Welcome to Cyber Security Today, the Week in Review edition. I’m Howard Solomon, contributing reporter on cybersecurity for IT World Canada. Today I’ll be looking back at some of the big news stories in the past seven days with Dinah Davis of Arctic Wolf Networks.
To hear the podcast, click on the arrow below:
First, here’s what happened:
The Department of Human Services of the American state of Georgia admitted email accounts of some employees were hacked five months ago. Apparently it only learned about the incident in August, when it realized the attackers had copied names of children and adults involved in child protection cases. Some of the data copied may have included dates of birth, ages, phone numbers, email addresses, social security numbers, Medicaid or insurance information. Psychological or medical reports on 12 people were included. One person’s bank account number was copied.
Unity Health Toronto, a network of three hospitals in the city, is warning people that someone is sending phony text messages claiming to be from the group and asking for personal information from patients. These messages are fake and should be ignored.
Companies and government departments around the world using applications from a German company called Software AG are likely anxious. This is because it acknowledged last week that hackers had copied data from Software AG servers and employee computers. One news service says it was a ransomware attack, and that the attackers are demanding $23 million.
Organizations are being urged to tighten their email protection and increase employee security awareness training after the discovery of a business executive scam believed to have netted cybercriminals $15 million from one hack alone. According to one news service the email account of an executive is hacked and read, giving the gang details on a business deal being discussed. The deal would involve a bank transfer of money from one company to another. At the right time the hacker creates an email message that looks like it came from one of the executives asking the payments be sent to a different bank. Then the gang takes the money from that account. It’s thought there have been 150 victims, mostly in the U.S.
And people who buy clothes online from the women’s fashion store called Moda Operandi should carefully watch email accounts for spam and phishing lures. This after a security researcher found an open database with customer information for orders made in the spring of 2019. Information that could have been copied includes customers’ names, shipping addresses, phone numbers and email addresses.
This being the 16th year Cyber Security Awareness Month has been observed, I started by asking guest analyst Dinah Davis of Arctic Wolf Networks if the event still needs to happen or is it merely a reminder to managers that cybersecurity is something to think about only once a year?
“I absolutely think this is something that needs to happen,” she said. It’s like being reminded once a year to check the smoke detectors in our homes. alarms. Organizations have security systems, but they also need to be checked. Are new processes needed? Is more awareness training needed? People start to forget what they have learned after only six months, she pointed out.
The biggest mistakes organization make in awareness training is not refreshing content, and not making training relate to the firm. Â “You really have to tailor your awareness training to the industry that you are in and to the problems that your people face on a day to day basis, ” she said.
And everyone can learn something new. Davis admitted that at her company’s recent training she learned about consent phishing, where attackers trick users into granting a malicious app access to sensitive data or other resources by asking for permission to access different parts of their systems. The attack starts with the victim receiving an email with a link to an app. Clicking on the link brings up a form asking the user to consent to the app being installed.
IT departments can stop this by only allowing users to install pre-approved apps. End users also have to be suspicious of email that asks to install an app.
As for the news stories, Davis saw a pattern: Many seem to start with users falling for phishing email. “Anytime you get asked to do anything of significance through email, you need to double-check that,” she said, especially email from the CEO or an executive asking you to do something like transfer money. Either phone or message them directly to check.
IT departments can help screen phishing messages by tagging email either with an “External” tag or a colour as a warning to end users. If the message is from the CEO but is marked as coming from an External network, it’s probably fake.
To hear the full conversation click on the Play arrow.