If you don’t where it is, you can’t protect it.
Do you know where ALL your organisation’s data is – not physically, but on which web and cloud services?
Here’s the problem. If you don’t where it is, then you can’t protect it. The secondary problem is finding out, because not everyone in your organisation will be onboard. It is common for people to sign up to web services because they offer something useful that helps them do their job.
They sign up using their email address and creating a password. There is the first headache – how does anyone track what has been signed up to across your organisation, let alone who has access to it? If that person leaves, no one will change the account credentials if they don’t know about it, but your ex-colleague still has access.
Secondly, what data do they upload? Is that data that you have a legal or moral responsibility for?
There’s nothing noble about Nobelium.
This isn’t theory – it’s real. USAID is a pretty important US organisation – promoting democracy and human rights around the world. Turns out, someone there was using a well-known email database tool called Constant Contact. But their account wasn’t well protected. Worse still, their account had a huge mailing set up, and of course, it had all the official USAID templates.
So, these Nobelium people, allegedly a Russian state-sponsored hacker group, compromised the Constant Contact account and sent a bulletin out. The bulletin contained malware that allowed the hackers to take command and control over victims computers. Ironically the fake email alleged interference in the US federal elections.
So, what can you do?
The first step is knowing what SaaS tools your people are using. We call this SHADOW IT and it is inevitable. Rather than stopping it, the job IT has is to identify it and manage it. The second step is to secure those platforms. That’s why our KARE for Security S2 plan contains a useful tool to help you identify what services your people are using.
Refer : What We Know About The Apparent Russian Hack Exploiting USAID : NPR
Cyber-risk mitigation – why Multi-Factor Authentication (MFA) is vital, but NOT enough
We keep making the point that nothing can guarantee you won’t be hacked. But you can, and must, mitigate your cyber-risk. We think tools like Multi-Factor Authentication is crucial for protecting your IT systems – and MFA should be on EVERYTHING you use – your email...
What are your 2021 New Years (IT) Resolutions?
It's a new year and who knows what it will bring? COVID vaccines or not, 2021 is bound to have surprises. One prediction we can make with absolute confidence is that we need to be more careful than ever about protecting our data from ever-increasing computer security...
The Worst Hack in US History
In the last week, we’ve seen two major successful attacks on critical US IT management and Cyber security tools. The first we learned about was on FireEye which is one of the leading and most trusted cyber security tools, used by much of the Fortune 500. ...
Windows 7 slips quietly away
There is no doubt about it, 2020 will be a year to remember. COVID : Lockdowns, work from home, toilet paper shortages, return to level 3, hand cleaners, level 2, mask envy, normality (kind of), lockdown again, election(s), housing market and more. Perhaps the only...
DDOS – Distributed Denial of Service Attack (aka what went wrong at the NZ Stock Exchange)
Denial of Service (aka what went wrong at the NZX?) In September the NZ Stock Exchange was the victim of an attempted extortion via a DDOS attack. The attack took them offline serval times over a number of days. Many business are now asking, what is DDOS and could...
What’s new in Microsoft Office for the end of 2020?
There is a pay-off!! While there are few things as annoying as Office occasionally pausing to install new features, there is a benefit in the new abilities you get. While the timing always seems to be terrible, it should save you time in the long run. Here’s three of...
Urgent Security Warning – Nitro PDF
CERT NZ have issued a warning about Nitro PDF. It’s a common PDF tool that users log into to share documents. Unfortunately, there are reports that hackers have breached their database We’re being told that “Nitro PDF, a PDF enterprise document creation and sharing...
Keeping our Security tools up to speed
Cyber-crime is estimated to earn criminals US$7 Trillion a year That sort of money buys cyber criminals a lot of resources. It’s no surprise then that cybercrime has its own support industries. You don’t need to access the "Darknet" to purchase hacker tools. Many...
GOOD PROCESS WASN’T GOOD ENOUGH – SCAMMERS STILL WON
In August we all heard about Team NZ falling prey to a $2.8 million invoice payment fraud. It was the now-familiar story of a fake or hacked email, asking for payment to go to a different bank account. We should all be familiar with these tales by now. I’m sure that...
Hacking the hackers (aka what goes around, comes around)
Even hackers can be hacked! Isn't that serendipitous? There is a website, Cit0Day.in, which hosts 23,000 hacked databases. Access is available at a cost, daily or monthly subscription. Hackers mine this data for passwords and other information. They then use this...