The Internet has become a dangerous place in which to do business. To remain secure online, you need to maintain a strong defense on several fronts. Here are tips for defending your email, social networking sites and online bank accounts from hackers.
Spear Phishing attacks that target victims by name have become a serious and sophisticated threat. The emails fabricated by spear phishers may be addressed to a C-level employee or appear to come from a trusted individual within an organization.
The spear phisher's modus operandi involves tricking the victim into clicking on a link leading to a bogus web site. This infected site will secretly install keystroke-logging software designed to record everything the victim types. Once they have stolen credentials such as user names and passwords, spear phishers have been known to suck company bank accounts dry.
As one example, spear phishers identified key employees at companies such as Google and Adobe and then back-tracked to find out the names of their friends. The hackers then compromised the friends' social network accounts and used them to trick the targets into clicking on infected links.
Said Sam Curry, Vice President of RSA:
This is a loud message for the commercial world, which is: wake up, this isn't all happiness and goodness and new business. Doing business on the internet is as risky as sending ships through the Panama Canal.
Here are just a few steps that you can take to protect yourself and your company from spear phishing:
- Be suspicious of any emails requesting confidential information, and verify the request with the company or individual named in the email. Just clicking on a malicious web link can infect your computer.
- Limit the amount of personal information you provide on social networking sites.
- Use strong passwords.
Social Networking Attacks
Identity theft expert Robert Siciliano related how a white hat hacker used Facebook to breach a company's physical security and infiltrate its network. It is a perfect illustration of how employees can compromise themselves and their companies through careless use of social networking.
In the article, the hacker describes stealing the identity of a company employee found on Facebook:
On the day we intended to breach the facility, our guy was dressed in a shirt embroidered with our client's logo, and armed with business cards, a fake company badge, and his laptop. Upon entering the building, he was immediately greeted by reception. Our man quickly displayed his fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within seconds, he was provided a place to sit, connection to the Internet, and a 24×7 card access key to the building. Later that evening, he returned to the empty office building to conduct a late-night hacking session. Within a short period of time, he had accessed the company's sensitive secrets.
Most people drop their guard on Facebook. And why not? After all, on Facebook, you're surrounded by people you "know, like and trust." How could you possibly be in danger with 6 bazillion "friends" to look out for you?
Further Reading: 6 Security Policies You Need
Online Banking Protection
If your company does high value online banking transactions, limit those activities to a secured, stand-alone computer that has no access to email or web browsing. The American Bankers Association now recommends that businesses use a dedicated PC for online transactions.
Cybercriminals are writing malware to create fraudulent Automated Clearing House (ACH) and wire transfers. In order to hijack your transactions, a criminal must first get the malware onto one or more of your company's computers. Infecting a computer is much easier if that computer is connected to the internet or used for email.
In particular, the ABA recommends
commercial banking customers carry out all online banking activities from a stand-alone, hardened and completely locked down computer system from which e-mail and Web browsing are not possible.
To add another layer of protection, consider implementing "locked down computing" for your online transactions.
Devices such as IBM's ZTIC (Zone Trusted Information Channel) are designed to protect online bank customers from a "man in the middle" attack. In this scenario, an attacker intercepts an online transaction as it occurs and redirects funds to a fraudulent account.
The ZTIC is a smart card reader that attaches to a computer used for online banking. During a transaction, it bypasses the web browser completely and establishes a secure connection with the bank. This approach is referred to as "locked down computing" and lets users see exactly how their transaction is being directed. If a hacker attempts to channel funds to a fraudulent account, the user can immediately abort the transaction.
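As an added example (not from the article, and not IBM's ZTIC code), here is a toy model of that confirmation channel: the browser path can be rewritten by malware on the PC, but the confirmation shown on the device is authenticated with a key the PC never holds, so the user sees the transfer the bank will actually execute and can abort on a mismatch. The Transfer type, the function names and the shared secret are assumptions made for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed shared secret: provisioned inside the device and at the bank,
# never present on the (possibly infected) PC.
DEVICE_KEY = b"constructed-device-secret"


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount_cents: int


def encode_transfer(tx):
    """Canonical bytes the bank sends to the device for display."""
    return json.dumps({"payee": tx.payee, "amount_cents": tx.amount_cents},
                      sort_keys=True).encode()


def browser_path(tx, mitm=None):
    """The ordinary web path: malware on the PC can rewrite the request."""
    return mitm(tx) if mitm else tx


def bank_confirmation(received, key):
    """Bank echoes the transfer it is about to execute, MACed for the device."""
    body = encode_transfer(received)
    return body, hmac.new(key, body, hashlib.sha256).digest()


def device_display(body, tag, key):
    """ZTIC-style display: show the details only if the bank's MAC verifies."""
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered or forged confirmation: show nothing
    d = json.loads(body)
    return Transfer(d["payee"], d["amount_cents"])


def run_transfer(intended, mitm=None, forge=None):
    """Full exchange; returns what the device showed and whether it was approved."""
    received = browser_path(intended, mitm)
    body, tag = bank_confirmation(received, DEVICE_KEY)
    if forge:  # malware on the PC also tries to rewrite the confirmation
        body, tag = forge(body, tag)
    shown = device_display(body, tag, DEVICE_KEY)
    approved = shown == intended  # user approves only if display matches intent
    return {"shown": shown, "approved": approved,
            "executed": received if approved else None}
```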
Further Reading: 7 Best Practices for Online Banking Security