Cyber Security FAQ’s

Tailgating is both a physical cybersecurity challenge as well as a digital one. Many people, most notably company employees, lose sight of that fact. Unauthorized people can access sensitive and proprietary data left unprotected on a desk in a folder or an unattended computer with open data files that remain unlocked during the owner’s absence. Tailgating is aptly named using its most common method of waiting for a card-carrying person to open an unmanned secure entrance and follow them through the door without being challenged for credentials. Once inside the secure area, they can create opportunities to obtain protected data in various ways.

Download files from an unattended online computer to a USB stick
Search an unattended desk for email credentials. Once they have that information, they can go anywhere and access the cloud account of that individual to download data. They only need to be in the secure area of the building for a few minutes.
The unauthorized person can put malware on unattended computers, such as keyloggers, after which they will have your sign-in credentials remotely.

The bottom line is that tailgating is a technique where the bad guy uses someone else’s credentials to gain entry to a restricted or access-controlled area. It’s strictly a socially exploitative method to subvert standard cybersecurity prevention practices. It’s deception because employees fail to ensure no one follows them through an unmanned secure entry point.

Let’s think about some common sense ways to defeat a tailgating operation.

Be aware of every person in the secure space. Do you know them? If you don’t, challenge them and ask what they are there for and whom they are working with that you do know.
Most companies have a common requirement that employees always wear their badges externally. Is there anyone in the secure area that doesn’t have a badge showing? Challenge them, or remind the person you know to wear his badge. You are the cybersecurity first line of defense.
Protect passwords, commonly called cybersecurity hygiene, and various other governance types of controls. Don’t write down passwords. Don’t share passwords and other login information.
Substantial and recurring education of people on what tailgating is and the impacts of not maintaining good cybersecurity practices in the workplace.

In the bigger cybersecurity picture, these practical preventative measures tackle the issue of social engineering controls (policy and procedure) to prevent the compromise of sensitive data.

We face some confusion of terms with spooling as a cybersecurity threat. Spooling is a legitimate computer function used to manage a computer’s input and output operations. It stands for Simultaneous Peripheral Operations On-Line and involves temporarily storing data in buffer memory or spool before processing. Spooling is a means to improve the computer’s operation by ensuring you don’t overload the microprocessor’s ability to send or receive data beyond the rated speed of the microprocessor. Spooling ensures that all the data being sent or received is done efficiently and accurately without crashing the computer.

However, the bad guys know how computers work and can use that knowledge to crash your computer by purposely sending too much data to your machine than your buffer memory can handle. Essentially, the computer loses track of what it’s doing, which creates errors in your operating system (OS), causing various OS subroutines to time out and crash the computer because it can’t execute the assigned tasks. Spooling, as a malicious cyberattack, is also known as a Disk Operating System Denial of Service (DDoS). There are many ways to disable a computer using DDoS techniques. Spooling is a particular version of how to do it. Your IT team assigned to fend off cyberattacks has a problem with this because the attack looks like legitimate traffic is being sent to your computer. It’s not until the traffic exceeds the typical profile of use of your machine for an extended time that they realize an attack is underway. It’s a more complex analysis that has to be detected in real-time to protect your machine against such an attack. The more computers running on the network, the more challenging it is to see the attack at its inception.

Spooling can cause motherboard damage, where the chips that have the memory and operating system are stored, or a data loss will occur because the computer will overwrite the data multiple times to try to process the amount of data coming in. That will corrupt the computer memory requiring it to be restored. The legitimate data trying to make it to your computer will be lost by being overwritten in memory by the false data.

Setting up your machine correctly can prevent spooling attacks. Here are some settings to be managed:
Leverage your spam filter. Spam filters should stop most spoofed emails from entering your inbox in the first place.
Use spoofing detection software. Software such as ARP and IP spoofing is effective for spoofing prevention.
Use a Virtual Private Network (VPN). Using a VPN will allow you to keep your traffic protected via encryption.
Use packet filtering. Packet filtering filters incoming packets and prevents compromised packets from questionable sources.

Security Information and Event Management (SIEM) is a cybersecurity system of record with threat detection, investigation, and response capabilities, often available via a Software-as-a-System (SaaS) cloud-native app. Thus, it is a tool that provides services for your cybersecurity team to prevent your system from being attacked. SIEM software helps security professionals monitor the IT infrastructure and check for real-time anomalies. The key word here is real-time, in that the software already knows your system and its typical performance characteristics and monitors all those key parameters looking for something that doesn’t fit the known performance trends. This is done by centralizing security information from multiple endpoints, servers, applications, and other sources and reacting immediately to any observed cyberattacks. So, the good guys are out there fighting the good fight against those bad actors that would try to harm your system and your company.

