Highlights of the July edition of the HBK Risk Advisory Services webinar series hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, HBK Risk Advisory Services.
Practical advice for protecting yourself and your company from cybersecurity attacks.
How hackers obtain personally identifiable information (PII), the most sensitive personal information.
Credential stuffing and stealing (harvesting account credentials, such as combinations of user IDs and passwords, which attackers can sell for use on the dark web)
Malware (malicious software)
Password spraying: looking for other accounts belonging to the same person, because people reuse the same password across multiple accounts (similar to credential stuffing)
Data breaches: information stolen that is held by another organization, like a retailer or medical insurance firm
www.haveibeenpwned.com – Use the site to check for breaches of databases and learn where your data may have been compromised and what was exposed, such as an email address or phone number. The site also provides recommendations.
Biggest takeaway about responding to emails, etc.: be skeptical.
Key takeaways from the 2023 Verizon Data Breach Investigations Report (DBIR).
Key components of a data breach:
Exploitation of vulnerabilities
95 percent motivated by financial gain
Espionage, a very distant second, less than 2 percent
Pretexting on the rise:
Half of all social engineering incidents in 2022 used pretexting – a script to gain entrance
Business email compromises: almost all pretending to be a vendor
Ransomware involved in 24 percent of cyber attacks in 2022
External actors looking for money and data involved in 83 percent of breaches
Internal actors cause 19 percent of data breaches
Errors (intentional or unintentional) down in 2022 but continue to be a trend
The PII Market
The surface internet is about 5.5 billion pages, only 4 percent of the total internet.
The Deep Web: typically not searchable by the general public (e.g., healthcare or academic records, legal documents); about 90 percent of the data on the internet.
Dark Web: about 6 percent of internet pages
Difficult to get to; need special browsers
Don’t want to go there because you are likely to pick up malware or viruses
What you can get there: credit card data; social media user accounts; forged documents (scans); forged documents (physical); email database dumps (10 million U.S.-based email addresses can be bought for $120); online bank account logins for U.S. banks; and hacking tools, including malware and DDoS attacks
Hygiene Habits to Mitigate Risk
Composition and length (to make it harder to crack)
Brute-force password cracking
Use a unique password for each login
Use a password manager to store passwords and gain access without having to remember them
Turn off “save password” feature in your internet browser
Password composition and length:
Don’t use a single word or numbers in sequence
The more characters in your password, the longer it will take for a hacker to crack it
Averages: most corporate passwords use 8 to 10 characters; an 8-character password takes a day to crack, a 10-character password takes 5 years
Recommend using a passphrase combining numbers, symbols, uppercase, and lowercase characters
Phishing: a social engineering attack via email
Smishing: a social engineering attack via text
Vishing: a social engineering attack via phone/voicemail
Ways employed to trick you:
Domain name is misspelled or spoofed
Use of Cyrillic alphabet characters that look like Latin letters
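Added example (not from the webinar) of how a defender can check a sender's domain for the Cyrillic look-alike trick and the spoofed-domain indicators listed above; the sample domains and the small confusables list are constructed for this example.

```python
import unicodedata

# Cyrillic letters that render almost identically to common Latin letters.
# Constructed subset for this example; Unicode's confusables table is much larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters in one domain label (LATIN, CYRILLIC, ...)."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # Character names look like "CYRILLIC SMALL LETTER A"; the first word is the script.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(domain: str) -> str:
    """Replace each confusable Cyrillic letter with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def check_domain(domain: str, expected: str) -> dict:
    """Compare a sender's domain with the domain the recipient expects to see.

    Flags three things a defender reviews: a Punycode (xn--) label, a label
    that mixes scripts, and a string that only matches the expected domain once
    look-alike letters are normalised (a homoglyph spoof).
    """
    reasons = []
    labels = domain.lower().split(".")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label")
    for label in labels:
        if len(scripts_in(label)) > 1:
            reasons.append("mixed scripts in label " + repr(label))
    if domain.lower() != expected.lower() and skeleton(domain) == expected.lower():
        reasons.append("homoglyph spoof of " + expected)
    return {"domain": domain, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample sender domains; "ex\u0430mple.com" uses Cyrillic а (U+0430).
    for sender in ["example.com", "ex\u0430mple.com", "xn--placeholder.com"]:
        print(check_domain(sender, "example.com"))
```

A Punycode label is legitimate for many international domains, so it is a reason to look closer, not proof of spoofing.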
Antivirus and antimalware:
Top antivirus solutions in 2023: Bitdefender, McAfee, Malwarebytes, Norton
Run one of these programs to make sure you’re clean
Using out-of-office auto-replies: don’t give where you’re going, the dates you’re traveling, or any contact information
Replying to unsubscribe links: similar risks as out-of-office auto-replies
Using social media: giving too much information
Regularly monitor your accounts and sign up for alerts by email or text
Log in regularly to bank accounts to make sure your balances are accurate
Use your free annual credit report (annualcreditreport.com): one free report from each of the three credit bureaus
Freeze your credit (even though you then can’t get your annual free report)
Use multifactor authentication
Shred documents containing PII
Use fictitious answers to security questions to avoid giving away personal information (have to remember the answers you make up)
If you are hacked, report it to the Internet Crime Complaint Center at www.ic3.gov.