Security Threats
blackmail material.
A cyber or cybersecurity threat is a malicious act
that seeks to damage data, steal data, or disrupt
digital life in general. Cyber threats include
computer viruses, data breaches, Denial of Service
(DoS) attacks and other attack vectors.
Cyber threats also refer to the possibility of a
successful cyber-attack that aims to gain
unauthorized access, damage, disrupt, or steal an
information technology asset, computer network,
intellectual property or any other form of sensitive
data. Cyber threats can come from within an
organization by trusted users or from remote
locations by unknown parties.  include third-party vendors and employees who
Where do cyber threats come from?
Cyber threats come from numerous threat actors
including:
Hostile nation-states: National cyber warfare
programs provide emerging cyber threats ranging
from propaganda, website defacement, espionage,
disruption of key infrastructure to loss of life.
Government-sponsored programs are increasingly
sophisticated and pose advanced threats when
compared to other threat actors. Their developing
capabilities could cause widespread, long-term
damages to the national security of many countries
including the United States. Hostile nation-states
pose the highest risk due to their ability to
effectively employ technology and tools against the
most difficult targets like classified networks and
critical infrastructure like electricity grids and gas
control valves.
Terrorist groups: Terrorist groups are increasingly
using cyber-attacks to damage national interests.
They are less developed in cyber-attacks and have
a lower propensity to pursue cyber means than
nation-states. It is likely that terrorist groups will
present substantial cyber threats as more
technically competent generations join their ranks. 
Corporate spies and organized crime
organizations: Corporate spies and organized
crime organizations pose a risk due to their ability
to conduct industrial espionage (Links to an
external site.) to steal trade secrets or large-scale
monetary theft. Generally, these parties are
interested in profit based activities, either making a
profit or disrupting a business's ability to make a
profit by attacking key infrastructure of competitors,
stealing trade secrets, or gaining access and
Hacktivists: Hacktivists activities range across
political ideals and issues. Most hacktivist groups
are concerned with spreading propaganda rather
than damaging infrastructure or disrupting services.
Their goal is to support their political agenda rather
than cause maximum damage to an organization.
Disgruntled insiders: Disgruntled insiders are a
common source of cybercrime. Insiders often don't
need a high degree of computer knowledge to
expose sensitive data because they may be
authorized to access the data. Insider threats also
may accidentally introduce malware into systems or
may log into a secure S3 bucket, download its
contents and share it online resulting in a data
breach. Check your S3 permissions or someone
else will.
Hackers: Malicious intruders could take advantage
of a zero-day exploit to gain unauthorized access to
data. Hackers may break into information systems
for a challenge or bragging rights. In the past, this
required a high level of skill. Today, automated
attack scripts and protocols can be downloaded
from the Internet, making sophisticated attacks
simple.
Natural disasters: Natural disasters represent a
cyber threat because they can disrupt your key
infrastructure just like a cyber attack could.
Accidental actions of authorized users: An
authorized user may forget to correctly
configure S3 security, causing a potential data leak.
Some of the biggest data breaches have been
caused by poor configuration rather than hackers or
disgruntled insiders.
What are examples of cyber threats?
Common cyber threats include:
Malware: Malware is software that does malicious
tasks on a device or network such as corrupting
data or taking control of a system.
Spyware: Spyware is a form of malware that hides
on a device providing real-time information sharing
to its host, enabling them to steal data like bank
details and passwords.
Phishing attacks: Phishing is when a Drive-by downloads: A drive-by download attack
cybercriminal attempts to lure individuals into
providing sensitive data such as personally
identifiable information (PII), banking and credit
card details and passwords.
Distributed denial of service (DDoS)
attacks: Distributed denial of service attacks aim to
disrupt a computer network by flooding the network
with superfluous requests to overload the system
and prevent legitimate requests being fulfilled.
Ransomware: Ransomware is a type of malware
that denies access to a computer system or data
until a ransom is paid.
Zero-day exploits: A zero-day exploit is a flaw in
software, hardware or firmware that is unknown to
the party or parties responsible for patching the
flaw. 
Advanced persistent threats: An advanced
persistent threat is when an unauthorized user
gains access to a system or network and remains
there without being detected for an extended period
of time.
Trojans: A trojan creates a backdoor in your
system, allowing the attacker to gain control of your
computer or access confidential information.
Wiper attacks: A wiper attack creates a backdoor
in your system, allowing the attacker to gain control
of your computer or access confidential information.
Intellectual property theft: Intellectual property
theft is stealing or using someone else's intellectual
property without permission.
Theft of money: Cyber-attacks may gain access to
credit card numbers or bank accounts to steal
money.
Data manipulation: Data manipulation is a form of
cyber-attack that doesn't steal data but aims to
change the data to make it harder for an
organization to operate.
Data destruction: Data destruction is when a
cyber attacker attempts to delete data.
Man-in-the-middle attack (MITM attack): A MITM
attack is when an attack relays and possibly alters
the communication between two parties who
believe they are communicating with each other.
is a download that happens without a person's
knowledge often installing a computer virus,
spyware or malware.
Malvertising: Malvertising is the use of online
advertising to spread malware.
Rogue software: Rogue software is malware that
is disguised as real software.
Unpatched software: Unpatched software is
software that has a known security weakness that
has been fixed in a later release but not yet
updated.
Data centre disrupted by natural disaster: The
data centre your software is housed on could be
disrupted by a natural disaster like flooding.
 
Why is it necessary to protect against cyber
threats?
Cybersecurity risks pervade every organization and
aren't always under direct control of your IT security
team. Increasing global connectivity, usage of cloud
services, and outsourcing means a much larger
attack vector than in the past. Third-party
risk and fourth-party risk is on the rise,
making third-party risk management, vendor risk
management and cyber security risk
management all the more important for reducing
the risk of third-party data breaches.
Pair this with business leaders making technology-
related risk decisions every day, in every
department, without even knowing it. Imagine your
CMO trials a new email marketing tool that has
poor security practices, this could be a huge
security risk that could expose your
customers' personally identifiable information
(PII) causing identity theft. Whether you work in the
public or private sector, information security cannot
be left to your Chief Information Security Officer
(CISO), it must be an organizational wide initiative.
Importance of Security Planning
What is an Information Security Plan?
An information security plan is documentation of a
firm's plan and systems put in place to protect
personal information and sensitive company data.
This plan can mitigate threats against your
organization, as well as help your firm protect the
integrity, confidentiality, and availability of your
data.
Why Do Firms Need an Information Security Plan?
In today's changing regulatory and investor
landscape, information security plans are critical for
firms to comply with SEC regulations, due diligence
requests from investors and state
laws. Additionally, cybersecurity threats are
increasingly becoming more common and more
sophisticated. Aside from protecting the integrity of
your data and keeping it confidential, there are
other legal requirements: any firm registered with
the SEC must have a plan in place, and there may
be other state or industry specific regulations that
require your firm to have a formal plan.
Steps to Create an Information Security Plan:
Step 1: Perform a Regulatory Review and
Landscape
Your firm must first perform a regulatory review, as
all businesses have requirement coming from
oversight bodies. There are also self-imposed
industry standards and expectations that come
from external stakeholders.
Step 2: Specify Governance, Oversight &
Responsibility
Create a CIRT (Computer Information Response
Team) or CISRT (Computer Information Security
Response Team). This group will be responsible for
ensuring the firm follows the policy and procedures
around the information security plan. Though these
specialized teams have responsibility to oversee
policy, all members of the firm have a role in
information security.
Step 3: Take Inventory of Assets
In simplest of terms: know what you have. Create
an inventory of both hardware and software and
identify existing safeguards and controls you have
in place. This step is crucial, as you can't properly
assess your firm's level of risk or adequately protect
data and information unless you understand what
systems you have and what data they hold.
Security Planning Tools
As security breaches continue to affect companies
big and small, taking preventative measures has
become a top priority for businesses around the
world.
