?

“That’s why we have firewalls, intrusion detection and antivirus; that’s what Bill the IT guy gets paid to look after, right?”

To some degree this is true: Bill and his team would look after the installation, maintenance and troubleshooting of all system and network related incidents to ensure that the internal and external facing infrastructure remains secure.

This is all fine until your organisation is faced with a breach, and then it quickly becomes apparent that the problem was not due to Bill having a bad day and leaving a firewall wide open; it originated from a targeted social engineering campaign which resulted in Ted being subject to a phishing attack and unwittingly transferring 20k to what he thought was the CEO.

Humans are still the weakest link in the IT security domain; it’s human error and lack of security awareness that cause the majority of breaches within an organisation. At least 33 percent of breaches originate from ex-employees who still have access to the internal infrastructure. It is not their fault if you don’t have a defined process to disable accounts and revoke Active Directory privileges when they leave.

There is no getting away from the fact that as a society we have come to rely on the Internet; more of us have succumbed to the lure of social media, online shopping, streaming entertainment and online gaming. All of these leave a massive footprint of information on the web, spread across the globe.

Are you aware of how much information you have shared, either by choice or unknowingly?


Indian companies are on a desperate hunt for cybersecurity experts

By Sushma U N

India saw at least one cybercrime every 10 minutes during the first half of 2017.

But Indian companies are struggling to beef up their cybersecurity teams as there’s hardly enough talent around.

There are currently around 30,000 cybersecurity vacancies in India, recruitment experts say, including several for C-suite leaders who can overhaul the overall security strategy of a firm. Other openings include managers who can oversee cybersecurity projects and engineers with impeccable domain knowledge.

The required skills are analytics, engineering, and software development, and also highly specialised functions such as intrusion detection (monitoring suspicious activity on the network), access management, risk auditing, cryptography, forensic sciences, and network security.

And because demand far outstrips supply, those with the skills can potentially make a killing.

In their desperation to hire, companies are willing to pay nearly twice as much as they do to other tech professionals. For instance, engineers with cybersecurity chops and more than three years of experience can make up to Rs25 lakh a year, HR experts said. On the other hand, a software developer with five years at a multinational firm would earn only around Rs10 lakh a year.


5 Key Reasons Why Banks Must Adopt Automated Mobile App Security Testing

In this article, we look at how automated mobile app security testing helps keep banks secure and also helps them run faster security testing cycles, which in turn enables faster time to market.

Banks have evolved over time to become more than what we used to consider just a safe house for all our money. With innovation and the power of technology, we now have options to do more and at a much faster pace. We’re seeing multiple disruptive technologies that are taking the world of business, and most importantly banks, by storm. One such technology is mobile.

Almost every bank now has an application and encourages its users to adopt mobile banking. Yes, it’s easy and convenient, but it has also become more of a necessity due to the turn that the business world has taken.

As more and more users adopt mobile technology, more data such as personal information and financial credentials of users is acquired by the banks in order to make transacting simpler. This huge collection of data, wherever it’s stored, becomes a favourite hunting ground for cybercriminals. I’m aware that this is quite a blanket statement that a lot of cybersecurity businesses use, but that is the reality of the danger that all banks and mobile banking users face.

#1. Security threats, especially for financial institutions, are never constant

#2. Security right from the Get-Go

#3. Ensure you are compliant with industry security compliances

#4. No need for change in security strategy
