
Human Error and Information Security Hygiene

95% of all successful cyberattacks start with human error, according to the IBM Cybersecurity Intelligence Index. That makes it important to periodically evaluate and improve your own information security hygiene and awareness.

Information security is one of the fastest-changing fields in the world. New technologies emerge every day that change the way people attack and defend systems and networks. While information security professionals are required to be in a constant state of learning to keep up with the field as a whole, those without day-to-day involvement tend to be the primary targets and the least informed. Being aware and informed enables everyone to protect themselves.

Awareness Companies

Security awareness training should be a high priority for any organization. To facilitate effective awareness training, a number of companies focus on providing awareness training as a professional service, often using computer-based training. Companies such as Habitu8, SANS, KnowBe4, and Security Ninja provide awareness training packages to organizations that want to inform and educate their employees.
These packages are frequently integrated into a learning management system (LMS), such as Blackboard.

Other free resources are also essential for reaching people both inside and outside the information security community, such as the following:

On the Web

While organized and mandatory awareness training can be effective, it isn’t the only way to reduce risk and stay up to date on cybersecurity. There is an abundance of websites, blogs, and other informational pages freely available to all. Cybersecurity is often in the news, and the following websites can help users stay up to date:

  • Have I Been Pwned (run by Troy Hunt) lets users check if their email has been associated with a data breach and stay informed on breaches happening worldwide.
  • Krebs on Security: Brian Krebs’ site offers in-depth coverage of ongoing security stories without overwhelming less technical readers.
  • Credit Karma and Equifax offer credit monitoring services that can track your exposure to identity fraud or credit data breaches.

Social Media in Security

As social media has gained popularity, more and more professionals are turning to it to stay informed and spread their message. It may come as a surprise to some that there is a large information security community on Twitter. The #infosec community on Twitter is one of the best places to keep up with the latest security news, where professionals and organizations share news, tips, and resources.
Key accounts to follow:

These accounts provide invaluable resources for staying aware of current security trends, free webinars, blogs, and more.


People have a lot of preconceived notions about security teams and practices. While some misconceptions may be grounded in truth and others are fairly outlandish, there is a lot going on behind the scenes that users may not see. From claims that we are all hackers wearing hoodies and doing nefarious deeds to the perception that we are here to get in your way, we will help you understand what is true, what is not, and why these perceptions might exist.

Myth #1: Security is just here to say no

Being at a university presents the unique challenge of providing the tools and technology necessary for students and faculty to research, learn, and achieve their goals. We must strike a difficult balance between the availability of those resources and the security of the university and our community. As security professionals, we do everything we can to enable safe and reliable access to the tools that the GW community needs to reach their goals. We are here to facilitate a safe IT environment in which all students, faculty, and staff can access the resources they need. Sometimes that sounds like “no”, but what we are really requesting are modifications that reduce the risk of exposure or breaches at GW.

Myth #2: Security only deals with technology

Many people believe that IT security only works on securing servers, reading logs, and other highly technical tasks. On the contrary, the security team has a wide range of responsibilities, of which technology is only a part. The security team is continuously engaging with people and data in a multitude of ways, often helping people protect themselves and the organization through a security awareness program, or working directly with other teams to enhance security within their operations. They are constantly trying to improve the ways they protect the GW community’s data by updating policies, implementing best practices, and assessing security processes.

Myth #3: The security team is just a bunch of hackers

Many people also think that the security team is nothing but hackers. This is far from the truth. Information security is a wide field with many specializations, and it takes all sorts to be effective. While some members of the team might be highly technical penetration testers, their counterparts are security professionals focused on defensive security and protecting the GW network and assets from outside threats. Members of the IT Security team also range from awareness professionals working on people and outreach to analysts focused on identifying and reducing risk.