While there’s no surefire way to prevent a
cybersecurity attack, there are a variety of methods
and software tools that can be implemented to
improve security and lessen the chances of being
targeted. This lecture will cover nine security tools
every security analyst and professional should
know about.
Security Planning Tools
1. Vulnerability Management Software
These software tools allow you to identify network
threats such as hackers, viruses, or malware, so
you can immediately begin work to prevent or
combat them. Vulnerability management tools
enable you to constantly test your network’s
security. Since vulnerability management tools are
primarily focused on the identification and
management of threats, they can take a few
different paths if one is detected. Upon recognizing
a vulnerability, the software can either alert
administrators, remedy the issue itself, or install a
patch to alter security policies.
Example:
SpyBot
SpyBot is a vulnerability management software tool
by Safer-Networking Ltd. It combines antivirus and
its unique technique to protect your organization
from spyware, keyloggers, trojans, adware, and
more. Since finding a solution to fit your company’s
unique needs is a must, it’s important to find tools
with flexible plans. SpyBot makes this easy, with
multiple plans for both private users and business
users, all coming with various features and costs.
Qualys
Qualys was awarded the 2017 Global Vulnerability
Management Market Leadership Award by Frost &
Sullivan. It offers a variety of tools in various
categories, including asset management, IT
security, cloud security, compliance, and more.
Qualys VM (the company’s vulnerability
management tool) scans and identifies
vulnerabilities with 99.9 percent accuracy,
according to its website.
Atera
Atera is a vulnerability management software tool
that provides real-time status updates on system
resources, logged-in users, network and IP
monitoring, SNMP monitoring, Windows updates,
and more. The tool’s customizable options let users
decide which alerts they receive via email
notification. It also includes IT automation, patch
management, asset and inventory tracking,
reporting and analytics, and more.
2. Password Managers
These software tools generate, retrieve, and
manage entirely random passwords for all of your
accounts, plus keep track of other critical
information, like bank account numbers, PIN codes,
answers to security questions, and more. You just
need to remember one password–the one that gets
you into this lockbox of secure information.
Example:
1Password
1Password’s name is certainly fitting. With this
password manager, you only need to remember–
you guessed it–one password. The software tool
offers two plans (a pro plan and a standard plan)
that enable businesses to securely share
passwords and other important items. It offers
features like zero knowledge, meaning information
is fully encrypted before it’s sent to 1Password, and
a secret key, an effort that combines a randomly
generated key with the master password to ensure
each user has an unbreakable master password.
Keeper
Keeper is a password manager that auto-generates
strong and secure passwords, protects sensitive
files, and enables you to securely share records
and critical information with team members. This
tool can be great for businesses, as managers are
able to enforce password policies and monitor
password compliance. Keeper also offers the ability
to quickly and securely autofill login credentials to
save time.
LastPass
LastPass aims to help businesses save time,
achieve stronger security, and uncover process
efficiencies. It’s a brand of LogMeIn and helps
companies enforce a meaningful password policy
with an enterprise-ready solution, although it’s
suitable for businesses of all sizes. The enterprise
version offers advanced security features,
automated provisioning options, and additional
integrations so that customers can personalize their
experience.
4. Antivirus Software
Antivirus software helps businesses prevent or
detect malicious software within an endpoint
device. These tools host a variety of detection
features that enable security teams to identify
potential malware and viruses that may attempt to
breach your devices.
Signature-based antivirus software scans files
(from any source) to make sure that there aren’t
any hidden threats. And if it finds something shady
or scary, it can often remove or quarantine the
affected file. While antivirus software certainly isn’t
bulletproof — especially when it comes to zero-day
threats (i.e. vulnerabilities that hackers have found
before software vendors have a chance to patch
them and/or users have a chance to install
updates) — it’s still a critical piece of the cyber
security puzzle. There are many options to choose
from that range in price from free to hundreds of
dollars a year.
Example:
Malwarebytes
Malwarebytes is an endpoint protection software
tool that helps your team actively protect against all
forms of malware. Malwarebytes offers a variety of
different security solutions, but this particular tool
brings all of their technologies together into one
multi-layer defense solution. Malwarebytes can
scan for and remediate malware, which reduces
dwell time and the need for endpoint re-imaging.  
Webroot Endpoint Protection
Webroot Endpoint Protection is an endpoint
protection and antivirus software that helps to
protect against sophisticated online
threats without sacrificing your system
performance. The tool offers a multi-layered
protection that helps to prevent threats across a
variety of mediums, including email, web browsing,
files, URLs, ads, apps, and more.
ESET Endpoint Security
ESET Endpoint Security is an antivirus software
tool that leverages a multilayered approach to
constantly balance performance, detection, and
false positives. It’s supported on multiple operating
systems, including Windows, MacOS, Linux, and
Android. Based on G2 Crowd reviews, the tool
hosts feature like asset management, device
control, application control, and more.
 What is Data Privacy
There are various privacy definitions online. Data
privacy or Information privacy is concerned
with proper handling, processing, storage and
usage of personal information. It is all about the
rights of individuals with respect to their personal
information.
The most common concerns regarding data
privacy are: managing contracts or policies,
applying governing regulation or law (like General
Data Protection Regulation or 
What is GDPR?
The GDPR or General Data Protection
Regulation is an EU regulation on data protection
and data privacy that applies to all data processing
done by organizations and institutions operating in
the EU, and outside of the EU if they are
processing personal information of the citizens or
residents of the European Union or European
Economic Area (EEA).
https://dataprivacymanager.net/glossary/gdpr-fines/
https://dataprivacymanager.net/solutions/third-
party-management/
Privacy, in general, is an individual’s right to
freedom from intrusion and prying eyes or the right
of the person to be left alone.
It is guaranteed under the constitution in many
developed countries, which makes it
a fundamental human right and one of the core
principles of human dignity, the idea most people
will agree about.
Any risk assessment conducted for the purpose of
enhancing the privacy of individuals’ personal data
is performed from the perspective of protecting
the rights and freedoms of those individuals.
What is Data Security
Data security is focused on protecting personal
data from any unauthorized third-party access or
malicious attacks and exploitation of data. It is set
up to protect personal data using different
methods and techniques to ensure data privacy.
Data security ensures the integrity of the data,
meaning data is accurate, reliable and available
to authorized parties.
Data Security methods practices and
processes can include:
 - activity monitoring
 - network security
 - access control
 - breach response
 - encryption
 - multi-factor authentication
Similarities and differences between Data security
and Data privacy
In short, data privacy and data security are, by no
means, the same terms. Data privacy is about
proper usage, collection, retention, deletion, and
storage of data. Data security is policies, methods,
and means to secure personal data.
Think for example of a window on a building;
without it being in place an intruder can sneak in
and violate both the privacy and security of the
occupants.
Once the window is mounted it will perform a pretty
decent job in keeping unwanted parties from
getting into the building. It will, however, not
prevent them from peeking in, interfering thus
with the occupants’ privacy. At least not without a
curtain.
In this (oversimplified) example the window is a
security control, while the curtain is privacy
control.
The former can exist without the latter, but not vice
versa. Data security is a prerequisite to data
privacy. And information security is the main
prerequisite to data privacy.
Cybersecurity
When it comes to cybersecurity (i.e. computer,
digital), we can agree that it refers to protective
measures that we put in place to protect our
digital assets from harmful events such as human
and technical errors, malicious individuals and
unauthorized users.
However, for the sake of completeness, we have
to admit that even in this day and age not all
information is digital.
We still deal with numerous paper documents,
which in turn hold very valuable information worth
protecting.
This is exactly where the term information
security comes in handy, denoting the practice of
preventing unauthorized access, use, disclosure,
modification or destruction of information in
whatever form.
The three pillars of information security:
Confidentiality – prevents sensitive information
from reaching wrong people, while making sure that
the right people can use it;
Integrity – maintains the consistency, accuracy,
and trustworthiness of information over its lifecycle;
and
Availability – ensures that the information is
available when it is needed.
Privacy Policy Development
Today's business world is largely dependent on
data and the information that is derived from that
data.
