Having security is great, but it’s all for nothing if your people aren’t reminded about it. Everyone in your organization should understand and be reminded of their responsibilities for protecting sensitive data — from the CEO to the custodial crew. That’s why most compliance tracks (for example, PCI Requirement 12.6.1.a) require you to communicate security awareness and educate your employees. This should be done on an annual basis, with periodic security reminders throughout the year.
TCT is committed to helping you keep your organization secure and compliant. Every quarter, we’re publishing compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.
As an added bonus, we’ve highlighted some developing security trends and featured a quick tip in TCT Portal to get more out of your compliance management.
How to Spot a Phishing Email (And What to Do if You Find One)
Phishing is the fraudulent practice of sending emails purporting to be from reputable companies. The idea is to induce you to reveal personal information, including logins and other sensitive data.
For example, you might receive an email from your bank indicating that, due to a security issue, they need you to log in to confirm your credentials. Phishing scams have increased dramatically during the coronavirus crisis, and they can be hard to detect unless you know what to look for.
There are several indicators that the email you received is phishing:
- The email is unexpected. For example, a Facebook friend is emailing you at work.
- The sender email domain is invalid. For example, the email is supposedly from Google, but closer inspection of the sender’s domain shows that it came from baddomain.cz.
- When you hover over links in the body of the email (DO NOT CLICK), you see that they point to an incorrect website.
- Buttons in the email either point to a wrong location or do not disclose where they are sending you.
- The email contains unexpected attachments (web links, PDF files, Word documents, etc.). The sender may use the attachments for additional attacks on your machine, or as a route to exposing additional sensitive information.
- There’s a sense of urgency — for example, confirm your account before it gets shut off in 12 hours, your computer’s security is at risk, or you must confirm your credentials.
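As an added illustration (not part of the original post), the short Python script below applies four of the checks above to a raw email: the sender’s domain, where each link actually points, urgent language, and attachments. The sample message, the expected domain google.com, and the URGENCY word list are constructed for the example; baddomain.cz is the placeholder domain from the list above.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Cues the checklist above calls a "sense of urgency" (constructed word list).
URGENCY = re.compile(r"urgent|immediately|within \d+ hours|shut off|suspended|confirm your", re.I)
# Good enough for the constructed sample below; parse real mail with html.parser instead.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _host(url_or_host):
    """Lower-cased host; bare hosts get a scheme so urlparse recognises them."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


def phishing_indicators(raw_email, expected_domain):
    """Return the red flags from the checklist above that appear in a raw RFC 822 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    flags = []
    def same_org(host):  # exact match or a subdomain of the expected sender
        return host == expected_domain or host.endswith("." + expected_domain)
    # 1. Sender domain: the display name says one thing, the address after @ says another.
    sender_host = _host(parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1])
    if not same_org(sender_host):
        flags.append(f"sender domain {sender_host} is not {expected_domain}")
    # 2. Links: compare what the text shows with where the href really goes (hover, don't click).
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in ANCHOR.findall(html):
        if not same_org(_host(href)):
            flags.append(f"link {text.strip()!r} points to {_host(href)}")
    # 3. Urgency in the subject or body.
    if URGENCY.search(str(msg["Subject"] or "") + html):
        flags.append("urgent or threatening language")
    # 4. Unexpected attachments.
    flags += [f"unexpected attachment {p.get_filename()}" for p in msg.iter_attachments()]
    return flags


# Constructed sample message; baddomain.cz is the placeholder domain used in the post.
SAMPLE = """\
From: "Google Security" <alerts@baddomain.cz>
Subject: Urgent: confirm your account within 12 hours
Content-Type: text/html; charset=utf-8

<a href="http://baddomain.cz/login">https://accounts.google.com</a>
"""
```

Running `phishing_indicators(SAMPLE, "google.com")` reports the mismatched sender domain, the link whose text and target disagree, and the urgent wording; a genuine message from a google.com subdomain with links into google.com produces an empty list.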
Generally, if you take a few moments to investigate the email, it’s relatively easy to tell a fake from the real thing. That said, here are some best practices to follow:
- Always maintain vigilance surrounding emails, and keep an eye out for scams.
- If you think a suspect email may be real, go to the source yourself by sending a new message to an email address you trust, or communicate through another route you know to be valid (e.g., visiting the website, calling the company directly, engaging their online chat directly).
- With a suspect email, never:
  - Respond to the sender
  - Open the email
  - Click on buttons or links
  - Download, run, or open attachments
- If you accidentally handle a phishing email incorrectly, notify your internal IT or security team immediately. Doing so is important for maintaining the security of your company.
- Do not forward suspected emails to others in the organization without the express permission of your internal IT or security team.
Quick Tip: Skip the Guesswork for Passing Muster with Your Auditor
If you’ve been using TCT Portal and you’re in Year 2 (or later) of a particular certification, you can use the Explanations and Attachments feature to reference evidence from the prior certification track. This makes it easy to look back at the previous year and see what evidence passed muster last time. It’s a great way to quickly understand what to gather this year.
If you’re already using TCT Portal and want this capability enabled, send an email to TCT Portal Support. To learn more about the TCT Portal, request a personalized demo.
What’s Going on in Security Today
Here are the latest top headlines in the security world to keep you informed and protected.
Via ThreatPost. On June 9, Microsoft released patches for 129 CVEs (Common Vulnerabilities and Exposures). This brings the total to over 600 CVEs addressed by Microsoft this year, 50 patches short of their total for all of 2017. Within the blockbuster security update, 11 critical remote code-execution flaws were patched in Windows, SharePoint Server, Windows Shell, VBScript and other products. This article gives the details you need to know about the security flaws.
Via ThreatPost. 70% of all applications in use today have at least one security flaw, thanks to their use of open-source libraries. Open-source libraries allow developers to add basic functionality to their applications quickly, and without them it would be far more challenging to innovate in software. Cross-site scripting (XSS) is the most common vulnerability found in these libraries, present in nearly 30% of them. This article tells you what you need to know.
Via Cyware Social. On June 15, a report was released stating that 5G already has a vulnerability that allows attackers to carry out impersonation, fraud, and DoS (Denial of Service) attacks on targeted 5G devices. Discover the vulnerabilities, repercussions, and solutions in this article.
Via HackRead. Spies can listen in on a conversation you’re having simply by watching a lightbulb in the room you’re in. All they need is a laptop and a telescope with an electro-optical sensor. This is called a lamphone attack, and it allows attackers to spy on conversations from more than 80 feet away. The implications are significant for organizations that protect their information.
Via The Hacker News. If you use Zoom for video conferencing, make sure you’re running at least version 4.6.12. Version 4.6.10 and older are subject to two vulnerabilities that would allow an attacker to insert themselves into the video chat and traverse your file systems.