Recently, our IT Analyst attended an all-day cybersecurity conference.  If you’re interested in keeping your data safe, here are some items of interest.  NOTE:  These notes are designed for the general public, not just IT professionals.

Universal Security Notes

80% of attacks are currently occurring through email.  Phishing for credentials is the prime vector.  This is usually done via an email trying to get you to click on a link, which will then ask you to enter your credentials.  The link will most frequently take you to a web page that looks identical to a legitimate site.  Think password reset for Gmail or Office 365, or a request to “verify” your banking info.

Far too many people continue to reuse usernames and passwords.  As an illustration, let’s say that you use the same username/password for your home Gmail account and your bank, and your Gmail gets compromised.  Once you’re compromised, the hacker can monitor your email account and find out where you bank.  The attacker then uses your reused username and password to log on to your bank account, and subsequently drains your bank account.  The best way to deal with this is to use a password manager.

Multifactor Authentication is one of the most effective ways to prevent authentication attacks.  (This is where you log on to a web site and are sent a text message to your cell phone, or something similar.)

Having personal information leaked in a third-party data breach following a hacking incident drastically increases the odds of being targeted.  For example, if you were part of the Target hack, your chance of a subsequent attempt to hack your email went up drastically, because bad actors had information about you that they didn’t have before.

Consider separate email addresses for separate purposes.  For example, have one email address for trusted senders (such as close friends, password resets, and so forth), and a separate email address for spammy stuff, such as coupon sites, business promotions, etc.  The idea behind this is that mailing lists are often sold from business to business, and the more places that have your email address, the more likely it is that you will be phished.

You can go to https://haveibeenpwned.com to see if your credentials have been compromised in a known data breach.  You can type in your email address, and the web site will search that email address against their database of known compromises.  If your email address has been compromised, you can look at details of the compromise.  If your password for that site was compromised, you should change that password immediately if you haven’t already done so.  If you’re reusing that email address and password somewhere else, you should immediately change the password at the other places too.  (Refer to the previous comment about reusing passwords.)
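Have I Been Pwned also offers a password check, and it is designed so that you never have to send your actual password to the site: only the first five characters of the password’s SHA-1 hash are sent, the site returns every matching hash suffix it knows about, and the comparison happens on your own machine.  The following is an added example (not code from the site or from this article) that implements that client-side matching; the network call is replaced by a constructed sample response so it runs offline, and the breach counts in the sample are made up for illustration.

```python
import hashlib

# Constructed stand-in for the body returned by the real range endpoint
# (GET https://api.pwnedpasswords.com/range/<5-char prefix>).  Each line is
# "<remaining 35 hex chars of a SHA-1>:<times seen in breaches>".  The first
# suffix is the real SHA-1 tail of the string "password"; the counts and the
# second filler line are constructed for this example, not real API output.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1FFC5A8D5F67BAD1D8C5E4E8C0B23C1A5D2:2",
    ]),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (prefix, suffix): only the 5-char prefix ever leaves the machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP request; returns the sample body or ''."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    counts = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count)
    return counts


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found).

    The full hash is never sent: the suffix comparison is done locally
    against the list of suffixes returned for the shared prefix.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "a constructed unique passphrase 9f2k"):
        print(candidate, "->", pwned_count(candidate))
```

To run it against the live service, replace `fetch_range` with a function that performs the HTTP GET for the prefix and returns the response text; the rest of the logic is unchanged.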

When you purchase new computer hardware, IoT items and so forth, you should immediately change the default username and password.  This is incredibly important for sensitive network items like your home router, security cameras, or smart devices such as thermostats.  If you purchase an electronic device such as a TV or refrigerator and don’t intend to use its internet capabilities, don’t hook it up to the network just because you can.

Keep your internet-connected devices updated.  The majority of hacks exploit vulnerabilities that were patched long ago.  On a similar note, if your device is no longer capable of receiving updates, it’s probably time to retire it or disconnect it from your network.

Company-related Notes

One of the latest trends in phishing is email chain hijacking.  In this scenario, a bad actor will compromise an employee and monitor their sent emails.  When the time is right, the bad actor will use the hacked account to do damage.  For example, a bad actor compromises the account of a company executive, and then monitors an email chain about a contract negotiation.  When the time is right, the bad actor sends an email from within that exact email chain, directing the accounting department to pay the contract and wire the funds to the bad actor’s offshore bank account.

Bad actors are slowing down their exploit process.  This makes intrusion more difficult to detect, and more damaging when the exploit occurs.

Mobile devices are more difficult to manage than traditional computers, because these devices may not be owned by the company, and because employees are more able to install apps on company-owned devices without authorization.  Mobile devices are “blind spots” for the company from a security standpoint.

Bad actors are increasingly attempting to destroy or compromise backups before launching a malware attack.  If data cannot be recovered from backup, then payment is the only method of recovery.

Alert fatigue is a growing problem.  At the micro level, this can mean that security professionals are receiving too many alerts in a given day.  At the macro level, this means that we are hearing about breaches so often that we’re growing numb to it.

Ongoing awareness training is an important tool in reducing risk, because people are always the weakest link.  “Naming and shaming” when human failure occurs is counterproductive.  The best approach for awareness training is to budget for fun activities and rewarding achievements.

One of the latest buzzwords is Integrated Risk Management.  In a nutshell, a lot of risk management is done in a segregated fashion.  (For example, IT and finance might perform completely separate risk assessments.)  This can lead to holes and/or redundancies in a company’s overall risk management.

Businesses could do a better job of monitoring their external data sharing.  For example, an employee intends to share a single SharePoint file with a client, but unintentionally shares an entire folder.

We are operating in a tri-polar world when it comes to privacy governance.  The US is generally geared toward business.  The EU is generally geared toward citizens.  China is generally geared toward the government.  Most other countries lean toward one of these three approaches.  Software companies that want to develop software for international use need to be aware of all three types of governance, and understand their similarities and differences.

Privacy governance is going to continue increasing in importance, and there is an expected shortfall of privacy experts in the future, similar to how there is a shortage of security experts now.  This will be especially prevalent in IoT.  Privacy and security will need to be baked in to the code.  This will become an additional factor as we move further into Web/Mobile/Cloud work.
