Highlights of the April 26, 2023, HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, and featuring Greg Kelley, BS, EnCE, DFCP, Chief Technology Officer and Founder, Vestige Digital Investigations.
Today’s Cybersecurity landscape:
Over 37 billion records exposed in 2020; typically someone’s name, address, email account, or more secretive information like a Social Security number.
Until recently the U.S. military protected four domains: air, land, sea, and space. They have added cyber as another domain, which indicates the seriousness and pervasiveness of the issue.
The U.S. is the most targeted country because we have more wealth than anywhere else, and we are the most online nation.
Average cost of a compromise/breach: $3.9 million.
95 percent of breaches are caused by human error.
With the Russia-Ukraine war, there was an increase in cyber attacks, most of them on each other. There was a dip in Russian attacks on the U.S., but they are back up.
63 percent of confirmed breaches involved weak, default, or stolen credentials.
30 percent of recipients open phishing emails and 12 percent click on attachments within an average of 4 minutes.
Typically hackers will capitalize on an exposed vulnerability, such as something in Microsoft Windows, within 10 to 100 days. But we’re seeing attacks that are exploiting vulnerabilities that were discovered in 2007. People are still not patching their systems. Once they have stolen your credentials and they are in your environment, it’s a matter of exploiting the machines in that environment and enhancing their credentials to become administrators in that environment.
You are a target just because you are on the internet.
Top 10 threats
Social networks: Common practices like getting someone to respond to a survey.
Third-party attacks: From such activity as sharing data with vendors and other trusted connections, as well as by employees using their home computers to tie into your network.
Internet: Through applications not designed to be attentive to security, such as for the home.
Open sessions: Live connections not turned off, which hackers can use to get information and steal credentials. Advice is to always log off when you’re done.
Failure of MFA/2FA (multi-factor and two-factor authentication): One way to circumvent protection is spoofing. Another is MFA bombing: repeated notifications to enter a code, which allow the hacker to gain access and compromise your password. “Trust this device”: never click to trust, but enter using your MFA.
Account takeovers: Hackers are adept at taking over one account then jumping to another, for example, your email address, which you use to log in to other accounts, like banks and investment funds. They can issue password resets once they have taken over your email account.
Business email compromises: Spoofing of a known connection of yours to get you to pay money, buy something, divert account payments.
Ransomware: Can result in the shutdown of your entire network. Costs include getting your network back up and running, buying back your data, damage to your reputation, and loss of business.
Phishing: Plays on unaware victims who fail to scrutinize where email is coming from.
Can appear to be from a vendor, like Apple or Microsoft.
Common ploy: Tell you that you have emails you didn’t yet receive and need to download; but it will steal your credentials and have access to your mailbox if you connect.
Updates: Telling you that you need to confirm your credentials on an account.
You have to understand how to read the URL. It is important to identify the top-level domain, the last set of characters after the period like “.org” or “.com,” etc. Everything ahead of the domain is a location, a server.
Spelling and grammar errors are an indication of an attack email.
Hover over the email address to identify fake emails. Hackers will generate a domain that looks similar by use of character substitutions, like a number for a letter.
Poor passwords/credential stuffing: Use complex, long passwords with uppercase, lowercase, symbols, and numbers.
Don’t use the same password over and over again. By having your password for one account, they’ll get into other accounts with the same password.
How to remember them all: Use password managers, password vaults that let you use one password for safe access to all your other account passwords.
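Added example (not from the webinar): the URL-reading and lookalike-domain advice in the phishing item above, expressed as a check a mail filter or training tool could run. The trusted list, the substitution table, and the sample URLs are constructed assumptions, and taking the last two labels as the site domain is a simplification (suffixes such as .co.uk need the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed allow-list: domains the organisation really deals with (assumption).
TRUSTED = {"example.com", "example.org"}

# Fold characters commonly swapped in lookalike domains onto one letter each.
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e",
                      "4": "a", "5": "s", "7": "t"})

def skeleton(domain):
    """Domains that differ only by a swapped character share a skeleton."""
    return domain.translate(FOLD)

TRUSTED_BY_SKELETON = {skeleton(d): d for d in TRUSTED}

def site_domain(host):
    """Last two labels of the host name (simplified, see lead-in)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def classify(url):
    """Classify a full URL (scheme included) against the trusted list."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    domain = site_domain(host)
    if domain in TRUSTED:
        return "trusted"
    real = TRUSTED_BY_SKELETON.get(skeleton(domain))
    if real:
        return f"lookalike of {real}"
    # Everything ahead of the site domain is only a server name, so a
    # trusted name appearing there says nothing about who owns the site.
    ahead = host[: len(host) - len(domain)].rstrip(".")
    for name in sorted(TRUSTED):
        if ahead == name or ahead.endswith("." + name):
            return f"{name} used as a server name under {domain}"
    return "unknown"

if __name__ == "__main__":
    samples = [  # constructed URLs for illustration
        "https://mail.example.com/inbox",
        "http://examp1e.com/verify",
        "https://login.example.com.account-check.test/reset",
        "https://news.example.net/",
    ]
    for url in samples:
        print(f"{classify(url):55} {url}")
```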
Good cyber hygiene
Think before you click; look at the URL.
If it seems too good to be true, it probably is.
Check your social media privacy settings to make sure they are secure.
Use multiple passwords and change default passwords.
Use two-factor authentication; it’s a life saver.
Traveling? Be careful with Wi-Fi. Consider using a dedicated laptop and cell phone. Connect with your company via the VPN.
Don’t download unapproved or unknown software.
Perform software updates on a regular basis.
Perform and test backups and keep important information on the server.
Report anything suspicious.
Relative to financial and identity theft, do a credit freeze at credit report agencies; monitor and reconcile bank accounts frequently.
9-step program for good cyber hygiene
Change in attitude: you must accept that you are a target just because you are on the internet. They are shopping randomly; once they’re in, they look for what is of value to them.
The price of not being secure: Hard costs: remediation, investigation, notification, litigation. Soft costs: loss of reputation and business.
It isn’t easy: Give up the belief that cybersecurity is easy, can be solved with money, and is a one-time initiative. You have to build a culture and understand that human error is the biggest source of access to hackers.
Commit to becoming vigilant: question the out-of-the-ordinary.
Establish a cybersecurity program, top down, to understand and prioritize risks. Ensure people are following the program. Usually involves input from an outside resource to scrutinize the environment and your protection.
Hold people accountable: it’s everyone’s issue.
Educate your people on good cyber hygiene and why it’s important.
Provide resources for cybersecurity.
Plan for the inevitable. Don’t wait for the incident to happen to plan. Need to know what steps to take when there is an incident, and create an incident response/data breach plan, including your first points of contact.