2019 Cybersecurity Wrap-Up

It’s that time of year again. All the major vendors and security watchdogs are finishing up their big data analyses of all the hairy, scary things that went on in the cybersecurity realm in 2019. Lately I’ve been getting some very comprehensive year-end security reports from many of our vendors and business partners, as well as from the FBI’s Infragard.org program.

For the past few weeks I’ve been digging through all the reports, digesting the alphabet soup of acronyms and increasingly complex graphs and charts. If you’ll stick with me for a few minutes, I’d like to share a few of what I think are the key takeaways you need to be aware of for the coming year.

I've gathered the information in this letter from a number of sources. Vendor reports were provided by Sophos, ID Agent, Datto, and Verizon. I also received the year-end report from the FBI's Infragard.org project, which I was verified to join last year. If you would like more information from or about these reports, please give me a call.

 

Ransomware is still a serious threat.

I have some bad news: ransomware is not only alive and well, it’s also in a state of perpetual adaptation. For every strain that the good guys create a blocking strategy for, another strain appears with a new way to bypass security tools. 

How’s ransomware getting in? Most of the time it enters a network by way of a phishing attack, where a phony email is sent with a link or attachment that installs a virus when clicked. Unfortunately, people are still getting fooled into clicking on malicious attachments that look like invoices or shipping documents. Last year, a whopping 94% of malicious software that made it through network defenses got in through email.

 

Spear-phishing...what the heck is that? 

There are actually two types of phishing to be aware of. The first is the general type mentioned above, usually with a generic format sent to a large group of random people. The second and more frightening type is called spear-phishing. In this case, a hacker will do a bit of research on the company they want to attack and create a targeted email that looks like it could be from someone else inside the business. These emails don’t even have to include links; they often just ask for money.

For example, your Accounts Payable person might get an email that appears to be from the owner of the company. The email says something like, “We’re working on a discreet deal with {Vendor/Partner/etc.} and I need you to wire $15,000 to their Escrow account today. Here’s the account information.” At a glance, the email address used does look like it could be from their boss, and the Vendor or Partner listed is a familiar name. The Accounts Payable person goes ahead and wires over the money—straight into a hacker’s account.

Spear-phishing emails can be very convincing, and there is plenty of incentive to carry them out since only a few of the attacks need to be successful for a hacker to make a bunch of money.

 
 

This is why we are giving you FREE Dark Monitoring...we want to protect you. 

Now, here is where the exposed credential problem gets personal—do you know if your data was exposed in the Google data breach? How could you find out? How would you know what all was exposed? What about past breaches which have exposed things like usernames and passwords?

 

This is why we provide DarkWeb monitoring. We’ve already started to see the results of this breach as the data makes its way through the DarkWeb, and we’ve seen the results of plenty of other breaches before. Our DarkWeb ID helps us find out which accounts have been compromised so they can quickly be secured.

An exposed account usually just needs a new password. But if you’re using the same password on multiple sites, then you might have far more compromised accounts than you think. Most people use the same two or three passwords for every site they visit, putting them at heightened risk of a data breach. That’s where password management services like MyGlue come in. You’ll be getting more information from us about MyGlue in the near future, and since data breaches don’t seem to be going away anytime soon, I cannot recommend this service to you enough.

In Conclusion

So what does this mean for your business in 2020? Cyberattacks show no signs of slowing down, and if you want to protect your business there are two policies you must prioritize. First, spend more time teaching your people how to spot a fake or questionable email. Second, adopt a proper password management policy for yourself and your staff.

 

Doing these two simple things will help protect you from the majority of cyberattacks that I expect will be aimed at you in the coming year.

As we roll into 2020, you can rest assured that we’ll continue to pore through all the information we have at our disposal in order to gear our services and strategies towards protecting your business. We’re serious about our commitment to security, and we’re on this.

Exposed credentials are how the bad guys get into your business. 

Credentials being exposed on the internet is a problem that has been around for a while, but it only seems to be getting worse. Just this past October an unsecured server appeared on Google’s cloud infrastructure. It contained 4 terabytes of personal information—things like home and cell phone numbers, and the basic personal information associated with social media profiles from sites like Facebook, Twitter, and LinkedIn—all tied to email addresses. Approximately 1.2 billion records (yes, that’s billion with a “B”) were open to the entire world.

Why does this matter? Well, many companies today make their money by aggregating information into large databases that people can then pay to access for advertising purposes. Just about everything you do online today, every search, every site you visit, every like on Facebook is recorded, compiled, and analyzed so that online retailers can successfully target you with ads. That’s why you might search for snow tires one time and spend the next two weeks looking at tire ads on every website you visit.

Now, you may love or hate these targeted ads, but what you should really be concerned about is how unconcerned the folks who use this data seem to be about protecting it. Take the Google breach. Someone pulled a huge amount of this aggregated data out and just left it sitting on an unsecured server.