INTERNATIONAL FOUNDATION FORCULTURAL PROPERTY PROTECTION
Reposted from WCBV5
The Museum of Fine Arts is making changes after a group of minority middle school students said they were discriminated against during a spring field trip because of their race.
A video that will be sent to schools will outline new procedures at the museum and highlight increased staffing in select galleries.
"The majority of our visits are self-guided, but we don't want that to mean unguided," said Makeeba McCreary, the MFA Chief of Learning and Community Engagement.
On May 16, a group of 26 middle school students and chaperones from Davis Leadership Academy in Dorchester visited the museum. During the visit, students reported that they were met with racism and verbal abuse from visitors and staff during a self-guided tour.
Museum officials said they investigated the four racist incidents that were reported during the field trip. Investigators reviewed security footage of the three-hour visit.
Two visitors who were found to have made racist comments to the students by museum officials had their memberships revoked and were banned from visiting the museum grounds.
The museum also investigated an allegation from a teacher, Marvelyne Lamy, who said an employee greeted students with a slur, "No food, no drink, no watermelon." The museum said that employee recalled telling students "no food, no drink and no water bottles" were allowed in the galleries, which is part of standard operating procedure. Officials said there was no way to definitively confirm or deny what was said or heard in the galleries.
Lastly, the museum responded to the teachers' complaint that a security guard followed the students into the museum. Officials said the class actually visited spaces patrolled by 13 separate security guards.
"Based on surveillance footage, it is understandable that, because of this movement, the students felt followed," officials wrote. "That was not our intention. It is unacceptable that they felt racially profiled, targeted and harassed. In response, the MFA is taking a number of steps to adapt security procedures -- specifically designed to make sure that all people feel welcome, safe and respected at the Museum."
The museum instituted additional training for all front-line staff on how to engage with incoming school groups about policies and guidelines.
“I am cautiously optimistic and encouraged by the work that has happened here," said City Councilor Kim Janey, who represents District 7. "But, again, there is much more work to be done.”
The museum said it will continue to work with school groups as an outside investigation into the reports of racism continues.
See Original Post
Reposted from the BBC
An intruder who broke into the former home of suffragette leader Emmeline Pankhurst was found asleep on bean-bags, a charity has said.
The man was discovered inside Manchester's Pankhurst Centre museum at about 02:00 BST following reports of vandalism.
Museum boss Gail Heath said she arrived to find the building's "beautiful Georgian windows" had been "kicked in".
Repairs to the site, which also offers services for vulnerable women, are set to cost £15,000.
Sash windows, soft furnishings and suffragette costumes were damaged during Tuesday's break-in, said Ms Heath, who estimated the cost of the damage at about £15,000.
She said she was called to the museum in the early hours.
"When I arrive I can see that someone's kicked in our beautiful Georgian windows and when I open the museum door I find someone fast asleep on the bean-bags in the museum," she said.
Security had already been stepped up after a previous break-in just a few days before.
"We don't think much has been taken because of the initial intruders we'd moved some of our most precious stuff out of the way but quite a bit's been damaged," Ms Heath said.
Emmeline Pankhurst founded the Women's Social and Political Union - later becoming known as the suffragettes - at the building at 60-62 Nelson Street in 1903.
Ms Heath said the break-in happened before a series of events to mark the anniversary of founding of the suffragette movement on 10 October.
The centre is also home to Manchester Women's Aid.
A statue of Emmeline Pankhurst was unveiled in Manchester in December to mark a century since British women first voted in a general election.
Reposted from Help Net Security
1 in 50 URLs are malicious, nearly one-third of phishing sites use HTTPS and Windows 7 exploits have grown 75% since January.
A new Webroot report also highlights the importance of user education, as phishing lures have become more personalized as hackers use stolen data for more than just account takeover.
Tyler Moffitt, Senior Threat Research Analyst, Webroot: “We are beginning to see hackers create more personalized phishing emails using data gathered in recent massive breaches, as well as the use of HTTPS and trusted domains to seem more legitimate.
