The FBI’s New Stance on Ransomware

The FBI’s New Stance on Ransomware

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money, or ransom, is paid. Though now primarily known by this definition as a cybercrime, ransomware has been around since before the internet gained its popularity. The first instance of the threat occurring in 1989 was actually via postal mail and it was known as AIDs Trojan. This original variant spread via floppy disks and involved sending $189 to a post office box in Panama as payment for the ransom. Since then, the threat has grown drastically with the flourishing of the internet, not only in its complexity but in its reach as well.

Ransomware has attacked millions of victims across a multitude of industries with education, healthcare, and government among some of the most highly targeted sectors. Instances of the cyber-threat have increased by over 53% in the past 12 months, with projections set to rise even more significantly by the end of 2016. Not only have ransomware scam artists been able to infect millions of people’s computers and hold their files for ransom, often after encrypting them, but they have made a lot of money doing so. Last year alone, the cyber threat brought in upwards of $325 million for cybercriminals, and it appears as though their paydays are growing in number and in ransom amount paid. Evolving from the checks sent to that P.O. box in Panama to difficult-to-trace bitcoin transactions that are so predominant in ransomware today, the threat and its multiple different creators are getting harder and harder to stop.

Throughout the years, there have been varying opinions on how to handle this cyber-crime. Of course you don’t want to fund cybercriminals’ vacations by paying the ransom, but you also need to regain access to your precious files that mean so much to your business. What do you do in this case? Well the FBI has come out with a clear stance on what they think needs to be done in order to stop, or at least slow down, ransomware in its tracks.

Contradictory to their opinion last year where they encouraged companies to just pay the ransom in order to regain access to important files that were encrypted by ransomware variants including Cryptolocker, Cryptowall and other malware, the FBI now says that you should not pay the ransom and you should report any instance of the cybercrime to them directly. This change of heart on the matter was not made lightly. The FBI’s goal in all of this is to be able to better assess the magnitude of the threat that ransomware poses. In a public service announcement on September 15th, 2016, the FBI explains why they are asking for ransomware victims’ help:

“Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases. Knowing more about victims and their experiences with ransomware will help the FBI to determine who is behind the attacks and how they are identifying or targeting victims.”

While reporting an incident will help the FBI be able to keep track of the number of ransomware attacks out there, they are looking for some specific data that will be of extreme help in finding these ransomware scam artists. Here are some specifics that the FBI is looking for:

  1. Date of Infection
  2. Ransomware Variant (identified on the ransom page or by the encrypted file extension)
  3. Victim Company Information (industry type, business size, etc.)
  4. How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
  5. Requested Ransom Amount
  6. Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
  7. Ransom Amount Paid (if any)
  8. Overall Losses Associated with a Ransomware Infection (including the ransom amount, if paid)
  9. Victim Impact Statement

While the FBI is eager to receive all of these reports in an attempt to stop the cyber-crime, in its September 15th PSA, the FBI also stresses the importance of strong cyber-defenses in order to avoid the threat in the first place. A few common key elements to this security include the installation of a secure firewall and regularly backing up data. If you find that you are the victim of ransomware, please contact the FBI immediately and provide them with as much of the information above as possible. If you would like to prepare your defenses against such an attack, please contact Axiom Cyber Solutions to learn more about how to get and stay protected. Our patented ransomware algorithm and team of managed cybersecurity experts will make sure you and your business are taken care of.

Hailey Carlson | Axiom Cyber Solutions | 9/30/2016

Cybersecurity Skills Gap: Will it improve or widen further?

Cybersecurity Skills Gap: Will it improve or widen further?

There is a fast approaching shortage of workers in the workforce across a multitude of industries—and while many think of the healthcare industry as being the most threatened by this shortage as there has been a recent lack of future qualified nurses, there is an alarm being sounded by the cybersecurity industry for fear of the same thing happening within it as well. As the number of cyber threats facing internet users globally increases daily, so does the demand for qualified individuals to combat these risks. While demand for cybersecurity jobs is expected to grow by 53% over the next two years, there are not enough adequately qualified people expected to be available to fill all of these positions. This is what is known as the cybersecurity skills gap.

