Mark Pribish

Reviewing the Top Cybersecurity Threats Highlighted from the Black Hat USA 2018 Conference

By Mark Pribish
Vice President and ID Theft Practice Leader

Two weeks ago I attended the 21st annual Black Hat USA conference held in Las Vegas where information security professionals had an opportunity to learn about the latest hacking techniques, advanced cloud security strategies, penetration testing, network security, machine learning, the Internet of Things (IoT), cryptography, forensics, and mobile security just to name a few.

One of the primary messages was that the cost of cybercrime, data breaches and ID theft continues to challenge both individual consumers and businesses - especially small to medium businesses (SMBs).

Another message was that if businesses do not find a way to minimize, eliminate and/or recover from data breaches and identity theft - both inside and outside their company walls - these same businesses will continue to pay the increasingly high cost of data breaches and identity theft.

One reason for these privacy concerns is Facebook's questionable data protection policies: 55 percent of security professionals are telling users to reconsider the data they share on Facebook - which is motivating some Facebook users to stop using Facebook altogether or to reduce how much time they spend on it.

Based on the Black Hat "briefings and trainings" sessions - including continuing education for security professionals provided by highly technical information security thought leaders from all aspects of the information security (Infosec) world - phishing, ransomware, banking trojans and cryptomining are the top cybersecurity threats facing businesses today.


So while the Black Hat conference is focused on hacking and technology, one of the leading threats continues to be phishing and spear phishing, where cybersecurity education for employees is critical to mitigating the risk of phishing, spear phishing and account compromise.

During the conference I had the opportunity to meet with Stu Sjouwerman, the founder and CEO of KnowBe4, a leading security awareness and training company, and Kevin Mitnick, one of the world's most famous hackers, a leading computer security consultant and KnowBe4's Chief Hacking Officer.

Sjouwerman said that "KnowBe4 trains unsuspecting employees online with interactive modules and then sends out simulated phishing attacks to help their business clients with awareness and preparedness for future phishing attacks."

Mitnick is famous for his use of deception, intrusion, and invisibility as a hacker, and he helps KnowBe4 defend businesses against social engineering threats posed by emails claiming to be from popular social media websites (such as a LinkedIn connection request), financial institutions, or IT administrators - lures that are commonly used against the unsuspecting employee or customer.

For the sake of transparency, my company, Merchants Information Solutions, Inc., uses KnowBe4 to educate our employees on phishing - the process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in email crafted to evade spam filters.

To conclude, every business owner and senior executive should ask: if my business were breached because of a phishing campaign, how much would it lose in stolen records, device recovery, brand reputation, or even ransom payments?

My big takeaway from this year's Black Hat conference is that while IT and hacking are the sizzle that makes the news headlines, phishing and social engineering continue to evolve with very sophisticated spear phishing campaigns that place every organization at risk of a data breach event.

Business owners and executives need to take a leadership role in educating their employees on the risks of phishing and social engineering - and employees need to be educated not to click on links or download attachments from an unknown sender, and to exercise caution by hovering over links and verifying the URL before clicking.
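The "hover over the link and verify the URL" habit can also be automated as a first-pass check on an HTML email body. The script below is an added example written for this newsletter; it is not code from KnowBe4 or from the author. It lists every link in the message and flags those whose visible text names a different site than the real destination (the classic disguised link). The email body and all host names in it are constructed placeholders, not real sites.

```python
# Added example: automate the manual "hover and verify the URL" check.
# For each <a> tag it compares the host the reader sees in the link text
# with the host the href actually points to, and flags a mismatch.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that "looks like" a URL or bare domain (e.g. www.example.com/path).
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase host of a URL or bare domain; '' for mailto:/tel: or no host."""
    if value.lower().startswith(("mailto:", "tel:")):
        return ""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _same_site(shown, actual):
    """True when the destination is the displayed host or a subdomain of it."""
    return actual == shown or actual.endswith("." + shown)


def check_links(html_body):
    """Return one (href, text, verdict) tuple per link: ok, mismatch or no-host."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        actual = _host(href)
        shown = _host(text) if _LOOKS_LIKE_URL.match(text) else ""
        if not actual:
            verdict = "no-host"          # javascript:, relative, mailto:, etc.
        elif shown and not _same_site(shown, actual):
            verdict = "mismatch"         # text says one site, href goes elsewhere
        else:
            verdict = "ok"
        findings.append((href, text, verdict))
    return findings


def suspicious_links(html_body):
    """Only the findings a reader should stop and look at."""
    return [f for f in check_links(html_body) if f[2] != "ok"]


# Constructed sample message (placeholder hosts, not a real email): one disguised
# link, one bare-domain link that matches, and one plain-text link.
SAMPLE_BODY = """
<p>Please review your account at
<a href="https://login.example-bank.com.evil-host.test/verify">https://www.example-bank.com/verify</a>.</p>
<p>Help pages: <a href="https://help.example-bank.com/">help.example-bank.com</a>
or <a href="https://www.example-bank.com/contact">contact us</a>.</p>
"""

if __name__ == "__main__":
    for href, text, verdict in check_links(SAMPLE_BODY):
        print(f"{verdict:8s} text={text!r} -> {href}")
```

The check is deliberately conservative: link text that is ordinary words ("contact us") cannot be compared to anything, so it is reported as ok rather than guessed at, and only text that itself looks like a URL is held to the hover-and-verify standard.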


To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters at the Merchants Identity Theft Educational Website at www.idtheftedu.com.


Scam Alert: That Facebook Quiz Might Be a Big Data Company Mining Your Personal Information

By Better Business Bureau, July 17, 2018.

In light of the recent revelation that Cambridge Analytica allegedly mined personal information from more than 50 million Facebook users, the Better Business Bureau is again reminding consumers that what they share online can be used for illegal or unethical reasons.

Social media quizzes - especially popular on Facebook - seem innocent enough. But taking the quiz might mean you are giving away more about yourself than you originally thought, and that may extend to your friends as well.

These quizzes ask seemingly silly or useless questions, but hackers can use that information to penetrate your social accounts and gain access to your personal information or the information of your friends and family.

Some quizzes are designed to steal your data in an outright scam. According to Khristian Ibarrola of Inquirer.net, "Once answered, hackers can easily hijack personal accounts and use them to lure in more victims." The hackers will include links embedded in the quiz that can cause a security breach of your personal accounts.

But the latest news shows that it isn't just scammers who are interested in your quiz answers. It turns out, your personal information is big business.

"We always knew someone was trying to trick us with social media quizzes, because they are free," says BBB's chief security officer Bill Fanelli, CISSP. "If there is no charge, then the value is the data they can collect. We also knew that it was for a use we probably would not like, because they went to such great lengths to hide their purpose. Now we know we were right on both counts."

Not all social media quizzes are about unprincipled data collection, but BBB cautions users to be careful about what they share online. Profile data, quiz answers, and more can be used to steal your money, or let a scammer pretend to be you in order to steal someone else's money. And now we know that seemingly innocent information can even be used to build a profile on you that can be sold to anyone trying to influence society.

Tips to avoid social media scams:

  • Be skeptical: Before you take a quiz, figure out who created it. Is it a brand you trust?
  • Adjust privacy settings: Review your social media account's privacy settings and be strict about what information you share.
  • Remove personal details from your profile: Don't share information like your phone number or home address on social media accounts.
  • Don't give answers to common security questions: Be cautious if the questions in a quiz ask for things like your mother's maiden name, the street you grew up on, or the name of your high school.
  • Don't accept friend requests from people you don't know.

For more information:

You can find more about BBB and the cyber security resources available to both businesses and consumers at BBB.org/cybersecurity.

To report a scam, go to BBB Scam Tracker (BBB.org/scamtracker). To protect yourself from all kinds of scams, visit the BBB Scam Tips page (BBB.org/scamtips).

Stay up on the latest scams by subscribing to BBB Scam Alerts emails. BBB Serving Central Virginia contributed to this report.

If you believe your identity has been stolen, call 866.SMART68 today!