“These tactics take advantage of familiarity and context, and result in unwarranted trust. Businesses and consumers need to be aware of and continually educate themselves about these evolving methods and risks to protect their data and devices.”
Reposted from The Washington Post
The National Security Agency on Tuesday will launch an organization to prevent cyberattacks on sensitive government and defense-industry computers — with an eye also toward helping shield critical private-sector systems.
For decades the agency had a cyberdefense organization, the Information Assurance Directorate (IAD), that focused on safeguarding the government’s classified and sensitive networks, as well as the private sector’s, when asked.
What is new, NSA officials said, is that the agency is hitching together under one roof threat detection, cyberdefense and future-technologies personnel. They are calling it the Cybersecurity Directorate.
“The mission of the organization is to prevent and eradicate threats,” said its director, Anne Neuberger, who reports directly to the NSA director, Gen. Paul Nakasone. “Our focus is going to be on operationalizing intelligence.”
“The cyber directorate is the right idea, period,” said Thomas Bossert, former homeland security adviser to President Trump. “If only our country could combine the NSA cyber directorate with [the Department of Homeland Security’s cybersecurity organization] and trust in our institutions, we could make an even bigger difference for our security.”
The public knows the NSA as a powerful electronic spy agency that collects intelligence by intercepting radio, satellite and phone communications and increasingly by hacking computers of foreign targets overseas. Few know about the agency’s defensive mission to protect digital systems, a job enabled by the data gathered from the “offensive,” or intelligence-gathering, side of the house.
Now the agency — which used to be so secretive that people joked its initials stood for “No Such Agency” — is seeking to be more public in its defensive work. And the new directorate will strive to declassify threat intelligence in a timely manner so it can be used by as many private-sector firms as possible, officials said.
The directorate, ordered up by Nakasone, may have the most impact in the defense industry, analysts say. The NSA’s record there is mixed. In 2011 it conducted a pilot project in which it shared threat “signatures,” or malware samples, with the major Internet providers to the defense contractors. But often the signatures were stale by the time they were shared and so were not that useful to the companies.
Neuberger acknowledged the pilot had challenges. But this time, she said, the data will arrive fresher and faster. Moreover, she said, the key is to get the most useful information to the right hands, including by partnering with the Department of Homeland Security, Neuberger said. DHS, for instance, has begun working with the NSA to identify specific systems within the banking sector that are most vulnerable to hacking so the agency’s threat detection personnel can keep an eye out for them.
One example is “wholesale payments systems,” through which banks facilitate high-value, large-volume financial transactions between banks. “In some cases, [the target] will be the big banks, but it’s also some of the niche players and the boutique software suppliers,” said Christopher Krebs, head of DHS’s Cybersecurity and Infrastructure Security Agency. “We’ll say, ‘These are the things you need to be looking for, the things you need to refine your analytics against.’ ”
The goal, Neuberger said, is “integrating all of our cyber mission so there’s one focus . . . sharing all of our unclassified information as early as possible, as quickly as possible, so we can target that sharing to the right entity and then partner with DHS on critical infrastructure . . . to build the security of that sector.”
One former senior intelligence official praised the NSA for seeking “to have a more active role” in sharing intelligence to protect the private sector. “My only point is they could have been doing this years ago,” said the former official, requesting anonymity to speak candidly about a sensitive matter. “You could have made a decision that the IAD was going to do that. You didn’t need to stand up a new directorate. The authorities were there from day one. It’s just a matter of having the will do to it.”
The new organization also will continue the work that NSA’s cyberdefensive arm has always done — developing security standards for military and commercial technologies. But it will focus as well on future technologies, Neuberger said.
“If you build secure products, it is so much easier and less costly to defend,” she said.
Defense companies expressed an openness to the initiative but are taking a wait-and-see attitude. Overseas partners, meanwhile, are rooting for its success.
If the NSA and DHS can partner effectively in the cybersecurity mission, it “could be incredibly powerful,” said Ciaran Martin, the head of Britain’s National Cyber Security Center. His organization, which is part of Britain’s electronic spy agency, GCHQ, effectively combines under one roof the British equivalent of the cyberdefense components of DHS and the NSA.
