Information Technology and Security Update

Introduction

Our previous newsletter article was written to focus mainly on phishing. Since phishing continues to be a major hindrance to cyber freedom and information integrity, this article will present, along with other subjects, an update on this alarming phenomenon.

What’s new in the world of phishing?

The total losses attributed to phishing continue to rise significantly. It is now estimated that over $30 billion are lost every year to phishing. These losses are not confined to any one type of company or business sector. They are also not confined to any particular type of phishing.

Several consultants in the field believe that the losses indicated are conservative as it is known that some organizations fail to report losses, mainly out of embarrassment. Others do not report for fear of concerns by shareholders. In fact, it is felt that a large number of publicly traded companies choose to simply pay whatever is demanded by hackers.

Cybersecurity experts report that the one reasonably consistent factor in hacking is that email remains the activity most targeted by phishing.

In the last newsletter, we provided signs to look for within your email. Try to remember these signs and to observe the rules.

In the event of doubt or concerns, please contact your IT department. Do not reply to emails that appear to be unusual or out of character. Do not open attachments to such emails.

These rules should be observed for both your personal and work emails. Remember that when phishing takes place in company email, hackers may be searching for key company information, including about key personnel or information which provides a key competitive edge.

Hackers are well aware of what business entities may be prepared to pay to keep their competitive strategies out of public ears and eyes. A common tactic of hackers is to demonstrate their possession of sensitive information and then demand large sums of money to withhold circulation thereof. Dirty? – Yes. Difficult to execute? – Not necessarily.

What are other ways that hackers obtain information?

COVID-19 has been an absolute bonus in the world of cybercriminals, and the chief vehicle is video conferencing (VC).

Many of you would have seen the statistics. In November of 2019, Zoom Video boasted a user-base of approximately 10 million. By the end of March 2020, Zoom’s user base had extended to over 200 million. This was wonderful news for Zoom and its shareholders.

The good news did not end there. Cisco WebEx and Microsoft Teams also enjoyed tremendous increases in sales and usage. The Skype folks have, according to the information provided, not been as successful. VC became the tool of choice as more and more companies shifted to working from home.

Unfortunately, the good news situation also extended to hackers, who suddenly found a new means of obtaining key company information. We often merrily go about our video conferencing virtual meetings without realizing that there may be uninvited guests at the party. They frequently join the party unnoticed and may choose to leave and rejoin several times to remain undetected. They may also decide to stay connected to the meeting, depending on the numbers in the party.

Can you think of the wonderful company news and “goodies” that an intruder might pick up by listening in on a company sharing key strategic planning information with employees regionally, nationally, or globally? At EPI we currently have the benefit of a small and easily recognizable group. Larger companies may have hundreds or thousands of attendees on a single VC session.

How secure is VC? How can we use VC securely?

For some time, Zoom has been leading the pack in VC, boasting millions of corporate users. The explosion in the number of users in recent months drew hackers into the ring, making Zoom a severely targeted commodity. Weaknesses in Zoom’s security became known and were exploited wherever possible.

Microsoft seized this opportunity by feverishly marketing Teams and touting its advanced security features. This resulted in a significant increase in Teams usage. Author’s note: It will be interesting to see where this highly competitive situation ends. In April, Zoom came roaring back with what they, and others, classify as outstanding security. Fortunately, the two organizations can co-exist. This would afford users the best of both worlds.

At EPI, we have chosen Microsoft Teams as our VC standard.

Despite this choice and the fact that we now have a standard, we often find ourselves working with Zoom when attending external VC meetings. At times we may also be called upon to join VC meetings using other tools including Cisco WebEx and Skype, for example. Note that Microsoft announced an end-of-life plan for Skype, to be replaced by a consumer-oriented Teams.

The message from this is very clear. We have to become familiar with and learn how to safely use multiple VC tools. While there is little that we can do to ensure secure use, it is considered prudent to observe a few key rules.

  • Be vigilant. There is no guaranteed way of preventing an apparently authorized intruder from attending a VC meeting.
  • Observe and note participants in your VC. Be prepared to challenge if you do not recognize a name, initials, or photo. Immediately stop speaking or screen-sharing if you suspect an intruder. Where deemed necessary due to unresolved suspicions, end and restart your meeting.
  • External participants should be forced to request admission through the “waiting room” feature.
  • Hosts should become familiar with VC tools and features which reduce the likelihood of intrusions. Some of these features include, for example: enable/disable join before host, screen sharing, lock meeting, mute all controls, waiting room, etc.
  • Watch out for fake VC meeting emails and invitations. In this case, the email contains a meeting invitation link. Selecting this link will take you the hacker’s phishing site where your credentials may be stolen.

Summary and next steps

EPI’s ITS department continues to gather critical information from cybersecurity consulting firms. A cybersecurity review with penetration testing will be conducted once COVID-19 restrictions are sufficiently lifted that companies clear their staff for external visits.

The results and recommendations from this will assist us in creating our cybersecurity strategy.

Norman Dash, Vice President of IT and Security