Data is critical for businesses that process that
information to provide services and products to
their customers. From a corporate context, in a
company - from the top executive level right down
to the operational level - just about everyone relies
heavily on information.
In a complex environment where so much depends
on the data that businesses collect and process,
protecting that information becomes increasingly
important. Among the steps business owners take
to protect the data of their users, drafting a clear
and concise Privacy Policy agreement holds
central importance.
What is a Privacy Policy?
A Privacy Policy is a statement or a legal document
that states how a company or
website collects, handles and processes data of
its customers and visitors. It explicitly describes
whether that information is kept confidential, or is
shared with or sold to third parties.
Personal information about an individual may
include the following:
 Name
 Address
 Email
 Phone number
 Age
 Sex
 Marital status
 Race
 Nationality
 Religious beliefs
For example, an excerpt from Pinterest's (Links to
an external site.) Privacy Policy agreement clearly
describes the information Pinterest collects from its
users as well as from any other source that users
enable Pinterest to gather information from. The
information that the user voluntarily gives includes
names, photos, pins, likes, email address, and/or
phone number etc., all of which is regarded as
information.

Additionally, Pinterest also states that it collects
user location data from mobile devices, and if
someone makes a purchase on Pinterest, payment
and contact information - including an address and
phone number - will be collected. If users buy
products or services for others, Pinterest gathers
their contact information and shipping details, too.
Users may also give Pinterest permission to access
information that is shared with other websites like
Facebook and Twitter by linking their Pinterest
account with them. This information would also
include information about their friends and
followers. The account settings have information
about how much access Pinterest has to their
users' data.
In sum, a Privacy Policy is where you let your users
know all about how you make sure their privacy is
respected by your business practices.
Why you Need a Privacy Policy
Privacy is not a new concept. Humans have always
desired privacy in their social as well as private
lives. But the idea of privacy as a human right is a
relatively modern phenomenon.
Around the world, laws and regulations have been
developed for the protection of data related to
government, education, health, children,
consumers, financial institutions, etc.
This data is critical to the person it belongs to. Data
privacy and security binds individuals and
industries together and runs complex systems in
our society. From credit card numbers and social
security numbers to email addresses and phone
numbers, our sensitive, personally identifiable
information is important. This sort of information in
unreliable hands can potentially have far-reaching
consequences.
Companies or websites that handle customer
information are required to publish their Privacy
Policies on their business websites. If you own a
website, web app, mobile app or desktop app that
collects or processes user data, you most certainly
will have to post a Privacy Policy on your website
(or give in-app access to the full Privacy Policy
agreement).
There are several reasons for a website to post its
Privacy Policy agreement on its website.
Here are some of the main reasons:
 Required by the law
 Required by third party services
 Increases Transparency
A Privacy Policy is Required by the Law
For individuals to feel comfortable sharing their
personal information on the internet, there should
be some sort of legal responsibility
Countries around the world have realized the need
to protect their citizens' data and privacy.
Businesses and websites that collect and/or
process customer information are required to
publish and abide by a Privacy Policy agreement.
A majority of countries have already enacted laws
to protect their users' data security and privacy.
These laws require businesses to obtain explicit
consent from users whose data they will store or
process.
A few of these laws include the following:
 CalOPPA (Links to an external
site.) in the USA
 GDPR (Links to an external site.) in
the EU
 PIPEDA (Links to an external site.) in
Canada
For a business or a website that collects and
processes user information in a certain region or
country, it is very important to have complete
knowledge of the data and privacy protection laws
enforced in that region and the region your
customers and end users are in. Non-compliance
with these laws can result in hefty fines or even
prosecution against the violator.
In some cases, businesses have to follow laws
specific to states or regulations specific to
industries.
For example, here's how General Motors (Links to
an external site.) complies with CalOPPA in the US
by including a California-specific section in its
Privacy Policy:
General Motors informs its California users of their
rights through its Privacy Policy as required by
CalOPPA.
If your website/app reaches users around the
world, regardless of where you're located or
headquartered, you'll need to make sure you
follow privacy laws in all applicable countries
you reach.
While data protection and privacy laws differ from
region to region, a Privacy Policy must
comprehensively inform its users about how their
data will be used.
For example, the GDPR is currently the most
robust privacy legislation in the world and one of its
main requirements for any business that falls under
its jurisdiction is to have a GDPR-compliant Privacy
Policy (Links to an external site.) that contains
some very specific information and is written in an
easy-to-understand way.
Whether your website is a self-help blog or a game
hosted at Google Play, it is your responsibility to
give your end users complete information about
how any associated third-parties will collect and
process their data and (if possible) to what
purpose.
A Privacy Policy is Required by Third Party
Services
Apart from governing laws, some websites like
Apple, Amazon, and Google require website and
app owners to post a Privacy Policy agreement if
they use any of their services.
Many websites and apps use in-page/in-app
advertising by third parties to generate revenue. As
these ads also collect user data, third parties
require the websites or apps to ask their users'
permission for sharing their personal data.
For example, if you're using Google
Analytics (Links to an external site.) on your
website, the Google Analytics Terms of Service
requires that you post a Privacy Policy agreement.
In addition to this, you must also disclose that
you're using Google Analytics and some
information about how it collects and processes
data:
If you are a Google app developer, the Privacy
Policy Guidance requires that you inform your
users (Links to an external site.) about what data
you collect, why you collect it, and what you do with
it.
Some of the most popular third party services
require website and app owners to post Privacy
Policy agreements on their websites. Some of
these services include:
 Amazon Affiliates
 ClickBank
 Google Play Store
 Google Analytics
  Google AdSense
 Google AdWords
 Facebook Apps
 Twitter Lead Generation
 Apple's App Store
Third party vendors like Google, Facebook, and
Amazon require their users (website and app
owners) to explicitly inform their users if they're
using advertising features, cookies, or tracking
services on their websites/apps in order to deliver
better user experiences based on prior browsing
behavior.
Here's how Ookla (Links to an external site.) - a
fixed broadband and mobile network testing
company - informs its users in its Privacy Policy
agreement that it uses cookies, log files, flash
cookies, local storage, etc., in its website-based
and mobile applications in order to (1) improve
performance, (2) to better understand how Ookla's
software functions, and (3) to give the user a
personalized experience.
A Privacy Policy For Increased Transparency
Companies whose business models revolve around
handling sensitive customer information find it
incredibly important to establish trust with their
users. A clear and comprehensive Privacy
Policy agreement that tells users exactly what
information the company collects and what it
does with that information inspires confidence
in a business. It gives users a sense of security
knowing how much control they have over their
personal data under the conditions they sign up for.
Your Privacy Policy agreement should inform your
users about how your website or app handles their
personal information. Your users must be also be
informed about the reason for the collection of
information, as well as how long their data will be
stored on your servers.
Even if you don't collect personal information,
you should disclose this fact in a Privacy Policy.
It helps with transparency because users expect
to see a Privacy Policy. If you don't have one at
all, users may assume you're collecting a lot of
personal information and not disclosing it rather
than not collecting any.
The DuckDuckGo (Links to an external site.) search
engine does not track user searches or store online
browsing history in any way. Its Privacy Policy
agreement states that it does not collect or share
any user information.
To make your Privacy Policy transparent and
accurate, conduct a privacy law self-audit (Links to
an external site.). This will allow you to find out
what your business' privacy practices are and what
information you need to disclose to your users in a
Privacy Policy.
Example of a Website Privacy Policy
To be transparent with your users about what
personal information you collect and what you do
with it, you are required to publish a Privacy Policy
agreement on your website or give in-app access to
it.
Websites usually post a link to the complete
Privacy Policy agreement from the footer of the
website, whereas apps generally add the Privacy
Policy to an "About" or "Legal" menu.
Another popular location for ecommerce store apps
and websites is the checkout page, or account
registration page if you don't have an ecommerce
component but allow users to create accounts.