The new directorate, he said, “provides the opportunity to take the transatlantic cybersecurity relationship to a new level.”
While a majority (79%) of people say they are able to distinguish a phishing message from a genuine one, nearly half (49%) also admit to having clicked on a link from an unknown sender while at work, according to a Webroot survey.
Further, nearly half (48%) of respondents said their personal or financial data had been compromised by a phishing message. However, of that group more than a third (35%) didn’t take the basic step of changing their passwords following a breach.
Not only is this false confidence potentially harmful to an employee’s personal and financial data, but it also creates risks for companies and their data.
The report surveyed 4,000 office professionals from the U.S., U.K., Japan and Australia (1,000 per region) to determine what people know about phishing attacks, what makes them click on a potentially malicious link and other security habits.
There is no foolproof way to prevent being phished but taking a layered approach to cybersecurity including ongoing user training will significantly reduce risk exposure.
As Forrester points out in its report, Now Tech: Security Awareness and Training Solutions, Q1 2019, “your workforce should treat cybersecurity awareness with the same importance they use for ensuring that their projects, products, and messages are on key with company brand. Invest in solutions that weave security best practices throughout your corporate culture.”
Can your employees spot phishing emails?
Nearly half (48%) of participants say they have had their personal or financial data compromised, but many fail to take basic cyber hygiene action following that exposure:
Security habits leave businesses vulnerable:
Employees are more click happy outside of work:
Nearly two-thirds of respondents (60%) are most likely to open an email from their boss first, compared to:
Cleotilde Gonzalez, Ph.D., Research Professor, Carnegie Mellon University: “Security and productivity are always in a tradeoff. People put off security because they are too busy doing something with a more ’immediate’ reward. These findings illuminate the pertinent need for a mindset makeover, where the longer-term reward of security doesn’t get put on the back burner.”
George Anderson, Product Marketing Director, Webroot, a Carbonite Company: “Phishing attacks continue to grow in popularity because, unfortunately, they work. Hackers and criminals weaponize the simple act of clicking and employ basic psychological tricks to inspire urgent action.
“It is vital that consumers educate themselves on how to protect both their personal and financial data and what steps to take if their information is compromised or stolen.
“For businesses that means implementing regular simulated phishing and external attacks that address the various ways hackers attempt to breach organizations through their users.
“By combining the latest detection, protection, prevention and response technology with consistent attack training and education, IT Security departments can tackle the people, process and technology combinations needed to successfully mitigate attacks.”
Reposted from The Globe and Mail
In 2018, hackers stole 10 gigabytes of data from a Las Vegas casino by compromising a smart thermometer in a fish tank. More than just a source of “phishing” puns, the aquarium breach shows the increasing ingenuity of cyber criminals – and serves as a warning to small- and medium-sized enterprises (SMEs) that might think cybersecurity is only something the big firms need to worry about.
“Your small business can really be a target,” says Paul Furtado, an Ontario-based senior analyst with Gartner Inc., an information-technology research-and-advisory company. He says the more connected our technology becomes, the greater the risk that a humble downstream supplier could find itself in the middle of a serious cyberheist.
“If I’m an agenda-driven hacker or a hacktivist or a nation state, I’m not going to go after the Department of Defence, for example, because chances are they’ve got a very robust cybersecurity program in place,” Mr. Furtado says. “But if Bob and Mary’s Nut and Bolt Shop is a trusted supplier to a company that assembles the frames for military vehicles that they sell to the Department of Defense, I’m going to see how deep I can go through their system to connect ultimately into the Department of Defence.”
SMEs are increasingly becoming targets of cybercrime. Daniel Tobok, a cybersecurity expert who advises corporations globally, says the past 15 months have seen “an explosion” of occurrences of two particular criminal tactics that offer a huge return on investment for criminals. The first is ransomware – malicious software that blocks companies from accessing their own systems until a ransom is paid. A 2018 report by IT company Datto found that Canadian companies face both the highest average ransom cost ($8,764) and the highest cost of downtime per ransomware attack ($65,724). The second type of attack, business e-mail compromise (BEC), uses a company’s own e-mail accounts to defraud employees or customers. In 2018, the Canadian Anti-Fraud Centre received BEC-related reports totalling more than $17-million in losses.