As of March of 2015, there were more than 209,000 cybersecurity jobs in the US that went unfilled and the number has grown drastically since then. Most experts believe this to be caused by a lack of interest by future workers, meaning that not only is there a lack of attention towards this industry among college-aged students who are not picking cyber-related majors such as Computer Information Systems and Computer Science, but K-12 children as well. In an attempt to increase interest, there are programs such as STEM (science, technology, engineering, and math) that are designed to peak a young tech guru’s curiosity about the possibility of pursuing a career in the IT industry. While some may be interested in a career in cybersecurity, not everyone who tries is adequately qualified for the position which they are applying; for this reason, experts in the field are divided on whether or not the cybersecurity skills gap will improve or be widened further.

Will the gap improve or widen further?

Experts are torn on their opinions as to whether or not the cybersecurity skills gap will be improved or widened in the coming years.

Those who believe that there is no hope for the industry’s workforce to improve argue that while many people may be applying for IT jobs, they are not properly qualified for these positions. Sixty-seven percent of IT professionals do not have any certification that would make them qualified for their jobs—they must simply learn while they are on the job. These naysayers also argue that most of the executives that prioritize cybersecurity are only CIOs and senior IT leaders, prioritizing the threat about 73% compared with CEOs and CTOs who reportedly only consider security approximately 55% of the time on average between the two positions. The experts on this side of the issue believe that if these high ranking executives don’t take the threats that face their companies seriously, how can the gap be improved properly?

Those who believe that the gap will be decreased have two main approaches to improving the industry’s lacking workforce. First, is a people-centric approach that focuses on training our next generation of workers in cybersecurity skills. This requires teamwork between industry professionals and higher education establishments who must not only share the responsibility, but are required to have a cohesive action plan. In May of 2016, IBM security professionals volunteered their time to teach at the University of Warwick to discuss things like security solution design processes as well as endpoint security among others. By educating those interested in a career in IT, the gap will surely be lessened over time.

The second approach that supporters of the skills gap being closed might utilize, primarily as a backup plan (for now), is the use of cybersecurity robot workers. This approach is a little bit less conventional because though it fulfills the needs of companies to have qualified workers, it negatively impacts unemployment rates, so many experts favor the people-centered approach over this one.

Important Cybersecurity Skills Needed

There are many traits that a qualified cybersecurity professional should have, but among the most important of these are (1) intrusion detection, (2) secure software development, and (3) attack mitigation. These are the three essential skills that will aid the cybersecurity industry in lessening the gap in qualified workers. “These skills were in greater demand than softer skills, such as the ability to collaborate, manage a team, or communicate effectively,” reports a researcher with the Center for Strategic and International Studies. While this may contradict what some people have previously thought, knowledge of these three main skills will ensure properly educated workers are placed in positions for which they are appropriately capable of fulfilling.

Because of its unpredictability, it is hard to say just exactly who will be right about the cybersecurity skills gap; however, peaking young people’s interest early and utilizing team work to bring together higher educators as well as industry giants might help for this gap to be lessened in the near future. If you are interested in a career in IT, visit us at https://axiomcyber.com/ to learn more about a small-business-centered cybersecurity career.

Hailey R. Carlson | Axiom Cyber Solutions | 9/23/2016

Image Source

S.T.E.M Careers: Growing Towards the Future

S.T.E.M Careers: Growing Towards the Future

S.T.E.M. Education

Many people have heard of the STEM program but not everyone knows exactly what it entails. STEM is a curriculum based on the idea of educating students in four specific and critical areas — science, technology, engineering, and math — however, STEM does not separate these subjects to be taught individually, rather they are integrated into a cohesive program that teaches the subjects together as compliments to one another. One key point that the program is praised for is its use of real-world applications to train these students for their future careers — making it one of the most successful programs resulting in some of the best-prepared students facing the workforce upon graduation.