Medium (Links to an external site.) links its Privacy
Policy agreement to its website footer:
Protection of Data from the Internet
The Internet has blurred the lines between real
world and the virtual one. Technology is barreling
into our hands through smartphones at an
unbelievable pace. This is good for productivity and
progress, but it makes it easy for thieves to do their
job.
The anonymity and location independence that
comes with the Internet muddles the moral
character of even the most ethical person. There’s
no assuming your phone and the information it
stores is safe from the malicious intentions of the
human mind.
Remember, the first line of defense in protecting
your data is you. Learn about new threats, stay
current and take the necessary precautions to keep
your data safe.
These 10 tips to protect data from the Internet.
1. Create strong passwords and change them
often. Never save passwords on your device. Yes,
it’s convenient. Yes, it saves time. If you need to
safely store passwords, look into a secure
password manager. Criminals are getting smarter
and need just one chink in the armor to get into the
system to rob you blind.
2. Be conscious of privacy settings. Most apps offer
privacy settings for users. This gives you the
freedom to know how much and what kind of
information is shared. Always choose the least
amount of data sharing.
3. Obtain reliable security for your phone. Phones
need as much protection as any other device, if not
more. There are many security providers that offer
free services. These can be risky as they mine data
from your phone. Always go for a well-known
service provider. Norton Mobile Security has a
gamut of features that can protect your phone from
most threats.
4. Back up your data via reliable hardware
or software. Backing up data is often overlooked,
but remains a very important aspect of data
protection. Ransomware is a type of attack where
hackers hold your data hostage for a ransom.
There are cloud-based services that offer backup,
or you can opt for Norton Security Premium, which
includes backup capabilities.
5. Anti-theft your device. If your gadget is lost or
stolen, tracking apps will help you find it. But how
do you protect your confidential data before it gets
into the wrong hands? Norton Mobile Security
allows you to perform a “factory reset” to
completely erase your lost/stolen Android device.
This includes your confidential contact lists, text
messages, call history, browser history, bookmarks
and any other personal data.
6. Be careful what you do with your phone, and use
a password. Entering a password every time you
want to use your phone may be tedious, but it’s
also the first line of defense if your phone gets lost
or stolen. Additionally, when you consider the vast
amount of malware (Links to an external site.),
Trojans and worms finding sneaky ways to get into
your device, it is better to stay protected with a
security system that does the work for you. App
Advisor is a special feature provided by Norton
Mobile Security. It prompts privacy risks, intrusive
behavior of apps, excessive battery drainage and
data plan usage.
7. Watch out for Bluetooth vulnerabilities. Bluetooth
technology offers incredible convenience. It also
opens doors for security weaknesses. Make sure
you turn off your Bluetooth when you are not using
it. While there are options to place your Bluetooth
activity in an invisible or undetectable mode, there
are some malicious apps that can change that
mode and expose your device to threats. That’s
one more reason to have a security system in
place.
8. Keep your operating system up to date. “A
hindrance” is what many people call operating
system updates. They are annoying and sometimes
time-consuming but are very important. Besides
improving the functionality of the device, updates
and patches contain critical security updates. Make
it a point to update as soon as possible.
9. Beware of public Wi-Fi. Most home Wi-Fi
connections are encrypted. Some public Wi-Fi
connections are not. This means you’re at risk of
people monitoring your online activity. Sometimes,
malware from someone else’s device can infect
your device. Ensure you’ve turned on your firewall,
and have up-to-date malware protection, or you
could run into problems. Delete data that you no
longer use.
10. Close down any online service that you no
longer use. There are many social networks that
come and go. If you have signed up for any of
these, they may have a wealth of your personal
information that you willingly gave. But eventually
when these services disappear, they take with them
your information that can be sold as an asset.
No protection method is 100% foolproof, but there’s
clearly plenty you can do to keep your information
safe. Educate yourself on the latest security tactics
and tricks, use good ‘ol common sense, and use
Norton’s advanced protection products to protect
what’s yours.
Security Layers
In Computer Security, layers is a well-known
practice which was taken from military techniques.
The aim of this is to exhaust the attacker when he
succeeds to penetrate the first layer of security by
finding a hole, then he has to find a hole in the
second layer and so on, until he arrives at the
destination if he succeeds.
That's why there are 7 layers of Security. They'll
show you how to protect your system and your
data-and why you need to take action now to make
sure your information is there when you need it.
1. Information Security Policies
These policies are the foundation of the
security and well-being of our resources.
They can help you increase the
awareness of information security within
your organization. And they'll
demonstrate to your clients that you're
serious about protecting their
information.
2. Physical Security
We secure our valuables under lock and
key and we monitor our homes with
security cameras. It shouldn't be any
different for our servers and offices.
We'll provide ways to keep your system
safe, with solutions that include
everything from lockable racks to
password-enabled screen savers.
3. Secure Networks and Systems
EGiS builds networks and systems with
your company's security in mind. Our
mission: to manage, monitor and protect
the perimeter of your network-that
crucial intersection where your private
network connects to the public Internet.
We'll make sure your DNS and domain
name is safe, provide e-mail filtering,
firewall and Internet content security and
more.
4. Vulnerability Programs
Every system has inherent
vulnerabilities. But by maintaining anti-
virus, anti-spyware, anti-spam and
Windows® and firewall updates-as well
as updates to your industry programs,
we can help you mitigate these risks.
5. Strong Access Control Measures
We safeguard against unauthorized
access to your system by limiting and
controlling access. We recommend
using complex passwords that change
often. And, when possible, we
implement Multi-Factor Authentication.
We also support the least privilege
model, so only the people who should
have access to your sensitive data do.
6. Protect and Backup Data
An important key to keeping your data
safe is to encrypt it where it's stored and
when it's transported. Using Continuous
Data Protection, we'll make sure your
servers back up data as it changes. We
can also replicate your critical data to a
secure, off-site location.
7. Monitor and Test Your Systems
Repeat after us: Always be vigilant.
EGiS is here to test your internal and
external systems for risks, review your
policies with you, and continually
monitor, log, report and alert you to
potential problems.
Data Loss and Theft Planning
Data Loss
In order to understand shortcuts to losing your data,
the first thing we need to do is understand the most
common reasons that data is lost.
The primary causes of data loss are:
 Human failure
 Human error
 Software corruption
 Theft
 Computer viruses
 Hardware destruction
The results of the two best studies regarding data
loss in the real world are depicted as follows:
Root Cause: Incident %
Hardware failure: 40%
Human error: 29%
Software corruption: 13%
Theft: 9%
Computer viruses: 6%
Hardware destruction: 3%
Source: David M. Smith, Ph.D., Pepperdine
University
 
Root Cause:
Customer Perception: Actual Incident %
Hardware or system problem: 78%: 56%
Human error: 11%: 26%
Software corruption: 7%: 9%
Computer viruses: 2%: 4%
Natural disasters: 1%: 2%
Source: Kroll OnTrack Data Recovery Services
What is Data Loss Prevention (DLP)?
Data loss prevention (DLP) is a set of tools and
processes used to ensure that sensitive data is not
lost, misused, or accessed by unauthorized users.
DLP software classifies regulated, confidential and
business critical data and identifies violations of
policies defined by organizations or within a
predefined policy pack, typically driven by
regulatory compliance such as HIPAA, PCI-DSS, or
GDPR. Once those violations are identified, DLP
enforces remediation with alerts, encryption, and
other protective actions to prevent end users from
accidentally or maliciously sharing data that could
put the organization at risk. Data loss prevention
software and tools monitor and control endpoint
activities, filter data streams on corporate networks,
and monitor data in the cloud to protect data at rest,
in motion, and in use. DLP also provides reporting
to meet compliance and auditing requirements and
identify areas of weakness and anomalies for
forensics and incident response.
Ways to Prevent Data Loss
1.  Always back up your data
Prevention is the best protection. Create a
structured backup strategy and consistently back
up your files. Your backup plan should include the
different levels of data you maintain in your
company and the schedule for their back ups.
