CyberSecurity 101 (1)
Ransomware is a form of malware that encrypts a victim's files. The attacker then demands a ransom from the victim, promising to restore access to the data upon payment.
Nov 2018
Media Prima Berhad was attacked by ransomware, and the attackers demanded 1000 bitcoin (RM 26.46 mil) from the company to restore access to its data.
Source: https://www.thestar.com.my/news/nation/2018/11/13/media-prima-hitby-ransomware-hackers-demand-rm26mil-in-bitcoins-says-report/
Aug 2019
Binance, a cryptocurrency exchange based in Malta, became the victim of a ransomware attack, and the attackers demanded 300 bitcoin ($3.5mil) in exchange for their database.
Dec 2019
Travelex took all its computer systems offline after the company's systems were infected with Sodinokibi ransomware, and the attackers demanded $3mil to remove the ransomware.
Source: https://www.bleepingcomputer.com/news/security/sodinokibiransomware-hits-travelex-demands-3-million/
Source: https://cloudlytics.com/a-walk-through-the-key-cybersecurityincidents-in-2019/
Protect yourself from ransomware!
Use reputable antivirus software and a firewall.
Do not download from untrusted sources.
Do not open untrusted email attachments.
Avoid giving out personal data.
Keep your antivirus updated.
Always back up your data.
EXIM needs to stay alert and aware of threats while carrying on its digital journey. See the infographic below on DLP technology and how it will keep our data safe and secure.
DLP technology helps enterprises minimize data leakage threats and prevent
sensitive information from leaving the confines of the corporate network,
which may occur accidentally or due to deliberate actions. Organizations use
DLP to protect and secure their data and comply with regulations.
COMMON CAUSES OF DATA LOSS
Human Error
Power Outages
Hard Drive Damage
Viruses and Malware
Computer Theft
Software Corruption
Source: https://www.varonis.com/
2019
The data of 7.5 million users on Adobe Creative Cloud was exposed due to an unprotected online database.
2017
Equifax, a credit reporting company, was breached in 2017. The information of 143mil accounts in the US and 400,000 in the UK was exposed. The hackers also stole the credit card numbers of over 209,000 customers.
2009
Heartland Payment Systems suffered a data breach resulting in the compromise of 130 million records.
Source: https://www.6dg.co.uk/
CONSEQUENCES OF LOSING DATA
Losing customers' trust
Financial impact to the company
Penalties by regulatory bodies
Losing competitive edge
Source: https://www.varonis.com/
EXIM needs to stay alert and aware of threats while carrying on its digital journey. See the infographic below on MFA technology and how it will keep our data safe and secure.
MFA is an extra layer of security that requires the user to provide two or
more verification factors to gain access to a resource such as an application,
online account, or a VPN. MFA is a core component of a strong identity and
access management (IAM) policy.
TYPES OF MFA
Something you know (knowledge): Password, PIN
Something you have (possession): Access Card, Smartphone
Something you are (inherence): Fingerprint, Face Recognition
WHY MFA?
Cybercriminals have more than 15 billion stolen credentials to choose from. If they choose yours, they could take over your bank accounts, health care records, company secrets, and more.
Source: https://www.okta.com
MFA is important, as it makes stealing your information harder for the average criminal. The less enticing your data, the more likely that thieves will choose someone else to target.
As Covid-19 turns working from home into the new normal, adapting and
keeping focus on cyber security in all settings is critical. Working from home
exposes both individuals and businesses to a range of cybersecurity risks.
That’s why it is essential to give serious consideration to your home
cybersecurity.
Use Antivirus and Internet Security Software at Home
Antivirus suites take the hard work off your hands by offering automatic
remote work security against a host of threats.
Secure Your Environment
Keep your devices safe and do not allow other household
members to access your work laptops, mobiles and other forms
of hardware.
Use a Virtual Private Network (VPN)
A VPN creates secure, controlled paths for staff to access work-related data remotely.
