If your business faced a ransomware attack, would you pay the hacker?

It’s estimated by Kaspersky that 45% of business employees are unaware of how to handle a ransomware attack, and especially given the current circumstances, this is a critical cybersecurity opening for many organisations.

Wherein the majority of organisations are used to a conventional security structure with secure office networks, firm access control policies, and countless on-site security measures to reduce risk, countless workers are now suddenly minimising or totally missing these security measures in place for stock-standard home networks and a plethora of exploitable risks that come with the move.

In 2019, it was also estimated that 15 percent of all ransomware victims chose to pay the ransom. However, it is widely recommended that ransomware should be treated similarly to a real-life hostage situation: never pay the ransom.

Not only does this not guarantee that the hacker will remove the ransomware, but it also incentivises them to target you and similar businesses again.

A recent example of a massive ransomware payout was that of Travelex in December 2019. Travelex is a foreign currency exchange that services businesses across 26 countries, and in response to a targetted attack by the prominent hacker group, the Sodinokibi gang, Travelex paid out a sum of $2.3 million dollars.

The Sodinokibi gang held 5GB of encrypted data at ransom to accomplish this payout, which they promised to delete upon payout. The issue is that while the payout did prevent the attackers from publishing the sensitive data, there is no way of knowing whether they actually deleted the information.

And considering that this is a criminal group, it only stands to reason that they’d keep it as a further avenue of exploitation and profit.

While the Travelex incident was late last year, research indicates that ransomware attacks have gone up significantly throughout the COVID-19 pandemic, especially against businesses in the health industry.

Regardless of whether or not your business lands in the health sector, here are some precautions you can take pertaining to ransomware, especially in these current circumstances:

• Be cautious of ransomware scams disguising as COVID-19 apps or services (Read here)
• Evaluate what security measures are missing due to work-from-home, and do your best to replicate them in employee houses (See my article from last week)
• Back. Up. Your. Data.

That last step is especially important, as oftentimes the only thing that can give you some leeway in the case of a ransomware negotiation, is if you have a copy of stolen data to restore from. (See Here for more information on developing a back-up plan for your business)

Finally, for more details on staying safe online and covering your work-from-home security, see our remote-working program.

With the advent of remote-working in response to COVID-19, we’re all making necessary adjustments. We’re incorporating new behaviors into our day-to-day life, such as limiting our time out of the house to essential shopping or exercise, and are now using our homes for activities that we’re otherwise used to performing out in the world.

We’re adopting new indoor exercise routines, frequently preparing our own meals in favor of the usual take-out, and have had to establish boundaries between working space and relaxing space within our own houses. Most notably, it’s reported that hand-washing is up by 1000% across the globe (don’t fact check me on that).

While we adjust and make preparations during this unprecedented time, it’s important that we take consideration for some of the subtler changes pertaining to safety as well. One of which being simple password hygiene.

It didn’t take long at all for scammers to jump at this opportunity and roll out a plethora of COVID-19 scams, but this isn’t the only way they’re exploiting and profiting from the masses during this time. Hackers & scammers are well aware that with the move to home-offices, comes a move away from office security.

Things like network security, access control, and general password hygiene are more exposed now than they have been for a long time

In the migration to our home-offices, most of us are taking passwords that were previously used only on secure office networks and entering them into home machines with lower standards of security. Furthermore, systems that we never had to re-log into, or that we’ve forgotten the passwords for, are having their passwords reset for the home-office.

When re-entering or changing passwords for your work systems, it’s a critical time to reconsider how strong they are, and how long you’ve been using them.

To ensure that your passwords aren’t compromised as a result of the change in workplace security.

Make the switch to passphrases.

A passphrase, simply put, is an anagram. Rather than using a simple word with some numbers, it’s encouraged in modern online safety to use complicated passwords. These can be made easily by using a phrase that you’re sure to remember, and flipping it into a passphrase. For example:
”Jack and Jill Went Up The Hill” can be used as a passphrase such as “JaJwUtH”.

Add a few numbers and a symbol to the end of that, and straight away you’ve created a strong, memorable passphrase.

Don’t re-use or share your passphrases.

I like to think of each of my passphrases as though they were my toothbrush: I don’t re-use them too much, and I never share them with others.
In most cases when your passphrase is stolen or compromised, it tends to sit on the dark-web for anywhere between a few weeks to a few months. By changing your passphrases regularly, and by using unique passphrases for each essential login, you prevent cybercriminals from being able to use stolen credentials to access your systems in the long run.

As for sharing them around, if you have team-workers or managerial staff who share a login system with you, it is key that wherever possible you are using separate sets of logins, and most importantly, that those logins are not shared between other systems.

Use a password manager!

Finally, we recommend using a password manager to store your passwords. Between the cyclical news surrounding COVID-19 and our frequently changing workloads as a result of it, our brains are full up.
It’s encouraged to use complex and unique passphrases across a number of devices, but we couldn’t reasonably ask you to remember them all.

This is where password managers come in. Their secure programs that typically plug straight in to your browser, and work like an encrypted encyclopedia of all your login credentials.