Some data is so critical that it may require you back
it up every week.  Also, be sure you periodically
test your backups to make sure that your data is
being backed up properly.
2. Diversify your backups
You always want more than one backup system.
The general rule is 3-2-1. You should have 3
backups of anything that’s very important. They
should be backed up in at least two different
formats, such as in the cloud and on a hard drive.
There should always be an off-site backup in the
event that there is damage to your physical office.
3. Encrypt sensitive data
Data is not always encrypted even when it’s on a
backup tape. Invest in a backup system or service
that automatically encrypts all backups to ensure
that no matter who gets their hands on your data,
they cannot access
4. Address data security
Mobile devices are powerful business tools but they
can leave your data vulnerable. Ensure your
devices can be wiped if they are lost with a remote
device management system and use hardwares or
mobile device systems that encrypt data.
5. Use anti-virus and email security
Email threats such as hacking, phishing or
ransomeware can be some of the biggest threats to
data. Use a thorough anti-virus and security system
to prevent malicious emails from getting through to
your company. Also be certain to offer continuing
education to your team about the importance of
email security.
6. Trust the professionals
Data is too valuable to be left alone. If you do lose
it, do not try to recover it by using any type of
diagnostic tools. You don’t want to cause further
damage by trying to fix the situation on your own.
Instead, work with a trusted backup and data
recovery expert to ensure your data is safe.
 
Data Theft
Data theft is the act of stealing information stored
on computers, servers, or other devices from an
unknowing victim with the intent to compromise
privacy or obtain confidential information. Data theft
is a growing problem for individual computer users
as well as large corporations and organizations.
Data theft occurs both outside and inside
companies, and reducing the risk of insider data
theft at the corporate level is anything but easy.
This is especially true because system
administrators and employees have access to
technology such as database servers, desktop
computers, and external devices including USBs,
smart phones, and other removable and mobile
devices.
Ways to Prevent Data Theft
1. Get rid of paper.
If you have to keep paper files, shred them as soon
as they are no longer needed. According to John
Rowan of Advantage Business Equipment, there
are nine things businesses should shred:
 Any mail with a name and address
 Luggage tags
 Trip itineraries
 Extra boarding passes
 Credit offers
 Price lists
 Vendor payment stubs and paid invoices.
 Cancelled checks
 Receipts
2. Assess which data you need to protect most.
“Have an audit or assessment on your data,” says
Greg Kelley, EnCE, DFCP, of Vestige Digital
Investigations (Links to an external site.).
“Everyone company is different. They have different
regulations, different types of data, different needs
for that data and a different company culture. Hire
an outside expert to assess what data you have,
how you are protecting it (not how you think you are
protecting it) and where that data is going. While
you may think it is an unnecessary cost, if you
report to clients and potential clients that you have
had an outside data assessment, you may find it
puts you at an advantage over your competitors.”
3. Restrict access to your sensitive data.
“Not everyone in the company needs access to
everything. Does the project manager need pricing
information? Does the sales person need
operations information? By restricting what data
each person has access to, you limit your exposure
when an employee decides what they want to steal
or when the employee’s account is compromised
by an outsider,” says Kelly.
4. Enforce data privacy controls inside and out.
Hold third parties and contractors your company
engages to the same strict data privacy controls
you implement in your own organization. Audit
them periodically to ensure compliance with your
security standards.
5. Use strong passwords to protect computers
and devices.
Make it difficult for outsiders to access your
company’s and employees’ devices and computers
if they are lost or stolen by protecting them with
strong passwords and by enabling remote wipe on
all devices.
6. Install or enable a firewall.
Even small companies with few employees have
valuable data that needs to be protected. Ensure
you have a firewall in place to keep outsiders from
accessing your company network.
7. Secure your wireless network.
Use a strong password and use encryption and
security to hide your wireless network from
outsiders. Don’t let neighbors or passers-by hop
onto your network, or even see that it exists. You’re
just inviting trouble.
8. Use encryption to prevent data theft.
Ensure all sensitive information that is being
transferred or emailed is encrypted. Encryption
should also be installed on all company laptops,
mobile devices and removable media.
9. Use a proxy.
“That free internet at the airport or the cafe is
actually shared with dozens or hundreds or other
users who might be sniffing your traffic,” says
Roberto Arias Alegria, IT Security Consultant
at Metaluxo IT Security (Links to an external site.).
“Since encrypted connections (SSL) are far from
universal, an easy to use proxy service can save
you from prying eyes (e.g. Zenmate, or
TunnelBear).”
10. Activate two-factor authentication.
“No matter how secure is your password, there’s
more than one way to get it. Consider using 2FA
whenever you can, Google, Yahoo, Twitter and
many popular services already have support for
2FA,” says Arias.
11. Restrict movement of information.
“Do not permit the transfer of personal information
(names, Social Security numbers, Medicare
numbers, employee or medical data etc.) to a
portable medium, like a laptop or mobile
device. This data should be processed in-house,
not on an airplane or a commuter train or at home,”
says Robert Ellis Smith, Publisher, Privacy Journal.
12. Take extra steps to protect your most
sensitive data.
“Truncate Social Security numbers, or remove them
from the data base and store them elsewhere apart
from the original data file, with a means to link the
two later if necessary. Regularly remove sensitive 18. Implement social media policies.
personal data from online databases or “the cloud”
and process it off-line,” says Smith.
13. Use anti-virus software and anti-spyware.

Update all software on your company’s network

whenever updates become available. This includes
security software, browsers, and operating
systems. Don’t use free security software as
sometimes these contain “scareware” that can fool
employees into compromising your network.
14. Require strong passwords for all
employees.

“More than 70 per cent of breaches are due to

weak passwords or poor password management,”
says Darren Guccione, CEO and co-founder
of Keeper Security, Inc. Make sure you use
passwords that are at least eight characters in
length and utilize a combination of uppercase and
lowercase letters, numerals and symbols.”
15. Have a “clean desk” policy.
Implement and enforce a policy prohibiting
employees from keeping working papers,
passwords or any sensitive documents in view
while they are away from their desks. Every
workstation should have a lockable drawer for
employees to secure sensitive information.
16. Guard against social engineering.
Teach employees to recognize and report attempts
by outsiders to get information. Train them on the
various techniques used by fraudsters, such as
“phishing” and “smishing” and to never open
attachments or download anything from an
unknown source.
17. Beware of personal devices.
“Make sure that you have policies and technology
to address the risk of people bringing personal
devices to work,” says Joseph Steinberg, CEO
of SecureMySocial. “All access to the Internet from
such devices – or from devices brought by visitors
to your office – should be done via a separate
network than is used for company computers. Many
routers come equipped with such a capability.
Personal devices can be infected with malware that
can steal data if the devices are connected to
corporate networks.”
“Create, and enforce with technology, appropriate
social media policies. Don’t pretend that policies
alone will ensure that employees don’t make
inappropriate social media posts – you need
technology to help with this task as people make
mistakes – and they can be costly to your business.
Many breaches start with criminals crafting spear
phishing emails based on overshared information
on social media,” says Steinberg.
19. Be prepared for mistakes.
“Employees are humans, and humans make
mistakes,” says Quinn Kuzmich, adjunct professor
of software security and computer forensics
at Colorado Technical University, founding partner
at NagaSec Information Security and a Senior IT
Security Analyst for Skillsoft. “Mistakes leave your
system vulnerable. And when it comes to data
security, these mistakes happen all the time. Data
gets saved in the wrong folders, which weren’t
configured in the right way – this means the wrong
people have access to the data. If you forget this
important rule, the wrong people will remind you.”
20. Be nice to others.
A disgruntled individual can be the most dangerous
vulnerability in your company’s data protection
program.
Social Engineering Recognition
What is social engineering

Social engineering is the term used for a broad

range of malicious activities accomplished through
human interactions. It uses psychological
manipulation to trick users into making security
mistakes or giving away sensitive information.
