CloudOgre

844-OGRE-NOW

When Cybersecurity gets Physical

by

Knuckle Up! Guard your space and be digitally safe 

Shoulder surfing is often overlooked. Pun intended!

Keeping safe digitally requires physical protections. The cloud is a physical place, servers in data centers, not some magical mist out in the ether. In fact, the physical nature of the cloud is so important that we provide low latency connections direct to cloud providers like AWS and Microsoft. Edge computing is bringing storage and processing closer to places where it’s needed much like CDN (Content Delivery Networks) and caching which brings content like webpages and videos to you faster.  

Data center location is not the only thing to be aware of in your cybersecurity strategy. Users are both your greatest ally and adversary. Keeping your end user aware of his or her surroundings and the impact it can have on organizational health is crucial. Making sure they know the impact of their safety on others including compliance is crucial. Leaving behind wallets, purses, and phones can expose sensitive company data which could be prevent through mindful awareness.  

Today, we discuss a lot about oversharing on social media because knowledge is power. Sharing on social media can give the bad guys the info they need to successfully commit a crime like a home break in when you’ve posted about your vacation. Shoulder surfing and tailgating are issues that are frequently overlooked and can have negative impacts like fines, reputational damage, and worse. In fact, the goal of Security Awareness Training is to highlight the little things and how impactful they can be, not to scare end users. Keeping folks safe in day to day life keeps business safe. 

Texting and Walking – Sounds silly but this is a big problem. Living in your phone leaves you vulnerable in the real world. Can you believe that in 2017 nearly 6,000 people died from texting and walking. This also makes you a potential target of would be wrongdoers, robbers, purse snatchers, etc. Making eye contact with a thief is one of the best deterrents from the crime. Walking on the other side of the street, repositioning your purse, tucking in your jewelry… all of those work but only if you’re paying enough attention to be aware of the potential threat.  

Screen Position & Voice Volume – Whether you’re talking too loudly on the phone while discussing sensitive data or have your screen positioned in a way that others can see, inadvertently exposing data is not cool! Have you ever heard your dentist speaking to another client or saw banking information on a screen that you shouldn’t be able to view? If you have, you’ve witnessed one of cybersecurity’s biggest party fouls. *When aging people tend to use larger font to see text and have the volume higher on phones during conversation. Just because you can’t see or hear it well doesn’t mean others can not. Basically, Yes! I can hear you when your phone isn’t on ‘speaker’ but the volume is all the way up… I hear it loud and clear and can make out every word without having superhuman hearing abilities.  

Image result for mantrap security
Use of Mantraps are crucial to restricting access to important areas.

Shoulder Surfing and Tailgating – Ever cheat on a test by looking over a classmate’s shoulder? Ever follow someone in the turnstile at the subway to get the 2-for1 special? These are prime examples of shoulder surfing and tailgating, giving unauthorized people access to data or areas they don’t have the permission to obtain. In data centers, government buildings, and other sensitive sites, mantraps are used to prevent tailgating by making sure only one person has access at a time. Sound proofing and sound masking helps muffle sounds so unauthorized users can’t hear sensitive data.  

Sound like overkill? Probably not if you knew the fines for not being compliant with HIPAA, DFS 500, SOX, SAE, etc. Those fines can absolutely crush a small business. Keeping files secured safely and backed up is just as important as someone being able to see a screen where sensitive information is displayed. I’m shocked how many banks, doctors, and dentist offices I walk by and can see information that I should not see. To report a violation or learn more about that process you can visit the Department of Health and Human Services.  

Three factor authentication requires something you know, something you have, and something you are. What you know can be a password. What you are can be biometric like a fingerprint or retina scan. What you have can be a key, fob, or phone. Passwords should always be complex and kept secret. Unless you’re in a James Bond movie carrying a suitcase handcuffed to your wrist, something you have and something you are should be kept separate. Together, these three can be used to not only secure files digitally but to secure locations like a data center or office.  

Be aware of your physical surroundings, whether planning out a data center strategy or walking to your car, it is important to be mindful of your environments including any possible threats. The old school methods are tried and true. Don’t let people into buildings that you don’t know. Make sure nobody is looking over your shoulder when you’re accessing sensitive information, in fact, don’t even do it unless you’re in a safe place   Be aware of your physical surroundings, whether planning out a data center strategy or walking to your car, it is important to be mindful of your environments including any possible threats. The old school methods are tried and true. Don’t let people into buildings that you don’t know. Make sure nobody is looking over your shoulder when you’re accessing sensitive information, in fact, don’t even do it unless you’re in a safe place   

Keep your iPhone secure from Spying Apps

by

Use your Battery and Siri to help protect your privacy !