More often than not58, people think of high school or even college as the starting point for such technical and complex education to begin, but many schools have incorporated STEM into classes to some degree from kindergarten on up through high school! Of course, it is much more basic at the lower grades, but by including it in the curriculum in students’ education from the beginning and adding to it incrementally as they grow, students will be much more interested in the subjects included in STEM. In addition to this, they will be able to notice the correlation between these subjects, which will possibly result in higher numbers of these individuals choosing STEM-related careers. As you can see to the left, 58% of people currently working in STEM decided on this career path prior to graduating high school, meaning that early teaching is critical in creating future workers interested in STEM.

 

S.T.E.M. Careers

STEM is the second fastest-growing industry, second only to healthcare, with an expected 8.6 million jobs available in the field by 2018. Not only are graduates of STEM-related majors some of the highest paid young professionals right out of college, but they also get those high-paying jobs rather quickly following graduation. While these facts may be enticing, it is important for individuals to know about some of the potential successful careers they could have in their main area of interest when it comes to STEM.

Science & Engineering

Science and engineering careers are the most related when it comes to the workforce and make up 6 of the top 10 careers in STEM including civil engineering, environmental engineering technology, nuclear engineering technology, computer engineering (also related to technology), petroleum technology, and marine sciences. Among the requirements for these careers are strong problem solving skills, chemistry, basic math skills, and deductive and mathematical reasoning.

Mathematics

Mathematics itself, while an integral element in each of these careers, is not well represented in this top 10 list, making up only one of the listed STEM jobs. Despite this face, Mathematics encompasses a multitude of industries such as statistics, actuarial sciences, economics, and more that differentiate it from its fellow STEM categories. Required skills for mathematically related jobs include deductive and mathematical reasoning, problem solving skills, and facility with numbers. If you love numbers and are interested in STEM, this might be the career path for you.

While science, engineering, and mathematics combine to make up the majority of the top jobs in STEM, technology is one of the fastest growing of these already rapidly rising industries and it affects its STEM counterparts significantly.

Technology

Advancements in existing technology, like smart-phones and computers, as well as the development of new technologies, such as IoT devices and connected car security, make it very apparent that a career in technology has a bright outlook for the future. Jobs are becoming much more technical now and require a better understanding of technology, so STEM programs have been more heavily emphasizing this segment of STEM in recent years.

Of Monster’s top 10 most valuable STEM careers, there are four related to technology: computer and information services, computer engineering (also related to engineering), computer programming, and the #1 most valuable STEM career: information technology. For these careers, there are multiple job titles including Information Security Analyst, Computer Systems Analyst, and Web Developer, among others. These jobs not only require knowledge of the latest technology, high analytical and developmental skills, and logical thinking, but a person seeking one of these jobs must be goal-oriented, passionate, and dedicated to advancing technology and growing the industry as he or she rises throughout a career in tech.

A common misconception about STEM is that it is all about the technical and analytical side of these complex careers, but STEM workers are also creators, innovators, and ground-breakers for the futures of each of their industries. Another fallacy surrounding STEM is that a student must receive traditional training and education in order to gain a successful career in STEM; however, there are alternative ways into a career in these fields.

Alternative Routes to a career in STEM

Many people may look at the training and schooling necessary to attain a STEM-related degree and think that it is not affordable for them or the resources necessary to achieve such certifications required for their future careers are out of reach; however, there are companies out there that try and alleviate these fears by offering alternative routes for those individuals who are interested in a career in technology, but choose to go a different route to get there.

Axiom had the privilege earlier this year to work with IT Works, a Tech Impact program that offers free, immersive IT training to young adults– motivated high school graduates, age 18-26 years old, who have not yet completed a Bachelor’s degree. As part of the 16-week training program, an IT Works student named William Lewis, completed a 5-week internship with Axiom and you can read about his experience interning for Axiom through IT Works here. A career in STEM is not necessarily about going to the highest ranked technology school, but being motivated enough to find your own way to where you want to be in your career, with them help of some companies out there who can get you where you’re headed.

