3. Confidential 3
FACTS ABOUT PHISHING
• More than 400 businesses are targeted with business email compromise (BEC) scams every day.
• Phishing volume grew by a massive 41 percent in Q2 2017.
• Almost half of all breaches are caused by phishing.
7. EXTERNAL VULNERABILITIES vs. INTERNAL VULNERABILITIES
External vulnerabilities: the attacker could be a criminal or hacker who uses the vulnerabilities to get into the network or access data.
Internal vulnerabilities: the attacker could be found within the business; they can be employees who intentionally sell information or mistakenly expose it.
8. EXAMPLES OF EXTERNAL VULNERABILITIES
• Insufficient access control for customers, suppliers and partners
• Cloning of access cards and fob keys
• Weak firewall rules and unpatched software on the firewall
• Weak security administration
9. EXAMPLES OF INTERNAL VULNERABILITIES
• Unprotected laptops
• Unpatched software
• Access control issues
• Vulnerabilities in internal applications
• Weak/default passwords
10. Where are the threats coming from?
(Pie chart; the exact mapping of values to segments is not recoverable from the extraction. Segments are labelled Employees, Ex-employees, Third Parties and Outside the Organization, with values 42%, 33%, 18% and 7%; a "Within the organization" label reads 58%.)
Source: Clearswift.com
11. LIMIT CYBER VULNERABILITIES
• Train your workforce
• Secure configurations for hardware & software
• Control use of administrative privileged accounts
• Install proper firewalls & anti-virus
• Track all hardware devices on the network
• Practice patch management
• Conduct vulnerability assessment
• Use strong passwords
• Backup your data
12. Joining the workforce?
What you can expect when you join the workforce:
• Career opportunities
• A booming industry
• What you are likely to hear even if you are not in the cybersecurity field
13. HOW COMPANIES TEST CYBER VULNERABILITIES
• External Penetration Testing
• Internal Penetration Testing
• Vulnerability Assessment
• Web Application Testing
• Social Engineering
14. PENETRATION TESTING
External Penetration Testing
• An external penetration test mimics the actions of an actual attacker exploiting weaknesses in the network security.
Internal Penetration Testing
• This test examines internal IT systems for any weakness that could be used to disrupt the confidentiality, integrity or availability of the network, thereby allowing the organization to address each weakness.
This process helps identify the security vulnerabilities within the system or network by simulating an attack.
15. VULNERABILITY ASSESSMENT
A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
Table: Risk Level Matrix (rows = Likelihood, columns = Impact)
Likelihood \ Impact   Low     Medium  High
High                  Medium  High    High
Medium                Low     Medium  High
Low                   Low     Low     Medium
16. WEB APPLICATION TESTING
Web application testing is a software testing technique adopted exclusively for applications hosted on the web, in which the application interfaces and other functionalities are tested.
Web application testing techniques to test confidentiality, integrity and availability:
• Functionality Testing
• Usability testing
• Interface testing
• Compatibility testing
• Performance testing
• Security testing
17. SOCIAL ENGINEERING
Phishing
• Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
Vishing
• Vishing is the telephone equivalent of phishing. It is described as the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft.
Tailgating
• Tailgating is a physical security breach in which an unauthorized person follows an authorized individual to enter secured premises.
The most common types of cyber threats are malware, phishing, spyware, whaling, botnets and spam. One of the threats people are most often impacted by is phishing. Other types of threats are hacking, bots and misuse of employee privileges.
Malware is malicious software, and there are different types, such as viruses, ransomware, spyware, worms and more.
• Malware can get into your computer when you accidentally click a suspicious email attachment, or perhaps when you connect an infected drive to your computer.
• How can malware affect your business? Malware can affect your business through loss of customer information, loss of reputation, financial cost, legal costs and more. -> http://honigconte.com/malware-attacks/
• How can we prevent malware? Examine the email before you open it (check the sender's address; is it a trusted URL?), update your operating system, browsers and plugins, and keep antivirus installed and updated. For more information -> https://blog.malwarebytes.com/101/2016/08/10-easy-ways-to-prevent-malware-infection/
What is phishing? Phishing is when attackers send emails posing as a reputable institution or company in order to obtain sensitive data such as your password, credit card information or username.
