October 2015 – Axiom Cyber Solutions

Social Engineering – Even the CIA Director is Not Immune

What is social engineering?

Social engineering refers to the concept of psychologically manipulating people in order to trick a person into revealing critical information. Cyber criminals will attempt to do this in many ways. For example, an employee may have their computer accessed by a hacker who has installed malware into their system. Another example is tricking an employee into giving them accessibility, it could be a password or crucial banking information. Human nature and trust feeds into this concept and cyber criminals are counting on this. There has even been reports of attractive women befriending IT security professionals, thereby gaining entry and infecting the network with malware.

In another example, how easy would it be to simply call up an employee of a business and pretend to be the company’s IT department, convincing them to handover a password? At this point, a company’s security is compromised and the cyber criminal has exactly what they need to do some real damage. By acquiring this confidential information, the cyber criminal is able to avoid using the internet or hardware to hack.

These days, you’d be hard pressed to find someone who isn’t a member of one social media outlet or another. In fact nearly two-thirds of 50-64 year olds and 43% of those aged 65 and over are now on Facebook according to a recent study done by Pew Research Center.

As shown in recent headlines, even the CIA’s Director is not immune to social engineering. On October 21st, 2015, WikiLeaks published their second batch of CIA Director John Brennan’s confidential AOL emails. The teen hacker admitted that he obtained access to Brennan’s emails by posing as a Verizon employee. So, how can you help yourself stay safe?

According to the Department of Homeland Security, the following tips can help you avoid the above scenario.

Email Awareness – Cyber criminals will send massive amounts of fake e-mails, with hopes that people will open the email and then become infected by malware. By installing and maintaining security protections such as firewalls, antivirus software, and email filters, you can greatly reduce your unwanted email traffic. Employees must be trained on email and browser best practices, including the following tips.

Resist the urge to click links in a suspicious email – visit websites directly.
Be cautious of email attachments from unknown sources.

Website and Software Security – Eighty-six percent of all websites have at least one serious vulnerability, and most of the time, they contain more than one, according to the 2015 Website Security Statistics Report. Hackers will target websites that have Flash or Java to trigger vulnerabilities. By using an antivirus program with software such as firewalls and malware and spyware detection, you can improve your chances against cyber criminals. Making it a priority to check for security patches and updates and following the below tips will assist with your security.

Only install approved applications.

Be sure you’re at the right website when downloading software or an upgrade. Even when using a trusted site, double-check the URL before downloading to make sure you haven’t been directed to a different site.
Recognize the signs that your computer is affected, and contact IT if you believe you have been the victim of an incident.

Password Protections – “Password1” was the most common password used by corporate environments in 2014. How unsafe and unimaginative is that? This prime example of lethargy points out a huge security gap in the industry and is exactly what cyber criminals are looking for when breaking into a system by using unauthorized usernames and passwords. Follow the tips below to safeguard against this.

Change the passwords on computers and point-of-sale systems (including operating systems, security software, payment software, servers, modems and routers) from the default ones the products came with to passwords that are easy for you to remember but difficult to guess. Long, strong passwords incorporate upper- and lowercase letters, numbers and symbols and should consist of “passphrases.”

Update system passwords regularly and especially after outside contractors do hardware, software or point-of-sale system installations or upgrades.
Educate employees and users on choosing strong passwords and changing them frequently.

Use two-factor authentication. Many of these attacks rely on getting a password one way or another. Requiring another form of ID, such as a security token, will make it harder for hackers to falsify an account.

Taking the time to learn more about cybersecurity requires the openness to learn and even change the way you do business. Social engineering is one of the easiest ways a cyber criminal can gain access to critical information. All levels of employees can be vulnerable to social engineering attacks and all it takes is one click.

Axiom’s solutions come in different sizes and all our solutions are designed to deal with the attack vectors of today while being adaptive and flexible enough to continue to secure your network for years to come. For more information, give us a call us at (800) 519-5070.

Top 5 Cyber Crimes All CPA’s Should Be Aware Of

The U.S. Intelligence Service puts cyber crime as the number one threat that we face, moving past terrorism. In 2014, 39% of all cyber attacks affected financial institutions compared to 17% found in other industries, according to professional consultancy group, PwC.

These financial institutions include banks, mortgage lenders, insurance companies, and brokerage firms. A recent report by the AICPA (American Institute of Certified Public Accountants), the world’s largest member association with over 400,000 members representing the accounting profession, has identified the top five cyber crimes that CPA’s should be aware of.