Myth #4: The security team takes care of security so I don’t have to

The security team works tirelessly to ensure that the GW community, information, and assets are as well protected as possible, but the team is not always the first line of defense. Security is your responsibility too. Our community is often the first line of defense when it comes to attacks from outside GW. Social engineering (tricking and deceiving people) is a common tactic employed by attackers and encompasses phishing, piggybacking, and taking advantage of users in the workplace. All of this means that you, the user, need to play a vital role in protecting the university, or, as we call it, #SecuringGW. Protecting your own information is an essential piece of the overall security of GW. Catching phishing emails and forwarding them to abuse at GW may seem like a small task, but it is small actions like this that alert the team and protect GW from large breaches. Being aware of people trying to enter buildings where they don’t belong and maintaining a clean desk free of sensitive materials are also security measures you can take to do your part in #SecuringGW.

Fact: GW Information Security – Your Trusted Advisor

The information security team strives to facilitate access to the resources that the GW community needs in as secure a manner as possible. Security affects everyone: data loss, lack of availability, and compromised systems impede day-to-day business functions, which means they affect the day-to-day lives of everyone on campus. To help prevent this, the security team acts as a Trusted Advisor to everyone in the GW community. Whether you want to implement a new system, service, or application, or begin a new project, involving the GW security team as Trusted Advisors from the start enables us to aid in proper project oversight and completion while maintaining and promoting the confidentiality, integrity, and availability of GW’s data, systems, and services.


Previously, we discussed social engineering in the form of phishing, a typically untargeted attack type that focuses on quantity over quality. However, not all social engineering attacks cast a large net; some get up close and personal. Attacks that involve pretexting are typically more focused and can be well planned and highly targeted, making them a credible threat to information security at any company.

Whether used in person or through other means of communication, pretexting is a dangerous method attackers use to gain access to systems and to profit financially. A pretext can be relatively simple and recycled constantly, but it can also be well thought out, researched, and specifically tailored to each target. Ultimately, pretexting involves an attacker impersonating someone or presenting a “legitimate” reason to gain access where they do not belong. Pretexting relies heavily on an attacker having convincing and effective aliases, stories, identities, and credibility.

The research conducted to carry out a pretexting attack is typically all open source. Attackers might scour an organization’s web pages to understand its size, structure, and relationships, or they might look for company login portals such as HR sites, mail hosting, and VPN portals. Oftentimes, attackers will try to find information on specific employees, such as email addresses, position within the company, and any other information that can be used to impersonate or manipulate them. Gathering all of this information about an organization helps attackers understand how the business operates and what type of attacks might work. If the target is a large company with thousands of employees, an attempt to impersonate someone is more likely to succeed than if the target is a small, close-knit business that would easily recognize an imposter.

Thorough research enables an attacker to determine the best methods to gain unquestioned access to money transfers, systems, and other restricted areas. A tactic that attackers frequently use is to impersonate a target’s boss, an executive, or another important figure, and then urgently request money transfers to specified accounts. The hope is that the targeted individual will panic due to the urgency and fail to verify the transaction with anyone else. Other attack types include impersonating vendors, internal departments, or other entities that might have an already established relationship with the organization. The attacker may call the victim and, using a false identity and backstory, get them to visit a fake company login page and enter their credentials. With those credentials, attackers can then access potentially sensitive systems and data.

Whether a social engineer uses a relatively general pretext or a highly targeted and well-planned one, users should be aware of the danger these attacks pose and able to prevent them. Preventing these kinds of attacks is not necessarily difficult; it just takes a bit of time and diligence. If someone asks you to complete a wire transfer, take the time to confirm that they are the one who sent the email or made the phone call. Reach out through another form of communication to verify. Always confirm any backstory that is offered to you: if you have been asked to log into a portal to accept new compliance documents or policies, contact your compliance office to double-check. If someone visits the office and claims to work for a maintenance company but they aren’t on your schedule, call the corporate office and verify that their employee is supposed to be there. Confirm package deliveries from delivery people you have never seen before. Be highly suspicious of anyone who contacts you and asks for login credentials, personal information, or financial details over the phone or through email. Always be wary of strangers trying to access systems, data, and even your office building. Take the time to protect yourself and your organization from attackers who try to manipulate you with convincing and well-thought-out backstories and personas.
