Office/Phishing/Passwords in the workplace

Topics

  • Office security
  • Phishing
  • Password management

Office Security

  1. Access to the office is controlled by a personal ID tag.
  2. If you see someone at the office that you don't recognize, it's OK to ask them who they are.
  3. Don't write a password on a post-it, and don't leave one attached to your screen, desk, or drawer.
  4. Visitors are asked to wait in the lobby until you come to pick them up.

...Remember, I am watching you...

What is Phishing?

Phishing is a type of social engineering where an attacker sends a fraudulent ("spoofed") message designed to trick a human victim into revealing sensitive information to the attacker or into deploying malicious software, such as ransomware, on the victim's infrastructure. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site and to traverse any additional security boundaries together with the victim.

As of 2020, phishing is by far the most common attack performed by cyber-criminals, with the FBI's Internet Crime Complaint Center recording over twice as many incidents of phishing as any other type of computer crime.

https://en.wikipedia.org/wiki/Phishing

Types of phishing

  • Email phishing
  • Spear phishing
  • Whaling and CEO fraud
  • Clone phishing
  • Voice phishing
  • SMS phishing
  • Page hijacking

Email

  • Email is one of the most common and most successful attack vectors on the internet
  • Emails can contain malicious files such as viruses or malware, links to malicious sites, or attempts to coerce or convince you to give away personal or business information
  • Cybercriminals who use email to attack businesses are becoming more and more effective at evading detection

Email Do's and Dont's

  • Always verify the sender of a message (In Gmail - view original)
  • Always hover over web page links (URLs) in email messages to see where they link to – beware URL shortening services (like bit.ly) that may obscure the final website destination
  • Be skeptical of messages with odd spelling/grammar, improper logos, or that ask you to upgrade or verify your account
  • Report suspicious emails to the CISO (or even better, share a screenshot in Slack)

DO

Email Do's and Dont's

  • DON'T Open an attachment from an unknown sender. Consider the source and whether or not the file was expected.
  • DON'T Click on a link from an unknown sender
  • DON'T Email someone your username or password
    • For example: send the username in Slack and the password in WhatsApp, don't add context, and don't use the same service for both parts of sensitive information

DON'T

Examples

Spear phishing

Targeting a specific organization or person with tailored emails, crafted to trick that person into believing the email is legitimate.

Whaling and CEO fraud

Targeting the executive team or a high-profile target directly; the message will be crafted specifically for them. CEO fraud is spoofing an email from an executive to the CEO.

Clone phishing

Clone phishing is a type of phishing attack whereby a legitimate, previously delivered email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical, or cloned, email.

Some of the links are then replaced to point to other sites.

Example:

https://www.discountbank.co.il/

will be changed to

https://www.discountbanc.co.il/
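As an added illustration of the lookalike-domain trick above (example code written for this page, not part of the original slides): a small Python scanner that pulls the links out of a constructed email body and flags hostnames that are one or two characters away from a trusted domain, as well as URL shorteners that hide the final destination. TRUSTED_DOMAINS, URL_SHORTENERS and the registrable_domain helper are assumptions made for the example, not a full public-suffix implementation.

```python
import re
from urllib.parse import urlparse

# Constructed sample lists for this example; a real deployment would use
# the organisation's own allowlist and a maintained shortener list.
TRUSTED_DOMAINS = {"discountbank.co.il", "google.com", "slack.com"}
URL_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registrable_domain(host: str) -> str:
    """Crude registrable-domain guess (hypothetical helper): keep the last two
    labels, or three when the suffix is a two-part ccTLD such as co.il."""
    labels = host.lower().rstrip(".").split(".")
    two_part = labels[-2] in {"co", "com", "org", "ac", "gov"} and len(labels[-1]) == 2
    if len(labels) >= 3 and two_part:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1-2 is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'trusted', 'shortener', 'lookalike of <domain>' or 'unknown'."""
    domain = registrable_domain(urlparse(url).hostname or "")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if domain in URL_SHORTENERS:
        return "shortener"
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return f"lookalike of {trusted}"
    return "unknown"


def scan_email(body: str) -> dict:
    """Map every link found in the message body to its verdict."""
    return {url: classify_link(url) for url in URL_RE.findall(body)}


# Constructed message body mimicking the cloned-email example above.
SAMPLE = """Dear customer, please verify your account at
https://www.discountbanc.co.il/login and see https://bit.ly/3abc for details.
Your statement is at https://www.discountbank.co.il/statements"""
```

Running scan_email(SAMPLE) flags the "discountbanc" link as a lookalike of discountbank.co.il, the bit.ly link as a shortener, and the genuine bank link as trusted.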

Voice phishing

Using an official-sounding recording, produced with a text-to-speech application, to convince people to enter personal credentials.

This is a sophisticated social engineering attack vector.

In Israel, this is very popular with Gama'ch and other types of donation requests: you think you are being approached by a legitimate party while in reality it is a criminal outfit.

SMS phishing

Sending links via SMS (where you can't check the link's actual destination), and thereby hijacking accounts.

Page hijacking

Altering a legitimate site to replace its links or change its actual behavior.

Example

A browser plugin changes the HTML of the Google results page. This is very common in the ad tech industry.

Passwords

Following National Institute of Standards and Technology (NIST) guidelines

  • Length > Complexity
    • Conventional wisdom says that a complex password is more secure. In reality, password length is a much more important factor, because a longer password is far harder to crack if the stored password hash is stolen.

  • Use a password manager (Not the one in the browser)
  • Use passphrases any time the system allows it. Passphrases are much harder for a computer to guess than passwords, and much easier for you to remember.

Google Quiz

A task for everybody

Phishing in the workplace

By Eyal Mrejen