Companies are becoming more aware of the importance of cyber security practices, and many now require users to log in with multi-factor authentication in order to better protect user information. Login requests can be routed through applications such as Duo Two-Factor Authentication and Google Authenticator to verify that only authorized users can access the system. Softrams is a good example of an enterprise that implements multi-factor authentication applications, such as Okta and Google Authenticator, throughout its systems. Softrams has always used multi-factor authentication and continues to analyze log data for potential abuse.
Other organizations are becoming more aware of this as well. Just recently, the Cybersecurity and Infrastructure Security Agency (CISA) added single-factor authentication, in which a username and password alone are enough to log in, to its list of bad cyber security practices. Single-factor password authentication is not a reliable defense on its own, and everyone should adopt a multi-factor approach to better protect their data. According to the cited article, single-factor authentication is highly vulnerable to “brute force, phishing, social engineering, keylogging, network sniffing, malware, and credential dumping” attacks, making it inadequate for securing computer systems (Hope). Reusing passwords and choosing short, weak passwords make single-factor authentication weaker still. Adding a second factor has been shown to “block 100% of automated attacks, 99% of bulk phishing attacks, and 66% of targeted attacks on Google accounts” (Hope). While an extra login step can be irritating, this one small addition to your daily logins goes a long way toward securing your digital assets.
Nmap & Why I Love It!
Everyone has a favorite tool they enjoy using for one purpose or another. Today I wanted to go over a tool that I really enjoy and find hard to beat given the alternatives. I’m not going to go over every option, but I did provide two links above where you can read and learn more about the tool. I just want to show two practical scans and how one of them can lead to additional stages in our attack pipeline. Sometimes an old hammer is simply better than a new lightweight one. Let’s dive into a few uses of Nmap and walk through the simplicity and effectiveness of the tool. I’ll spare you the details of the recon work that precedes the enumeration phase of our attack. Let’s set the stage!
We have a host running Docker and a host running Jenkins for CI/CD workflows.
Our Docker host resides at: 10.10.1.10
nmap -sV -p- -T5 10.10.1.10

Nmap scan report for 10.10.1.10
Host is up (0.00067s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
--- Omitting non-relevant data ---
2375/tcp  open  docker  Docker 19.03.8
--- Omitting non-relevant data ---
Well, how embarrassing is that? It looks like a DevOps engineer has exposed the Docker Engine API on TCP 2375, which means we can most likely use it remotely, creating containers and doing nefarious things with malicious intent! Let’s hope Jenkins fares much better.
Our Jenkins Host resides at: 10.10.1.15
nmap -sV -p- -T5 10.10.1.15

Nmap scan report for 10.10.1.15
Host is up (0.00089s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
--- Omitting non-relevant data ---
8080/tcp  open  http    Jetty 9.2.z-SNAPSHOT
50000/tcp open  http    Jenkins httpd 2.60.3
--- Omitting non-relevant data ---
It looks like there isn’t much here other than Jenkins, and Nmap can’t tell that the web content served on port 8080 belongs to Jenkins. Jenkins serves its administration web interface on port 8080, and port 50000 is used by agent nodes to connect to it. Not much more can be gleaned from the scan results, since the output only tells us which services are running.
So now what? We could enumerate those services further, and we would certainly look into exploiting the Docker exposure we discovered. The whole reason I love Nmap is that you can get quick information on a host or service and then run with it to expand your view of the attack surface. This is great for red teaming or blue teaming, and let’s not forget a worthy mention of purple teaming! It’s a tool you can find on just about every Linux distribution, and it’s a quick install on Windows. You can take it further with the Nmap Scripting Engine (NSE), which can be pretty useful. For these reasons, I really love Nmap as a tool, and it’s on practically every system I own and use for CTF events.
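From the blue-team side, a scan like the ones above is only useful if someone reads it and acts on it. Here is an added example, not part of the original post, of a small Python triage script that parses Nmap's normal output and flags the two exposures discussed: the plaintext Docker Engine API on TCP 2375 and the Jenkins ports. The sample output, the severity rules and the remediation text are my own assumptions, modelled on the two scans shown above.

```python
import re
from dataclasses import dataclass

# Constructed sample in Nmap's normal output format. The hosts, ports and
# versions mirror the two scans shown above; nothing here was collected
# from a live system.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.1.10
Host is up (0.00067s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1
2375/tcp  open  docker  Docker 19.03.8

Nmap scan report for 10.10.1.15
Host is up (0.00089s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
8080/tcp  open  http    Jetty 9.2.z-SNAPSHOT
50000/tcp open  http    Jenkins httpd 2.60.3
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Finding:
    host: str
    port: int
    severity: str
    reason: str


def parse_nmap(text):
    """Return (host, port, proto, state, service, version) tuples from normal output."""
    host, rows = None, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and host:
            port, proto, state, service, version = m.groups()
            rows.append((host, int(port), proto, state, service, version.strip()))
    return rows


def triage(rows):
    """Apply defender-side rules to the parsed ports (hypothetical example rules)."""
    findings = []
    for host, port, proto, state, service, version in rows:
        if state != "open" or proto != "tcp":
            continue
        if port == 2375 or service == "docker":
            findings.append(Finding(host, port, "critical",
                "Docker Engine API reachable without TLS: any client that can reach "
                "this port can start containers as root on the host. Bind the daemon "
                "to a local socket, or require TLS client certificates (port 2376)."))
        elif "jenkins" in version.lower():
            findings.append(Finding(host, port, "high",
                "Jenkins inbound-agent port: restrict it to the build-agent network."))
        elif "jetty" in version.lower():
            findings.append(Finding(host, port, "medium",
                "Jetty web service: Nmap does not label the Jenkins UI on 8080, "
                "so fingerprint it manually and confirm authentication is enforced."))
    return findings


def triage_report(text):
    return triage(parse_nmap(text))


if __name__ == "__main__":
    for f in triage_report(SAMPLE_NMAP_OUTPUT):
        print(f"[{f.severity:8}] {f.host}:{f.port} - {f.reason}")
```

Run it over `nmap -sV -oN scan.txt ...` output taken from your own hosts. The Docker rule is the one that matters most: the Engine API has no authentication of its own, so the fix is to stop binding it to a TCP port at all, or to bind it on 2376 with TLS and client certificates.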
But wait?!?! You said the Docker port was a “NO NO.” Yes, and I did say I was sticking to Nmap here. But let me give you this gem. If you install Docker on your system, you can attempt to interact with the remote system by issuing the following command in your terminal of choice: docker -H 10.10.1.10:2375 ps -a
Now, if you get back a listing that shows some running containers, then you’ve pretty much hit the jackpot and can work on gaining remote functionality with your very own nefarious containers. For example, pull down the Kali Linux image with “docker -H 10.10.1.10:2375 pull kalilinux/kali” and then check that it downloaded fine with “docker -H 10.10.1.10:2375 images”. If you’re seeing a pattern, it’s this: you can use Docker commands remotely the same way you use them locally, so enjoy your new Kali container and have fun working on the remote Docker network.
A cyber incident is an event that could jeopardize the confidentiality, integrity, or availability of digital information or information systems.
An incident can be defined as an unexpected disruption to a service. An incident can disrupt your business which will directly or indirectly impact your customers.
Examples of incidents include the following: application lockouts, network service failures, application crashes, Wi-Fi connectivity issues, file sharing difficulties, unauthorized changes to systems, data or software, denial of service (DoS), and compromised user accounts.
What is the most important thing to do if you suspect a security incident?
If you suspect an incident on a system that contains sensitive data, do not attempt to investigate or remediate it yourself. Instruct all users of the system to stop work. Remove the system from the office network by unplugging its network cable or disconnecting it from the wireless network, and follow the incident reporting procedure in the existing incident response (IR) plan.
Incident reporting acts as a heads-up to management: it raises awareness of what can go wrong if corrective and preventative actions are not taken immediately. It gives management the detailed information they need to support their case whenever an incident occurs or recurs. Reporting incidents also serves as a reminder of possible hazards, and when incidents are reported promptly it is easier to monitor potential problems and their root cause, since they tend to repeat. Reporting helps identify the who, what, when and where of an attack. Reporting an incident as soon as possible helps contain it and limit its adverse effects, reducing the financial and reputational cost to the organization.
Incident Response is a system of people, process, and technology leveraged to prepare for, detect, contain, and recover from a suspected cyber security incident or compromise.
Incident Response Lifecycle:
According to NIST SP 800-61, the incident response lifecycle is broken into four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.
According to the NIST publication, accurately detecting and assessing incidents is difficult for many organizations.
Containment means advising on the measures necessary to contain the incident, limiting its spread and reducing its impact to be as low as possible. Recovery means directing the available resources to manage recovery activities, so that the organization recovers from the incident as quickly and effectively as possible and service disruption is minimized.
The most important part of the lifecycle is learning and improving after an incident: take adequate time to analyze the incident response effort, review your incident response procedures to highlight improvements, and use what you learn to inform your planning for next time. This phase also covers advising on communications, both internally and externally, including to authorities, the media and suppliers.
This blog is based on a combination of the best-practice cyber incident response framework developed by CREST, NIST SP 800-66 Rev. 2, and the international standard on incident management, ISO/IEC 27035.
Suppose for a moment that you’re a cartoonish caricature of an affluent individual, say, a certain copyrighted duck. And being this caricature, rather than keeping your wealth in real estate, investments and the like, you’ve opted for a good old fashioned room full of gold coins. Who among us wouldn’t love to take a physics-defying swim in such a “pool”? Of course, a large concentration of liquid assets like that is an extremely attractive target for those who might feel themselves more worthy of your fortune, regardless of the law. Some manner of protection is obviously needed for this vault of yours.
The obvious solution is a big, heavy door with a state of the art locking mechanism. But, being this affluent caricature, you have business that takes you around the world frequently, leaving your home unoccupied for significant periods of time; such caricatures are far too miserly to employ security staff. In practice, for as long as your home is unattended, that big fancy locking door is little more than a speed bump. Sure, it would take some time, but with you gone for weeks the thieves have all the time they need to research the lock and pick it, or even just force their way through the door with explosives or a cutting torch.
What if, instead, you made the entrance to the vault hidden, perhaps accessed by pulling a few shelves out of the pantry and opening a wall panel behind it. That would-be wealth distributor might now spend weeks combing your home and never even find the vault to get started!
It’s a no-brainer, right? Well, not exactly. In practice, this caricature would at the very least need to employ a contractor to construct this vault and its access point. Bare minimum, even with zero leaks, there are at least two more people who know the secret of your vault. And as Benjamin Franklin once wrote, “Three can keep a secret if two of them are dead.”
This is what we call security by obscurity: a strategy that employs secrecy as the primary method to secure an asset, whether that is liquid wealth, documents, or data on a server somewhere. It is a strategy that has been recognized for hundreds of years as fundamentally flawed. If an asset is to have any actual utility, there must be a means of accessing it, and this will fundamentally entail multiple people knowing the secret, one way or another. Each individual who knows this secret is a potential vector for compromise, and as soon as the information is leaked, it is in the hands of people with neither the obligation nor the inclination to protect your assets.
This very topic was heavily discussed in the mid 1800s, specifically on the question of maintaining secrecy for lock designs. Alfred Charles Hobbs famously stated, in favor of disclosure: “Rogues are very keen in their profession, and know already much more than we can teach them.” Essentially, the benefits of sharing the lock designs and getting more benevolent eyes looking for flaws significantly outweighed the risk inherent in the information being leaked to bad actors, as those bad actors already specialized in figuring out the workings of locks and circumventing them.
This same concept persists to this day, not only in the realm of physical locks, but in information security. We allow security professionals (like my team) to review our code, and attempt to circumvent our security and access or modify data that is supposed to be protected. We accept a little risk in doing this, as the end result is a system that is extremely difficult for a bad actor to break into. A small reduction in secrecy for a massive increase in security.
And yet, despite the well documented, centuries old fallibility of the obscurity approach, many individuals and small businesses continue to rely on it as their sole line of defense, some not even bothering to secure their Wi-Fi! Relying on being a small party that no one is likely to target is fundamentally flawed, particularly when mechanisms like malware are considered. Ransomware alone has already cost billions of dollars in damages, without any need for its creators to target any given individual or company specifically.
I’m not saying that obscurity is useless; on the contrary, keeping protected information on a need to know basis is one of the core principles of security. But used alone it is essentially useless, as the approach inherently provides a large attack vector in the form of the human element, which (as we know) is already the single largest attack vector even with thorough security measures in place. The information leak need not be intentional or even direct; simple human error can leak a secret, poor security discipline can lead to a malware infection that leaks the same, and so on. Secrecy absolutely has its place as part of an overarching security strategy. It is simply not to be used alone.
So by all means, make your vault entrance a hidden door, but still make sure you spring for that locking mechanism too.
Ever since the first mobile phone with a fingerprint scanner (surprisingly, not the iPhone) was released in 2004, people have had mixed reviews about it. However, now that most smartphones, laptops, and security devices have the feature built in or offer a biometric scanner as an option, the question becomes which is safer.
Along with biometric scanning, there is also the option of Multi-Factor Authentication (MFA), which has the user sign in with a one-time PIN generated by an authenticator application, in addition to their regular user name and password. Both methods provide an extra layer of protection and security for the applications being used. Another form of protection is a private key. Private keys stay on your device and are never shared with anyone. The key can be unlocked with a local gesture on the device, which makes it unique and difficult to replicate.
In terms of securing information, the different forms of biometrics and MFA both do the job well, by making it difficult for hackers to gain access to an individual user’s or a company’s systems. Which is better depends on the situation; according to Alex Simons, Corporate VP of Program Management at Microsoft, “99.9% of identity attacks have been thwarted by turning on MFA…” (Microsoft Security Passwordless Protection, 2021).
A scenario where biometric scanning might be the better option would be for a health care worker or for someone who is constantly on the go and needs access to information without much hassle. In such situations, using a fingerprint scanner would be the most efficient way for more than one person to quickly access the system while maintaining security.
On the other hand, for someone who works in a lab or an office and tends to stay at their desk for extended periods of time, there would not be much difference between a biometric scanner and a unique gesture or a randomly generated PIN.
Both scenarios allow the user to access their information quickly and safely with no compromise to security. In addition, users would not have to worry as often about forgetting passwords or changing them every few weeks for fear of potential attacks. There would also be a reduction in the number of successful phishing attacks, since logging into a device would require the attacker to physically replicate the user’s biometrics or possess the specific device used for MFA. These are only a few of the benefits of passwordless authentication, and although it might not always be possible to use fingerprint or retina scanners on all devices, a combination of traditional authentication mixed with forms of MFA can make for a very secure device.
Microsoft Security Passwordless Protection. (2021). Retrieved December 10, 2021, from https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2KEup
Have you ever tried to phish yourself? It’s an odd question, right? There is a benefit to trying it though. By now, you have likely read our blogs on Security and how to stay safe online. You are likely using a password manager with MFA enabled. If you are not using a password manager, strongly consider using one. There are a plethora of password managers out there, some of which are even free for basic users. By using a password manager, you will not have to remember your login and password for all websites, with the added benefit of preventing password reuse.
However, think for a minute as an attacker. If an attacker wants to get into your accounts, how would they go about it without knowing your username and password for those accounts? There is that pesky little ‘Forgot Password’ link on nearly every website, which may be an entryway into your account(s). Even though YOU know your username and password, an attacker may not, and that link is a good starting point for them.
Consider this scenario: As an attacker, I want access to your bank account. There is a good chance that you follow your bank on social media or have corresponded with your bank via email previously (digital bank statements, for example). But your social media profile is locked down to trusted friends only, so you are safe, right? Not necessarily. You are only as safe as your most insecure friend’s credentials. If your friend gets compromised, the attacker can see all your posts, followers, etc., and can likely gain some foothold into the services you use. That is what reconnaissance is all about, and it is one of the first phases of hacking (ethically, of course!).
If an attacker can get access to your email, they essentially have the keys to the kingdom. How many of us delete emails in the Sent folder? Sure, Inbox Zero is great, but in this digital age storage is cheap and you “may” need that email from 5 years ago that you archived, so we often overlook specific email folders. Even then, let us assume that as an attacker I cannot obtain access to your inbox. What if I went to your bank’s website directly and attempted a Forgot Username or Forgot Password? How far could I get?
This is where you, as a digital expert in online security, come in! If you were the attacker and clicked the ‘Forgot Username’ link on the website, what information is required? Is it just an email address, a phone number, or some security questions that likely everyone knows? Fluffy always was my favorite cat, by the way. Try it out yourself and see how far you can get with information that may be public knowledge or easily guessed.
You may say, ‘But I have MFA enabled on the website, so I am safer, right?’ The answer is yes and no. If the website allows an end user to reset their username or password as a fail-safe through SMS, even with MFA enabled, you are still susceptible to SIM swapping at your wireless carrier. If you can put a PIN on your wireless carrier account to prevent this, do so immediately. It’s not foolproof, but it helps.
Remember, everything you do online leaves a digital breadcrumb, and if someone wanted to follow that trail and use it against you, it is possible. Staying secure online sometimes requires thinking like the adversary and trying to compromise yourself with the knowledge, or lack thereof, that you may be able to find out through various means.
In today’s digital world, cybersecurity is more important than ever. We are all responsible for our own network hardening and security. Just about everyone has a home network, and people who work remotely surely have one. This blog post is about how to harden your home network and keep Advanced Persistent Threat (APT) efforts at bay.
Home networks used by remote workers should have a router/firewall under your direct control and ownership. Relying on the router/Wi-Fi Access Point (AP) supplied by your internet provider is not recommended. Placing your own router/firewall between your devices and the ISP’s router gives you a more secure network. The more sophisticated routers offer advanced features such as WPA3 instead of a less secure Wi-Fi protocol like WPA or, even worse, WEP. You can also block nefarious sites more easily with the web filters built into many firewalls, which blocks bad sites for the whole network instead of relying on software on each machine.
Another great feature of having your own router/firewall is that you can set up a guest network. We all have friends and family (F+F) visit us. The cell coverage in your home may not be so good, so your F+F want to use your Wi-Fi/Internet. Letting people use the network you rely on for remote work is not recommended: you have no way of telling whether their devices are compromised. A better solution is to have a guest network and let the F+F connect to that Wi-Fi network. On many routers/firewalls you can ‘lock down’ a guest network more tightly than your home network, reducing your exposure. As the saying goes, it is better to be safe than sorry.
[Screenshot: settings for a Linksys guest network]
A guest network is separate from your home network that is used for remote work. The traffic is segregated away from your home network traffic.
On some firewalls and routers you can geographically filter your traffic; in other words, you can allow or deny traffic from specified countries. This can be useful for blocking APT actors from countries with a history of attacks. It is also helpful with IoT (Internet of Things) devices, as it limits which countries those devices can reach over the internet.
In addition, you may want to limit your DNS in the same manner. Using a DNS service such as Quad9 is also recommended, to filter out known bad actors and sites.
Moreover, if you can purchase an enterprise firewall (FW), you should be able to implement an IPS (Intrusion Prevention System) policy, and most FWs allow SSL inspection and file inspection. Not all FWs are created equal, so if you have a particular idea of how this should work you will have to research which vendor matches your desired inspection capabilities. If your resources allow an enterprise-grade FW, it is highly recommended to add one to your network.
As for Wi-Fi: we have all been warned about connecting to open Wi-Fi networks and the dangers of doing so. Simply do not do it unless you also use a VPN. When you do use a public open network, all your applications should be closed, with nothing running, until AFTER your VPN is established.
For your home network, your Wi-Fi should be configured with the WPA2 security protocol at a minimum. WPA3 is the latest and most secure standard for Wi-Fi connections. There are other methods that are more secure still, but that topic is for another discussion.
Mobile Device Security
Cloud and mobile devices have changed our day-to-day work experience. Mobile device use is now part of business culture. Employees want access to corporate applications and sensitive data at any time and from any location. Whether it is Bring Your Own Device (BYOD), Choose Your Own Device (CYOD), or Corporate-Owned, Personally Enabled (COPE), mobile device infrastructure is in place in almost every organization.
Because of the extensive use of mobile devices in today’s work environment, the risk of data theft has risen enormously. For example, a newly discovered mobile malware family has been spreading via SMS messages in the U.S. and Canada using lures about COVID-19 boosters and regulations: the linked site tells users they need an “Adobe Flash update,” and if they click through the subsequent dialog boxes, the TangleBot malware installs.
With most business PCs now mobile, portable devices present distinct challenges to network and data security. Between malicious hackers and inexperienced users, mobile devices are vulnerable to a broad spectrum of attacks. Potential threats include malicious mobile apps, phishing scams, data leakage, spyware, and unsecured Wi-Fi networks. Businesses also have to account for the possibility of an employee’s mobile device being lost or stolen. To avoid a security breach, companies should take clear, preventative steps to reduce the risk.
Securing mobile devices requires a multi-layered approach and investment in enterprise solutions. While there are crucial elements to mobile device security, each organization needs to find what best fits its network.
The following are some best mobile device security practices:
Mobile device policies are only as effective as the organization’s ability to communicate those rules to employees. Mobile device security policies should be precise and understandable; the various stakeholders should document business device standards, and users should sign to acknowledge compliance.
One of the most basic ways to prevent unauthorized access to a mobile device is a strong password. A common security problem is employees using the same password for their mobile devices, email, and work-related accounts. Employees must create strong, unique passwords, with a different password for each account. Passwords should be no fewer than eight characters and contain at least one special character, one digit, and one capital letter.
Instead of relying only on traditional methods of mobile access security, such as passwords, some organizations are looking to biometrics as a safer option: the device uses measurable biological characteristics, such as face, fingerprint, voice, or iris recognition, for identification and access.
A mobile device is only as secure as the network through which it transmits data. Organizations need to educate employees about the dangers of using public Wi-Fi networks, which are vulnerable to attacks that can compromise a device, reach the corporate network, and expose data. The best defense is to encourage sensible user behavior and prohibit open Wi-Fi networks, no matter the convenience.
Malicious applications are the fastest-growing threat to mobile devices. When an employee unknowingly downloads one, whether for work or personal reasons, it provides unauthorized access to the organization’s network and data. To reduce this rising threat, businesses can instruct employees about the dangers of downloading unapproved apps, or ban employees from downloading certain apps altogether.
Most mobile devices ship with a built-in encryption feature. Users need to locate it on their devices and set a password to encrypt the device; the data is then converted into a form that only authorized users can access.
Utilize a virtual private network (VPN) if possible. A VPN extends a private network across a public network. A VPN enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. VPNs’ encryption technology allows remote users and branch offices to access corporate applications and resources securely.
Mobile device and data security depend on personal configuration, the device platform, cloud-based third-party services, and web services. Individuals who use their devices to access sensitive company data must continuously educate themselves on potential threats and security practices in order to secure their mobile devices adequately. Organizations should perform a detailed analysis of the risks from all known security threats to mobile applications and use the findings to form a secure strategy. In addition, continuous security awareness programs should be adopted by all organizations that use mobile devices for business.
Have you ever been asked the following question: How do you stay current with cybersecurity threats and news? If the answer is no, then you’ll be asked at some point, including now! How do you stay current with cybersecurity threats and news? Let us know as well and together we can help spread the information. With October being Cybersecurity Awareness Month, I thought it would be nice to share a few of my favorite methods of remaining updated with threats and news.
US-CERT Vulnerability Summaries – A great way to stay updated weekly on reported vulnerabilities affecting, but not limited to, operating systems and application software. The weekly bulletin can give you great insight into your own threat landscape, including your home network. You can subscribe to the bulletins and receive them weekly in your email inbox.
CSO – A nice informational website to have in your toolbox to read updates and gather some additional insight into what is going on in the Cybersecurity world. They do have a paid subscription but I find the free browsing and reading is more than sufficient to remain updated on current events. CSO provides news, analysis, and research on security and risk management.
Threatpost – Another great website to read news, analysis, and research articles as they happen! If you want to sleep at night then you’d probably want to limit reading this website to about 15 minutes maximum. I suppose in the field of Cybersecurity we hardly sleep anyway, so binge-read at your liberty!
KrebsOnSecurity – One of the top sites I browse daily to see if there are any emerging zero-day attacks. If you don’t want to subscribe to Microsoft patch bulletins, you’ll find a nice Patch Tuesday article here to consume.
FBI Cyber News – A great way to catch some articles that might not be reported on other outlets. What I like about these articles is how they vary between events but at times have really great recommendations.
This is a nice list to get you started with receiving news content related to Cybersecurity events and to help you in your journey to remaining informed on world issues impacting security globally. But that’s not all! There are additional resources available to you. I don’t venture much onto social media, but I do keep tabs on a few accounts that are immensely helpful. So, with that said, I’ve compiled a list of my top five Twitter accounts that I follow to receive quick alerts and information related to Cybersecurity events. I won’t mention the obvious FBI and US-CERT accounts; you can easily search for those.
Twitter Accounts to Follow
@SecurityNewsbot – Great way to get a quick alert on some activity related to Cybersecurity events.
@VulmonFeeds – A great way to get quick alerts on vulnerabilities (CVE related).
@PhishStats – A great way to see what’s going on with new websites hosting phishing activity.
@CVEnew – Another way to check up on quick alerts with CVE related vulnerability content.
@CISAInfraSec – Great way to stay updated on CISA posts related to infrastructure security.
I also think there should be a worthy mention of something else that is very important. How do you get information about new tools to test out or try for various Cybersecurity activities? Here are a few additional Twitter accounts you can follow where you’ll get some great tool recommendations to add to your arsenal.
@LSELabs – Tweets are related to security tools and contain links with decent reviews with further information for obtaining the tool from a typical git repository.
@KitPloit – More tools but also scripts that are great to monitor.
I do hope this short blurb about informational awareness sources can help you get some additional information to aid in your efforts to combat the ever-changing threat landscape. We look forward to your recommended sources as well! Together we can make the world safer by sharing resources.
Did you know that over the past year there has been a significant increase in the number of phishing attacks around the world? According to the FBI’s IC3 annual report for 2020, there were 241,342 complaints in the country, with losses amounting to around $54 million. This staggering number is for phishing crimes alone; when some of the more harmful attacks on small businesses and companies are included, the amount only increases. However, there are simple ways to help protect your devices from phishing attacks and make sure everyone stays safe.
What is Phishing?
The term Phishing was originally coined around 1966 and refers to hackers tricking users into clicking on spoofed links in an email or website. Once directed to the fake website, the user is tricked into providing sensitive information such as their full name, birthday, account numbers, addresses, and even work emails, allowing the hacker to easily break into the person’s account and steal valuable information. What the hacker can steal and use against you varies greatly depending on the context; however, attackers most commonly strike where there is monetary value involved. This can include sending emails posing as your bank, or a fake website claiming to sell a product that is sold out everywhere else. With an increasing number of people depending on technology and online resources, hackers are able to easily gather specific information about a single person and their lifestyle.
How can you spot it?
Spotting phishing attacks and protecting oneself takes more than gut instinct. There are some simple ways to spot potential attacks. The image below is an example of a common type of email that a user might receive from an attacker. Looking at the body of the message, nothing is out of the ordinary; it seems like a regular alert message for the user. In this instance, first check the header: the sender address tells the user whether the email came from a valid source. In the first image, the message is from firstname.lastname@example.org; however, reading through the message, the software being mentioned is Okta. This discrepancy between the sender’s domain and the name of the software being referenced is a helpful indicator that this email is not safe.
Another way to make sure that the email or link is from a trusted domain is by hovering over a link. In the image below, hovering over the word "link" shows the path that would be taken, and in this case it takes the user to a website named okto, when it is supposed to be okta as stated within the body of the email. Making sure this path is consistent with the expected domain, with no typos or lookalike spellings, is a good check that the email can be trusted.
Finally, another simple way to spot a phishing attempt is to check for grammatical or punctuation errors within the email that was sent.
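As an added example that is not code from the original post, the following Python checker applies the header and link checks described above to a constructed sample message: it compares the sender's domain and every linked hostname against the brand the message claims to be from (Okta), and flags one-letter lookalikes such as "okto" with a simple edit distance. The sample addresses and hostnames are made up for the example.

```python
from __future__ import annotations
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message, modelled on the post's example: the sender is
# not at the vendor's domain and the link points at "okto" instead of "okta".
SAMPLE_EMAIL = """\
From: Okta Support <alerts@example.org>
To: user@corp.example
Subject: Action required: verify your Okta account

Your Okta session needs re-verification. Please follow this link:
https://login.okto.example/verify?u=123
"""

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to flag one-letter lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host: str) -> str:
    """Second-level label of a hostname, e.g. 'okta' for 'login.okta.com'."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host.lower()

def check_email(raw: str, brand: str) -> list[str]:
    """Return indicators that the message does not really come from `brand`."""
    msg = message_from_string(raw)
    findings = []
    # Header check: does the sender's domain actually belong to the brand?
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if registrable_label(sender_domain) != brand:
        findings.append(f"sender domain '{sender_domain}' is not a {brand} domain")
    # Link check: the same thing a user sees when hovering over each link.
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        label = registrable_label(host)
        if label != brand and edit_distance(label, brand) <= 2:
            findings.append(f"link host '{host}' is a lookalike of {brand} ('{label}')")
        elif label != brand:
            findings.append(f"link host '{host}' does not belong to {brand}")
    return findings
```

Running `check_email(SAMPLE_EMAIL, "okta")` reports both the mismatched sender domain and the okto lookalike link; a message whose sender and links are all under okta.com produces no findings.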
What can you do to protect yourself?
Protecting yourself and others might seem like a daunting task. With so many websites and emails being sent on a daily basis, it is important to take a few precautions to protect oneself.
Last but not least,
Once a suspicious email is found, it is important to prevent its spread by sharing it with others. Whether it is your colleagues or your friends and family, spreading the word helps the community stay safe. Finally, if you come across an email that you are simply not sure of but that seems suspicious, do not click on anything and simply delete it. It is always easier to bring back a message from the trash folder than it is to recover from a phishing attack.
https://www.umass.edu/it/freshphish – Phishing email attempts with explanations
http://www.phishing.org/phishing-examples – Phishing email examples
https://www.eff.org/privacybadger – Privacy Badger