Infosec Cloud
Solutions. Services. Training.

Phillips Solicitors reinforces Cyber Attack Protection with Security Awareness Training and Testing

Phillips invests in end user IT Security Awareness Training and Testing, to protect both their own data and networks, and those of their clients.

Based in the heart of Basingstoke since 1986, the firm works towards achieving the best outcomes for their employees, clients and the local community. However, by holding confidential and sensitive client information, including financial details, Phillips, like all legal firms, is an attractive target for cyber criminals.

Aware of their responsibility to their clients, Phillips was one of the first law firms in Hampshire to be awarded Cyber Essentials Plus accreditation. The Cyber Essentials scheme identifies the security controls an organisation needs in place to help defend against Internet-borne threats.

A key element of the accreditation is to ensure all partners and staff understand security issues, applicable company policies and how to identify and terminate potential cyber attacks. To meet this need, Phillips initially planned to run their own security awareness training, but upon evaluating the market they chose the fully managed awareness training and testing service provided by Infosec Cloud.

Mike Worth, IT Manager, Phillips Solicitors commented: “The Infosec Cloud service was extremely competitive, yet more importantly offered a good, helpful service and strong understanding around Security Awareness and the impact on regulated businesses.”

Impressed by the results, Phillips has just recently renewed to continue the service for a third year, confident that all partners and staff are informed, empowered and cyber security vigilant.

Training and Testing

Infosec Cloud provides an integrated programme of online training and bespoke, random test phishing emails. Vulnerable employees who fall for the emails after the initial training are provided with immediate remedial training.

This fully managed service has been designed by experts in cyber security and training. A dedicated team manages training delivery and tracking, and uses information in the public domain to build customised test cyber-attacks.

Cyber Security Aware

Back in 2014, Phillips Solicitors were already improving staff awareness around cyber and data security. However, the firm quickly appreciated the necessity and benefit of delivering a structured and continuously reinforced Security Awareness Programme.

The firm chose to work with Infosec Cloud as the combination of awareness training and customised cyber-attack testing guaranteed a change in employee behaviour.

Plus, being fully managed, there were no additional demands on the IT team.

“Our security awareness has significantly increased and continues to do so as a direct result of the service Infosec Cloud provides. Their methodical approach along with expertise ensures that we achieve a measurable return on investment,” added Mike Worth, IT Manager, Phillips Solicitors.

Since purchasing SATT from Infosec Cloud, Phillips has purchased other services and is looking to further strengthen the relationship. Phillips has been impressed by Infosec Cloud’s extensive cyber security expertise, industry knowledge and understanding of specific client requirements.

Infosec Cloud is an established IT Security reseller and managed services partner. The company offers a comprehensive portfolio of cloud-based, hybrid and on-premise IT security, productivity and compliance solutions, plus video-based, measurable employee security and GDPR awareness training.

Click Here for more information on our Security Awareness Training and Testing service >>


    Are your legacy software applications letting hackers in?

    Guest Post: Chris Lund
    SecurEnvoy

    It’s a real challenge for any IT administrator to stay on top of network security against a constantly changing threat landscape.

    The traditional network edge is now all but non-existent thanks to BYOD, homeworking and cloud-based software, and there are inevitable compromises to the hardness of network security as a result.

    While it’s a considerable task to keep up to date with the various patches and updates for the newer tools, when breaches do happen, it’s often through older legacy tools that hackers gain access. 

    It’s hardly surprising: business software and infrastructure has evolved enormously in the last few years. The platforms on which businesses have relied for 10, 15 years or more were conceived for a different – dare I say a more innocent – era. They were designed to be housed in closed networks with fewer devices, and as a result their security features, adequate for the times, are no longer fit for purpose.

    Exacerbating the problem, if those platforms are no longer the backbone of your business software stack, but now fulfill a supporting role, then it’s quite feasible they’ve not received the attention they should from your system admins.

    And this is exactly the weakness which hackers thrive on, and through which so many large-scale breaches have been instigated.

    Now you might be thinking that old database of outdated customer contacts is of no value to a hacker. But to do so is to misunderstand the dynamics of a hacking attack completely.

    The truth is, legacy platforms are often the gateway into the system that eventually leads to a far more serious breach.

    Credential-based attacks primarily involve hackers gaining access to weaker parts of the network, such as those legacy applications, using stolen credentials. They then use these as a platform to move laterally through the network, often over an extended period of time, eventually gaining access to core systems and critical business data through re-used passwords, sloppy integrations, or by installing keyloggers on unsuspecting users’ machines. In unprotected networks, this can cause havoc, leaving the door open to subsequent follow-up attacks or crippling loss of data.

    Scary stuff. So, what can be done about it?

    Multi-factor authentication (MFA) solution providers make much of their ability to easily protect the latest web apps and endpoint devices with a tokenless, single-sign-on MFA solution.

    But that’s not where the protection capabilities of our partner’s SecurAccess end. Far from it. SecurAccess is designed to integrate with all major firewall, VPN and network infrastructure tools, enabling network-wide MFA protection.

    Plus, the beauty of implementing tokenless MFA at the network level is that it works in tandem with your firewall.

    In doing so, not only does it enable authentication at the network edge, it also allows multiple SSO access levels for different user groups, or enforces authentication when access to other, higher-value areas of the network is requested. By authenticating at the traffic level, a solution such as this means that even where an attacker has managed to obtain a correct username and password, they are blocked from establishing further access.

    From a security perspective this is powerful stuff: It’s not quite the silver bullet in dealing with sloppy password practices and malicious phishing attacks, but it’s a powerful tool in your armoury.

    Learn more about how SecurAccess works with Cisco, Citrix, Palo Alto and other infrastructure providers to deliver network-wide security, by requesting a call with one of our consultants here.