Siri is always listening for “Hey Siri!” but she hears everything else too

Siri is great! She’s informative and funny at parties to ask silly questions like “Hey Siri, What does Siri mean?”. Truth be told Siri is not your friend. She is always listening and telling other what you’re talking about. You’d kick any other friend like that to the curb. So why do you let Siri listen to everything you do? Did you read Orwell’s 1984 and think, “Hey that’s a great idea!”? 

Back in August of 2019, Apple issued a formal apology for allowing humans to listen to Siri recordings. It is tough to stay ahead of all of the changes in technology and their impact on privacy and user’s lives. Companies have to walk a fine line between what is functional versus an invasion of privacy.  

Recently, at a training event I was asked about ads that were appearing in people’s feeds whose content came, not from what was typed into a Google search, but what was said aloud in conversation. How could an ad for French Onion pop up when you were just discussing it?  

Siri not only operates independently but also within each app. In order to have Siri stop listening to you’ll need to disable Ask Siri, Siri Suggestions, and go into each app to make sure Siri is disabled.  

If you read through the Siri Privacy Statement you’ll see that Siri is trying to learn how you use your device including your browsing history, emails, messages, contacts, and other information. You shouldn’t be shocked by this and if you are, be aware that most apps operate this way. They need the data to operate and be improved yet some companies share that data to improve their advertiser’s experience.  

In order to turn off Siri you’ll want to go into Settings, Siri & Search, then disable ‘Listen for Hey Siri’ as well as ‘Press Side Button For Siri’, ‘Suggestions in Search’, ‘Suggestions in Lookup’, and ‘Suggestions in Lock Screen’. Below that you’ll see a listing of all your apps that use Siri Suggestions.  

Siri & Search
Use Siri & Search Settings to keep maintain privacy

My suggestion is to go into each app and disable Learn from this App, Show in Search, and Show App. Next, go to Settings and then Privacy and scroll to the bottom to click on Analytics & Improvements to turn off Share iPhone Analytics, Improve Siri & Dictation, as well as, Share iCloud Analytics.  

Apps are constantly running in the background mining data and using your battery power. If you go to ‘Settings’ on your iPhone and then click on ‘Battery’ and scroll down past ‘Low Power Mode’, and ‘Battery Health’ to ‘Battery Usage by App’ which will show percentage of battery usage by app plus the time the app was active including time the app was operating in the background. You can click on both ‘Show Activity’ or ‘Show Usage’. 

Apps running in the background
What apps are running in the background after you’ve stopped suing them?

You’ll always need to negotiate between functionality and privacy so it’s up to you to determine what you’re willing to share and what you want to get for it. Some people choose to post a lot of their information to social media and make it publicly available while others have their profiles set to private and rarely post if at all. That’s your decision to make but the goal of Security Awareness Training is to make you mindful of the trade-offs that come with your decisions.  

What is GPS Spoofing – Security Vulnerability Threatens Personal Safety

by


GPS Spoofing

 

GPS spoofing can probably make your self driving car go right off the cliff! What is GPS Spoofing? Its when the GPS information going to you device does not reflect your current location because its been hacked and given the wrong info. 

Picture you’re this, you’re at work in the middle of an important meeting and get a call from the landline at your house. You’re thinking, “how can this be?”. After all, you live alone and haven’t given anyone your landline number because you only got it because it came with your cable bundle. You answer the call and its a robocall from whatever the latest scam is. For a brief second that telephone number spoof caused chaos. 

 

Imagine if the spoof wasn’t focused on your phone and was instead focused on your GPS. The potential chaos is enormous. Whether redirecting customers to competitors, causing maritime traffic on shipping routes, accidents in self driving vehicles, or any of a wide variety of technology issues for systems reliant upon GPS. Today, more and more systems are reliant upon GPS and these are physical systems that dictate basic logistical functions so this is likely the to be the security vulnerability with the greatest danger to your physical well being. 

