Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive ongoing updates here.

“Lost ring” or “Add me to your LinkedIn network.” Those could be the email subject lines for a phishing campaign that could trick employees in clicking, according to a recent phishing report.  No doubt that 2019 was a big year for successful phishing attacks. In fact, the report states that 55 percent of organizations surveyed dealt with a phishing attack last year. An InfoSecurity Magazine article reports that infosecurity professionals reported a high frequency of social engineering attempts across a range of methods including spear-phishing attacks, business email compromise (BEC), and social media attacks. Joe Ferrara, senior vice president and general manager of security awareness training for Proofpoint recommends “taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks.” A Financial Post article says that “management has to build a culture of security, figure out who is being attacked and the types of attacks they face, and be ready to adapt if your threat climate changes.”

If it isn’t phishing, it’s malware

Security companies are seeing a resurgence in malware, specifically Emotet, a powerful email malware that is used to attack U.S. government and military targets, according to an article in TechRepublic,. How it works is “the malware attacks email accounts and spreads by infiltrating other contacts in the inbox and responding to threads with malicious links or attachments.” Researchers from Cisco Talos, a security intelligence and research group, say that Emotet has the ability to mimic email language, even adding previous email threads to a message, making it difficult for anti-spam systems to stop. According to the researchers’ blog post, “one of the most vivid illustrations…can be seen in Emotet’s relationship to the .mil (U.S. military) and .gov (U.S./state government) top-level domains (TLDs). Talos saw a rapid increase in the number of infectious Emotet messages directed at the .mil and .gov TLDs in December 2019.”

How to prepare your employees

With constant cybersecurity threats – including in your inbox – what can organizations do? Bob Bruns, chief information officer with Avanade, writes that there are two doors that malicious actors will use to gain entry to your environment and data. In his Forbes article, he says that door one is your technology and door two is your people. He recommends strengthening your technology. Sounds easy enough, but what specifically? Bruns outlines the importance of focusing on the foundational pillars of your cybersecurity program: multifactor authentication, information protection tools, and trust but verify as a mandate. As for employees, Bruns encourages a comprehensive and consistent training and education program. Here’s what he suggests to get started:

  • Understand your unique needs, strengths and weaknesses. You need to have input to build your program and focus your efforts. You can get this input through security behavior surveys or any other security metrics you may have. This valuable data can help you understand where you need to grow and build the program’s short- and long-term goals.
  • Create a culture of shared responsibility. This objective should be part of the goals of your employee cybersecurity program. The general idea is to develop an employee culture committed to protecting your company, clients, work, data and assets. Shared responsibility means the onus isn’t just on the company to protect against cyberattacks; it’s also on each employee.
  • Educate continuously. It’s vital to make good security behavior understandable and consumable. Make participation creative and fun, not tedious. Look at your efforts as an internal marketing campaign. Activities must be compelling and creative. Security quizzes or apps, mock phishing campaigns, incentive programs and ways to introduce a little friendly competition will motivate and engage your employees to be the best cybersecurity champions in their departments.
  • Integrate cybersecurity training with onboarding. This includes security behavior training to help employees build secure behaviors from day one. This could include 30-, 60- and 90-day check-ins to reinforce training and behavior further.

Government taps cybersecurity companies for information

As covered in the last Cyber Oregon News Roundup, the U.S. government is on high alert for global cyber threats and cyberattacks from foreign countries. The latest NPR piece covers the fact that private cybersecurity firms have often been the ones sounding the alarm and selling their services to the U.S. intelligence community. “The U.S. government says it welcomes help from tech companies,” says Shelby Pierson, who works for the acting director of national intelligence, Joseph Maguire. “FireEye and CrowdStrike, for example, have done really good work, where based on the analysis, expertise and information analysis that they do, those are products and services that they can sell to the U.S. government.”

Partner blog of interest: CrowdStrike: CrowdStrike Services Report Focuses on Trends Observed in 2019 and the Outlook for 2020