Tax Refund Fraud: All a cybercriminal needs is a name and Social Security number in order to go through with his crime. This information can be accessed by either purchasing on the black market, e-mail phishing, or social engineering. The cybercriminal can then fill out the tax return and generate a large refund. The ACIPA encourages CPAs engaged in tax work to assess their privacy and security policies, and establish internal controls to keep client data secure.

Corporate Account Takeover: This is the most stealthy and costly type of attack. An electronic funds transfer such as ACH (Automated Clearing House) fraud or wire transfer fraud involved three key steps.

Log-in credentials are acquired illicitly. It may come as an email attachment or file transfer. When the user allows this malicious program to be downloaded and executed, the cybercriminal moves onto the next step.

Now that the cybercriminal has access to the victim’s computer, they can avoid the bank’s security features, allowing the criminal to move onto their third step.

The cybercriminal can transfer the funds from their victim’s account to an account of their own. A ‘money mule’ may be used to transfer the funds to a protected account, likely overseas and away from U.S. law and jurisdiction.

CPAs can help educate their clients about this type of cybercrime. CPAs in management accounting who hold a key position of responsibility for this kind of fraud must learn the vulnerabilities that come with online banking.

Identity Theft: This is a gateway to other cybercrimes and frauds. Once a criminal has a person’s information, they can financially benefit by the following ways:

Opening a line of credit
Purchase goods or services
Rent or buy a home/apartment
Receive medical care
Obtain employment

Identity theft can be tricky because cybercriminals will sit on that information for some time before using it. According to the AICPA, 50% of identity theft goes undetected for at least one month and 10 percent remains undetected for two or more years. Due diligence must be practiced or lawsuits may occur. The AICPA found that ‘forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws regarding security breaches of personally identifiable information’.

Theft of Sensitive Data: Businesses may have sensitive data such as unencrypted credit card information, personal information, trade secrets, codes, customer, and employee information that lure cybercriminals. The theft of sensitive data can be costly for businesses, in both financial costs and public-image. Legal fees and increasing security measures are sure to follow.

Theft of Intellectual Property: Intellectual property, includes commercial, copyrighted materials like music, movies and books. These are at risk of being stolen. According to the FBI, preventing intellectual property theft is a priority for its criminal investigative program and they are focusing on theft of trade secrets and product infringements, such as counterfeit parts and other products that threaten safety. AICPA encourages CPA’s to work with their clients on being up to date on privacy and security reviews.

The AICPA encourages financial institutions to focus on earlier detection of cyber crimes by implementing monitoring systems and technologies for cyber security.

Axiom’s solutions come in different sizes and all Axiom solutions are designed to deal with the attack vectors of today while being adaptive and flexible enough to continue to secure your network for years to come. For more information, give us a call us at (800) 519-5070

Cyber Security: Not a Priority in Nuclear Power Plant Facilities

October is National Cyber Security Awareness Month. In our past articles, we’ve mentioned cyber security vulnerabilities ranging from both small to large businesses, healthcare organizations, and more. Recently, a report was published by the International Policy Institute, Chatham House, on cyber security in nuclear power plants.

The fifty-plus page report was released this past September and detailed numerous shortcomings found in worldwide nuclear power facilities, including the United States. The report was extremely critical of vulnerabilities found in these facilities. Many of these infrastructures are ‘insecure by design’, because of their age and are not as well prepared as they may believe. In fact, many of these infrastructures were built before cyber attacks were even considered.

Recent high profile cyber attacks have brought to light these cyber security vulnerabilities in nuclear facilities. Couple that with the present rising number of crimes perpetrated by cyber criminals and terrorist groups and the very real fear of releasing radiation, you have a real cause for concern.

The report states that their focus is on when a plant’s control systems are “disrupted or even captured and harnessed by saboteurs acting either inside or outside the facilities where these systems are located.”

The range of threats could vary from stealing confidential corporate data for financial profit or stealing operational information to be used in an attack at a later time. Considering a plant’s industrial control system, the report states,
“A cyber attack that took one or more nuclear facilities offline could, in a very short time, remove a significant base component to the grid, causing instability.”
However, the worst case scenario according to Chatham is an attack on a nuclear plant’s backup power system could cause a release of ionizing radiation.

Chatham studied nuclear power plants worldwide over an 18 month time period. They found several factors for these vulnerabilities and we have narrowed down the following four industry-wide cyber security challenges.

1. Employees and Human Nature: In general, poor IT practices and the very human nature of finding shortcuts at work can contribute to security breaches. For example, employees may want to charge their smartphones by directly charging them in a control computer but if these devices lack antivirus software, systems are particularly vulnerable.