Back in July the Department of Homeland Security reported that our power grid had been infiltrated by state sponsored actors showing their advanced capabilities to gain access to  mission critical infrastructure systems. GPS Spoofing adds a new layer of danger. GPS receivers are able to access the Global Positioning System which uses DOD satellites to provide information. Those receivers are vulnerable to attack.

GPS Spoofing

The Wall Street Journal’s Adam Janofsky published an article yesterday claiming that with a $223 device, a team from Microsoft Research and the University of Electronic Science and Technology of China were able to redirect 40 drivers, sending them to destinations of the hacker’s choice. 95% of people followed the route to a place they did not want to go.

This ability, as you can imagine, that GPS Spoofing provides hackers doesn’t have an easy solution and hackers are continuing to develop their attacks as we patch vulnerabilities. The Department of Homeland Security has produced an unclassified document that shows organizations and individuals and organizations 22 specific recommendations to protect themselves from GPS Spoofing. 

Some of their recommendations are to obscure antennas, provide decoy antennas, introduce redundancy, practice good cyber hygiene, use whitelists, and enhance anti jam capabilities. The report is pretty in-depth and is recommended if you want to learn more information on GPS Spoofing.  

GPS Spoofing

GPS Spoofing

If you’re worried about employees and/or contractors engaging in GPS Spoofing to fool your timecard and telemetry systems adding billing dollars onto your bottom line, its a real concern. This shows that cyber security is a concern that has wide stretching implications that all of the departments across your organization should weigh in on to develop the right strategy to protect your organization. 

So, the next time you hop into an Uber or Lyft, make sure your driver is taking you directly to your destination and not GPS Spoofing you to add a few dollars onto your fare. 

Three Strategies to Prevent Vishing Attacks

by

Wishing is Voice phishing

Voice phishing

Phishing comes in many forms, whether via email, telephone, or text, the point is to get you to hand over important information like usernames and passwords. It’s a form of social engineering that convinces people to provide data by manipulating their confidence.

 

Both Vishing and SMishing are on the rise. A call may come in from what appears to be your front desk, your bank, your credit card company, etc. They’ve Spoofed their outbound Caller ID so that you think the call is originating from a place that you trust.  These tactics can be used on anyone but are also prevalent in Whale Phishing where the target is much higher profile. These attacks are much more effective because for years, folks have been focusing on emails, however, with VoIP’s rise and development the technology has been used to attack user’s confidence. This is the same tactic used with SMishing which is a text message from a number you’d trust, that prompts you to click a link which installs malware on your device.

 

How do you prevent Vishing and SMishing attacks? You can block the number from coming in right? Wrong. When someone from that actual number calls, and you need to take the call, it won’t get through. There’s no SPAM filtering for a voice platform. A best practice is to use your auto attendant to filter humans from bots. Dial by name directories will allow human traffic. The bots aren’t very sophisticated just yet so that along with the tips below will help fight against negative effects that stem from Vishing and Phishing. Hear more of what we have to say on voice services here.

 

  1. Don’t Publish Direct Line Telephone Number

Keep this for your business card. Security starts as an ideology. That said, your cell phone number should be held at a higher secrecy level than your direct line. After all, you can turn off your desk line after hours. If your phone number is published on your website it’s much more likely to get calls you don’t want. Using the power of Unified Communications effectively could really give you a lot of your day back.

  1. Use Your Auto-Attendant

Some say that its unfriendly or impersonal but today’s auto-attendant can be really innovative and cool. With music on hold choices, multiple message options, time of day settings, you can give folks a more personal feel by using your phone’s basic features to provide real time updates to humans while avoiding bots and unwanted callers. Need to know what your system is capable of? Learn more about voice equipment here.

Don’t flush your budget down the toilet

  1. Voicemail-as-a-Defense

Yes! At times it is best to use good ole human interaction as a line of defense. There are a ton of options with voicemail these days but this tip is for sticking to basics. Calls from unknown numbers should be sent to voicemail, this way when you check your voicemail you’ll know if it’s a call you need to take. Today’s business phone systems have voice transcription features that can text you the voicemail if you’re not immediately available to listen to the message.

