Education – Page 13 – RISC Management and Consulting

There have been multiple breaches in the news recently, headlined by the hack of the Office of Personnel Management (OPM) that exposed the information of potentially 18 million people at last tally. It was also recently announced that Blue Shield of California had also experienced a minor breach that affected 843 individuals through a coding error on one of their secure web sites. Within the past month, other notorious events included breach alerts from password manager LastPass and the Houston Astros, a professional MLB club.

While the cause may be different (or still unknown) for each of these events, they can all serve one purpose for any organization: take security seriously. Potential risks exist internally and externally for any organization that maintains or processes important and valuable data such as electronic Protected Health Information (ePHI). With the black market value of health records on the rise, it is imperative for all organizations to make efforts to ensure the confidentiality, integrity, and appropriate availability of sensitive data.

Straightforward steps towards building or maintaining a successful security program always start with a Risk Analysis. Without quantifying the potential risks to your organization, it is difficult to make informed decisions, especially when trying to purchase the right tools or delegate your workforce efforts. The next step is generally to analyze your policies and procedures. These documents state your organizations intent to comply with applicable regulations or frameworks. Maintaining up-to-date procedures is important for ensuring continuity in all of your regular processes and saves valuable time. Once each of the above has been addressed, it is then time to train your workforce. This accomplishes a number of goals including increasing the effectiveness of security controls, improving workforce efficiency, and protecting the organization in the event of a breach or other security incident.

These are just the first steps towards building a security program; there are a number of other technical, administrative, and physical controls that must be implemented to avoid breaches and comply with the standards and regulations of your industry. However, without these building blocks for long-term success, it might not be farfetched to find your organization on the OCR’s Wall of Shame.

To find help with a third-party Risk Analysis, policies and procedures, training, or any other security controls, contact RISC Management & Consulting today!

Phishing is a form of social engineering and works like a con game. A phishing attack is performed using email, a malicious website, or even a direct phone call to the victim. The many purposes of phishing include collecting personal information, gaining access to corporate information, gaining access to corporate information systems, installing malware, or even holding data hostage by changing local encryption keys! The information that is accessed or copied by the attacker is used for gaining access to your accounts such as your financial accounts, committing identity theft, gaining access to corporate networks and systems, changing credentials, or even holding your data hostage.

Social Engineering can be a positive or negative attack using human interactions to obtain information about your organization. The person attacking could potentially be someone hired by the company to locate gaps in their security or, more likely, maliciously by those wanting to hurt you or your organization. During the attack, the person will seem unassuming, or even helpful, and be able to blend in with the employees. Through this process, he/she/they are able to ask questions, retrieve data, take photos for evidence if hired by the company or infiltrate the office or department.

The attacker might send a false e-mail often that look surprisingly legitimate, and may seem valid. However, it is important to view the URL in the address field which can tell you if the page you have been directed to is not valid. The email might come from a credit card company requesting you to respond and might often come from other types of organizations such as charities during a natural disaster, holidays, etc. Some phishing attacks involve a phone call directly to the target, where the attacker often claims to be another employee, perhaps calling from the I.T. Helpdesk.

According to the U.S. CERT and IRS remaining alert and knowing the tricks can assist you in avoiding or repelling these malicious attacks. Here are their explanation (2015, January 30):

Spot common elements of the phishing lifecycle

A Lure: enticing email content.
- Example 1 of actual phishing email – see below
- Example 2 of actual phishing email – see below
A Hook: an email-based exploit.
- Email with embedded malicious content that is executed as a side effect of opening the email
- Email with malicious attachments that are activated as a side effect of opening an attachment
- Email with “clickable” URLs: the body of the email includes a link, which displays as a recognized, legitimate website, though the actual URL redirects the user to malicious content
A Catch: a transaction conducted by an actor following a successful attempt.
- Unexplainable charges
- Unexplainable password changes

Again, don’t be a victim and watch for any unexplainable changes to your financial accounts. If you think there’s a slight chance that your sensitive information was breached, change your passwords immediately. If you use the same passwords in multiple areas, it is important to change each one of those accounts as well. Remember not to use that particular password again in the future.

If you receive a phone call that you suspect of being a phishing attack, tell the caller that you need to call them back at the number you know to be the person or department they represent. For example, if the caller claims to be from the I.T. Helpdesk, tell them you are calling them back at the officially listed number (Never at the number the caller gives you), and hang up. Using a corporate directory, a known number, or a number in your contact list on your corporate-owned phone, call that department back and verify the communication to you, and their request. Never connect to a remote access service such as GoToMyPC, or setup a remote service request through Microsoft Windows when receiving a phone call that you did not initiate.

References

Mitnick. K.(2000, March 2). Frontline: The testimony of an ex-hacker. Retrieved from http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/testimony.html

Phishing. (2015). TechTerms.com. Retrieved from http://techterms.com/definition/phishing

U.S. Computer Emergency Readiness Team. (2013). Security tip (ST04-014): Avoiding social engineering and phishing attacks. Retrieved from https://www.us-cert.gov/ncas/tips/ST04-014

U.S. Computer Emergency Readiness Team. (2015, January 30). Security Tip(ST15-001): IRS and US-CERT Caution users. Retrieved from https://www.us-cert.gov/ncas/tips/ST15-001