Why S.T.E.M.?

In case you’re still on the fence as to whether or not STEM education and careers are important, the National Science Foundation has this to say on the subject:

“In the 21st century, scientific and technological innovations have become increasingly important as we face the benefits and challenges of both globalization and a knowledge-based economy. To succeed in this new information-based and highly technological society, students need to develop their capabilities in STEM to levels much beyond what was considered acceptable in the past.”

With such a revolution in science, technology, engineering, and mathematics, the modern world is in great need of such advanced, pioneering minds as those interested in having an impact on these crucial subjects.

If you’re interested in learning more about STEM careers, please contact Axiom at https://www.axiomcyber.com/ to speak to one of our IT professionals about a career in tech. If you are in need of a different route of gaining technological experience and qualifications, please visit http://techimpact.org/ to learn more about their available programs for innovative and motivated individuals.

Hailey R. Carlson | Axiom Cyber Solutions | 9/16/2016

Image Source

Don’t Get Baited by Phishing Scams

Don’t Get Baited by Phishing Scams

It seems that every day there is another company being hit with a new phishing scam—PayPal and Dropbox being some of the more notable of the recent victims. Because it is all over the news, we assume that we know exactly what phishing is; but do we really?

What it is & How it works

phishing-attacks

Phishing is a scam where cyber-criminals, sometimes referred to as ‘phishers’, impersonate seemingly trustworthy sources in order to send out electronic communication to their contacts (usually customers) in order to do one of two things: (a) to steal credentials and personally identifiable information (PII) from employees and clients, or (b) to infect the computer or company system with malware. The way they are able to do this is a systematic process that includes planning, setup, attack, and collection.

  1. Planning. First, phishers determine which businesses they want to target and how to get their email address list. This is usually by either stealing information from the social media accounts of finance and HR employees from networks such as LinkedIn, or by guessing employee email addresses, which they then use to infiltrate the company. It is easy for hackers to guess some employee emails if the company uses the standard formatting of ‘firstname.lastname@companyname.com.’ While this is easy for employees to remember, it is also easy for phishers to guess.
  2. Setup. Once they have decided their targeted businesses, phishers determine their delivery method for the scam. Most of the time this is through email, however the PayPal phishing scam is an example of one that uses social media as a means of tricking customers. Two fraudulent Twitter accounts were made to appear as though they were legitimate customer service accounts with an urgent message for users of the site. Targets have been lured into entering their PayPal credentials into the seemingly legitimate, but fake pop-up page. This gives these cyber-criminals the information they need to steal PII from the users as well as transfer funds out of their PayPal accounts straight into the scammers’ pockets.
  3. Attack. This is the stage that most people think of when they think of a phishing attack. This is where the phishing message is actually sent out via whichever means the scammer previously chose, again, appearing to be from a reputable source.
  4. Collection or Infection. Not everyone will click on the phishing message, however, 39% of employees click on emails that they originally believe to be suspicious. Those who do end up taking the bait by either clicking on a link in an email or entering in their information into a pop-up, unfortunately have their information recorded by the phishers who can then use this information for their own personal gain. The collection of information is the goal for one type of phishing scam, but as mentioned above, there are some phishing scams whose goals are to infect the computers or systems of the affected individuals. Ransomware, one of 2016’s hottest cyber-threats, is a very popular malware to be included in a phishing scam–now included in 93% of the phishing emails sent out.

How to Identify a Phishing Message

email-computer

Before any company can protect against a phishing scam, they must first be able to identify one. Here are a few telltale signs that can help you determine a phishing email from a legitimate one (note that these are also included in a previously Axiom blog article on phishing, Gone Phishing: Who’s really on the other end of the line?).

