Ain't Just for Us Country Folk Anymore!

Ain't Just for Us Country Folk Anymore!

AIN’T JUST FOR US COUNTRY FOLK ANYMORE! Q2 - 2016 COMPLIANCE EDUCATION PARHEZ SATTAR, INFORMATION SECURITY OFFICER SALLY SHEEHY, COMPLIANCE COORDINATOR GRANDE RONDE HOSPITAL CYBER CRIME Cyber crime refers to any crime that involves a computer and a network. Offenses are primarily committed through the internet. • Common examples of cyber crime include: • Credit card fraud • Spam • Identity theft • Health care information is a high value target • Hackers work daily to target information systems SOCIAL ENGINEERING Social engineering is the art of manipulating and exploiting human behavior to gain unauthorized access to systems and information for fraudulent or criminal purposes. • Social engineering attacks are more common and more successful than computer hacking attacks against the network. • Social engineering attacks are based on natural human desires like: • Trust • Desire to help • Desire to avoid conflict • Fear • Curiosity • Ignorance and carelessness Social engineers will gain information by exploiting the desire of humans to trust and help each other. PHISHING • Phishing is a social engineering scam whereby intruders seek access to your personal information or passwords by posing as a legitimate business or organization with legitimate reason to request information. • Phishing emails often contain spyware designed to give remote control to your computer or track your online activities. • Usually an email (or text) alerts you to a problem with your account and asks you to click on a link and provide information to correct the situation. • These emails look real and often claim to have been sent by someone that we “trust” and contain a familiar organization’s logo and trademark. The URL in the email resembles a legitimate web address. • For example, “https://aaa.securegrh.org” PUTTING STAFF TO THE TEST In December, GRH hired an information security consulting firm to perform a social engineering exercise to identify vulnerabilities in our internal network and environment. A spoofing email that looked like it came from Parhez Sattar, Senior Director IT, was designed to trick employees into signing over their AAA portal usernames and passwords. Eight percent of the target Notice the audience fell for the ruse altered GRH and submitted their address in the email link. credentials through the malicious portal. USER BEWARE Clicking on the link led the deceived users to this fake site, which was designed to appear very similar to our real AAA portal access site. In a few short minutes, 8 percent of our workforce handed over the keys to our IT systems. PHISHING EXAMPLE Phishing emails are designed to fool us and they appear to be legitimate. Take a look at another real-life example: If you receive such an email, simply ignore or delete it. If you receive it at work, call IT. DON’T TAKE THE BAIT! NEVER provide your password to anyone via email. Be suspicious of any email that: • Requests personal information. • Contains spelling and/or grammatical errors. • Asks you to click on a link. • Is unexpected or from a company or organization with whom you do not have a relationship. If you are suspicious of an email: • Do not open the message. • Do not open any attachments in the email (don’t even click on them). • Do not click on any link embedded within the message. • Make a note about the subject line (who it’s from, when it was received), and then delete the message. • Notify the IT Helpdesk by dialing or emailing “1410.” WHAT IS PHARMING? Pharming is a scam whereby hackers install malicious code to redirect Internet users to a bogus website that mimics the appearance of a legitimate one, in order to obtain personal information such as user names, passwords, account numbers, etc. Phishing vs. Pharming…what’s the difference? Phishing involves getting a user to enter personal information via a fake website, email, attachment, link or pop- up. Pharming involves the hacker “hijacking” the intended site’s DNS (domain name server), which causes users to be redirected to an imposter site that looks like the real site. RANSOMWARE: WHY HOSPITALS ARE WORRIED Ransomware attacks are the latest in cyber Recently, a hospital that scams on the Internet. Ransomware is a type of became the victim of a malware virus used by cyber criminals to take ransomware attack lost over an entity’s computer network by encrypting access to its clinical and and preventing authorized users from accessing billing systems and suffered other disruptions information on an affected network. It is typically in its services, such as delivered via email, and involves a combination having to divert of social engineering and technical subterfuge. emergency patients to other hospitals. Although When a recipient opens the deceptive email the hospital contained the message and clicks on the attachment, the threat and declared that ransomware is executed