Cybersecurity for Beginners

How to prevent
Phishing & Social Engineering Attacks

Volume 1

Mike Miller
Copyright
All rights reserved. No part of this book may be reproduced in any form or by any electronic, print or
mechanical means, including information storage and retrieval systems, without permission in
writing from the publisher.

Copyright © 2020 Mike Miller


Disclaimer

This book is produced with the goal of providing information that is as
accurate and reliable as possible. Professionals should be consulted as
needed before undertaking any of the action endorsed herein. Under no
circumstances will any legal responsibility or blame be held against the
publisher for any reparation, damages, or monetary loss due to the
information herein, either directly or indirectly. This declaration is deemed
fair and valid by both the American Bar Association and the Committee of
Publishers Association and is legally binding throughout the United States.
The information in the following pages is considered to be a truthful and
accurate account of facts, and as such any inattention, use or misuse of the
information in question by the reader will render any resulting actions
solely under their purview.
Table of Contents
Introduction
Chapter 1 The Ultimate Goal of Cybersecurity
Chapter 2 Understanding the CIA Triad & Defense in Depth
Chapter 3 Understanding Threats, Exploits and Risks
Chapter 4 Understanding Malware
Chapter 5 Malware & General Countermeasures
Chapter 6 How to Report Malware
Chapter 7 Attacks on Portable Devices
Chapter 8 Intercepted Communication & Countermeasures
Chapter 9 Introduction to Social Networking
Chapter 10 Social Networking Threats from Cybercriminals
Chapter 11 Understanding Cross-site Request Forgery
Chapter 12 Social Engineering Countermeasures
Chapter 13 Understanding Metadata
Chapter 14 Comprehending Outside and Inside Threats to Businesses
Chapter 15 Introduction to Phishing
Chapter 16 Phishing, Social Engineering & Vishing
Chapter 17 How to Prevent Phishing Attacks
Chapter 18 How to Report a Phishing Attack
Chapter 19 Phishing Countermeasures
Chapter 20 How to Report Phishing Attacks
Chapter 21 Tips to Avoid Phishing Scams
Introduction

There are always news reports about cyber-attacks, and while they provide a
lot of information, many people are still not sure how those attacks affect
them, their business or the company they work for. Perhaps you are not too
sure what you are supposed to do about cyber-attacks, partly because of all
the confusing vocabulary and the many types of attacks, and perhaps you are
unsure what any of it means to you. Well, that's precisely what we are going
to cover in this book. We are going to focus on the basic concepts of
security and the terminology used for cyber-attacks.

First, let's get started with the vocabulary. We are going to look at why
this is so important, what the impact of better security knowledge is, and
what challenges your business faces when dealing with cyber-attacks. We are
trying to prevent the loss or corruption of confidential data, and that
directly impacts your business. A loss of customer data can affect not only
the operations of the business but its future financial outlook, and there is
also a personal impact from cyber-attacks that can affect you, such as loss
of your identity, loss of money or loss of property.

This is an important concept: security is everybody's responsibility. It's a
phrase that you hear all the time, but it's not often practiced. The more
active you are, the more you improve everyone's security, not just your
personal security but the security of your business too. Your business needs
to try to prevent attacks from happening, to protect its confidential
corporate information, and it also has to be able to respond to attacks when
they occur; most likely it will have specialized security professionals who
do that. Part of that is educating the employees, which helps you as well as
the business. If you notice something that is wrong and you report it, that
is great; it might be exactly how the response to a possible attack gets
started. Notifications about data loss or corruption, if it occurs, help the
business make sure it is doing everything it can to prevent an attack.

The term Cybersecurity is commonly used by the government, but there are a
couple of other terms I want you to be familiar with. I'll use the term
Cybersecurity as we talk about the different types of attacks, but there is
also a common term used in the private sector, information security, or just
InfoSec. These are general terms and I will switch between them from time to
time. Something else to keep in mind is that you'll hear other terms like
computer security, network security or software security. The idea is that
there are people in place who try to make sure that if something were to
come under attack, they could help prevent it and then respond to the attack.
There might be very specialized categories that each person follows, but in
general people refer to all of it as Cybersecurity or InfoSec.

First of all, we are going to look at what you have to protect, what
information a malicious person might want to get hold of, and who is going
to help you with that protection. Then we will dive into the different types
of attacks, threats, exploits and risks, and what they all mean to you. This
is what's most important: understanding the definitions will give you a
general idea of what you are looking for when something might happen. We
will also look at the proactive approach, both what your business should do
to proactively fight against these attacks and what you can do to help, and
how to report an attack. We will also discuss who you should report an attack
to, both at your business and in your own personal life. This is important,
but there are many challenges, because we want to protect both the business
and our own personal information. If you are ready, let's get started.
Chapter 1 The Ultimate Goal of Cybersecurity

Cybercriminals are going to try a variety of attacks. They are the malicious
people. They're going to attack you and your business to gain information or
just to steal money, and they're going to use creative ways and all kinds of
different communication methods to try to trick you into providing
information you shouldn't. They'll use emails, they'll use websites that you
click on and that give you malicious software, and they might even use phone
calls. There are all sorts of attacks they're going to use, but first of all,
what are we trying to protect in the first place? That's where our focus is:
what is it in our business that someone would want to take from us, what is
it that they would want to take from us personally, and where might some of
that information be stored? We want to look at what the challenge is for the
business in protecting this information and what the fix might be.

Let's get started with data in your business. Your business wants to ensure
that what's confidential stays confidential. In other words, no unauthorized
users, no cybercriminals, not even you can see what you're not supposed to
see, and a lot of that is going to be customer information: for example,
what orders your customers have placed, the company's intellectual property,
or any business dealings that are going on. If you work at a medical
institution, for example, there are certain requirements for patient records
that must be followed. All of this is very important, and it is going to be
stored in things like databases and files. These are going to be stored on
computers referred to as servers, on your desktop computer or your laptop,
but keep in mind that this information could be on tablets and phones too if
they're used for the business, and on things like USB drives, USB sticks and
backups that may contain information you don't want to share with someone
else.

This is very similar to your personal information: all the data that you want
to keep confidential and don't want somebody else to get hold of, such as
your bank information, your medical records, and anything that is personally
identifiable to you, like your Social Security number. Not everything needs
to be confidential, but quite a bit of it does in order to protect your
identity, and that's what you're focused on, both for the business and for
yourself. What's interesting is where this data is stored in your home. It's
going to be stored in databases and files, on your desktop computer, your
laptop, your tablets or your phones. It's pretty much the same list, very
similar to what your business stores its data on, and many times when you
learn how to protect yourself, you're also learning what the business needs
to do to protect itself, and vice versa: the protection your business needs,
you probably need as well.

Part of what makes this so challenging is that new weaknesses, which later
I'll define as vulnerabilities, are discovered all the time. While you build
a better safe, there's a better safe cracker who learns a new way into that
safe. Then there are old weaknesses that still haven't been prevented. One of
the main reasons for that is that computer systems such as your tablet or
mobile phone didn't get updated. You're preventing it from getting updated,
or someone else is, which means that the security patches that are coming
out aren't fixing some of those old weaknesses. More commonly, some
businesses don't focus on security until after they've had their first major
breach. In fact, a recent study found that most companies didn't even know
that they had been attacked until six to eight months after the attack, while
many had insufficient security policies; in other words, things like the
required length of your password or whether the system logs connections.
Also, are we doing any end user training? Are we helping employees
understand what they can do to provide better security? Those things are
part of the challenge.

How do you fix those issues? Well, it comes down to you. One of the phrases
you're going to hear quite often is that humans are the weakest link. I like
to think of humans as also possibly the best solution, because you can have
an impact. Everyone is responsible for security. The more you know about
this, the more you understand what attacks you can face. The more you
understand the terminology, the better you can report it if you notice
something happening. Humans have made all of this possible. We have made all
of the hardware and all of the software. Humans wrote the code, humans
administer all the security tools that protect the data, and humans can make
mistakes, but they can also make the difference, so keep this knowledge in
mind. You'll be able to spot when something is wrong, both at your business,
where you can report it appropriately, and in your personal life. Part of
the challenge is not only understanding what confidential data you want to
protect, but all of the locations where it might be, such as your tablet or
phone. Maybe a tablet you haven't used in two years still contains that
information, and that's what you want to start thinking about, not only for
yourself but for your business. People have to think about those very same
things, and the challenges that we go through are numerous. But together we
can fix them, and we can help both your business to improve its security and
you to improve your own security, to prevent things such as identity theft.

Once you learn the basic concepts, you will have a better understanding of
who is trying to attack us and what some of the countermeasures are that we
can take. The idea of my personal information being attacked and stolen, or
the business losing customer information, is a pretty frightening thing to
think about. However, you're not alone in this, and what we are going to talk
about is some of the people around you who can help and how they think about
the basic concepts of security. We are going to look at how your business
can provide assistance and what a security professional starts to think
about when they think about protecting data: something called the CIA
security triad, whose concepts have to do with confidentiality, integrity,
and availability. When we think about the data that you're storing at the
office or at home, we also use another concept called defense in depth,
where we layer multiple defensive mechanisms.

Your business and the security professionals who work in it often rely upon
industry organizations to give guidance when needed, such as the National
Institute of Standards and Technology, known as NIST. You're going to see
more about NIST later on, but they provide policies, procedures, guidance
and terminology to the industry overall. Most organizations, most companies,
are going to have security experts who follow these standards and try to
secure the business as best they can. These security professionals may be
part of several different teams. You might hear of somebody responsible for
network security or computer security, server security or application
security. They're all part of security, working together towards a common
goal: to protect confidential information. At your business, if you have a
security department, they often offer employee training. The reason they do
this is that they want you to know more about what's going on, to protect
both yourself and the actions that you take in the business, and to be
alerted when things might go wrong. This comes back down to you and how much
you can affect the overall security profile of your business. Just being
alert and reporting that something might have gone wrong might be enough to
save the day.
Chapter 2 Understanding the CIA Triad & Defense in Depth

Security professionals are all about data protection. This is often referred
to as the CIA security triad, or sometimes just the CIA triad. It's not the
CIA as in the Central Intelligence Agency; it stands for confidentiality,
integrity, and availability in regard to your data. Let's break this down.
We are going to add a fourth piece called privacy, but let's start with
confidentiality.

First of all, we need to make sure that data is confidential; in other
words, unauthorized users do not have access to the data. We do that through
a variety of mechanisms that you've already experienced. We are going to ask
you to log on with your username and a password, something that you know. We
are also going to look at encrypting the data. For example, if somebody
steals your laptop, they may not have your password, but if they pull the
hard drive out, they might be able to get data off of it. Well, not if we
encrypt that data as well. Confidentiality also requires training, and a
good example is printers. In the office, have you ever printed something
out, forgotten about it and left it on the printer? Imagine for a moment
that you printed out confidential information and left it on the printer,
and anybody who walked up to the printer could suddenly see it.
Confidentiality is a very important piece of protecting data, but it's not
the only piece.

There's also integrity. Integrity means that the data itself is good: it's
consistent and accurate and we can trust it. In other words, nobody, and no
malicious software, has gotten in and corrupted or altered that data. We
ensure that by auditing the data, tracking changes to the data, and seeing
who was the last person to change it.

Besides integrity, another important aspect is availability. What we want to
make sure of is that the data is available to authorized users when they
need access to it, which means that we may have some fault tolerance or
redundancy measures, which we are going to talk about later, to ensure that
the data is available. If we lose a server, I can still access that data.
Availability requires ongoing maintenance such as backups and updates, and
disaster recovery plans, but availability is important, and this affects you
even in your personal life when we start to talk about one type of malicious
software called ransomware. Your data is there, but it's not available to
you, and you might need it.

This then takes us to privacy. This is the fourth leg we add to the three
legs of the CIA triad, and privacy relates to you and your personally
identifiable information, or PII. Whether it's at a business or with you
personally, this is your personal information: your medical records or your
Social Security number. Perhaps you don't want people to know your address.
Whatever it is, it is with you, or it could be with a business you've dealt
with if you've purchased products from them. That information needs to be
protected: not everything, but the things that we want protected. Also,
organizations may have very specific legal requirements. A couple of
commonly known ones are the Health Insurance Portability and Accountability
Act, or HIPAA, for medical institutions to protect patient records, and the
Payment Card Industry standards for credit cards and debit cards. There are
compliance levels for how those transactions have to be made. Can credit
card numbers be stored? How about information about a person: the products
that they purchased, the dates and times when they got these products? How
is that stored, is it available to anyone, and who are the authorized people
it would be available to? These combine into how we think about protecting
data: confidentiality, integrity, availability and privacy.

Security professionals don't only think about the data. In other words, is
the data confidential? Does it have integrity? Is it available? They also
think about how to protect that data. Imagine that you have some important
confidential information on a piece of paper and you put it into a locked
safe. Well, the safe is one mechanism, but for a good safe cracker it's
pretty easy to get into that safe and steal that information. The concept is
this: can we build layers of security? That's referred to as defense in
depth, using multiple security processes to protect that data. Think of it
this way. You have that locked safe, but let's say you put it in a room that
is also locked and requires a fingerprint scanner to get into, and that room
is located in a building with security guards who have to scan your badge to
see if you can get through. See how we are building layers on that? That's
what a security professional wants to do with the data, and it's the same
thing that you can help with in your business and that you can also do in
your own personal life.

Therefore security professionals spend a lot of time organizing, planning,
and figuring out ways to mitigate a variety of attacks. They might do things
called penetration testing, or pen testing, which is testing their own
environment to see if there are points of attack that could be used against
it. They'll also come up with plans to recover, and to analyze and repair the
situation after an attack. Security departments will also offer employee
training, and I would encourage you to find out whether yours does. If it
does, take advantage of it, because you are the ultimate impact. You can
expand your knowledge, and you will be able to perform security related
tasks that help the situation both at your business and at home. Best of
all, you'll start to notice if something isn't right, and then you can let
someone else know, which we will talk about at the end of this book: who can
you go to and explain that there might be an issue?

All of these are security in the business. How should you think about your
data? Is the data truly safe from unauthorized users? Is its integrity good?
How can you protect that data? Well, now it's time to finally dig in and
start to see what you're protecting it from: the different types of threats
and exploits that you might face.
Chapter 3 Understanding Threats, Exploits and Risks

The question is: who's attacking you, and what are they attacking you with?
We want to find ways that you might be able to help mitigate this, both
attacks on you personally and attacks on your company for data and
information. We are going to look at a list of different types of attacks,
but it's important to get you comfortable with the terminology and with what
to watch out for. In this section we are going to look at threats and threat
sources, and at the weaknesses, or vulnerabilities, in your system. The
vulnerabilities in your system, the weaknesses it has, create exploits that
a person of malicious intent can then use against you. They can also
automate these exploits by writing malware, which is malicious software that
performs the entire exploit for them; attackers don't even have to be
present when it occurs. There's malware, but there are also other
activities, like social engineering, that I want to mention before we
continue on.

Before we get started, I want to point out where you can get more
information. I'm not going to give you all the terms there are, just the
major important ones. A website you can visit for additional information is
that of NIST, the National Institute of Standards and Technology. You can
find it by visiting https://www.nist.gov/ .

Once you visit the site, there's a lot of great information, especially for
security professionals, but there's also a vocabulary list. If you hear
something and you want to know what it means, you can either search for it
with your favorite search engine or go right to NIST and find out what the
key definitions are. With that being said, let's get started by defining
what a threat is, what a vulnerability is and what an exploit is.

Threat
Here's the definition NIST gives of a threat: any human or piece of software
that could adversely impact you, your company, or any of your data. Anything
that would impact you in a negative way is considered a threat. When we look
at this from a security aspect like Cybersecurity, it really comes down to
what a threat source is. A threat source is the person or means by which a
threat is exposed to you. One of the most common ones you'll hear about is
malicious software, also known as malware. But malware is not the only
thing; you're going to hear about other threat sources. The term hacker is a
general term for someone who could be causing a threat. In the old days, the
term hacker was an endearing term; it described somebody like a tinkerer who
could go through complicated things and figure out how they worked. However,
today there's so much negativity around the word that I just use it as a
general term for a malicious person who is trying to do something wrong. We
also have the term script kiddie, which is a very inexperienced, perhaps
future hacker who is using a lot of pre-built tools. Unfortunately, this
happens a lot, and it can happen with any age range, from somebody who's 8
years old to somebody who's 100 years old. There are also threat sources
like Certified Ethical Hackers, but in a good way: they do authorized
penetration testing and authorized vulnerability scans, and they could be
hired to help you make sure that your business is properly protected.
Hacktivists are people who do exploits for their own agenda. They're not
necessarily doing it for money or even for data, but to show that they can
do it. One of the hardest ones to fight against is an insider, some attacker
or hacker inside the company who's disgruntled and is going to do something
to affect the business. All of these are threat sources that can generate
threats, but what are these threats going after? Vulnerabilities.

Vulnerability
Earlier I referred to weaknesses that could expose your system to a threat
like an attacker or a hacker who is going to try to steal that information.
Well, weaknesses are technically referred to as vulnerabilities.
Vulnerabilities aren't just weaknesses in your operating system; they could
be weaknesses in your procedures. Think about this: what good is having the
most secure operating system with all of the updates if you don't have a
password on it, or if you don't lock it when you walk away to go to the
restroom or to lunch? These are vulnerabilities, not just in a particular
device or product, but in the procedures being used. Many times these
vulnerabilities are due to simple things like weak passwords or reusing your
password over and over. It could be as simple as there being no anti-malware
software on a particular system. What you're going to find out, if you don't
already know, is that malware is very prevalent; it's easy to get infected.
Not having malware protection software doesn't make a whole lot of sense.
That in itself is a vulnerability. What if the system is not being properly
updated? Operating systems and applications need updates, and these updates
often contain security fixes that strengthen that software. If the updates
aren't being performed, vulnerabilities increase. Then there is poor
security management and the assessments that go with it. Some companies do
not have professional security teams, therefore none of that gets done.
They're not scanning for vulnerabilities, which means the impact is even
higher. I relate this to the simplest of things. If you get up in the
morning and you're headed out to go to work, are you going to leave your
doors and your windows unlocked? That's a vulnerability. You want to have
those locked, and if you have a security system, you want to have the
security system enabled. These are ways that you close those
vulnerabilities, or mitigate the threats that might be coming at you.

Exploit
We have a threat or a threat source, a hacker, and the hacker knows that you
have some data that they want. They're going to try to understand you more.
They're going to try to understand the computer systems that you're using
and the processes you follow so they can look for vulnerabilities. Once they
find a vulnerability, whether it's a technical one or a routine one, they're
going to exploit it. Sometimes they'll use a software tool, or even write
their own automated process, so that they don't physically have to be trying
this at that time; they can just have the software exploit the vulnerability
to get towards your data. Another reason it's automated is that they may not
be exploiting this just against you. They may go after a bunch of people or
your entire company. That's how these three work together. Let's take a look
at what some common exploits are.
Chapter 4 Understanding Malware

If you're under attack and somebody's trying an exploit, one of the most
common ways that's going to happen is through malware. We have already
talked about malware meaning malicious software. This is a very common way.
You can get it from websites, you can get it from your email, or you can get
it from downloading software. There are a lot of different ways you can be
convinced to get malware, even if you're trying to protect yourself.

There are a couple of older terms out there, worm and virus. Today we use
the term malware; it's a more up-to-date term and covers more than just
these older ones. A worm was a program that could attach itself and
replicate through a network; we had some of the first internet worms in the
80s. Viruses were unauthorized programs that could do malicious things; they
were attached to files and passed along through disks or when you copied
those files. Today we refer to them all as malware. A couple of other things
that malware has in common with what was known about viruses: malware has
its own signature. The way we identify that a file may be infected, or that
you have malware on your system, is by tracking that signature. This is one
of the reasons it's so important to update your anti-malware software, so
that you get the latest known signatures. Stealth viruses and stealth
malware are malicious programs that look just like a legitimate program.
It's hard to tell the difference sometimes, and that comes back to those
signatures. One challenge, which has been overcome to a degree, is
polymorphic viruses and malware: they know how to change their own
signatures as they replicate, which makes them harder to trace. The latest
anti-malware with the latest updates can go a long way to helping you with
these types of exploits.

In addition, you may hear of time bombs or logic bombs. These have a fuse to
go off on a specific day or event. When you're listening to the news you
might hear: be careful, make sure you're scanning your systems for a
specific piece of malware, as it's supposed to go off next Friday. If you
were infected, you may not even know about it until the day it goes off, but
up-to-date anti-malware can help with that. Time bombs are famous for
insider attacks, but not only inside attacks. You also have something called
Trojan horses, where attackers put their payload in a program that an
average end user already trusts. Then the malicious code goes into something
that you expect to exist on your system. There's also a lot of spyware, a
payload that monitors what you do and what your system activity is, to
gather information about you.

One of the worst things, in my opinion, is ransomware. Ransomware is
diabolical, and to be infected by ransomware means that you're about to have
a bad day or a bad week. Ransomware infects your system and then has a time
bomb on it that will trigger a specific event on a certain day at a certain
time. Once it goes off, it will encrypt your files so that you cannot access
them anymore. But before it goes off, your screen will have a message
explaining that if you pay some Bitcoin to a specific wallet address
(provided on the ransomware screen), you can get access to your files. If
you think it's a joke and you just don't care, because you think you can go
to Netflix and carry on watching Mr. Robot or whatever your favourite TV
show is, well, think again. Once you have ransomware, not only will your
files be encrypted, but your whole laptop will be completely useless. I know
what you are thinking! You are thinking that you can just turn your computer
or laptop off and then back on, right? Well, once your laptop turns back on,
the ransomware will be there waiting for you. The only option ransomware
will allow you is to make the Bitcoin payment. Now you are thinking: what
the hell is Bitcoin, where do you get it and how do you transfer it? Well,
most ransomware screens are kind enough to provide information about
Bitcoin, where to get it and how to make the payment with it.

I know a few people who had to deal with ransomware in the past,
specifically with the one called WannaCry. Ransomware is
very difficult to get rid of. It's very difficult to clean off. Or I should say you
cannot do anything other than make the payment if you want your files
back. Or get a new laptop. This gets back to the importance of good
practices and procedures, but also good anti-malware. Last on our list, which
is far from complete, is something I hope you don't have to deal with much:
adware. These are pop-up messages. Many times you'll see this with
browsers when people install a lot of random toolbars. They'll start getting
all these pop-ups all over the place. Something else you'll hear about is SQL
injection attacks, which are attacks against a database, usually launched
through a website that talks to that database, to try to open up the
database and pull data out of it. The impact could be not just at your
company, but on you at home as well. One of the worst kinds of attack is the zero-
day attack. Not to overstress the point like I did with ransomware, but a zero-day
attack means that your anti-malware doesn't have signatures for it. We
don't know what it is. It just got released, it's brand new, and nobody has figured
out how to clean it up, or even that it may exist on your system and how it
got there. Zero-day attacks have already occurred and they
will occur going forward; the question is how far they can spread and
release their payload before they are detected. This brings up whether you have
the latest updates to your operating system and your anti-malware. Zero-day
attacks might affect you, but you also still might be far enough ahead of the
curve that they won't. There's more out there than malicious software. There
are other types of attacks that you may face, things that might happen to you,
ways you might be exploited. Let's take a look at some of those other types of
attacks. There are other activities, things that can happen that could push
you towards putting malware on your system voluntarily. Yes,
voluntarily, believe it or not. One of the ones that I like to focus in on is
social engineering. Social engineering is the ability of one human to trick
another human into doing something that gives them access. Pretend for a
moment that I call you on the phone while you're in your office. I say I'm
from DHL, I give some credentials from DHL about who I am, and I
have packages for a delivery that has to happen today. But I need a customer
signature, so if you could please go to this website and just mark here for a
signature, we will get the driver right out and have it delivered to you. Well,
if you do that, when you go to that website, it won't be the DHL website,
it'll be some website that I've set up, and when you click on the authorization
to have those packages delivered, I'll install malware on your system. In
other words, I've tricked you into doing something. I might be able to trick
you into resetting somebody's password or giving me more information about
yourself than you probably wanted to. That's social engineering. Human
interaction is difficult to prevent, and a lot of companies spend a lot of time
training employees extensively on what they can and cannot say to help
prevent that. Another kind of trickery, called pharming, is an attempt to
get credentials or other personally identifiable information by redirecting you
to a website that you thought was trusted. Key loggers are software or pieces of hardware that
collect keystrokes. One of the things that I'm going to want to try to do
through social engineering is to get you to install malware that will then
track information about you, maybe something like a key logger. There are
some additional activities as well: Distributed Denial of Service, or just
Denial of Service. They are also known as DDoS and DoS. Denial of
service means that we are going to have a bot, a zombie or a botnet, that is,
an automated piece of software that is going to continuously try to
communicate with your website. Botnet stands for roBOT NETwork. It's
going to continuously try to open up your website. In fact, it's going to
do it so much that it won't let anybody else get into the
website. A Distributed Denial of Service attack is where I'm going to have
multiple bots in multiple locations all attacking a website. This can often
take down much larger websites, and the whole idea is to stop that
website from performing its job. If this was to happen to you at your
company, all of a sudden you couldn't sell products. Customers couldn't go
out and look for things, look at reviews or give you their credit card,
because they cannot get to the website to buy anything; it's been
shut down. Spoofing is where an attacker is going to try to
imitate someone or something that's trusted. This is often done on networks
with something we call MAC spoofing, where my device normally would not
be allowed to even connect to your network because your network security
team has locked it down. But I've come up with a way to make my
device look like an authorized one and therefore use the network, by
changing my MAC address to an address that is trusted by the network. A MAC
address is also known as the physical address of an end device such as a
laptop, computer, tablet, mobile phone or even a CCTV camera. MAC
addresses are not meant to change the way IP addresses do. But if you are using the
right tools, such as Kali Linux or any MAC changer application really, you
can change your physical address, appear as a trusted device, and you
will be allowed access to the network. Phishing is an exercise in trying to
get you to do something to give up confidential information. Phishing is a
broader category, and I want you to think of it just like fishing. You cast
your pole out, your line goes into the water, and somewhere along the
line a fish may grab hold and snag it, and then we have dinner. That's what
this attack is; sometimes you see it as an email. Let me give you an
example. I get an email that looks like it's from my bank and says, "Hi, there's
been a transfer to your account of $10,000, you just need to click here and sign
into the website to complete and authorize this transaction."
That's an email wanting me to click, and the link is going to go not to my bank's
website but to something that looks just like my bank's website, and then
have me sign in, thereby getting my credentials to my actual bank. You
would be amazed at how many people fall for this, and that's the challenge.
The idea of phishing isn't that I'm going to get all of you if I send out this email;
I'm only going to get a small percentage of you, but that percentage is
enough. There's another term within phishing called spear phishing, which is a
more targeted, directed attack on a specific person instead of sending the
email to a wide range of people. This isn't a complete list of other activities,
but it's some of the big ones that are out there, to make you aware of the
attempts that will be made to try to gain information from you. When you
start to think about all of the types of threats and threat sources, the
vulnerabilities, the exploits, all of the things that someone might try to do to
gain your data or the data at your company, it can become frightening: all of
the malware and all of the other activities. But keep something in
mind. We do have ways to fight back, and we have ways to fight against
this. We can even take a proactive approach, trying to make sure that we
stay ahead of the game, and you do that by learning stuff like this, learning
some of the vocabulary, and learning how you can communicate
with other people in your environment so that you can cut down on these
types of attacks. In fact, let's talk next about a more proactive approach to
security.
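The bank email above is a good place to show what a defender's automated check looks like. The following Python script is an added example, not code from this book: it pulls the links out of an email body and flags the tricks described above, a visible link text that names one host while the link really goes to another, a link host that merely contains a trusted bank's domain name, and a link that points at a raw IP address. The email body, the trusted domain examplebank.com and the function names are all constructed for this illustration.

```python
"""Flag phishing-style links in an email body.

Added example: two tells the chapter describes, a link whose visible text
names one host while the href goes to another, and an href host that only
contains a trusted domain name (examplebank.com.login-verify.net), plus a
link to a raw IP address. The sample email, the trusted domain and the
function names are constructed for this illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed: the domain(s) the recipient really banks with.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed email body modelled on the bank example in the text.
SAMPLE_EMAIL = """
<p>Hi, there's been a transfer to your account of $10,000.</p>
<p><a href="http://examplebank.com.login-verify.net/auth">www.examplebank.com</a></p>
<p><a href="http://192.0.2.10/secure">Sign in to complete this transaction</a></p>
<p><a href="https://examplebank.com/contact">Contact us</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL, or of bare text such as www.examplebank.com."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def is_trusted(host):
    """True when host is a trusted domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def imitates_trusted(host):
    """True when a trusted name appears inside an untrusted host."""
    return not is_trusted(host) and any(d in host for d in TRUSTED_DOMAINS)


def analyze_links(html_body):
    """Return [(href, reason), ...] for every link that deserves suspicion."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue
        reasons = []
        try:
            ipaddress.ip_address(host)
            reasons.append("link points at a raw IP address")
        except ValueError:
            pass
        # Only treat the visible text as a host name if it looks like one.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and text_host != host and not is_trusted(host):
            reasons.append(f"text shows {text_host} but link goes to {host}")
        if imitates_trusted(host):
            reasons.append(f"{host} imitates a trusted domain")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, reason in analyze_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

On the constructed email the first two links are flagged and the genuine contact link passes. A mail gateway would add reputation lookups on top of this, but the text-versus-target comparison alone catches the "looks just like my bank" trick the chapter describes.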
Chapter 5 Malware & General Countermeasures

If you've been following along this far then you know that there's a whole
bunch of scary things out there. Well, now let's start to take a look at what a
security professional and you yourself can do as more of a proactive
approach, some basic general guidelines to think about and the terminology
that goes along with it. What we are going to look at here are things such as
what do security teams do to be more proactive. Also, what are some of the
proactive things that you can do as countermeasures to malware and some
of those other things that were out there that could be a problem. Let's get
started first with what security teams might do to be more proactive.
Security professionals, and security teams for that matter, do their best to
remain as proactive as possible when they're looking at defense
against new attacks, because new things happen every day and there's
new software being installed that has to be checked for vulnerabilities. This
is an important part of the job, and oddly enough you can do the same thing.
One of the things that they'll do is a risk analysis and assessment:
determine, if they install a new application for example, what types of
risks they might be opening themselves up to. Are they opening holes or
vulnerabilities in the system, and how best can they protect against those? They'll
also do intensive vulnerability scanning, and this also means penetration
testing, where they themselves may do the penetration testing. What that means
is that they're going to try to break into their own systems, or they may hire an
outside company, known as Certified Ethical Hackers or white hats, that
works in the industry and does this professionally. One of the interesting
things that security teams will sometimes do is mock testing on their own
people, such as mock phishing attacks. This is something that
my company did recently, and it's an interesting exercise, but some people
take it the wrong way. In other words, my IT department sent out an email
that looked so real, but it was a simulated phishing email. It didn't install
malicious software, but it recorded who clicked on the link. This is to try
to understand how effective the end-user training was. Phishing attacks through
email are getting better all the time. Security
professionals want to see what the impact would be. This can also lead to
more employee training, which is good. This is going to happen to you too,
if it hasn't happened already. You're going to get an email asking you to do
something you shouldn't do. If you get an email from your bank, go and call
your bank; don't click the email and go to something that could be the
wrong kind of site. Along with this are some additional things that a
security team will do. Disaster recovery and business continuity revolve
around this: if we are under attack or an attack does hit, how can I ensure that the
business can recover from the attack and, even more importantly, stay open
for business? That is business continuity. A lot of things like cloud
technologies and a variety of fault tolerant technologies have made it
possible that if we should lose a particular database due to an attack, well,
we still have another copy of that database that could be running and
available so that customers can still buy products. This is a very important
part of the process to maintain business continuity. Something else that a
security team might implement is an intrusion detection system and an intrusion
prevention system. This is very common in many environments. What it
does is scan all of the traffic on your network to detect common types
of attacks. If it detects one, it alerts us to it. A prevention system can not
only detect the attack, but shut it down. These are common systems that are
put on networks in your business to help support and protect your
environments from attack.
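To make the intrusion detection idea concrete, here is an added Python example, not code from this book, that does the simplest thing an IDS does for the denial of service attacks described in the previous chapter: it reads web server access log lines and flags any source that sends more requests inside a sliding time window than a normal visitor would. The log lines, the client addresses (taken from the documentation ranges) and the thresholds are constructed for this illustration.

```python
"""Rate-based flood detection over web server access logs.

Added example: the simplest check an intrusion detection system runs for
the denial of service attacks described earlier. A source that sends more
than max_requests inside any sliding window of window_seconds is flagged.
Log lines, client addresses (documentation ranges) and thresholds are
constructed for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Combined-log style: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, request, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), request, int(status)


def detect_floods(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak requests seen inside one window} for flooding sources."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, _, _ = parsed
        q = recent[ip]
        q.append(when)
        # Drop timestamps that fell out of the sliding window.
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def fmt(ip, when, request, status):
    """Render one constructed access-log line."""
    return f'{ip} - - [{when.strftime(TIME_FMT)}] "{request}" {status} 512'


def build_sample_log():
    """Constructed log: one normal visitor and one source hammering the site."""
    start = datetime(2020, 5, 1, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):  # normal browsing: one request every 30 seconds
        lines.append(fmt("203.0.113.5", start + timedelta(seconds=30 * i),
                         "GET /products HTTP/1.1", 200))
    for i in range(60):  # flood: 10 requests per second for 6 seconds
        lines.append(fmt("198.51.100.7", start + timedelta(milliseconds=100 * i),
                         "GET / HTTP/1.1", 200))
    return lines


if __name__ == "__main__":
    for ip, peak in detect_floods(build_sample_log()).items():
        print(f"ALERT {ip}: {peak} requests inside a 10 s window")
```

A detection-only system would stop at the alert; a prevention system, as the text says, would go one step further and block the flagged source at the firewall. Against a distributed attack the per-source threshold has to be complemented by a global request rate, since each bot may individually stay under it.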
When it comes to malware, you and a professional security team are pretty
much going to be doing the same things. When you're trying to prevent
malware, you want some anti-malware software, also known as anti-virus
software. What you want is that software installed on your system.
It needs to perform periodic scans. It needs to be up to date, and this is one
of the things that people seem to forget. If the software is not up to date it
doesn't have the latest signatures for the malware, and without the latest
signatures, we cannot detect it. That's why it needs to be up to date. It
should be able to scan your email attachments. It should be able to clean
and quarantine threats, which means remove them from your system, not
just tell you about the threat. If you're doing this as a security professional,
you're going to want to protect the configuration from users. In
other words, as a user, we don't want you going into a computer and
changing how the anti-malware software operates. Also, always make sure
that you have a backup. For example, if you look at the WannaCry
ransomware, the only way to get out of it in this particular case, other than
paying the Bitcoin to get a password for it, was to wipe the system and restore it.
If you didn't have a backup, that means you're going to lose data. Always,
just like any security professional, make sure that you personally have
backups, whether on a home network or at your business. As a security professional, you
must ensure that you have backups, and one of the most important things is
patches and updates. Not just to the anti-malware software, but to
everything: your operating system, your tablets, your phones, they
all need updates. Many times people think, well, those updates are just
giving me extra features I don't need. That's not the case. A lot of those
updates are security updates to help protect you from a malicious attack. In
general, there are many things that you can do to help yourself and to help
your company move forward in trying to prevent sudden attacks. First of
all, user awareness. This is the idea of both the company and you yourself
keeping informed. Sometimes a company will have something called a
threat board where they'll post what the latest attacks are, explain what
those attacks are and what you should be doing to mitigate them. If your
company has that, take advantage of it; if it doesn't have that, ask why
not. You also want to train your users about social engineering attacks. The
more you learn about how somebody could try to get you on a telephone to
do something you shouldn't, the better off you're going to be; these attacks are so hard
to prevent. Then there's overall user training, things that everybody can be
trained to do: log off of a workstation, especially if you
go to lunch or something like that, so that your workstation is not exposed.
Then there's the idea of a clean desk policy: papers lying around on your desk could
have confidential information on them. You don't want people just walking
by and looking at them. Sometimes companies will have a clean desk policy
where there is no paperwork left on the desk. A clean screen policy means
the computer gets locked; there's no data left on the screen. And we have
password policy. A password policy means that you don't reuse your
passwords on different websites and that you make sure you have strong, complex
passwords that would be very difficult to attack. Combined, these will
help you be more preventive as you move forward in keeping your
stuff secured, your data confidential and the data of your company
confidential. That wraps up this section on how to be more
proactive about security in your life: doing things that can help prevent
malware, good anti-malware, good countermeasures, a clean desk
policy, complex passwords, not reusing your passwords. These things can
proactively help prevent you from getting malware or suffering any attack.
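The password policy described above can be enforced in code. The following Python is an added example, not code from this book. It assumes that earlier passwords are kept only as salted PBKDF2 hashes, so reuse can be checked without ever storing an old password in the clear, and it uses a tiny constructed list of commonly guessed passwords where a real deployment would check against a large breached-password list.

```python
"""Password policy checks: length, character variety, not a commonly
guessed password, and no reuse of earlier passwords.

Added example. It assumes earlier passwords are kept only as salted
PBKDF2-HMAC-SHA256 hashes, so reuse can be checked without ever storing
an old password in the clear. The tiny COMMON_PASSWORDS set stands in for
the large breached-password list a real deployment would use.
"""
import hashlib
import secrets
import string

MIN_LENGTH = 12
ITERATIONS = 200_000
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}  # constructed


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def was_used_before(password, history):
    """history holds (salt, digest) pairs produced by hash_password."""
    return any(
        secrets.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def check_password(password, history=()):
    """Return the list of policy violations; empty means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly guessed password")
    if was_used_before(password, history):
        problems.append("was used before; do not reuse passwords")
    return problems


if __name__ == "__main__":
    # Constructed history of two earlier passwords, stored hashed.
    history = [hash_password("CorrectHorse!2019"), hash_password("Winter2020!!")]
    for candidate in ["CorrectHorse!2019", "Passw0rd!", "Tr0ub4dor&3-rides-again"]:
        print(candidate, "->", check_password(candidate, history) or "OK")
```

The reuse check is the part people usually skip: comparing a new password against hashes of the old ones is what makes "don't reuse your passwords" enforceable rather than just advice.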
Chapter 6 How to Report Malware

If you believe that you've been attacked, or you believe you might have been
attacked, and there is a difference, you're going to want to report this. If
you're working at your company, you're going to want to tell somebody
about this. If you're at home, you might be left to your own defenses, but
there is an ultimate way that you can also report this. That's what we want
to take a look at here: what do you do when you think you've been
attacked, how to report it to the business, how to report
any personal attacks that may have occurred and, well, there is the ultimate option,
you can report it to the FBI. Imagine that you go to work and you log into
your computer and something's not right. Maybe you notice that there is a
suspicious looking email in your inbox, or your computer started slowly, or
you just launched your word processor and you saw a flash of a strange
message. It could even be something as in-your-face as a
message on your screen saying you're infected by malware. Whatever the
case may be, it's time to report it to somebody else, and here's the important
thing. A lot of businesses have a procedure for this, and what I want to
encourage you to do is make sure you check with your company to see what
the procedures are. If your company has very specific procedures and you
follow them, immediate action can be taken. Make sure you
check what processes and procedures there are for you to follow. Many
times there'll be a designated security contact. This will be somebody that
you can call, forward emails to, or send what you believe is a
problem to, and their job is to look at that issue, talk to you and get it
resolved. Your company may also have a lot of security professionals, and
while you may have a specific security department, some companies don't.
Those professionals interact with other parts of the company. It may be an
internal IT department that you call or report to, or it might be your internal
help desk that you call and say you think there's something wrong. The
last-case situation is that if you don't have any of the above or a good procedure
for it, you should still let somebody know, like your immediate superior.
This could be a very harmful attack or it could be nothing at all, but that's
okay. It's better to be safe than sorry. Make sure that you're contacting
somebody in the organization about what to do and what steps to take next.
Sometimes the attack has nothing to do with your company; it only has to
do with you. You might notice that you get a strange email to your personal
account from your bank that is not looking the way it's supposed to. You
might notice you get a bill from the doctor's office that doesn't seem to be
right. For these kinds of attacks, you want to contact the businesses that are
involved. A great example is the phishing email I mentioned
before. The best thing for you to do is to call your bank. Don't click on the
link, don't go wherever the email wants you to go; call the bank and
ask them about the email you received. The bank will tell you to delete
the email immediately. In another case, if you get a strange bill from your
doctor's office, call your doctor's office. Don't just try to pay
the bill electronically if it looks like it's not a bill that you should be getting. They
wouldn't be the first doctor's office to have its client information hacked. Also,
if you believe you're under attack, make sure your anti-malware is up
to date. Make sure you have patches and updates to the signatures, and
perform a full scan. If it has something to do with a bank and it does look
like fraud, you might need to cancel your credit cards. It just so
happens that many banks today are on top of this. They may
cancel a card for you, and in a lot of cases they'll just cancel it and
send you a new one. There's something else that you can use, and people
have different opinions on this: products designed to prevent your
identity from being stolen. These are monitoring services
that can alert you to people possibly trying to use your name, open up
loans or use your accounts in ways that weren't done by you. These kinds of
software can be very beneficial. What do you do if all else fails, or if you are
under attack, you've lost a lot of money, you're having problems with the
bank closing some credit cards? At the end of the day you can go for the
ultimate option, which is to report it to the FBI. There are other organizations
you can report to, but this is a common one, even for businesses to report
things to, especially in the middle of an attack.
They usually investigate things that have financial consequences, provable
financial consequences, but you can always check as a last resort. I hope
you find this information helpful about how to report a specific incident,
either to security professionals at your business, or by calling up your bank or
even the FBI.
These are some of the basic terminologies often used, how security
professionals think, what they're trying to do, how you can be a part of
the solution in helping them, and how your awareness can help you not just
at your business, but at home with your own identity and accounts.
Chapter 7 Attacks on Portable Devices

We need access to our data wherever we're located, whether that be home,
office, in the car, traveling or flying to another country; it doesn't matter, we
want access to our data. That, though, means that we need to protect that data
while we're in transit, when we use that data, and when we need to remove that
data. So let's start by looking at how to even find the data that we want to
protect. First of all, what does a cybercriminal want? What kind of data are
they looking for, both at your business and at your home? How do you inventory
and locate your data? Where are the places that the data you care about
most is going to be? What's surprising is that most people don't realize a lot of
these particular locations exist. Then we're going to look at the modes of data,
what data looks like when it's in transit and when it's at rest. What is it
specifically that we need to protect? Well, it's data, but how and why do we
need to protect that data? Something else I want to mention is the
interception of communication when you are traveling and how to avoid
that. So let's get started with data in your business and at home.
Cybercriminals want your data. They'll take everything, but they want
specific data that can help them get into your bank accounts, help them get
into your company's bank accounts, help them learn about you so they can
take over your identity, or that lets them do something with your company to
affect your customers' business. So what does a cybercriminal want? For
your business, they want anything to do with customers' information so
they can gain access to those customers, maybe their bank accounts. They
want intellectual property about the company, accounting information,
anything that they can glean that they can use to their advantage. Same
thing when it comes to you and your personal life. They want to get any
kind of information about you that allows them to take over your identity,
your bank accounts, your medical information or anything else. They want
anything that they can use to target you and get control over your identity.
With portable devices, we're making it easier on cybercriminals. We're
traveling with all of this data around us, and we have to be very careful. It's
not just about theft of the physical device, it's about how we use the device,
and whether that data is susceptible to some criminal gaining access to it. That's
what we want to try to prevent. To help prevent cybercriminals from taking
your data, you need to think about where your data may be located. You're
thinking it's going to be on my mobile device, and you're right. But it also
helps to understand where that data specifically might be located. First of
all, data gets stored on your devices, laptops, phones, tablets, in a lot of
different locations by many different means, one of them being
applications. When you're using a web browser and surfing the web, that
web browser really isn't storing much about you. However, if you're going
to a website or using an application that asks you to sign in, it's probably
storing your credentials, or at least part of them, locally. Similarly, the data
that you're using with that application, whether it be medical or banking,
some of that data may also be stored locally. You want to think about this,
not just in terms of a cybercriminal stealing it, but also whether you need to make sure
it's backed up in case you lose your device. Other places that data's going to
be located is in databases, both at home and at the office. A lot at the office
is going to be in a database, and it won't directly be on your device because
these databases are huge. But you may have smaller applications that do
have smaller databases that store data in them. Where is that data going to
be physically located? Well, it's going to be on your computers, your
desktops, your laptops, your mobile devices, your phones, your tablets or
your wearables, meaning your watches. USB keys or anything else that
you may have that stores information that you've been using, we need to
protect. So you want to do a mental inventory of this. What is it that you
travel with that needs to be protected? If you use USB keys, are those encrypted?
That's the kind of thing we want to look at. Also, any type of drive technology.
I've been talking about USBs, but hard drives and the older CDs, DVDs,
and, if you do have diskettes, those as well. Not only do you want to think
about where your data is located, you want to think about how you're using
your data. I refer to this as the modes of data; there are three definitions
of how data gets used. First of all, there's data-in-use. What this simply
means is that you are currently using the data: whether it's in a database or
not, you're accessing the data through an application, and you're currently
working with the data. Another mode is data-in-transit, or data-in-motion,
another term for the same thing. That means that you are being portable. You are
moving with your data. So if you're carrying your phone and going to the
grocery store, or traveling on a business trip with your laptops, your phone,
your tablets, that's data-in-motion. Then there's data-at-rest. What does data
do when it sleeps at night? Data-at-rest is when it's not being moved and
nobody's using it, and here's the interesting part. Of the three modes
listed here, it's when data's in transit and when data's at rest that it's most attacked.
Data-in-use isn't attacked as much because you're actually using it. You're
working with it. You're not going to websites where you're getting
malware, or opening up emails that have malware that may impact that data.
Now let's talk about what impact to data means. Before we talk about the
specific threats to your data, let's talk about the impact and what we're
worried about with data. Oftentimes, security people refer to the CIA Triad.
It stands for Confidentiality, Integrity, and Availability. I want you to
envision that your data is at the center of information security. How do
we secure this information? What we're concerned about are the
confidentiality, the integrity, and the availability of that data. Also, there's a
fourth aspect to this known as privacy, and this is your personally
identifiable information. So let's break these down a little bit.
Confidentiality. Here's what confidentiality is: ensuring that the data that you have
is not disclosed to anyone who is unauthorized.
Only authorized people that have validated themselves can see the data.
Confidential data is going to be entrusted to certain people, and this is usually
done through an authentication mechanism, like a username and a password.
What we can do to protect this from unauthorized users is encrypt
the data, and I want you to really focus on this for a minute, because one of the
best practices for data, especially when it's in motion or in
transit and when it's at rest, is to make sure that the data is encrypted.
Fortunately, a lot of your mobile devices, such as phones and tablets,
already do this, but it's something that on your laptops, whether you're running
Mac OS or Windows, you usually have to enable first. I want
that data encrypted. I need to turn this on. If the data gets into the wrong
hands, well, then since it's encrypted, they still can't read it, so that's a good
thing. You also need to make sure that confidentiality is used properly: for
example, that you're logging in correctly, and that your
password is long so that it can't be easily determined. That requires training,
and security teams will often do training. One of the greatest exposures of
confidential data is when somebody leaves something on a printer or lying
on their desk instead of locking it in a cabinet. While we're talking about
portable data, that's a kind of portable data around the office too. Another
thing that we want to think about is the integrity of data, and this means that
the data is trustworthy and good. Integrity is maintaining the consistency
and accuracy of data throughout its lifecycle. Did some piece of malicious
software alter the data, like changing everybody's phone number in a
customer database? That's what we want to know. Part of integrity is not
only ensuring that data can only be altered by authorized users, but that if it
does get altered, whether by authorized or unauthorized users, we can log
that. We log who did it, when they did it, and what they did. If we need to,
we can recover through that logging. This
maintains the integrity of our data. Next is availability. Availability means
that the data is available to you when you need it; specifically, to
authorized users. There may be some internal
processes, like a backup process, that mean the data needs to be offline, but
that shouldn't occur during normal work hours or the business day, so we
want the data available to you. It also means that we have fault tolerance and
redundancy, so if something goes wrong with the system that data is
still available to you. We often do this in IT through redundancy. We'll have
a database that you're using for your data, but we have an exact copy of that
database somewhere else, so that if the primary database fails, we can
switch to the backup copy. Similarly, we're going to make sure that for
availability we perform the ongoing maintenance to make sure that
data is available to you and that it has integrity. We're going to do this
through backups and updates, and by making sure that we have good recovery
plans for that information. The last thing I'll mention is this fourth piece
called privacy. This is about your personally identifiable information. When
we're protecting data, we're specifically also trying to protect what
identifies you; whether you're an employee or a customer of the company, or
if this is you at home, we want that data protected. Not all of your personal
information is confidential or private, but information like your credit card
numbers and your Social Security number needs to be private. Organizations
like your business may have very specific legal compliance requirements; for
example, if you're in the medical industry, you have to follow HIPAA. HIPAA has
very specific rules on how to protect somebody's personally identifiable
information. Another example is that you might be in an industry where you take
credit cards for payment. That's the payment card industry, and PCI
compliance applies. Part of this protects you. That's the point of these particular
types of regulations. When we're moving around with our data and using
our data, what can possibly go wrong with it? Well, let's get a little
specific here. First of all, it can be lost, stolen, corrupted, or destroyed. If
you're walking around with your cell phone, your
tablet device, your laptop, these can be left at the airport, they can be
left in a taxicab, they can be left at a restaurant, and so they can be lost or
stolen. When it comes to mobile devices, you can use the manufacturer's
applications to find your device, and if you can find it you can remotely
wipe it. You should be able to find your device, and you should be able to
remotely wipe your device. That doesn't necessarily help you with a laptop,
and it can get a little bit worse, so you want to try not to lose your laptop.
Something else that's going to impact you, and we're going to drill into
more specifics on this, is malicious software. You can get malware, or
malicious software, from email attachments, from websites, other ways, and
mechanisms of getting malware. You can be convinced to accidentally
install it over the phone. That's social engineering. Malware is one of the
greatest impacts, and I'll tell you about different kinds of malware. Also,
there are just a flat-out malicious people that can call you on the phone and
convince you to do amazing things. I know it doesn't sound like it can
happen, but it does through social engineering. Your data will be affected
while it's in transit. While it's being portable, not only is it lost or stolen, but
there could be an interception of your communications while you're trying
to use it, and we want to talk about that, along with data leakage. This is
unintentional leakage of confidential data. These are the kinds of threats
you face. Let's drill into the specifics on a few of them. Let's drill into more
specifics about malicious software, or malware, since this has one of the
greatest impacts on our data. What kind of malicious software might we
see? Well we're going to see things like viruses, and viruses are attached to
files that usually get passed over things like USB drives and CD-ROMs.
There's also another type of malware that we used to refer as a worm, which
almost all malware today is, that is has the ability to replicate itself across
networks, like the internet or your corporate network. This is a very
common transfer mechanism used today for most malware. Some malware
might act as a time bomb. In other words, it goes off on a very specific day
and time. Sometimes this is an insider attack. People on their last day of the
job might set off a time bomb. Not only is that very disruptive and
unethical, it's going to land you in jail if you do it. A Trojan horse is a little
bit more tricky. You already are aware that malware is out there, so you
don't trust a lot of websites and you don't just download and install software
unless it's from a trusted source. Well that's how a Trojan horse gets you. If
you have a trusted program, let's say it's Microsoft Word that you use all the
time, it is possible that somebody injects malware as a payload into that
known trusted program. When you install that trusted program, you also got
the malware and you may not have realized it. Spyware will monitor you
and report back. The idea here is that it monitors what you type in, the
websites you go to, to teach the cybercriminal about your habits. Then
there's adware. It's annoying, but usually that's the problem with adware
that it's annoying. It just pops up ads. Sometimes you'll see somebody that
they'll open up their browser, and they have a whole bunch of toolbars and
ads are popping up. Phishing emails is where you get an email that has an
attachment that may be infected with malware, or the email looks like it
may have come from your bank, and it tries to get you to sign in to your
bank. When you click on the link, you're actually signing into a
cybercriminal's website, and they're collecting your username and pas
Chapter 8 Intercepted Communication & Countermeasures

When you go to the airport and you want to use your phone or your laptop, you want to be able to connect to the internet so you can surf some web pages, do some work, work with some of your data, and get some of your job done while you're waiting on the airplane. Here's the challenge. You want to connect to a web page, and you have to do that by connecting to the internet first. You need some sort of transport, and that's usually Wi-Fi. You're going to connect to Wi-Fi, and that Wi-Fi is going to get you to the internet. The problem is, whose Wi-Fi? If you're at the airport, you might see the airport listed as an open Wi-Fi network, and you connect to it. Who else can connect to that? Evil people can connect to it too. The cybercriminals can join that Wi-Fi and then run programs that tell them about you, sniff any traffic that isn't encrypted, and maybe even exploit a vulnerability on your device and access your data. In other words, they're watching you work too, and they're taking that data from you. How do you prevent this? There are a few things you can do, and one of them is as close to a guarantee as you can get. First of all, you should never use open public Wi-Fi. Here's what I mean by open public. You've probably seen a Wi-Fi network that doesn't have a lock symbol on it. In other words, there's no password required; you just get onto it. You see these at coffee shops, airports, cafeterias and supermarkets. This is something you should never do. There's another kind of public Wi-Fi that's closed, meaning it requires a password, and it's a little less dangerous because you have to have the password to get on. But did they post that password so that anybody, including the cybercriminal sitting in the coffee shop, could see it and get access? If so, it's just as bad as open public Wi-Fi: everyone who has the password is on the same network as you. How do you defeat this? You carry your own Wi-Fi solution. Here's what I mean. Carry something like a portable Wi-Fi router, also known as pocket Wi-Fi. There are no wires or anything; it's small and fits right into your bag. When you turn it on, your laptop and your cell phone connect to it, and it uses the cellular network to get to the internet. Here's the best part. Once you set it up, the only devices allowed to connect to it are the ones you specify, so no one else can get on it but you. It has a password that only you know, and you can stop it from broadcasting its wireless network name, also known as the SSID or Service Set Identifier. One caveat: hiding the SSID is not security on its own. Anyone with a wireless sniffer can still discover the network, because your own devices announce the name when they connect. What actually keeps strangers off is WPA2 or WPA3 encryption with a long, unique passphrase that you never post anywhere. With that in place, it's really hard for a cybercriminal to get on your network. So if you always carry your own Wi-Fi when you travel, you have reduced the ability for anybody to intercept your communication. That's the goal. This is a great way to prevent somebody from using a MITM, or man-in-the-middle, attack to steal your data while you're traveling. Your traffic still crosses the carrier's network and the internet after it leaves your hotspot, so keep using HTTPS websites and, for work, the company VPN; the hotspot protects the wireless hop, and encryption protects the rest. Have your own Wi-Fi solution. It's cheap, it works and it's great to have. Combine that with antimalware and you're doing a great job of limiting the odds of people being able to steal your data or corrupt your data. That takes us to the end of this section. We looked at data, what cybercriminals want to get to, both in your business and in your home. Basically, that's anything they can use to steal your identity or steal your money. A lot of people don't think about where their data may be located. They may not even realize that data is located on their cell phone, but it is, in the different apps that hold data, especially the ones you authenticate to. We talked about data at rest and data in transit. Those are the two primary times when data can be attacked, and then there's data in use. Usually it's not attacked. It can be, but usually it's not, because while you're using it you aren't running something else that could cause malicious software to execute. We also talked about what the CIA Triad is: what is it about our data that we're trying to protect? That was confidentiality, so only authorized users can see it. Integrity is so that the data is trustworthy. Availability is also important, so that data is available to us when we need it. Lastly, we looked at the interception of communication, preventing a man-in-the-middle attack simply by carrying your own Wi-Fi.
Chapter 9 Introduction to Social Networking

The internet combined with human invention has created social networking, or the social media sites that you're used to using, like Facebook, Twitter or Instagram. The best part about this is that it's a great way for us to bring ourselves closer to one another. Yeah, I know, that sounds weird. But sharing photos and sharing stories keeps our families closer together. It's also a great way for your business to market itself, create some consumer advocacy, create support sites for consumers, and start the buzz about a new product. All of this is good about social networking. Right up until it goes wrong. Here's how wrong it can go. We have talked about other things, like malware, that can infect your computers, steal data or even steal money from your bank accounts. When it comes to social networking, we are talking about all of that as well, and I want you to get an understanding of how it might happen, but it gets much more serious. With social networking you do fall under the threat of physical harm. We want to explore that as well, so that you can learn the best practices both at your company and at home when you're using social networking. First of all, we are going to look at why this is so important in regard to social networking. You might be impacted by things such as malware, but it can get much more serious than that when it comes to social networking. There is a challenge to business. We want to focus on this because there's not only a challenge to business from employees using social networking, there are also a lot of benefits, and we want to make sure we talk about both sides. The challenges are the same challenges that could affect you personally. Why is this so important to begin with? It's about loss or corruption of confidential data. This is what we are trying to avoid and this is what's so dangerous to us. It can have a big impact on your business: social networking can be a positive impact for the business, but there's also a negative side, and that's the loss or corruption of confidential data. There can be a personal impact too. Mainly the personal impact is about your data, but also things like your bank accounts and your identity, and it would be horrible if any of those were impacted. We are also looking at a direct impact to your physical safety. That's one of the reasons why this is so important. Security is everyone's responsibility, and with all of us working together, increasing our knowledge and trying to use the best practices that are out there, we will improve security not only for our business but for all of us at home.
Knowing why we are here and why this is so important, what is the challenge to business overall? It's the same challenge you're going to have personally: how do you prevent an attack from occurring? When it comes from social networking and social media sites, this is more challenging. We also have to know how to respond to an attack, and that becomes more challenging on social media sites too. We need to educate employees on the best way to use social media. For example, many companies don't allow employees to use their own personal social media when they're at the office. That's a good practice, but I want you to see why it's a good practice and what effects this can have. We also want to know if something has gotten corrupted or lost, or if we have picked up a malware infection from social networking. Notification is important to the business as well. We will dig much deeper into all of these shortly. First of all, let's talk about why social networking is valuable to a business, why it's valuable to your office and how your business can utilize it. Then we are going to look at social networking related threats. What are the threats from cybercriminals? What are the threats specifically and personally to you and your family? Social networking threats are important because people can be attacked emotionally, and emotions can get serious very fast. Then we also want to look at the actual threats to your business and how to prevent them. We will discuss not only what can go wrong, but how you can prevent it. Businesses are going to use social networking because it's good for them. There are a lot of benefits to it. But there are also a lot of dangers and risks out there that we need to work together to try to avoid.
We'll talk about the benefits of social networking and then explain where we can get attacked and how to prevent those attacks. Many offices enjoy the benefits of having employees use social networking throughout the course of a business day. There's enhanced collaboration with other employees and with customers, plus building a strong company culture can lead to better business, but there are also several dangers, and these aren't just from cybercriminals. While social networking does have value to the office, there are also risks involved. First of all, let's define what social networking is, so that we have a clear understanding not only of the process of social networking but of the types of applications we are going to use. We also need to understand how social networking specifically can benefit the business, because it's a great place for businesses to launch initiatives into new areas. There are risks to the business and we want to talk about those. What may surprise you is that not all of them are cybercriminal related. Sometimes it's the mistake of another employee that causes a risk to the business. Let's go ahead and get started by defining social networking. Let's start with a definition from NIST, the National Institute of Standards and Technology. NIST describes social networking as using dedicated websites or applications, like Facebook, to interact with other users, and the best part is to find other people with similar interests. These websites bring people with similar interests together, bring families together, and that sounds like a wonderful thing, and it is. What I don't want you to do is confuse the term social networking, which is the process of using these websites, with another term called social engineering. Social engineering is an attack vector. It's a way that an attack may occur: the process by which a very devious hacker, by phone call, by email or by some other means, convinces you to click on something or do something that you normally wouldn't do. That's social engineering, and it's different from social networking. Social networking is what you and I do all the time: we get onto Facebook, we share our vacations, we put photos up. That's the process of social networking. Social engineering may be a way to get you to do something wrong with your social networking that could cause a problem, but don't confuse the two; they're very different. Along with social networking, let's also define social media. Those are the actual websites and applications that you're going to use to perform your social networking. I'm going to use Facebook as the example, but LinkedIn, Twitter, Instagram and YouTube can all be considered social media too: places where people gather, share interests and have conversations. You would think there's nothing more reasonable than that, and that's true, but it's also a great place for cybercriminals to do some of their work and get you started on installing things like malware. There are a lot of benefits for a business using social networking. Not a lot of people think about that, and unfortunately not a lot of businesses have thought about it either. First of all, you get free marketing out of it. If the business itself is using social media, it can announce product launches, talk about them, build excitement for them, maybe even make changes to those launches based on the feedback it's receiving, and increase its brand recognition. Also, one of the interesting things is that social media provides a unique way for companies to provide customer support.
Chapter 10 Social Networking Threats from Cybercriminals

For a business, everything sounds wonderful about using social networking and social media sites, but this can go wrong fast, and we are going to cover the risk both to the business and to yourself. The damage to reputation and customer confidence from mishandling social networking can be worse than a data breach. Imagine that an employee handling a customer support issue gets upset and uses inappropriate words and phrases, or angers the consumer even further, and the consumer takes further action, like putting the whole interaction all over social media. That's a simple case that can have a bigger impact than a data breach, but I'm going to give you some others that can happen to a business if it isn't taking care of its social media sites and its social networking responsibility. The company can get such a bad reputation because of social networking that it could go out of business.
There are risks to the business, and we want to go through those as well as the ones to you personally. There are good benefits for a business using social networking to help promote the business and to support its customers. But there are also some downsides that the business has to be very careful of. You may already have some rules in place on using social media at your company, and those rules may be there in response to these risks. Let's move on and dive into what the threats from cybercriminals are. We surround ourselves with family, we connect to old friends, we join groups of people that share common values with us: common interests, hobbies, religion or politics. For some reason many people feel that social networking and the social media sites are safe because they're talking to people they know. What a lot of people don't realize is that their discussions are also public, and cybercriminals are going to try to get malware onto these platforms. So now we want to focus on some of the threats, and shortly we are going to look at threats to both you and your business. We are going to focus on the kinds of attacks that cybercriminals carry out using social media sites, with malware being one of the most dominant, for example where you click on a link and possibly get malware on your system. Another thing we will discuss is called cross-site request forgery, or CSRF, also known as sea-surf or sea-surfing. Then we will look at how you can prevent CSRF, but let's get started with malware. Because people are so comfortable with social media sites and think that they're only talking to people they know, they have a tendency, even if they know about malware, not to think about it when they're using social media, and that's just the wrong time not to think about it. Malware is an abbreviation for malicious software, which is any software that is put onto your system without your knowledge and does unwanted things, everything from corrupting data to stealing data or stealing your identity. Let me give you some of the terms that you'll hear as part of malware. You've probably heard the term virus. That's something that attaches itself to files and traditionally has been passed from one machine to another over floppy disks, USB drives, CDs or DVDs.
Worms, on the other hand, are malware that replicate themselves across networks. We have different types of malware such as the old time bomb, or logic bomb. This is often a piece of malware that is set to go off and do whatever destructive damage it's going to do on a specific date and time. Many times for companies this is an insider attack, but you can also get it from malware from the internet. One of the more famous ones is the Trojan horse, where you're receiving a trusted program, one that you think is secure, such as a piece of software from Microsoft or Apple, but along the way it got infected with something. That's a Trojan horse: you trust the program, but it carries a malicious payload. Spyware monitors the types of sites you go to and the types of activities you do on your computer, and tells a cybercriminal more about you. Then there's ransomware, which is one of the worst kinds, because when it gets on your system it encrypts all of your data so you cannot get to it until you've paid the cybercriminals, using Bitcoin or other cryptocurrencies. This is why, when you see preventative measures, one of the lines of last resort is to make sure you have a full backup, kept somewhere the ransomware can't reach and tested so you know it restores. Then there's the traditional adware, the popups you see with all of the ads. Sometimes you'll get custom toolbars on your browser and you'll get all these popups. It doesn't seem too malicious, but it's malicious enough. And then there's the infamous zero-day attack, which is the hardest one in the world to deal with. A zero-day exploits a vulnerability the vendor doesn't know about yet, so there is no patch, and your anti-malware or anti-virus software usually has no signature for it either. Zero-day attacks are some of the worst things out there, and they've become very common recently.
Chapter 11 Understanding Cross-site Request Forgery

Cross-site request forgery is a very specific type of attack. This is the attack that alerted a lot of people using social media sites that they were being hacked, and just to let you know, it's often pronounced sea-surf, so that's another way you'll hear about this type of attack. It's also known as a session riding attack, and I'm going to explain why. This is a very intricate type of attack, but I'm going to give you the basics of how it works so you know what is going on. It can be part of a social engineering attack, and remember, that's different from social networking. Social engineering is when you might get a call on the phone from what you believe to be one of your company's distributors, or a phishing email, or some other lure that gets you onto the attacker's page, and that page carries out this particular type of attack. So understand that it's not just that you went to Facebook; it could be any web page you're lured to. However, many people have been hit by this type of attack through links posted on Facebook, and I shouldn't just say Facebook, I should say any social media site. It's happening on all of them. Let me briefly break this attack down for you.
First of all, it starts out with a particular business that you want to have access to and transact some business with, which requires you to authenticate. You would like to transfer some funds from one of your bank accounts to another, so you sign in to your bank using your credentials and you transfer the funds. At this point you then open up another browser tab and go to, let's say, a social media site and start using it. I want you to understand that when you authenticated to your bank, that created a session, and that session is still open. Until you log out, or until the bank times it out, that session is still alive. There are timeouts on sessions, but think about this: if it has a 15-minute timeout, I signed in, transferred funds, jumped into Facebook, and that session is still there. The browser remembers the session with a cookie, and it sends that cookie along with every request to your bank's website, no matter which page the request came from. That's the whole trick. What's going to happen is that an attacker is going to have something on that social media site, and this can be a link, a photo or an ad, that when you click it (or sometimes just when the page loads) makes your browser send a request to your bank. The attacker never sees your password and doesn't need it, because the request rides on the session you already opened, and it looks like you. So they craft a request to your bank that transfers money not to one of your other bank accounts but directly to them, and because the request comes through your already-authenticated session, the bank sees it as valid, as if you're just sending money to some other account. This is a complicated attack and I'm oversimplifying it in some respects, but you get the idea. Because you're signed into multiple websites, it is possible to use those sessions against you; you would never know, and it looks valid to those other websites, so they don't know either. That's the challenge of this type of attack. The real question is: how do I prevent this? First of all, and this is the most important thing, log out of websites when you're done with them. Usually in the upper right-hand corner, or somewhere in the website's menu bar, you're going to find a log out button. Any time you go to your bank's website to do a transaction, the next thing you should do is click log out and sign out of that website before you do anything else. The bank, for its part, defends against this by putting a secret anti-CSRF token in every form that the attacker's page can't read, and by marking the session cookie SameSite so the browser won't attach it to requests coming from other sites. Also don't use the same username and password for different websites. That won't stop CSRF by itself, since the attack never touches your password, but it stops a password stolen from one site being used to log straight into another. This is important.
Some websites require you to use your email address as your username. Sometimes you're forced into using the same username or email address, but don't use the same password, because if you do, once a hacker gets it from one site they can use it everywhere. If your username is your email address but your password is different for every website, you make the attacker's job that much more complicated. Before you panic at the thought of 300 different usernames and passwords, how will you keep track of them all? Should you write them down? The worst thing you can do is write a password down, because that's a piece of paper somebody can find. The best thing to use is a password manager. There are a lot of password managers that will store all of your usernames and passwords so that you can easily put them into those websites without memorizing them, and a lot of them will generate passwords for you automatically. They're very long, very complex, they use all the groovy characters, all of that stuff you would never be able to memorize anyway, and that's the best part about using them. KeePass is one widely recommended open-source password manager, which you can check out at https://keepass.info/ .
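As an added example (my code, not the book's and not KeePass's), here is what a password manager's generator and policy check look like in Python, plus a reuse check over a vault. The word list, the policy thresholds and the sample vault are constructed for illustration:

```python
"""Generating strong credentials and spotting reuse, the jobs a password manager does.

Added example, not from the book or from any password manager product. The word
list, policy thresholds and sample vault below are constructed for illustration.
"""
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
# The four character classes a typical complex-password policy asks for.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
# Toy word list (assumption); a real passphrase generator uses thousands of words.
WORDS = ["copper", "harbor", "velvet", "meadow", "lantern", "pixel", "orbit", "thistle"]


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (secrets), guaranteed to contain at least
    one character from every class, then shuffled so class positions aren't predictable."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    chars = [secrets.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def generate_passphrase(n_words: int = 5, sep: str = "-") -> str:
    """Diceware-style passphrase: easier to remember, strong only when the list is large."""
    return sep.join(secrets.choice(WORDS) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, list_size: int = len(WORDS)) -> float:
    """Entropy of an n-word passphrase drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def meets_policy(password: str, min_length: int = 14, min_classes: int = 3) -> bool:
    """Length plus character-class check, the kind of policy the chapter describes."""
    classes_present = sum(1 for cls in CLASSES if any(ch in cls for ch in password))
    return len(password) >= min_length and classes_present >= min_classes


def find_reuse(vault: dict[str, str]) -> list[list[str]]:
    """Given {site: password}, return groups of sites that share a password.
    A breach of any site in a group exposes every other site in it."""
    sites_by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return [sorted(sites) for sites in sites_by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    # Constructed sample vault: the same password on the bank and a social site.
    vault = {"bank": "Summer2020!", "social": "Summer2020!", "mail": generate_password()}
    print("reused on:", find_reuse(vault))
    print("generated:", vault["mail"], "policy ok:", meets_policy(vault["mail"]))
    print("passphrase:", generate_passphrase(),
          f"({passphrase_entropy_bits(5):.0f} bits with this toy list)")
```

The entropy function is there to make the word-list caveat concrete: five words from the eight-word toy list give only 15 bits, while five words from a 7776-word Diceware list give about 64.6 bits, which is why a real passphrase generator ships a large list.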
That's why the next thing on the list is to use a password manager that generates and stores those complex credentials, and don't let the browser remember your usernames and passwords. Some companies like Microsoft and Apple have put real work into securing the credential stores in their browsers, and many people feel comfortable relying on them. Still, you shouldn't trust the browser with your usernames or passwords. Just imagine what happens if someone sits down physically at that computer, launches the browser and all of a sudden has access to all your credentials. Instead, use a separate program with its own authentication, like a password manager that locks with a master password, to take care of all that for you. Also, try to avoid surfing to other sites while you're logged into sensitive sites. That's how you can prevent cross-site request forgery attacks: make sure you're not still signed into your bank, or any other site that can move money or change settings, while you go to social media or anywhere else that isn't a known, trusted website.
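The attack and the bank-side defences described in this chapter, as an added example in Python that is not part of the book. It models the browser and the bank's transfer endpoint in memory (the session cookie, the two origins and the balances are constructed), so it runs offline: the vulnerable handler honours the forged request, the hardened one rejects it, and a SameSite cookie stops the forged request before it even reaches the vulnerable handler.

```python
"""Cross-site request forgery on a toy bank 'transfer' endpoint: vulnerable vs hardened.

Added example, not the book's code. Sessions, origins and balances are constructed
in memory; nothing talks to the network.
"""
import hmac
import secrets
from dataclasses import dataclass, field

BANK_ORIGIN = "https://bank.example"     # assumed origin of the bank
EVIL_ORIGIN = "https://social.example"   # assumed origin of the page carrying the attacker's form

BALANCES = {"alice": 1000, "attacker": 0}
SESSIONS = {"sid-alice-123": "alice"}     # session cookie value -> logged-in user
CSRF_TOKENS: dict[str, str] = {}          # session cookie value -> token issued with the form


@dataclass
class Request:
    method: str
    cookies: dict[str, str]
    form: dict[str, str]
    headers: dict[str, str] = field(default_factory=dict)


def reset() -> None:
    BALANCES.update({"alice": 1000, "attacker": 0})
    CSRF_TOKENS.clear()


def do_transfer(user: str, to: str, amount: int) -> int:
    if to not in BALANCES or BALANCES.get(user, 0) < amount:
        return 400
    BALANCES[user] -= amount
    BALANCES[to] += amount
    return 200


def transfer_vulnerable(req: Request) -> int:
    """Vulnerable: trusts the session cookie alone. The browser attaches that cookie
    to every request for bank.example, including one that another site made it send."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if req.method != "POST" or user is None:
        return 403
    return do_transfer(user, req.form["to"], int(req.form["amount"]))


def issue_csrf_token(session_cookie: str) -> str:
    """Called when the bank renders its own transfer form: a per-session secret that
    the attacker's page cannot read (the same-origin policy keeps it out of reach)."""
    token = secrets.token_hex(16)
    CSRF_TOKENS[session_cookie] = token
    return token


def transfer_hardened(req: Request) -> int:
    """Hardened: same cookie check plus (1) the Origin header must be the bank itself
    and (2) the form must carry the token issued for this session."""
    sid = req.cookies.get("session", "")
    user = SESSIONS.get(sid)
    if req.method != "POST" or user is None:
        return 403
    if req.headers.get("Origin") != BANK_ORIGIN:
        return 403
    expected = CSRF_TOKENS.get(sid)
    supplied = req.form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403
    return do_transfer(user, req.form["to"], int(req.form["amount"]))


def cookie_is_sent(samesite: str, page_origin: str, method: str) -> bool:
    """Simplified model of the browser's SameSite rule for the bank's cookie.
    Strict: only on requests from the bank's own pages. Lax: also on top-level GET
    navigations from elsewhere. None: always (the behaviour CSRF relies on)."""
    same_site = page_origin == BANK_ORIGIN
    if samesite == "Strict":
        return same_site
    if samesite == "Lax":
        return same_site or method == "GET"
    return True


def browser_submit(handler, page_origin: str, form: dict[str, str], samesite: str = "None") -> int:
    """Alice's browser POSTs `form` to the bank while her bank session is still open.
    `page_origin` is the page hosting the form: the bank itself, or the attacker's page."""
    cookies = {"session": "sid-alice-123"} if cookie_is_sent(samesite, page_origin, "POST") else {}
    return handler(Request("POST", cookies, form, {"Origin": page_origin}))


def run_demo() -> tuple[int, int, int, int, int]:
    reset()
    forged = {"to": "attacker", "amount": "500"}
    # 1. Vulnerable endpoint: a form auto-submitted from the attacker's page succeeds.
    r1 = browser_submit(transfer_vulnerable, EVIL_ORIGIN, forged)
    # 2. Hardened endpoint: the same forged request is rejected (wrong Origin, no token).
    r2 = browser_submit(transfer_hardened, EVIL_ORIGIN, forged)
    # 3. Alice's genuine transfer from the bank's own form carries the token and passes.
    token = issue_csrf_token("sid-alice-123")
    r3 = browser_submit(transfer_hardened, BANK_ORIGIN,
                        {"to": "attacker", "amount": "100", "csrf_token": token})
    # 4. A SameSite=Lax session cookie isn't sent with the cross-site POST at all, so
    #    even the vulnerable endpoint sees an anonymous request and refuses it.
    r4 = browser_submit(transfer_vulnerable, EVIL_ORIGIN, forged, samesite="Lax")
    return r1, r2, r3, r4, BALANCES["attacker"]


if __name__ == "__main__":
    print(run_demo())  # (200, 403, 200, 403, 600)
```

Logging out of the bank, the advice in the chapter, works because it invalidates the session so the cookie the browser attaches no longer maps to a user, which is the same failure the forged request hits in step 4. The Origin check and the synchronizer token are the bank's side of the defence and do not depend on the user remembering to log out.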
Chapter 12 Social Engineering Countermeasures

You might think, well, it sounds like cybercriminals have taken all the fun out of social networking, but that's not the case. You can fight back. First of all, we talked about some of the things to do about cross-site request forgery attacks, but let's take a look at some general countermeasures. Whether you're a business or this is for you personally, a lot of these measures work the same way. Make sure you have anti-malware. That's the most important thing to do. You must have anti-malware on your systems both at the office and at home, and make sure it's set to do periodic scans, with full scans scheduled. It also needs to be kept updated, which is the most important thing with anti-malware. You also want to ensure that your anti-malware is configured to scan all your email attachments, because that's where a lot of malware ends up, and that it's able to clean and quarantine threats. That's basic anti-malware protection. The last resort is to ensure that you have backups. While this directly helps with things like ransomware, it helps in any situation where you've been attacked and picked up something that's hard to clean off: you can wipe your system and restore it from a good backup. If you don't have a backup, that's when you start to run into problems you may not be able to recover from. You also want to make sure that your operating system and your applications have all of their patches and updates. Remember, manufacturers are finding vulnerabilities and patching them, and those patches and updates are how you get the fixes. Once again, you want a different password for everything you sign into, and a password manager to help you store and manage those passwords, not a piece of paper stuck to the underside of your desk. Those are some general measures. Some additional things are user awareness, and this is what you're doing now: getting a better awareness of how these attacks occur and what to do to prevent them. But you can also help other people. Keep people informed generally; just talk with your friends about things they may know or things they're doing. Also, if you're at a company, many times the security professionals there will maintain a threat board to keep you aware of the latest types of attacks and how to specifically prevent them.
Companies also often train their users on social engineering, social networking, social media and a lot of other threats as well, so user training is a very important piece. Don't use personal social media at work. This is a company standard for a lot of businesses, and the reason is that you could be making mistakes with that social media which can impact your business. That means you might be picking up malware and infecting company machines. It also means you might be sharing information about the company that you shouldn't be, and we are going to talk more about that shortly. Also, when you're using passwords, follow a complex password policy. Many companies already implement this: your passwords must be long, and they must contain complex characters, the funny characters above the number keys, along with capital letters and small letters to make your passwords more complex, or use passphrases for that matter. By combining all of these countermeasures, if you're doing all of them, you've greatly reduced the chance that you're going to get a malware infection or suffer other types of attacks. One thing to be cognizant of is that it is not a 100% guarantee, but it certainly does reduce the odds the better you get at this. Likewise, you want to make sure that you keep confidential information off social media. That's very dangerous. To wrap this up, these are the ways hackers are trying to get to us. They're going to give us malware, and they're going to use specific attacks that spawned from social media sites, such as cross-site request forgery attacks, and we talked about how to prevent those and how to keep malware and other types of attacks off your system. By taking those preventative measures, you reduce the odds of being a victim of these types of attacks. Next, we are going to dive into how this might impact you personally and what you want to do to ensure that you're protected on social media. I know many people who have had personal experience with what I'm about to share with you. Here's where the problem comes in. All of the tools I've given you so far that help prevent malware, and the tactics that help prevent things like cross-site request forgery, stop working at some point, and we switch from cybercriminals trying to gain information from you to criminals who are going to carry out criminal activities that may involve your physical safety as well. Let's go ahead and dive into a very serious topic. We are going to take a look at why this is so important and why this should stand out to you. This is about you and your family at this point. I'm not talking about your business; this is all about you. We are going to take a look at a couple of things that you want to be aware of and things that you may want to avoid: things like photos on your social media, the profiles you have on social media and the personal information you provide there. Let's not waste any time and dive right into why this is so important. First of all, for the safety and well-being of your family, pay attention to what you are telling criminals about yourself, and think this through. You're posting things about when you went on vacation,
what new things you got from Amazon or the store or the car dealer, what
your kids are doing, what your spouse is up to, where you work when you
get home from work. Think about all this information. It's telling criminals
exactly what you have and when you're at home. Bad things can come out
of this. First all at best, you're giving criminals clues to where you live,
where you work, and when you're at home, what could possibly go wrong.
At worst, yes these things have gone wrong. It could be home robbery,
home invasion, kidnapping and even death because criminals are collecting
this information. How are you going to stop this from happening? Well anti-
malware isn't going to help you with this. What's going to help you? Being
very aware of what information you're putting on social media and
restraining yourself from giving out clues about when you're at home or
where you live, where you work. These are the things you want to think
about.
Chapter 13 Understanding Metadata

A picture says a thousand words. That is one of the reasons we love posting photos on social media. What a lot of people don't realize is that phones and most cameras today embed metadata (Exif data) in every photo, and when location tagging is turned on that metadata includes the exact GPS coordinates and the time the photo was taken. If you took the photo while sitting at home and then put it on Facebook, anybody who gets hold of that original file can find out exactly where you live. If you took a photo from the office, they know where you work. If you took a photo of your kids at school, they know where your children go to school. All of that travels with every photo you take. Most cameras and phones let you disable this geotagging feature. That is something I don't do, because there are programs that will remove the metadata, and I like having that data: when I am looking through a batch of pictures I forget where certain things were shot, and the location tells me. That is the benefit. But I don't want it going onto social media, so I use programs to strip the data, and when I put a picture up it won't have it. Be clear about this: it is unwise to post photos with this data included. I don't always remove it, though. When I am somewhere and I don't care that people know the location, or I want them to have it, perhaps a photo from a vacation I took a few months ago, the metadata may be fine. What I make sure of is that nobody gets information about where I live, where I work, where my children go to school, where my spouse works, the things I wouldn't want a criminal to know. Two caveats for the practical-minded: most large social networks strip Exif data from uploaded photos today, but don't rely on that, because the original file you send by email or messaging app, or share from cloud storage, still carries it; and location data is not the only tell, since the background of a photo (a street sign, a school crest, a house number) gives away the same thing without any metadata at all.

A lot of social media sites let you include information about yourself in your profile. The reason is so that people can find you: where did you grow up, where did you go to high school, where did you go to college? That way, friends from those periods can search for anybody from the high school you attended. That is a benefit and a feature. The drawback is that the same information in your profile tells criminals too, and most social media sites allow personal profiles to be made public. Consider not including information that is specific to you now: where you currently live, where you currently work, what department you work in. A cybercriminal would love to know your department because it makes you easier to target. Don't post your exact birthday or any other personally identifiable information. You would never put your credit card number on a public website, so why put your birthday up there, or your Social Security number? Past information is a different matter. Some people hold that nothing that personally identifies you, including past information, belongs in these profiles, but many people have put in past information, such as their education, where they went to high school or where they used to live, and been fine; it is the current information, where you live now, that you don't want there. This is one of the questionable ones. If you go to Facebook you have probably seen people with no profile information whatsoever. That is not necessarily a bad thing; it may be one of the best routes to take. Before you type it and click send, think about it, and make sure it is information you don't mind a criminal who wants to do you harm having. We have already covered a lot of this: discussions of vacations, photos, locations, dates and times all need care. A vacation you took in the past, where you stayed, "this is what we did two months ago", is not a big deal. Saying that you are on vacation right now tells everybody, in real time, that you are not home. Be careful with that. The photos, locations, dates and times of everything you are doing tell criminals the same thing. With photos of your children, your spouse, yourself, your family or your friends, make sure that you either clean the metadata off or genuinely don't care if somebody has it; a location at some restaurant where you had dinner is one thing, but photos and discussions of family specifically are among the more dangerous, because they tell criminals who their future targets are. These are the things to avoid, and if you think about it before you click send, in most cases you will. As I said, this is one of the most important ones. I mentioned that I have had personal experience with these issues, and it is about as negative as it can be: home invasions and home robberies that happened because real-time information was posted. Be careful and think it through. It doesn't mean you cannot use social media or have these conversations; just be careful how you have them, careful with your photos and the profiles you create, and careful about sharing any personal information. This is also important to pass on to your kids if you have any. Once again, please think it through before you put a picture up on any social media site, and explain the possible danger to those close to you who are unaware of it, so that nobody gives out real-time data on what you are doing or where you are.
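The metadata discussed at the start of this chapter is Exif data, and the GPS fields sit in a small sub-directory of the TIFF structure that a JPEG carries in its APP1 segment. The Python below is an added example, not code from this book: it walks that structure with the standard library only, reports the coordinates a photo would give away, and strips the whole Exif segment before the file is shared. The JPEG it works on is constructed inline by build_sample_jpeg, a stub that carries an Exif block with a GPS directory but no real image data, so the example runs offline; that builder, its fixed offsets and the coordinates are test scaffolding and an assumption of this example. On real photos you would pass the file bytes to gps_coordinates and strip_exif; in practice a tool such as exiftool or the Pillow library handles the many Exif variants this small parser ignores.

```python
"""Read and strip the GPS metadata embedded in a JPEG's Exif segment (stdlib only).

A minimal JPEG carrying an Exif APP1 segment is constructed inline
(build_sample_jpeg) so the example runs offline; the parsing and stripping
functions work on real files read with open(path, "rb").read().
"""
import struct

SOI, EOI, APP1, SOS = 0xD8, 0xD9, 0xE1, 0xDA
EXIF_PREFIX = b"Exif\0\0"
GPS_IFD_TAG = 0x8825                       # IFD0 entry pointing at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4    # GPS IFD tags used here


def iter_segments(jpeg):
    """Yield (marker, start, end) for each length-bearing segment up to SOS.

    Assumes the usual layout: every segment between SOI and SOS carries a 2-byte
    length; the entropy-coded image data after SOS is not walked.
    """
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]   # length includes itself
        yield marker, pos, pos + 2 + length
        if marker == SOS:
            return
        pos += 2 + length


def find_exif(jpeg):
    """Return (segment_start, segment_end, tiff_bytes) of the Exif APP1, or None."""
    for marker, start, end in iter_segments(jpeg):
        if marker == APP1 and jpeg[start + 4:start + 10] == EXIF_PREFIX:
            return start, end, jpeg[start + 10:end]
    return None


def _read_ifd(tiff, offset, fmt):
    """Return {tag: (type, count, raw 4-byte value-or-offset field)} for one IFD."""
    count = struct.unpack_from(fmt + "H", tiff, offset)[0]
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(fmt + "HHI", tiff, pos)
        entries[tag] = (typ, n, tiff[pos + 8:pos + 12])
    return entries


def gps_coordinates(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if no GPS data."""
    found = find_exif(jpeg)
    if found is None:
        return None
    tiff = found[2]
    fmt = "<" if tiff[:2] == b"II" else ">"          # byte order from the TIFF header
    ifd0 = _read_ifd(tiff, struct.unpack_from(fmt + "I", tiff, 4)[0], fmt)
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(fmt + "I", ifd0[GPS_IFD_TAG][2])[0], fmt)
    if not {LAT_REF, LAT, LON_REF, LON} <= set(gps):
        return None

    def decimal(ref_tag, val_tag):
        off = struct.unpack(fmt + "I", gps[val_tag][2])[0]   # 3 RATIONALs stored out of line
        d, m, s = [num / den for num, den in
                   (struct.unpack_from(fmt + "II", tiff, off + 8 * i) for i in range(3))]
        value = d + m / 60 + s / 3600
        return -value if gps[ref_tag][2][:1] in (b"S", b"W") else value

    return decimal(LAT_REF, LAT), decimal(LON_REF, LON)


def strip_exif(jpeg):
    """Return a copy of the JPEG with the entire Exif APP1 segment removed."""
    found = find_exif(jpeg)
    if found is None:
        return jpeg
    start, end, _ = found
    return jpeg[:start] + jpeg[end:]


def _dms(value):
    """Decimal degrees -> [(deg, 1), (min, 1), (sec * 10000, 10000)] RATIONALs."""
    v = abs(value)
    d = int(v)
    m = int((v - d) * 60)
    s = round(((v - d) * 60 - m) * 60 * 10000)
    return [(d, 1), (m, 1), (s, 10000)]


def build_sample_jpeg(lat, lon):
    """Constructed sample (assumption of this example): SOI, Exif APP1 with a GPS IFD,
    a stub SOS and EOI. Not a decodable image; it only exercises the functions above."""
    fmt = "<"
    gps_ifd_off, data_off = 26, 80   # header 8 + IFD0 18 = 26; + GPS IFD 54 = 80

    def entry(tag, typ, count, value_bytes):
        return struct.pack(fmt + "HHI", tag, typ, count) + value_bytes.ljust(4, b"\0")

    ifd0 = (struct.pack(fmt + "H", 1)
            + entry(GPS_IFD_TAG, 4, 1, struct.pack(fmt + "I", gps_ifd_off))
            + struct.pack(fmt + "I", 0))
    gps = (struct.pack(fmt + "H", 4)
           + entry(LAT_REF, 2, 2, (b"N" if lat >= 0 else b"S") + b"\0")
           + entry(LAT, 5, 3, struct.pack(fmt + "I", data_off))
           + entry(LON_REF, 2, 2, (b"E" if lon >= 0 else b"W") + b"\0")
           + entry(LON, 5, 3, struct.pack(fmt + "I", data_off + 24))
           + struct.pack(fmt + "I", 0))
    rationals = b"".join(struct.pack(fmt + "II", n, d) for n, d in _dms(lat) + _dms(lon))
    tiff = b"II" + struct.pack(fmt + "HI", 42, 8) + ifd0 + gps + rationals
    app1 = (bytes([0xFF, APP1]) + struct.pack(">H", len(EXIF_PREFIX) + len(tiff) + 2)
            + EXIF_PREFIX + tiff)
    sos = bytes([0xFF, SOS]) + struct.pack(">H", 2)
    return bytes([0xFF, SOI]) + app1 + sos + bytes([0xFF, EOI])


if __name__ == "__main__":
    sample = build_sample_jpeg(37.7749, -122.4194)
    print("before:", gps_coordinates(sample))
    print("after: ", gps_coordinates(strip_exif(sample)))
```

strip_exif removes the whole APP1 block rather than only the GPS directory. That also discards the camera model, the capture timestamp and any embedded thumbnail (a thumbnail can itself show the scene you cropped out of the main image), which is the safer default when the goal is to share a photo.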
Chapter 14 Comprehending Outside and Inside Threats to Businesses

Whether or not your company uses social media to promote the business, it faces the same threats you do, so it is important to think about this whether you are responsible for the company's social media or are simply using personal social media while at the company, and to be aware of the things that affect the business. That is what we look at in this section. We wrap up with the risk to a business from hackers, what hackers will try to do to the business, and then what employees might do, which is where both businesses and employees can be surprised. We also talk about what businesses can do to be more proactive in preventing these attacks, about the security teams a business has and how they stay ahead, and about some of the tools a business can use, both as countermeasures and as ways of preventing, or at least reducing, the chance of the different types of attacks. Let's start with the risks to a business from hackers. Businesses, in a lot of ways, are like people and face the same threats from hackers that we discussed. It is easier for hackers to target specific groups, and if a business uses social media as part of its social networking policy, it creates some of those groups through communities, community activities and community support, so it becomes easier to find all of the people a hacker may want to target for a specific reason. Businesses face the same attacks you face: malware, viruses, phishing and social engineering. Put that in perspective: we just finished talking about very severe personal attacks, and businesses are subject to the same things. They are also subject to misrepresentation, which we talked about earlier; businesses that use social media well can at least try to fight some of it. But misrepresentation, unauthorized posts and unauthorized images can be a whole different issue. It could be on the company's Facebook page, on Instagram or on other social media sites: unauthorized posts pretending to be from the business, unauthorized images, products that don't exist. These can get customers excited, and then the business has to come back and say, "hold on a second, there is something wrong here!" Unauthorized links and websites are where a lot of malware comes from: if links in the business's social media have been altered or replaced by hackers, a user of those links thinks they are going to a trusted site but is clicking on a link that delivers malware. Businesses have to be careful and maintain their sites to make sure nothing is being modified by cybercriminals.

How is a business affected by its employees' use of social media? The same way you are affected personally; everything we have discussed about what you shouldn't do applies to the business. Non-business social media can cause malware infections. That is why a lot of businesses don't allow personal social media while you are at the company, and they don't just mean while you are at your desk working, they mean at all. The reason, as you now know, is that you might accidentally do something that gets malware onto a company system, or accidentally share information about the company that you were not authorized to share. They simply don't want those personal sites there because of the risks involved. It can get more complicated for the business, depending on what employees are doing. Here is an example: a risk to the business is the accidental release of confidential information. An employee, and this has happened several times, may accidentally release information about a future project, perhaps even using its code name: "we have the Datacentre Project and it's going to be released sometime in December." That information was confidential and shouldn't have been released. Worse is an employee improperly releasing information about a breach of data. Think about it: say the company has had a security event that affects customers. A business that already participates in social networking will have a representative, just like a press representative, who crafts what the message should be. The message explains what the breach was and what customers should do, and it maintains the customers' confidence so that they keep doing business with the company. An improper release has the opposite effect: it drives customers away and they lose trust in the company, and that loss of trust may not be founded, because you could probably still trust the company for the measures it has taken, but you wouldn't know that from the improper release. Misrepresentation, even on employees' personal sites, has a negative impact. Maybe an angry employee had a bad day and goes out and says something nasty on his social page about his boss. Not only is it ethically and morally wrong to do that publicly, it affects the company, because now they have to do something about that message. Is the message spreading? Is it being changed and altered in a negative way? It is one thing if it was between you and three of your friends and nobody else knows about it, but has it gone public? If you used social media, it went public. Unauthorized posts and images, unauthorized links and websites, unauthorized information about the business that misrepresents it: all of that is a challenge for the business. Similarly, never give hackers employee-specific information. "Jack and I went out to lunch today. Jack works in the IT department, I work in accounting." That is more information than you want them to have. A cybercriminal now knows that Jack is in IT, that Jack probably has a valuable password and an account that grants elevated access, and so I, the attacker, am going after Jack. You just gave me the information I needed to start planning my attack. Don't do that. The rule is this: unless you are being paid by the company to talk about the company on social media, don't ever talk about the company on social media. That is the best practice, and it falls within the ethics and morals of most companies and of the people who work with us.

How a company protects itself varies with the tools it wants to employ and the activities it carries out. Is it doing social networking activities? Defense in depth we have discussed before in this book, but here is what a company is trying to protect: its data, and specifically its confidentiality, meaning only authorized users get to the data; its integrity, meaning the data is not altered or, if it is, we know who did it and what they did; and its availability, making sure the data needed by customers or consumers, which includes employees, is there when they need it. To protect this, a company employs what's called a defense in depth strategy. At the core is the data, surrounded by multiple tools, techniques and processes that protect it. No one thing solves the whole problem; multiple techniques and tactics together reduce the ability of an attack to affect what we refer to as the CIA triad: confidentiality, integrity and availability. Companies have security teams. Not all companies have them, but most do. Those security teams do detailed risk analysis and assessments, and they do this on the known social media sites and the types of attacks that occur from
Chapter 15 Introduction to Phishing

As with any attack, the reason you care about this is the possible loss, or even corruption, of your confidential data; your credit cards are a good example. You just don't want anybody to have that information. This can affect your business as well; it's not just personal. Your business can be tricked into giving out information that causes financial loss and, when customer information is released, customer-related problems. There is also the personal impact, where giving out too much information to someone can cause you financial loss or identity theft, and recovering from that can be pretty severe. Security is everyone's responsibility, and the particular attack we are talking about, phishing, comes directly to you. Both personally and at the business, you have a direct role in preventing it. Businesses need to prevent all kinds of attacks, not just phishing, and they have to be able to respond when an attack happens. One thing most businesses will try to do is educate employees on how to help prevent these attacks, and once you finish this book you will be able to recognize and stop this type of attack. Businesses also need to notify both employees and customers if there is a data breach of some kind, which is part of the challenge of dealing with it. Phishing is a strange name, and we will define what phishing is, but you may also hear other names alongside it. One is vishing, pronounced with a 'v' sound as opposed to the 'f' sound of phishing. Vishing is voice phishing: the same trick delivered over a phone call rather than email (the text-message variant is usually called smishing), and I'll give you some examples. There are also more advanced phishing techniques with names you will hear, and I have a couple of them here for you. One is more targeted and is called spear phishing, and another that is aimed at your upper management is referred to as whaling; we will look at all of these as we move through. First of all, phishing is all about stealing your money. It is not just about getting information; it is about using that information to remove funds from you or your business. We will look at how these attacks can affect you personally and what an attack looks like. Likewise, we will talk about attacks on the business, which work pretty much the same way and put you in the same jeopardy. We will look at the master plan for preventing phishing attacks; this is one area where you can be the clear winner, or leader, in being able to prevent them. And if all else fails, we cover whom to report one to if it occurs. We are now going to focus on phishing. Phishing attacks affect the confidentiality of your data and the integrity of your data, which is a big challenge for a business. We will focus on phishing in particular and on how people can steal your secrets.
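Chapter 16 walks through the tells of a phishing email: a spoofed sender, a link whose visible text does not match where it really goes, pressure phrases that play on fear or greed, and an attachment that drops malware. As an added example that is not part of this book, the Python below checks a raw email for exactly those tells with the standard library only, in the way a mail filter or an analyst's triage script would. The two sample messages are constructed here (their addresses use the reserved example.com, example.net and example.org domains), the phrase and attachment lists are assumptions chosen for illustration, and the two-label domain comparison in registrable() stands in for a real public suffix list.

```python
"""Score a raw email message for the phishing tells discussed in this chapter.

Standard library only. Two messages are constructed inline (SAMPLE_PHISH,
SAMPLE_BENIGN) so the example runs offline; pass any raw RFC 5322 message as
bytes to analyze().
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases that play on fear, greed or the urge to help (assumed list).
PRESSURE_PHRASES = ("immediately", "avoid delays", "approve the transaction",
                    "verify your account", "account will be suspended", "act now")
# Attachment types that can run code when opened (assumed list).
RISKY_ATTACHMENTS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two DNS labels: 'login.bank.example.com' -> 'example.com'.

    Assumption for the example; a real tool would consult the public suffix list.
    """
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _domain_of(address):
    return registrable(address.rsplit("@", 1)[1]) if "@" in address else ""


def analyze(raw):
    """Return {'findings': [...], 'verdict': ...} for a raw message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = _domain_of(parseaddr(str(msg.get("From", "")))[1])

    # 1. Spoofing tell: replies or bounces are routed to a domain other than "From".
    for header in ("Reply-To", "Return-Path"):
        other = _domain_of(parseaddr(str(msg.get(header, "")))[1])
        if other and other != from_domain:
            findings.append(f"{header} goes to {other}, not the From domain {from_domain}")

    # 2. Link tell: the text you see is not where the link actually goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            target = registrable(urlparse(href).hostname)
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
            if shown_host and "." in shown_host and registrable(shown_host) != target:
                findings.append(f"link text shows {shown_host} but points to {target}")
            elif from_domain and target != from_domain:
                findings.append(f"link points to {target}, not the sender's domain {from_domain}")
        text = re.sub(r"<[^>]+>", " ", text)       # drop tags before phrase matching

    # 3. Psychology tell: urgency, greed or a plea for help in the wording.
    lowered = " ".join(text.split()).lower()       # collapse line breaks inside phrases
    findings += [f"pressure phrase: '{p}'" for p in PRESSURE_PHRASES if p in lowered]

    # 4. Payload tell: an attachment type that executes when opened.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENTS):
            findings.append(f"risky attachment: {name}")

    verdict = "likely phishing" if len(findings) >= 2 else "no strong indicators"
    return {"findings": findings, "verdict": verdict}


# Constructed sample messages (reserved example.* domains; not real senders).
SAMPLE_PHISH = b"""From: Your Bank Alerts <alerts@yourbank.example.com>
Reply-To: support-desk@secure-login.example.net
To: jack@example.org
Subject: Transaction approval required
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Jack,</p>
<p>A deposit of $10,000 is pendng. Please access your account to approve the
transaction to avoid delays:
<a href="http://yourbank.example.com.secure-login.example.net/session">https://www.yourbank.example.com/login</a></p>
</body></html>
"""

SAMPLE_BENIGN = b"""From: Jane Doe <jane@example.org>
To: jack@example.org
Subject: Lunch tomorrow?
Content-Type: text/plain; charset=utf-8

Still on for lunch tomorrow at noon? Jane
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, analyze(sample))
```

The link check is the one worth copying: it compares the registrable domain of the href with the domain shown in the anchor text, which is precisely what hovering over a link in a mail client lets a human do. Misspellings, the other tell the chapter describes, are deliberately not scored here, because a dictionary check produces too many false positives on ordinary mail.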
Cybercriminals will try to get information from you and use that information to steal your money. This happens to both you and your business, and the attack works pretty much the same way in both cases. You wouldn't intentionally give anyone corporate confidential information or your private information, like your credit cards, but that is the scam. Attackers are very experienced in the human condition, and they play upon your emotions: your wish to help people, your fear and desire to stay out of trouble, even your greed. They play on those to lure you into handing information to someone you didn't think was out to harm you, and that is the idea behind a phishing attack. In this section we look, overall, at what you are trying to protect: what does it mean to give up your data to someone else, what are you giving up, and what can go wrong? This applies to both you and your business. We also look at the challenge you and your business face in trying to protect your data, and at the general fix that works against many attacks. Then we dive into phishing itself. Let's start with giving up your data. Before we get into the specifics of what a phishing attack looks like, remember that many attacks are about gaining access to data you don't want people to have. Anything you want kept confidential, your banking information, credit card information, medical records, Social Security number, any personally identifiable information, known as PII, can be used to steal money from you or steal your identity. The same information can be used against a business, so many of these attacks affect your business as well as you, and they can sometimes be prevented in the same way. This data is stored on many different devices, so think about it both at the office and at home: data on your desktop machine, laptop, phone or tablet, and especially on the externally connected devices people forget about, such as USB sticks holding your data and backups. There are evil people trying to get access to that data, and you don't want them to have it. The challenge for us and for a business is that new weaknesses and exploits are discovered continually; every day brings a new exploit you may need to know about or may be affected by. Old weaknesses also go unfixed, and we will talk about that when we get to prevention: updating your operating system and keeping your anti-malware up to date. Because systems are not updated to close those weaknesses, you can be hit by old stuff as well as brand new stuff, and that is part of the challenge. It is a constant daily flood of attacks. The other problem is that a lot of businesses and people don't focus on security at all. They don't think about the information they give out over the phone or through email, or about where their confidential data is located, so part of the challenge is that nobody is paying attention. Then there are insufficient policy requirements. In security we look at policy requirements: passwords, logging for the integrity of data, training employees and users. If that is lacking, if you never received training from your security team on how to prevent certain attacks, like the one we focus on here, phishing, you may not have known how to help prevent it, and that is one of the challenges. What are the fixes? The fix is you. You are the primary one, especially for phishing, who can discover the attack, stop it and alert somebody about it. You hear it often in security: everyone is responsible for security. There are critics who say it is always the users' fault, and that is not true; this is complicated and difficult, but you can be a big part of the solution. Keep in mind, too, that people make the hardware and software, people write the code, people administer the security that protects your data, and people are flawed and make mistakes. Other people, attackers, get through and use that against you. The most important part is that you can spot when something goes wrong. You won't see everything, but with something like a phishing attack you might be the first one in your organization to notice it, so you can spot it, recognize it and stop it. That is how we want to look at things going forward. We want to make sure you are not giving up any data you wouldn't normally give to someone you trust, and "trust" is the important word; that is where the challenge lies, because cybercriminals will try to convince you to give up that data so they can access your accounts and steal money. The fix, quite frankly, is what you are doing right now: learning about the different types of attacks, how to recognize them and how to prevent them. Let's get into more specifics on phishing. You may not have experienced a phishing attack yet, but it is almost certain that you will. Don't take it personally; it probably wasn't directed at you specifically. In fact, that is not how a phishing attack works. Think of going fishing with a rod and reel: you put bait on the hook and cast it into water where there are thousands of fish, hoping to lure a couple of them, a small percentage, to bite so you can have dinner. That is a phishing attack. A hacker sends a pretty much generic message to a large group of people, hoping it gets someone to take action. The better the message, the more strongly it makes someone feel the need to act, whether from a wish to help, from fear or from greed, the better the lure. The game is to get you to take action and give up information, so that you end up losing money; it is bad all the way around. Here is what we look at. First, a reminder of the CIA security triad and what we are trying to protect against phishing. Then, what a phishing attack looks like: what an attacker wants from you, and, if you get an email, how you start to work out that it is not a good email but a phishing email. There are also more advanced attacks to mention: vishing, the same attack carried out over a phone call rather than email, and the more advanced phishing techniques called spear phishing and whaling. Let's start with the CIA triad. The CIA triad is what a security professional thinks about when thinking about your information or data and how to protect it. It covers three primary aspects of protecting data: confidentiality, meaning only people who are authorized can access your data; integrity, meaning the data hasn't been altered or corrupted without your knowledge; and availability, making sure the data is there when you need it. There is also a fourth aspect, privacy, which usually concerns personally identifiable information such as your Social Security number or driver's license. What we are focused on is protecting your data in these four ways. However, I want
to point somethi
Chapter 16 Phishing, Social Engineering & Vishing

A more formal definition: a phishing attack is any hacker or dishonest person trying to get you to disclose sensitive personal or organizational information through some deceptive means. Another definition calls it a digital form of social engineering. Social engineering has a book of its own later in this series that you might want to look at, but phishing is a form of social engineering that presents something that looks like something you should be able to trust, but is not. Often it is an email requesting information that looks like it came from your bank, or that directs you to another location to "authenticate" to your bank, where a rogue website collects your credentials. Those are the formal definitions, and for more definitions of anything related to security you can always visit the glossary on the website of NIST, the National Institute of Standards and Technology, which defines practically every term used in security. Focused on phishing, the question is: what do they want from me, and why are they doing this? We have already started to answer that. They want things like your Social Security number, your phone number, anything to do with your bank account or your credit card numbers. They may simply want you to open an attachment so that they can install malware. If anybody on the street walked up and asked you for any of this, you would never give it out. That is the point: you wouldn't give it out unless you were convinced it was okay, and that is when, as we say, the game begins. I am going to walk through an example of a phishing email and how a phishing email gets constructed: what its key aspects are, how it tries to convince or lure you into doing something, how attackers improve on it, and some other attacks as well. In a well-constructed phishing email you will notice a logo within the body of the email. The logo can look like it is from your bank, Amazon, PayPal, Facebook or really any organization. The email arrives looking as if it came from, let's say, a bank, and addressed specifically to you. Don't be surprised by that; it is easy to come up with your email address. A hacker can buy it from a database or simply scan social media sites, because everybody puts their email address and the company they work for on social media. Then there is a "From" line, and it might say [email protected]. Even if it looks legitimate, never trust a "From" line, because it can be faked; the technique is called spoofing the sender. The body of the message generally opens with a salutation, like "Hi Jack" or "Dear Jack". Look at the message and you will see sentences with misspelled words. If it doesn't read like proper English grammar, that should set off all of your bells and whistles. If it says something like "Please access your account and approve the transaction", or whatever the line is, and gives you a link to click on, DO NOT DO IT. Do not click on hyperlinks within any email, even if it appears to be from your bank, PayPal, Amazon or anyone else you think you trust; hover over the link to see where it really goes, and if you need to check your account, type the bank's address yourself or use a bookmark. They might tell you that $10,000 is about to be deposited in your account; that plays on your greed. Or you might see a sentence such as "Please access your account to approve the transaction to avoid delays"; the attacker is creating fear, suggesting that if you don't act immediately this may not happen and you may not get the money. In general, phishing emails ask for your help, which is another sign that an attacker is playing on your psychology. Maybe you feel the urge to click on that link immediately, but it would be a bad idea. First of all, among the things that are wrong in phishing emails, and that you should notice, are misspellings in the body. That is common in a phishing attack: there will be misspellings and very poor grammar. English is an incredibly difficult language to learn, both its spelling and its grammar, so that is one of the first things that trips hackers up. Another thing is that the link within the email may look dodgy: perhaps it is very long and its wording makes no sense, or perhaps it isn't even from your bank but from another bank you have never dealt with in your life. I personally have received emails from all sorts of banks. Moving on, hackers realize that misspelled, ungrammatical phishing emails are a downfall and that users recognize them, so they are constantly improving. If you receive an email that reads like a proper message and the link appears to point to your bank, you might be thinking, "I can trust this", except for a couple of
things. First of all, your bank or any bank doesn't send emails like this.
Instead, a bank calls you on the phone when they have questions about
transactions. They do this quite often because of potential fraud. So they
call you and verify with you, and then they check to see, or sometimes
they'll say log into your bank account. In other words, you go to the bank
account. It's very rare to get an email from the bank that has a link in it.
Banks just don’t send emails with links to click on for transaction approval.
This alone should make you take a closer look. The next thing to examine is the link in the body of the email. Hover over it with your mouse, or right-click it and look at its properties, and your mail client will show you the address it actually points to. Do not click it; expose it. The visible text of a link is just text, and it can be made to look like your bank's address while the underlying URL goes somewhere else entirely. The question is where the link really goes. Look at the domain and the top-level domain of the real URL. If they are something completely different from your bank's, you are almost certainly looking at a phishing email.

There is a subtler trick to watch for as well. The underlying URL may look very much like the real one, something such as www.BankofAmerika.com. If you glance at it, decide it is fine, and never notice that "America" is misspelled, you can become a victim. Attackers commonly register domains as close as possible to the real one so that people overlook the difference and fall into the trap. It also helps to remember that a domain reads from the right: in a made-up address like www.bankexample.com.verify-login.example, the part that decides where you land is verify-login.example, not the familiar name placed in front of it.

Phishing does not only arrive by email. The same lure can come as a phone call, which is called vishing (the "v" is for voice), or as a text message, which is usually called smishing (for SMS). Both are social engineering, and both are very similar to what you would receive in email. A text will probably lack a salutation. It might say that this is your bank and it needs you to confirm a recent deposit. Everything is spelled correctly, the grammar is good, and the link looks like your bank's. It is harder to check a link on a phone, but the fact remains that a bank does not conduct business this way. Whether it is a person on the phone asking for information or a text message with a link, simply say that you will contact your bank directly, and then do so using a number or address you already know. That way you never expose yourself to their link or to whoever is on the phone. Beyond vishing, there are a couple of other attacks. Spear
Chapter 17 How to Prevent Phishing Attacks

Your business faces the same kinds of phishing attacks that you do. In fact, when the business receives one, it is you, at the business, who receives it, by email, phone or text. The difference is that it is aimed at compromising the organization, and that is what we want to watch for. In this chapter we look at how the data in your business is affected, at some examples of recent attacks against businesses, and at how security is handled inside a company.

Everything the business wants kept confidential, its corporate information, its intellectual property and its customer records, is a target for phishing. Customer data or intellectual property can be sold or used to make money at the company's expense, or simply to disrupt it, and a great many phishing attacks go after companies for exactly that reason. The problem comes straight back to you, because you are the one who receives the email, the call or the text, so your response directly affects the business, just as it would affect you personally. The data the company is trying to protect lives in databases, on servers, on desktops and laptops, on the tablets and phones you use for work, and on external drives and backups. A request to do anything with any of those may be an attempt to compromise that data. The point to hold on to is that the business is just as exposed as you are, but you are the one who receives the attack first, and your response, whether you open the attachment or act on the message, determines whether it succeeds.

Here are some examples of attacks on businesses. A common one is business email compromise. One campaign was mainly a whaling attack, aimed at corporate managers, that asked them to open a PDF attachment called Energy & Industrial Solutions; when they opened it, it installed malware that infected their systems. Upper management was the target, and those who opened the document were infected. Another is known as the Chipotle phish, a spear-phishing attempt sent to Chipotle employees; those who opened the email received malware that compromised the point-of-sale systems at their locations and leaked customer credit card data. Attacks like these become very serious when an employee opens the bait. A couple of other examples: the IRS W-2 tax-season scam is a spear-phishing email that appears to come from executives at your own company, requesting additional personal information so that your W-2s can be prepared properly. It arrives during tax season, in February, March and April, and it is something you might feel confident about at first glance, unless you examine the links or have some way of scanning the attachments. There is also the shipping-information scam, in which a message claiming to be from one of the major carriers asks you to click a link and supply shipping details so that your package can be delivered; clicking the link installed malware. These are the kinds of things your business is up against, and they can affect you both at work and at home.

You might think you are alone in this, that you are the only line of defense against phishing at work and at home, but your business has some extra protection going for it. Most businesses have trained security experts, probably in a security department, who have already put tools and other products in place to reduce vulnerabilities and attacks, phishing included. You may have to look around your company to find where those security professionals sit. They may be part of several different teams, such as the server team, the help desk or the development team, or they may all be grouped into one unit called IT Security. IT Security departments often run employee training, and what they train for is precisely the kind of thing that could hurt the business: you accidentally opening an attachment in a phishing email is exactly what they want to train you not to do. In fact, they may test you to see how well the training has taken. I want to point out an older Gartner report that found that, in a phishing exercise, almost 70% of employees opened the attachment. That is a big problem. The more aware everyone is, the more you can prevent, and the better off the organization is. This comes back to you: you can have a great effect on protecting the organization simply by taking certain precautions, which we are going to look at. The first is what we have been doing all along, learning to recognize that you have received a phishing email, or something that could be one, so that you can notify people and not open the email or its attachment. That is the focus here: protecting your organization, whose data is just as important as your personal data. I gave several examples of businesses that have been attacked, and some of those attacks look fairly innocuous, like a request for your shipping information from a common carrier. But if you do not check the link, if you do not expose what the real link is before you click, you could be exposing the company to malware. There are several ways to prevent this, and prevention is what we look at next. Check with the security people in your company to see whether additional training is available on the measures your business has put in place to protect you and on how to use those tools, and stay vigilant.
Chapter 18 How to Report a Phishing Attack

Not everyone takes the bait. In fact, that is the premise of a phishing attack: the attacker knows that most people will not bite, but a small percentage will, and that is good enough. You are joining the percentage that does not take the bait, because you are starting to recognize what a phishing email or attack looks like. It may still happen, though; you may still open an attachment one day. There are ways to keep that from becoming catastrophic, and that is what we look at here: the preventive measures you can have in place. At your business there are security teams, they are very proactive, and there is a lot to learn from them, so I want to describe some of the things they do. Then we will look at the specific phishing countermeasures available to you, and at some general countermeasures against all sorts of attacks.

Let us start with the security teams as the proactive part of your organization. You are not alone in this fight, and there are good examples to take from the office. Your organization's security teams work to prevent not only phishing but every type of attack, and you can learn from them to protect both the business and yourself at home. First, a professional security team always performs a risk analysis and assessment: determining what equipment they have, hardware and software, what vulnerabilities exist in it, and whether controls are in place to protect the environment from attack. They carry out vulnerability scanning, and they do testing, such as penetration testing, or pen testing. One exercise in particular that I want to call out is the mock phishing attack. It is not meant to offend you; think about it from the company's point of view. They want people to learn how to avoid phishing, because it is a very common attack and one through which an employee can expose the company to serious harm. So alongside user training, the IT or security department will sometimes test it. They send everyone an email built with all the components of a phishing email, and they track how many people open it, click the link or open the attachment. That gives them a percentage: how likely is it that an actual phishing attack will hit us? Do not be offended by this; it is a very important thing to measure. Companies often follow such a test with additional, specific employee training, and that is a great opportunity to learn things that protect not only the business but you. Remember, the more you learn about phishing, the better protected you are at home as well.

Your company also has measures that are less about prevention and more about recovery, about how the business carries on if an attack succeeds: business continuity and disaster recovery plans, so that if data is affected they can restore it and make sure correct data remains available and protected. They also use intrusion detection and prevention systems, together with email filtering at the mail gateway, which can catch phishing messages before they ever reach your mailbox and so eliminate a large share of attacks outright. One of the most important things a security team ensures is that every operating system and application is fully patched and up to date. A common weakness is that old attacks still work against systems that have never been updated to block them. So one of the more important things to do, both at the business and at home, is to keep your operating system and your applications fully updated, so that they carry the latest security patches.
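Here is what the mock phishing exercise looks like on the security team's side, as an added example rather than anything from the book. It mints an unguessable, verifiable link for each recipient, reads the clicks back out of the lure site's access log, and computes a click rate per department. The recipient list, the secret, the log lines and the portal hostname are all constructed for the example. Two details matter in practice and are handled here: mail gateways often pre-fetch links within seconds of delivery, which must not be counted as a human click, and a curious employee may edit the URL to guess a colleague's link, which the HMAC tag makes impossible to forge.

```python
import base64
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Per-campaign secret; a real tool would load this from a secrets store (assumed value).
CAMPAIGN_SECRET = b"replace-me-with-a-random-32-byte-key"

# Constructed recipient list: user id -> department.
RECIPIENTS = {"jack": "finance", "maria": "finance", "ola": "engineering",
              "li": "engineering", "sam": "sales"}


def make_token(user: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Per-recipient token <user>.<hmac-tag>, URL-safe. The tag stops anyone from
    forging or enumerating other people's links, and lets the report verify clicks."""
    tag = hmac.new(secret, user.encode(), hashlib.sha256).digest()[:12]
    return user + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_token(token: str, secret: bytes = CAMPAIGN_SECRET) -> Optional[str]:
    """Return the user id if the token's tag is genuine, otherwise None."""
    user, _, _tag = token.rpartition(".")
    if not user or not hmac.compare_digest(make_token(user, secret), token):
        return None
    return user


def lure_url(user: str, base: str = "https://training-portal.example/l/") -> str:
    """The link that goes into the simulated phishing email sent to this user."""
    return base + make_token(user)


# Combined-format access log line for a hit on the lure path.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /l/([^\s"]+) HTTP/[\d.]+" \d+')


def parse_clicks(log_lines, secret: bytes = CAMPAIGN_SECRET):
    """Yield (user, time, client_ip) for every genuine lure click in an access log."""
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, when, token = m.groups()
        user = verify_token(token, secret)
        if user is None:
            continue  # forged, mistyped or enumerated token: not a real click
        yield user, datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z"), ip


def campaign_report(recipients, clicks, sent_at, scanner_grace=timedelta(seconds=30)):
    """Per-department click rate. A person who clicks twice counts once, and a hit
    within scanner_grace of sending is attributed to a mail-gateway link scanner
    pre-fetching the URL, not to a human (a common false positive)."""
    clicked, scanner_hits = set(), []
    for user, when, ip in clicks:
        if user not in recipients:
            continue
        if when - sent_at <= scanner_grace:
            scanner_hits.append((user, ip))
            continue
        clicked.add(user)
    report = defaultdict(lambda: {"sent": 0, "clicked": 0})
    for user, dept in recipients.items():
        report[dept]["sent"] += 1
        report[dept]["clicked"] += user in clicked
    for dept in report:
        report[dept]["rate"] = round(100 * report[dept]["clicked"] / report[dept]["sent"], 1)
    return {"by_department": dict(report), "clicked": sorted(clicked),
            "scanner_hits": scanner_hits}


# Constructed log from the lure site; the campaign went out at 09:00.
SENT_AT = datetime.strptime("10/Mar/2020:09:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
ACCESS_LOG = [
    # the mail gateway's scanner fetched jack's link 5 seconds after delivery
    f'203.0.113.9 - - [10/Mar/2020:09:00:05 +0000] "GET /l/{make_token("jack")} HTTP/1.1" 200 512',
    f'198.51.100.4 - - [10/Mar/2020:09:41:12 +0000] "GET /l/{make_token("jack")} HTTP/1.1" 200 512',
    f'198.51.100.4 - - [10/Mar/2020:09:41:30 +0000] "GET /l/{make_token("jack")} HTTP/1.1" 200 512',
    f'198.51.100.7 - - [10/Mar/2020:10:02:44 +0000] "GET /l/{make_token("ola")} HTTP/1.1" 200 512',
    # someone edited the URL to guess a colleague's token: the tag does not verify
    '198.51.100.7 - - [10/Mar/2020:10:03:10 +0000] "GET /l/maria.AAAAAAAAAAAAAAAA HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/Mar/2020:10:03:11 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]


def run_example():
    return campaign_report(RECIPIENTS, parse_clicks(ACCESS_LOG), SENT_AT)
```

For the constructed log, run_example() reports jack and ola as the two people who clicked (jack's two clicks count once, and his 09:00:05 hit is listed under scanner_hits rather than counted), the guessed maria token is discarded, and finance and engineering each come out at a 50% click rate with sales at 0%. The scanner grace period is a heuristic; a more robust approach records the gateway's source addresses and user agents and excludes those explicitly.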
Chapter 19 Phishing Countermeasures

The good news is that you can work towards preventing phishing attacks both at your business and at home. You can reduce them, but you cannot prevent them completely, and I want to be clear about that. We usually talk about mitigating the risk as best we can: nothing can be prevented 100%, but you can sharply reduce how often it happens. Your business does this in a couple of ways, as I mentioned in the last section, and you can take some of the same measures home.

The first is to install and use antimalware. You probably have this software installed and running at your office, where the security team makes sure it is up to date and scans periodically. It examines things like email attachments, so you want the same protection at home. Whether at the office or at home, antimalware needs three things: it must run periodic scans of your disk for files that are infected or that carry a malware payload; it must be updated so that it has the latest malware definitions; and it must be set to scan all your email attachments. Remember, a lot of phishing attacks arrive by email with attachments that install malware when opened. Antimalware can find those before you get to them, and it should be able to clean and quarantine what it finds.

Second, if possible at the organization and certainly at home, always have a backup. This is your last resort. If you click on a phishing email, open the attachment and it installs ransomware, then unless you want to pay somebody in Bitcoin in the hope of getting the key to unlock your data, you will have to fall back on that backup. Keep it current, and keep a copy that is not permanently connected to the computer, because ransomware will encrypt any drive it can reach.

Third, both at home and at the organization, keep the latest patches and updates applied to your operating system and to your applications.

That leads to some general countermeasures. User awareness is among the most important. In an organization, many security departments keep people informed through something called a threat board, which lists the current types of attacks, what they look like and what to expect from them. If your company's security team maintains a threat board, it is worth checking to see what phishing attacks are currently circulating, so that you are aware and do not fall into the trap. A security department will also want to train users about phishing and other threats, and may run mock phishing campaigns to see how well the training is taking hold. When it comes to training, it helps to look at the most recent types of phishing attack, because the newest ones may carry a zero-day exploit, something nobody has seen before and that antimalware cannot yet recognize, so keep an eye on the news. Training should also cover how to run your antimalware effectively: how to schedule its periodic scans, how it gets its updates, and how to confirm that it is configured to scan all your email.

There are other security practices you can adopt as well, beyond keeping your antimalware up to date, and some of them are simple. If somebody calls you and says they are from your bank, you do not have to take that at face value; you can call the bank back on its published number. Whatever the organization and however they contact you, feel free to say, "No, let me contact you directly," and then do so, so that nobody on the phone, in a text or in an email can bait you into something harmful.

The focus here has been on how the organization protects itself through its security teams and how you can work with them to protect the organization. But many of the same techniques come home with you: antimalware, backups, patching and good everyday practice. Read the email and ask whether it looks suspicious. If it is a phone call or a text message, contact the company back directly rather than giving any information over the phone or by text.
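The attachment scanning described above, reduced to its essentials: an added example (not the book's code) that reads a message with Python's standard library and decides, for each attachment, whether it is safe to open and why not. It looks at what the file really is (its leading bytes), not just what it is called, and catches the classic tricks of the phishing attachments in this chapter: an executable renamed to .pdf, a double extension like invoice.pdf.exe, and a macro-enabled Office document. The message built by build_sample() and its attachments are constructed for the example; the SHA-256 is there so that a file can be checked against malware intelligence feeds without uploading it.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# What the leading bytes say a file really is, regardless of its name.
MAGIC = {b"MZ": "windows executable", b"%PDF": "pdf",
         b"PK\x03\x04": "zip container (office document or archive)",
         b"\xd0\xcf\x11\xe0": "legacy OLE office document"}
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                  "hta", "ps1", "lnk", "iso", "img"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xlam"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def identify(data: bytes) -> str:
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Decide whether one attachment may be opened, and record every reason not to."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind, reasons = identify(data), []
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable or script extension .{ext}")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXT:
        reasons.append(f"double extension .{parts[-2]}.{ext} hides the real type")
    if kind == "windows executable" and ext not in EXECUTABLE_EXT:
        reasons.append(f"content is a Windows executable despite the .{ext} name")
    if ext in MACRO_EXT:
        reasons.append("macro-enabled Office document")
    if kind.startswith("zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names, reasons = [], reasons + ["zip container is corrupt or disguised"]
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("Office document carries a VBA macro project")
        inner = [n for n in names if n.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXT]
        if inner:
            reasons.append(f"archive contains executable content: {inner}")
    verdict = "block" if reasons else "allow"
    if kind == "legacy OLE office document" and not reasons:
        verdict = "review"  # old .doc/.xls can embed macros; open in Protected View only
        reasons = ["legacy OLE format can embed macros"]
    return {"file": filename, "type": kind, "sha256": hashlib.sha256(data).hexdigest(),
            "verdict": verdict, "reasons": reasons}


def triage_message(raw: str) -> list:
    """Triage every attachment of a raw message. The SHA-256 lets you check a file
    against malware intelligence without sending the file itself anywhere."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [triage_attachment(part.get_filename() or "(unnamed)", part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def build_sample() -> str:
    """Constructed shipping-scam message with four attachments: a harmless PDF, an
    executable renamed to .pdf, a double-extension executable, and a macro document."""
    msg = EmailMessage()
    msg["From"] = "shipping@carrier-notice.example"
    msg["To"] = "jack@example.org"
    msg["Subject"] = "Shipping information required"
    msg.set_content("Please open the attached documents to confirm your shipping details.")
    msg.add_attachment(b"%PDF-1.4\n%fake\n", maintype="application", subtype="pdf",
                       filename="label.pdf")
    exe = b"MZ\x90\x00" + b"\x00" * 60
    msg.add_attachment(exe, maintype="application", subtype="pdf", filename="statement.pdf")
    msg.add_attachment(exe, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(docm.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="order.docm")
    return msg.as_string()
```

Running triage_message(build_sample()) allows label.pdf and blocks the other three, each with the specific reason: statement.pdf because its content is a Windows executable whatever its name says, invoice.pdf.exe for both the executable extension and the double extension, and order.docm for the macro-enabled extension and the embedded VBA project. The "review" verdict for legacy OLE documents reflects a real judgement call: old .doc and .xls files can carry macros but are also still legitimately in use, so a gateway typically sandboxes or opens them in Protected View rather than rejecting them outright.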
Chapter 20 How to Report Phishing Attacks

So what if you fall victim to a phishing attack? Or what if you are not a victim, because you noticed the attack and did not open the attachment or click the link, but want to tell somebody that it is going on? The answer is that at both the company level and the personal level there are actions you can take when you notice a phishing attack. In this section we look at how to report a phishing attack to your business, how to report a personal attack to the companies involved, and, in the worst case, how to report it to the FBI.

Let us start with who to tell at the business. If you see something, say something. That is the routine to follow, both at work and at home. Many businesses have a procedure for reporting possible attacks, so if you notice a phishing email the question is: what is the procedure at your company, and who do you tell? Sometimes there is a designated security contact, somebody you can approach and say, "I got this email, I think it is fishy, and I wonder what is going on." Sometimes it is a team of security professionals; sometimes it is just the internal IT department or the help desk. The important thing is to know who you are supposed to contact. In the worst case there is no designated contact, and then you simply go to your immediate superior and say, "I think I have noticed an attack, I got a very suspicious email. What do I do? Who do I call?"

This is more important than you may think. You might be the first person at the company to have received this particular phishing email. If you are, and you alert them, they can take action: they can tighten filters on their mail gateway and firewalls, adjust the scanners that inspect email attachments, and send everyone a warning about what they may see and not to open it. Letting somebody know allows further action and prevention. Do not just delete the email and think, "This was addressed to me, they wanted something, but I know it is a scam, so I will delete it." Let somebody know, even if it is only your manager. By reporting it you give the business a chance to act and a chance to warn others, and that is exactly the responsibility every employee should take whenever they recognize something, to help prevent what could be a catastrophic event.

If you are attacked at home, through your personal email account and aimed at your personal information, who do you report it to? The answer is different, but not surprising: contact the business or agency being impersonated. If you received an attack that claimed to be from your bank, and did not fall for it because you did not open the attachment, you can still call your bank immediately, first to verify that nothing unusual is happening with your account, and second to let the bank know about the attempt. Contact the bank, the doctor's office or whoever is affected, for the same reasons you would notify your company: so that they can take action and send out notices about recent phishing attacks. If you think you have been attacked at home, also make sure your antimalware is updated and run a full scan of your system. Confirm that it scans your email attachments and that it can clean and quarantine, so that you are doing everything you can to contain the attack. If you did fall victim, you will probably need to cancel and replace your credit cards. That is one action you may take, but there is something else worth pointing out. There are third-party identity-theft protection products that monitor your accounts, so that if you fall victim to a phishing attack, or a company you do business with falls victim, they can help limit the harm to your identity and your accounts. There is a lot of argument in the industry about how much value they provide, but beyond knowing what to look for and keeping your antimalware current, subscribing to one of these monitoring services is another precaution you can take.

That leaves who to contact if all else fails. If the impact is high enough, especially with ransomware, you can report it directly to the FBI, whose Internet Crime Complaint Center (IC3) takes such reports online. From an organizational perspective, the security officers at your organization have external contacts, including at the FBI, to call in the event of a major outbreak, so you can go through them.

That wraps up what we have covered in this book. In this section we looked at who to report phishing attacks to: at work, who to tell if you sense or think you have seen an attack; at home, the business involved in the attack, such as your bank, or even the FBI. The important point is to understand what a phishing attack is: a blanket attack thrown out across the internet by email, by text message and sometimes by human phone call, meant to lure you into clicking a link or opening an attachment that installs malware or otherwise captures your personally identifiable information or the company's information. Having seen examples of this, you should be better able to recognize and prevent it going forward.
Chapter 21 Tips to Avoid Phishing Scams

Social engineering is all about compromising humans. We are the soft center of these systems; we are the ones who are so easily exploited, even when excellent digital controls are in place. One of the things we must do is condition the humans: train them to expect these styles of attack and to know how to respond. People are the attack vector, and people are where the work is needed. The problem is that people are not perfect. They are volatile, and you do not always know what to expect from them. On top of that, particularly within an organization, they change frequently: new people come on board and need to be skilled up on what to look for in fending off social engineering. Part of the problem, and one of the reasons social engineering remains such a powerful attack, is that most organizational security training is not particularly useful. Many companies mandate very dry, tedious training: lots of videos or documents, and sign-offs to acknowledge that people have read it, understood it and will indeed ensure they are never socially engineered. Another good example of what many organizations do is security posters. Walk around an organization and you will very frequently see posters saying "Beware of unknown emails and attachments," "Use strong passwords" or "Challenge tailgaters." People see these posters, read them, forget them and move on with life. They become a static prompt on the wall. People's interest is fleeting, and very quickly the posters become white noise. Many of them are not particularly compelling or well thought out, and they have no lasting effect on behavior.

A much better approach to conditioning the humans is to put them to the test. Using a tool like Phish5 to send phishing emails to individuals going about their ordinary jobs in their corporate roles, and then measuring how many of them fall victim, is the way to condition people. Not as a one-off, or on a predetermined date each year when people are expecting it, but now and then on an ad hoc basis, exposing them to social engineering in an ethical fashion and making sure they are resilient to it. Conditioning humans is the best possible way to protect them from the risk of social engineering. One of the best messages you can leave them with is "trust, but verify." That applies to every scenario, from the help desk calling up, to the boss asking for money to be transferred, to someone wanting to follow you through the security gate. It is a fundamental practice, and one of the best things you can leave those vulnerable humans with.

To summarize the countermeasures, we covered a number of them, but some of the key ones were these. Digital controls that mitigate the risk posed by vulnerable humans: browser defenses, the ability to block malicious attachments, and very obvious warnings for potential phishing sites. Access rights, applying the principle of least privilege, which is an excellent example of a digital control: do not give people access to things they do not need to do their job. Destroying records, another crucial one, especially given the risk of dumpster diving: shredders for paper, shredders for electronic media, and destruction of anything no longer needed, while remaining conscious of any data retention requirements. I encourage people to design systems for compromised humans: to expect that people will do the wrong thing, whether unwittingly, because they have been socially engineered or have unintentionally run malicious software on their machine, or because some people are ultimately malicious. Design systems to protect against someone who wants to do damage or gain a financial upside by using your systems in a way they should not. Separation of duties is a perfect example of such a practice; design your systems to encourage that pattern. Multi-step verification is another excellent way of designing for compromised humans. Logging, auditing and monitoring are yet another way of mitigating the risk of a compromised human, even if they cannot eliminate it. And lastly, testing employees: humans need conditioning, not just training via a stock corporate video or some posters on the wall, but practice at fending off these attacks. Running a program such as an ethical phishing campaign, exposing people directly to the types of attack you are there to protect them from, is one of the best things you can do to stop humans falling victim to social engineering.
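The separation-of-duties and multi-step-verification controls just described, applied to the business email compromise scenario from Chapter 17, as an added example (the staff directory, roles and thresholds are assumptions, not anything from the book). An email "from the CEO" tells a finance clerk to pay a new vendor urgently. The clerk can submit the payment but cannot approve it, a single approval is not enough above the threshold even from the CEO's own account, and a new beneficiary has to be confirmed by a callback made by someone other than the requester on a number already on file. Every decision is written to an audit trail, which is the logging and monitoring control from the same list.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed staff directory and payee list; the threshold is an assumption for the example.
ROLES = {"jack": {"requester", "approver"}, "ceo": {"requester", "approver"},
         "maria": {"approver"}, "ola": {"approver"}}
KNOWN_BENEFICIARIES = {"ACME Supplies"}      # payees verified on an earlier occasion
DUAL_APPROVAL_ABOVE = 10_000                 # amounts above this need two approvers


class PolicyViolation(Exception):
    pass


@dataclass
class Transfer:
    requester: str
    amount: int
    beneficiary: str
    approvals: list = field(default_factory=list)
    callback_verified_by: str = ""
    released: bool = False
    audit: list = field(default_factory=list)

    def log(self, actor: str, action: str, outcome: str) -> None:
        """Append-only trail: who tried what, and what the control decided."""
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, action, outcome))


def request_transfer(requester: str, amount: int, beneficiary: str) -> Transfer:
    if "requester" not in ROLES.get(requester, set()):
        raise PolicyViolation(f"{requester} may not request transfers")
    t = Transfer(requester, amount, beneficiary)
    t.log(requester, "request", f"pending: {amount} to {beneficiary}")
    return t


def approve(t: Transfer, approver: str) -> None:
    """Separation of duties: the approver must hold the role, must not be the
    requester (however senior), and cannot be counted twice."""
    problem = None
    if "approver" not in ROLES.get(approver, set()):
        problem = f"{approver} is not an approver"
    elif approver == t.requester:
        problem = "requester cannot approve their own transfer"
    elif approver in t.approvals:
        problem = f"{approver} has already approved"
    if problem:
        t.log(approver, "approve", f"rejected: {problem}")
        raise PolicyViolation(problem)
    t.approvals.append(approver)
    t.log(approver, "approve", "accepted")


def record_callback(t: Transfer, verifier: str) -> None:
    """Multi-step, out-of-band verification: someone other than the requester
    phones the beneficiary on a number already on file, never one from the email."""
    if verifier == t.requester:
        t.log(verifier, "callback", "rejected: requester cannot verify own request")
        raise PolicyViolation("requester cannot verify their own request")
    t.callback_verified_by = verifier
    t.log(verifier, "callback", "verified")


def release(t: Transfer) -> list:
    """Release the money only when every control is satisfied; otherwise say why not."""
    needed = 2 if t.amount > DUAL_APPROVAL_ABOVE else 1
    blockers = []
    if len(t.approvals) < needed:
        blockers.append(f"{len(t.approvals)}/{needed} approvals")
    if t.beneficiary not in KNOWN_BENEFICIARIES and not t.callback_verified_by:
        blockers.append("new beneficiary not verified by callback")
    t.released = not blockers
    t.log("system", "release", "released" if t.released else "blocked: " + "; ".join(blockers))
    return blockers


def bec_scenario():
    """An email 'from the CEO' tells jack to pay a new vendor 250,000 at once."""
    t = request_transfer("jack", 250_000, "Urgent Vendor Ltd")
    results = {}
    for who in ("jack", "ceo"):  # jack tries himself, then the (possibly hijacked) CEO account
        try:
            approve(t, who)
            results[who] = "accepted"
        except PolicyViolation as e:
            results[who] = str(e)
    results["after_ceo"] = release(t)       # still blocked: one approval, unverified payee
    record_callback(t, "maria")             # maria phones the vendor on a number on file
    approve(t, "ola")
    results["after_controls"] = release(t)  # empty list: every control satisfied
    return t, results
```

In bec_scenario() the clerk's own approval is rejected, the CEO's approval is accepted but the release is still blocked with two reasons, and the money moves only after an independent callback and a second approver. In a real attack the callback is where the fraud surfaces, because the vendor on file knows nothing about an urgent invoice; the code records that the step happened and who performed it, so the audit trail shows exactly which control was skipped if something does go out the door.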
Consider the source. A USB stick you happen to find is not necessarily a pleasant discovery; it may be loaded with malware waiting to infect a PC. An email or text from "your bank" is not necessarily from your bank; spoofing a trusted source is relatively easy. Do not click on links or open attachments from suspicious sources, and these days it is reasonable to treat every source as doubtful. However legitimate an email appears, it is safer to type the URL into your browser yourself than to click a link. Slow down. Social engineers count on their marks hurrying, without considering the possibility that a scammer is behind the phone call, email or face-to-face request they are acting on. If you pause to ask whether the request makes sense, or seems a little suspicious, you are more likely to act in your own interest rather than the scammer's. If it sounds too good to be true, ask how probable it really is that a Nigerian prince would contact you for help. And on the flip side, is your best friend really texting you to post bail while he is in Vietnam? Examine any request for personal information, money or anything else of value before handing it over to anyone; there is a good chance it is a rip-off, and even if it is not, better safe than sorry. Install antivirus or a security suite and keep it updated daily. Likewise, make sure your PC and other devices run the latest versions of their operating systems, and set the OS to update automatically if you can. Running the latest versions of these applications helps ensure your devices are equipped for the most recent threats. Your email software can help too: many email programs filter out junk mail, scams included. If you think yours is not doing enough, a quick online search will show you how to change its settings; the aim is to set your spam filter high enough to weed out as much junk as possible. Social engineering happens both offline and online. Your best defence against these attacks is to educate yourself so that you are conscious of the risks, and to stay vigilant.