Social engineering attacks happen in one or more
steps. A perpetrator first investigates the intended
victim to gather necessary background information,
such as potential points of entry and weak security
protocols, needed to proceed with the attack. Then,
the attacker moves to gain the victim’s trust and
provide stimuli for subsequent actions that break
security practices, such as revealing sensitive
information or granting access to critical resources.
What makes social engineering especially
dangerous is that it relies on human error, rather
than vulnerabilities in software and operating
systems. Mistakes made by legitimate users are
much less predictable, making them harder to
identify and thwart than a malware-based intrusion.
Social engineering attack techniques
Social engineering attacks come in many different
forms and can be performed anywhere where
human interaction is involved. The following are the
five most common forms of digital social
engineering assaults.
Baiting
As its name implies, baiting attacks use a false
promise to pique a victim’s greed or curiosity. They
lure users into a trap that steals their personal
information or inflicts their systems with malware.
The most reviled form of baiting uses physical
media to disperse malware. For example, attackers
leave the bait—typically malware-infected flash
drives—in conspicuous areas where potential
victims are certain to see them (e.g., bathrooms,
elevators, the parking lot of a targeted company).
The bait has an authentic look to it, such as a label
presenting it as the company’s payroll list.
Victims pick up the bait out of curiosity and insert it
into a work or home computer, resulting in
automatic malware installation on the system.
Baiting scams don’t necessarily have to be carried
out in the physical world. Online forms of baiting
consist of enticing ads that lead to malicious sites
or that encourage users to download a malware-
infected application.
Scareware
Scareware involves victims being bombarded with
false alarms and fictitious threats. Users are
deceived to think their system is infected with
malware, prompting them to install software that
has no real benefit (other than for the perpetrator)
or is malware itself. Scareware is also referred to
as deception software, rogue scanner software and
fraudware.
A common scareware example is the legitimate-
looking popup banners appearing in your browser
while surfing the web, displaying such text such as,
“Your computer may be infected with harmful
spyware programs.” It either offers to install the tool
(often malware-infected) for you, or will direct you
to a malicious site where your computer becomes
infected.
Scareware is also distributed via spam email that
doles out bogus warnings, or makes offers for
users to buy worthless/harmful services.
Pretexting
Here an attacker obtains information through a
series of cleverly crafted lies. The scam is often
initiated by a perpetrator pretending to need
sensitive information from a victim so as to perform
a critical task.
The attacker usually starts by establishing trust with
their victim by impersonating co-workers, police,
bank and tax officials, or other persons who have
right-to-know authority. The pretexter asks
questions that are ostensibly required to confirm
the victim’s identity, through which they gather
important personal data.
All sorts of pertinent information and records is
gathered using this scam, such as social security
numbers, personal addresses and phone numbers,
phone records, staff vacation dates, bank records
and even security information related to a physical
plant.
Phishing
As one of the most popular social engineering
attack types, phishing scams are email and text
message campaigns aimed at creating a sense of
urgency, curiosity or fear in victims. It then prods
them into revealing sensitive information, clicking
on links to malicious websites, or opening
attachments that contain malware.
An example is an email sent to users of an online
service that alerts them of a policy violation
requiring immediate action on their part, such as a
required password change. It includes a link to an
illegitimate website—nearly identical in appearance
to its legitimate version—prompting the
unsuspecting user to enter their current credentials
and new password. Upon form submittal the
information is sent to the attacker.
Given that identical, or near-identical, messages
are sent to all users in phishing campaigns,
detecting and blocking them are much easier for
mail servers having access to threat sharing
platforms.
Spear phishing
This is a more targeted version of the phishing
scam whereby an attacker chooses specific
individuals or enterprises. They then tailor their
messages based on characteristics, job positions,
and contacts belonging to their victims to make
their attack less conspicuous. Spear
phishing requires much more effort on behalf of the
perpetrator and may take weeks and months to pull
off. They’re much harder to detect and have better
success rates if done skillfully.
A spear phishing scenario might involve an attacker
who, in impersonating an organization’s IT
consultant, sends an email to one or more
employees. It’s worded and signed exactly as the
consultant normally does, thereby deceiving
recipients into thinking it’s an authentic message.
The message prompts recipients to change their
password and provides them with a link that
redirects them to a malicious page where the
attacker now captures their credentials.
Social engineering prevention
Social engineers manipulate human feelings, such
as curiosity or fear, to carry out schemes and draw
victims into their traps. Therefore, be wary
whenever you feel alarmed by an email, attracted
to an offer displayed on a website, or when you
come across stray digital media lying about. Being
alert can help you protect yourself against most
social engineering attacks taking place in the digital
realm.
Moreover, the following tips can help improve your
vigilance in relation to social engineering hacks.
 Don’t open emails and attachments
from suspicious sources – If you don’t
know the sender in question, you don’t
need to answer an email. Even if you do
know them and are suspicious about
their message, cross-check and confirm
the news from other sources, such as
via telephone or directly from a service
provider’s site. Remember that email
addresses are spoofed all of the time;
even an email purportedly coming from
a trusted source may have actually been
initiated by an attacker.
 Use multifactor authentication – One
of the most valuable pieces of
information attackers seek are user
credentials. Using multifactor
authentication helps ensure your
account’s protection in the event of
system compromise. Imperva Login
Protect is an easy-to-deploy 2FA
solution that can increase account
security for your applications.
 Be wary of tempting offers – If an offer
sounds too enticing, think twice before
accepting it as fact. Googling the topic
can help you quickly determine whether
you’re dealing with a legitimate offer or a
trap.
 Keep your antivirus/antimalware
software updated – Make sure
automatic updates are engaged, or
make it a habit to download the latest
signatures first thing each day.
Periodically check to make sure that the
updates have been applied, and scan
your system for possible infections.
Online Fraud Protection
What is “online fraud”?
Fraud that is committed using the internet is “online
fraud.”  Online fraud can involve financial fraud and
identity theft.
Types of Online Fraud
The most common types of online fraud are called
phishing and spoofing.   Phishing is the process of
collecting your personal information through e-mails
or websites claiming to be legitimate.   This
information can include usernames, passwords,
credit card numbers, social security numbers, etc.  
Often times the e-mails directs you to a website
where you can update your personal information.  
Because these sites often look “official,” they hope
you’ll be tricked into disclosing valuable information
that you normally would not reveal.   This often
times, results in identity theft and financial loss.
Spyware and viruses are both malicious programs
that are loaded onto your computer without your
knowledge.   The purpose of these programs may
be to capture or destroy information, to ruin
computer performance or to overload you with
advertising.   Viruses can spread by infecting
computers and then replicating.   Spyware
disguises itself as a legitimate application and
embeds itself into your computer where it then
monitors your activity and collects information.
Fraudulent “Pop-up Windows” are a type of online
fraud often used to obtain personal information.  
They are the windows or ads that appear suddenly
over or under the window you are currently viewing.
Fraudulent websites or pop-up windows are used to
collect your personal information.   Other terms for
the fraudulent process of gathering your personal
information include “Phishing or “Spoofing.”
Additional links to real websites can be
incorporated into the email to lead you to believe
the email is legitimate.
Fraudulent websites, e-mails or pop-up
windows will often:
 Ask you for personal information
(Account number, Social Security
Number, Date of Birth, etc.).
 Appear to be from a legitimate source
(Retail Stores, Banks, Government
agencies, etc.).
 Contain prizes or other types of
certificate notices.
 Link to other real or counterfeit
websites.
 Contain fraudulent phone numbers.
Pop-up windows are often the result of programs
installed on your computer called “adware” or
“spyware.”   These programs look in on your Web
viewing activity and regularly come hidden inside
many free downloads, such as music-sharing
software or screen savers.  Many of these
programs enable harmless advertisements, but
some contain “Trojan horse” programs that can
record your keystrokes or relay other information to
an unauthorized source.
 
Protection Against Online Fraud
1. Know the Scams
 Phishing, Spoofing, Pop-up Fraud –
types of online fraud used to obtain
personal information.