How can I avoid phishing scams? A couple of things you can do to avoid phishing scams are to keep informed on the latest techniques used for phishing, not click on emails from unfamiliar sources or people, and install an anti-phishing toolbar. -> http://www.phishing.org/10-ways-to-avoid-phishing-scams
What is whaling? Whaling is a type of phishing that targets C-level executives in order to obtain sensitive information. https://digitalguardian.com/blog/what-whaling-attack-defining-and-identifying-whaling-attacks
Sources:
• https://www.getcybersafe.gc.ca/cnt/rsks/cmmn-thrts-en.aspx
• https://purplegriffon.com/blog/10-cyber-security-threats-in-2017
• https://Info.phishlabs.com/blog/the-impact-of-phishing-and-why-it-should-be-your-1-priority
The volume of spam emails increased by 400 percent in 2016. If you click on a phishing email, you are automatically linked to spam.
Symantec – More than 400 businesses are targeted with business email compromise (BEC) scams every day https://www.symantec.com/security-center/threat-report
Phishing Volume grew by a massive 41 percent in Q2 2017 - https://info.phishlabs.com/q2_2017_phishing_trends_and_-intelligence_report
Verizon - Almost half of all breaches are caused by phishing - https://www.verizonenterprise.com/verizon-insights-lab/dbir/
We need to see the external and internal vulnerabilities
Source: https://www.statista.com/statistics/700965/leading-cause-of-ransomware-infection/
https://www.nytimes.com/2017/05/15/technology/personaltech/heres-how-to-protect-yourself-from-ransomware-attacks.html
Lack of Security Ads: ransomware developers often use pop-up windows that advertise software products that remove malware. Do not click on anything in these pop-ups; instead, safely close the windows.
We need to see the external and internal vulnerabilities
Keyloggers are used to capture passwords and other private data; this software or equipment is sold on the open market. https://knowledgemines.com/keyloggers/
Example of External Vulnerability Threats - https://ebrary.net/26640/computer_science/security_threats
Can fob keys be cloned? Yes, they can be cloned: https://www.youtube.com/watch?v=cxxnuofREcM https://www.clonemykey.com/faq/ https://www.getkisi.com/blog/how-to-copy-access-cards-and-keyfobs
Source: https://www.newgenapps.com/blog/internal-and-external-security-threats
Infographic: Where are the threats coming from - https://www.clearswift.com/sites/default/files/images/blog/enemy-within.pdf
Control Use of Administrative Privileges: minimize and monitor administrative privileges.
Practice Patch Management: a process in which you identify, acquire, install and verify patches for products and systems.
Conduct Vulnerability Scanning: check the software and configurations of the systems on your network.
Secure Configurations for Hardware & Software: certain configuration options can open new opportunities for hackers.
Track all hardware devices on the network:
Use strong Passwords: remember to change your password frequently and do not reuse passwords. The password needs to contain letters, numbers and symbols.
Secure Wi-Fi Networks: make sure that the Wi-Fi networks are encrypted.
Have proper Back-up Plans: perform regular back-ups of important files from your laptop. If you are a victim of malware, a backup drive will ensure that important files are not lost.
Firewalls: offer different layers of protection and can be in hardware or software form.
Source: https://www.calyptix.com/top-threats/5-security-controls-stop-85-cyber-attacks/
http://www.manageitafrica.com/avoidable-cyber-security-mistakes-prevent-vulnerabilities/
External Penetration Testing: https://www.hacklabs.com/penetration-testing/
Internal Penetration Testing: https://www.hacklabs.com/internal-penetration-testing/
Penetration Testing: it is the process of identifying security vulnerabilities in an application by evaluating the system or network with various malicious techniques. https://www.softwaretestinghelp.com/penetration-testing-guide/
Why does your company need penetration testing? To avoid incidents such as the WannaCry ransomware attack of May 2017. Companies need to protect their information systems against security breaches.
Phishing: https://en.wikipedia.org/wiki/Phishing
Vishing: https://www.webopedia.com/TERM/V/vishing.html
Tailgating: https://whatis.techtarget.com/definition/tailgating-piggybacking
Picture: social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick for the purpose of information gathering, fraud, or system access, and the first known attack of this kind in history is the Trojan horse itself (not the computer virus, but the event from Greek mythology). For example, in one such attack, an international cyber crime ring based in Eastern Europe managed to steal $1 billion in 2 years from 100 different banks in nearly 30 countries using spear phishing emails targeting bank employees. The spear phishing technique is, by far, the most successful on the internet today, accounting for 91% of attacks. Website: https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/