 

Most SPAM filters will keep this content out of your inbox but some emails will leak through. The same will go for Vishing and Smishing scammers. Calls wil get through but your best bet is to use the steps above to reduce the issue. Recently we’ve seen Phishing attacks that appears as if it’s coming from Apple. They ask for users to sign in threatening that their Apple account will be locked within 24 hours. There are also the Vishing calls that claim to be the IRS with a threat of arrest if you don’t pay some fee. The sense of urgency is present in all Vishing and Phishing attacks we’ve seen. Never give out any account information and always pay attention. These are ever evolving social engineering hacks that are morphing with our changing behavior. Training all end-users on best practices and keeping them updated is certainly a best practice until someone comes up with a better idea. Think you have an idea or want to spend some time discussing how to better protect your business? Connect with the Ogre

 

 

 

Security Awareness Training

by

 

Security Awareness Training is the first step in preventing a data breach.

Imagine you walk into your doctor’s or dentist’s office and as you sign in you hear the person at the front desk reading a patient’s confidential information aloud for anyone in the general vicinity to hear. What do you do? Cyber Security is a philosophy and not just a practice. That practice stems from the company’s security philosophy and permeates all pieces of the organization. Security Awareness training is of the utmost importance to prevent the negative impacts of a breach.

When this happened to me recently I was shocked. I’m not sure if I was more shocked by the fact that confidential information was being thrown around with no regard for the potential impact or that the patients in the room seemed to not be concerned. My first thoughts were either this person at the desk was malicious or negligent. Had the company provided security awareness training? Their philosophy was clear within the verbiage of their patient paperwork allowing for “the release of health information to banks and financial institutions”

Again, security starts as a philosophy and although there are compliance regulations to govern PCI, HIPAA, SOX, PII, etc., a more general philosophy around protection of key data should be adopted to address breaches proactively. The example above is around personal information however analogous situations exist within the corporate environment. Intellectual property like customer data, CPNI in telecom, pricing, or even properly performed exit interviews can have a negative impact on an organization if not secured properly.SECURITY AWARENESS TRAINING

Security Awareness Training is the first line of defense. If your people don’t know that they need to keep the information secret, they won’t. Fines for data breaches are the least of your worries so you want to explain exactly why data needs to be held so tightly. According to the National Cyber Security Alliance as reported by Entrepreneur Media, 60% of small businesses go out of business six months after an attack. Brand equity and finances suffer, as well as, key people responsible may lose their job. Read more here about what happens when your small business is hacked.

Common sense approaches to security couple devices like door locks with training to remind employees to make sure they don’t allow unauthorized people into a locked facility after opening a door with their key card or ID. Required password changes should be implemented to keep systems safe but it can do more harm than good if employees aren’t trained on how dangerous it can be to leave these passwords on Post-It notes on their desk. Here is a list of the 6 threats to keep an eye out for in 2018 according to MIT Technology Review.

Cyber security concerns are also present within the government sector. When the Sheriff is paying the ransom to get their data back, we have a huge problem. This happens more often than most think. Organizations have to decide if and when they release information about a hack. Equifax didn’t release that data for about six months. Sometimes you can’t immediately release that information since it could cause additional harm. This is part of Security Awareness Training for higher level IT folks within an organization.

The increase in need for Cyber Security professionals, especially the CISO, is indicative that companies know they need to address these issues. Their inability to find the right talent to put in place shows that the philosophy of security doesn’t always make its way to the top. Most know the dangers of cyber security but don’t understand the nuance. A firewall is great but the weak link is people. If a thumb drive is put into your network by an unsuspecting employee, your firewall is useless.

Chief Information Security Officer jobs are on the rise!

There is a shortage of cyber security professionals. There are a predicted 3.5 million cyber security positions that will be open in 2021 according to Cisco. Cross training others within companies will have a big impact on securing data. Security Awareness Training is imperative, across all internal organizations, to make those professional’s jobs easier and keep data secure.

In sum, companies need to train their employees to use common sense approaches to securing confidential data. That person at the front desk obviously needs to be trained not to read confidential information aloud and why. They need to be taught that the patient’s finances could be compromised and the company can be fined. The three things that can be done are simple. Regularly scheduled training and reinforcement is necessary to keep employees aware of their role and the possible negative impacts they can prevent. Looking at security from a high-level as a philosophy is a crucial first step to addressing your company’s security concerns. Throwing money at it isn’t the answer. Finally, risks need to be properly assessed proactively to create a plan of action and limit potential harm to the organization.

For help with these and other issues, contact us here to schedule a discussion.

 

Want an ogre in your inbox?

1615 S Congress Ave, Suite #103
Delray Beach FL 33445
↑ Top of Page