EXIM has VPN technology, EXIM Virtual Office (EVO), available via the EasyConnect client or a web browser.
Secure Your Home Wi-Fi
Create a strong, unique password, rather than relying on the
automatic password your router came with.
Verify Video Conferencing Link
Ensure meetings are private.
Verify the Video Conferencing link is legit from the sender.
Beware of Email Phishing
Phishing is where staff are baited to click on a link or to download a file. Look out for emails that:
Start with a generic greeting such as "Dear Colleagues".
Have poor grammar and spelling mistakes.
Solicit personal or financial details.
Demand action with a threat.
Come from a misleading domain name.
Please refer to the previous EXIM Cyber Security 101 “Beware of Phishing” & “How to Spot a Phishing Email” topics.
As an employee you are a valuable target for attackers. Follow these safe computing
tips to protect your workplace against the most common cybersecurity risks.
Avoid Phishing Scams
Phishing scams can be carried out by phone, text, email or through social
networking sites.
Be suspicious of any official-looking email message or phone call that asks
for personal or financial information.
Keep Software Up-To-Date
Turn on Automatic Updates for your operating system.
Make sure to keep browser plug-ins (Flash, Java, etc.) up-to-date.
Install Anti-Virus Protection
Only install these programs from a known and trusted source. Keep virus definitions, engines and software up-to-date to ensure your programs remain effective.
Be Careful of What You Click
Avoid visiting unknown websites or downloading software from
untrusted sources. These sites often host malware that will
automatically install and compromise your computer.
Never Leave Devices Unattended
If you need to leave your laptop, desktop, phone or tablet for any length of
time, lock it up so no one else can use it.
Safeguard Protected Data
Keep high-level Protected Data off your workstation, laptop or
phone.
Securely remove sensitive data files from your system when they are
no longer needed.
Always use encryption when storing or transmitting sensitive data.
As soon as you detect anything unusual with your EXIM-issued device contact Helpdesk
immediately. Even if the issue occurs on your personal device, such as your mobile phone,
do let them know that it is a personal device, and they will advise possible next steps.
If a hacker gains access to the office, he or she can access confidential company information through company devices, exposed documents or even by being on the company network, which would be disastrous. We must do our part to prevent physical infiltration.
Do carry your access card with you at all times.
If you lose your access card, immediately report to your security office.
Lock down all laptops, devices and documents.
Do not leave any confidential information, such as a note with your user ID and password, lying around your workstation.
If someone looks unfamiliar or suspicious, do question them.
Do not let any stranger follow you into the office building.
So many accounts, so many passwords. That’s online life. The average person with a typical online presence is estimated to have about 100 online accounts, and that figure is rising. Some accounts are low in priority, and for these we may have neglected password hygiene and fallen into unhealthy habits like password reuse, putting our other accounts in danger in the event of a data breach. Here’s a list of handy Dos and Don’ts to put us on the right track when it comes to password security.
DO
Change your password regularly.
Use a combination of upper- and lower-case letters, numbers and symbols.
Make your password hard to guess.
Make your passwords at least 8 characters long.
Use an extra layer of security with two-factor authentication (2FA).
DON'T
Don't use the same password for multiple accounts.
Don't use the word “password” or any combination of it.
Don't use short and simple passwords.
Don’t share your passwords and don’t put them on a piece of paper.
Don’t use common keyboard patterns like asdfjkl, 111111 or abc123.
Knowing how to classify information is critical given today’s advancing cyber threats. With well over 5,000 data breaches occurring in 2019 alone, including more than 8 billion pieces of data compromised, classifying your information is essential if you want to know how to secure it and prevent security incidents. Information Classification starts with labeling documents with various levels of confidentiality. Each level has a name and is tied to how the information will be used, transmitted and ultimately protected inside and outside of the business.
Public
This type of data is freely accessible to the public (i.e. all employees / company personnel). It can be freely used, reused, and redistributed without repercussions. Examples might be first and last names, job descriptions, or press releases.