“It’s a real epidemic,” Mr. Tobok says. “Twenty years ago, the big criminals were really only interested in government and bankers and banking associations, because they held a lot of meaty things that they could monetize quickly. But as those enterprises grew more educated and more secure, SMEs are one of the biggest attack vectors for cybercriminals and state-sponsored attacks, because smaller enterprises are not as mature when it comes to their security. Everybody understands they need a roof and a door, but not everybody knows you have to have an alarm and a hungry German shepherd protecting their property.”
Corinne Pohlmann, senior vice-president of National Affairs and Partnerships for the Canadian Federation of Independent Business (CFIB), says many SMEs don’t have adequate cyberprotection in place, simply because they don’t know they need it.
“That’s the biggest challenge,” she says. “Many small and medium enterprises just don’t realize how vulnerable they may be.”
Ms. Pohlmann recommends that SMEs conduct a risk-exposure survey. In addition to identifying their role in supply-chain security, businesses should also look at what data they’re collecting and educate themselves about its street value.
Large data breaches of big companies make headlines – but an unprotected small customer database is equally worth a hacker’s time. According to Symantec’s Internet Security Threat report, just a name or birthday can be worth up to $1.50 on the black market. A scanned passport or driver’s license can command up to $35, and a full ID package (name, address, social insurance number, e-mail address and bank account number) can go for up to $100.
“Any small business that collects electronic customer data, even if it’s Joe Smith’s hardware store, could have hundreds and thousands of names in there,” says Gartner’s Mr. Furtado. “And that makes them a really good target.”
Once an SME knows what it needs to protect, Mr. Furtado recommends engaging the services of a managed security-service provider or a managed detection-and-response provider to help identify their gaps.
“It’s not that SMEs face special threats,” he says. “The challenge is that they usually don’t have the resources in place [to] know how to protect themselves. They need somebody to identify where the gaps are and what resources they need to bring in to fill those gaps.”
In addition to keeping security technology current, CFIB’s Ms. Pohlmann urges business owners to stay educated about the latest scams – and to train their employees to recognize and take protective action against ransomware, BECs and other risks. The CFIB recommends resources such as the Competition Bureau of Canada’s Little Black Book of Scams, which details current cyberfraud tactics.
Fifteen or 20 years ago, says Mr. Tobok, most cyber attacks were “brute force” attempts to compromise IT infrastructure. He now estimates that around 80 per cent of cybercrimes rely on human error, such as tricking someone into sharing sensitive information.
“Bad guys today are attacking people more than attacking infrastructure, because IT and digital security have evolved a lot faster than people’s education and maturity level,” he says. “After a company is breached, we often hear, for example, that it was Suzy in administration who clicked the phishing link that took the whole company down. I always ask the question ‘Did anybody actually train Suzy [on best cybersecurity practices] before pointing the finger at her?’
“We always train our kids to not talk to strangers,” Mr. Tobok says. “Now we’ve got to do the same thing in the workplace, because people don’t understand the danger.”
Reposted from BBC
The email came in like any other, from the company chief executive to his finance officer.
"Hey, the deal is done. Please wire $8m to this account to finalise the acquisition ASAP. Needs to be done before the end of the day. Thanks."
The employee thought nothing of it and sent the funds over, ticking it off his list of jobs before heading home.
But alarm bells started to ring when the company that was being acquired called to ask why it had not received the money.
An investigation began - $8m was most definitely sent, but where to?
We will never know.
Some of the money was clawed back by the banks, but most was lost to hackers who may have cashed out using an elaborate money-laundering network or simply moved on to the next victim.
Meanwhile, the finance officer is left feeling terrible and the company is left scratching its head.
After all, the email had come ostensibly from the boss's address and his account had not been hacked.
It was left to cyber-security experts to break the bad news to the firm: emails are not to be trusted.
