Awareity's Lessons Learned Blog


E-mail Spoof Defeats Technology…Are Your People Prepared?

Posted in Uncategorized by awareity on October 30, 2009

According to news reports, a spear-phishing experiment conducted over the past few days has revealed some disturbing new risks for organizations using enterprise e-mail products and services: most major enterprise e-mail products and services were unable to detect a fake LinkedIn invitation that looked like it was from Bill Gates inviting people to join his professional network. Once the ‘victim’ clicked on the ‘invite’ link, they were sent to the phishing site where information about the ‘victim’ was captured.

The article in Dark Reading detailed comments from the CEO of PacketFocus, including: “I tested the spoofed e-mail on six different enterprise networks using the latest e-mail security technology from most of the major vendors, and not a single one picked up on the spoofed e-mail”.

Why should this story be important to organizational leaders? Your people (employees, managers, board members, partners, service providers, etc.) could be the ‘victim’ if they are not aware of risks and threats that technology cannot prevent.

What can organizational leaders do to proactively prevent risks that cannot be stopped by technology? Because this is a social-engineering attack on people’s lack of awareness, organizational leaders must implement faster, simpler and better tools to help ensure ongoing awareness at the individual level.

This experiment represents a ‘red flag’ for organizational leaders to take immediate action before the next phishing e-mail with a fake link leads to a real threat rather than an experiment.
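The two mechanical checks a reader can apply to an invitation like the one described above (a message whose sender only looks like it comes from LinkedIn, and an ‘invite’ link whose visible text names one site while the link itself goes to another), written out as an added example. This is not code from the original post, from Awareity or from PacketFocus; the `TRUSTED_DOMAINS` set, the `registrable_domain()` helper and the sample message are assumptions constructed for the example.

```python
"""Heuristics for a look-alike invitation e-mail (added example, not Awareity's
or PacketFocus's code). Two mechanical checks: (1) the From: display name
invokes a brand whose domain is not the one the address actually uses; (2) an
anchor's visible text names one host while its href goes to another.
TRUSTED_DOMAINS, registrable_domain() and the sample message are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand's real sending domains (not a real LinkedIn list).
TRUSTED_DOMAINS = {"linkedin.com"}

# Constructed sample: the From: domain and the link target are not the brand's.
SAMPLE_EML = """From: "Bill Gates via LinkedIn" <invitations@linkedin-mail.example>
To: employee@corp.example
Subject: Bill Gates wants to connect on LinkedIn
Content-Type: text/html

<html><body>
<p>Bill Gates has invited you to join his professional network.</p>
<p><a href="http://accept-invite.example/track?u=123">http://www.linkedin.com/invite</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude owner domain: last two labels (assumption: ignores suffixes like co.uk)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def sender_domain_mismatch(from_header):
    """True when the display name mentions a trusted brand but the address domain is untrusted."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    domain = registrable_domain(addr.rsplit("@", 1)[1])
    brand_named = any(d.split(".")[0] in name.lower() for d in TRUSTED_DOMAINS)
    return brand_named and domain not in TRUSTED_DOMAINS


def mismatched_links(html):
    """Anchors whose displayed URL text is on a different owner domain than the href."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown is None:
            continue  # plain-text anchors carry no claimed host to compare against
        target = urlparse(href).hostname or ""
        if registrable_domain(shown.group(1)) != registrable_domain(target):
            out.append((text, href))
    return out


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    if sender_domain_mismatch(msg.get("From", "")):
        findings.append("From: names a trusted brand but uses another domain")
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    for text, href in mismatched_links(body):
        findings.append(f"link shows {text} but goes to {href}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("SUSPICIOUS:", finding)
```

Neither check needs the gateway’s reputation data, which is the point: both are visible to the recipient, so they belong in awareness material as much as in filtering rules. A legitimate invitation passes both (brand domain in From:, link text and href on the same owner domain); the constructed sample fails both.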

UCLA Stabbing Puts Focus on College Students’ Mental Health

Posted in Lessons Learned by awareity on October 28, 2009

Could the stabbing have been prevented?

A recent article discussing the brutal stabbing of a UCLA student in a chemistry lab has raised difficult questions about why disturbed students are allowed to remain at school despite red flags and obvious warning signs.

Since Virginia Tech, campuses across the nation have been working to identify troubled students and potential warning signs of mental illness, violence or other problems. However, identifying red flags and connecting the dots across multiple people (students, faculty, dorm advisors, mental health, law enforcement, etc.) can be extremely difficult and seemingly very complex.

  • Students and faculty members said that the UCLA attacker had exhibited erratic and delusional behavior in the past.
  • One professor notified campus authorities about paranoid and accusatory e-mails the UCLA attacker had sent to him.
  • Other professors made similar individual reports about the UCLA attacker.
  • The UCLA attacker also received counseling at the Student Affairs office.

Were any of these incidents enough of a concern to force the student into treatment? Had each of these dots been connected, could the stabbing have been prevented?

It may be impossible to know for sure, but schools could definitely implement more proactive steps to connect the dots. For example, school leadership should ensure that all faculty, school administrators, school security officers, school resource officers, counselors, parents, and students understand their roles and responsibilities for reporting suspicious incidents and behavioral red flags. Would anyone disagree that prevention efforts are more effective and less expensive than recovery efforts?

Does Your Organization Send PII and PHI Through the Mail?

Posted in Uncategorized by awareity on October 26, 2009

Did you see the story today involving CalOptima (a Medicaid managed care plan), which has notified 68,000 of its members of a potential loss of past medical claims information?

According to CalOptima, the information includes substantial identifying information, such as member names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member identification numbers and even some Social Security numbers.

Do you wonder how many other organizations are sending personally identifiable information (PII) and protected health information (PHI) in packages through parcel carriers?

Do you wonder how many organizations are sending YOUR personal information through the mail?

This story is one of hundreds of lessons learned that can help organizational leaders improve their culture of awareness, their culture of accountability and their culture of protecting personal information. Hopefully this blog and this lesson learned will help organizational leaders take action to prevent future breaches, lawsuits, penalties, fines and the expensive knee-jerk reactions in reputation management that proactive efforts can prevent.

30,000 Hotmail Passwords Posted Online…and growing

Posted in Information Security, Lessons Learned by awareity on October 8, 2009

Did you see the headlines…10,000 webmail passwords were posted online?

Did you see the headlines…20,000 webmail passwords were posted online?

Did you see the headlines…30,000 webmail passwords were posted online?

Where does this end?

The headlines offer valuable lessons learned that every organization should be utilizing to help their people (board members, managers, employees, partners, contractors, vendors, service providers, etc.) to be better prepared for phishing threats and attacks.

The fact that 20,000 or 30,000 people (or more) were socially engineered and gave away their personal webmail password is alarming. So what is your organization doing to make sure your people are not giving away their passwords to organizational mail accounts?

Awareness is vital. Accountability is critical. Lessons Learned must become Lessons Implemented.

Is your organization prepared?

Dr. Phil’s Anti-Bullying Pledges

Posted in Lessons Learned by awareity on October 5, 2009

I recently caught a Dr. Phil segment focusing on bullying in schools…yes, I was watching Dr. Phil!

Bullying in schools is a serious problem that has escalated to include verbal and cyber harassment, physical beatings, social humiliation and death threats. In several cases, the bullying victims have even resorted to suicide to escape the tormenting of their peers.

On the show, Dr. Phil offered insight and advice on bullying targeted at tween girls. Dr. Phil’s web site offers suggestions on how to launch an anti-bullying campaign with pledges for students, parents, teachers and faculty. An excerpt from the Student Pledge is below:

We the students of ______________________________ agree to join together to stamp out bullying at our school.

We believe that everybody should enjoy our school equally, and feel safe, secure and accepted regardless of color, race, gender, popularity, athletic ability, intelligence, religion and nationality.

I acknowledge that whether I am being a bully or see someone being bullied, if I don’t report or stop the bullying, I am just as guilty.

Whether a child is a victim of bullying or just a bystander, there are often several reasons why they are reluctant to tell anyone about it. The child might feel like they will get in trouble if they tell on someone, they may feel threatened by the bully themselves or they may not want to attract any attention. But lessons learned clearly show that if a school does not provide a safe environment, bullying will continue to escalate until it is too late.

What can students, faculty, staff and school administrators do to eliminate bullying in their schools?

Schools need to take proactive steps and implement a comprehensive anti-bullying plan that will connect the dots and ensure that all faculty, school administrators, school security officers, school resource officers, counselors, parents, and students understand their roles and responsibilities for preventing and reacting to a bullying situation. 

Schools also need to provide a simple and easy way for students and faculty to report incidents anonymously. By implementing a secure and anonymous incident reporting process, students and faculty will not feel threatened or intimidated when reporting a bully or suspicious incident. School administrators also need to take proactive steps to ensure they are meeting state and federal mandates such as the Clery Act and others that require numerous types of incidents to be reported and documented.

Because bullying is such a serious topic, please take a few moments to see how Awareity’s unique solutions are currently helping schools address these complex and difficult challenges.  Visit www.awareity.com.

AITP, HRAM, ARMA and more…Connecting the Dots Across Nebraska

Posted in Lessons Implemented, Lessons Learned by awareity on October 2, 2009

Awareity’s CEO/President, Rick Shaw, is planning to share his knowledge and expertise at several upcoming events in the Lincoln/Omaha area. 

October 13 – HRAM Omaha

October 15 – AITP Omaha

November 19 – AITP Lincoln

March 17 – ARMA Lincoln

Previous blog posts and everyday headlines reveal that organizations are struggling to keep up with escalating complexities. So how can lessons learned help organizations keep up more effectively and efficiently?

Rick will discuss real-world examples and case studies to share proven steps organizational leaders can use to implement lessons learned and improve management efforts across all appropriate personnel – no matter how many departments, locations and third-party entities are involved.

To attend any of these upcoming sessions or if you have any additional questions about how your organization can begin implementing lessons learned, please contact info@awareity.com.

Rocky Mountain Bank vs. Google

In this Network World article, a US District Court Judge in California ordered Google to deactivate the Gmail account of a user who accidentally received personally identifiable information. An employee of Rocky Mountain Bank had sent an e-mail to the user’s account in error containing names, Social Security Numbers and loan information of more than 1300 bank customers.

Once the employee realized the mistake, they quickly sent a follow-up e-mail requesting that the recipient destroy the previous e-mail and contact Rocky Mountain Bank as soon as possible. After receiving no reply from the recipient, the bank contacted Google and asked for information on the Gmail account holder, which Google refused to provide without a court order.

On September 25, the court issued a temporary restraining order requiring Google to shut the account down and to disclose whether the account was still active and whether the confidential information had been viewed. Google complied with the order. The bank has confirmed that the confidential message was never opened and that it has now been permanently deleted.

Not sure if I agree with the judge’s decision, but I think everyone can agree that important lessons were learned.  Lessons learned include 1) make sure employees understand regulatory mandates which prohibit the transmission of unencrypted personally identifiable information and 2) make sure employees understand acceptable e-mail usage guidelines and verify the e-mail address or addresses are correct before hitting SEND!

Additional acceptable e-mail usage guidelines and questions to consider before sending any e-mail or other electronic message may include:

  • Who is receiving the e-mail?
  • Does the content disclose proprietary information about my organization?
  • Does the content disclose sensitive personal information?
  • Does the content disclose confidential data about clients, contracts, etc.?
  • Are there statements or accusations in the content that cannot be substantiated?
  • Does the content contain offensive, racist or slanderous information?
  • What would happen if the e-mail was shared, stolen or forwarded to someone else within or outside of my organization?
  • If the e-mail went public, would it have a negative effect on me or my organization?
  • Does the e-mail comply with organizational requirements?

Remember…everyone knows how to use e-mail, but not everyone understands the risks and consequences of using e-mail, so taking time to ensure awareness and accountability can make a huge difference in your bottom-line results.
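Two of the questions above (who is receiving the e-mail, and does the content disclose sensitive personal information) can be asked by software before the message leaves, which is the control that would have caught the misdirected Rocky Mountain Bank message. The following is an added example, not code from the original post or from Rocky Mountain Bank; the allowlisted domain, the SSN pattern and the sample message are constructed assumptions.

```python
"""Pre-send checks on an outgoing message (added example, not Awareity's or
Rocky Mountain Bank's code). It mechanises two of the checklist questions:
who is receiving the e-mail, and does the content disclose sensitive personal
information. ALLOWED_RECIPIENT_DOMAINS, the SSN pattern and the sample
message are constructed assumptions."""
import re
from email.utils import getaddresses

# Assumption: domains that may receive customer data without extra confirmation.
ALLOWED_RECIPIENT_DOMAINS = {"rockymountainbank.example"}

# Shape of a US Social Security number, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")


def find_ssns(text):
    """All SSN-shaped values in the text (a false positive only costs a warning)."""
    return SSN_RE.findall(text)


def external_recipients(*headers):
    """Addresses in To:/Cc:/Bcc: whose domain is not on the allowlist."""
    outside = []
    for _name, addr in getaddresses([h for h in headers if h]):
        domain = addr.rsplit("@", 1)[-1].lower()
        if "@" not in addr or domain not in ALLOWED_RECIPIENT_DOMAINS:
            outside.append(addr)
    return outside


def presend_check(to, body, cc="", bcc=""):
    """Return (ok, reasons). ok is False when the message must not go out as written."""
    reasons = []
    ssns = find_ssns(body)
    outside = external_recipients(to, cc, bcc)
    if ssns:
        reasons.append(f"{len(ssns)} SSN-like value(s) in body; send encrypted or remove them")
    if outside:
        severity = "blocked" if ssns else "needs confirmation"
        reasons.append(f"recipient(s) outside the allowlist ({severity}): {', '.join(outside)}")
    return (not reasons, reasons)


# Constructed sample: the kind of misdirected message described above.
SAMPLE_TO = "J. Doe <jdoe@gmail.example>"
SAMPLE_BODY = """Hi,
Loan details for this week's batch are below.
Customer 1: Jane Roe, SSN 123-45-6789, loan L-001
Customer 2: John Roe, SSN 234 56 7890, loan L-002
"""

if __name__ == "__main__":
    ok, reasons = presend_check(SAMPLE_TO, SAMPLE_BODY)
    print("OK to send" if ok else "BLOCKED: " + "; ".join(reasons))
```

The check deliberately stops the message rather than just warning when sensitive content and an outside recipient coincide; a mistyped address plus unencrypted customer data is exactly the combination that cannot be undone once the mail is delivered.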

Customers vs. Banks – Failure to Implement Adequate Security Procedures?

Two recent headlines caught my attention:

Construction Company Sues Bank for Money Lost in Cyber Scam

Couple’s Lawsuit Against Bank Over Breach to Move Forward

In both of these cases, banks are being sued for not taking adequate precautions that could have prevented cyber thieves from stealing money from the customers’ accounts. The customers claim that the banks did not offer two-factor authentication and also failed to notice suspicious and anomalous behavior. Therefore, the customers are claiming that the banks breached their duty to protect account holder information.

These lawsuits could have significant ramifications and I will be curious to see the final outcome.  Should a bank be held liable in the breach of their customers’ online accounts?

As cyber criminals continue to develop more sophisticated attacks and are constantly finding new ways to target financial accounts, financial organizations will need to show due diligence and work continuously to secure their networks and data with up-to-date data protection measures. Organizations that can’t prove they took adequate measures to protect data will find themselves exposed to additional legal liabilities and reputational damage.

Financial organizations may also need to educate their customers about their efforts to ensure customer data is protected and secured. By maintaining ONGOING compliance with regulations and standards such as FFIEC guidance, PCI-DSS, GLBA and the FACTA Red Flags Rule, organizations can improve their reputation and develop a culture of trust with their customers. Organizations may also want to make a proactive effort to educate their customers on the latest risks and threats and how to implement security best practices. If customers understand the importance of strong passwords, how to recognize a phishing attempt, how to use e-mail securely, etc., they can become a layer of defense rather than a weak link.
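The two controls the customers say were missing (noticing anomalous behavior, and a second authentication factor) fit together: the anomaly score decides when to demand the second factor. Below is an added example of that pairing, not code from the original post or from any bank; the event format, the thresholds, the network key and the event log are constructed assumptions.

```python
"""Anomaly flags on online-banking transfers with step-up to a second factor
(added example, not the original post's or any bank's code). Each account's
own history supplies the baseline: a transfer from an unseen device or network,
to an unseen payee, or far above the usual amount earns a reason; two or more
reasons trigger a second-factor challenge instead of a silent approval.
The event format, thresholds and log are constructed assumptions."""
from collections import defaultdict
from statistics import median

# Constructed event log in time order: (account, device id, source ip, payee, amount).
EVENTS = [
    ("acct-1", "dev-A", "203.0.113.5", "payroll-co", 1200.00),
    ("acct-1", "dev-A", "203.0.113.5", "utility-co", 150.00),
    ("acct-1", "dev-A", "203.0.113.5", "payroll-co", 1250.00),
    ("acct-2", "dev-B", "198.51.100.7", "landlord", 900.00),
    ("acct-2", "dev-B", "198.51.100.7", "landlord", 900.00),
    ("acct-2", "dev-B", "198.51.100.7", "landlord", 900.00),
    ("acct-1", "dev-A", "203.0.113.5", "bookstore", 45.00),         # new payee only
    ("acct-1", "dev-Z", "192.0.2.44", "unknown-payee-1", 9800.00),  # everything new, large
    ("acct-2", "dev-B", "198.51.100.7", "landlord", 950.00),
]


def network_of(ip):
    """Coarse network key: first three octets of an IPv4 address (assumption)."""
    return ".".join(ip.split(".")[:3])


def new_history():
    return {"devices": set(), "networks": set(), "payees": set(), "amounts": []}


def score_transfer(history, device, ip, payee, amount, amount_factor=5.0, min_history=3):
    """Reasons this transfer deviates from the account's history; empty until enough history exists."""
    if len(history["amounts"]) < min_history:
        return []
    reasons = []
    if device not in history["devices"]:
        reasons.append("new device")
    if network_of(ip) not in history["networks"]:
        reasons.append("new network")
    if payee not in history["payees"]:
        reasons.append("new payee")
    if amount > amount_factor * median(history["amounts"]):
        reasons.append("amount far above usual")
    return reasons


def decide_transfers(events, step_up_at=2):
    """Replay events in order; return (account, payee, amount, decision, reasons) per event."""
    histories = defaultdict(new_history)
    decisions = []
    for acct, device, ip, payee, amount in events:
        h = histories[acct]
        reasons = score_transfer(h, device, ip, payee, amount)
        decision = "require second factor" if len(reasons) >= step_up_at else "approve"
        decisions.append((acct, payee, amount, decision, reasons))
        # Only approved behaviour extends the baseline: a challenged transfer must not
        # teach the model that the new device or payee is normal before it passes.
        if decision == "approve":
            h["devices"].add(device)
            h["networks"].add(network_of(ip))
            h["payees"].add(payee)
            h["amounts"].append(amount)
    return decisions


def challenged(events):
    """Just the transfers that would be held for a second factor."""
    return [d for d in decide_transfers(events) if d[3] == "require second factor"]


if __name__ == "__main__":
    for acct, payee, amount, decision, reasons in decide_transfers(EVENTS):
        print(f"{acct} -> {payee:16} {amount:9.2f} {decision} {reasons}")
```

In the constructed log, a single new payee from a known device at a normal amount is approved, while the transfer that is simultaneously from a new device, a new network, to a new payee and far above the account’s median is held for a second factor. Thresholds such as `amount_factor` and `step_up_at` are where a real deployment trades false challenges against missed fraud.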