Category: Barracuda

  • Coming to terms with COVID security reality

    A survey of more than 1,100 American workers conducted by PwC suggests the divide between cybersecurity teams and the end-users they are trying to protect has only widened in the wake of the COVID-19 pandemic.

    While most cybersecurity and IT leaders have increased access to cybersecurity training since the bulk of employees suddenly began working from home in March, only 30 percent of employees said their employer trained them on how to secure data, and only 23 percent said their company provided a compelling case for why employees need to have good data security habits.

    Well over a third of respondents (39%) said they find it burdensome and restrictive to comply with all the security guidelines of their organization. Fewer than a third (31%), however, said they are required to authenticate their identity to access corporate networks/data.

    Less than a third (29%) also said their employer provided devices so they could work outside the office without having to employ their personal devices. In addition, more than half (51%) of the Millennials and 45 percent of so-called Gen Zers admitted they use applications on their work devices that their employer has expressly prohibited.

    Perhaps most troubling of all, though, only just over a quarter (26%) of respondents strongly agree that they can escalate a security incident they may have caused without fear of reprisal.

    Increased cybersecurity challenges

    Cybercriminals have apparently taken note of reckless employee behavior. A global survey of 1,000 CXOs conducted by Tanium, a provider of endpoint management and security tools, finds 90 percent have seen an increase in cyberattacks due to the pandemic. The most common of these attacks involved data exposure (38%), business email or transaction fraud (37%), and phishing (35%).

    A full 98 percent of respondents said they experienced security challenges within the first two months of the pandemic. The top three challenges identified are new personal computing devices (27%); overwhelmed IT capacity due to virtual private network (VPN) requirements (22%); and increased security risks involving video conferencing (20%).

    A full 88 percent of respondents also had trouble patching systems, with 43 percent specifically citing difficulties patching personal devices belonging to workers. Just over a quarter (26%) admit they effectively side-lined patching systems at a time when Microsoft alone released more than 100 fixes on successive Patch Tuesdays.

    Preparing for an extended battle

    While most IT teams are to be applauded for enabling a mass transition to working from home in a matter of a few days, it’s clear that from end-user training to zero-trust architecture there are lots of cybersecurity issues that need to be addressed. Many organizations assumed the COVID-19 pandemic would be roughly equivalent to an extended blizzard that would shut down the office for a few weeks. Increasingly, it’s looking like combating the COVID-19 pandemic will be an extended battle that requires fundamentally new approaches to how IT is delivered and secured.

    Naturally, each organization always will need to decide just what the right level of business risk should be given the sensitivity of the data that needs to be protected. However, organizations are being presented with a unique opportunity to approach cybersecurity with a blank piece of paper that should not be wasted.

    _______________

    Reposted with permission from: https://blog.barracuda.com/2020/08/03/coming-to-terms-with-covid-security-reality/


  • COVID-19 fraud: companies face new phishing attacks

    As Coronavirus COVID-19 makes its way across the world, individuals are doing their best to stay up-to-date on the latest outbreak locations and confirmed cases. Hackers have created new attacks based on the public interest in this virus.

    One of the most common attacks is an email impersonation attack. In this attack, the criminal impersonates organizations like the UN World Health Organization (WHO) and the US Centers for Disease Control and Prevention (CDC) to trick users into opening a malicious email. Multiple government organizations have issued warnings against these attacks.

    Email scams always follow the headlines

    It’s not unusual for hackers to capitalize on tragedies like hurricanes and other disasters. Most of these scams are designed to do some variation of the following:

    • Infect the user device and spread malware
    • Steal login credentials by way of a phishing site or other phishing mechanism
    • Collect donations for fake charities through malicious websites

    The current pandemic has given scammers all those opportunities and more:

    Email scammers will continue to find new ways to take advantage of the Coronavirus COVID-19 pandemic. If you have the proper email protection in place and you know what to watch out for, you can protect yourself from these email attacks.

    Spreading the infection

    There has been a real surge in the registration of new domains that use the word ‘coronavirus.’ Some of these will be put to good use, but many will be used by hackers for malicious purposes. These malicious websites might appear to offer news or advice on the coronavirus outbreak but are being used for phishing or to spread malware. Email impersonation scams often include links to this type of site.

    Email impersonation attacks

    Over the past few weeks, we have seen a number of attacks impersonating the World Health Organization. These phishing emails appear to come from WHO with information on Coronavirus COVID-19. They often use domain spoofing tactics to trick users into thinking these messages are legitimate.

    These email impersonation attacks will include a link in the body of the email. Users who click on that link are taken to a newly registered phishing website.

    Remote work and increased risk

    As a preventative measure against the spread of Coronavirus COVID-19, many organizations are asking employees to work remotely from home until further notice. These remote workers may rely on email for communication with other employees as well as updates on workplace location and other issues related to the outbreak. This puts users in a state of expectation for email messages from HR or upper management on the subject of the virus. This expectation creates an increased risk for the company because the user is more likely to accidentally open a malicious email if they are expecting a similar legitimate message.

    These factors, combined with the diminished ability to confirm the legitimacy of an email due to remote working, create a perfect environment for email scams.

    Protecting your organization and employees

    There are several ways to protect your company and employees from email scams, and they are based on employee education and security technology:

    • Don’t click on links in email from sources you do not know; they may lead to malicious websites
    • Be wary of emails claiming to be from the CDC or WHO. Go directly to their websites for the latest information.
    • Pay special attention to email messages from internal departments or executives who send regular updates on the outbreak. Domain and display name spoofing are some of the most common techniques used.
    • Never give personal information or login details in response to an email request. This is how a phishing attack leads to business email compromise.
    • All malicious emails and attacks should be immediately reported to IT departments for investigation and remediation.
    • Ensure that your organization has reliable virus, malware, and anti-phishing protection.
    • Make sure employees receive up-to-date training on the latest phishing and social-engineering attacks.

    Criminals are always looking for new ways to exploit the latest tragedies. Keep up on the latest scams by following alerts from CISA and similar sites.
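The display-name spoofing and coronavirus-themed link patterns described above can be screened for at the mail gateway or during triage of reported messages. The following is an added example, not code from the original article or from Barracuda; the brand-to-domain map, the keyword list, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions (not from the article): brand-to-domain map and keyword list.
BRANDS = {"world health organization": "who.int", "who": "who.int",
          "centers for disease control": "cdc.gov", "cdc": "cdc.gov"}
LURE_WORDS = ("coronavirus", "covid")

def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    name = display.lower()
    tokens = set(re.findall(r"[a-z]+", name))
    for brand, domain in BRANDS.items():
        # Short acronyms must match a whole word; full names match as substrings.
        claimed = brand in name if " " in brand else brand in tokens
        if claimed and not in_domain(sender_domain, domain):
            findings.append(f"display-name spoof: {display!r} from {sender_domain}")
            break
    # Decode every non-multipart part and pull out link hosts.
    body = " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                    for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        official = any(in_domain(host, d) for d in BRANDS.values())
        if any(w in host for w in LURE_WORDS) and not official:
            findings.append(f"lure link: {host}")
    return findings

# Constructed sample messages (reserved .example domains), not real mail.
SPOOFED = ('From: "World Health Organization" <updates@who-int.example>\n'
           "Subject: COVID-19 safety measures\n\n"
           "Review the guidance: http://coronavirus-safety.example/login\n")
GENUINE = ('From: "WHO Media" <media@who.int>\n'
           "Subject: Situation report\n\n"
           "Read more at https://www.who.int/emergencies\n")

if __name__ == "__main__":
    print(triage(SPOOFED))
    print(triage(GENUINE))
```

Whole-word matching on "who" will still flag unrelated display names that contain the word, so findings like these are better used to raise a message's review priority than to block it outright.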


    From: https://blog.barracudamsp.com