This is a real-life example of a cyber-attack known as Business Email Compromise, or CEO Fraud.
The attacks are relatively low-tech and rely more on social engineering and trickery than traditional hacking.
Cyber-criminals simply spoof the email address of a company executive and send a convincing request to an unsuspecting employee.
The message looks just as though it has come from the boss - but it has been sent by an imposter.
There is usually a sense of urgency to the order, and the employee simply does as they are told - maybe sending vast amounts of money to criminals by mistake.
These scams are on the rise and according to the FBI in the US, they have resulted in worldwide losses of at least $26bn (£21bn) since 2016.
Earlier this month, 281 suspected hackers were arrested in 10 different countries as part of a massive takedown operation of global cyber-crime networks based on the scams.
Ryan Kalember, executive vice-president of cyber-security strategy at Proofpoint, said: "Business Email Compromise (BEC) is the most expensive problem in all of cyber-security. There is not a single other form of cyber-crime that has the same degree of scope in terms of money lost."
Proofpoint was appointed to deal with the CEO Fraud incident described in this article.
Mr Kalember and his team have seen the tactics evolve during the past year and have some interesting observations and warnings for potential victims.
The traditional targets for BEC attack are the "C-suite" figures of major companies, such as chief executive officers or chief finance officers.
But recently, criminals have been going for lower-hanging fruit.
"The 'very attacked people' we now see are actually rarely VIPs. Victims tend to have readily searchable emails or easily guessable shared addresses.
"VIPs, as a rule, tend to be less exposed as organisations are generally doing a fairly good job of protecting VIP email addresses now," Mr Kalember added.
The trend has also been noticed by cyber-security company Cofense.
In some cases, employees' emails are spoofed and the attacker asks the human-resources departments to send a victim's wages to a new bank account.
"A smaller but much wider reward system will be a deliberate attempt to fly below the radar to target financial processes that are likely to have weaker controls, yet still produce attractive returns," said Dave Mount, from Cofense.
Another method being seen more regularly is scam emails sent on Monday morning.
According to Proofpoint, more than 30% of BEC emails are delivered on Mondays as hackers try to capitalise on weekend backlogs.
They hope "social jetlag" will mean employees are more easily fooled by fake emails and other social-engineering tricks.
"Attackers know how people and offices work. They depend on people making mistakes and have a lot of experience with what works. This is not a technical vulnerability, it's about human error," said Mr Kalember.
Fake email threads are part of another technique that has evolved.
Attackers start the subject lines of their emails with "Re:" or "Fwd:" to make it look like their message is part of a previous conversation.
In some cases, they even include a bogus email history to establish apparent legitimacy.
According to researchers, fraud attempts that use this technique have increased by more than 50% year-over-year.
Mr Kalember says all these trends follow a predictable pattern based on our own behaviour.
"One of the reasons why this is a particularly difficult problem to stamp out is that it relies on the systemic risk of all of us trusting email as a means of communication," he said.
Unfortunately for businesses and unwitting employees, BEC is unlikely to go away.
Email spoofing is technically very simple, and free-to-use online services offer a low barrier to entry.
But there are lots of things companies and employees can do - including being vigilant and aware of the attacks.
Companies could insist on so-called two-factor verification before a payment is sent.
All of this, of course, relies on people taking a step back from what is often strived for in the workplace - speed and efficiency.
Reposted from CNN Business
The shooter was a man: bald, wearing pants and a button-down shirt, standing in front of me in an office break room, firing a gun.
Shots rang in my ears. A heartbeat thump-thumped around me. A high-pitched noise made it hard for me to think. Seconds later, I heard rapid breathing sounds.
I had to find a way out. I made my way to a tall glass window and decided to smash it. Then I yanked off my virtual-reality headset and took a deep breath.
It was a virtual experience — not even that high-tech, as far as VR goes, and only about 15 minutes long — but it felt distressingly real.
Created by two Seattle-based companies — VR video platform and training startup Pixvana along with tactical training company Alexo — the experience was announced this month with the goal of helping companies prepare their employees for an active-shooter scenario.
