One of the many dangerous tools in cybercriminals’ arsenals is OSINT. In this post, we explain what it is, the danger it poses, and how to guard your company against OSINT.

What is OSINT?

OSINT stands for open-source intelligence. That is, the collection and analysis of data obtained from publicly accessible information channels. Such sources can basically be anything: newspapers and magazines, television and radio, data published by official organizations, scientific research, conference reports, etc.

Nowadays, of course, such intelligence is primarily based on information scraped from the internet. Over the past 10–15 years, online public communication platforms have become especially valuable as OSINT-gathering tools: chats, forums, social networks, and messengers.

The range of people using OSINT is quite diverse: journalists, scientists, civil activists, government and business analysts, as well as intelligence officers themselves. In a nutshell, OSINT is an important and effective tool for collecting data. But perhaps the more significant question is how such information gets put to use.

OSINT and information security

OSINT can be used in planning a targeted attack on your company. After all, for a successful operation, cybercriminals need a huge amount of information about the victim organization.

This is especially true in the case of attackers who rely less on hi-tech tools (costly zero-day exploits, sophisticated malware, etc.) and more on social engineering tricks. For this type of threat actor, OSINT is often the number-one tool.

The most valuable source of open data in preparing an attack on an organization is employees’ activity on social networks. First and foremost, this means LinkedIn. There, it’s usually possible to find the full organizational structure of the company, with all names, positions, work histories, social connections, and lots of other extremely useful information about employees.

You don’t have to look far for examples of just how effective OSINT can be. Remember the infamous Twitter (now X) hack a couple of years back that targeted a whole bunch of people and companies, from Musk, Gates, and Apple to Obama and Biden? It began with the hackers finding Twitter employees on LinkedIn who had access to Twitter’s internal account management system, and making contact with them. Then it was a simple matter of applying social engineering and good old phishing to dupe them into revealing the credentials needed to hijack the high-profile accounts.

How to protect your company from OSINT

Open-source intelligence is a predominantly passive method of information gathering, so there’s no simple and universal way to counter it. Fortunately, there are measures you can take on several fronts.

Employee training and awareness

As mentioned above, modern-day OSINT is largely based on social networks, and information gathered through OSINT is most effective for social-engineering attacks. Thus, the human factor comes to the fore here.

Therefore, to counteract OSINT and the potential consequences of it, you need to work closely with your employees. Training is key here to increase awareness of potential threats and ways to protect against them.

The focus should be on two aspects: first, on the dangers of posting sensitive information about your company on social networks. Second, employees should learn to be more wary of calls, emails, and text messages that prod them to take some potentially risky action (and to be able to define “potentially risky action”). It must be clear that even if an email uses real company details, that doesn’t necessarily mean that the sender is a real colleague. The information could have been collected from open sources.

As a rough guide, if a caller, introducing himself as, say, John Smith, tells you that he works in such-and-such a position and asks for a username and password, this is wholly insufficient authentication – even if a John Smith does indeed hold this position in the company.

To raise awareness, you can develop and conduct your own in-house training program, or hire expert consultants. Another option is to use an interactive educational platform. For example, the Kaspersky Automated Security Awareness Platform.

It would also be useful to establish an internal cybersecurity communication channel with employees to convey information about live threats effectively.

Open-source counterintelligence

Over the past decade, the world of cybercrime has become highly compartmentalized. Some actors create malware, others collect data – all of which gets bought on the dark web and used for specific attacks by others.

The fact that information has been collected about your company is a surefire indicator of an impending attack. As such, monitoring activity of this kind will give you advance warning of the threat. For example, if someone puts data about your company up for sale, it’s very likely it’ll be used later to carry out an attack. So, by doing your own counterintelligence, you can take preemptive action: warn employees about what data the attackers have; put security analysts on high alert; and so on.

But such monitoring doesn’t necessarily have to be done in-house: there are ready-made services that you can subscribe to, such as Kaspersky Digital Footprint Intelligence. Note that our service offers far more than just the monitoring of mentions of your company on the dark web. It also tracks attacks on your suppliers and customers, keeps tabs on APT campaigns that may affect your company or industry, provides vulnerability analysis, and much more.

Segmentation, rights management and Zero Trust

The third front is to mitigate the potential damage from attacks that deploy OSINT and social engineering. The primary goal here should be to limit an attacker’s lateral movement across the corporate network in the event of endpoint compromise.

The first requirement here is proper network segmentation: dividing company resources into separate subnets; defining security policies and settings for each of them; and restricting data transfer among them.

Also, pay attention to user access management. In particular, implement the principle of least privilege; that is, define and grant users only the access rights they need to perform their tasks. And review these rights regularly to reflect changes in their roles and responsibilities.
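The regular rights review described above is easy to state and easy to let slip. The following is an added example, not code from the original post or from Kaspersky: it compares each user's actual grants against a role baseline and reports privilege creep, including grants a user kept from a previous role. The role names, entitlement strings and users are constructed for the illustration; a real review would pull both the baseline and the grants from your IAM system.

```python
from dataclasses import dataclass, field

# Constructed role baseline for the example: the entitlements each job role
# is supposed to carry, and nothing more. Adapt to your own IAM inventory.
ROLE_BASELINE = {
    "accountant": {"erp:read", "erp:post-invoice", "vpn"},
    "sales":      {"crm:read", "crm:write", "vpn"},
    "helpdesk":   {"ad:reset-password", "ticketing:admin", "vpn"},
}


@dataclass
class User:
    name: str
    role: str                 # current role
    grants: set               # entitlements actually granted today
    previous_roles: list = field(default_factory=list)


@dataclass
class Finding:
    user: str
    excess: set       # grants the current role does not justify
    missing: set      # baseline entitlements the user lacks (a provisioning gap, not a risk)
    inherited: dict   # excess grant -> previous role that explains it (privilege creep)

    def is_clean(self):
        return not self.excess and not self.missing


def review_user(user, baseline=ROLE_BASELINE):
    """Compare one user's grants with the baseline for their current role."""
    expected = baseline.get(user.role, set())   # unknown role: nothing is justified
    excess = user.grants - expected
    missing = expected - user.grants
    inherited = {}
    for grant in excess:
        for old_role in user.previous_roles:
            if grant in baseline.get(old_role, set()):
                inherited[grant] = old_role
                break
    return Finding(user.name, excess, missing, inherited)


def review(users, baseline=ROLE_BASELINE):
    """Return findings only for users whose grants drift from the baseline."""
    return [f for f in (review_user(u, baseline) for u in users) if not f.is_clean()]


# Constructed sample population: alice moved from sales to accounting and kept
# a CRM right; bob holds an admin right no helpdesk role explains; carol is clean.
SAMPLE_USERS = [
    User("alice", "accountant", {"erp:read", "erp:post-invoice", "vpn", "crm:write"},
         previous_roles=["sales"]),
    User("bob", "helpdesk", {"ad:reset-password", "vpn", "ad:domain-admin"}),
    User("carol", "sales", {"crm:read", "crm:write", "vpn"}),
]

if __name__ == "__main__":
    for f in review(SAMPLE_USERS):
        for grant in sorted(f.excess):
            why = (f"leftover from role '{f.inherited[grant]}'" if grant in f.inherited
                   else "no role justifies it")
            print(f"{f.user}: revoke {grant} ({why})")
        for grant in sorted(f.missing):
            print(f"{f.user}: baseline entitlement {grant} not granted")
```

The `inherited` map is the useful part: an excess grant that a previous role explains is the classic result of a role change without a rights review, while an excess grant that nothing explains deserves a closer look.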

The ideal option would be to adopt the Zero Trust concept, which assumes there’s no secure perimeter, and so, by definition, no device or user is trusted, both inside and outside the corporate network.

Wrap-up

Open-source intelligence can be a powerful tool in criminals’ arsenals. Therefore, you need to be aware of the dangers and take steps to mitigate potential damage. Here’s a summary of my thoughts on how to protect your company from OSINT:

  • Be sure to train employees in the basics of information security. To do this, you can use our interactive Kaspersky Automated Security Awareness Platform.
  • Establish an internal communications channel to inform employees about information security.
  • Try to monitor the collection and sale of your company’s data on the dark web. Our Kaspersky Digital Footprint Intelligence can help with that.
  • Take measures in advance to minimize potential damage: manage user rights with maximum possible granularity; use network segmentation. And, ideally, embrace Zero Trust.



In this blog we usually discuss software solutions for information security. But one of the important aspects of cybersecurity is various measures aimed at preventing physical access to data and devices that contain it. Here, of course, there is no doing without hardware. So, here I overview several categories of gadgets for data protection at the physical level.

Port locks for connectors

Connectors pose a major physical security problem. Anyone passing by could plug in something interesting. A hardware keylogger, a malware-infected flash drive, or even their own computer. And it’s hard to prevent, since connectors are literally everywhere.

Hard, but not impossible: there are special locks that help to protect almost any connector in your hardware zoo: USB (of any type, including USB-C), 8P8C (RJ-45 on the vendor’s site, but we know better) and 6P6C (popularly known as RJ-11), SFP and QSFP, DB-9 and DB-25 serial ports, memory card slots, display connectors, and so on.

Besides security plugs for empty ports, there are locks for connectors that are constantly in use. They protect against the physical disconnection of something from a computer or, say, a router (for theft, or for replacement with a malicious device).

In a nutshell, if you’ve long wanted total control over all your connectors, but had no idea how to approach it, now you know.

Among similar gadgets, we could mention devices for protecting USB flash drives that allow you to lock the USB connector and literally chain the drive to something. Such devices will not, of course, help against the determined thief, but will deter the opportunist passerby from removing your flash drive with one deft hand movement.

Kensington lock

Not everyone has heard of the Kensington Security Slot, aka Kensington lock — an anti-theft system for computer equipment. It can often be found on laptops, docking stations, desktops, and monitors.

Kensington Security Slot on a laptop: an inconspicuous hole on the side of a laptop used to attach a Kensington lock

Again, we can’t say that the Kensington lock provides 100% protection against theft — special tools can defeat it. However, it makes stealing equipment a bit harder for the untrained criminal. It’s also particularly effective against casual thieves who cannot resist the temptation to steal expensive devices that happen to be left unattended.

Kensington lock in action: a laptop secured with a Kensington lock

By the way, although the Kensington Security Slot can’t be found on Apple devices anymore, there are special gadgets for MacBooks and iMacs that add this capability.

Anti-spy screen protectors

If you’re worried about people peering over your (or your employee’s) shoulder, there’s good news: you can protect against this, too. This is what special polarizing screens are for. These protective filters reduce the viewing angle to such an extent that only someone sitting directly in front of the screen can see the display.

There are polarizing screens not just for laptops, but for smartphones and tablets as well.

Faraday cages of every creed

In today’s world, there is no escape from wireless technologies and related threats, like completely contactless data interception, relay attacks, radio tracking, or even electromagnetic pulses that can destroy information. However, there are so-called Faraday cages that can block electromagnetic radiation and thus defend against such threats.

“Cage” is a slight misnomer: in reality, it can be a “Faraday envelope”, “Faraday wallet”, “Faraday bag” or whatever, depending on what you want to protect: a portable hard drive from external exposure, a contactless card from relay attacks, a phone from cell-tower triangulation, and so on.

Among the various products you can buy are “Faraday fabrics”. These you can use to build your own shielded container of any size and shape.

Faraday fabric for blocking radio signals: such fabrics are designed to block electromagnetic radiation

Anti-peeping covers for webcams

The problem of malware and websites spying on users through the webcam pops up all too regularly. Sure, there are software-based fixes for the issue, but for maximum peace of mind, the best way is to physically cover the camera lens. A few years ago, Mark Zuckerberg’s MacBook drew attention to itself for having tape over not only the webcam but also the microphone.

Instead of duct tape, you can apply a more elegant solution: a special shutter to cover the webcam. This offers reliable anti-peeping protection with one hand motion. And if the camera is needed, the same hand motion will make it available for use. Any online marketplace will sell such covers for a pittance.

Webcam shutter: solve the peeping problem with a webcam cover

Bluetooth tags for locking Windows

Many people aren’t in the habit of locking their computer when they step away from it. But it’s one that all employees should develop, of course. To get the ball rolling, it’s worth telling them about several ways to lock a computer quickly and painlessly. And to be on the safe side, ask them to use the dynamic computer locking feature, which appeared last year in Windows 10 and 11.

This feature is aptly named “Dynamic Lock”. It uses Bluetooth to lock the computer automatically if the device paired with it moves away. Microsoft’s intention was for this device to be a smartphone. But there is a drawback: some people don’t always take their phones when they leave their workplaces.

Setting up Dynamic Lock in Windows 10 (the feature appeared in Windows 10 and 11 last year)

So, instead of a smartphone, a special tag that can be attached to, say, a keychain would be more suitable in some cases. Often such tags double up as a two-factor authentication device, increasing security on two fronts at once. Here are a couple of examples of such devices.

Build employee security awareness

It goes without saying that any security measures and solutions depend directly on the human factor. It is imperative that company employees understand the information security implications of their actions, and know where to expect threats from and, ideally, how to respond to incidents.

That means raising awareness of potential threats and ways to counter them. Our Automated Security Awareness Platform is the perfect tool for building cybersecurity awareness.



For decades, we were told tales of all-seeing, all-knowing hackers who use sophisticated social-engineering techniques — that is, manipulating people into handing over secret information, or into performing other actions that are reckless from an information security perspective, without threats of violence or other mistreatment.

The problem is, such tales can cloud one’s grasp on reality. Knowing so many stories about this technological voodoo, people should, you might think, be aware of such tricks. Sadly, this isn’t the case at all. Here are three high-profile cases of recent years showing that social engineering is still a potential threat, perhaps more so than ever.

Even a schoolboy can hack the director of the CIA

Let’s start with a story that could easily be taken for a Hollywood movie with the title, say, Hackers versus Spies; however, it would be less of an action thriller and more a satirical comedy.

In October 2015, a hacker group calling itself Crackas With Attitude used social engineering to gain access to the personal AOL account of CIA Director John Brennan. The hack was followed by a phone interview with the New York Post, in which one member of the group described himself as an American high-school student.

Although the CIA chief’s email was private, it revealed many interesting things related to his work: in particular, the social security numbers and other personal information of more than a dozen high-ranking US intelligence officers, as well as a 47-page application for top-secret security clearance filed by Brennan himself.

In November of that very same year, the story continued: this time hackers targeted the personal AOL accounts of another high-ranking official, FBI Deputy Director Mark Giuliano and his wife. On this occasion, the hackers’ haul, which they later made public, included the names, email addresses and phone numbers of 3500 US law enforcement agencies’ employees.

Just a couple months later, in January 2016, these same hackers got hold of a string of personal accounts belonging to Director of National Intelligence James Clapper. Finally, in February 2016, they publicly released the data of 9000 employees of the US Department of Homeland Security, plus 20,000 employees of the FBI, which the criminals claimed they’d obtained by hacking into the US Department of Justice.

That same month, one of the hackers was apprehended. He was indeed a high-school kid (though British, not American), named Kane Gamble. The young hacker, aka Cracka, who was only fifteen when he committed his crimes, was named as the leader of the group and sentenced in the UK to two years in prison (of which he served eight months), with an internet ban for the same term (which he observed in full). A few months later, two other members of Crackas With Attitude were detained in the U.S. This time they were adults: Andrew Otto Boggs, 23, got two years in a U.S. jail, and Justin Gray Liverman, 25, got five.

During the trial, it transpired that for more than six months — from June 2015 to February 2016 — the young Gamble successfully posed as the director of the CIA and, in his name, tricked call center and hotline employees into handing over passwords. Using them, the group managed to gain access to highly sensitive documents relating to intelligence operations in Afghanistan and Iran. Who knows whether the hackers would have been caught at all had they not decided to make a public mockery of the CIA chief, the FBI deputy chief, and the director of U.S. National Intelligence?

Hacking the Twitter accounts of Biden, Musk, Obama, Gates and others

The following incident took place on July 15, 2020, when a bunch of Twitter accounts began to spread a similar message: “All bitcoins sent to the address below will be sent back doubled! If you send $1000, I will send back $2000. Only doing this for 30 minutes.” It looked like a typical Bitcoin scam that wouldn’t warrant a mention were it not for one nuance: all these accounts really did belong to famous people and major companies.

At first, the scam messages started appearing in Twitter accounts directly related to cryptocurrencies: the giveaway was “announced” by Binance founder Changpeng Zhao, and several other cryptoexchanges, including Coinbase, and the crypto news site CoinDesk. But it didn’t stop there, as, one after another, more and more accounts belonging to famous entrepreneurs, celebrities, politicians and companies began to join the jamboree: Apple, Uber, Barack Obama, Elon Musk, Kim Kardashian, Bill Gates, Joe Biden (who wasn’t yet president), Jeff Bezos, Kanye West; and the list went on.

Tweet from the hacked account of Elon Musk

In the few hours that saw Twitter trying to get to the root of the problem, the hackers managed to collect more than US$100,000 — a tidy sum, but nothing compared to the reputational blow suffered by the company. It soon became clear that the hackers had penetrated Twitter’s internal account management system. Initially it was assumed they did this with insider help.

However, that turned out not to be the case. The hackers were quickly found and arrested, and again the group leader was a school kid — this time an American, the then 17-year-old Graham Ivan Clark. He was sentenced to three years in jail and another three on probation. More importantly, however, the investigation established that the attack was carried out with no insider help. Instead, the hackers used a mix of social engineering and phishing to dupe Twitter employees into giving them system access.

First, they studied LinkedIn profiles to identify employees likely to have access to the account management system. Next, using LinkedIn’s Recruiter feature, they collected their contact information, including cell phone numbers. The hackers then called these employees, pretending to be colleagues, and using the data persuaded them to visit a phishing site imitating Twitter’s internal login page. This way, the attackers obtained passwords and two-factor authentication codes allowing them to log into the Twitter account management system and take possession of dozens of accounts with millions of followers.

Again, who knows if they’d have been caught had they not targeted half of the world’s Top-10 rich list, plus other famous personalities and, most significantly, the Twitter accounts of a former and future U.S. president.

Sky Mavis and the half-billion-dollar heist

This is a story that took place in 2022. The starring yet unwanted role went to Sky Mavis, creator of the NFT game Axie Infinity. Let’s not delve into the game specifics — suffice it to say that players earn cryptocurrency in it. At one point, some residents of Southeast Asia worked there as if it were a proper job. At its peak, the game had a daily audience of up to 2.7 million people and weekly revenue of up to US$215 million.

However, in March 2022, even before the crypto crash, Sky Mavis found itself in serious trouble. During an attack on the Ronin Network, which underpins all cryptocurrency activity in Axie Infinity, hackers made off with 173,600 ETH and 25.5 million USDC from the company’s accounts, worth around US$540 million at the time of the attack.

The details of the heist emerged a few months later, in July. Through a fake company, the attackers had contacted Sky Mavis employees on LinkedIn and invited them to job interviews. Eventually they got to a senior engineer who, after several rounds of interviews, was made an extremely tempting job offer. The fake offer was sent in an infected PDF through which the hackers managed to gain access to the company’s internal network.

After that, armed with access to the corporate network, the hackers were able to get hold of the private keys for confirming transactions and then withdraw cryptocurrency. They laundered the stolen funds through a complex scheme involving two cryptomixers and around 12,000 intermediate cryptowallets, followed by conversion to bitcoin and a subsequent cashout.

Analysts who helped the U.S. investigators linked the attack to the North Korean group Lazarus. Only about 10% of the face value of the stolen coins could be recovered. Or about 5% if you count in dollars: in the six months after the robbery to the close of the investigation, the crypto market collapsed, causing the Ethereum exchange rate to nosedive.

How to guard against social engineering

Sure, no one wants to be on the receiving end of such an attack. But the fact is that total protection against social engineering is near-impossible — because it targets people. For effective defense against social-engineering techniques, your company should focus on employee training. Our Kaspersky Automated Security Awareness Platform is perfect for this purpose. Through a combination of exercises and simulations, the solution raises staff awareness of a wide range of attack methods and ways to defeat them.



In this post, we cover several social engineering tricks that cybercriminals commonly use to attack companies. Namely: several scam variants involving fake tech-support calls and emails; business email compromise attacks; data requests from fake law enforcement agencies…

Hello, I’m from tech support

A classic social engineering scheme is a call to a company employee from “tech support”. For example, the hacker may call on a weekend and say something like this: “Hello, this is your company’s technical support service. We’ve detected strange activity on your work computer. You need to come to the office immediately so we can figure out what it is.” Of course, not many people want to go to the office on a weekend, so the tech support person “reluctantly” agrees, “just this once”, to break company protocol and resolve the problem remotely. But to do this, they need the employee’s login credentials. You can guess the rest.

There’s a variation on this scheme that became widespread during the mass migration to remote work during the pandemic. The fake tech support “notices” suspicious activity on the laptop the victim uses for working from home, and suggests solving the problem over a remote connection, via a RAT. Again, the outcome is fairly predictable.

Confirm, confirm, confirm…

Let’s continue with the topic of fake tech support. An interesting technique was seen during the attack on Uber in the fall of 2022, when an 18-year-old hacker managed to compromise a number of the company’s systems. The attack began with the criminal obtaining the personal login information of an Uber contractor from the dark web. However, to gain access to the company’s internal systems, there was still the small matter of getting past multi-factor authentication…

And this is where social engineering comes in. Through repeated login attempts, the hacker spammed the hapless contractor with authentication requests, then sent the contractor a message on WhatsApp under the guise of tech support with a proposed solution to the problem: to stop the flood of spam, just confirm. Thus, the final obstacle to Uber’s network was removed.
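The pattern in the Uber story, a flood of push prompts followed by one approval, is detectable on the defender’s side from the MFA provider’s logs. The following is an added example, not code from the original post or from Kaspersky: it runs a sliding window over constructed push-notification log lines and raises a medium alert when a user receives a burst of unanswered prompts, and a high alert when an approval follows such a burst. The log format, user names and addresses are constructed; a real export will need its own line pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for the example; adapt LINE_RE to your MFA
# provider's export. Only mfa_push events are considered.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"event=mfa_push result=(?P<result>\w+)"
)

# Constructed sample: alice approves two ordinary prompts; contractor1 receives
# six prompts in four minutes, ignores or denies them all, then approves one.
SAMPLE_LOG = """\
2022-09-15T22:00:10Z user=alice event=mfa_push result=approved ip=203.0.113.7
2022-09-15T22:00:30Z user=contractor1 event=mfa_push result=denied ip=198.51.100.23
2022-09-15T22:01:05Z user=contractor1 event=mfa_push result=timeout ip=198.51.100.23
2022-09-15T22:01:40Z user=contractor1 event=mfa_push result=denied ip=198.51.100.23
2022-09-15T22:02:15Z user=contractor1 event=mfa_push result=timeout ip=198.51.100.23
2022-09-15T22:03:00Z user=contractor1 event=mfa_push result=denied ip=198.51.100.23
2022-09-15T22:03:45Z user=contractor1 event=mfa_push result=timeout ip=198.51.100.23
2022-09-15T22:05:00Z user=alice event=login result=success ip=203.0.113.7
2022-09-15T22:09:30Z user=contractor1 event=mfa_push result=approved ip=198.51.100.23
2022-09-15T22:15:00Z user=alice event=mfa_push result=approved ip=203.0.113.7
"""


def parse_events(lines):
    """Return (timestamp, user, result) for mfa_push lines, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_fatigue(lines, window=timedelta(minutes=10), threshold=5):
    """Alert on a burst of unanswered pushes, and on an approval that follows one."""
    recent = defaultdict(deque)   # user -> (timestamp, result) pairs inside the window
    alerts = []
    for ts, user, result in parse_events(lines):
        q = recent[user]
        while q and ts - q[0][0] > window:   # drop prompts older than the window
            q.popleft()
        unanswered = sum(1 for _, r in q if r != "approved")
        if result == "approved" and unanswered >= threshold:
            alerts.append({"user": user, "time": ts, "severity": "high",
                           "unanswered": unanswered,
                           "reason": "approval after a burst of unanswered pushes"})
        elif result != "approved" and unanswered + 1 == threshold:
            # fires once, when the burst first reaches the threshold
            alerts.append({"user": user, "time": ts, "severity": "medium",
                           "unanswered": unanswered + 1,
                           "reason": "burst of unanswered pushes"})
        q.append((ts, result))
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{a['time']:%H:%M:%S} {a['severity']:6} {a['user']}: "
              f"{a['reason']} ({a['unanswered']})")
```

The high-severity case is the one worth an immediate response: an approval after a burst is exactly the moment the Uber contractor said yes, and the session that results from it should be treated as suspect until the user is contacted out of band. The window and threshold are starting points; tune them against your own baseline of ordinary prompt counts.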

This is the CEO here. I need a money transfer this minute!

Let’s get back to the classics again: next in line is a type of attack called business email compromise (BEC). The idea behind it is to start correspondence with a company employee, usually posing as a manager or an important business partner. Usually, the goal of the correspondence is for the victim to transfer money to an account designated by the scammer. Meanwhile, attack scenarios can vary: if the criminals are more interested in infiltrating the company’s internal network, they might send the victim a malicious attachment that absolutely must be opened.

One way or another, all BEC attacks revolve around email compromise; but that’s the technical aspect. A far bigger role is played by the social engineering element. While most scam emails targeting ordinary users are simply laughable, BEC operations involve people with experience in large corporations who can write a plausible business email and persuade the recipient to do what the criminals want.

Where did we leave off?

Worth noting separately is a BEC attack technique that has become popular among cybercriminals in recent years. Known as conversation hijacking, this scheme lets attackers insert themselves into existing business correspondence by impersonating one of the participants. Generally, neither account hacks nor technical tricks are used to disguise the sender; all the attackers need is to get hold of a real email and create a lookalike domain. This way they automatically gain the trust of all the other participants, allowing them to gently steer the conversation in the desired direction. To carry out this type of attack, cybercriminals often buy databases of stolen or leaked email correspondence on the dark web.

Attack scenarios can vary. The use of phishing or malware isn’t ruled out. But according to the classic scheme, hackers usually try to hijack conversations directly related to money, preferably large sums, slip in their bank details at the right moment, and then take the loot off to a tropical island.

An example of conversation hijacking is what happened during the transfer of footballer Leandro Paredes. The cybercriminals snuck into the email exchange under the guise of a representative of Paredes’ debut club, Boca Juniors, which was entitled to a fraction of the transfer fee: €520,000, which the fraudsters pocketed for themselves.
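Both the BEC pattern (an executive’s name on an outside address, or replies silently routed elsewhere) and the conversation-hijacking pattern (a lookalike domain joining an existing thread) leave traces in message headers that a mail gateway or a triage script can check. The following is an added example, not code from the original post or from Kaspersky, serving both passages above: it parses a handful of constructed messages with the standard library and tags the suspicious ones. The domains, executive name and messages are all constructed; the lookalike detection combines a small homoglyph table with edit distance, so it also catches typo-squats the text does not mention.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values for the example: your own domain, partner domains you
# actually correspond with, and executives whose names are worth impersonating.
OUR_DOMAIN = "example.com"
TRUSTED_DOMAINS = {"example.com", "partner-example.net"}
EXEC_NAMES = {"jane doe"}

# Character swaps that make a registered lookalike read as the real domain;
# both sides are normalized before comparing.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain):
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(_CONFUSABLES)


def levenshtein(a, b):
    """Edit distance, to catch typo-squats the homoglyph table does not cover."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if normalize(domain) == normalize(t) or levenshtein(domain, t) <= 2:
            return t
    return None


def check_message(raw, trusted=TRUSTED_DOMAINS, our_domain=OUR_DOMAIN, execs=EXEC_NAMES):
    """Return finding tags for one RFC 822 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []
    target = lookalike_of(from_dom, trusted)
    if target:
        findings.append(f"lookalike-domain:{from_dom}~{target}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"reply-to-mismatch:{domain_of(reply)}")
    if name.strip().lower() in execs and from_dom != our_domain:
        findings.append("exec-name-external-address")
    if msg.get("In-Reply-To") and from_dom not in trusted:   # joins a thread from outside
        findings.append("thread-reply-from-untrusted-domain")
    return findings


# Constructed messages: a hijacked thread from a domain where "rn" stands in
# for "m", a CEO-fraud mail, a reply-to swap, and a clean partner reply.
HIJACKED_THREAD = """From: Accounts Payable <ap@partner-exarnple.net>
In-Reply-To: <invoice-4471@example.com>
Subject: Re: Invoice 4471 - updated bank details

Please use the new account below for the final instalment.
"""
CEO_FRAUD = """From: Jane Doe <jane.doe@webmail-example.org>
Subject: Urgent transfer

I need this paid in the next ten minutes, I am in a meeting.
"""
REPLY_TO_SWAP = """From: IT Support <it@example.com>
Reply-To: helpdesk@example-support.biz
Subject: Password expiry

Reply with your current password so we can extend it.
"""
LEGIT_REPLY = """From: Bob <bob@partner-example.net>
In-Reply-To: <invoice-4471@example.com>
Subject: Re: Invoice 4471

Thanks, received.
"""

if __name__ == "__main__":
    for label, raw in [("hijacked", HIJACKED_THREAD), ("ceo-fraud", CEO_FRAUD),
                       ("reply-to", REPLY_TO_SWAP), ("legit", LEGIT_REPLY)]:
        print(label, check_message(raw) or "clean")
```

None of these tags proves fraud on its own; a lookalike domain joining a thread about a payment is the combination that should stop a transfer until the counterparty is confirmed through a channel not taken from the email itself.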

Hand over your data, this is the police

A recent trend, which apparently emerged in 2022, is for hackers to make “official” data requests when gathering information to prepare attacks on users of online services. Such requests have been received by US-based ISPs, social networks and tech companies from hacked email accounts belonging to law enforcement agencies.

A little context will be useful here. Under normal circumstances, obtaining data from a service provider in the United States requires a warrant signed by a judge. However, in situations where human life or health is at risk, an Emergency Data Request (EDR) can be issued.

However, while in the case of a normal data request there is a simple and easy-to-understand verification procedure, there is currently no such thing for EDRs. Therefore, it’s far more likely that such a request will be granted if it looks plausible and appears to come from a law enforcement agency. In this way, hackers can obtain information about victims from a trusted source and use it for further attacks.

How to guard against social engineering attacks

The target of all the above attack methods is not a soulless piece of hardware, but a human being. So, to strengthen a company’s defenses against social engineering attacks, the focus should be on people. This means teaching employees the basics of cybersecurity to raise their security awareness, and explaining how to counter various types of attacks. The best way to do this is through our interactive training solution, Kaspersky Automated Security Awareness Platform.



Upami anjeun naroskeun ka ahli infosec naon anu nyababkeun kalolobaan kajadian, jawabanna ampir pasti faktor manusa. Seuseueurna serangan ka perusahaan suksés kusabab teu merhatikeun, kabodoan, sareng kalakuan salah karyawan. Dina waktos anu sami, faktor manusa mangrupikeun ancaman anu paling hese pikeun dileungitkeun, sabab anjeun henteu ngurus sistem inpormasi anu patuh, tapi jalma hirup anu hirup.

Tip kami sering kalebet komunikasi sababaraha inpormasi ka karyawan. Tapi ieu téh gampang ngomong ti rengse. Janten ayeuna, urang badé ngobrol ngeunaan kumaha carana ngajantenkeun karyawan langkung serius ngeunaan kaamanan siber sareng nuturkeun naséhat para ahli kaamanan.

Naha karyawan malire cybersecurity

Masalahna nyaéta yén cybersecurity sanés masalah prioritas pikeun kalolobaan staf perusahaan. Aranjeunna gaduh padamelan sorangan, sareng panginten henteu gaduh waktos pikeun anu aranjeunna tingali salaku sekundér. Ku alatan éta, penting pikeun sadar sareng nampi dua kanyataan.

Kahiji: pikeun pagawé biasa, kaamanan inpormasi mangrupikeun masalah sekundér. Janten tong nyangka email ngeunaan bahaya ngagunakeun deui kecap akses pikeun nyababkeun longsoran parobihan kecap akses, atanapi mémo ngeunaan ngaunduh lampiran anu diragukeun pikeun ngeureunkeun praktékna maot dina jalurna.

Kadua: sadar yén pagawé anu kaamanan siber henteu aya di payuneun pikiranna sigana henteu (atanapi sigana moal) ngartos naon anu anjeun nyarioskeun. Pikeun ahli kaamanan, frasa sapertos “serangan anu dituju nganggo phishing tumbak” henteu ngandung inpormasi anu rumit. Tapi keur pagawe kasual di jualan, rekening, atawa logistik, Anjeun meureun ogé nyarita Klingon.

Dua fakta ieu babarengan mindeng ngabalukarkeun ahli infosec kana kacindekan yén tugas téh unsolvable, ngarah nyerah sarta ngawatesan diri kana ukuran kaamanan nu patali ngan hardware jeung software. Tapi ieu téh tangtu teu ngan salah tapi bahaya. Patarosan timbul: kumaha ngahubungan karyawan?

Cybersecurity + komunikasi = ❤️

The good news is that your company probably already has all the ingredients for good communication about information security. You presumably have security experts who understand the threats and how to stop them. And you probably have communication experts, usually found in HR or, better still, in the internal communications department (if you have one).

Be prepared for it not to be easy at first: such experts are likely to have no experience in cybersecurity, and probably won't be keen to dive into the details. But don't give up: you need to find among them the candidate best suited to evangelism.

Ideally, this should be a tech-savvy person. If there is none in-house, try hiring a new employee who knows internal communications and has a technical background. Such people are rare, but you might get lucky.

Once you find one, start upgrading their cybersecurity skills: teach them to see the world through the prism of information security. Our interactive Kaspersky Automated Security Awareness Platform is just what you need, and it even offers a free trial course.

An essential ingredient of any business is trust. IT people in general, and infosec professionals in particular, are notorious control freaks. So here they need to tame that instinct and let the communications specialists do their job, which is to communicate with employees.

Where to start

The internal communications department (or, failing that, HR) usually has a good idea of which employees do what and how. So if you explain the threats broadly, in a way your colleagues can understand, they should be able to develop a suitable communication strategy, that is, determine what risks specific departments face and what needs to be explained to employees in specific fields as a priority.

A useful thing you can do with your new allies is create an easy-to-read information security guide for new employees.

Don't expect instant success. Overcoming the phase of mutual misunderstanding will be a challenge. I strongly recommend listening to this informative talk by former head of NYPD Cyber Intelligence and Investigations Nick Selby on raising cybersecurity awareness among NYPD officers (spoiler: it wasn't easy). I'll share a few tips on how to manage the process:

  • Keep it simple. The essence of the NYPD campaign was simplicity and specificity, which helped a great deal.
  • Empower people. It is important to communicate openly about security issues within the team, and for employees to understand what action to take in a specific case. That way the proverbial salesperson, or any other ordinary employee, knows where to go with a suspicious email, thereby preventing a corporate hack.
  • Show results. It's a good idea to show how cooperation can lead to positive outcomes. For example, from time to time you can email an internal memo about an attack that was prevented, and reward the employees who helped in the matter.

Once again, an interactive training series can be a good starting point for instilling the importance of cybersecurity in employees, giving them advice and recommendations, and raising awareness of security requirements and restrictions.

As mentioned above, our Kaspersky Automated Security Awareness Platform is the perfect solution. Your new corporate communications partner can become the administrator of this training, and use it to raise awareness of threats and protection practices throughout the company.



Disclaimer. This is an April Fool's blog post. The "cybersecurity training" methods described in it are not entirely ethical, and are not considered universally acceptable. We recommend that you think twice before using them in real life, and ideally obtain the team's consent for such actions in advance.

When it comes to information security, the weakest link is, and always has been, people. That is why our blog posts so often recommend that companies provide cybersecurity training for employees. Unfortunately, not all companies can find the funds needed for this. Another problem is that not all employees take such lessons seriously, so the knowledge gained is often only theoretical.

The good news is that this problem can be solved without spending a lot of money. Below are some entertaining and effective ways to show your colleagues the importance of information security.

Passwords on sticky notes and printouts

One of the most dangerous habits that, unfortunately, many office workers are still guilty of is writing passwords on a piece of paper and leaving it in plain sight. Even thousands of memes over the years about passwords stuck to monitors have failed to stamp out this practice.

The threat here is obvious: anyone who visits the office can take out their phone and quietly photograph all the sticky notes and account credentials of interest. Sometimes notes with passwords are published unintentionally. For example, it's not uncommon for passwords to leak during a workplace interview or through some office photo posted on social networks.

Workplace interview with an exposed background

Prince William giving an interview with login credentials for the Royal Air Force's Military Flight Information Publications (MilFLIP) system pinned to the wall behind him.

To deter sticky-note lovers from relying on their password scribbles, you will need: a pen, some sticky notes, and someone who is good at imitating other people's handwriting; for printouts with passwords, nothing is needed other than the printer itself. Armed with these simple tools, try replacing such a sticky note at the employee's workstation with one bearing a similar but wrong password. Then watch from a safe distance as the poor soul tries to log in to their account. And try not to laugh too hard.

Ideally, you should leave the original sticky note somewhere the test subject will stumble upon it after a while; otherwise they may think it was just a system glitch or something like that (a lot depends on how tech-savvy the person is, generally speaking). And be sure to point the sinner to a good password manager for storing credentials the right way.

Unlocked computers

Also dangerous is the habit of leaving the computer unlocked while away from the desk. This, too, is unfortunately not uncommon. Sadly, it is very difficult to manage this problem at the company level.

Unlike passwords on sticky notes, the risk here is not accidental leakage of sensitive information; but if a hostile visitor comes to the office, the threat can be just as serious, if not more so: it doesn't take long to infect an unlocked computer with malware. And after that, the attacker's options are varied: from industrial espionage to a small but nasty ransomware infection.

Dealing with employees who don't lock their computers is easy, and quite entertaining too; all you need is ingenuity and nimble hands. The general strategy here is very simple: wait for your colleague to leave their workstation, then do something "interesting" on their unlocked computer.

There are several proven tactics. The most effective is writing a chat message or email on their behalf. For example, you can offer to buy drinks after work for everyone in the department. Or write a passionate love letter. Your choice. Let your creative impulses flow freely: the wilder, the better (without going overboard, of course).

The second option is quick and easy: on the unlocked computer, find an amusing picture online and set it as the desktop wallpaper. The advantage here is that the victim can't miss the point: the demonstration will be literally right in front of them. True, the therapeutic effect may be lower because the action is less public. If you have enough time, these tactics can even be combined, and they complement each other nicely.

To spare employees such embarrassment and protect the company's security in the future, recommend setting up automatic locking after a period of inactivity. And also explain which key combination locks the computer instantly with one hand movement: on Windows it's [Win] + [L], and on macOS it's [Cmd] + [Ctrl] + [Q] (this information can be stuck to the screen :).
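As an added example (not from the original post), here is a PowerShell function that audits whether a Windows machine actually enforces the inactivity lock recommended above and, with `-Enforce`, sets it for the current user; the 600-second limit is an assumed policy value, and the registry locations are the standard screen-saver and machine-inactivity settings.

```powershell
# Added example: audit and enforce "lock after inactivity" on Windows.
# Reads the per-user screen-saver settings (HKCU\Control Panel\Desktop) and the
# machine-wide "Interactive logon: Machine inactivity limit" policy (HKLM, read-only here).
function Test-IdleLock {
    [CmdletBinding()]
    param(
        [int]$MaxTimeoutSeconds = 600,   # assumed policy: must lock within 10 minutes
        [switch]$Enforce                 # remediate the per-user settings if non-compliant
    )
    $userKey    = 'HKCU:\Control Panel\Desktop'
    $machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $desktop = Get-ItemProperty -Path $userKey    -ErrorAction SilentlyContinue
    $policy  = Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue

    # Screen-saver values are REG_SZ strings; a missing value counts as "off".
    $active  = $desktop.ScreenSaveActive    -eq '1'
    $secure  = $desktop.ScreenSaverIsSecure -eq '1'     # password required on resume
    $hasSaver = [bool]$desktop.'SCRNSAVE.EXE'           # no saver selected = no lock
    $timeout = 0
    if ($desktop.ScreenSaveTimeOut) { $timeout = [int]$desktop.ScreenSaveTimeOut }
    $machineLimit = 0
    if ($policy.InactivityTimeoutSecs) { $machineLimit = [int]$policy.InactivityTimeoutSecs }

    # Compliant if either the per-user secure screen saver or the machine-wide
    # inactivity limit locks the session within the allowed time.
    $userOk    = $active -and $secure -and $hasSaver -and $timeout -gt 0 -and $timeout -le $MaxTimeoutSeconds
    $machineOk = $machineLimit -gt 0 -and $machineLimit -le $MaxTimeoutSeconds
    $compliant = $userOk -or $machineOk

    if (-not $compliant -and $Enforce) {
        # Per-user fix: blank screen saver, password on resume, timeout within the limit.
        Set-ItemProperty -Path $userKey -Name 'SCRNSAVE.EXE'       -Value 'scrnsave.scr' -Type String
        Set-ItemProperty -Path $userKey -Name ScreenSaveActive     -Value '1' -Type String
        Set-ItemProperty -Path $userKey -Name ScreenSaverIsSecure  -Value '1' -Type String
        Set-ItemProperty -Path $userKey -Name ScreenSaveTimeOut    -Value "$MaxTimeoutSeconds" -Type String
        $compliant = $true
    }

    [pscustomobject]@{
        ScreenSaverActive     = $active
        PasswordOnResume      = $secure
        ScreenSaverTimeoutSec = $timeout
        MachineInactivitySec  = $machineLimit
        Compliant             = $compliant
    }
}

Test-IdleLock            # audit only
Test-IdleLock -Enforce   # audit, then remediate the current user's settings
```

The per-user values take effect at the next logon or when the desktop settings are refreshed; the machine-wide limit is only read here because changing it requires administrative rights and is better deployed through Group Policy.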

Unattended smartphones

An unlocked, unattended smartphone also poses a cybersecurity risk. Of course, the likelihood of an attacker using it to spread ransomware across the corporate network is very low. But a hostile visitor can still get hold of some useful contact details with the intent of using them for social engineering, or install spyware on the device. In other words, there can be some very "interesting" scenarios for both the company and the smartphone's owner personally.

In general, the training methods from the previous case apply here: you can write an interesting chat message or email, or download a "nice" picture and set it as the wallpaper. But there is an extra tactic for maximum effect in minimum time: take an unexpected shot on the unattended phone. For example, a photo of yourself or your colleagues together in an amusing pose (with the latter's consent, of course).

Then, as before, instruct the employee to set automatic locking after a period of inactivity. Since there's no longer any need to enter a long password to unlock a mobile phone (just show your face or finger), this time should be very short: say, 30-60 seconds.

Abandoned passes

Another bad habit is leaving your pass unattended. For our hostile visitor, a valid pass is a real find: one that can be used to break into the company's office and gain physical access to computers or company documents.

To wean careless colleagues off this dangerous habit, you will need:

  • An office printer/scanner/copier
  • A plastic card the same size as the errant pass
  • Scissors
  • Glue
  • A little persistence

Take the unattended pass, photocopy it, cut it out carefully, glue it onto your plastic imitation pass, then slip your artwork into the holder instead of the original pass. Put the real pass somewhere the "victim" will find it later.

If possible, try to be at the security gate when the victim tries to leave the office, and see how they explain to the guard (if there is one, of course) who they are and why they're using a fake pass.

However, note that this is a rather harsh form of training that can lead to conflict between you and other employees. We therefore recommend it only as a last resort after all words of warning have failed.

Leave it to the professionals

Of course, the methods described above are no substitute for full-fledged cybersecurity training, if only because they cover just a handful of potential threats. That said, if your security budget is nonexistent, they provide a good starting point.

Ideally, they should be used as bait to get employees thinking about information security, as well as to consolidate knowledge gained during full training. For more details, check out our Kaspersky Automated Security Awareness Platform (suitable for large companies) and Kaspersky Adaptive Online Training on Security Awareness (for SMBs).


