IT security can be a black box for many, with the risks and protection methods being difficult to understand. I titled this article “IT Security Boogeyman” because some organizations and experts ring the alarm bell about irrelevant threats and/or offer bad recommendations. IT researchers have often identified “the next big threat” only to be proven wrong. When this occurs, it is important to move on and focus energy on threats relevant to your organization’s size and profile. Focusing on every possible threat leads to fatigue, reducing the attention available for protecting against pertinent threats.
One of the Boogeyman threats was recently in the news again: being hacked by an airport or other public USB charging station. This is a theoretical threat, and the urgency is based on the technical simplicity of hacking a cell phone from a charging cable. This attack may seem simple to law-enforcement who warned against it, since they have very expensive equipment allowing them to hack into criminals’ cell phones with relative ease. In real life, this type of attack requires equipment along with the logistics of sneaking a device in and out of a public location. There are scant documented examples of this type of attack, if any. At the end of the day, this alarm only wastes the public’s limited attention for IT security because it is unlikely, and because anyone who wants their phone charged quickly will use their own high-power charging device.
Our next Boogeyman is an oft-repeated security recommendation to use a low-cost VPN when browsing the web. The threat is that web activity can be monitored and bank credentials or other personal data can be stolen. This threat is easy for IT security researchers to execute with their toolset. Hackers have access to similar tools, but executing this type of attack is extremely rare except on public WiFi networks, where it is still rare. Using a low-cost VPN to protect against this threat on public WiFi networks makes people less secure by routing many people’s personal and confidential data through the VPN company, creating a juicy target for attackers. Indeed, several VPN providers have been compromised over the years. Many security experts are now recommending the use of your cell phone hotspot instead of public WiFi to address this threat, because it will connect more reliably and usually provides faster bandwidth.
Understanding which threats pose a risk to you and your organization requires understanding the adversary. Today, most attacks are executed by sophisticated organizations. Often called “gangs,” they operate more like corporations with HR departments, annual reviews and bonuses. As a business, they will minimize risk and investment for the best return. Ransomware is extremely profitable, and can be successfully deployed from Eastern Europe or Asia, where law-enforcement often looks the other way. These factors make other types of attacks costly and risky by comparison. With that in mind, I have outlined the three threats which AT sees attempted most often, and the value to the adversary:
Ransomware
Ransomware is the 800-lb gorilla in the IT security world these days. For the uninitiated, ransomware attackers will lock up all data and systems on a network, demanding a ransom to provide the unlock key. Ransoms can reach into the millions, and are often just a fraction of the cost to restore business operations. There are some critical components to effectively protecting against ransomware. The first is advanced email security filtering. Ransomware most often starts with an email, which either initiates the malware installation process or entices staff to call a human who convinces them to install malware. Email must be thoroughly scanned, including opening and scanning all attachments for malicious scripts. The second critical component is behavior-based security software called EDR, since anti-virus software cannot detect modern ransomware installations. The third critical component for protecting against ransomware is Security Awareness Training for staff. Staff must be cautious about opening attachments, and skeptical of any urgent situation requiring them to call immediately.
For companies not fully in the cloud, Multi-Factor Authentication (MFA) and password policies are also vital to keep outsiders from gaining access and installing ransomware on the network. MFA is crucial for all organizations, but for other reasons.
Stolen Personnel Data
For the majority of companies, the most valuable data in possession of the company is private health and banking data of the staff held in HR files. This data can be compromised in multiple ways. Here are the two most common methods we have seen:
- Mailbox Compromise - This is when an attacker gains access to a staff mailbox by using that staff member's credentials. Here is how it happens: since the majority of businesses use Office 365, attackers try common passwords against an entire company (Password1, Spring2023, etc.) and usually gain access. Another method is to send an email with a link to a fake Office 365 logon page, where staff members accidentally give their password to attackers. Once access to a mailbox is gained, the mailbox can be quickly exported for future searches of personnel data, and then an email is sent out to all contacts in the mailbox, to extend the attack further. One company found that 85% of Office 365 customers had been compromised in this manner during a recent 12-month period. MFA is the best protection against mailbox compromise. Microsoft states that 99.9% of these attacks would have been blocked with MFA.
- Impersonation - The second method used to gain access to personnel data originates with a seemingly authentic email. An email appearing to come from an executive will be sent to a subordinate asking for all recent W-2s (or a member list, or insurance info, etc.). This method has also been attempted for other types of fraud, such as illegitimate wire transfers and the purchase of gift cards. Email security filtering and Security Awareness Training are the best methods of protection against this threat.
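The two methods above each leave a trace a defender can look for: a password spray shows up in sign-in logs as one source failing against many different accounts (so per-account lockout never fires), and executive impersonation shows up in the From: header as an executive's display name paired with an outside sender address. The following is an added example, not code from the newsletter or from AT; it runs both checks over constructed sample data. The log format, the account names, the IP addresses, the executive directory and the domains are all hypothetical.

```python
"""
Added example (not from the newsletter): two defender-side checks for the
mailbox-compromise methods described above, run over constructed sample data.
"""
import email.utils
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records in a hypothetical, simplified format:
# "<ISO-8601 time> <source IP> <account> <SUCCESS|FAILURE>". Real Office 365
# sign-in logs carry more fields; these four are what the check needs.
SIGNIN_LOG = [
    "2023-05-01T08:00:01Z 203.0.113.7 alice@example.org FAILURE",
    "2023-05-01T08:00:05Z 203.0.113.7 bob@example.org FAILURE",
    "2023-05-01T08:00:09Z 203.0.113.7 carol@example.org FAILURE",
    "2023-05-01T08:00:14Z 203.0.113.7 dave@example.org FAILURE",
    "2023-05-01T08:00:18Z 203.0.113.7 erin@example.org FAILURE",
    "2023-05-01T08:00:22Z 203.0.113.7 frank@example.org FAILURE",
    "2023-05-01T08:03:40Z 203.0.113.7 frank@example.org SUCCESS",
    "2023-05-01T09:15:00Z 198.51.100.5 alice@example.org FAILURE",
    "2023-05-01T09:15:20Z 198.51.100.5 alice@example.org FAILURE",
    "2023-05-01T09:15:45Z 198.51.100.5 alice@example.org SUCCESS",
]


def parse_signin(line):
    """Split one constructed log line into (timestamp, ip, account, succeeded)."""
    ts, ip, account, result = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, ip, account.lower(), result == "SUCCESS"


def detect_password_spray(lines, window=timedelta(minutes=30), min_accounts=5):
    """Return {source_ip: distinct accounts failed} for sources that fail
    against at least `min_accounts` different accounts inside `window`.

    A spray tries one or two common passwords across the whole company, so
    per-account lockout counters never trip; the signal is how many distinct
    accounts a single source fails against, not failures per account.
    """
    failures = defaultdict(list)
    for line in lines:
        when, ip, account, ok = parse_signin(line)
        if not ok:
            failures[ip].append((when, account))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {acct for _, acct in events[start:end + 1]}
            if len(distinct) >= min_accounts:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


def accounts_opened_by_sprayers(lines, **kwargs):
    """Accounts that signed in successfully from a source flagged as spraying.
    These are the mailboxes to treat as compromised: reset the password,
    revoke sessions, and check for mailbox exports and forwarding rules."""
    spraying = detect_password_spray(lines, **kwargs)
    hit = set()
    for line in lines:
        _, ip, account, ok = parse_signin(line)
        if ok and ip in spraying:
            hit.add(account)
    return hit


# Constructed directory of executive display names and the organisation's own
# mail domains (hypothetical values).
EXECUTIVES = {"jane doe", "raj patel"}
INTERNAL_DOMAINS = {"example.org"}


def check_executive_impersonation(from_header):
    """Flag a From: header whose display name matches an executive while the
    actual sender address is outside the organisation's domains. Returns a
    reason string, or None if the header passes."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    normalised = " ".join(name.lower().split())
    if normalised in EXECUTIVES and domain not in INTERNAL_DOMAINS:
        return f"display name '{name}' matches an executive but sender domain is '{domain}'"
    return None


if __name__ == "__main__":
    print(detect_password_spray(SIGNIN_LOG))
    print(accounts_opened_by_sprayers(SIGNIN_LOG))
    for hdr in ("Jane Doe <jane.doe@example.org>",
                "JANE  DOE <ceo.office@mail-example.net>"):
        print(hdr, "->", check_executive_impersonation(hdr))
```

On the sample data the spray detector flags 203.0.113.7 for failing against six accounts in under a minute, and because frank@example.org later signed in successfully from that same source, that mailbox is the one to treat as compromised. The impersonation check passes the executive's real internal address and flags the same display name arriving from an outside domain; in practice it would run in the mail filter on inbound messages and quarantine or tag the hit, and MFA remains the control that stops a sprayed password from becoming a usable session.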
Website Attacks
Websites can be enticing targets for multiple reasons: attackers can insert code to send all entered credit cards to another location, attackers can retrieve personal data, or they can simply use the website as an entry-point for installing ransomware. AT has seen all three attempted multiple times. Website security is a comprehensive topic by itself, but two areas we see small organizations overlook are:
- Decommissioning old applications: many associations keep old web applications online without upgrading them. New applications are written with more secure tools and are more secure by design.
- Upgraded Firewall Protection: The newest type of firewall inspects data provided to your application or website, and this type of firewall is often called a Web Application Firewall (WAF). A WAF provides a higher level of protection against traditional hacking methods on websites, often at an affordable monthly fee rather than requiring a large investment in new equipment. AT has been offering a WAF solution for a few years now, due to an increase in malicious web activity.
Extra Credit: Protect your members
Volunteers are often high-profile and/or successful professionals in the field. Their success makes them an appealing target for personal fraud. This is especially true when their contact information is posted online, such as the “Find a Doctor,” “Find an expert” page on your company’s website. AT has seen attackers impersonate association staff to target board members for fraud, as well as attackers impersonating board members to target the general membership for fraud.
Some of the impersonation methods used are difficult or impossible for IT to protect against. The only option to protect your members may be education: alert them to the problem, and provide Security Awareness Training for your board and member volunteers.
Tech For Travel
This spring I was lucky enough to take a trip half-way around the globe to South Korea. My son is spending the spring semester of his junior year in Seoul. I'm not quite sure how he does it but languages come naturally for him. For me, two and a half years of French was all I could handle. This month I thought I would share a few of my travelling technology tips and challenges.
Since I was going to be in a completely different time zone (and on vacation) I had planned on not checking email. So when our network team asked if I needed access I confidently replied...nope! However, about 24 hours into the trip I realized that many of the reservations I had made were under my work email address and the companies were sending me updates and reminders. I quickly shot our team an email (from my Gmail account) and they immediately got me access. Tip - make sure you let your team know if you are travelling out of the country and need access.
I quickly realized that many of the apps I rely on in the States are not as useful overseas (or at least in Korea). Fortunately I had done my research and I had a slew of new apps to guide us on our journey. Papago is a language translation app that is simply amazing. It does many things including voice translation, conversation mode and text translation. My favorite feature was the ability to take a picture and translate and overlay the text at the touch of a button. Cryptic menus were quickly transformed into English so we had "some" idea of what we were eating. Naver Map was my replacement for Google and Apple Maps. It made navigating the huge city easy, including the super-convenient subway system.
These apps would have been absolutely worthless without an internet connection. My son, who is there for four months, picked up a new prepaid SIM card for his phone. Once we had his new Korean number we could easily communicate with him. Since we were there for only a week we opted for a cellular hotspot, which worked perfectly. Our three phones were able to connect seamlessly wherever we were. Using Apple messaging and WhatsApp we were able to communicate easily.
Seoul has a reputation as a high-tech city and our hotel didn't disappoint. Our hotel was a dream for a smart home connoisseur (like me). Blinds, lights, music were all easily controlled from our bedside. The bathroom technology...well we'll save those stories for another day...even the language translation apps didn't help.
If you ever get the opportunity to visit Seoul I cannot recommend it enough. The combination of modern skyscrapers, thousand year old palaces, mountains, friendly people and amazing food makes it well worth the fourteen hour flight.
Congratulations to Alex and Miranda Ramos on the birth of Dakota, who arrived Wednesday, May 24th at 1:21pm. Dakota was the largest of the Ramos boys, weighing 8 pounds, 5 ounces and measuring 20.5 inches. Mom, Dad and big brothers Ayden (6) and Elias (21 months) are loving every moment with their new bundle of joy and also anxiously awaiting the day he sleeps through the night.
Five Years Post-GDPR, Data Privacy Even More Important
Though the European Union’s General Data Protection Regulation went into effect five years ago, organizations are still ensuring they stay compliant and keeping a close eye on any new data privacy legislation that may be down the road.
What People Want Out of Leaders Now
New research suggests that employees want leaders to get back to matters of trust and stability. But don’t buy the idea that empathy is “out.”
We have an archive of our newsletters and industry-related articles available on our website.
JUNE 20, 12:00 PM - 4:00 PM CST
NiUG Partners Product Showcase
Location: Online
Join us as we show you some extraordinary products that can help you and your organization achieve amazing results while using iMIS! This online product showcase will provide you with information on some of the many products that can work with iMIS and RiSE. Come see this showcase to enhance your use of iMIS and help take your offerings to the next level, save you time and stress, and add efficiency to your processes and offerings to your constituents. This online event is complimentary to everyone in the iMIS Community! In fact, it is FREE for members, non-members, iMIS Solution Providers, Consultants and preferred Vendors.
HighRoads Solutions Webinar: AI vs The Human Experience
2023 is seemingly the year of AI. Whether you want to think, talk or ponder the value of AI, adoption and application seems imminent. Did you know, though, that many martech applications already have AI baked into their feature set? Join us as we discuss the value of AI as it seeks to enhance or replace legacy functions, and how digital marketing technology can build trust as humans leverage AI in the right way.
JUNE 22, 5:30 PM - 10:00 PM
Association Forum's Honors Gala
Location: Morgan Manufacturing, 401 North Morgan, Chicago, IL
Get ready to put your best foot forward and join us for our annual fundraising event, the Honors Gala! We're thrilled to invite you to our reimagined annual fundraising tradition in a brand-new, electrifying venue.
JULY 19, 09:00 AM - 4:00 PM EST
Mobile Platforms Demo Day
Location: Online
Join us for the just-in-time virtual Mobile Platform demo day! The event is July 19th and will feature presentations from a limited number of industry partners that offer Mobile Platforms. Mobile experts will be showcasing apps and sharing their knowledge with the association market.
ASAE Annual Meeting & Exposition
Location: Atlanta, GA, US
NiUG International iMIS User Conference
Location: Rosemont, IL
Mark your calendars for the iMIS Annual User Conference! Many of you know it as Discovery; this year the conference will be on August 21-23 instead of later in the Fall. The conference will be in Rosemont, IL, just miles from downtown Chicago.