News

2021’s Most Successful Phishing Ploys (So Far)

Posted in: phishing, Security - May 20, 2021

Fishing competitions take place all over the world. Anglers attempt all kinds of strategies in their attempts to land the big one. Phishing plays a similar game. Cybercriminals devise and constantly revise their strategies to land big fish of their own – access to financial data, the ability to lock users out and hold them to ransom, or the power to disrupt societal infrastructure.

The latest ploys are laid out in the Q1 2021 top-clicked phishing report by KnowBe4. Here are the winners of the phishing competition based on email subject lines:

General Email Subject Line                                     Share of clicks
Password Check Required Immediately                            31%
Revised Vacation & Sick Time Policy                            15%
COVID-19 Remote Work Policy Update                             13%
COVID-19 Vaccine Interest Survey                               10%
Important: Dress Code Changes                                   7%
Scheduled Server Maintenance -- No Internet Access              6%
De-activation of [[email]] in Process                           5%
Test of the [[company name]] Emergency Notification System      5%
Scanned image from MX2310U[[domain]]                            4%
Recent Activity Report                                          4%
Source: KnowBe4.com

As you can see, businesses are very much in the crosshairs as they are likely to bear the most fruit in the form of data and personally identifiable information. Predictably, password scams top the list. This makes sense given the insanity of endless passwords for a litany of sites. Once users get comfortable with current rules, it is not uncommon for users to receive a rash of emails from different sites expressing changes to password and security policies. That, in turn, leads to passwords being changed more often, and of course, more characters of growing complexity being added. No wonder this is a big area of user annoyance, disagreement, and frailty. The bad guys are latching onto it.

Think about it for a moment. Your average techie may be enamored by the idea of unbreakable passwords that are impossible to guess. But the average user would rather use a simple password that is easy to remember and is never changed. Regular prodding to change passwords or add more obscure characters has some users up in arms, and others in a state of despair. In such a state of mind, they may lower their guard and click on something malicious, thinking it to be just the latest meddlesome interference from IT. It is up to IT to ensure their actions and password enforcements don’t antagonize users and force them into that frame of mind. Otherwise, IT will continue to be overworked by phishing flaps.

Read more: Check out eSecurity Planet’s comparison of top password managers in Dashlane vs. 1Password and Dashlane vs. LastPass

“The bad guys go with what works and in Q1, nearly a third of the users who fell for a phishing email clicked on one related to a password check,” said Stu Sjouwerman, CEO, KnowBe4. “Always check with your IT department through a known good phone number, email address or internal system before clicking on an email related to checking or changing a password because it only takes one wrong click to cause monumental damage.”

Further targets for cybercriminals include HR traffic. HR departments have been busy during the pandemic. Many attempted to make up for lack of onsite presence by sending far more email traffic than before. Hackers have realized this and have achieved phishing success with subject lines about vacation and sick time, remote work policy changes, vaccine information, and dress codes. If HR traffic is high, a phishing attempt posing as an email from HR may strike gold.

IT department traffic is another area of phishing success. With so much remote work being done, IT departments have been forced to be more vocal than before. The bad guys are tapping into this area with subject lines about server downtime, email account deactivation, and various tests being conducted. Scanned images and package delivery notifications are further sources of phishing success, as are social media messages – LinkedIn phishing messages dominate in social media email subjects.
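A triage rule that applies the report's lure themes to inbound mail, as an added example for this page (not code from CIO Insight or KnowBe4). It parses a message's headers with the Python standard library, scores the subject against the credential, HR and IT themes listed above, and treats an external sender whose display name claims an internal role (HR, IT, helpdesk) as the strongest signal, since that is exactly how the HR- and IT-themed lures work. The theme keyword lists, the internal domain example.com, the scoring weights and the three sample messages are constructed assumptions.

```python
"""Triage inbound mail against the lure themes in the KnowBe4 Q1 2021 top-clicked list.

Added example for this page; not code from CIO Insight or KnowBe4. The theme
keyword lists, the internal domain "example.com", the weights and the sample
messages are all constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumed: the organisation's own mail domain

# Lure themes taken from the report's top-clicked subject lines, grouped by the
# department each one impersonates.
THEMES = {
    "credential": [r"password", r"de-?activat", r"recent activity"],
    "hr": [r"vacation", r"sick time", r"remote work", r"vaccine", r"dress code"],
    "it": [r"server maintenance", r"no internet", r"emergency notification", r"scanned image"],
}
URGENCY = [r"immediately", r"required", r"important", r"in process"]
# Display names an external sender has no business using.
INTERNAL_ROLES = r"\b(it|hr|helpdesk|human resources|it department)\b"


def _host_is_internal(host):
    host = host.lower()
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def triage(raw_message):
    """Return (verdict, score, reasons) for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")

    score, reasons = 0, []
    for theme, patterns in THEMES.items():
        if any(re.search(p, subject, re.I) for p in patterns):
            score += 2
            reasons.append(f"subject matches {theme} lure theme")
    if any(re.search(p, subject, re.I) for p in URGENCY):
        score += 1
        reasons.append("urgency wording in subject")
    # The HR/IT lures succeed because they look internal; an external sender
    # claiming an internal role is therefore weighted highest.
    if re.search(INTERNAL_ROLES, display, re.I) and not _host_is_internal(sender_host):
        score += 3
        reasons.append(f"'{display}' sent from external domain {sender_host}")
    link_hosts = re.findall(r"https?://([^/\s>\"]+)", body)
    if reasons and any(not _host_is_internal(h) for h in link_hosts):
        score += 1
        reasons.append("lure-themed mail links to an external host")

    if score >= 4:
        verdict = "quarantine"
    elif score >= 2:
        verdict = "flag"      # deliver with a banner asking the user to verify with IT
    else:
        verdict = "deliver"
    return verdict, score, reasons


# Constructed sample messages (the .invalid TLD is reserved and never resolves).
SAMPLES = {
    "cred_phish": (
        'From: "IT Helpdesk" <helpdesk@portal.invalid>\n'
        "To: user@example.com\n"
        "Subject: Password Check Required Immediately\n\n"
        "Your password expires today. Verify it at https://portal.invalid/verify\n"
    ),
    "hr_notice": (
        'From: "Human Resources" <hr@example.com>\n'
        "To: staff@example.com\n"
        "Subject: Revised Vacation & Sick Time Policy\n\n"
        "The updated policy is on the intranet: https://intranet.example.com/policies\n"
    ),
    "plain": (
        'From: "Alice" <alice@partner.invalid>\n'
        "To: user@example.com\n"
        "Subject: Lunch on Thursday?\n\n"
        "Are you free at noon?\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, score, reasons = triage(raw)
        print(f"{name:11s} {verdict:10s} score={score} {'; '.join(reasons)}")
```

Note that the genuine HR notice still lands in the "flag" band: a subject that matches a top lure theme is reason enough to show the user a banner, which is the "check with IT before clicking" advice in machine form, while only the combination of lure theme, urgency and impersonation reaches quarantine.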

The motto is clear: Think Before You Click.

The post 2021’s Most Successful Phishing Ploys (So Far) appeared first on CIO Insight.


What Lessons Can CIOs Learn from the Colonial Pipeline Hack?

Posted in: colonial, hacking, Security - May 20, 2021

The news angles and repercussions of the Colonial Pipeline hack just keep multiplying. It’s a story that serves to emphasize that a data breach bringing down a database or website is one thing – but crashing key infrastructure is quite another.

No ransomware attack has captured the imagination of the public like the Colonial Pipeline debacle. Millions paid in ransom, long lines at gas stations, soaring prices, federal government dallying, even a public explanation from CEO Joseph Blount as to why the company paid the ransom – this one has so many avenues to explore.

Investigators are delving into the exact causes. Whatever the specifics in the Colonial Pipeline hack, the contributing factors are unlikely to fall outside of these familiar vulnerabilities, each of which CIOs need to pay close attention to.

Phishing

Problem: All it takes is one gullible employee clicking on a malicious email link or attachment and the bad guys are inside. And while most know not to click open the email from the overseas banker who needs your help repatriating millions in krugerrands, phishing at the enterprise level still works.

Solution: Invest heavily in security awareness training to teach employees how to avoid being hoodwinked by social engineering ploys. All the security technology in the world and the best IT team in the universe can be utterly defeated by one inattentive staffer.

Backups

Problem: In the event of a ransomware attack, it is vital to have a clean backup to hand so you can get affected systems back up and running rapidly.

Solution: As well as good backup software, ensure you have the capability to test backups regularly, and scan them to make sure that your backups don’t contain ransomware.
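A concrete form of the "test backups regularly" advice, as an added example for this page (not code from CIO Insight or any backup vendor). At backup time it records a SHA-256 manifest of every file; at test time it re-hashes the set, reports missing, changed and unexpected files, and flags changed files whose byte entropy is close to 8 bits per byte, which is what mass encryption by ransomware looks like and what plain documents and configuration never look like. The manifest format, the 7.5-bit threshold and the sample backup set built in demo() are constructed assumptions.

```python
"""Verify a backup set against its manifest and flag files that look encrypted.

Added example for this page, not the article's or any vendor's code. The
manifest format, the entropy threshold and the sample backup set built in
demo() are all constructed for illustration.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.5  # bits/byte; assumed threshold, text and config sit far below it


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Record relative path -> sha256 for every file under root at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Re-hash the backup and classify every deviation from the manifest."""
    report = {"ok": [], "missing": [], "changed": [], "suspect": []}
    present = build_manifest(root)
    for rel, digest in sorted(manifest.items()):
        if rel not in present:
            report["missing"].append(rel)
        elif present[rel] != digest:
            report["changed"].append(rel)
            with open(os.path.join(root, rel), "rb") as f:
                if entropy(f.read()) >= HIGH_ENTROPY:
                    report["suspect"].append(rel)  # changed AND looks encrypted
        else:
            report["ok"].append(rel)
    # Files that were not in the backup set at all (e.g. a dropped ransom note).
    report["unexpected"] = sorted(set(present) - set(manifest))
    report["usable"] = not (report["missing"] or report["changed"] or report["unexpected"])
    return report


def demo():
    """Build a small backup set, verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        for rel, text in [("docs/policy.txt", "vacation policy v3\n" * 40),
                          ("docs/readme.txt", "restore steps\n" * 40),
                          ("config.ini", "[db]\nhost=localhost\n")]:
            with open(os.path.join(root, rel), "w") as f:
                f.write(text)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Constructed tampering: one file overwritten with ciphertext-like bytes,
        # one deleted, one new file dropped into the set.
        with open(os.path.join(root, "docs/policy.txt"), "wb") as f:
            f.write(os.urandom(4096))
        os.remove(os.path.join(root, "config.ini"))
        with open(os.path.join(root, "docs/README_RESTORE.txt"), "w") as f:
            f.write("constructed note\n")
        tampered = verify_backup(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup usable:", clean["usable"])
    for key in ("missing", "changed", "suspect", "unexpected"):
        print(f"after tampering, {key}: {tampered[key]}")
```

The manifest has to live somewhere the backup itself cannot overwrite (the offline copy discussed under Air Gaps is the natural place); a manifest stored beside the data it describes would be encrypted along with it.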

Read more about why Tape Remains a Critical Part of Enterprise Storage.

Air Gaps

Problem: Any system that is online, such as a disk-based backup, is susceptible to attack. If bad actors get in there, they can lock you out and hold you to ransom. All the regular security measures can and should be used to thwart such attacks.

Solution: The only sure way is to have an air gap, which is a physical barrier that is offline between the web and the data. This can be achieved via modern tape archiving and backup systems that keep tapes offline, yet they remain accessible within minutes if needed due to their automated nature.

Don’t Pay the Ransom

Problem: FBI directives make it clear that ransoms should not be paid, as paying encourages the criminals to continue attacking. Plus, those paying have no guarantee they will regain access, or that the bad guys haven’t retained some kind of backdoor or malicious code that can allow them to attack again.

Solution: Unless the financial cost of being denied access makes the ransom demands seem like chickenfeed, don’t pay. But you have a stronger hand if you have implemented the backup and air-gap points above, so that you have all or most of the data available for relatively rapid recovery.

Segmentation

Problem: “One network to rule them all” is a bad idea. Period. One way to prevent ransomware from taking over enterprise resources is to internally segment the network. By doing so, malware can’t freely move from one infected machine to another.

Solution: Ask your IT department what they are doing about micro-segmentation. Insist they institute some form of granular segmentation within the IT infrastructure in order to limit the visible attack surface. Yes, one segment may become compromised and subject to ransomware. But the others will remain secure as they are walled off.

Zero-trust security

Problem: Part of the problem is that one compromised user account may be enough for cybercriminals to enter the network. And if they gain admin privileges, it’s game over.

Solution: Implement zero-trust security frameworks and technologies as they enforce proper authorization and validation and limit access to applications, data, and networks. As part of this approach, all resources are micro-segmented so as to allow only the amount of access privileges absolutely needed. Many of the latest firewalls come with micro-segmentation and zero-trust features.

Read more on Rise of Zero-Trust Network Access.

Digital transformation

Problem: Most companies have submitted to the allure of digital transformation. This basically updates all systems so that they can integrate fully, gets rid of old analog and legacy systems, and brings the world of operational technology (OT – essentially building systems, cooling, heating, mechanical systems, etc.) into the world of IT. The downside is that with everything connected, the bad guys can shut anything down – like a pipeline or a hospital.

Solution: Enforce multi-factor authentication, and data encryption at rest and in transit, as well as the implementation of zero trust security, better endpoint protection, and faster incident response. And adopt a cautious approach to digital transformation so that your digitization initiatives don’t run far ahead of the need to secure them.

Patches

Problem: Next to phishing, uninstalled patches are the next biggest security hole in the enterprise. It’s shocking to note that urgent security patches from months ago are still not deployed in many enterprises.

Solution: Relieve the burden on IT by implementing automated and centralized patch management, and ideally turning the entire function over to a trusted vendor. The sad truth is that this function tends to get neglected as IT has other urgent priorities and firefights going on.

With breaches like the Colonial Pipeline hack making regular appearances in the headlines, CIOs have never been in a potentially stronger position to advance their companies’ security and infrastructure hardening goals. Zero-trust network access and segmentation might not close all the security gaps. But they’re certainly a good place to start.

The post What Lessons Can CIOs Learn from the Colonial Pipeline Hack? appeared first on CIO Insight.


What Are CIOs Looking for in Current IT Grads?

Posted in: business skills, Careers, github, IT grads, IT interviews, IT Management, IT project management, Leadership, new graduates, programming languages, Project Management, soft skills, technical skills - May 19, 2021

Few industries are experiencing the growth and role diversification happening in computer and IT professions. IT roles, particularly in the areas of cloud computing, big data, and information security, are expected to grow by 531,200 jobs from 2019 to 2029, which bodes well for IT graduates entering the job market.

But in a booming IT job market, are IT graduates truly prepared for the work that they’re heading toward? Do they possess both the technical and pragmatic skills to succeed when pitted against more experienced IT professionals? We connected with more than 50 CIOs and other IT leaders to learn more about what they’re looking for in new hires. Here’s what they had to say.

Read Next: The Post-COVID Future of IT Remote Work

Best Professional Practices for New IT Grads

Develop a strong technical backbone and aptitude for more.

New IT graduates rarely have all, or even most, of the skills that CIOs want. Especially since most computer and data science university curriculums focus on theoretical over practical application, many graduating students have not yet developed the real-world skills that will make their knowledge relevant to a business. 

IT leaders recognize this gap in experience, but still want new hires to demonstrate skills in the basic building blocks of the industry, with background or coursework in coding languages and relevant data science courses.

Arthur Iinuma, the cofounder and president of ISBX, explained in detail the technical skills that IT grads need to get noticed by hiring managers: 

“We expect IT graduates to have coding skills in at least one of the main languages: Java, HTML, CSS and C++. Ideally, they should have some familiarity with one of the more exotic languages like C#, Python, AngularJS, Ruby or React.”

Beyond relevant coursework and knowledge, tech leaders look for IT grads who have applied this knowledge to real-world problems prior to entering the job market. 

Iinuma offered another solution for current students and new IT grads who want to build their experience in the industry:

“Regarding technical skills, we are looking for experience with contributing to open source projects like GitHub. Candidates must have a firm understanding of systems architecture and database management. As the future of IT is data, strong data analysis skills are a must.”

Read Next: What Key Lessons Can CIOs Take from COVID?

Work on problem solving and business acumen skills early.

Many IT professionals start in hands-on, daily, problem-solving roles for their company or clients, which requires them to understand technical resolutions, people skills, and team collaboration skills. 

CIOs will often use a problem-solution interview technique to assess a candidate’s skills in this area. What is a possible problem scenario the new hire could encounter in this role and how could they fix it? Consider several areas spanning from technical errors to interpersonal diplomacy, and determine what solution would help a new hire succeed in that scenario.

Several IT leaders also recommended that aspiring IT professionals gain project management experience before they search for an IT role. 

Thilo Huellmann, CTO at Levity.ai, offered these project management suggestions for inexperienced IT professionals to build their skills:

“Project management isn’t technically a skill, but without it, even the most skilled programmer wouldn’t be able to achieve much. IT graduates who are employed by reputable tech firms are those who have shown the ability to see projects through from start to finish. Being a CTO, I think fresh IT grads should take project management classes or volunteer with tech projects that they can credit in interviews or applications. It’s a surefire way to set fresh IT grads apart to stand out from the crowd.”


IT students learned a wide variety of technical skills in school, but probably very few business and project management skills. Like web development and coding, project management skills can be learned online in courses like The Junior Project Manager – Learning Project Management Through Stories.

Build on soft skills and propensity for learning constantly.

Technology is always changing, so IT grads should always consider themselves students of their craft and their line of business. Hiring managers look for evidence that a prospect is committed to continuing to learn, staying up-to-date with tech trends, and learning emerging technologies. More importantly, CIOs want to be sure new hires arrive ready on day one to contribute to the team both professionally and personally, offering solutions and a collaborative spirit on all team projects.

Rich Temple, Vice President and CIO at Deborah Heart and Lung Center, offered these words of wisdom about the soft skills and culture fit that the right candidate needs to succeed early on in their career:  

“I place a particular emphasis on the so-called “soft skills”. How would this person interact with colleagues and end users? Building constructive and collaborative relationships is extremely important, even in the most technically complex roles. Ensuring that we aren’t hiring someone who could be toxic to a positive team environment or would work in a “bubble,” not being cognizant of the larger impact of their work, is exceedingly important to me.” 

Candidates who ask good questions will more than likely maintain that curiosity and willingness to learn as they grow in their role. IT leaders can assess an applicant’s aptitude for the position based on the quality of questions that they ask during the interview. Are they interested in continued learning opportunities at the firm? Are they curious about the team culture and what the company is looking for? Do their questions show a true passion for the position’s or company’s goals? All of these questions point to a candidate who will absorb their training and apply it as a new hire.

Temple shared these final words about why curiosity can help the new IT graduate to land into a new role successfully:  

“What I can safely say is that, while specific technical skills or certifications are welcomed and valuable, that is only a piece of the puzzle. I like to see individuals who are eager to learn, have an understanding of the world around them, and seem as though they would be able to understand the business and operational contexts of the technical work they would be doing.” 

Read Next: 6 Insightful CIO Interview Questions

The post What Are CIOs Looking for in Current IT Grads? appeared first on CIO Insight.


Daman News and Events

This showcases our company news and upcoming events. Please check back as this page will change frequently.