According to Pixvana, the first company to try it out was Vulcan, the investment firm of deceased Microsoft (MSFT) co-founder Paul Allen. Vulcan, which is based in Seattle, declined to comment about the training. Pixvana is currently talking to a hospital system that wants it to build specific hospital scenes for its active-shooter training.
If this VR experience sounds jarring enough that it could leave a lasting dent in your memory, that's kind of the point.
"What we're trying to do is a long-term memory effect they can call upon should they find themselves in a violent situation," Alexo founder Drew Hancock, who's also a Seattle police officer and SWAT leader, told CNN Business. But he believes the experience stops short of being traumatic. Instead, Hancock said it is trying to create "somewhat of a stimulus" among viewers, without featuring anything graphic.
The active shooter response training experience is the latest example of companies using VR to train workers for all kinds of on-the-job situations — a hot application for technology that has otherwise seen slow adoption. Walmart (WMT) is using it to prep its employees for Black Friday. Numerous sports teams, especially in the NFL, use VR for realistic off-the-field training. And Seabourn, a cruise line, uses Pixvana to train new waiters on table locations in their restaurant.
Yet while using VR could help people feel more prepared for a violent encounter, some experts who study shootings cautioned that increasingly realistic scenarios may trigger certain people.
"You've got to realize when you reach out to the public that they're all across the board in what they're prepared to deal with," said Pete Blair, a criminal justice professor at Texas State University and executive director of the school's Advanced Law Enforcement Rapid Response Training Center.
While the solution may be a matter of some debate, the problem is strikingly clear. There were 337 mass shootings — defined as at least four people shot or killed on the same occasion, excluding the shooter — in the US in 2018, according to the nonprofit Gun Violence Archive. That number has already topped 300 this year, as of late September.
Many experts in tactical training, including the FBI, believe training for shootings in particular can be helpful. An FBI study of active shooters from 2000 to 2013 noted that even when police were able to get to the scene of the crime in minutes, "civilians often had to make life and death decisions, and, therefore, should be engaged in training and discussions on decisions they may face."
Training for such situations in VR does force people to pay more attention than they would to, say, a lecture and a PowerPoint presentation, if only because you can't check your phone while you've got a headset on your face. And Pixvana isn't the only one suggesting VR training for dealing with gun violence. The US Department of Homeland Security offers a free, video-game-like program called the Enhanced Dynamic Geo-Social Environment (also known as EDGE) for training first responders and school staffers.
By using 360-degree video, Pixvana's approach is more realistic looking. It starts with Hancock instructing you, in VR, on how to deal with a shooter and then drops you into violent scenarios. To make you feel somewhat like you're in the midst of a real active-shooter scenario, the training uses sounds and scenes such as the office and an outdoor plaza.
To tone it down a bit, the lone male shooter is a static figure, rendered in red with a white outline. Brightly colored indicators peppered around the office help give you ideas about what items might work as weapons (a toaster or a bottle, for instance), and what may be your best paths for escape.
"You don't want people so scared that they're not remembering what they're learning," said Rachel Lanham, Pixvana's chief operating officer. "That's not the point."
Pixvana is tapping into what Jillian Peterson, a psychologist and an assistant professor at Hamline University who studies the psychology of criminology, estimates is about a $3 billion industry at the moment. Companies are now coming up with all kinds of technologies and techniques to train people to respond to shootings.
But while there may be a large market for such services, Peterson is concerned that they're not just helping innocent bystanders learn how to cope with a shooting at work or at school: they're also training the very people who could be perpetrators. She said research indicates that about 90% of school or workplace shootings are committed by former students or employees.
It also makes Peterson nervous to put people through simulations in virtual reality in case it triggers a fascination or interest in shootings that wasn't there previously. "If you're suicidal, and you're in crisis, and you have a trauma background, and you have access to weapons, this sort of rehearsal could be problematic," she said.
Pixvana didn't consult with mental health professionals such as psychologists before creating the training, Lanham said.
Hancock does think that if someone previously had a traumatic life experience it could trigger them. He also feels the training should be voluntary and limited to adults, though he can envision it being used by high schoolers.
