A cyber or cybersecurity threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. Cyber threats include computer viruses, data breaches, Denial of Service (DoS) attacks and other attack vectors.

Cyber threats also refer to the possibility of a successful cyber-attack that aims to gain unauthorized access, damage, disrupt, or steal an information technology asset, computer network, intellectual property or any other form of sensitive data. Cyber threats can come from within an organization by trusted users or from remote locations by unknown parties.

Where do cyber threats come from?

Cyber threats come from numerous threat actors including:

Hostile nation-states: National cyber warfare programs provide emerging cyber threats ranging from propaganda, website defacement, espionage, disruption of key infrastructure to loss of life. Government-sponsored programs are increasingly sophisticated and pose advanced threats when compared to other threat actors. Their developing capabilities could cause widespread, long-term damages to the national security of many countries including the United States. Hostile nation-states pose the highest risk due to their ability to effectively employ technology and tools against the most difficult targets like classified networks and critical infrastructure like electricity grids and gas control valves.

Terrorist groups: Terrorist groups are increasingly using cyber-attacks to damage national interests. They are less developed in cyber-attacks and have a lower propensity to pursue cyber means than nation-states. It is likely that terrorist groups will present substantial cyber threats as more technically competent generations join their ranks.

Corporate spies and organized crime organizations: Corporate spies and organized crime organizations pose a risk due to their ability to conduct industrial espionage to steal trade secrets or large-scale monetary theft. Generally, these parties are interested in profit-based activities, either making a profit or disrupting a business's ability to make a profit by attacking key infrastructure of competitors, blackmail material.

Hacktivists: Hacktivist activities range across political ideals and issues. Most hacktivist groups are concerned with spreading propaganda rather than damaging infrastructure or disrupting services. Their goal is to support their political agenda rather than cause maximum damage to an organization.

Disgruntled insiders: Disgruntled insiders are a common source of cybercrime. Insiders often don't need a high degree of computer knowledge to expose sensitive data because they may be authorized to access the data. Insider threats also include third-party vendors and employees who may accidentally introduce malware into systems or may log into a secure S3 bucket, download its contents and share it online resulting in a data breach. Check your S3 permissions or someone else will.

Hackers: Malicious intruders could take advantage of a zero-day exploit to gain unauthorized access to data. Hackers may break into information systems for a challenge or bragging rights. In the past, this required a high level of skill. Today, automated attack scripts and protocols can be downloaded from the Internet, making sophisticated attacks simple.

Natural disasters: Natural disasters represent a cyber threat because they can disrupt your key infrastructure just like a cyber attack could.

Accidental actions of authorized users: An authorized user may forget to correctly configure S3 security, causing a potential data leak. Some of the biggest data breaches have been caused by poor configuration rather than hackers or disgruntled insiders.

What are examples of cyber threats?

Common cyber threats include:

Malware: Malware is software that does malicious tasks on a device or network such as corrupting data or taking control of a system.

Spyware: Spyware is a form of malware that hides on a device providing real-time information sharing to its host, enabling them to steal data like bank details and passwords.

Phishing attacks: Phishing is when a cybercriminal attempts to lure individuals into providing sensitive data such as personally identifiable information (PII), banking and credit card details and passwords.

Distributed denial of service (DDoS) attacks: Distributed denial of service attacks aim to disrupt a computer network by flooding the network with superfluous requests to overload the system and prevent legitimate requests being fulfilled.

Ransomware: Ransomware is a type of malware that denies access to a computer system or data until a ransom is paid.

Zero-day exploits: A zero-day exploit is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching the flaw.

Advanced persistent threats: An advanced persistent threat is when an unauthorized user gains access to a system or network and remains there without being detected for an extended period of time.

Trojans: A trojan creates a backdoor in your system, allowing the attacker to gain control of your computer or access confidential information.

Wiper attacks: A wiper attack creates a backdoor in your system, allowing the attacker to gain control of your computer or access confidential information.

Intellectual property theft: Intellectual property theft is stealing or using someone else's intellectual property without permission.

Theft of money: Cyber-attacks may gain access to credit card numbers or bank accounts to steal money.

Data manipulation: Data manipulation is a form of cyber-attack that doesn't steal data but aims to change the data to make it harder for an organization to operate.

Data destruction: Data destruction is when a cyber attacker attempts to delete data.

Man-in-the-middle attack (MITM attack): A MITM attack is when an attacker relays and possibly alters the communication between two parties who believe they are communicating with each other.

Drive-by downloads: A drive-by download attack is a download that happens without a person's knowledge, often installing a computer virus, spyware or malware.

Malvertising: Malvertising is the use of online advertising to spread malware.

Rogue software: Rogue software is malware that is disguised as real software.

Unpatched software: Unpatched software is software that has a known security weakness that has been fixed in a later release but not yet updated.

Data centre disrupted by natural disaster: The data centre your software is housed on could be disrupted by a natural disaster like flooding.

Why is it necessary to protect against cyber threats?

Cybersecurity risks pervade every organization and aren't always under direct control of your IT security team. Increasing global connectivity, usage of cloud services, and outsourcing means a much larger attack vector than in the past. Third-party risk and fourth-party risk are on the rise, making third-party risk management, vendor risk management and cyber security risk management all the more important for reducing the risk of third-party data breaches.

Pair this with business leaders making technology-related risk decisions every day, in every department, without even knowing it. Imagine your CMO trials a new email marketing tool that has poor security practices; this could be a huge security risk that could expose your customers' personally identifiable information (PII), causing identity theft. Whether you work in the public or private sector, information security cannot be left to your Chief Information Security Officer (CISO); it must be an organization-wide initiative.

Importance of Security Planning

What is an Information Security Plan?

An information security plan is documentation of a firm's plan and systems put in place to protect personal information and sensitive company data.
This plan can mitigate threats against your organization, as well as help your firm protect the integrity, confidentiality, and availability of your data.

Why Do Firms Need an Information Security Plan?

In today's changing regulatory and investor landscape, information security plans are critical for firms to comply with SEC regulations, due diligence requests from investors and state laws. Additionally, cybersecurity threats are increasingly becoming more common and more sophisticated. Aside from protecting the integrity of your data and keeping it confidential, there are other legal requirements: any firm registered with the SEC must have a plan in place, and there may be other state or industry specific regulations that require your firm to have a formal plan.

Steps to Create an Information Security Plan:

Step 1: Perform a Regulatory Review and Landscape

Your firm must first perform a regulatory review, as all businesses have requirements coming from oversight bodies. There are also self-imposed industry standards and expectations that come from external stakeholders.

Step 2: Specify Governance, Oversight & Responsibility

Create a CIRT (Computer Information Response Team) or CISRT (Computer Information Security Response Team). This group will be responsible for ensuring the firm follows the policy and procedures around the information security plan. Though these specialized teams have responsibility to oversee policy, all members of the firm have a role in information security.

Step 3: Take Inventory of Assets

In simplest of terms: know what you have. Create an inventory of both hardware and software and identify existing safeguards and controls you have in place. This step is crucial, as you can't properly assess your firm's level of risk or adequately protect data and information unless you understand what systems you have and what data they hold.

Security Planning Tools

As security breaches continue to affect companies big and small, taking preventative measures has become a top priority for businesses around the world.

While there’s no surefire way to prevent a cybersecurity attack, there are a variety of methods and software tools that can be implemented to improve security and lessen the chances of being targeted. This lecture will cover nine security tools every security analyst and professional should know about.

Security Planning Tools

1. Vulnerability Management Software

These software tools allow you to identify network threats such as hackers, viruses, or malware, so you can immediately begin work to prevent or combat them. Vulnerability management tools enable you to constantly test your network’s security. Since vulnerability management tools are primarily focused on the identification and management of threats, they can take a few different paths if one is detected. Upon recognizing a vulnerability, the software can either alert administrators, remedy the issue itself, or install a patch to alter security policies.

Example:

SpyBot

SpyBot is a vulnerability management software tool by Safer-Networking Ltd. It combines antivirus and its unique technique to protect your organization from spyware, keyloggers, trojans, adware, and more. Since finding a solution to fit your company’s unique needs is a must, it’s important to find tools with flexible plans. SpyBot makes this easy, with multiple plans for both private users and business users, all coming with various features and costs.

Qualys

Qualys was awarded the 2017 Global Vulnerability Management Market Leadership Award by Frost & Sullivan. It offers a variety of tools in various categories, including asset management, IT security, cloud security, compliance, and more. Qualys VM (the company’s vulnerability management tool) scans and identifies vulnerabilities with 99.9 percent accuracy, according to its website.

Atera

Atera is a vulnerability management software tool that provides real-time status updates on system resources, logged-in users, network and IP
monitoring, SNMP monitoring, Windows updates, and more. The tool’s customizable options let users decide which alerts they receive via email notification. It also includes IT automation, patch management, asset and inventory tracking, reporting and analytics, and more.

2. Password Managers

These software tools generate, retrieve, and manage entirely random passwords for all of your accounts, plus keep track of other critical information, like bank account numbers, PIN codes, answers to security questions, and more. You just need to remember one password–the one that gets you into this lockbox of secure information.

Example:

1Password

1Password’s name is certainly fitting. With this password manager, you only need to remember–you guessed it–one password. The software tool offers two plans (a pro plan and a standard plan) that enable businesses to securely share passwords and other important items. It offers features like zero knowledge, meaning information is fully encrypted before it’s sent to 1Password, and a secret key, an effort that combines a randomly generated key with the master password to ensure each user has an unbreakable master password.

Keeper

Keeper is a password manager that auto-generates strong and secure passwords, protects sensitive files, and enables you to securely share records and critical information with team members. This tool can be great for businesses, as managers are able to enforce password policies and monitor password compliance. Keeper also offers the ability to quickly and securely autofill login credentials to save time.

LastPass

LastPass aims to help businesses save time, achieve stronger security, and uncover process efficiencies. It’s a brand of LogMeIn and helps companies enforce a meaningful password policy with an enterprise-ready solution, although it’s suitable for businesses of all sizes. The enterprise version offers advanced security features, automated provisioning options, and additional integrations so that customers can personalize their experience.

4. Antivirus Software

Antivirus software helps businesses prevent or detect malicious software within an endpoint device. These tools host a variety of detection features that enable security teams to identify potential malware and viruses that may attempt to breach your devices.

Signature-based antivirus software scans files (from any source) to make sure that there aren’t any hidden threats. And if it finds something shady or scary, it can often remove or quarantine the affected file. While antivirus software certainly isn’t bulletproof — especially when it comes to zero-day threats (i.e. vulnerabilities that hackers have found before software vendors have a chance to patch them and/or users have a chance to install updates) — it’s still a critical piece of the cyber security puzzle. There are many options to choose from that range in price from free to hundreds of dollars a year.

Example:

Malwarebytes

Malwarebytes is an endpoint protection software tool that helps your team actively protect against all forms of malware. Malwarebytes offers a variety of different security solutions, but this particular tool brings all of their technologies together into one multi-layer defense solution. Malwarebytes can scan for and remediate malware, which reduces dwell time and the need for endpoint re-imaging.

Webroot Endpoint Protection

Webroot Endpoint Protection is an endpoint protection and antivirus software that helps to protect against sophisticated online threats without sacrificing your system performance. The tool offers a multi-layered protection that helps to prevent threats across a variety of mediums, including email, web browsing, files, URLs, ads, apps, and more.

ESET Endpoint Security

ESET Endpoint Security is an antivirus software tool that leverages a multilayered approach to constantly balance performance, detection, and false positives. It’s supported on multiple operating systems, including Windows, MacOS, Linux, and Android. Based on G2 Crowd reviews, the tool hosts features like asset management, device control, application control, and more.

It is guaranteed under the constitution in many developed countries, which makes it a fundamental human right and one of the core principles of human dignity, the idea most people will agree about.

Any risk assessment conducted for the purpose of enhancing the privacy of individuals’ personal data is performed from the perspective of protecting the rights and freedoms of those individuals.

What is Data Security
Amazon Affiliates
ClickBank
Google Play Store
Google Analytics
Google AdSense
Google AdWords
Facebook Apps
Twitter Lead Generation
Apple's App Store

Third party vendors like Google, Facebook, and Amazon require their users (website and app owners) to explicitly inform their users if they're using advertising features, cookies, or tracking services on their websites/apps in order to deliver better user experiences based on prior browsing behavior.

Here's how Ookla - a fixed broadband and mobile network testing company - informs its users in its Privacy Policy agreement that it uses cookies, log files, flash cookies, local storage, etc., in its website-based and mobile applications in order to (1) improve performance, (2) to better understand how Ookla's software functions, and (3) to give the user a personalized experience.

To make your Privacy Policy transparent and accurate, conduct a privacy law self-audit. This will allow you to find out what your business' privacy practices are and what information you need to disclose to your users in a Privacy Policy.

information, as well as how long their data will be stored on your servers.

Even if you don't collect personal information, you should disclose this fact in a Privacy Policy. It helps with transparency because users expect to see a Privacy Policy. If you don't have one at all, users may assume you're collecting a lot of personal information and not disclosing it rather than not collecting any.

The DuckDuckGo search engine does not track user searches or store online browsing history in any way. Its Privacy Policy agreement states that it does not collect or share any user information.

Example of a Website Privacy Policy
Human error: 11%: 26%
Software corruption: 7%: 9%
Computer viruses: 2%: 4%
Natural disasters: 1%: 2%

Source: Kroll OnTrack Data Recovery Services

What is Data Loss Prevention (DLP)?

Data loss prevention (DLP) is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. DLP software classifies regulated, confidential and business critical data and identifies violations of policies defined by organizations or within a predefined policy pack, typically driven by regulatory compliance such as HIPAA, PCI-DSS, or GDPR. Once those violations are identified, DLP enforces remediation with alerts, encryption, and other protective actions to prevent end users from accidentally or maliciously sharing data that could put the organization at risk. Data loss prevention software and tools monitor and control endpoint activities, filter data streams on corporate networks, and monitor data in the cloud to protect data at rest, in motion, and in use. DLP also provides reporting to meet compliance and auditing requirements and identify areas of weakness and anomalies for forensics and incident response.

Ways to Prevent Data Loss

1. Always back up your data

Prevention is the best protection. Create a structured backup strategy and consistently back up your files. Your backup plan should include the different levels of data you maintain in your company and the schedule for their backups. Some data is so critical that it may require you to back it up every week. Also, be sure you periodically test your backups to make sure that your data is being backed up properly.

2. Diversify your backups

You always want more than one backup system. The general rule is 3-2-1. You should have 3 backups of anything that’s very important. They should be backed up in at least two different formats, such as in the cloud and on a hard drive.

Data is not always encrypted even when it’s on a backup tape. Invest in a backup system or service that automatically encrypts all backups to ensure that no matter who gets their hands on your data, they cannot access

4. Address data security

Mobile devices are powerful business tools but they can leave your data vulnerable. Ensure your devices can be wiped if they are lost with a remote device management system and use hardware or mobile device systems that encrypt data.

5. Use anti-virus and email security

Email threats such as hacking, phishing or ransomware can be some of the biggest threats to data. Use a thorough anti-virus and security system to prevent malicious emails from getting through to your company. Also be certain to offer continuing education to your team about the importance of email security.

6. Trust the professionals

Data is too valuable to be left alone. If you do lose it, do not try to recover it by using any type of diagnostic tools. You don’t want to cause further damage by trying to fix the situation on your own. Instead, work with a trusted backup and data recovery expert to ensure your data is safe.

Data Theft

Data theft is the act of stealing information stored on computers, servers, or other devices from an unknowing victim with the intent to compromise privacy or obtain confidential information. Data theft is a growing problem for individual computer users as well as large corporations and organizations. Data theft occurs both outside and inside companies, and reducing the risk of insider data theft at the corporate level is anything but easy. This is especially true because system administrators and employees have access to technology such as database servers, desktop computers, and external devices including USBs, smart phones, and other removable and mobile devices.

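The Data Loss Prevention section above describes DLP as classifying regulated data, identifying policy violations and then enforcing an action. The following Python code is an added example, not part of the original handout or of any DLP product: it inspects one outbound message for payment card numbers and US Social Security numbers and applies a per-category action. The function names, the policy format ("block", "redact", "alert") and the sample message are assumptions constructed for the illustration.

```python
import re

# Candidate patterns (assumed for this example, not taken from any product).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN written with hyphens

# Constructed sample: an order reference that only looks like a card number,
# a well-known test card number, and a made-up SSN.
SAMPLE_OUTBOUND = (
    "Order ref 1234 5678 9012 3456 is confirmed.\n"
    "Customer card 4111 1111 1111 1111, SSN 123-45-6789.\n"
)


def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return (kind, start, end) spans of regulated data, ordered by position."""
    spans = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            spans.append(("payment_card", m.start(), m.end()))
    for m in SSN_RE.finditer(text):
        spans.append(("us_ssn", m.start(), m.end()))
    return sorted(spans, key=lambda s: s[1])


def redact(text, spans):
    """Replace each span with a label that keeps only the last four digits."""
    for kind, start, end in sorted(spans, key=lambda s: s[1], reverse=True):
        last4 = re.sub(r"\D", "", text[start:end])[-4:]
        text = text[:start] + f"[{kind} ending {last4}]" + text[end:]
    return text


def enforce(text, policy):
    """Apply the strictest action the policy assigns to any finding.

    policy maps a kind to "block", "redact" or "alert"; kinds without an
    entry default to "alert". Returns (action, text_to_release_or_None).
    """
    spans = classify(text)
    if not spans:
        return "allow", text
    actions = {policy.get(kind, "alert") for kind, _, _ in spans}
    if "block" in actions:
        return "block", None
    if "redact" in actions:
        to_hide = [s for s in spans if policy.get(s[0]) == "redact"]
        return "redact", redact(text, to_hide)
    return "alert", text


if __name__ == "__main__":
    print(classify(SAMPLE_OUTBOUND))
    print(enforce(SAMPLE_OUTBOUND, {"payment_card": "redact", "us_ssn": "redact"}))
```

The checksum step is what keeps the 16-digit order reference from being reported as a card number; pattern matching alone would flag it.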
Ways to Prevent Data Theft

1. Get rid of paper.

If you have to keep paper files, shred them as soon as they are no longer needed. According to John Rowan of Advantage Business Equipment, there are nine things businesses should shred:

Any mail with a name and address
Luggage tags
Trip itineraries
Extra boarding passes
Credit offers
Price lists
Vendor payment stubs and paid invoices
Cancelled checks
Receipts

2. Assess which data you need to protect most.

“Have an audit or assessment on your data,” says Greg Kelley, EnCE, DFCP, of Vestige Digital Investigations. “Every company is different. They have different regulations, different types of data, different needs for that data and a different company culture. Hire an outside expert to assess what data you have, how you are protecting it (not how you think you are protecting it) and where that data is going. While you may think it is an unnecessary cost, if you report to clients and potential clients that you have had an outside data assessment, you may find it puts you at an advantage over your competitors.”

3. Restrict access to your sensitive data.

“Not everyone in the company needs access to everything. Does the project manager need pricing information? Does the sales person need operations information? By restricting what data each person has access to, you limit your exposure when an employee decides what they want to steal or when the employee’s account is compromised by an outsider,” says Kelley.

4. Enforce data privacy controls inside and out.

Hold third parties and contractors your company engages to the same strict data privacy controls you implement in your own organization. Audit them periodically to ensure compliance with your security standards.

5. Use strong passwords to protect computers and devices.

Make it difficult for outsiders to access your company’s and employees’ devices and computers if they are lost or stolen by protecting them with strong passwords and by enabling remote wipe on all devices.

6. Install or enable a firewall.

Even small companies with few employees have valuable data that needs to be protected. Ensure you have a firewall in place to keep outsiders from accessing your company network.

7. Secure your wireless network.

Use a strong password and use encryption and security to hide your wireless network from outsiders. Don’t let neighbors or passers-by hop onto your network, or even see that it exists. You’re just inviting trouble.

8. Use encryption to prevent data theft.

Ensure all sensitive information that is being transferred or emailed is encrypted. Encryption should also be installed on all company laptops, mobile devices and removable media.

9. Use a proxy.

“That free internet at the airport or the cafe is actually shared with dozens or hundreds of other users who might be sniffing your traffic,” says Roberto Arias Alegria, IT Security Consultant at Metaluxo IT Security. “Since encrypted connections (SSL) are far from universal, an easy to use proxy service can save you from prying eyes (e.g. Zenmate, or TunnelBear).”

10. Activate two-factor authentication.

“No matter how secure is your password, there’s more than one way to get it. Consider using 2FA whenever you can, Google, Yahoo, Twitter and many popular services already have support for 2FA,” says Arias.

11. Restrict movement of information.

“Do not permit the transfer of personal information (names, Social Security numbers, Medicare numbers, employee or medical data etc.) to a portable medium, like a laptop or mobile device. This data should be processed in-house, not on an airplane or a commuter train or at home,” says Robert Ellis Smith, Publisher, Privacy Journal.

12. Take extra steps to protect your most sensitive data.

“Truncate Social Security numbers, or remove them from the database and store them elsewhere apart from the original data file, with a means to link the two later if necessary. Regularly remove sensitive personal data from online databases or “the cloud” and process it off-line,” says Smith.

13. Use anti-virus software and anti-spyware.

18. Implement social media policies.

Social engineering attacks come in many different forms and can be performed anywhere where human interaction is involved. The following are the five most common forms of digital social engineering assaults.

This more targeted phishing email attack relies on data that a cybercriminal has previously collected about the victim or the victim’s employer. Typically spear phishing emails use urgent and familiar language to encourage the victim to act immediately.

Link Manipulation

Relying on carefully worded phishing emails, this type of attack includes a link to a popular website. This link takes victims to a spoofed version of the popular website, designed to look like the real one, and asks them to confirm or update their account credentials.

Fake Websites

Cybercriminals send phishing emails that include links to fake websites, such as the mobile account login page for a known mail provider, asking the victim to enter their credentials or other information into the fake site’s interface. The nefarious website will often leverage a subtle change to a known URL to trick users, such as mail.update.yahoo.com instead of mail.yahoo.com.

Here an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator pretending to need sensitive information from a victim so as to perform a critical task.

“Evil Twin” Wi-Fi

This occurs when free Wi-Fi access points are spoofed. Victims unknowingly log into the wrong Wi-Fi hotspot. Wi-Fi access points that are commonly spoofed include those available in coffee shops, airports, hospitals, shopping malls, public parks, and other public gathering locations.

Mobile Phishing (Smishing)

A fraudulent SMS, social media message, voice mail, or other in-app message asks the recipient to update their account details, change their password, or tells them their account has been violated. The message includes a link that is used to steal the victim’s personal information or installs malware on the mobile device.

Voice Phishing (Vishing)

This occurs when a caller leaves a strongly worded voicemail that urges the recipient to respond immediately and to call another phone number. These voicemails are urgent and convince the victim, for example, that their bank account will be suspended if they don’t respond.
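
The Link Manipulation and Fake Websites descriptions above both come down to a link whose real host is not the one the reader expects. The following Python code is an added example, not part of the original handout: a mail-filter style check that lists every link in an HTML message whose visible text names a different host than its href, or whose host reuses the name parts of a known login host without being that host. The allowlist, function names and sample message are assumptions constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the exact hosts this organisation's users legitimately sign in to.
KNOWN_LOGIN_HOSTS = {"mail.yahoo.com"}

# Finds a host name written out in link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample message body (not a real email).
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full. Confirm your account:</p>
<a href="http://mail.update.yahoo.com/login">https://mail.yahoo.com/login</a>
<a href="https://mail.yahoo.com/settings">Mailbox settings</a>
<a href="https://www.example.org/newsletter">Our newsletter</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def href_host(href):
    """Lower-cased host of a URL, or '' for mailto:, relative or malformed links."""
    try:
        return (urlsplit(href).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""


def lookalike_of(host, known_hosts=KNOWN_LOGIN_HOSTS):
    """Return the known host whose name parts `host` reuses, or None."""
    if host in known_hosts:
        return None
    tokens = set(re.split(r"[.-]", host))
    for known in sorted(known_hosts):
        brand = set(known.split(".")[:-1])   # e.g. {"mail", "yahoo"}
        if brand and brand <= tokens:
            return known
    return None


def review_links(html_body, known_hosts=KNOWN_LOGIN_HOSTS):
    """Return [(host, [reasons])] for links a reviewer should look at."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        host = href_host(href)
        if not host:
            continue
        reasons = []
        shown = HOST_IN_TEXT.search(text)
        if shown and shown.group(1).lower() != host:
            reasons.append("text shows " + shown.group(1).lower())
        imitated = lookalike_of(host, known_hosts)
        if imitated:
            reasons.append("imitates " + imitated)
        if reasons:
            findings.append((host, reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in review_links(SAMPLE_EMAIL_HTML):
        print(host, "->", "; ".join(reasons))
```

The name-part comparison is a heuristic that does not catch misspelled brand names, so the exact-match allowlist remains the authoritative check.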

Man-In-The-Middle

This sophisticated phishing email attack tricks two people into believing that they’re emailing each other. However, the phisher is sending fake emails to each person asking them to share information or to update confidential corporate information.

Malvertising

This phishing technique uses online advertisements or pop-ups to compel people to click a valid-looking link that then installs malware on their computer.

Real-World Examples of Phishing Email Attacks

One common thread that runs through all types of phishing emails, including the examples below, is the use of social engineering tactics. Like most phishing attacks, social engineering preys on the natural human tendency to trust people and companies.

This leads to many users failing to carefully review phishing email details and automatically trusting the sender’s request. Email phishing victims believe they’re helping their organizations by transferring funds, updating login details, or providing access to proprietary data.

Make sure your colleagues are aware of these common examples of phishing emails:

Account Deactivation

victim to fake PayPal website and the stolen credit card information is used to commit further crimes.

Compromised Credit Card

The cybercriminal knows the victim made a recent purchase at Apple for example, and sends an email disguised to look like it is from Apple customer support. The email tells the victim that their credit card information might have been compromised and to confirm their credit card details to protect their account.

Transfer Funds

An urgent email arrives from the company CEO who is currently traveling. The email asks the recipient to help out the CEO by transferring funds to a foreign partner. This phishing email tells the victim that the fund request is urgent and necessary to secure the new partnership. The victim doesn’t hesitate to transfer the funds, believing she is helping both the company and the CEO.

Social Media Request

A Facebook friend request arrives from someone who has the same Facebook friends as you. You don’t immediately recognize the person but assume the request is legitimate because of the common friends. This new friend then sends you a Facebook message with a link to a video which when clicked installs malware on your computer and potentially the company network.

Fake Google Docs Login

Company Tech Support Request

Employees receive an email from corporate IT asking them to install new instant messaging software. The email looks real; however, a spoofed email address is used: support@acme.com instead of internalsupport@acme.com. When employees install the software, ransomware is installed on the company network.

Each of these phishing attack examples highlights how easy it is to be tricked by an email. The more familiar people are with how phishing happens, the easier it is to foster a cyber security aware culture.

How To Protect Against Phishing Emails

To protect against phishing emails, you need to raise awareness of how phishing happens. When people experience first-hand how easy it is to be tricked by what looks like a valid email, they are more likely to carefully review email details before automatically clicking Reply, an embedded link, or downloading an attachment.

To protect against phishing emails, remember these five keys to building a cyber secure aware culture:

1. Educate: use security awareness training and phishing microlearnings to educate, train, and change behavior.
2. Monitor: use phishing simulation tools to monitor employee knowledge and to identify who is at risk for a cyber attack.
3. Communicate: provide ongoing communications and campaigns about

Malware Protection

Malware is the collective name for a number of malicious software variants, including viruses, ransomware and spyware. Shorthand for malicious software, malware typically consists of code developed by cyberattackers, designed to cause extensive damage to data and systems or to gain unauthorized access to a network. Malware is typically delivered in the form of a link or file over email and requires the user to click on the link or open the file to execute the malware.

Malware has actually been a threat to individuals and organizations since the early 1970s when the Creeper virus first appeared. Since then, the world has been under attack from hundreds of thousands of different malware variants, all with the intent of causing as much disruption and damage as possible.

What Can Malware Do?

Malware delivers its payload in a number of different ways. From demanding a ransom to stealing sensitive personal data, cybercriminals are becoming more and more sophisticated in their methods.

Types of Malware:

Virus

Possibly the most common type of malware, viruses attach their malicious code to clean code and wait for an unsuspecting user or an automated process to execute them. Like a biological virus, they can spread quickly and widely, causing damage to the core functionality of systems, corrupting files and locking users out of their computers. They are usually contained within an executable file.

Worms

Worms get their name from the way they infect systems. Starting from one infected machine, they weave their way through the network, connecting to consecutive machines in order to continue the spread of infection. This type of malware can infect entire networks of devices very quickly.


Spyware

Spyware, as its name suggests, is designed to spy
on what a user is doing. Hiding in the background
on a computer, this type of malware will collect
information without the user knowing, such as
credit card details, passwords and other sensitive
information.

Trojans

Just like Greek soldiers hid in a giant horse to
deliver their attack, this type of malware hides
within or disguises itself as legitimate software.
Acting discreetly, it will breach security by creating
backdoors that give other malware variants easy
access.

Ransomware

Also known as scareware, ransomware comes with
a heavy price. Able to lock down networks and lock
out users until a ransom is paid, ransomware has
targeted some of the biggest organizations in the
world today, with expensive results.

How Does Malware Spread?

Each type of malware has its own unique way of
causing havoc, and most rely on user action of
some kind. Some strains are delivered over email
via a link or executable file. Others are delivered via
instant messaging or social media. Even mobile
phones are vulnerable to attack. It is essential that
organizations are aware of all vulnerabilities so they
can lay down an effective line of defense.

How to protect against malware

When it comes to malware, prevention is better
than a cure. Fortunately, there are some
common-sense, easy behaviors that minimize your
chances of running into any nasty software.

Don’t trust strangers online! “Social
engineering”, which can include strange
emails, abrupt alerts, fake profiles, and
curiosity-tickling offers, is the #1
method of delivering malware. If you
don’t know exactly what it is, don’t click
on it.

Double-check your downloads! From
pirating sites to official storefronts,
malware is often lurking just around the
corner. So before downloading, always
double-check that the provider is
trustworthy by carefully reading reviews
and comments.

Get an ad-blocker! Malvertising –
where hackers use infected banners or
pop-up ads to infect your device – is on
the rise. You can’t know which ads are
bad, so it’s safer to just block them all
with a reliable ad-blocker.

Careful where you browse! Malware
can be found anywhere, but it’s most
common on websites with poor backend
security, like small, local websites. If you
stick to large, reputable sites, you
severely reduce your risk of
encountering malware.

Identity Theft Prevention

What is Identity (ID) Theft?

Identity theft occurs when an unauthorized party
uses your personally identifying information, such
as your name, address, Social Security
Number (SSN), or credit card or bank
account information, to assume your identity
in order to commit fraud or other criminal acts.

How does identity theft occur?

Identity thieves can
steal your personal information directly or indirectly
by:
• Stealing your wallets and purses containing
identification cards, credit cards and
bank information.
• Stealing your mail including credit and bank
statements, phone or utility bills, new checks,
and tax information.
• Completing a “change of address form” to redirect
the destination of your mail.
• Rummaging through your trash for discarded
personal data in a practice known as
“dumpster diving.”
• Taking personal information that you share or post
on the Internet.

What can ID thieves do with your information?

• Call your creditors and change your mailing
address on your credit card account.
• Open new lines of credit using your personal
identification information.
• Establish phone services using your name which
are charged to you.
• Open bank accounts in your name and write bad
checks.
• Forge checks to wipe out your bank account.
• Apply for auto loans taken out in your name.
• Commit other crimes and then give your name,
instead of their own, to the police during
their arrest.

What can you do to prevent ID theft?

Identity theft is on the rise. While there are no
guarantees that your identity will not be stolen, there
are steps you can take to minimize your risk.
• Use passwords on all your credit card, bank, and
phone accounts.
• Never keep passwords, “PINs” or your SSN card
in your wallet or purse.
• Learn about security procedures in your
workplace.
• Never give out personal information on the
phone, through mail, or over the internet unless you
know the receiver and have initiated the contact.
• Guard your mail and trash from theft.
• Shred or destroy discarded financial statements in
your trash.
• Give your SSN only when absolutely necessary.
• Keep your purse or wallet in a safe place at work.

How can you protect your personal computer from
ID theft?

SSNs, financial records, tax information, birth
dates, and account numbers may be stored on your
personal computer. Follow these tips to help keep
your personal information safe.
• Update your virus protection software regularly,
especially when a new virus alert is brought to your
attention.
• Do not download files from strangers or click
hyperlinks from people you don’t know. This could
expose your system to a virus.