SIEM is also a maturing software and must adapt to the bad actors’ new techniques to penetrate your systems. So, it is not perfect. Hackers continuously develop new cyber attack methods, meaning SIEM must mature to counter the latest and already known techniques. It is a monumental task. According to Microsoft and United States government agencies, effective SIEM solutions are cloud-based and leverage artificial intelligence to accelerate threat detection, investigations, and response. In addition, an in-depth analysis of Siem’s extensibility revealed that current SIEM solutions need to improve features such as behavioral analysis, risk analysis and deployment, visualization, data storage, and reaction capabilities to keep up with the market. In other words, it’s not perfect. As long as bad guys are figuring out how to defeat the protections that are developed, we need good guys to counter what they do.

If you’re an IT guy reading this, you must keep up with SIEM developments. It’s a moving target requiring constant upgrades to new versions. Gartner is a non-biased industry resource for emerging technology. It tracks SIEM development and provides reviews, comparisons, and development activity among the vendors with a SIEM product. It’s a great source to see what exists today and what’s planned for tomorrow.

Hashing is a friend of the cybersecurity team. It is a one-way cryptographic process that converts a message you might send a data stream to a peer into a fixed length of code that cannot be reverse-engineered. Thus, anyone that might intercept the data packet while it travels the Internet to its location won’t be able to de-encrypt it, modify it, or in any way be able to figure out what it said. You can pretty well guess what it’s used for. It’s used when storing passwords, verifying file integrity, or creating a digital signature in apps like Acrobat.

Aha, the light just flashed on. It’s an encryption algorithm. Hashing is a one-way process of generating a unique digital fingerprint for data to ensure its integrity. It converts the data to message digest or hash, which is a number generated from a string of text. Encryption, conversely, is converting plain text into ciphertext to protect confidentiality using an algorithmic encryption process. If you know the encryption key, you can reverse the encryption so you can read it. Aha, semantics, you might say. Not so. Let’s just say you must salt the hash before storing the password. Yeah, look it up.

Some examples of hashing algorithms include MD5, SHA-1, SHA-2, and SHA-3. That’s just like a sportscaster covering sports news. The scores tonight were 2-1; 122-117 … SHA-3 (Secure Hash Algorithm 3 is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015, where NIST is the National Institute of Standards and Technology in charge of such things, i.e., a government agency. The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. You were going to ask.

Hashing is an essential tool in cybersecurity as it provides a secure and efficient method of protecting sensitive data. Hey, it’s a good guy tool. Get to know it. If you know what it does and how to use it, you can keep your data safe from people without permission to know what it is.

Endpoint Detection and Response (EDR) is a cybersecurity technology that continually monitors an “endpoint”. Endpoints are devices and peripherals (IOT devices) that are attached to your computer or network and are turned on through either a wired connection or via Bluetooth (wireless).

• Mobile phones
• iPads
• Routers
• External hard drives
• IOT gadgets (multiplying exponentially YOY)

EDR does its job in real-time with immediate reaction to any anomaly. EDR detects threats across your network. EDR analytics investigates the entire lifecycle of the threat, providing insights into what happened and answers the:

• What
• Where
• When 
• How

It stops the detected threat as it happens.

EDR does its job by monitoring traffic on the network as well as at each device endpoint that’s active. The data is collected and put in a database for after-the-fact analysis. Each threat detection event contributes to a more comprehensive analysis designed to discover new threat profiles. The analytic results support:

• Suspicious system-level behaviors
• Contextual information about the threat
• Blocks malicious activity
• Potential remediation methods

EDR is an approach to endpoint protection in which software actively identifies, stops, and reacts to cyber threats. So, what’s the difference between EDR and the standard anti-virus protection? 

EDR and antivirus are both security solutions, but they work differently. Antivirus searches for threats on a device, while EDR monitors a system for unusual activity. EDR can adapt to new threats in real-time, while antivirus looks for similar or exact matches in its malware database. EDR incorporates antivirus and other endpoint security functionality, providing more fully-featured protection against various potential threats. Antivirus is cost-effective for individuals and offers various types of protection, including virus protection, web protection, spam protection, and a firewall. 

One of the drawbacks of EDR is that it can be expensive for organizations to implement. EDR requires significant resources to be effective, including hardware, software, and personnel. EDR can also generate a large amount of data that needs to be analyzed and acted upon. This can be time-consuming and require additional resources.

Data loss prevention (DLP) measures in cybersecurity aim to prevent data from being compromised due to data loss, modification, or erasure. DLP is an internal security solution that uses various software tools to prevent unsafe or inappropriate sharing, transfer, or use of sensitive data.  Some of the best data loss prevention software include Symantec Endpoint Protection, TERAMIND, Kogni, Mailbox Exchange Recovery, SolarWinds, and Check Point. However, as with most cybersecurity solutions, data safeguarding starts with rigorous and well-thought-out policies and best practices within the corporate workforce. To be totally practical, the software tools must work across the boundaries of the local server where data will be stored, cloud-based locations where on-premise data is typically backed-up and stored, and at the endpoint devices where employees are accessing the data. No DLP strategy is bulletproof and requires extensible administrative policies that accompany what the software tools take care of.