Internal
This type of data is strictly accessible to internal company personnel or internal employees who are granted access. This might include internal-only memos or other communications, business plans, etc.
Confidential
Access to confidential information requires specific authorization or clearance. Types of confidential data might include Social Security numbers, cardholder data, M&A documents, and more. Usually, confidential information is protected by laws like HIPAA and the PCI DSS.
Restricted
Restricted information includes information that, if compromised or accessed without authorization, could lead to criminal charges and massive legal fines or cause irreparable damage to the company. Examples include proprietary information or research and data protected by state and federal regulations.
Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data.
Pretexting
The act of creating an invented scenario to persuade a targeted victim to release information or perform an action.
Baiting
Leaving a flash drive containing malicious code in a public place.
Dumpster Diving
Important and private information can be gathered by simply digging through the garbage.
Phishing
Attempting to gather information in the form of pop-ups and websites masquerading as a trustworthy entity.
Delete any request for personal
information or passwords.
Reject requests for help or offers
of help.
Set your spam filters to high.
Secure your devices.
Always be mindful of risks.
Use different passwords for
different accounts.
With so much data stored digitally today, most firms tend to focus their security
efforts on stopping hackers and others from getting in. Unfortunately, our biggest
security risk may not come from the outside, but the inside, in the form of current
and former partners and employees. The best way to prevent a security breach crisis
is to be proactive in following best practices and policies.
Limit Access to Your Most Valuable Data
Keep all records partitioned off so that only those who specifically
need access will have it.
By limiting who is allowed to view certain documents, you can
narrow the pool of employees who might accidentally click on a
harmful link.
Third-Party Vendors Must Comply
Limit the types of documents these vendors can view.
For those companies that are allowed to view your important
data, demand transparency. Make sure they are complying
with privacy laws, don’t just assume.
Use Only Firm-Based Devices and Systems
It is easier to install security measures on firm-owned devices that
can help you locate them or wipe the data if necessary.
Update Software Regularly
All application software and operating systems must be
updated regularly.
Install patches whenever available.
Use Difficult-to-Decipher Passwords
Change your passwords regularly.
Use upper case letters, numbers and special characters when formulating passwords.
Phishing is a type of social engineering attack often used to steal user data,
including login credentials and credit card numbers. It occurs when an
attacker, masquerading as a trusted entity, dupes a victim into opening an
email, instant message, or text message. The recipient is then tricked into
clicking a malicious link, which can lead to the installation of malware, the
freezing of the system as part of a ransomware attack or the revealing of
sensitive information.
Think Before You Click!
Always check the spelling of the URLs in email links before
you click or enter sensitive information.
Verify a Site’s Security
Before submitting any information, make sure the site’s
URL begins with “https” and has a closed lock icon near
the address bar. Check for the site’s security certificate as
well.
Use Firewalls
Firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall.
Be Wary of Pop-Ups
Many popular browsers allow you to block pop-ups. If
one manages to slip through the cracks, don’t click on
the “cancel” button. Such buttons often lead to phishing
sites. Instead, click the small “x” in the upper corner of
the window.
Hackers waste no time, and every time their hacking tactics are exposed, they invent new ones. This time, a user raised the alarm about a new scheme to hack WhatsApp that masquerades as a message from one of your friends. Here we tell you how it works and how you can protect yourself from a possible attack in this app.
WhatsApp Scam
How it works
This new form of fraud begins when the user receives a text message with a 6-digit number on their phone. This supposedly comes from the WhatsApp platform itself.
Shortly after, another message arrives, this time in the app and from the chat of one of their contacts:
“Hi, sorry, I mistakenly sent you a 6-digit code by SMS. Can you transfer it to me, please? It is urgent.”
The first message comes to you because hackers are trying to configure WhatsApp with your number on a new device. Upon detection, the app sends a 6-digit authorization code to your cell phone via SMS.
If you fall into the trap and share this code with your WhatsApp "contact," your account will be hacked.
