Symtrex Inc.

Cyber Security Specialist

Call - 866-431-8972 | Send an Email | Request a Quote
Visit Us On FacebookVisit Us On TwitterVisit Us On Linkedin

Almost One Quarter Of Canadians Have Clicked On A Phishing Link

by

TORONTO, March 1, 2018 /CNW/ – Online payment fraud like phishing is a growing trend, and Canadians are worried about it.  According to a new survey conducted by Interac Corp., Canadians are more likely to worry about payment fraud scams like phishing and skimming than home break-ins, vehicle theft and plane crashes.

And, almost one quarter of Canadians say they have clicked on a link that resulted in a phishing scam, while 64 per cent say they have been tempted to click on a link they weren’t completely sure was safe.

“As payment fraud increasingly migrates online through scams like phishing, the continued work we do with our partners to detect and prevent fraudulent activity has never been more important,” said Rob Fodor, Chief Data Scientist and VP of Fraud, Interac Corp. “It’s also why we feel strongly about arming Canadians with the information they need to spot, avoid and report any phishing scams they may come across.”

New-school security awareness training is a must to keep employees on their toes with security top of mind. Find out what percentage of your employees are phish-prone.

Organizations Are Failing To Learn From Phishing And Ransomware Attacks

by

By Stu  Sjouwerman – February 28th, 2018

Warwick Ashford, security editor at ComputerWeekly had an interesting observation after reading CyberArk’s latest cyber threat report:

“Organisations are failing to learn from cyber attacks, and lax security practices are leaving organisations worldwide open to damaging cyber attacks”

“Respondents said the greatest cyber security threats they currently face are targeted phishing attacks (56%),insider threats (51%), ransomware or other malware (48%), unsecured privileged accounts (42%), and unsecured data stored in the cloud (41%).

There is a worrying lack of action by businesses to improve security following an attack across the global technology industry, according to the latest cyber threat report by privileged account security firm CyberArk.

The report also highlights poor practices concerning cloud and endpoint security, and from security professionals themselves, putting sensitive data, infrastructure, assets and even employers at risk.

Every organization has something of value to a cyber attacker, and greater investments in cloud technologies and DevOps processes mean the attack surface is expanding exponentially, and attackers continue to target and exploit privileged accounts, credentials and secrets to accomplish their goals, the report said.

Nearly half (46%) of IT security professionals rarely change their security strategy substantially, even after experiencing a cyber attack, according to a CyberArk-commissioned poll of 1,300 IT security decision makers, developers and line of business owners in seven countries.

This level of cyber security inertia and failure to learn from past incidents puts sensitive data, infrastructure and assets at risk, the CyberArk report said.

The survey also revealed that while 89% of IT security professionals believe securing an environment starts with protecting privileged accounts and more than four in 10 cite it as a top security risk, more than a quarter (28%) are not putting this knowledge into action.

Demands for flexibility

The proportion of users who have local administrative privileges on their endpoint devices increased from 62% in 2016 to 87% in 2018, a 25% increase the report said could indicate that employee demands for flexibility have been allowed to trump security best practices.

The survey findings suggest security inertia has infiltrated many organisations, with an inability to repel or contain cyber threats and the resultant impact on the business.

This inertia is reflected in the fact that 46% of respondents said their organisation cannot prevent attackers from breaking into internal networks every time it is attempted, 36% said that administrative credentials are stored in Word or Excel documents on company PCs, and half admitted their customers’ privacy or PII (personally identifiable information) could be at risk because their data is not secured beyond the legally-required basics.

The report notes that the automated processes inherent in cloud and DevOps mean that privileged accounts, credentials and secrets are being created at a prolific rate. If compromised, the report said these can give attackers a crucial jumping-off point to achieve lateral access to sensitive data across networks, data and applications or to use cloud infrastructure for illicit crypto mining activities.

The survey shows that while organisations increasingly recognise this security risk, they still have a relaxed approach towards cloud security, with half of organisations polled having no privileged account security strategy for the cloud and more than two-thirds (68%) relying on built-in security capabilities.

“There are still gaps in the understanding of who is responsible for security in the cloud, even though the public cloud suppliers are very clear that the enterprise is responsible for securing cloud workloads. Additionally, few understand the full impact of the unsecured secrets that proliferate in dynamic cloud environments and automated processes,” the report said.