  1. Links- The best way for a hacker to access your information is by making you come to him. Many links in suspicious emails can be verified by hovering your mouse over it; if the link is taking you to an .exe file for example, do not click on it, as these have been known to be the source of various malicious software in other cyber crime situations.
  2.  Threats– When there is a threat in an email, such as forcefully taking down an account or being fined if you do not take instant action, this is usually an indicator of phishing. This can come in the form of both email and phone solicitation and threats are easily identifiable by the request of immediate action or otherwise facing the hacker’s consequences.
  3. Posing as a popular company- Seeing a familiar logo or name on an email or other electronic communication can give you a false sense of security that what you are receiving is a legitimate connection from an accredited company. An indicator that a message is phishing is when the hacker includes the company title in a way that is slightly different from the actual company name (i.e. Twitter Co. instead of Twitter Inc.). Also, if you regularly get emails from a reliable company and you receive one that looks different than usual, this is a sign that it may be a phishing scam.
  4. Spelling and Grammatical errors- If there are clear spelling or grammatical errors throughout the email, it is obvious that this email was not carefully looked over by a member of an authentic company and is likely phishing. This not only includes spelling and grammatical errors, but also when key parts of an email, such as the subject line or a signature, are missing or strangely worded.

How your company can combat phishing, Employee Education

employee-education

Now that we know how to identify a phishing scam, it is important to take the proper steps in protecting businesses everywhere from this type of threat. Companies are the primary targets of phishing attacks, and consequently, they need to amp up their cybersecurity defenses in preparation for combating phishing threats. While employees are some of a company’s greatest assets, they are also the greatest threat to its cyber-defenses. This is why employee education is the most important defense against phishing.

  1. Educate employees—Informing your employees of the indicators listed above will help them to be able to identify a phishing threat.
  2. Take care to assess emails—Encourage your employees to take the time to assess an email before clicking on it or any embedded links it make include. Michele Fincher of Social Engineer, Inc. says, “Adding a couple of seconds on to what you normally do when you receive an email will go a long way (toward safety).”
  3. Utilize checks and balances—Utilizing checks and balances can help to prevent what is known as spear phishing—when hackers pretend to be executives emailing upper level employees in order to gain access to valuable information like financial numbers, wire transfers, and employee information. By having multiple people needed to sign off on something, it is likely that the scam will be caught among them.
  4. When in doubt, ask—Let your employees know that if they are questioning an email, they should ask someone else before clicking on it. It is better to be safe than sorry, and most of the time, if they are questioning it, it is likely a fraudulent email.

If you believe an electronic communication to be malicious or suspicious, do not open it, delete it, and report the incident to your IT department. For small businesses that may not have an IT department or think that cybersecurity is out of reach for your company’s budget, please go to www.axiomcyber.com to learn more about our affordable managed cybersecurity solutions and how we can help your business get and stay secure.

Hailey R. Carlson | Axiom Cyber Solutions | 9/9/2016

Image Source

Protect Your Kids When They Go Online

Protect Your Kids When They Go Online

Children today are amazingly advanced when it comes to technology. They are able to navigate tablets with ease—from flipping through photos to watching surprise egg videos on YouTube, kids have adapted to know exactly how to use your smartphone, tablet, or other electronic devices. In Figure 1, it is apparent that children’s competency levels in regards to tablet functions alone are extremely high—some of which they can do completely unassisted. With their high capability levels as well as the threats the internet poses to them, it is important to ensure they are using these devices safely.

Figure 1_Parents

Figure 1: Dubit/University of Sheffield Tablet Use Competence February 2015

As a parent, there are many conversations you’ll have with your child at some point in his or her life. And while some may be more uncomfortable than others, most all of these conversations are necessary and important to your child’s safety and overall well-being. One of the most important of these conversations, and one of the discussions that parents in general do not have much experience in delivering because of its newness, is on cybersecurity.