1. Security awareness training is the first order of the day. The employee must protect passwords and credentials. Passwords must be strong, meaning they must use capital letters, lowercase letters, numbers, and special characters, making them random. Your user ID should be well-thought-out, avoiding using your company email address. Passwords should be changed routinely, typically every six months. Sharing or writing down your credentials is a bad thing. If you’re forgetful, use secure password storage software to store it.
2. Security policy and best practices should include no sharing of credentials. The company should also create a database permissions matrix that limits who can download data, who can only read data, and who shouldn’t have access at all. That’s called a “least privilege” default policy.

Cybersecurity DLP efforts aim to mitigate data breaches and loss, either accidentally or because the system was hacked (stolen credentials are a primary way). If the bad guys happen to steal the credentials of someone without database access, they get nothing.

Smishing is phishing that uses SMS or MMS text messages to deceive victims into giving sensitive information to a disguised attacker. Smishing can be assisted by malware or fraudulent websites. Both mobile users and enterprise security are at risk. Enterprise security that doesn’t have endpoint monitoring can be caught off guard. Remote workers that bring their own devices (BYOD) don’t play well in adhering to company policies.  

Smishing attacks can take many forms. Here are some examples of smishing attacks:

• “You’ve won!” messages
• Company-wide texts asking everyone to log in or update their password
• “Your favorite candidate needs your support” messages
• “Shocking news headline” messages
• “Sign-in alert, tap link” messages
• “Track your package” messages
• Messages that ask you to provide information to a government agency

The dark and the ugly of smishing:

1. It’s practically an unknown cyber threat to most people. Less than 35% of people can tell you what smishing means. See this ProofPoint report.
2. It’s a very profitable money-grab game for the bad guys. We’re talking billions of $ and Euros.
3. In its many forms, social media is again proven not to be your friend. Smishing attacks are on the rise exponentially. 
4. One favorite scheme is to exploit the two-factor authentication (2FA) by redirecting you to fake login pages or even intercepting your one-time password prompt and sending it to a device they control.
5. Smishing is insidious in its approach, using local phone numbers to gain your trust or even spoofing numbers you recognize.

The list of methods is long and scary. You’ve probably been victimized and don’t even realize it. Anti-virus can help, but you’re mostly on your own using sound judgment and good decision-making.

Here are some tips to protect yourself from smishing attacks:

• Do not respond to suspicious messages.
• Call your bank directly if you receive a message that appears to be from them.
• Do not click on links within messages.
• Never share your password or MFA code.
• Slow down; never act in haste.
• Please report it to your IT team. They are the people in the know that are on your side.
• Be vigilant; look for signs of common smishing messages.

Spear phishing is an attack that uses email or other electronic communications to deceive a specific individual or organization into divulging sensitive information, downloading malware, or performing other actions that benefit the hacker. Spear phishing messages are addressed directly to the victim and use personal data or additional information specific to their targets to make their deception more convincing. Spear phishing is a cyber social threat that’s mind play meant to con you into doing something you probably wouldn’t under normal circumstances without thoroughly checking out the story being spun. The tactic requires the hacker to carefully plan and use personal knowledge about you that can be obtained from your public social media postings, resume postings, and online profiles you create. Spear phishing is a specific sort of phishing threat, the broader term used for less sophisticated efforts to attack a wider audience of more general knowledge needed to hack electronic files or gain access to sensitive data. Smishing is a specific term for phishing SMS and MMS messages using similar tactics on your smartphone.

Spear-phishers use a range of tactics to make their emails appear legitimate, sometimes even legitimate science practices. Common tactics include personalization – attackers will often research their victims and craft personalized messages that appear to come from someone known or trusted to them. Impersonation – attackers will impersonate someone known that the victim will trust. Urgency – attackers will create a sense of urgency in their messages, such as threatening to close an account or take other action if the victim does not respond immediately. In the vernacular of the day, spear phishing is a form of social engineering which, in more everyday language, is a con job. The funny thing about these scams is that they usually fold their cards and melt away into the ether if you call the hacker’s bluff. A good example is if the pressure tactic is to threaten you with arrest when the hacker impersonates a cop or FBI agent, or IRS auditor. They will usually impersonate someone local to where you live. Go to the police station, surrender, and ask the desk sergeant if there is a warrant for your arrest.

What can you do to protect yourself against spear phishing? Well, the first order of business is to keep your wits about you. Ask many questions until you find the point of inconsistency in the story. There will be one. The only one that knows you better than the hacker is you. Of course, the surefire way to defend yourself against spear phishing is to follow the security training provided to you by your company.

• Use email security software.
• Enforce tight password management practices.
• Enforce multi-factor authentication (MFA).
• Encrypt all sensitive corporate data.
• Do regular backups and install the latest security patches, especially if you’re a remote worker using your personal devices.
• Apply the techniques taught to you in your continuous security training.

Coming soon…

Coming soon…

Coming soon…

Coming soon…