Phone Phish

Voice Phishing Scams Are Getting More Clever by Brian Krebs (krebsonsecurity.com)

Fraudsters can use a variety of open-source and free tools to fake or “spoof” the number displayed as the caller ID, lending legitimacy to phone phishing schemes. Often, just sprinkling in a little foreknowledge of the target’s personal details — SSNs, dates of birth, addresses and other information that can be purchased for a nominal fee from any one of several underground sites that sell such data — adds enough detail to the call to make it seem legitimate.

Vishing is getting more sophisticated.

I’ve also seen some very convincing email phishing in the last few weeks with spoofed email headers. It’s made it challenging for my email spam filter to weed out the fakes. I think the best I can do at this point is to never trust these phone calls or emails even if they seem to be coming from legitimate sources. It is best to visit the website of the bank or call the numbers on the back of the card. The risks are too high.
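One check a mail filter can make against header spoofing is whether the visible From: domain actually lines up with what the receiving server verified (the envelope sender and the SPF/DKIM results in Authentication-Results). The script below is an added example, not code from the original post or from Krebs; the two messages, the mail-server name and the domains in them are constructed placeholders.

```python
"""Added example: flag a message whose visible From: domain is not backed by
the SPF or DKIM result the receiving server recorded. This is the alignment
idea behind DMARC applied to results that are already in the headers; it does
not perform SPF or DKIM verification itself.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the From: header claims the bank, but the envelope sender
# and the passing SPF/DKIM identities belong to a different domain.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=pass header.d=mailer.example.net
From: "Example Bank Security" <alerts@examplebank.example>
To: customer@example.org
Subject: Action required on your account

Please confirm your details.
"""

# Constructed sample: every verified identity matches the From: domain.
ALIGNED_MESSAGE = """\
Return-Path: <alerts@examplebank.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.example; dkim=pass header.d=examplebank.example
From: "Example Bank Security" <alerts@examplebank.example>
To: customer@example.org
Subject: Statement available

Your statement is ready.
"""


def _domain(addr: str) -> str:
    """Domain part of an address header value, lower-cased ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _auth_domains(auth_results: str) -> dict:
    """Map each method in Authentication-Results to (result, domain it vouched for)."""
    found = {}
    # The first clause is the authserv-id (the server that did the checks).
    for clause in auth_results.split(";")[1:]:
        parts = clause.split()
        if not parts:
            continue
        method, _, result = parts[0].partition("=")
        for token in parts[1:]:
            key, _, value = token.partition("=")
            if key in ("smtp.mailfrom", "header.d", "header.from"):
                found[method] = (result, value.rpartition("@")[2].lower())
    return found


def _aligned(auth: dict, method: str, from_domain: str) -> bool:
    result, domain = auth.get(method, ("none", ""))
    return result == "pass" and domain == from_domain


def check_alignment(raw: str) -> dict:
    """Compare the From: domain with the envelope sender and verified identities."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    envelope_domain = _domain(msg.get("Return-Path", ""))
    auth = _auth_domains(msg.get("Authentication-Results", ""))
    spf_ok = _aligned(auth, "spf", from_domain)
    dkim_ok = _aligned(auth, "dkim", from_domain)
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # Neither verified identity backs the visible sender: treat as spoofed.
        "suspicious": not (spf_ok or dkim_ok),
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("aligned", ALIGNED_MESSAGE)):
        print(name, check_alignment(raw))
```

A passing SPF or DKIM result on its own proves only that some domain authorised the sending server, which is why the check insists the verified domain equal the From: domain rather than merely be present. A filter that trusts the Authentication-Results header must also strip any copy of that header that arrives from outside, or a sender could supply a forged one.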

Cyber Range

Are Colleges Teaching Real-World Cyber Security Skills? by Adi Shua

SOC analysts must have a large amount of formal knowledge and the analytic abilities to derive actionable insights from the data collected by the company’s various security tools. Moreover, the analyst is expected to use human behavioral and business context to identify threats and make decisions about how to respond to keep the organization safe. However, most junior security staff enter the cybersecurity job market with only theoretical knowledge of what “security” is, lacking practical analytical methodologies, detection techniques and more advanced specialized skills. New graduates often lack the practical analysis and synthesis skills, which leaves them unprepared to face the challenges they will meet in the cybersecurity world.

The 2018 SANS survey states that “gamification of the SOC via simulations, exercises, training or any other form of targeted practice is becoming the standard operating procedure for providing a SOC skill set and an effective way of retaining skilled staff”. Institutions of higher education are starting to address the deep asymmetry between frontal instruction and practical exercises by incorporating a cyber range into their cybersecurity curricula.

I have 15 years of experience in information security. I think I would enjoy a cyber range course and learn something new.

Security Policy Security Failure

Why Your Security Policies Could Be Failing Your Business

For security policies to be followed, they must be known and enforced wherever possible and reasonable. If your users can’t follow your policies due to business process conflicts, or you can’t enforce the rules due to a lack of technology or another shortcoming you’re unwilling to mitigate, then you’re probably better off not having them at all.