Source: https://www.digitalinformationworld.com/2021
Protect yourself from WhatsApp Scam
Don’t share your login details or verification code with anybody. Not your closest family or trusted friends.
Set up two-step verification to secure your account.
Be wary of WhatsApp messages requesting money, even if they come from your contacts. If you’re not sure, give the friend a quick call to check.
According to a study by the International Data Corporation (IDC)
workers spend 28 percent of their workweek reading and answering
email. While we try to work faster and more efficiently, we must not
forget the social rules that accompany any form of communication.
Here are some of the dos and don’ts of email etiquette.
DO
Do have a clear and descriptive subject line.
Do use a professional salutation.
Do proofread your message.
Do reply to all emails.
Do keep private material confidential.
DON'T
Don't forget your signature.
Don't use humor.
Don't assume the recipient knows what you are talking about.
Don't shoot from the lip.
Don't overuse exclamation points.
A clean desk policy involves removing any sensitive business information from your
desk everyday. This includes notebooks, business cards and printed documents. A
lot of documents, print outs and notes can pile up in a day!
Making sure these are properly filed or disposed of accordingly is the real aim of a
clean desk policy. This should be combined with a 'clear screen' policy, logging off
every time you are away from your computer.
Clean working spaces lead to productivity.
When one person has a clean desk, it inspires others to clean theirs.
Keeping a clean office space looks good to clients, partners and stakeholders.
Maintaining a clean desk keeps germs and bacteria away. Hence, employees are healthier.
Clean spaces pave the way for improved office security.
Computer workstations must be locked when workspace is
unoccupied and shut completely down at the end of the workday.
Any restricted or sensitive information must be removed from the
desk and locked in a drawer when the desk is unoccupied and at
the end of the workday.
Passwords must not be left on sticky notes posted on or under a
computer, nor may they be left written down in an accessible
location.
All sensitive or confidential information in hardcopy or electronic
form must be secured in the work area at the end of the day and
when you are expected to be gone for an extended period.
The data breach at the credit reporting agency Equifax affected 143 million Americans, giving hackers access to Social Security numbers, addresses, and credit file data. Identity thieves can use this information to destroy your credit, file fake tax returns, collect refunds, and hijack your medical data. The Equifax breach is a reminder that everyone is vulnerable to identity theft. By changing some habits, you can greatly minimize your risk.
Be Less Social
Minimize the amount of data you have on social media platforms. Information like your pet's name or your birth place is sometimes used to recover account logins. Don't give hackers an easy way into your online accounts.
Put Passwords on Your Devices
Make sure to have passwords on all your devices so that a thief won't have instant access to all your data.
Consider using a password management app to create and keep track of them.
Set up Two-Factor Authentication
Make sure Two-Factor Authentication is enabled on all your accounts to protect your credentials from being used by hackers who have stolen a password database.
Don't Give Out Personal Information on the Phone or Through Email or Text
If you get a call, email or text from a retailer, charity or government asking for personal information, there's a chance it's a phishing scam. No matter how real it seems, don't give out your info.
Don't Do Your Online Shopping and Banking at the Local Cafe
Use your own device and a secured network whenever you are doing any kind of transaction.
It’s no secret that the technology we use can make us a target for viruses and cyber attacks if not secured properly. When it comes to mobile device use, there is no manual that comes with a phone to teach the user mobile security. In addition, threats are always evolving and adjusting based on our habits. Refer to this infographic, which includes some mobile security tips to keep your device safe.
Keep Your Phone Locked
Lock the screen with a passcode, pattern, fingerprint or facial recognition.
Lock when idle for 30 seconds - 1 minute.
Set Secure Passwords
Set strong passwords with upper and lower case, numbers and special characters.
Don't reuse the same password.
Keep Your Device OS Up-To-Date
Always update your device's OS once the updates are released.
Connect to Secure WiFi
Beware of networks that aren't password protected.
Use a VPN.
Beware of Downloads
Use verified app stores.
Look at app reviews, recent updates and app ratings.
