The Source March 2020

More documents

Recommendations

Info

CYBERSECURITYThe power ofsocial engineeringWhat is the easiest way to hack a password? Just ask for it! It sounds a bit straightforwardand silly but the most effect way to hack your way into a system is not byexploiting vulnerabilities and use a range of cyber weapons but by tricking peopleinto giving you their logon credentials.Social engineering, in the context of information security, is the psychological manipulationof people into performing actions or divulging confidential information.Hacking emotions using psychologySo, what makes social engineering so effective? The answer lies in how our brainworks. For our survival evolution has wired our brains to be susceptible to severalstimuli namely:Fear - defined as an unpleasant emotion caused by the belief that someone or somethingis dangerous, likely to cause pain or a threat to our wellbeing. This is arguablythe most commonly manipulated emotion in social engineering campaigns as it’s apowerful motivator. Examples of these are warnings that you have been infected witha “virus” or “hacked” and should click here to “solve your computer problems”. Theuser is prompted to act quickly to mitigate the “threat” that is caused by the fake fearstriking message and sometimes even asks to “warn” all his friends and family, thusspreading the fake message exponentially.Greed – our brains are wired for survival, that is why we like to have resources asit enhances our chances for survival. Even back in the stone age hoarding and greedmeant a bigger chance for surviving and reproducing. This emotion is also easilyabused by offering some (fake) reward in return for an action. Examples are fakelottery wins or prizes for acting fast and in essence doing what the attacker asks youto do – click here.Obedience – As people we live in groups, and just as in the animal kingdom thesegroups have some form of hierarchy. Obedience is defined as complying with anorder, request, law or submission to another’s authority. Most people comply withrequest from authority, and usually that is a good idea unless it’s an illegitimate authoritywith malicious intentions. For example, ransomware notes are sometimes disguisedas fines from the FBI because of some “illegal” download or activity. Alsoscam e-mails to instruct CFO’s to wire transfer something urgent for the CEO is acommonly seen.Helpfulness – last but not least, people for the most part are good in nature and thuswant to do good. It’s our instinct for survival of the group that prompts our brain towant to help each other. This is a good thing for obvious reasons but easily exploitedby hackers and scam artists. If you want to get past a security door without an accessbadge for example, just carry an empty box and walk up to the door and there is a bigchance someone will open it for you. Other social engineering scams like forwardinga “warning” to all your friends might actually put them in danger and helps spreadingfake or viral news as well as possible malware.In these cases, perhaps the most useful piece of advice is to stop and consider therequest or correspondence with a clear head and ask whether it could be used in anefarious way before proceeding.The material damage of business email compromise (BEC)According to the 2019 FBI Cyber-crime report, business email compromise (BEC)accounted for 1.8 billion dollars in damages suffered by companies in the US alone,that is over a tenfold of what was lost due to credit card fraud over that same period.A multitude of Aruban businesses also lost tens to hundreds of thousands of florinseach in similar scams last year.20
Paul Eelens - CybersecurityThe reason behind this is that it’s easy, cheap and scalable while the chances of gettingcaught are very slim. Protecting against this for your home or business is luckilyquite doable, some tips include:- Enable multi-factor authentication. Use tokens like google authenticator, sms verificationor others. Nowadays these will only bother you when switching to anothercomputer.- Limit usage of free web-based e-mail accounts and apps. If a product is free, youare the product.- Don’t open emails or attachments from unsolicited senders & set your spamfilterto “high”.- Secure your domain, avoid domain spoofing vulnerabilities.- Double-check the sender’s email address, it might vary slightly, if it does it’s fake.- Don’t overshare online. Anything you put on social media can be used to help thescammers.Hover over links with our mouse to see the real link, if it’s not the domain you wouldexpect, it’s fake.- Always verify before sending money or data. Make it a standard operating procedurefor employees to confirm by phone before paying any invoice sent by mail. Ifbank accounts are changed beware!Social media phishingScams have always been around, even before the internet era. Phishing itself is aform of fraud in which attackers send emails to you posing as a real business to lurepeople into giving sensitive information. Social media phishing is when attackersuse the social networking sites like Facebook, Twitter and Instagram instead of emailto obtain your sensitive personal information or trick you into clicking on maliciouslinks. Hackers love social media because most people use it frequently and it feelslike a trusted environment. This seemingly trusted environment leads to users morelikely to clicking a shared link than if the link had arrived through email.Examples of common social media scams circulating today are:- Fake customer service accounts on Twitter (also known as angler phishing)- Fake comments on popular posts by humans or bots- Fake live-stream videos taking you to malicious websites- Fake online discounts, again taking you elsewhere- Fake online surveys and contestsTips to avoid getting victimized by social phishingThink before you click, there is a reason for the term clickbait. Keep your browsersand apps updated for security reasons. Also review your privacy settings, by defaultthe ones for windows 10 and Facebook are simply awful. Close them down and stopsharing unneeded information to “improve our service”. Never download unsolicitedsoftware or click on popups and look for the lock sign in front of the HTTPS in yourweb browser and make sure the domain is legit. Pay particular attention to shortenedlinks through services like bit.ly or tiny.cc commonly used by scammers.Last but not least, train yourself and your team. Security awareness training is commonpractice nowadays for most companies to reduce the risk of social engineeringattacks.Paul EelensIng. Paul Eelens CISSP, CISM holds numerous top cyber securitycertifications and is responsible for information security at SETARN.V. He is active in several cybersecurity work groups such as anISAC - information security analysis center for national critical infrastructurefor the island of Aruba. Together with the infosec managerat CBA he also volunteers for Cyberschool Aruba to help teachyoungsters the necessary cybersecurity skills.21
Page 2 and 3: Cover & P12InterviewP14InterviewSER
Page 4 and 5: READING ROOMChina’s mishandling o
Page 6 and 7: READING ROOMTHE LONG WALK TO SUCCES
Page 8 and 9: LEGALSO YOU WANT TO BEA DIRECTOR OF
Page 10 and 11: READING ROOMLONG WALK TO FREEDOM‘
Page 12 and 13: INTERVIEWRani VardeArtist and medit
Page 14 and 15: INTERVIEWSportsHallMore than just a
Page 16 and 17: FUTURE ECONOMICSTHE FUTUREOF ECONOM
Page 18 and 19: ASSURANCE & ADVISORYCustoms duties:
Page 22 and 23: ColofonMarch 2020StA Cruz 84Aruba,
Page 24: Sometimes it looks like nothing ish

The Source March 2020

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?