 Trojan Horse – Virus that can record
your keystrokes. It can live in an
attachment or be accessed via a link in
the email, website or pop-up window.
 Counterfeit Websites – URLs that
forward you to a fraudulent site. To
validate a URL, you can type or cut and
paste the URL into a new web browser
window and if it does not take you to a
legitimate web site or you get an error
message, it was probably just a cover
for a fraudulent web site.
2. Activate a pop-up window blocker. 
There are free programs available online that will
block pop-up windows.  Be sure to perform an
Internet search for “pop-up blocker” or look at the
options provided by major search engines.   You
will need to confirm that these programs are from
legitimate companies before downloading.   Once
you have installed a pop-up blocker, you should
determine if it blocks information that you need to
view or access.   If this is the case, you should
consider turning off the blocker when you are on
Web sites you know use pop-up windows to
provide information you need or want to view.
3. Scan your computer for spyware regularly.
You can eliminate potentially risky pop-up windows
by removing any spyware or adware installed on
your computer.   Spyware and adware are
programs that look in on your Web viewing activity
and potentially relay information to a disreputable
source. Perform an Internet search for “spyware” or
“adware” to find free spyware removal programs.  
As with a pop-up blocker, you will want to be sure
that your removal program is not blocking, or
removing, wanted items, and if it is, consider
turning it off for some websites.
4. Avoid downloading programs from unknown
sources.
Downloads may contain hidden programs that can
compromise your computer’s security.  Likewise,
email attachments from unknown senders may
contain harmful viruses.
5. Keep your computer operating system and
Internet browser current.

6. Keep anti-virus software up-to-date.
Anti-virus software needs frequent updates to
guard against new viruses.   Select a reputable
provider. Download the anti-virus updates as soon
as you are notified that a new program update is
available, or flag your program to download and
install the updates automatically if that option is
available.
7. Keep your passwords secret.
Change them regularly, using a mixture of numbers
and characters.
Phishing Protection
Phishing is a cybercrime in which a target or
targets are contacted by email, telephone or
text message by someone posing as a
legitimate institution to lure individuals into
providing sensitive data such as personally
identifiable information, banking and credit card
details, and passwords.
The information is then used to access
important accounts and can result in identity
The data doesn’t lie – phishing is still alive and
well in 2020, even if your web connection or
email client is secured.
According to a 2019 Verizon report (Links to an
external site.), 32% of all data breaches
involved phishing in one way or another. In
addition, 90% of confirmed (Links to an
external site.) phishing email attacks took place
in environments that used Secure Email
Gateways (SEGs).
Being able to consistently detect and avoid
phishing email attempts that land in your inbox
is a key component of strong cyber security. To
do that, it’s important to understand the
different types of phishing emails and the
warning signs to look for in each scenario.
What is a Phishing Email?
A phishing email is a cybercrime that relies on
deception to steal confidential information from
users and organizations.
Phishing victims are tricked into disclosing
information they know should be kept private.
However, because they trust the source of the
information request and believe that party is
acting with the best intentions, phishing email
victims respond without thinking twice about it.
In a phishing email, cybercriminals will typically
ask for your:
 Date of birth
 Social security numbers
 Phone numbers
 Credit card details
 Home address
 Password information (or what they
need to reset your password
This information is then used by cybercriminals
to impersonate the victim and apply for credit
cards or loans, open bank accounts, and other
fraudulent activity.
Some cybercriminals use the information
collected by a phishing email to start a more
targeted cyber attack, such as a spear
phishing (Links to an external site.) or business
email compromise incident, that relies on
knowing more about the victim.
How Does Phishing Happen?
Phishing happens when a victim replies to a
fraudulent email that demands urgent action.
Examples of requested actions in a phishing
email include:
 Clicking an attachment
 Enabling macros in Word document
 Updating a password
 Responding to a social media
connection request
 Using a new wi-fi hot spot.
Every year, cybercriminals become savvier
with their phishing attacks and have tried-and-
tested methods to deceive and steal from
innocent victims. Because phishing attacks
come in many different forms, differentiating
one from a valid email, voice mail, text
message, or information request can be
difficult.
This is why phishing simulations are an ideal
way to measure phishing awareness. Using
a phishing simulation (Links to an external
site.) to test users is instrumental in increasing
organization-wide levels of phishing and cyber
security awareness
Examples of Different Types of Phishing
Attacks
Just like everything else on the internet,
phishing email attacks have evolved over the
years to become more intricate, enticing, and
tougher to spot.
To successfully pinpoint and flag suspicious
messages in their inbox, all your users must be
familiar with the different forms a phishing
email can take on.
Phishing Email
Phishing emails still comprise a large portion of the
world’s yearly slate of devastating data breaches.
Phishing emails are designed to appear to come
from a legitimate source, like Amazon customer
support, a bank, PayPal, or another recognized
organization. Cybercriminals hide their presence in
little details like the sender’s URL, an email
attachment link, and more.
Spear Phishing
This more targeted phishing email attack relies on
data that a cybercriminal has previously collected
about the victim or the victim’s employer. Typically
spear phishing emails use urgent and familiar
language to encourage the victim to act
immediately.
Link Manipulation
Relying on carefully worded phishing emails, this
type of attack includes a link to a popular. This link
takes victims to a spoofed version (Links to an
external site.) of the popular website, designed to
look like the real one, and asks them to confirm or
update their account credentials.
Fake Websites
Cybercriminals send phishing emails that include
links to fake websites, such as the mobile account
login page for a known mail provider, asking the
victim to enter their credentials or other information
into the fake site’s interface. The nefarious website
will often leverage a subtle change to a known URL
to trick users, such as mail.update.yahoo.com
instead of mail.yahoo.com.
CEO Fraud
This example of a phishing attack uses an email
address that is familiar to the victim, like the one
belonging to the organization’s CEO, Human
Resources Manager, or the IT support department.
The email urgently asks the victim to act and
transfer funds, update employee details, or install a
new app on their computer.
Content Injection
Savvy cybercriminals hack a familiar website and
include a fake website login page or pop-up that
directs website visitors to a fake website.
Session Hijacking
With this advanced phishing attack, criminals gain
access to a company web server and steal the
confidential information stored on the server.
Malware
All it takes to install malicious software on a
computer or company network is clicking an email
attachment. These attachments look valid or may
even be disguised as funny cat videos, eBook
PDFs, or animated GIFs.
“Evil Twin” Wi-Fi
This occurs when free Wi-Fi access points are
spoofed. Victims unknowingly log into the wrong
Wi-Fi hotspot. Wi-Fi access points that are
commonly spoofed include those available in coffee
shops, airports, hospitals, shopping malls, public
parks, and other public gathering locations.
Mobile Phishing (Smishing)
A fraudulent SMS, social media message, voice
mail, or other in-app message asks the recipient to
update their account details, change their
password, or tells them their account has been
violated. The message includes a link that is used
to steal the victim’s personal information or installs
malware on the mobile device.
Voice Phishing (Vishing)
This occurs when a caller leaves a strongly worded
voicemail that urges the recipient to respond
immediately and to call another phone number.
These voicemails are urgent and convince the
victim for example, that their bank account will be
suspended if they don’t respond.
Man-In-The-Middle
This sophisticated phishing email attack tricks two
people into believing that they’re emailing each
other. However, the phisher is sending fake emails
to each person asking them to share information or
to update confidential corporate information.
Malvertising
This phishing technique uses online advertisements
or pop-ups to compel people to click a valid-looking
link that then installs malware on their computer.
Real-World Examples of Phishing Email Attacks
One common thread that runs through all types of
phishing emails, including the examples below, is
the use of social engineering tactics. Like most
phishing attacks, social engineering preys on the
natural human tendency to trust people and
companies.
This leads to many users failing to carefully review
phishing email details and automatically trusting the
sender’s request. Email phishing victims believe
they’re helping their organizations by transferring
funds, updating login details, or providing access to
proprietary data.