Don't Jailbreak or Root Your Phone
Jailbreaking or rooting your phone is when you remove the safeguards the manufacturers have put in place so you can access anything you want.
MYTHS vs. REALITY
Myth: A strong password is enough to keep your business safe.
Reality: Two-factor authentication and data monitoring are also needed.
Myth: Small and medium sized businesses aren't targeted by hackers.
Reality: Small businesses made up over half of last year's breach victims.
Myth: Anti-virus and antimalware software keeps you completely safe.
Reality: Software can't protect against all cyber risks.
Myth: Cybersecurity is solely the IT/IS Department's responsibility.
Reality: All employees play a role in keeping a company cybersafe.
Myth: Cybersecurity threats come from the outside.
Reality: Insider threats are just as likely and harder to detect.
Myth: You'll know right away if your computer is infected.
Reality: Modern malware is stealthy and hard to detect.
Myth: Complete cybersecurity can be achieved.
Reality: Cyber preparedness is ongoing, with new threats emerging every day.
Cyber hygiene is a reference to the practices and steps that users of
computers and other devices take to maintain system health and
improve online security. These practices are often part of a routine to
ensure the safety of identity and other details that could be stolen or
corrupted. Much like physical hygiene, cyber hygiene is regularly
conducted to ward off natural deterioration and common threats.
Document All Current Equipment and Programs
All hardware, software, and online applications will need to be
documented. Start by creating a list of these three components:
Hardware - Computers, connected devices and mobile devices.
Software - All programs, used by everyone on a particular
network, that are installed directly onto computers.
Applications - Web apps, applications on phones and any other
program that isn’t directly installed on devices.
Analyze the List of Equipment and Programs
Unused equipment should be wiped and disposed of properly.
Software and apps that are not current should be updated
and all user passwords should be changed.
Create A Common Cyber Hygiene Policy
The newly clarified network of devices and programs will need a
common set of practices to maintain cyber hygiene.
Here are typical items that should be included into a cyber hygiene
policy:
Password changes
Software and hardware updates
Manage new installs
Access management
Backup data
Install Reputable Antivirus and Antimalware Software
Antivirus software is a program or umbrella of programs that scans for and eradicates computer viruses and other malicious software, or malware.
Use Multi-Factor Authentication
Multi-factor authentication adds additional layers of security with
the use of biometrics, like facial or fingerprint recognition, to make
it harder for hackers to gain access to your device and personal
information.
In 2019, Kaspersky’s web antivirus platform identified more than 24 million “unique malicious objects”. This number will only continue to increase and, with it, our need to learn more about potential threats. Malware is any type of software that seeks to do harm or steal information. It’s commonly used to steal personal, financial, or sensitive business information, destroy or lock users out of data, and disrupt operations.
TYPES OF MALWARE
1. Bots and Zombies
Used by hackers to take control of your
computer without your knowledge.
Hackers seek to build botnets, large
groups of computers they control,
which they then lease out to
spammers, extortionists, and others
seeking to commit fraud.
2. Viruses and Worms
Virus: Malware that “infects” other programs and carries out tasks such as deleting files or stealing information.
Worm: Similar to a virus, but it is a program of its own and does not infect other programs. It also self-replicates over a network without any user interaction.
3. Ransomware
Ransomware is malware that finds its
way into your system, blocks access to
your files and data, and demands
payment to restore your access.
4. Trojan Horses
Trojan horses deliver malware code in an innocent-looking email attachment or free download. When the user clicks on the attachment or download, the hidden malware inside the Trojan is transferred to the user’s device. Once inside, the malicious code can execute whatever task the attacker designed it to carry out.
MALWARE PREVENTIONS
Install and run an antimalware application.
Do not execute any program on your computer unless you believe it is from a trusted source.
Never open any emails from unknown senders, especially when they have attachments with the extensions .exe or .vbs.
Regularly install the latest patches available for your operating system.
Do not accept programs sent from instant messaging applications.
When you download any program from Internet websites, always scan it first.