Overcoming cyber security inertia, the report said, requires cyber security to become central to organisational strategy and behavior, not something that is dictated by competing commercial needs.

According to the survey, 86% of IT security professionals feel security should be a regular board-level discussion topic, and 44% said they recognize or reward employees who help prevent an IT security breach, increasing to nearly three quarters (74%) in the US.

However, only 8% of companies continuously perform red team exercises to uncover critical vulnerabilities and identify effective responses. Investing in regular red team exercises could help determine where to focus efforts and prioritize risk reduction, the report said.

Rich Turner, European vice-pesident at CyberArk, said cyber attackers are often able to penetrate traditional perimeter defences when targeting organisations that have not moved with the times. This was cross-posted with grateful acknowledgements.

Report: 52% of companies sacrifice security to expedite projects

Organizations can be exposed to vulnerabilities when professionals prioritize a deadline over security, according to research from Threat Stack.

  • 52% of companies admit to cutting corners on security to meet a project deadline. — Threat Stack, 2018
  • 68% of executives said their CEO doesn’t want the security or DevOps teams to do anything that could slow a project down. — Threat Stack, 2018

More than half of companies admit to loosening security measures to expedite projects or meet deadlines, a new Threat Stack report found.

In a survey of over 200 executives, 52% said their company had prioritized a deadline or objective over the firm’s security. The emphasis on speed over security could leave holes in a project, leaving a company vulnerable.

The focus on speed comes from pushback on both sides of a project, the report found. Over two-thirds—68%—of respondents said their CEO asks the DevOps and security teams to not do anything that would slow a project, while 62% said their operations team sometimes fights new security efforts.

The majority of respondents said SecOps is important for their organization, but only 35% said it was a complete or mostly complete project at their company. At 18% of companies, SecOps isn’t established at all, the report found.

“The vast majority of companies are bought-in, but, unfortunately, a major gap exists between intent of practicing SecOps and the reality of their fast-growing businesses. It’s important that stakeholders across every enterprise prioritize the alignment of DevOps and security,” Brian Ahern, Threat Stack CEO, said in the press release.

Most of the challenges come from organizational alignment, the report found, as DevOps and security teams might be operating in different silos.

The discrepancy suggests companies should agree and focus on security to ensure their company remains safe, even under pressure from a deadline or the competition. More at: https://www.techrepublic.com/article/report-52-of-companies-sacrifice-security-to-expedite-projects/#ftag=RSS56d97e7

KnowBe4 Attains SOC 2 Type I Compliance For The Hosted Phishing And Training Product Offerings

by

KnowBe4, Inc, the world’s largest security awareness training and simulated phishing platform, this week announced it has successfully completed a Service Organization Controls (SOC) 2 Type I examination for the hosted phishing and training product lines, which help organizations address the human sources of risk associated with phishing attacks.

Created for entities operating in the rapidly expanding technology and cloud computing sector, SOC 2 compliance is an industry standard in data security compliance. In pursuit of this industry-leading certification, organizations undergo a rigorous analysis that can include the following trust services criteria: security, availability, processing integrity, confidentiality and privacy.

“Achieving this certification demonstrates our continued commitment and investment in larger compliance efforts to exceed enterprise standards and expectations with respect to data security,” said Stu Sjouwerman, Founder and CEO of KnowBe4.

360Avanced, Inc., an independent and qualified security Assessor in St Peterburg, FL, conducted the audit of KnowBe4’s platform, testing the suitability of design of controls, with a focus on security, availability and confidentiality principles in line with strict criteria.

The purpose of SOC standards are to help provide confidence and peace of mind for organizations and their third-party partners. KnowBe4 earned the SOC 2 certification because it has sufficient policies and strategies that are designed to satisfactorily protect their customers’ data.

For more information about KnowBe4’s security practice, visit: https://www.knowbe4.com/security

IBM Discovers Cybercrime Ring Targeting Canadian Businesses

by

November 27, 2017 – www.pymnts.com

IBM X-Force, the cybersecurity intelligence and research unit of IBM, has reportedly discovered a cybercriminal ring operating out of Ukraine targeting Canadian businesses.