Make sure your colleagues are aware of these
common examples of phishing emails:
Account Deactivation
An email from PayPal arrives telling the victim that
their account has been compromised and will be
deactivated unless they confirm their credit card
details. The link in the phishing email takes the
victim to fake PayPal website and the stolen credit
card information is used to commit further crimes.
Compromised Credit Card
The cybercriminal knows the victim made a recent
purchase at Apple for example, and sends an email
disguised to look like it is from Apple customer
support. The email tells the victim that their credit
card information might have been compromised
and to confirm their credit card details to protect
their account.
Transfer Funds
An urgent email arrives from the company CEO
who is currently traveling. The email asks the
recipient to help out the CEO by transferring funds
to a foreign partner. This phishing email tells the
victim that the fund request is urgent and necessary
to secure the new partnership. The victim doesn’t
hesitate to transfer the funds, believing she is
helping both the company and the CEO.
Social Media Request
 A Facebook friend request arrives from someone
who has the same Facebook friends as you. You
don’t immediately recognize the person but assume
the request is legitimate because of the common
friends. This new friend then sends you a Facebook
message with a link to a video which when clicked
installs malware on your computer and potentially
the company network.
Fake Google Docs Login
A cybercriminal creates a fake Google Docs login
page and then sends a phishing email hoping to
trick someone into logging into the faked website.
The email might read “We’ve updated our login
credential policy, please confirm your account by
logging into Google Docs.” The sender’s email is a
faked Google email address, for
example accountupdate@google.org.com.

Company Tech Support Request
Employees receive an email from corporate IT
asking them to install new instant messaging
software. The email looks real, however a spoofed
email address is used support@acme.com instead
of internalsupport@acme.com. When employees
install the software, ransomware is installed on the
company network.
Each of these phishing attack examples highlights
how easy it is to be tricked by an email. The more
familiar people are with how phishing happens, the
easier it is foster a cyber security aware culture.
How To Protect Against Phishing Emails
To protect against phishing emails, you need to
raise awareness of how phishing happens. When
people experience first-hand how easy it is to be
tricked by what looks like a valid email, they are
more likely to carefully review email details before
automatically clicking Reply, an embedded link, or
downloading an attachment.
To protect against phishing emails, remember
these five keys to building a cyber secure aware
culture:
1. Educate: use security awareness
training and phishing microlearnings to
educate, train, and change behavior.
2. Monitor: use phishing simulation tools
to monitor employee knowledge and to
identify who is at risk for a cyber attack.
3. Communicate: provide ongoing
communications and campaigns about
phishing emails, social engineering, and
cyber security.
4. Incorporate: make cyber security
awareness campaigns, training, support,
education, and project management part
of your corporate culture.
Malware Protection
Malware is the collective name for a number of
malicious software variants, including viruses,
ransomware and spyware. Shorthand for malicious
software, malware typically consists of code
developed by cyberattackers, designed to cause
extensive damage to data and systems or to gain
unauthorized access to a network. Malware is
typically delivered in the form of a link or file over
email and requires the user to click on the link or
open the file to execute the malware.
Malware has actually been a threat to individuals
and organizations since the early 1970s when the
Creeper virus first appeared. Since then, the world
has been under attack from hundreds of thousands
of different malware variants, all with the intent of
causing the most disruption and damage as
possible.
What Can Malware Do?
Malware delivers its payload in a number of
different ways. From demanding a ransom to
stealing sensitive personal data, cybercriminals are
becoming more and more sophisticated in their
methods.
Types of Malware:
Virus
Possibly the most common type of malware,
viruses attach their malicious code to clean code
and wait for an unsuspecting user or an automated
process to execute them. Like a biological virus,
they can spread quickly and widely, causing
damage to the core functionality of systems,
corrupting files and locking users out of their
computers. They are usually contained within an
executable file.
Worms
Worms get their name from the way they infect
systems. Starting from one infected machine, they
weave their way through the network, connecting to
consecutive machines in order to continue the
spread of infection. This type of malware can infect
entire networks of devices very quickly.
Spyware
Spyware, as its name suggests, is designed to spy
on what a user is doing. Hiding in the background
on a computer, this type of malware will collect
information without the user knowing, such as
credit card details, passwords and other sensitive
information.
Trojans
Just like Greek soldiers hid in a giant horse to
deliver their attack, this type of malware hides
within or disguises itself as legitimate software.
Acting discretely, it will breach security by creating
backdoors that give other malware variants easy
access.
Ransomware
 Get an ad-blocker! Malvertising –
where hackers use infected banners or
pop-up ads to infect your device – is on
the rise. You can’t know which ads are
bad: so it’s safer to just block them all
with a reliable ad-blocker.
 Careful where you browse! Malware
can be found anywhere, but it’s most
common in websites with poor backend
security, like small, local websites. If you
stick to large, reputable sites, you
severely reduce your risk of
encountering malware.
Identity Theft Prevention
What is Identity (ID) Theft?

Also known as scareware, ransomware comes with Identity theft occurs when an unauthorized party
a heavy price. Able to lockdown networks and lock uses your personally identifying information, such
out users until a ransom is paid, ransomware has as your name, address, Social Security
targeted some of the biggest organizations in the Number (SSN), or credit card or bank
world today — with expensive results. account information to assume your identity
in order to commit fraud or other criminal acts.
How Does Malware Spread?
How does identity theft occur? Identity thieves can
Each type of malware has its own unique way of steal your personal information directly or indirectly
causing havoc, and most rely on user action of
by:
some kind. Some strains are delivered over email
via a link or executable file. Others are delivered via • Stealing your wallets and purses containing
instant messaging or social media. Even mobile identification cards, credit cards and
phones are vulnerable to attack. It is essential that bank information.
organizations are aware of all vulnerabilities so they
can lay down an effective line of defense. • Stealing your mail including credit and bank
statements, phone or utility bills, new checks,
How to protect against malware
and tax information.
When it comes to malware, prevention is better • Completing a “change of address form” to redirect
than a cure. Fortunately, there are some common
the destination of your mail.
sense, easy behaviors that minimize your chances
of running into any nasty software. • Rummaging through your trash for discarded
personal data in a practice known as
 Don’t trust strangers online! “Social
engineering”, which can include strange “dumpster diving.”
emails, abrupt alerts, fake profiles, and • Taking personal information that you share or post
curiosity-tickling offers, are the #1 on the Internet.
method of delivering malware. If you
don’t know exactly what it is, don’t click What can ID thieves do with your information?
on it.
• Call your creditors and change your mailing
 Double-check your downloads! From address on your credit card account.
pirating sites to official storefronts,
malware is often lurking just around the • Open new lines of credit using your personal
corner. So before downloading, always identification information.
double-check that the provider is
trustworthy by carefully reading reviews • Establish phone services using your name which
and comments. are charged to you.
• Open bank accounts in your name and write bad
checks.
• Forge checks to wipe out your bank account.
• Apply for auto loans taken out in your name.
• Commit other crimes and then give your name,
instead of their own, to the police during
their arrest.
What you can you do to prevent ID theft?
Identity theft is on the rise. While there are no
guarantees that your identity will not be stolen there
are steps you can take to minimize your risk.
• Use passwords on all your credit card, bank, and
phone accounts.
• Never keep passwords, “PINs” or your SSN card
in your wallet or purse.
• Learn about security procedures in your
workplace.
• Never give out personal information on the
phone, through mail, or over the internet unless you
know the receiver and have initiated the contact.
• Guard your mail and trash from theft.
• Shred or destroy discarded financial statements in
your trash.
• Give your SSN only when absolutely necessary.
• Keep your purse or wallet in a safe place at work.
How can you protect your personal computer from
ID theft?
SSNs, financial records, tax information, birth
dates, and account numbers may be stored on you
personal computer.Follow these tips to help keep
your personal information safe.
• Update your virus protection software regularly,
especially when a new virus alert is brought to your
attention.
• Do not download files from strangers or click
hyperlinks from people you don’t know. This could
expose your system to a virus.