Cybersecurity updates
Information regarding risks when accessing information, measures to take and habits to cultivate.
At AERTEC we are aware that cybersecurity is everyone’s business. All the technological means at our disposal are of little use if we don’t simultaneously develop the right habits.
On this page, we will update information regarding new threats and the means for combatting them. We will also suggest habits for minimising risks when using computers. Shall we begin?
Updates February 24, 2022
Ransomware attacks
Government agencies in the United States (FBI, CISA and NSA), Australia (ACSC) and the United Kingdom (NCSC) have issued a joint advisory to warn about the rise in ransomware attacks that has been seen in recent months, with the following trends being observed:
✓ Vectors most commonly used: phishing, compromised credentials, brute force attacks and exploitation of vulnerabilities.
✓ Criminal organisations exchange and sell information to each other (victims, vulnerabilities, attack methods, etc.) and they join forces to share the benefits. Professionalisation and specialisation of organisations in specific activities within the attack chain.
✓ The market known as “services-for-hire” is now firmly established.
✓ Selecting targets with the biggest impact: cloud services, managed service providers, industrial processes and the supply chain.
✓ Attacks are carried out during holidays or weekends to take advantage of the victim’s limited ability to respond.
Recommendations to mitigate the risks:
- PHISHING -> monitor emails and chat messages on PC’s and mobile devices.
- COMPROMISED CREDENTIALS-> use two-factor authentication tools whenever possible. If this is not possible, use unique passwords for each service and make sure that they are strong enough (over 16 characters that cannot be guessed easily). Use a password manager like Keepass.
- BRUTE FORCE ATTACKS-> these happen daily in O365 accounts. Use the same precautions as for compromised credentials.
- EXPLOITING VULNERABILITIES -> Apply updates and patches regularly: operating system, office suites, browsers, etc.
Recommendations to prevent any loss of information:
- Back up important information in the personal network folder.
- Email is not a document management tool Delete any important or unused information, which may be stolen at any time by simply stealing the password.
Updates October, 22, 2021
Data leaks
There are data that can be taken automatically from public profiles on LinkedIn, Twitter, Facebook and other social networks and that can be processed and cross-referenced with other social networks.
This is not exactly a data leak or data theft, in spite of being monetised by cybercriminals by selling them on hacking forums, as the data can be used to obtain a more complete profile of potential victims with the aim of subsequently carrying out phishing/vishing campaigns with a high success rate.
The following data is usually taken from public profiles: email, company employees, geographical location, education, current and previous jobs, name, telephone numbers, other linked profiles, etc.
How can you find out if your account and profile have been compromised?
Haveibeenpwned.com is a website launched by Troy Hunt, a cybersecurity expert, that allows you to check if an email address appears in a data leak or security breach.
Security recommendations to be followed by every user:
Check whether your email, which you use in a specific social network, appears in any data leak informed by Haveibeenpwned.com.
If so, follow these guidelines:
- Do not use the corporate account to subscribe personal services
- Bear in mind that LinkedIn is also a personal social network; therefore, you must change your LinkedIn email account for a personal email account
- Change the password
- Have different passwords for each service in order to prevent a leak or compromising a service that affects others
- Using a complex password, with more than 15 alphanumeric characters, is recommended
- Enable two-factor authentication in each service, whenever possible
- Limit as much as possible your personal information on the internet
- Configure the privacy settings so that the email account and other data are not publicly visible on your profile
By implementing these measures, you will not be fully protected, but you will make it a bit more difficult for those who want to fraudulently use your data.
Updates September, 7, 2021
Disinformation campaigns
While we all use the Internet as a source of information, we may not be aware that some of the news that comes to us is not only false, but has been deliberately manipulated. If we also rely on this information for our professional activity, it could cause significant damage to the reputation of the organisation.
Far from being jokes in bad taste or isolated lies, fake news is often part of complex disinformation campaigns aimed at influencing certain groups and constitutes a type of cyber-attack designed to weaken people, companies, organisations and even countries.
In the case of companies, the perpetrators of attacks may be other companies or interest groups whose goal is to discredit the brand in the face of potential competition in a specific market or to give it a competitive advantage when developing a product or service.
In the case of countries, the perpetrators of attacks are usually governments or subnational groups, which use them as another weapon to achieve their geostrategic objectives. Some countries have acknowledged that they have carried out these types of actions in the past. In fact, it is well-known that this activity is ongoing and will continue in the future.
Ask yourself the following: considering the current situation in Afghanistan, are you able to determine which information you receive daily is reliable, doubtful or utterly false?
Against this backdrop, the Spanish Cryptologic Centre (CCN) has created a guide for citizens who use digital media, where it explains the methodology and consequences of disinformation campaigns, as well as their key elements, and offers a set of recommendations to avoid being manipulated.
Take advantage of the following relevant information:
- Security decalogue against disinformation campaigns, published by CCN-CERT (click here)
- Guide on Good practices in the field of disinformation (PDF, 5.4 MB) (click here)
And, of course, you can submit your queries directly to our cybersecurity department.
Updates April 22, 2021
Data leaks
Recently, there have been reports of data-related incidents in large companies such as Facebook, Linkedin and The Phone House.
The data accessed includes information such as full names, dates of birth, ID numbers, bank accounts, mobile phone numbers, email and physical addresses or places of employment. All this data is more than enough to carry out other phishing attacks or collect data with social engineering techniques in order to access more sensitive data.
The recommendations are the same as always:
- To check if your email address or telephone number have been leaked on the web, visit either Have I Been Pwned: Check if your email has been compromised in a data breach or Firefox Monitor
- Do not use your work email for external services unless absolutely necessary, in order to avoid exposing it to attacks after a leak.
- Reinforce the security of your password for the email account you have used for these services.
- Change the account password of these services.
- When changing, do not use the same password for different services to prevent a leak in one from affecting other accounts.
- Enable two-factor authentication for all external services that provide it.
- Do not give excessive permission to these services. For example, do not give Facebook permission to authenticate you for other services as this would allow an attacker to access more personal services outside of Facebook.
- Finally, be aware that it is possible to use leaked data to:
- Search our activity on Internet and access more personal information.
- Search for personal or professional relationships with other people.
- Use all this data to perform more credible and targeted phishing, not only via email, but also through calls and SMS.