Recent reports in Security Intelligence said the criminals are deploying custom phishing attacks against business customers of Canadian banks to gain access to their bank credentials, passwords and authentication codes. The attackers send a spear phishing email to a target with seemingly legitimate contents, including a bank logo.

The emails are sent with PDF attachments designed to hide from detection tools. Analysts said it is possible that the criminals may have first deployed an earlier attack on their targets to learn more about the companies’ account information before launching the PDF-related attack. The PDFs urge readers to synchronize their devices and re-activate with one-time passwords and tokens, while links in the PDF send users to phishing sites.

The scheme is designed to give attackers access to business bank accounts.

According to IBM X-Force, the same attackers have also been operating a separate ring targeting consumers, though cybercriminals have recently been heightening their focus on corporate victims and high-value accounts.

The cybercrime ring identified by IBM X-Force is one of several that have taken to targeting businesses in recent months. Last June, in the wake of WannaCry, Bloomberg reported on another “massive cyberattack” originating in Europe. Investigators found Mondelez International, A.P. Moller-Maersk and BNP Paribas Real Estate to be among the targeted victims.

A research report released in October by Deutsche Bank and Economist Intelligence Unit found cybercriminals are particularly interested in targeting the corporate treasury department, which holds a trove of sensitive company and customer data.

“Sophisticated cybercriminals often use social engineering and insight information to execute high-value thefts via corporate treasuries,” said Deutsche Bank head of cash management Michael Spiegel, in a statement at the time. “Our research has identified serious gaps in corporate defense, including vulnerabilities hidden with third parties and their subcontractors. This gives cybercriminals the opportunity to steal data.”

Many businesses continue to leave their doors wide open to unsophisticated attackers, research shows

by

From Bitdefender – Flip Truta 

New research reveals that cyber-attacks by unsophisticated hackers this year have successfully exploited vulnerabilities that many of the world’s famed businesses were already aware of but did nothing to fix.

Despite upcoming laws that will charge them millions in penalties if found non-compliant, many businesses worldwide continue to neglect standard security procedures.

The latest evidence comes from the 20th annual EY Global Information Security Survey (GISS), which breaks some disconcerting news regarding the willingness of big businesses to beef up security.

While the surveyed companies weren’t named in the report, the research was conducted with the aid of “1,200 C-level leaders of the world’s largest and most recognized organizations.” Here’s what EY found:

Only 56% of those surveyed are changing or planning to change their strategies due to the increased impact of cyber threats. Even though most organizations are spending more on cybersecurity, only 12% expect an increase of more than 25% this year.

Potential damage from a cyber-attack isn’t always immediately obvious, yet 64% say an attack that “did not appear to have caused any harm” would not likely persuade the powers-that-be to spend more on cybersecurity.

Many, however, recognize that lack of adequate resource allocation can increase cybersecurity risks. As many as 20% of respondents admit they do not have enough of a grasp on current information security implications and vulnerabilities to decide what needs to be done.

Cybersecurity budgets are bigger in organizations that place dedicated security officers in key lines of business, as well as in companies that report on cybersecurity to the board audit committee at least twice a year.

However, while 50% report to the board regularly, only 24% say the go-to person with responsibility for cybersecurity sits on that board. Moreover, only 17% of respondents say boards have enough of a grasp on IT security matters to properly assess the effectiveness of preventive measures.

The report also reveals, perhaps most importantly, that common attacks described as “cyberattacks carried out by unsophisticated, individual attackers” have successfully exploited vulnerabilities that many of the surveyed organizations were aware of. According to EY analysts, this finding points to “a lack of rigor in implementing standard security procedures.”

Other findings include:

  • Malware and phishing are regarded as the most prolific threats in the past 12 months
  • Careless, unaware and/or malicious employees are seen as the most significant increasing vulnerability to organizations’ security
  • 75% rate the maturity of their vulnerability identification as “very low to moderate.”
  • 12% say they have no formal breach-detection program
  • 35% describe their data-protection policies as ad-hoc or non-existent
  • 38% either have no identity and access program or have not formally agreed on such a program.
  • 57% of respondents have an “informal” threat intelligence program or do not have one at all
  • just 12% of respondents can confidently say they can detect a sophisticated cyberattack targeting their organization

If you have questions or would like to discuss how to improve your security posture – contact us.