On Thursday February 2 the IRS put out a press release warning schools, hospitals, restaurants, tribal groups and "others" to be on the lookout for sophisticated W-2 phishing scam that has netted crooks millions of dollars and cost employees, in some instances, their jobs. This diverse list of potential targets and "others" is of note because the W-2 phishing scam is growing in reach and effectiveness, hoovering up a larger and more diverse group of victims. Discovered in 2016, the W-2 scam is particularly dangerous because it is a blended attack that targets employees with authority to do two things: release employees’ W-2 tax information in bulk and/or conduct wire transfers on behalf of their employers. Wire transfer scams are called business email compromise (BEC) scams and are carried out using similar means to the W-2 hacks.
Whenever a company suffers a headline-grabbing data breach, its reputation takes a serious blow. If you’re a big company, evidence suggests the impact is short-lived. But if you’re a small company doing business with large partners, it could be a different story. Retail giant Target saw its sales decline after suffering a breach in 2013 that compromised payment card information of 110 million customers, but one year later the company’s sales had increased. In a March 2015 article, Fortune magazine reported that breaches cost big companies “shockingly little.” Citing a study by Benjamin Dean, a fellow at Columbia University’s School of International and Public Affairs, Fortune reported that breach-related expenses cost Sony, Target and Home Depot “less than 1 percent of each company’s annual revenues” after suffering major cyber attacks. Even though the study measured revenue, there is a correlation to reputation. If customers abandoned a company in droves after it suffers a breach, the impact wouldn’t be this low.
Part II – Identity
As the business world continues to embrace cloud and mobile technologies, and any semblance of a secure network perimeter is being obliterated, it is imperative for cyber security pros to focus their efforts on the technologies and techniques that will have the greatest impact in the shortest amount of time for the greatest number of users. This is why focusing on identity management is increasingly seen as a sound cyber security practice. In a perimeter-less world, if you can know what people are doing on the network and can limit that activity and their access based on roles or other privileges, you will be far more able to thwart a cyberattack before it gets out of hand or even gets started. According to one highly placed security industry CTO, "If you could achieve that guarantee at all times, your problems would more-or-less be solved. And identity is foundational in that regard."
Part I – Visibility
As has been made abundantly clear by the 2016 presidential election, hacking has entered new territory. This land grab shouldn't come as a surprise to anyone responsible for cyber security but, if it does, what they need to realize is cyber security today is about a lot more than protecting a few credit card numbers. Thankfully, the seriousness of countering these bad actors is finally getting the Board Room notice it deserves. So now that a beachhead in the battle for basic awareness is finally being established, the focus can shift to mounting an effective counter-offensive? We use this term deliberately. Up until the past few years, most cyber security measures have been defensive in nature: firewalls, IDS/IPS, anti-virus, monitoring, alterting, etc. According to analyst Zeus Kerravala writing NetworkWorld, the average company deploys security products from 32 different vendors.
Traditional cybersecurity approaches revolve around building a defensive posture. Cybercriminals come up with new, inventive ways to break into networks, and cybersecurity professionals scramble to stop them.
But what if you flipped this approach on its head? What if rather than a defensive approach, you went on the offensive? Is that even possible?
In the good old days when shadow IT was just a piece of hardware or a few lines of borrowed code, CIOs
could expect their networks and infrastructures to be reasonably well-protected from all but the most determined foes.
Ransomware discussions mostly revolve around protection against attacks, but how should we view an attack in the context of regulatory compliance?
In June, an insider (employee) accessed PHI records of patients of Orlando Health, a multi-hospital healthcare system in central Florida. This is the same hospital system that treated victims of the Orlando Pulse nightclub shootings at its Orlando Regional Medical Center. Local TV station, WFTV confirmed that the affected records belong to victims of the nightclub attack.
The cloud’s greatest appeal is productivity. When executed properly, cloud investments produce productivity gains that permeate multiple aspects of the business – even less obvious ones.
When it comes to crafting the “best” phishing email scam letter, over the years it has been assumed that the less polished a letter, the better. Having something that is poorly worded, or purposely uses bad syntax and grammar tends to eliminate the sharper-eyed readers who probably wouldn’t respond to the phish anyway. This way the phisher ensures that only the most gullible users will end up getting snared. The use of bad grammar makes the emails seem more authentic, as it would appear to be a personal letter written from a foreigner who isn’t completely fluent rather than from a criminal trying to steal your identity or bank account information.