Watch: Protecting Your Network in the Modern Risk Landscape

Date: September 27, 2023

Highlights from the September 27th episode of the 2023 HBK Risk Advisory Services webinar series hosted by HBK Manufacturing Solutions and Bill Heaven, CPA/CITP, CISA, CSCP, Senior Director, HBK Risk Advisory Services. This episode’s featured presenters: Vertilocity Executives Justin Krentz, Principal; Chris Bowman, Director of Security Services; and Josh Prager, virtual Chief Information Officer


How to Succeed

The three elements an organization needs in order to be successful, and the three areas where it needs protection, are people, process, and technology. All three need to work in harmony and be proficient.

Key to cybersecurity protection is educating staff and getting them to buy into the security plan and process. Everyone in the organization must understand the need for security and that the threats are real. All must be educated on these issues on a continuous basis, or adoption will fizzle. People are the most important element in maintaining security, and they also present the greatest threat.

The Risks

Many of the threats we face in the modern landscape are not new:

  • Spam and phishing have existed since the advent of email.
  • Social engineering existed before computers did.
  • The first incident of ransomware was in 1989.
  • However, there has been a remarkable advance in the toolsets that enable these attacks on businesses, governments, and in fact everyone who uses a computer.
  • Cyber attacks have become a multi-billion-dollar industry.
  • The biggest threats are phishing and social engineering, which account for 90 percent of attacks on small businesses.
      • Attackers are after your identity: any information they can use to impersonate you.
      • Phishing emails and text messages used to be riddled with misspellings and bad grammar; they are much more sophisticated now.
      • The impact of artificial intelligence (AI) is starting to show. AI produces messages that look more real, convincing audio and video, and calls that sound like the person being impersonated.
  • Insider threats are a growing concern.
      • Defined as: a user has legitimate access to a network or device, and that access is exploited.
      • A growing problem with the increase in mobile workforces; you can no longer draw a perimeter around your internal network.
  • Attackers are beginning to use X and LinkedIn to deliver phishing messages.
      • The messages might look like they come through those services, but they don't.
      • Verify by going to the LinkedIn website directly and looking for the message there.
      • Attackers also target legitimate LinkedIn accounts to gather personal information, then use it for things like a job offer that isn't legitimate.
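The notifications described above, which look like they come from LinkedIn but don't, are exactly what the anti-spoofing and link-analysis protections discussed in the next section are built to catch. The following is an added example written for this summary, not code from the webinar, HBK or Vertilocity. It runs two of those checks on a constructed message: DMARC-style alignment (does the visible From: domain match the domain that actually passed SPF or DKIM, as the receiving mail server recorded it in its Authentication-Results header?) and a scan for HTML links whose visible text names one domain while the real href points somewhere else. The message, the `example` domains, the header values and the two-label organizational-domain rule are all assumptions made for the example.

```python
# Added example (not HBK/Vertilocity code): two checks an anti-spoofing email
# filter performs. (1) DMARC-style alignment: does the visible From: domain match
# the domain that actually passed SPF or DKIM, as the receiving server recorded
# it in Authentication-Results? (2) links whose visible text names one domain
# while the real href points at another. All domains and values are constructed.
import email
import email.policy
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


def _sample(spf_domain, dkim_domain, href):
    """Build a constructed 'LinkedIn' notification; only the authenticated
    domains and the link target differ between the spoof and the real one."""
    return (
        "Authentication-Results: mx.example.net;\n"
        f" spf=pass smtp.mailfrom={spf_domain};\n"
        f" dkim=pass header.d={dkim_domain}\n"
        'From: "LinkedIn Messaging" <messages-noreply@linkedin.com>\n'
        "To: target@example.net\n"
        "Subject: You have 1 new message\n"
        "Content-Type: text/html; charset=utf-8\n\n"
        "<html><body><p>Someone sent you a message.</p>\n"
        f'<a href="{href}">https://www.linkedin.com/messaging</a>\n'
        "</body></html>\n"
    ).encode()


SAMPLE_SPOOF = _sample("bounce.notifications-linkedin.example",
                       "notifications-linkedin.example",
                       "https://login.notifications-linkedin.example/auth")
SAMPLE_LEGIT = _sample("bounce.linkedin.com", "linkedin.com",
                       "https://www.linkedin.com/messaging")

# method=result followed by the authenticated identifier, per RFC 8601 syntax.
AUTH_RESULT = re.compile(
    r"\b(spf|dkim)=(\w+)\s+(?:smtp\.mailfrom|header\.d|header\.i)=(?:[\w.+-]*@)?([\w.-]+)")
# Visible link text that names a host, with or without a scheme or path.
DOMAIN_TEXT = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")


def org_domain(host):
    """Relaxed-alignment key: the last two labels. Real DMARC uses the Public
    Suffix List; two labels is an assumption that fits the sample domains."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def aligned_methods(msg):
    """Return (From: domain, list of methods whose passing domain aligns with it)."""
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    auth = AUTH_RESULT.findall(str(msg.get("Authentication-Results", "")))
    aligned = [method for method, result, domain in auth
               if result == "pass" and org_domain(domain) == org_domain(from_domain)]
    return from_domain, aligned


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Links whose visible text names a different organization than the href."""
    parser = _Links()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, real = DOMAIN_TEXT.match(text), urlparse(href).hostname
        if shown and real and org_domain(shown.group(1)) != org_domain(real):
            flagged.append((text, href))
    return flagged


def triage(raw):
    """Human-readable findings for one raw message; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    from_domain, aligned = aligned_methods(msg)
    findings = []
    if not aligned:
        findings.append(f"From: domain {from_domain} is not aligned with any passing SPF/DKIM domain")
    body = msg.get_body(preferencelist=("html",))
    for text, href in mismatched_links(body.get_content() if body else ""):
        findings.append(f"link text {text!r} actually points to {href}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw) or ["clean"])
```

Both constructed messages pass SPF and DKIM, which is the point: a spoofer can set up authentication for a domain they own. What gives the spoof away is that the domain that authenticated is not the domain shown in From:, and that the link's visible text does not match where it goes. A filter that only checks for a DKIM pass, or a user who only looks at the sender name, misses both.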
Addressing Risks

Multiple activities to put in place:

  • User training: the only reliable way to control whether someone gets caught is to make sure users make smart decisions. Teach people to be skeptical: look for speech patterns that would tip you off that it isn't the person being impersonated, and ask whether you actually know the person sending the message. For example, why would I need to sign in with my Microsoft credentials to get a donut shop coupon, or why would I need to provide my phone number in response to a fraud alert from Amazon?
  • Enhanced email protection: analyzes the links in emails and checks where each link leads to ensure the destination server is safe.
  • Attachment protection: opens the attachment in an isolated environment to ensure it contains nothing malicious.
  • Anti-spoofing: analyzes emails to ensure the real sender isn't a different email account than the one displayed.
  • Identity and access management (another change brought by a mobile workforce): a shift in security focus to proving who you are, and that you should have access to a resource, before you get it.
  • Multifactor authentication (MFA): the user should have a password and something additional, like a fingerprint, to verify that the user is who they say they are.
  • Multifactor authentication types and benefits:
      • Defined as: something you have, something you know, or something you are, in addition to a password. Passwords are for sale everywhere on the dark web.
      • Message-based MFA: the code you receive by text message and type back in to prove you're you.
      • MFA tokens: a more robust and newer type of MFA. A FIDO2 key essentially says that if you hold this key, plugged into or built into your phone or computer, you can use it to prove you are who you say you are. Each login is answered with a signature over a challenge that is bound to the site you are signing in to, so a response cannot be replayed against another site or a later session, and the private key never leaves the device, so it cannot be phished or stolen like a password.
  • Other ways to control access:
      • Conditional access controls, such as geo-location-based access.
      • Application access, such as requiring that people using the VPN are on approved devices.
      • Marking devices as compliant by requiring them to meet certain criteria before they are allowed to connect.
      • By protocol: only allowing certain ports or devices to communicate with certain services.
  • MFA do's:
      • Only approve logins when you're actually trying to log in. If you're getting multiple push notifications, reach out to IT, because someone probably has your password and is trying to get in.
      • Keep authentication apps updated. Update your phone's security just like your computer's to maintain the same level of protection.
      • Back up your authenticator somewhere safe.
      • Let IT know if you're getting strange pushes at odd hours.
  • MFA don'ts:
      • Never give anyone your one-time code.
      • Don't approve sign-ins at odd hours.
      • Don't get complacent. If you're not actively signing in, don't approve.
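The MFA do's and don'ts above describe what the user should notice: a burst of push prompts they did not ask for, and approvals at odd hours. The same two signals can be watched for centrally by IT. The following is an added example, not code from the webinar, HBK or Vertilocity: detection logic run over a few constructed authenticator log lines. The key=value log format, the user names and addresses, the three-prompt threshold, the ten-minute window and the 00:00 to 05:00 UTC "odd hours" range are all assumptions made for the example.

```python
# Added example (not HBK/Vertilocity code): detection logic for the two MFA
# warning signs discussed above: a burst of push prompts the user did not start
# (push bombing / MFA fatigue) and approvals at odd hours. The log lines are
# constructed; the key=value format, the 10-minute window, the threshold of
# three prompts and the 00:00-05:00 UTC "odd hours" range are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2023-09-27T14:02:11Z user=asmith event=mfa_push result=approved src=198.51.100.20
2023-09-27T02:13:05Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2023-09-27T02:13:41Z user=jdoe event=mfa_push result=timeout src=203.0.113.7
2023-09-27T02:14:20Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2023-09-27T02:15:02Z user=jdoe event=mfa_push result=approved src=203.0.113.7
2023-09-27T09:30:00Z user=bwong event=mfa_push result=approved src=198.51.100.44
2023-09-27T15:45:10Z user=bwong event=mfa_push result=denied src=198.51.100.44
"""

LINE = re.compile(r"^(\S+) user=(\S+) event=mfa_push result=(\S+) src=(\S+)$")


def parse_events(text):
    """Parse push-prompt log lines into dicts, sorted by time (UTC timestamps)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a push event, or malformed: skip it
        ts, user, result, src = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "result": result, "src": src,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(events, threshold=3, window=timedelta(minutes=10)):
    """One alert per user whose prompts inside `window` reach `threshold` with at
    least one prompt not approved. A push is only sent after the password was
    accepted, so a burst the user did not start means someone else has the
    password; an approval inside the burst is the worst case and is recorded."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in events:
        q = recent[ev["user"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold and any(e["result"] != "approved" for e in q):
            alerts[ev["user"]] = {
                "user": ev["user"],
                "prompts": len(q),
                "first": q[0]["ts"],
                "last": ev["ts"],
                "approved_in_burst": any(e["result"] == "approved" for e in q),
                "sources": sorted({e["src"] for e in q}),
            }
    return list(alerts.values())


def detect_off_hours_approvals(events, start_hour=0, end_hour=5):
    """Approved prompts between start_hour and end_hour UTC, assumed here to be
    outside every user's working hours."""
    return [e for e in events
            if e["result"] == "approved" and start_hour <= e["ts"].hour < end_hour]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in detect_push_bombing(evs):
        print(f"MFA fatigue: {a['user']} got {a['prompts']} prompts between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}Z, "
              f"approved_in_burst={a['approved_in_burst']}")
    for e in detect_off_hours_approvals(evs):
        print(f"off-hours approval: {e['user']} at {e['ts']:%Y-%m-%d %H:%M:%S}Z from {e['src']}")
```

In the constructed log, jdoe denies or ignores three prompts in under two minutes and then approves the fourth at 02:15, which is the "complacent approve" the don'ts warn about; both detectors fire on that user. bwong's single denied prompt stays below the threshold and is not alerted, which is the trade-off of any threshold: a patient attacker who sends one prompt a day needs a different rule, such as counting denied prompts per user per week.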