Most password managers don’t just remember the passwords, but typically enter them in for you, enable two-factor support, and even create secure, randomly generated passwords for you where needed.

Of all the advice in this article, password managers are likely the most essential. We recommend 1Password, LastPass, and Google Password Manager.

Many years ago, when I was a 14-year-old budding computer nerd, I experienced my first data-breach. I’d been playing World of Warcraft for hours on end (I was a kid, quit judging!) when another player offered me an “exclusive” opportunity to test out some new beta weapons and equipment.

All I had to do was enter my logins to the beta-test form, and this promised “exclusive gear” would be added to my account in 24 hours.

An email was sent through with the required form and being young, naive and full of the typical invincibility syndrome that young 14-year-old boys tend to have, I entered my username and password then signed off for the night.

Sure enough, I returned the next day to find that my passwords had been changed, all of my character’s clothes and weapons were stolen, and my email account had been compromised. I’d used the same email and password for my World of Warcraft account as I had for my personal email account.

Thankfully, at that time I had nothing of real value to lose from those accounts, and had some very valuable lessons to learn: don’t trust strangers online, and don’t re-use passwords!

Re-using passwords is a big no-no, but let’s be honest, everyone does it. I don’t know a single person who hasn’t re-used a password across multiple logins. It’s quick, it’s easy, and most of all it’s memorable.

The problem with re-using passwords, however, is that if they get stolen or guessed just once, they can then be used to access everything. It’s like cutting a master-key to fit your front-gate, garage and car all in one. And it’s why a silly encounter in an online game led to my email account being hacked.

In most major cyber breaches the logins are often stolen from somewhere unrelated, such as a social media account or streaming subscription, and then re-used for later attacks on bank accounts or corporate systems.

To avoid credential-based attacks, the expectation is that we use a different password for each and every login we have. However, given that the average person now has upwards of 27 online logins to remember, it’s quickly becoming an impossible task to individualise them and is likely why we’re seeing 81% to 87% of people re-using their passwords in the first place.

Following my first data-breach as a kid, my solution to making and remembering unique passwords was to enter familiar names into the Wu-Tang Name Generator. But what if I told you there was a better way!

My advice moving into 2020: instead of trying to remember all of your passwords, try forgetting them instead with password manager!

The way that password managers work is similar to how a browser’s auto-fill works. When logging in to an account, you type in your username & password just once, then your password manager securely stores and remembers them. Next time you log in, the password manager will take care of the grunt-work and log in for you.

The only password you still need to remember is your master key for the password manager itself.

You’re probably thinking that this doesn’t sound safe, but in exchange for this easy login tool, good Password Managers bulk up their security on the master login. Often times, you’re required to know your master-key, have a two-factor authentication code and authorise the device that you’re logging in from.

In exchange for that hassle, you don’t need to write down or remember any of your other passwords.

Further to being an easy and safe solution to remembering passwords, password managers also enable some huge security benefits:

• Allows for unique passwords: Wherein you’re now limited by the number of unique passwords that a human-brain can remember (or that your desk can fit on sticky-notes), a password manager has a computer-brain, and can probably remember a few more. This means more unique passwords & fewer memory games.
• Allows for stronger passwords: Most password managers will automatically suggest complex passwords for you. Instead of using common hackable passwords like donald or password123, a manager enables the use of complex, strong passwords like “t3cH^1©4l j4r30n” without ever needing to type or remember them!
• Easy Use of Two-Factor: IBM estimates that over 80% of cyber-attacks in the last decade could have been prevented with two-factor and strong passwords. Modern password managers both facilitate stronger passwords, and often come pre-installed with automated two-factor support. In short, this means that any login or hack attempted against your account(s) needs not only the password, but also the two-factor key you set up as well.

Some password managers I’d recommend are LastPass, OnePass (my preferred choice), and the updated Google Password Manager with Two-Factor enabled.

Moving into 2020, free up some of that precious brainpower and let a password manager do all that pesky remembering for you!

Author: Leonard Bernardone

Another year, another “Black Friday Crowds rampaging through Walmart” Youtube compilation for me to relax too while doing my online Christmas shopping! But for those of us who prefer to shop online and avoid the probability of being trampled to bits over a discounted microwave, there are still some big risks to consider.

Australians are seeing some of the largest damages from online scams to date, with reported losses of over $4 million in 2019 (a staggering $700k increase from 2018’s total losses). The amount of Australians who shop online has been steadily increasing every year, with the national average going up an ever further 20% in 2018, and cybercriminals are increasing their efforts accordingly. 