One source goes on to describe how in some US nuclear power plants, engineers will bring in their personal computers into work, plugging them directly into the computer interface of the PLC (Programmable logic controller). If the engineer’s personal computer is infected with malware, it can and will affect the PLC in the process.

2. Passwords: Default passwords are commonly found at plant facilities, according to Chatham’s report.

“The failure to change default passwords is another challenge at nuclear facilities. In some instances, nuclear facilities fail to take basic ‘good IT hygiene’ security measures, such as changing the factory default passwords on equipment.”

It’s incredible how such a simple safety measure is being overlooked. This is part of a bigger problem, which leads us to our next item.

3. Culture of denial: One source explained that there is a ‘culture of denial; found in many nuclear facility personnel,

“It remains a movie scenario, maybe in the future. They think it is just states against states, not everybody wants to hack us, and also it won’t happen here.” Although many personnel feel it’s unlikely, cyber attacks need to be considered as a real threat. Harmful radiation would have everlasting effects.

Chatham found that cyber security training lacks a cohesiveness in drills between regular plant personnel and the IT security personnel. Training includes focusing on more reactive than proactive solutions, so in many cases, cyber attacks are occurring before an employee is aware of it.

4. Air gaps myth: An air gap is a network security measure, employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. Many in the industry believe that ‘air gaps’ will keep them safe from cyber attacks but in reality, all nuclear plants are not ‘air gapped.’

The issues is that employees want those ‘commercial benefits’ that the Internet can offer, and don’t consider that they are connected to the internet.

“A number of nuclear facilities now have VPN connections installed, which facility operators are sometimes unaware of,” the report says. VPNs can be used to introduce malware onto the industrial control network.
Something as tiny and simple as a flash drive is all it takes to gain access into a plant’s system, personal computers are used frequently enough and because they can be directly connected to a plant’s control system, it is by no means a guarantee.

Chatham concludes that “plants must develop guidelines to measure cyber security risk in the nuclear industry, including an integrated risk assessment that takes both security and safety measures into account as well as fostering partnerships between vendors and cyber security companies to enable the development of more robust cyber security products.” Getting a handle on practicing ‘good IT hygiene’ as we mentioned earlier is also an element that needs to be addressed at all of these facilities.

October is Cyber Security Awareness Month

2015 has been the year of cyber crime, data breaches, and cyber attacks. We live in a world where we are all unified with our smartphones, tablets, and laptops. Although this constant connection has changed many people’s lives in many ways for the better, it also poses a huge risk for a company’s data such as financial information and health records.

As we have learned from the Office of Personnel Management to Home Depot , no organization is immune to these breaches. All it takes is one click for an organization to become compromised and lose their data and their customers data. These breaches can be incredibly costly to these organizations, whether it’s due from the downtime a website experiences or the potential fines that the Federal Trade Commission (FTC) may impose. Cyber security is so vital, it even has its own month dedicated to it.

October is National Cyber Security Awareness Month. This October marks the 14th year since its inception by President Obama in 2004. National Cyber Security Awareness Month (NCSAM) encourages vigilance and protection by all computer users, promoting cyber security as “our shared responsibility.”

President Obama stated in his Executive Order on Promoting Private Sector Cybersecurity Information Sharing Proclamation,

“Cyber threats pose one of the gravest national security dangers the United States faces. They jeopardize our country’s critical infrastructure, endanger our individual liberties, and threaten every American’s way of life. When our Nation’s intellectual property is stolen, it harms our economy, and when a victim experiences online theft, fraud, or abuse, it puts all of us at risk. During National Cybersecurity Awareness Month, we continue our work to make our cyberspace more secure, and we redouble our efforts to bring attention to the role we can each play.”

The month long awareness program is sponsored by the National Cyber Security Division (NCSD), which is part of the Department of Homeland Security and the non profit organization, the National Cyber Security Alliance (NCSA). NCSAM’s mission is to engage and educate the public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident.

Axiom Cyber Solutions would like to share the following cyber security tips from the Department of Homeland Security. These tips can help keep your personal information and assets safe online.

Set strong passwords and don’t share them with anyone.

Keep your operating system, browser, and other critical software optimized by installing updates.

Maintain an open dialogue with your family, friends, and community about Internet safety.

Limit the amount of personal information you post online and use privacy settings to avoid sharing information widely.

Be cautious about what you receive or read online – if it sounds too good to be true, it probably is.

If you are interested in seeing what National Cyber Security Awareness Month activities are near you, please visit: https://www.staysafeonline.org/ncsam/events.

If you or your organization needs further help on security, please contact Axiom Cyber Solutions at 800-519-5070