How to Protect Your Data – Part 2
In last week’s blog post, we covered how to protect your data with precautions to take in the event that your device is lost or stolen. We also touched on the implications of providing passwords to integrate with third-party applications. This post will go into password policies, social engineering attacks and ways to stay safe while sending data online.
Password policies
Every company should have some very basic password rules in place: that passwords are complex, that they are not reused (per account or across other systems) and that they are changed regularly.
Creating new, complex and often-changed passwords creates a new problem – remembering all of those passwords. We’re all human. We’re prone to forget. Consider whether it is wise to use a password wallet or a password locker system. These systems, which can store numerous passwords and unlock with one central login, make it easy to organize and store passwords while requiring the user to remember only one. Employees won’t need to resort to keeping a written list of passwords. You may need to look for one that stores online passwords as well as application passwords. Here’s a great list from PC Magazine of what they consider the best password managers.
Understanding Social Engineering Attacks
Sometimes a security breach starts with a simple phone call for information. Social engineering is much more than phishing for information. It can include manipulating people to give up confidential information. They want you to take them at their word, to trust them. To give a very good example of this, here’s a personal story that involves “spear phishing,” where the hacker poses as a trusted source. At one of my old jobs, we had a seemingly random visitor to our online chat service ask, “Who is the person who is in charge of your marketing?” The chat operator gave them my name, and the chat ended. No one thought anything about it. (And why would they?) Several days later, someone posing as me came onto our online chat service after hours and said, “Hey, this is Carren, I forgot to give you a file of new messaging to download before I left. I’m going to email it to you now. You should download it right away.” Then the hacker emailed support a .zip file. The chat agent attempted to open the file, but had problems extracting it. The breach, in this case, was discovered before the file was installed on the chat agent’s computer. It was only when he contacted his supervisor because he couldn’t open the file that the problem was discovered. In this case, there were numerous clues that could have prevented what ended up just being a scare, not an actual data breach. Let’s evaluate the details:
- The hacker actually misspelled my name in the chat.
- It was 2 a.m. at the time they posed as me. I may work the occasional late hour, but 2 a.m. would not have been standard operating procedure even on a bad day.
- The request broke the chain of command. It would never have been my place to tell our support personnel that I had new messaging that they needed to install.
- Had the chat operator looked at the tools available during that conversation, he would have seen that the chat history showed this visitor had previously asked for my name. Had he looked at the visitor’s location, he would have seen that it was not “Wichita, KS,” where I was located.
- The offending file came from a webmail account unknown to the chat rep, rather than my company account.
This example of a failed social engineering attack is a very simple case. It’s important to note that in the days between the first and second chats, I received several strange Facebook requests that I ignored because I didn’t recognize the name. This is not a coincidence and was most likely related. Had they become my “friend,” they would have had personal information that allowed them to employ more convincing methods. Social engineering very often includes intricate stories and heavy manipulation. For this reason, it is important to follow protocol and not act on anything if it feels even a little “off.” In this case, it is unfortunate that the chat agent didn’t feel empowered enough to question the scenario, even though he said there were several things that struck him as odd. And had the agent employed all the tools available, like chat history or location, he would have realized that the visitor was not me at all.
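The clues listed above can be turned into a simple screening routine that a chat team could run against a suspicious request. The following is an added example, not code from the original post or from any chat product; the session records, the employee profile, the working hours and the e-mail domains are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
# Constructed records for this example; names, places and addresses are illustrative.
@dataclass
class ChatSession:
    visitor_id: str         # identifier the chat tool assigns to a visitor
    timestamp: datetime     # local time of the chat
    visitor_location: str   # geolocation shown by the chat tool
    claimed_name: str       # who the visitor says they are ("" if nobody)
    attachment_sender: str  # address a sent file came from ("" if none)
    transcript: str

@dataclass
class Employee:
    name: str
    role: str               # e.g. "marketing"
    location: str
    company_domain: str
    work_hours: tuple = (7, 20)   # local hours treated as normal

def assess_impersonation(session, employee, history):
    """Return the red flags for a chat claiming to come from `employee`;
    `history` holds earlier sessions. Each check mirrors one clue from the story."""
    flags = []
    if session.claimed_name.casefold() != employee.name.casefold():
        flags.append("claimed name does not match the employee's name")
    if not employee.work_hours[0] <= session.timestamp.hour < employee.work_hours[1]:
        flags.append(f"contact at {session.timestamp:%H:%M}, outside normal hours")
    text = session.transcript.lower()
    if any(w in text for w in ("download", "install")) and employee.role not in ("it", "support"):
        flags.append("request to install a file is outside this role's chain of command")
    if any(s.visitor_id == session.visitor_id and employee.role in s.transcript.lower() for s in history):
        flags.append("same visitor previously asked who holds this role")
    if session.visitor_location != employee.location:
        flags.append(f"visitor location {session.visitor_location!r} is not {employee.location!r}")
    if session.attachment_sender and not session.attachment_sender.lower().endswith("@" + employee.company_domain):
        flags.append("file came from an address outside the company domain")
    return flags

EMPLOYEE = Employee("Carren Example", "marketing", "Wichita, KS", "example.com")
HISTORY = [ChatSession("v-417", datetime(2024, 3, 4, 14, 5), "Unknown", "", "",
                       "Who is the person who is in charge of your marketing?")]
SUSPECT = ChatSession("v-417", datetime(2024, 3, 7, 2, 10), "Unknown", "Caren Example",
                      "caren.example@webmail.example",
                      "Hey, this is Caren, I forgot to give you a file of new messaging to download.")

if __name__ == "__main__":
    for flag in assess_impersonation(SUSPECT, EMPLOYEE, HISTORY):
        print("RED FLAG:", flag)
```

Any non-empty result is a reason to pause and confirm the request through a known channel rather than act on the chat alone.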
Staying Safe While Sending Files
Sending files outside of your network can also have ramifications. First, can you trust the person you are sending data to? Do you trust the method by which you send the data (email, internet service, etc.)? The method you use to send the data is very important to security, and this is the area where SendThisFile comes in. SendThisFile has several security measures in place to keep your data secure. Data is encrypted in transit and at rest, and if there’s any question about who is on the receiving end of the file, you can even ask your recipient to authenticate by logging in or using a password. Plus, once the file is downloaded, SendThisFile deletes it using a proprietary process that removes all remnants of the file, so there’s no file hanging around online waiting to be discovered. For more information on how SendThisFile can help you stay safe when sending data, contact our solutions specialists.