Tag Archives: security 101

Phishing for beginners – Image #133


This originally appeared over at http://easycyber.net and I thought it would be worth providing this beginner’s guide here.  I’m guessing that you’ve heard of phishing, and I thought I’d provide some words around related topics. Let’s start at the beginning though.

Phishing

Most people with email will have received a phishing email at some point. Essentially, it’s a mass mail sent to a lot of people indiscriminately, in the hope that one or more of the recipients will reply or click on a link in the message. The bad guys have either provided a link to a compromised website, or a link which will download and install malware, or something like that; or they note the replies they receive and build a list of people to target with the sort of fake IT support calls you’ve probably read about. These types of attack are relatively simple and unsophisticated. They don’t target individuals and are effectively a random attempt, a bit like fishermen on a trawler using a net: their catch is indiscriminate.

Spear Phishing

This type of attack is a bit more sophisticated. It follows the same sort of approach as above, but focuses on specific individuals. These emails typically include your name and may also include a little bit of information about you, and will likely be more targeted around some of your likes and interests. Because they are specifically directed at you, and you are their prey, you become the one fish that the bad guys try to get without looking at the others around you: hence “spear phishing”.

Whaling

This is really just a version of spear phishing, but targeted at the biggest fish (OK, so I know that whales are mammals, not fish, but that’s beside the point). As these are the big fish, you can imagine that these are the biggest prize. Typically the bad guys try to get their hands on large sums of money, and the attack may involve more skilful techniques like phoning an employee in finance (a technique sometimes called voice phishing, or vishing) and pretending to be one of the big fish, saying that they’ll be emailing shortly to request immediate payment of a bill. Who queries the boss, right? This type of attack is definitely on the increase.

So how do you protect yourself from these sorts of attack? The following tips may help:

  • If it seems too good to be true, it probably is
  • Don’t click on unknown links in email
  • Don’t reply to messages from people you don’t know
  • If at work and you get an email from senior management which, e.g., doesn’t follow normal processes, ask for confirmation / clarification – but not by replying to the mail
  • Be vigilant – phishing and related attacks are on the increase

New Security Blog – Image #122


As I’ve mentioned before, I will shortly be starting a new job. I’ve decided to make use of the free time before I start to set up a more professional web presence, which includes a new Twitter account and a new blog site. If you’re interested in Information Security matters and want to know more, but get confused by all the jargon being used these days, please check out https://easycyber.net and follow it.

SPOILER ALERT – I’ve copied some of the posts from this site to the new one, just to get things started lol. There will be lots more to come over time.

Certification – what does it mean? Image #75

I’ve told you I used to work in IT, right?  And now I work in security.  Across both disciplines, and in much of life, there’s a lot of pressure and in some cases kudos to be obtained by becoming certified in one thing or another.  I just heard today that I can now add another bunch of letters after my name professionally, which is great, but what does it all mean?

[image: Dilbert cartoon]

The cartoon above is one of my favourite Dilbert cartoons. (I know, Dilbert is geeky and to have a favourite must mean I’m uber-geeky, but that’s the way the bits flow.) And it brings to mind a brilliant example which might have been the root of the cartoon.

In one of our offices one day, this guy came up to me (I was in management at the time) and said “I’ve just passed both the Novell (now you know how long ago this was) and Microsoft certifications. I want a 30% pay rise or I’m leaving.” I told him I’d find out what we could do for him and sent him on his way. Fast forward a day or two, and the same guy called me up.  He wanted to know how to do something with a network card on a system he was working on. I asked him why he didn’t know, as I knew for a fact that it was something covered on both of his certifications in their basic classes – because I’d done them both.  He didn’t have an answer, didn’t get his raise and didn’t stay with the company for long.

I guess the moral of that little story is, in my experience, having a bit of paper to say you can do something is not as valuable as having spent the time doing the things the paper said you were qualified to do.  I’d choose an experienced professional ahead of a well qualified one any day.

Oh, and the certification I won today?  I had to be able to demonstrate at least 5 years’ experience in a number of different security related disciplines.  Qualified AND experienced? You bet!

What are backups, when and why are they needed?

As I’m keeping this simple, I guess I should start by explaining what a backup is, and why it’s necessary. (Apologies to those who know, but if my blog item on Patching was Security 101, then this is surely part of IT 101!)

A backup is simply a copy of one or more files kept on a different device than your working version. You need one so that if the original file is lost, damaged or deleted, then you won’t have to recreate it from the beginning. Some files are irreplaceable e.g. family photos in the digital age (because we no longer get film negatives with our snaps) so we need to be careful.

Here’s a question: do you backup your home PC, laptop, smartphone, tablet etc on a regular basis?

  • Those of you using the iCloud or something similar – well done. (As an aside, and not part of this discussion – have you thought about how secure the data is there: after all, you don’t control who has access do you?) You probably just need to worry about how often you back up to that cloud storage and whether you have an Internet connection at the time you need it.
  • Those using iTunes or similar – that’s great, your device is backed up, but what if the place you are backing up to, e.g. your home PC, dies?
  • As for the rest – do you use a thumb drive or external hard drive of some sort?

Another question to consider is: how often do your files change? If you have a document which you work on regularly e.g. accounts for a social club, it may be something you need to backup regularly. If it’s a treasured family photograph, or an invoice for an online purchase, the file won’t change but you should really have at least one backup copy.

There are many backup solutions available. Perhaps the simplest is to use an external hard drive or a thumb drive (also called a memory stick, USB drive, pen drive etc) and simply copy the files you want across to it. Make sure you keep the drive in a safe place (not next to your computer though: if the computer goes up in flames during a house fire, having files copied on a device sitting next to it probably won’t be any use) and, if the data on it is sensitive you may want to encrypt it. (Hmm, I think I’ll need to write a separate post on encryption!)
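The “copy the files across and keep the drive somewhere safe” approach above has one weak spot that beginners often miss: a copy that was never checked may be corrupt or incomplete when you finally need it. The script below is an added example, not something from the original post; it copies a folder tree to a second location (a temporary folder stands in for the external drive, which is an assumption of the demo), records a SHA-256 fingerprint of every file, and later re-checks the copies against those fingerprints so a damaged or missing backup file is reported instead of discovered during a restore. Encrypting the drive, which the post also mentions for sensitive data, is not covered here.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Fingerprint a file in 64 KiB chunks so large photos/videos don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_tree(src: Path, dst: Path) -> dict:
    """Copy every file under src into dst and return a manifest {relative path: sha256}.

    copy2 keeps timestamps, so a later run can still tell which copy is newer.
    """
    manifest = {}
    for file in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = file.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, target)
        manifest[rel] = sha256_of(file)
    return manifest


def verify_backup(dst: Path, manifest: dict) -> list:
    """Return the relative paths whose backup copy is missing or no longer matches the manifest."""
    problems = []
    for rel, expected in manifest.items():
        copy = dst / rel
        if not copy.is_file() or sha256_of(copy) != expected:
            problems.append(rel)
    return problems


def demo() -> dict:
    """Run the whole cycle on constructed sample files and report what the checks found."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "laptop"
        dst = Path(tmp) / "external_drive"  # stand-in for a real second device (assumption)
        (src / "photos").mkdir(parents=True)
        # Constructed sample data: a fake "photo" and a small accounts file.
        (src / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0 not really a photo")
        (src / "accounts.csv").write_text("date,amount\n2015-01-01,10.00\n")

        manifest = backup_tree(src, dst)
        ok_before = verify_backup(dst, manifest)  # freshly written copies should all match

        # Simulate the copy being damaged later (bad sector, interrupted copy, accidental edit).
        (dst / "accounts.csv").write_text("date,amount\n")
        bad_after = verify_backup(dst, manifest)

        return {"files": sorted(manifest), "ok_before": ok_before, "bad_after": bad_after}


if __name__ == "__main__":
    print(demo())
```

Re-running `verify_backup` every time you plug the drive in is the cheap habit that turns “I think I have a backup” into “I know I have one”.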

As you can infer from the above, there are many cloud based services like the Apple iCloud or Microsoft’s Office 365 where you can hold all your files and not have to worry about messing around with thumb drives etc. Personally, if I were going to use them for some of my own sensitive files, I’d ensure I used some of their more secure services like two factor authentication.

That sounds scary and technical, but it’s basically a combination of a password and a code generated on a separate device (as they say in the trade, it’s something you know and something you have, which “proves” you are you). That device may be software on a phone, a PIN code that’s sent to your phone or email, or it may be a physical thing like a fob which your bank provides: I have one which looks a bit like a small calculator which I have to slide my bank card into, and it gives a code which I have to type in on the website before I can access my account details.

There’s another time when you should seriously consider making sure you have backed up your data properly, and if you don’t do it at any other time then you should make sure you do it when … upgrading your device and / or the operating system software on it. Apple tend to force the backup if you use iTunes, because that’s the first thing they do before upgrading the software. Given that right now many people will be eligible to upgrade their Windows version for free (if it’s a personal device which is compatible and running specific earlier versions), it’s worth making sure your essential files are backed up before you start.