Clean Inbox
14.5 billion spam messages are sent every day in the U.S. That’s 45% of all emails sent.
36% Advertising
31.7% Adult-Related
2.5%
CLOUD FILE SHARING
DOCUSIGN
FAKE INVOICE
DELIVERY NOTIFICATION
• Appears to come from a popular delivery service (FedEx, UPS, etc.) or online retailer and includes a delivery notification with a malicious link or attachment
• TIP: Do not click links or open attachments in unexpected delivery notifications. Instead, visit the delivery service's official website and enter the tracking information, or call the delivery service's official phone number.
TAX SCAM
• Appears to come from a government tax revenue agency (e.g., IRS in the U.S.)
• Claims you are delinquent on your taxes and provides a means to fix the issue before additional fines or legal actions are pursued
• TIP: Never share personal or financial information via email. Only use official communication channels to contact revenue agencies.
SHARED TRAITS
• Unsolicited: You didn’t ask for the email
• Harmful: Both either attempt to steal your information or waste your time
• Illegitimate: Use techniques like spoofing to make it to your inbox
© 2019 Infosec. All rights reserved.
HOW TO RECOGNIZE A MALICIOUS ATTACHMENT
You received an email with an attachment. Do you download it?
Follow these steps to make a safe decision.
READ WARNINGS
»» If your email service or antivirus software warned the attachment is dangerous, DO NOT DOWNLOAD!
»» Some hackers will "warn" you that you should ignore such alerts. This is a trick!
NEVER IGNORE MALWARE ALERTS
EXAMINE MESSAGE
Take a look at the file extension (the part that follows the dot). Be suspicious of the following extensions:
.EXE
»» DO NOT DOWNLOAD! This is an executable file
»» Most email clients block .EXE attachments
.ZIP, .7z, .RAR and other archived files
»» Archiving is a common way to hide malware from antivirus
»» Be extra suspicious of password-protected archives
.DOCM, .XLSM, .PPTM
»» These documents contain MACROS, or scripts hackers often use to run malicious code
UNKNOWN or MISSING EXTENSIONS
»» If you don't recognize the extension DO NOT TRY OPENING THE FILE!
USE CAUTION
»» Even if a file is a simple DOC or PDF document, think twice before opening it
»» If you can, contact the sender using an alternative channel (email or IM) to verify
»» Use your email client Preview feature before downloading
»» Make sure that all software you use for viewing documents has the latest security patches installed
Jane Doe, to you
from: JaneDoe@gmail.com
reply-to: JoePhish263@gma
• Requests for payment at the end of the day, or before weekends and/or holidays
• Vendor payment requests with new routing numbers and/or account numbers
MovieFlix <FlixMove_@gmail.com>, to you
Please update your payment method immediately.
Click Here
• Requests for payment without justification
• Requests for payment to a personal account
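As an added defender-side example (not part of the poster), the following Python checks an inbound message for two of the red flags above: a Reply-To address that differs from the From address, as in the Jane Doe mock-up, and attachments sorted into the extension categories from the malicious-attachment checklist, including the ZIP encryption flag behind the "password-protected archive" warning. The sample message, its addresses and its attachments are constructed placeholders, and the extension sets are exactly the ones the poster names.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE = {"exe"}                        # never download
ARCHIVE = {"zip", "7z", "rar"}              # can hide malware from antivirus scanners
MACRO_DOC = {"docm", "xlsm", "pptm"}        # macro-enabled Office documents
COMMON_DOC = {"doc", "docx", "pdf", "txt"}  # still "think twice" before opening

def classify_attachment(filename, data=b""):
    """Map a filename (plus its bytes, for ZIP archives) to one of the poster's categories."""
    _, dot, ext = filename.lower().rpartition(".")  # the LAST suffix decides
    if not dot or not ext:
        return "missing extension"          # do not try to open the file
    if ext in EXECUTABLE:
        return "executable"
    if ext in ARCHIVE:
        try:  # ZIP only: encryption is general-purpose flag bit 0 of each member
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    return "password-protected archive"
        except zipfile.BadZipFile:
            pass                            # .7z/.rar or damaged data: still an archive
        return "archive"
    if ext in MACRO_DOC:
        return "macro-enabled document"
    return "common document" if ext in COMMON_DOC else "unknown extension"

def triage(raw):
    """Red flags in a raw RFC 5322 message: Reply-To mismatch plus attachment classes."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    attachments = {(p.get_filename() or ""): classify_attachment(p.get_filename() or "",
                   p.get_payload(decode=True) or b"") for p in msg.iter_attachments()}
    return {"reply_to_mismatch": bool(reply_to) and reply_to != sender, "attachments": attachments}

def sample_message():
    """Constructed sample modelled on the poster's Jane Doe mock-up; all addresses are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "constructed archive member, not malware")
    msg = EmailMessage()
    msg["From"], msg["Reply-To"] = "Jane Doe <JaneDoe@example.com>", "JoePhish263@example.net"
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="Invoice.pdf.exe")
    return msg.as_bytes()
```

Running `triage(sample_message())` reports the Reply-To mismatch and classifies the ZIP as an archive and "Invoice.pdf.exe" as an executable, since only the final suffix counts.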
1 Don’t click that link!
What to do: Don’t click links in emails. Instead, type the URL you want directly into the browser.
Why: According to Microsoft, phishing is still the number one favorite method of cyber-attacks.

2 Use two-factor authentication
What to do: Use a second factor for logging into accounts.
Why: If you have robust two- or multi-factor authentication in place, you are much less likely to lose personal data due to phishing.

3 Delete recorded conversations
What to do: Regularly delete any recorded conversations used by your personal assistant.
Why: There have been cases where Alexa revealed personal data to unknown persons without consent.

4 Keep it clean — delete old files
What to do: Make sure you keep data replication to a minimum. Delete old files you don’t use.
Why: There can never be 100% security, but reducing the places that can be compromised helps lessen your risk.

5 Be less social
What to do: Minimize the amount of personal data you have on social media platforms.
Why: Information like your pet’s name or mother’s maiden name is sometimes used to recover account logins. Don’t give hackers an easy way into your online accounts!

6 Don’t sync for sync’s sake
What to do: Disable automatic file and media sharing whenever possible.
Why: A lot of devices set up cloud syncing when you first configure the device. Check if you really want to store these data in the cloud.

7 Keep off the beaten track
What to do: Disable location tracking on each app.
Why: A recent study of almost 1 million Android phones demonstrated that apps regularly harvested tracking data.

8 Let sleeping Bluetooth lie
What to do: If you are not using Bluetooth, switch it off.
Why: Bluetooth vulnerabilities can allow data to be siphoned off your device.

9 Encrypt stored data
What to do: Encrypt any data you store on hard drives and use an email encryption tool if you share personal data.
Why: Encryption is a layer of protection that can prevent lost or stolen data from being exposed.

10 Patch your devices
What to do: Keep your computers and mobile devices patched and up to date.
Why: Software vulnerabilities allow malware to infect your device, which can steal data and login credentials.
Sources
1. Stolen PII & Ramifications: Identity Theft and Fraud on the Dark Web, Armor Blog
2. Identity Fraud Hits All Time High With 16.7 Million U.S. Victims in 2017, Javelin Research
3. Security Intelligence Report (SIR), Microsoft
4. 2018 Data Breach Investigations Report, Verizon
5. Alexa user gets access to 1,700 audio files from a stranger, TechCrunch
6. Woman says her Amazon device recorded private conversation, sent it out to random contact, KIRO 7
7. Binns, R., et al., Third Party Tracking in the Mobile Ecosystem, Association for Computing Machinery
8. The Attack Vector “BlueBorne” Exposes Almost Every Connected Device, Armis
9. Breach Level Index, Gemalto
Know your guidelines
Your organization has its own policies for password security. Know them and push them to the limits! If they allow passwords of 8-20 characters, always make it 20.

Longer is better
New research says longer passwords are harder to guess. “Wine” is short; “1998dontdrinkwinewithbadchee$e-2002worstweddingEVER” is long.

Don’t repeat
Don’t reuse passwords. If you’ve already used a password for another account, or used it previously for the same account, invent a new password.

Never share passwords
Passwords are like toothbrushes. Change them regularly and never share them with anyone!

If it hasn’t worked before …
Know your common passwords. “Password1,” “123456,” “admin” and “qwerty” are all common passwords that hackers will always guess.

Don’t use common substitutions
It’s become common practice to replace letters with similar-looking numbers and symbols. These are known substitutions and will not help make a password stronger.
Determine your priorities
Know what devices and media hold the most sensitive information, and stack your priorities accordingly. Some may need more protection than others.

Be familiar with the rules and regulations
Your organization and industry may have special regulations related to information handling. It’s important to follow the special rules related to the devices, media and information you deal with.

Encrypt files and devices
Encryption encodes data so that it can’t be read without a special password. Even if an attacker steals the whole device, they won’t be able to read an encrypted file.

Back up your files
Backups save your information if your device breaks or is taken over by an attacker. Back up files to a removable device that can be locked away safely, such as a CD or flash drive.

Don’t download carelessly
Files can contain malware, and websites aren’t always what they appear to be. Always verify sender identity before downloading files and remember: If it comes from an oddly-spelled email or is hosted on a site that makes your browser generate a warning, stay away!
1 LOCK DOWN DEVICES
Place tablets and phones in a locked drawer when not in use. Never leave unsecured devices unattended!

2 USE ENCRYPTION
Many devices will offer the option to encrypt a file or the whole device. Encryption means that even if someone steals the device, they can’t read your files.

sensitive information. Keeping everything locked up and out of sight will help keep that information out of an intruder’s hands.

6 DON’T LET PEOPLE FOLLOW YOU IN
Entering the building is the first step for many attackers. Everyone who needs to be there has their own key card; don’t let strangers persuade you to let them in!

7 BE AWARE OF SOCIAL ENGINEERING
Social engineers deceive people in order to manipulate them into giving out valuable information or making mistakes. Be aware of the common social engineering tricks, such as pretending to be a delivery person to access a building.

8
Mistakes or accidents will happen, and something will get lost, broken or destroyed. Keeping regular backups will save you from having to redo your work.

10 KEEP AN EYE OUT
Be aware of your surroundings. Intruders may eavesdrop or spy on you over your shoulder! If entering a PIN on a pad, shield the pad with your hand.
CYBERCRIMINALS
Look out for social engineering
The attacker’s goal is often to convince you to talk to them so they can trick you into sharing sensitive information.

Be aware that urgency is a red flag
Attackers want you to react fast, without thinking about the consequences. Their phone calls and texts are made to provoke — claiming importance, danger or disaster.

YOU
Don’t use their contact methods
If you suspect SMS phishing or voice phishing, don’t contact them back using the methods they provide. Use an official phone number or website.
THEM
May be anyone
It’s not just the everyday employees or higher-ups! An insider threat may be a contractor, a consultant, a vendor or a former employee.

Act out of the ordinary
They seek to work unusual hours, ask for access to restricted information or brag about sudden, mysterious financial windfalls.

May have different motivations
Money may not be the only obvious motivation. Malicious insiders may be motivated by perceived slights, political or religious leanings, job dissatisfaction or revenge.

Violate policies
Insiders violate policies by definition, either knowingly or unknowingly. Policies are put in place to protect customers, data and the company, and an insider’s damage to the company will violate those policies.

YOU
Report suspicious behavior
If someone is acting suspicious or dangerous, management needs to know. Share your concerns with your supervisor. By reporting small signs, you could stop a problem before it becomes a disaster.

Trust but verify
If you suspect someone is an insider, be cautious. Verify their claims and maintain security until you can be certain of the situation: never share your password or access with a potential insider.

Practice good physical security and cybersecurity
Maintain a clean environment, lock up sensitive documents and password-protect and encrypt important files.

Know the signs of a disgruntled employee
Is someone picking fights with coworkers or angling to get fired? A disgruntled employee is one who may become an insider threat.
Hooked again? Not so fast! Phishing emails want you to take the bait, but all it takes is one person
to spot the hook and this phishy specimen has to cut it out. He’s gonna offer you money, fame,
fortune — but he can’t give you straight answers, so send this phish back to the deep end.
PASSWORD
SECURITY
When it comes to security, one password does a lot of heavy lifting. Pump up your password by picking long, uncommon
words that other people won’t think of, and let that strong password take some of the weight off your shoulders.
MOBILE
SECURITY
It’s out of control! If an enemy hacks into your phone or mobile device, the information they get from it can cause destruction
and danger much bigger than your pocket-sized phone. Practice smart mobile security by using antivirus and never sharing
your passwords, and trip this monster up before its rampage can begin.
SAFE WEB BROWSING
Tricks and traps! In the maze of the internet, exploring may reveal wonders or lead you into dangerous depths.
As you search, move slowly and don’t let yourself be tricked by dead ends and fake friends — or your computer
may be caught in a trap you never saw coming.
REMOVABLE MEDIA
They’re already inside! Removable media devices can be planted for unsuspecting employees to take. Stop these
infiltrators in their tracks by turning over discovered CDs and USB drives to your security or IT departments.
SOCIAL ENGINEERING
They want you to dance to their tune. Social engineers know what they want from you and your company, and
they’ll tell any lie they need to in order to make it happen. But you can cut the strings. Never take anything at
face value and always double-check the story they’re telling you, and there’s nothing this puppeteer can do.
PHYSICAL SECURITY
What if you saw someone struggling to open a restricted door? Or asking to use your login
just for a minute? Keep your office and building secure by never opening the door
for unauthorized personnel … Because it only takes one mistake to let in danger.
M A LWA R E
It’s dangerous … and it’s spreading. Before you know it, your system is infected by the newest and most destructive
computer virus. The only weapon that can fight it is the human brain! Use your smarts and caution to avoid suspicious
downloads and phony browser warnings, and this infection will have no one to infect.
When work comes home with you, it can cause a mess. Remote workers can still be targeted by attackers going after
company data, and that could mean you fighting dangers coming in through your own network. Kick out the intruders by
using strong Wi-Fi and router passwords, and lock the door with a VPN. Then you can be sure you’re really home alone.