Open Forum

  • 1.  Security BUZZ - Wire Fraud at Glance Part 3 of 3

    Posted 04-28-2023 09:29

    In the first two parts, we covered basic tactics and techniques hackers use in phishing attacks. I can't stress enough the importance of password hygiene. The reality of the modern world is that affected vendors do not publicize a majority of security incidents and breaches. So, if you are using the same password, or a permutation of it, with multiple services, eventually, it will leak and end up for sale on the Darkweb. You are putting yourself at unnecessary risk. Password managers are a very mature market. They are relatively inexpensive insurance that you will use a unique password for every website/service you use.
    The second most important item in 2023 is multifactor authentication (MFA). It is something you know (i.e., username and password) and something you have (i.e., keyfob, mobile phone), and/or something you are (i.e., biometric - finger or retina scan). Many services won't even ask you to set up MFA. Once you register an account and provide your mobile number, they will send you a code to your mobile phone every time you log in. It is the weakest type of MFA but still provides a level of protection in case your account credentials are stolen or compromised because an attacker will need that code that only you have. The next and recommended level of MFA is an application you install on your phone. Both Google and Microsoft have their version of the app. The most popular vendor-agnostic app on the market is Authy. All these apps are more resistant to SIM-swapping and other attacks than text. The last and most secure type of MFA is the FIDO2 security key.
    Keeping your system updated is also very important: many malicious attachments and websites look for known vulnerabilities in unpatched operating systems and auxiliary tools. Adobe Acrobat and Java top the list and are widely exploited by hackers. When patching, remember your browser and any add-ons. If you are using a default browser that came with your operating system, in most cases, it will be patched when you update your OS. You are responsible for patching all other browsers. Use browser add-ons sparingly. Remember, they can read and intercept the URL you are visiting and the data you are typing in the forms or fields on a website. Don't install add-ons unless you are confident you will use them and they are from reputable sources. Some add-ons are designed to lure a user by sounding context but are used to spy or even deliver malware behind the scenes.
    Maintaining good hygiene for your mobile phone or tablet is as important. Mobile devices are becoming primary targets for attacks. They are easier to circumvent with sender's address spoofing in phishing emails and caller ID spoofing in wire fraud and MFA attacks. URL shorteners are also dangerous because you never know the final destination by looking at the URL. 
    Now you are versed in some tactics and techniques used in wire fraud. Be diligent when you receive an email portraying it to be from any of your partners. Remember, the sender's email address can be easily spoofed or replaced, and the signature and context of the email can be easily replicated, including pictures and links to authentic sources. We even see the wire fraud disclaimers that our escrow officers put in their signatures get added to fraudulent transactions with replaced wiring instructions.
    Be safe.



    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------
    ALTA Marketplace
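
As an added illustration of the point in the post above that a sender's address, signature and links can all be imitated (this code is not part of the original post), the sketch below checks one email for three warning signs: a Reply-To domain that differs from the sender's, SPF/DKIM/DMARC results that did not pass, and shortened links. The sample message, its domains and the shortener list are assumptions constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real message; every name and domain is a placeholder.
SAMPLE = """\
From: "Example Escrow Officer" <officer@example-title.test>
Reply-To: officer@examp1e-title.test
To: buyer@example.org
Subject: Updated wiring instructions
Authentication-Results: mx.example.org; spf=fail; dkim=none; dmarc=fail
Content-Type: text/plain

Our bank details changed. New instructions: https://bit.ly/EXAMPLE
"""

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # illustrative, not exhaustive

def domain(header_value):
    """Lowercased domain of the address in a From/Reply-To header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def review_message(raw):
    """Return a list of warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to {reply_dom} differs from sender {from_dom}")
    # Only trust this header when your own receiving mail server added it.
    auth = str(msg["Authentication-Results"] or "").lower()
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    for check in ("spf", "dkim", "dmarc"):
        if results.get(check) != "pass":
            findings.append(f"{check}={results.get(check, 'missing')}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"shortened link hides destination: {host}")
    return findings

if __name__ == "__main__":
    for finding in review_message(SAMPLE):
        print("WARNING:", finding)
```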


  • 2.  RE: Security BUZZ - Wire Fraud at Glance Part 3 of 3

    Posted 05-01-2023 09:09

    Great thoughts.

    We believe here at Kloud9 IT minimal best practices on IT security are the following. If you do these, your chances of getting breached are highly minimized.

    These three things must be done first before advanced security tools come into play.

    1.       Good User and Password Management

    a.       Having a centralized company directory to control authentication (Active Directory) across devices and applications.

    b.       Central directory integrated into IT systems as much as possible for Single Sign On

    c.       Password manager to manage and share passwords and access across an organization efficiently and securely.

    d.       Multifactor authentication for everything possible.

    e.       Regular Security Training that is Tracked

    f.        Corporate policies to enforce

    2.       Good Device Management

    a.       All corporate and BYO devices integrated with corporate directory for authentication

    b.       All corporate and BYO devices with access to company data managed with a Device Management Platform

    c.       Mobile BYOD usage minimized

    d.       Device management ensures devices are tracked and patched

    e.       Least privileged access practiced

        i.      All employees run as users on their devices, especially high-level executives

        ii.     Applications approved for installation

    f.        Corporate policies to enforce

    3.       Good Data Management

    a.       All corporate data locations are accounted for

    b.       Data archiving policy for archiving data not in use, including emails (100 GB mailboxes really?)

    c.       Backup and Disaster Recovery Plan is followed and checked, including "cloud" systems.

    d.       Sharing of data requires processes and approvals

    e.       Least privileged access practiced

        i.      Permission structure on data has been defined and implemented

        ii.     Employees have permissions to only what they need

    f.        Corporate policies to enforce

    Are you managing your Users, Devices, and Data well? If you are not, no advanced security tool is going to do much.

    I hate to say this, but maybe 1 in 50 SMBs we bring on as clients are doing these very basic IT security items. A good internal IT team or Managed Services Provider backed with management's blessing (because these things need management's blessing) should be doing these things.

    In the end, IT Security at its core... is doing IT right.



    ------------------------------
    Nicole Milliron
    Director of Operations
    Kloud9 IT
    Cleveland OH
    +1 (844) 556-8394
    ------------------------------
