Recently, our IT Analyst attended an all-day cybersecurity conference.  If you’re interested in keeping your data safe, here are some items of interest.  NOTE:  These notes are designed for the general public, not just IT professionals.

Universal Security Notes

According to the presenters, about 80% of attacks currently arrive through email, and phishing for credentials is the prime vector.  The usual form is an email urging you to click a link, which leads to a page that asks you to enter your credentials.  That page will most often look identical to the legitimate site: think of a password reset for Gmail or Office 365, or a request to “verify” your banking information.  Before entering a password, check the actual address in the browser’s address bar rather than the look of the page, or skip the link entirely and type the site’s address yourself.

Far too many people continue to reuse usernames and passwords.  As an illustration, suppose you use the same username and password for your personal Gmail account and your bank, and your Gmail account is compromised.  The attacker can then read your email and find out where you bank, log on to your bank with the same reused username and password, and drain the account.  The best defense is a password manager: it generates a different random password for every site and remembers them for you, so one compromised account cannot be used to open others.

Multifactor authentication (MFA) is one of the most effective ways to prevent authentication attacks.  (This is where you log on to a web site and must also enter a code sent by text message to your cell phone, or something similar.)  Any second factor is far better than a password alone, but text-message codes can be intercepted or phished along with the password; an authenticator app is stronger, and a hardware security key is the most phishing-resistant option where the site supports it.

Having personal information leaked in a third-party data breach drastically increases the odds of being targeted.  For example, if you were part of the Target breach, your chance of a subsequent attempt on your email went up drastically, because bad actors now had details about you that they did not have before, and those details make a phishing message far more convincing.

Consider separate email addresses for separate purposes.  For example, use one address for trusted senders (close friends, password resets, and so forth) and a separate address for spammy things such as coupon sites and business promotions.  The idea is that mailing lists are often sold from business to business, and the more places that have your email address, the more likely it is that you will be phished.  Keeping the address tied to your password resets out of circulation also makes it harder for an attacker to know which address to target.

You can go to https://haveibeenpwned.com to see if your credentials have been exposed in a known data breach.  Type in your email address and the site searches it against its database of known compromises.  If your address appears, you can look at the details of each breach.  If the password for that site was exposed, change it immediately if you haven’t already done so, and if you reuse that email address and password anywhere else, change the password at those places too.  (Refer to the previous note about reusing passwords.)  The same site also offers a Pwned Passwords service that checks whether a particular password has appeared in a breach without ever receiving the password itself: only the first five characters of the password’s SHA-1 hash are sent, and the actual match is made on your own machine.
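As an added illustration (not part of the conference notes or the original post) of how that Pwned Passwords check keeps the password on your own machine, the Python below hashes the password with SHA-1, hands out only the five-character prefix, and compares the remaining 35 characters locally against the list of suffixes the service returns.  The range response embedded here is constructed for the demo, except that its second line really is the suffix of SHA-1("password"); the function names are my own, and `fetch_range_online` shows the real request against https://api.pwnedpasswords.com but is not called when the block runs, so everything below works offline.

```python
"""Offline demonstration of the Pwned Passwords k-anonymity range check."""
import hashlib
import urllib.request
from typing import Callable

# Constructed sample of a /range/5BAA6 response (one "SUFFIX:COUNT" line per
# breached hash sharing that prefix).  Real responses contain hundreds of lines;
# these three are made up for the demo, except that the second suffix really is
# SHA-1("password") with its first five hex characters removed.  A count of 0
# is what padding entries look like when the Add-Padding header is sent.
SAMPLE_RANGE_RESPONSE = (
    "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "FFEEDDCCBBAA99887766554433221100FFE:0\r\n"
)


def sha1_split(password: str) -> tuple[str, str]:
    """Hash the password and split the upper-case hex SHA-1 into the
    5-character prefix that leaves the machine and the 35-character suffix
    that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Turn the service's 'SUFFIX:COUNT' lines into a {suffix: count} map,
    tolerating CRLF line endings and blank lines."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in known breaches
    (0 = not found).  Only the prefix is handed to fetch_range; the suffix
    comparison happens here, locally."""
    prefix, suffix = sha1_split(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call: serves the constructed sample for the
    one prefix it covers and an empty list for everything else."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def fetch_range_online(prefix: str) -> str:
    """The real request.  The service requires a User-Agent; Add-Padding
    asks it to mix in dummy zero-count lines so the response size does not
    reveal how many real hashes share the prefix.  Not called in this demo."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-passwords-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, fetch_range_offline)
        verdict = f"seen {n:,} times, do not use" if n else "not in the sample"
        print(f"{candidate!r}: {verdict}")
```

To run it against the live service, pass `fetch_range_online` instead of `fetch_range_offline`.  The point of the design is that a listening network observer, or the service itself, learns only that your password hashes to one of the several hundred values sharing a five-character prefix, never which one.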

When you purchase new computer hardware, IoT items and so forth, immediately change the default username and password.  This is incredibly important for sensitive network items such as your home router, security cameras, and smart devices such as thermostats, because default credentials are printed in the manufacturer’s manual and are the first thing an attacker tries.  If you purchase an electronic device such as a TV or refrigerator and don’t intend to use its internet capabilities, don’t hook it up to the network just because you can.

Keep your internet-connected devices updated, and turn on automatic updates where the device offers them.  Most successful attacks exploit vulnerabilities that were patched long ago but never applied.  On a similar note, if a device is no longer capable of receiving updates, it’s probably time to retire it or disconnect it from your network.

Company-related Notes

One of the latest trends in phishing is email chain hijacking.  In this scenario, a bad actor compromises an employee’s account and quietly monitors the mail in it.  When the time is right, the bad actor uses the hacked account to do damage.  For example, a bad actor compromises the account of a company executive and follows an email chain about a contract negotiation.  At the right moment, the bad actor replies within that exact email chain, directing the accounting department to pay the contract and wire the funds to the bad actor’s offshore bank account.  Because the message really does come from the executive’s account and sits in a genuine thread, spam filters and “is this sender legitimate?” checks will not catch it.  The control that works is procedural: any new or changed payment instructions are confirmed by phone, using a number already on file rather than one supplied in the email, before any money moves.

Bad actors are slowing down their exploit process.  Rather than striking as soon as they get in, they spend time quietly mapping the network, locating backups and valuable data, and waiting for the most damaging moment.  This makes the intrusion harder to detect and more damaging when the attack finally happens.

Mobile devices are more difficult to manage than traditional computers, because these devices may be owned by the employee rather than the company, and because employees can install apps on company-owned mobile devices without authorization far more easily than on a managed desktop.  From a security standpoint, mobile devices are “blind spots” for the company.

Bad actors are increasingly attempting to destroy or compromise backups before launching a ransomware attack.  If data cannot be recovered from backup, then paying the ransom is the only method of recovery, and even that is no guarantee.  Keep at least one copy of your backups offline or otherwise out of reach of the accounts used day to day, and test periodically that you can actually restore from it.

Alert fatigue is a growing problem.  At the micro level, security professionals receive more alerts in a day than they can investigate, so real incidents get lost in the noise.  At the macro level, we hear about breaches so often that we are growing numb to them.

Ongoing awareness training is an important tool in reducing risk, because people are always the weakest link.  “Naming and shaming” when a human mistake occurs is counterproductive: employees who fear punishment stop reporting the suspicious email they clicked on, which is exactly when a quick report matters most.  The better approach is to budget for fun activities and to reward achievements.

One of the latest buzzwords is Integrated Risk Management.  In a nutshell, a lot of risk management is done in a segregated fashion (for example, IT and finance might perform completely separate risk assessments).  This can leave holes and/or redundancies in a company’s overall risk management.

Businesses could do a better job of monitoring their external data sharing.  For example, an employee intends to share a single SharePoint file with a client but unintentionally shares an entire folder.  Periodically reviewing what is shared outside the organization, and defaulting to sharing specific files with specific people rather than “anyone with the link,” catches these mistakes before an outsider does.

We are operating in a tri-polar world when it comes to privacy governance.  The US is generally geared toward business.  The EU is generally geared toward citizens.  China is generally geared toward the government.  Most other countries lean toward one of these three approaches.  Software companies that want to develop software for international use need to be aware of all three types of governance, and understand their similarities and differences.

Privacy governance is going to continue increasing in importance, and a shortfall of privacy experts is expected, similar to the shortage of security experts today.  This will be especially prevalent in IoT.  Privacy and security will need to be baked into the code from the start rather than added afterward.  This becomes an additional factor as we move further into Web/Mobile/Cloud work.