We recommend sharing these seven safety tips in the office to close out the week, especially for the colleague browsing 20+ tabs in search of the best deals:

1. Don’t open PDF catalogues in emails. How many infected attachments does it take to cause a ransomware outbreak? Not many! Any deals/offers should be in the email itself, not hidden in a risky PDF.
2. Watch out for fake websites in emails. If an email convinces you to shop at a particular store, dodge the risk of a scam email and just Google search the store directly for a safe link.
3. Watch out for gift card scams. Gift cards are the recurring most popular item on wish lists, and attackers will often ask for payment via Gift Cards themselves. Don’t get stuck laundering money by mistake, or purchasing a dead card.
4. Keep your money off of public Wi-Fi. The thing about public Wi-Fi is… it’s public. You don’t know who else is sitting on that network and monitoring your transactions. Switch to mobile data or wait until you’re home/at the office.
5. Checkout using safe payment gateways. Have you ever seen those scams where a fake EFT reader is put onto an ATM to steal funds? Lately, scammers have been doing the same thing on website checkouts! They intercept your order and steal your card data using a tactic called e-skimming. Always check for https, or just stay safe using services like Paypal. 
6. Switch to credit, or limit your spending account. If you must use a debit card, make sure it has a limited spend-per-day and transaction alerts set up with your bank.
7. Classic advice: Don’t Click Popups. If an offer sounds too good to be true, it is. Hit that beautiful x button and move on. 

Did we get them all? What? “No” you say? Well, please leave a comment below! Let us know what you’ll be doing to stay safe online this Black Friday/Cyber Monday. 

Have a scam-free weekend people! 

The immediate and rapid migration from our workplaces to the household has greatly expanded the cybercrime landscape:

Cyber-criminals across the globe are tailoring their efforts to remote workers and developing new scams designed specifically to exploit individuals during this vulnerable time.

As we leave the office and migrate to our respective homes, we need to take a step back and consider a few things:

1. We’re taking our office with us: not just the pens and pencils, but our sensitive company data and system logins. Assets that we as individuals need to keep safe during the transition to working from home.
2. In doing this, we’re simultaneously leaving behind one of the biggest benefits of working in the office: security.

Amidst the endless news-cycle of COVID-19, we’re seeing constant public safety warnings extending not only for our hygiene and physical wellbeing, but also our mental health, socialisation, and cyber–safety.

The Australian Cyber Security Centre (ACSC)and countless government bodies are warning of the surge in online risks and vulnerabilities that COVID-19 has introduced.

All of a sudden, we’re incurring dangers of network security, access control, data management and a whole slew of cyber-security necessities that the majority of us have never had to consider before.

For cyber-criminals, this is an opportunity to profit and exploit like never before. To put it into an analogy, it’s as if the all of the shopfronts in the world have unanimously removed their locks and taken their inventories out on to the streets.

Countless workplaces have just had their security scattered to employee households with little-to-no central safety measures, and to ensure that both staff and the organisation at large are operating safely during these changing times. there are two key factors that every business needs to account for:

1. Network security: This means a centralised standard of VPN, secure Wi-Fi and access control to any data and systems of the organisations when accessed remotely

This is typically performed by a dedicated I.T. team, member of staff or service provider. In the event that you haven’t already arranged this, I’d recommend moving fast to get ahead of the demand.

Already companies such as Cisco Systems Inc have seen a 1000% increase in demand for support services that cater to work-from-home security setups. Ensure that all members of your team are working from home under company networks and a secure connection.

1. An individual understanding of risk and cyber safety: While working from home, you’ll find yourself facing a whole range of new cyber-threats and scams specifically designed to capitalise on individual mistakes. From opening the wrong email to clicking the wrong link, we’re all at risk of exposing corporate data from our own household if we aren’t careful.

You can expect to see scams that play on concerns surrounding COVID-19, especially on matters of personal safety and job security.

Already, cyber-criminals are disguising key-logging scams, malicious viruses and password theft as urgent warnings or health tips pertaining to COVID-19. (You can report and read on said scams via the Scamwatch website)

This is common practice for scammers: Finding a hot topic of public concern or vulnerability and using it to exploit those in distress for a profit. Even as recently as the Australian Bushfire Crisis, scams were quickly tallied by Scamwatch to be in the hundreds, some with damages in the thousands. (Further reading & advice regarding Australian Bushfire Scams can be found via the ACCC)

Considering COVID-19 is a global crisis and incomparable epidemic, expect to see plenty of scams. Make sure to operate with both caution and a hefty grain of salt. We’re all surrounded by a lot of information at the moment. A lot of it bad news. We’re inundated and the majority of us are feeling overwhelmed. It’s especially important during this time in which we may not be processing things at our usual standards, that we take a step back and reconsider what we’re looking at online.

It’s especially easy at the moment to click the wrong link or open the wrong email by mistake. To avoid falling into a malicious or compromising situation, slow down while you’re checking your emails and try your best to stay mindful while you navigate through your work-day.

In addition to staying aware of the current scams surrounding COVID-19, you can further protect yourself by keeping work devices and home devices separate. We recommend that you both refrain from doing work on personal systems and keep your personal accounts logged off of your work-devices to prevent cross-contamination of potential threats between work and home.

Finally, here’s a quick-guide image to follow for some work-from-home essentials:

For more information on staying safe at home and protecting your corporate data, we’ve developed an awareness program tailor-made to working from home: https://portal.cyberaware.com/remote