There are multiple topics of discussion surrounding cybersecurity safety because unfortunately, there are so many threats to people of all ages today. However, there are some key points to keep in mind when battling cybersecurity risks including device safety, web filtering and monitoring, as well as knowing about specific threats like online predators.

Device Safety

As mentioned above, toddlers and other children can navigate electronic devices with surprising ease. While this is incredible, kids do not necessarily know the threats that using these devices can pose and it is important that parents educate them and take action against these threats.

One way to combat this is by turning your devices into safe mode when children are using them. Most tablets and phones have a safe mode including Android and Apple, where you can restrict the apps, internet usage, and even length of time the device can be used in an attempt to help protect your child. By restricting what they have access to in the settings of a device, your children will be protected without you having to sit there and monitor their device usage in person. Parents have too much to juggle, and cannot always be right there with their child while he or she is using this type of device.

In addition to these measures, it is important for you to talk to your child about why they cannot access certain features on their devices. Explaining the reasons why something is not safe rather than just stating that it is in fact dangerous will help your child better understand the preventative actions you’ve taken as well as remind them to keep safety in mind when using electronic devices.

Web Filtering & Monitoring

Whether they are using tablets, phones, or some other devices, if your kids have access to the internet they are exposed to an unimaginable amount of threats. Malware and phishing are especially rampant cyber-threats for people of all ages and children often have a hard time deciphering between legitimate and fake links while online.

The internet in general is pretty scary and malicious for people of any age, let alone children. Merely misspelling a word can send you to a completely wrong address that you never intended on visiting. One way to help protect your children’s online usage is to set up parental controls through web filtering applications such as OpenDNS which gives you the ability to decide which sites your child can and cannot access. By taking this simple measure, you can stop your child from accessing websites that may have inappropriate or malicious information on them.

In addition to setting up filtering defenses, monitoring your child’s internet usage is important as well. For some children who are a little bit older, there are things like homework and social media that they use daily on the internet. But how do you know if they are doing what they are supposed to be doing while online?

One simple way is to check their internet history. While this is an effective way to see where your child has been looking online, there are some tech savvy teens and tweens that may be able to figure out how to clear their histories. In this case, you can also use a monitoring software such as SafetyWeb or SocialShield which will give you a detailed list of where your kids have gone while surfing the net.

Again, communication is key here. Talking your child about the dangers of going to unfamiliar sites as well as possibly letting them know you are monitoring their online activity will keep your child aware of their actions online and remind them of the safety threats that you are trying to protect them from.

Cyber experts tell their kids, in regards to social media security, that once they’ve posted something online, it can never truly be deleted. This helps to remind children to be careful about what they are saying. In the same vein, with regards to cyber-bullying and ‘trolling,’ they tell their children not to say anything online that they would not say face-to-face. Oftentimes, the somewhat anonymity of the internet can bring out the cruelest words from even the nicest people, so reminding your children that their words still have meaning even if they are posted online is a very important conversation to have.

Online Predators

Unfortunately, even with all of these defenses set in place, there are malicious online predators who are actively trying to get to children of all ages. Twenty-five percent of children online have been exposed to unwanted pornographic material and only 25% of children who are exposed to this type of material notify an adult about the situation.

While this is the scariest cyber-threat of them all that your children might face, this crime really only has one defense. Education. This is where the talking really needs to be serious because if predators can somehow get passed your defenses, your child needs to know how to deal with this. Let your child know that it is okay to talk to an adult about any online situation that makes them uncomfortable. In addition, make sure they know not to put out any of their important information online. This information, otherwise known as personally identifiable information, can lead these bad people directly to your child’s computer—or worse, straight to your home.

While there is no surefire way to make sure your child is safe from the bad guys on the internet, talking to them, setting up what defenses you can, and making sure that you all are keeping up to date on current threats can help to strengthen the open dialogue needed to keep families safe from the threats that the internet poses.

Hailey R. Carlson | Axiom Cyber Solutions | 9/1/2016

Image Source