CYBERSECURITY 101
TABLE OF CONTENTS
- What is Cyber Attack?
- Cyber Risks From Employees' Bad Habits
- How To Spot A Phishing Email
- What Is Identity Theft?
- Beware Of Ransomware
- Data Loss Prevention (DLP)
- Multi-Factor Authentication (MFA)
- Work From Home Securely
- Safe Computing Tips
- Physical Security
- Dos And Don'ts Of Secure Passwords
- Information Classification
- The Danger Of Public Wi-Fi
- Social Engineering
- How To Avoid Security Breaches
- Phishing
- Beware Of WhatsApp Scam
- Email Etiquette
- Clean Desk Policy
- Protect Your Personal Data
- Mobile Security
- Cybersecurity Myths
- Cyber Hygiene
- Malware
*words from CISO*
Ransomware is a form of malware that encrypts a victim's files. The attacker then demands a ransom from the victim to restore access to the data upon payment.

Nov 2018: Media Prima Berhad had been attacked by ransomware and the attackers demanded 1000 bitcoin (RM 26.46 mil) to regain access to their data. Source: https://www.thestar.com.my/news/nation/2018/11/13/media-prima-hit-by-ransomware-hackers-demand-rm26mil-in-bitcoins-says-report/

Aug 2019: Binance, a cryptocurrency exchange based in Malta, became a victim of a ransomware attack and the attackers demanded 300 bitcoin ($3.5mil) in exchange for their database. Source: https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/

Dec 2019: Travelex took all its computer systems offline after the company systems were infected with Sodinokibi ransomware and the attackers demanded $3mil to remove the ransomware. Source: https://cloudlytics.com/a-walk-through-the-key-cybersecurity-incidents-in-2019/

Protect yourself from ransomware!
- Use reputable antivirus software and firewall.
- Do not download from untrusted resources.
- Do not open untrusted email attachments.
- Avoid giving out personal data.
- Do keep your antivirus updated.
- Always backup your data.
EXIM needs to stay alert and aware of threats while carrying on its digital journey. See the infographic below on DLP technology and how it will keep our data safe and secure. DLP technology helps enterprises minimize data leakage threats and prevent sensitive information from leaving the confines of the corporate network, whether that happens accidentally or through deliberate actions. Organizations use DLP to protect and secure their data and comply with regulations.

COMMON CAUSES OF DATA LOSS
- Human Error
- Power Outages
- Hard Drive Damage
- Viruses and Malware
- Computer Theft
- Software Corruption

CONSEQUENCES OF LOSING DATA
- Losing customers' trust
- Financial impact to the company
- Penalties by regulatory bodies
- Losing competitive edge

2019: The data of 7.5 million users on Adobe Creative Cloud was exposed due to an unprotected online database. Source: https://www.varonis.com/

2017: Equifax, a credit reporting company, was breached in 2017. The information of 143mil accounts in the US and 400,000 in the UK were exposed. The hackers also stole credit card numbers of over 209,000 customers. Source: https://www.6dg.co.uk/

2009: Heartland Payment Systems suffered a data breach resulting in the compromise of 130 million records. Source: https://www.varonis.com/
EXIM needs to stay alert and aware of threats while carrying on its digital journey. See the infographic below on MFA technology and how it will keep our data safe and secure. MFA is an extra layer of security that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA is a core component of a strong identity and access management (IAM) policy.

TYPES OF MFA
- Something you know (knowledge): Password, PIN
- Something you have (possession): Access Card, Smartphone
- Something you are (inherence): Fingerprint, Face Recognition

WHY MFA?
Cybercriminals have more than 15 billion stolen credentials to choose from. If they choose yours, they could take over your bank accounts, health care records, company secrets, and more. Source: https://www.okta.com

MFA is important, as it makes stealing your information harder for the average criminal. The less enticing your data, the more likely that thieves will choose someone else to target.
As Covid-19 turns working from home into the new normal, adapting and keeping focus on cyber security in all settings is critical. Working from home exposes both individuals and businesses to a range of cybersecurity risks. That's why it is essential to give serious consideration to your home cybersecurity.

Use Antivirus and Internet Security Software at Home: Antivirus suites take the hard work off your hands by offering automatic remote work security against a host of threats.

Secure Your Environment: Keep your devices safe and do not allow other household members to access your work laptops, mobiles and other forms of hardware.

Use a Virtual Private Network (VPN): A VPN creates secure, controlled paths for staff to access work-related data remotely. EXIM's VPN technology is EXIM Virtual Office (EVO), accessed via the EasyConnect client or a web browser.

Secure Your Home Wi-Fi: Create a strong, unique password rather than relying on the automatic password your router came with.

Verify Video Conferencing Links: Ensure meetings are private. Verify that the video conferencing link from the sender is legitimate.

Beware of Email Phishing: This is where staff are baited to click on a link or to download a file. Look out for emails that:
- Start with a generic greeting such as "Dear Colleagues".
- Have poor grammar and spelling mistakes.
- Solicit personal or financial details.
- Demand action with a threat.
- Have a misleading domain name.
Please refer to the previous EXIM Cyber Security 101 "Beware of Phishing" and "How to Spot a Phishing Email" topics.
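The "look out for emails that" checklist above can be turned into a small triage script. The following is an added example, not part of the original EXIM material: it parses a constructed sample message (all addresses use the reserved .example TLD) and reports which of the checklist's red flags it shows, including a link whose domain does not match the sender's domain.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message for the demo; every domain is a reserved .example name.
SAMPLE_EMAIL = """\
From: IT Helpdesk <it-helpdesk@support-mail.example>
To: staff@examplebank.example
Subject: Urgent: mailbox password expiry

Dear Colleagues,

Your mailbox password will expire within 24 hours. Verify your identity at
http://examplebank-login.example/reset now, or your account will be suspended.
"""

# Phrase lists are illustrative; a real deployment would tune them to local traffic.
GENERIC_GREETINGS = ("dear colleagues", "dear customer", "dear user", "dear sir/madam")
THREAT_PHRASES = ("within 24 hours", "will be suspended", "will be terminated", "legal action")
CREDENTIAL_WORDS = ("password", "verify your identity", "credit card", "bank account")


def registrable_domain(host: str) -> str:
    """Crude registrable-domain reduction (last two labels); no public-suffix list."""
    labels = host.lower().strip("> ").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw: str) -> list:
    """Return the checklist red flags that a single-part text message exhibits."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = msg.get_content()
    lower = text.lower()
    flags = []

    # Generic greeting: the first non-empty body line addresses nobody in particular.
    first_line = next((ln.strip().lower() for ln in text.splitlines() if ln.strip()), "")
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    # Demand for action backed by a threat.
    if any(p in lower for p in THREAT_PHRASES):
        flags.append("demands action with a threat")
    # Request for personal or financial details.
    if any(w in lower for w in CREDENTIAL_WORDS):
        flags.append("solicits personal or credential details")

    # Misleading domain: a link that points somewhere other than the sender's domain.
    sender = str(msg["From"] or "")
    sender_domain = registrable_domain(sender.split("@")[-1])
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != sender_domain:
            flags.append(f"link to {host} does not match sender domain {sender_domain}")
            break
    return flags


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_EMAIL):
        print("-", flag)
```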
As an employee you are a valuable target for attackers. Follow these safe computing tips to protect your workplace against the most common cybersecurity risks.

Avoid Phishing Scams: Phishing scams can be carried out by phone, text, email or through social networking sites. Be suspicious of any official-looking email message or phone call that asks for personal or financial information.

Keep Software Up-To-Date: Turn on Automatic Updates for your operating system. Make sure to keep browser plug-ins (Flash, Java, etc.) up-to-date.

Install Anti-Virus Protection: Only install these programs from a known and trusted source. Keep virus definitions, engines and software up-to-date to ensure your programs remain effective.

Be Careful of What You Click: Avoid visiting unknown websites or downloading software from untrusted sources. These sites often host malware that will automatically install and compromise your computer.

Never Leave Devices Unattended: If you need to leave your laptop, desktop, phone or tablet for any length of time, lock it up so no one else can use it.

Safeguard Protected Data: Keep high-level Protected Data off your workstation, laptop or phone. Securely remove sensitive data files from your system when they are no longer needed. Always use encryption when storing or transmitting sensitive data.

As soon as you detect anything unusual with your EXIM-issued device, contact the Helpdesk immediately. Even if the issue occurs on your personal device, such as your mobile phone, do let them know that it is a personal device, and they will advise possible next steps.
If a hacker gains access into the office, he or she can access confidential company information through company devices, exposed documents or even by being on the company network, which would be disastrous. We must do our part to prevent physical infiltration.
- Do carry your access card with you at all times.
- If you lose your access card, immediately report it to your security office.
- Lock down all laptops, devices and documents.
- Do not leave any confidential information lying around your workstation.
- If someone looks unfamiliar or suspicious, question them.
- Do not let any stranger follow you into the office building.
So many accounts, so many passwords. That's online life. The average person with a typical online presence is estimated to have about 100 online accounts, and that figure is rising. Some accounts are low in priority, so we may have neglected password hygiene and fallen into unhealthy habits like password reuse, putting our other accounts in danger in the event of a data breach. Here's a list of handy Dos and Don'ts to put us on the right track when it comes to password security.

DO
- Change your password regularly.
- Use a combination of upper- and lower-case letters, numbers and symbols.
- Make passwords hard to guess.
- Make your passwords at least 8 characters long.
- Use an extra layer of security with two-factor authentication (2FA).

DON'T
- Don't use the same password for multiple accounts.
- Don't use the word "password" or any combination of it.
- Don't use short and simple passwords.
- Don't share your passwords and don't put them on a piece of paper.
- Don't use common keyboard patterns like asdfjkl, 111111 or abc123.
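The Dos and Don'ts above can be enforced mechanically. The following is an added example, not part of the original EXIM material: it checks a candidate password for the rules listed (minimum length, character mix, the word "password" including leetspeak substitutions like P@s$w0rd, keyboard or repeated patterns such as asdfjkl, 111111 or abc123, and reuse across accounts) and returns the rules it breaks. The pattern detector generalises the three examples on the page to any run of three adjacent keys, letters or digits, or three repeated characters, covering half or more of the password.

```python
import re
import string
from typing import Iterable

# Keyboard rows, the digit row and the alphabet: a 3-character slice of any of
# these (forwards or backwards) is treated as a "keyboard pattern" fragment.
_SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase)

# Substitutions attackers try first; "P@s$w0rd" normalises back to "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def pattern_coverage(pw: str) -> float:
    """Fraction of characters lying inside a 3-char sequential or repeated run."""
    low = pw.lower()
    if len(low) < 3:
        return 0.0
    marked = [False] * len(low)
    for i in range(len(low) - 2):
        chunk = low[i:i + 3]
        sequential = any(chunk in s or chunk[::-1] in s for s in _SEQUENCES)
        repeated = chunk[0] == chunk[1] == chunk[2]
        if sequential or repeated:
            marked[i] = marked[i + 1] = marked[i + 2] = True
    return sum(marked) / len(low)


def check_password(pw: str, other_passwords: Iterable[str] = ()) -> list:
    """Return the Don'ts the password violates; an empty list means it passes.

    other_passwords is what a password manager already holds for the user's
    other accounts, used only to detect reuse.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if not all(classes):
        problems.append("missing upper/lower/digit/symbol mix")
    if "password" in pw.lower().translate(_LEET):
        problems.append("contains the word 'password' (or a substitution of it)")
    if pattern_coverage(pw) >= 0.5:
        problems.append("contains a common keyboard or repeated pattern")
    if pw in set(other_passwords):
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    for candidate in ("Ab_12", "abc123", "P@s$w0rd!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "OK")
```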
Knowing how to classify information is critical given today's advancing cyber threats. With well over 5,000 data breaches occurring in 2019 alone, including more than 8 billion pieces of data compromised, classifying your information is essential if you want to know how to secure it and prevent security incidents. Information Classification starts with labeling documents with various levels of confidentiality. These levels are aligned to names, and ultimately tied to how the information will be used, transmitted and ultimately protected in and outside of the business.

Public: This type of data is freely accessible to the public (i.e. all employees / company personnel). It can be freely used, reused, and redistributed without repercussions. An example might be first and last names, job descriptions, or press releases.

Internal: This type of data is strictly accessible to internal company personnel or internal employees who are granted access. This might include internal-only memos or other communications, business plans, etc.

Confidential: Access to confidential information requires specific authorization or clearance. Types of confidential data might include Social Security numbers, cardholder data, M&A documents, and more. Usually, confidential information is data protected by laws like HIPAA and the PCI DSS.

Restricted: Restricted information includes those that, if compromised or accessed without authorization, could lead to criminal charges and massive legal fines or cause irreparable damage to the company. Examples of it include proprietary information or research and data protected by state and federal regulations.
Public Wi-Fi can be found in popular public places like airports, coffee shops, malls, restaurants, and hotels and it allows you to access the Internet for free. These "hotspots" are so widespread and common that people frequently connect to them without thinking twice. The problem with public Wi-Fi is that there are a tremendous number of risks that go along with these networks.

Information you risk exposing to hackers: usernames and passwords of online banking, emails, social media and online shopping.

Man-in-the-middle attack: The hacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. (Diagram: your original connection goes straight to the public Wi-Fi; in the attack, the new connection goes from you through the man-in-the-middle to the public Wi-Fi.)

Rogue Wi-Fi networks: A hacker sets up a fake network that masquerades as a legitimate network to steal information from unsuspecting users who connect to it.

Packet sniffer: A sniffer program used by hackers which targets packets of data transmitted over an unsecured network.

- Don't allow your Wi-Fi to auto-connect to networks.
- Don't access websites that hold your sensitive information.
- Don't log onto a network that isn't password protected.
- Use a VPN to make sure your public Wi-Fi connections are made private.
- Log out of accounts when done using them.
- Only visit sites using HTTPS.
- Disable file sharing.
Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data.

Pretexting: The act of creating an invented scenario to persuade a targeted victim to release information or perform an action.

Baiting: Leaving a flash drive containing malicious code in a public place.

Dumpster Diving: Important and private information can be gathered by simply digging through the garbage.

Phishing: Attempting to gather information in the form of pop-ups and websites masquerading as a trustworthy entity.

- Delete any request for personal information or passwords.
- Reject requests for help or offers of help.
- Set your spam filters to high.
- Secure your devices.
- Always be mindful of risks.
- Use different passwords for different accounts.
With so much data stored digitally today, most firms tend to focus their security efforts on stopping hackers and others from getting in. Unfortunately, our biggest security risk may not come from the outside, but the inside, in the form of current and former partners and employees. The best way to prevent a security breach crisis is to be proactive in following best practices and policies.

Limit Access to Your Most Valuable Data: Keep all records partitioned off so that only those who specifically need access will have it. By limiting who is allowed to view certain documents, you can narrow the pool of employees who might accidentally click on a harmful link.

Third-Party Vendors Must Comply: Limit the types of documents these vendors can view. For those companies that are allowed to view your important data, demand transparency. Make sure they are complying with privacy laws; don't just assume.

Use Only Firm-Based Devices and Systems: It is easier to install security measures on firm-owned devices that can help you locate them or wipe the data if necessary.

Update Software Regularly: All application software and operating systems must be updated regularly. Install patches whenever available.

Use Difficult to Decipher Passwords: Change your passwords regularly. Use upper case letters, numbers and special characters when formulating passwords.
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.

Think Before You Click! Always check the spelling of the URLs in email links before you click or enter sensitive information.

Verify a Site's Security: Before submitting any information, make sure the site's URL begins with "https" and has a closed lock icon near the address bar. Check for the site's security certificate as well.

Use Firewalls: Firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall.

Be Wary of Pop-Ups: Many popular browsers allow you to block pop-ups. If one manages to slip through the cracks, don't click on the "cancel" button. Such buttons often lead to phishing sites. Instead, click the small "x" in the upper corner of the window.
Hackers waste no time, and every time their hacking tactics are exposed, they invent new ones. This time, a user alerted about a new system to hack WhatsApp that masquerades as a message from any of your friends. Here we tell you how it works and how you can protect yourself from a possible attack in this app.

How it works
This new form of fraud begins when the user receives a text message with a 6-digit number on their phone. This supposedly comes from the WhatsApp platform itself. Shortly after, another message arrives, this time in the app and from the chat of one of their contacts: "Hi, sorry, I mistakenly sent you a 6-digit code by SMS. Can you transfer it to me, please? It is urgent." The first message comes to you because hackers are trying to configure WhatsApp with your number on a new device. Upon detection, the app sends a 6-digit authorization code to your cell phone via SMS. If you fall into the trap and share this code with your WhatsApp "contact," your account will be hacked.

Protect yourself from WhatsApp Scam
- Don't share your login details or verification code with anybody, not even your closest family or trusted friends.
- Set up two-step verification to secure your account.
- Be wary of WhatsApp messages requesting money, even if they come from your contacts. If you're not sure, give the friend a quick call to check.

Source: https://www.digitalinformationworld.com/2021
According to a study by the International Data Corporation (IDC), workers spend 28 percent of their workweek reading and answering email. While we try to work faster and more efficiently, we must not forget the social rules that accompany any form of communication. Here are some of the dos and don'ts of email etiquette.

DO
- Do have a clear and descriptive subject line.
- Do use a professional salutation.
- Do proofread your message.
- Do reply to all emails.
- Do keep private material confidential.

DON'T
- Don't forget your signature.
- Don't use humor.
- Don't assume the recipient knows what you are talking about.
- Don't shoot from the lip.
- Don't overuse exclamation points.
A clean desk policy involves removing any sensitive business information from your desk every day. This includes notebooks, business cards and printed documents. A lot of documents, print-outs and notes can pile up in a day! Making sure these are properly filed or disposed of accordingly is the real aim of a clean desk policy. This should be combined with a 'clear screen' policy, logging off every time you are away from your computer.

- Clean working spaces lead to productivity.
- When one person has a clean desk, it inspires others to clean theirs.
- Keeping a clean office space looks good to clients, partners and stakeholders.
- Maintaining a clean desk keeps germs and bacteria away; hence, employees are healthier.
- Clean spaces pave the way for improved office security.

Computer workstations must be locked when the workspace is unoccupied and shut down completely at the end of the workday. Any restricted or sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the workday. Passwords must not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location. All sensitive or confidential information in hardcopy or electronic form must be secured in the work area at the end of the day and when you are expected to be gone for an extended period.
The data breach at credit reporting agency Equifax affected 143 million Americans, giving hackers access to Social Security numbers, addresses, and credit file data. Identity thieves can use this information to destroy your credit, file fake tax returns, collect refunds, and hijack your medical data. The Equifax breach is a reminder that everyone is vulnerable to identity theft. By changing some habits, you can greatly minimize your risk.

Be Less Social: Minimize the amount of data you have on social media platforms. Information like your pet's name or your birthplace is sometimes used to recover account logins. Don't give hackers an easy way into your online accounts.

Put Passwords on Your Devices: Make sure to have passwords on all your devices so that a thief won't have instant access to all your data. Consider using a password management app to create and keep track of them.

Set up Two-Factor Authentication: Make sure Two-Factor Authentication is enabled on all your accounts to protect your credentials from being used by hackers who have stolen a password database.

Don't Give Out Personal Information on the Phone or Through Email or Text: If you get a call, email or text from a retailer, charity or government asking for personal information, there's a chance it's a phishing scam, no matter how real it seems; don't give out your info.

Don't Do Your Online Shopping and Banking at the Local Cafe: Use your own device and a secured network whenever you are doing any kind of transaction.
It's no secret that the technology we use can make us a target for viruses and cyber attacks if not secured properly. When it comes to mobile device use, there is no manual that comes with a phone to teach the user mobile security. In addition, threats are always evolving and adjusting based on our habits. Refer to this infographic, which includes some mobile security tips to keep your device safe.

Keep Your Phone Locked: Lock the screen with a passcode, pattern, fingerprint or facial recognition. Lock when idle for 30 seconds - 1 minute.

Set Secure Passwords: Set strong passwords with upper and lower case, numbers and special characters. Don't reuse the same password.

Keep Your Device OS Up-To-Date: Always update your device's OS once the updates are released.

Connect to Secure WiFi: Beware of networks that aren't password protected. Use a VPN.

Beware of Downloads: Use verified app stores. Look at app reviews, recent updates and app ratings.

Don't Jailbreak or Root Your Phone: Jailbreaking or rooting your phone is when you remove the safeguards the manufacturers have put in place so you can access anything you want.
MYTHS vs REALITY

Myth: A strong password is enough to keep your business safe.
Reality: Two factor authentication and data monitoring are also needed.

Myth: Small and medium sized businesses aren't targeted by hackers.
Reality: Small businesses made up over half of last year's breach victims.

Myth: Anti-virus and anti-malware software keeps you completely safe.
Reality: Software can't protect against all cyber risks.

Myth: Cybersecurity is solely the IT/IS Department's responsibility.
Reality: All employees play a role in keeping a company cybersafe.

Myth: Cybersecurity threats come from the outside.
Reality: Insider threats are just as likely and harder to detect.

Myth: You'll know right away if your computer is infected.
Reality: Modern malware is stealthy and hard to detect.

Myth: Complete cybersecurity can be achieved.
Reality: Cyber preparedness is ongoing, with new threats emerging every day.
Cyber hygiene is a reference to the practices and steps that users of computers and other devices take to maintain system health and improve online security. These practices are often part of a routine to ensure the safety of identity and other details that could be stolen or corrupted. Much like physical hygiene, cyber hygiene is regularly conducted to ward off natural deterioration and common threats.

Document All Current Equipment and Programs: All hardware, software, and online applications will need to be documented. Start by creating a list of these three components:
- Hardware - Computers, connected devices and mobile devices.
- Software - All programs, used by everyone on a particular network, that are installed directly onto computers.
- Applications - Web apps, applications on phones and any other program that isn't directly installed on devices.

Analyze the List of Equipment and Programs: Unused equipment should be wiped and disposed of properly. Software and apps that are not current should be updated and all user passwords should be changed.

Create A Common Cyber Hygiene Policy: The newly clarified network of devices and programs will need a common set of practices to maintain cyber hygiene. Here are typical items that should be included in a cyber hygiene policy:
- Password changes
- Software and hardware updates
- Manage new installs
- Access management
- Backup data

Install Reputable Antivirus and Malware Software: Antivirus software is a program or umbrella of programs that scans for and eradicates computer viruses and other malicious software, or malware.

Use Multi-Factor Authentication: Multi-factor authentication adds additional layers of security with the use of biometrics, like facial or fingerprint recognition, to make it harder for hackers to gain access to your device and personal information.
In 2019, Kaspersky's web antivirus platform identified more than 24 million "unique malicious objects". This number will only continue to increase and with it, our need to learn more about potential threats. Malware is any type of software that seeks to do harm or steal information. It's commonly used to steal personal, financial, or sensitive business information, destroy or lock users out of data and disrupt operations.

TYPES OF MALWARE

1. Bots and Zombies: Used by hackers to take control of your computer without your knowledge. Hackers seek to build botnets, large groups of computers they control, which they then lease out to spammers, extortionists, and others seeking to commit fraud.

2. Viruses and Worms: A virus is malware that "infects" other programs and carries out some mission such as deleting files or stealing information. A worm is similar to a virus, but it is a program of itself and does not infect other programs. It also self-replicates over a network without any user interaction.

3. Ransomware: Ransomware is malware that finds its way into your system, blocks access to your files and data, and demands payment to restore your access.

4. Trojan Horses: Trojan horses deliver malware code in an innocent-looking email attachment or free download. When the user clicks on the attachment or downloads it, the hidden malware inside the Trojan is transferred to the user's device. Once inside, the malicious code can execute whatever task the attacker designed it to carry out.

MALWARE PREVENTION
- Install and run an anti-malware application.
- Do not execute any program on your computer unless you believe it is from a trusted source.
- Never open any emails from unknown senders, especially when they have attachments with the extensions .exe or .vbs.
- Regularly install the latest patches available for your operating system.
- Do not accept programs sent out from instant messaging applications.
- When you download any program from Internet websites, always scan it first.
THANK YOU