on the computer system no evidence suggested and infects all digital devices that are actively that patient or employee linked to the infected device. One form of information was accessed, the hospital ransomware has hackers sending a message to did pay a $17,000 the victim’s infected device and demanding a ransom in the interest of ransom payment in exchange for a decryption restoring its operations as key to unlock the data. quickly as possible. HOW PREPARED ARE WE TO DEFEND OURSELVES? The following is a real email that was sent to several GRH employees in February. The email appears to be sent from Accounting to inform people about an attached email from the IRS. At first glance, seems legit, right? Wrong! When an employee opened the attachment, a KEYLOGGER virus was downloaded onto the computer which was designed to record every keystroke the employee made. Fortunately, the computer was confiscated right away before sensitive information, such as passwords or other confidential data, could be transmitted to the bad guys. BEST PRACTICES TO SECURE IT ASSETS The tips in these next few slides can be used to protect your home computer as well as All phishing attacks fit into the same work computer. general information flow: 1. A suspicious email is sent to • Criminals can use your personal you. information to steal your identity and ruin 2. You take an action that might your finances. compromise your personal information. • Protecting yourself and your family on the 3. You are then prompted for personal and confidential Internet at home is just as important as information. This can happen by protecting information systems at work. means of a remote website or by a local “web Trojan” or virus. • Always use caution about giving out 4. You compromise your personal personal information over the Internet. information. 5. Your confidential information is Luckily, companies have begun to employ then forwarded from a “phishing tactics to fight against scammers, but they server” to the attacking “phisher.” cannot fully protect you on their own. 6. The phisher is using your private information to impersonate you. • If you are not sure if a message is 7. The phisher will then use that information to commit your legitimate, don’t click on the links or open identity theft. the attachments. Only open if you are expecting the message. BEST PRACTICES TO SECURE IT ASSETS • Rather than clicking on a message with links, manually go to the site (i.e. IRS, Bank, e-Commerce, whatever) and log on directly after you feel confident that it is a legitimate site. • All legitimate sites should have an address with https:// if collecting any kind of sensitive information or payments. Check the http address. When you get to the page where you're asked to enter personal information, the http should change to https. The "s" stands for secure. Who’s at risk? Anyone who uses the Internet and has online banking, credit card, and shopping accounts is at risk to pharming and phishing attacks. BEST PRACTICES TO SECURE IT ASSETS An attacker obscures the actual URL by overlaying a legitimate looking address or by using a similarly spelled URL. Check the Web browser's address bar to make sure the spelling is correct. For example, when you type https://www.paypal.com, you should see that address. But the address for a pharmed site might have paypal in the name, but it’s bogus. Don’t be fooled! Look for a padlock or key on the bottom of your browser or your computer task bar. A locked padlock, or a key, indicates a secure, encrypted connection and an unlocked padlock, or a broken key, indicates an unsecured connection. MORE GENERAL TIPS TO PROTECT YOURSELF AGAINST CYBER CRIME Guard against spam: 1) Install spam filtering/blocking software. Anti-spam software examines incoming email to try and separate spam from legitimate messages. Filtering software can automatically identify and detect spam, or offensive emails, and prevents those messages from reaching your inbox. 2) Do not respond to suspicious emails. If you suspect an email is spam, do not respond, just delete it. Do not click on or open any attachments. And do not click on any email links asking to be taken off the sender's list -- sometimes unsubscribe links are phony, and your response only confirms the accuracy of your email address and could result in even more unwanted messages. 3) Set up a disposable email address. Have a secondary -- or disposable -- email address for public use, such as a free web email account. Use that email when you're registering for web services or signing up for online newsletters. 4) Create an email name that's tough to crack. Some spammers use computer programs to guess email addresses. Research shows that email addresses containing numbers, letters and underscores are more difficult to guess and tend to receive less spam.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    28 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us