Reposted from ABCNews
The Department of Homeland Security has announced a "compelling and urgent" framework to combat violent white supremacy.
DHS said the agency hopes to provide an annual state of the Homeland Threat Assessment, which "evaluates the strategic threat environment within the Homeland related to terrorism and targeted violence," according to the report.
The department is looking for a "balanced" approach to combating domestic and foreign actors, and McAleenan said, according to the report, the agency will be deploying some of the same tactics against both groups.
The report specifically outlines domestic terrorism, which DHS defines as "a phrase typically used to denote terrorists who are not directed or inspired by" foreign terror organizations. Domestic terrorists, at least recently, have killed more Americans than foreign terrorists.
The report also noted that, similar to radical Islamists, violent white supremacist extremists "connect with like-minded individuals online."
John Cohen, a former DHS undersecretary and an ABC News contributor, said the department's strategy understands that many violent attacks in the U.S. "are being conducted primarily by native-born individuals."
But Cohen also said the administration needs to acknowledge its own role in the problem, including the fact that words "used by the president and the administration are the same words used by white supremacist thought leaders."
"Law enforcement officers believe his words incite violent acts by white supremacists," said Cohen, referring to President Donald Trump.
Vice President Joe Biden said while on the campaign trail that the President has "fanned the flames" of white supremacy. Trump disagrees.
In a speech just after the El Paso,Texas, shooting that left 22 dead, the president condemned white supremacists and defended himself against such accusations.
"In one voice, our nation must condemn racism, bigotry and white supremacy," Trump said. "These sinister ideologies must be defeated. Hate has no place in America."
Reposted from ZDNet
Nearly all successful email-based cyberattacks require the target to open files, click on links, or carry out some other action.
While a tiny fraction of attacks rely on exploit kits and known software vulnerabilities to compromise systems, the vast majority of campaigns, 99%, require some level of human input to execute. These interactions can also enable macros, so malicious code can be run.
The finding comes from Proofpoint's Annual Human Factor Report, a paper based on 18 months of data collected from the cybersecurity company's customers.
Sometimes it seems easy to blame users for falling victim to phishing attacks, but campaigns are becoming increasingly sophisticated. It's often difficult to distinguish a malicious email from a regular one because attackers will tailor attacks to look as if they come from a trusted source, such as cloud service providers like Microsoft or Google, colleagues, or even the boss.
This social engineering is the key element in conducting campaigns: the report even states that attackers are mimicking the routines of businesses to ensure the best chance of success.
Phishing is one of the cheapest, easiest cyberattacks for criminals to deploy – but the reason it remains a cornerstone of hacking campaigns is because, put simply, phishing works.
"Cybercriminals are aggressively targeting people because sending fraudulent emails, stealing credentials, and uploading malicious attachments to cloud applications is easier and far more profitable than creating an expensive, time-consuming exploit that has a high probability of failure," said Kevin Epstein, vice president of threat operations for Proofpoint.
"More than 99 percent of cyberattacks rely on human interaction to work—making individual users the last line of defense. To significantly reduce risk, organizations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defenses that provide visibility into their most attacked users," he added.
While many phishing attacks are designed to look highly legitimate, there are ways to identify what could potentially be a malicious attack.
For example, unexpected emails that are based around a sense of urgency could be viewed as suspicious. If a user is in doubt, they could contact the supposed sender of the message to see if it is a legitimate message.
It's also worth noting that cloud service providers like Microsoft and Google won't ask users to click through unexpected links to enter login credentials and other information. If a user is suspicious of a supposed login URL, they can bypass the link by going direct to the provider itself and entering their details there.
Organisations should also ensure that software updates and security patches are regularly applied, so in the case of someone accidentally clicking a link, malware that relies on known vulnerabilities can't operate.
ConferenceMembershipTraining & Certification
TRAINING & EVENTS
1305 Krameria, Unit H-129, Denver, CO 80220 Local: 303.322.9667
Copyright © 2015 - 2018 International Foundation for Cultural Property Protection. All Rights Reserved