    Cyber Security Awareness Training & Testing (SATT) shortlisted for British Legal Awards

    Infosec Cloud is delighted to have been shortlisted for this year’s British Legal Awards. The company’s Security Awareness Training and Testing (SATT) managed service has been recognised as a finalist for the Supplier of the Year (Technology) Award.

    Organised by ‘Legal Week’, the awards will be judged by an independent panel of judges made up of senior in-house lawyers, former managing and senior partners and other senior business figures.

    Infosec Cloud’s entry focuses on the company’s Legal Sector Security Awareness Training and Testing (SATT) managed service, developed to stop IT End Users causing security incidents.

    Holding high value information and financial details, legal practices and partnerships are particular targets for cyber criminals. Plus, firms have a high proportion of senior staff members who may be reluctant to follow corporate security procedures, and staff are under increasing time and workload pressures, making them even more vulnerable to today’s sophisticated cyber-attacks.

    To help the legal sector protect their data, clients and reputation, and following an in-depth market evaluation, Infosec Cloud developed their own fully managed Security Awareness Training and Testing (SATT) service. The service was launched in 2014.

    Today, nearly 80,000 IT End Users, across the UK, are enrolled on the Infosec Cloud SATT service. Legal customers include many of the top 200 law firms and all grade the service as ‘meets or exceeds expectations’ (quarterly satisfaction survey). The SATT service is applicable to organisations of all sizes, whether national or regional, plus the company is working with both LEXCEL assessors and Law Firm Networks.

    Commenting on the awards, Infosec Cloud Managing Director, Pete Sherwood says: “Being shortlisted for this award is great recognition for the service we have developed and the value it is providing to the Legal Sector in terms of keeping Firms and Partnerships cyber safe.”

    Security awareness training is not new, however the way that it is delivered, tracked and kept front of mind by Infosec Cloud is new. The SATT service comprises both training and ongoing testing with focused remedial training. The company has invested in a dedicated SATT team that researches, builds and tracks the simulated cyber-attacks, with bespoke content created for each customer.

    The SATT service is fully managed so that there are no additional time requirements for the IT team. Plus as an ‘independent’ third party, Infosec Cloud ensures all staff, regardless of seniority, are included.

    Click here for more information on the SATT service >>

    The British Legal Awards serve as a showcase for the achievements of one of the country’s most successful sectors. Hosted by Legal Week in association with The City of London Law Society, the glittering awards ceremony is attended by 1,000 lawyers, representing the cream of the UK’s legal community. This year’s ceremony will take place on Thursday 30 November at Finsbury Square, London EC2.

    More information on the Awards >>

    Deloitte hacked using a stolen admin password

    It was revealed last week that Deloitte was hit by a major cyber attack that compromised its email system and certain client records.

    The attack was achieved by knowing the password of a single system administrator.

    With that simple piece of information, the hackers were able to gain access to Deloitte’s email services and, according to some reports, extract several gigabytes of data containing the content and details of clients’ email messages and attachments.

    The initial report of the Deloitte breach came from the Guardian, which revealed hackers had compromised the “confidential emails and plans of some of its blue-chip clients.” In response, the firm confirmed it had suffered a cyber-attack, but played down the significance by saying “only very few clients were impacted.”

    Well-respected security journalist Brian Krebs cites sources close to Deloitte who suggest the hack was likely more severe than that. The sources claimed the hackers accessed the entirety of the firm’s internal email database and all administrative accounts.

    This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free rein in the network for ‘a long time’ and that the company still does not know exactly how much total data was taken.

    Meanwhile, Krebs’ sources say Deloitte has yet to identify the full pervasiveness of the attack.

    For a key system to rely simply on user name and password for access is a fundamental failure of security, and one that could easily have been fixed by the addition of multi-factor authentication (MFA).

    MFA provides maximum flexibility and ease of use, and can be rapidly introduced – thereby ensuring that a lost password no longer offers hackers an easy way into your organisation. Read our guide to choosing the right MFA solution to meet your specific needs.

    Request the MFA Buyer’s Guide:


    Implications of the Equifax Data Breach

    Credit-reporting company Equifax Inc. disclosed last Thursday that cyber criminals had gained access to some of its systems, compromising the personal data of up to 44 million British consumers.

    The information commissioner has said that it is investigating how the hack on Equifax, a US credit rating firm, affected UK customers, many of whom will be unaware their data is held by the company.

    Equifax and its UK subsidiary companies state on their websites that they represent British clients including BT, Capital One and British Gas.

    This latest data breach will lead to a spate of phishing emails with credit card related themes, which are sometimes very hard to resist because money is at stake. Training employees to correctly spot social engineering hooks is essential.

    How many of your employees would click on this email:

    Equifax Notification Email

    Everyone needs to look out for:

    *  Phishing emails like the example above that claim to be from Equifax
    *  Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information
    *  Calls from scammers that claim they are from your bank or building society
    *  Fraudulent charges on any credit card because your identity was stolen

    ICO Deputy Commissioner James Dipple-Johnstone said: “We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised. We will be advising Equifax to alert affected UK customers at the earliest opportunity.”

    A spokesman for BT said: “We are aware of the developing story and are monitoring the situation closely. Like many companies in the UK, BT uses Equifax services. We are working on establishing whether this breach has any impact on those services.”

    Find out how to ensure your IT end users are cyber-security aware >> http://www.infosec-cloud.com/security-awareness/

    2016 Research – Cyber Attacks on Law Firms Increasing

    73% of top 100 law firms targeted in 2016

    The 2016 PwC Law Firms Survey reports that an increasing number of security incidents are being experienced across the UK legal sector. The research found that 73% of the UK top 100 law firms were the target of attacks last year.

    Although larger firms are the greatest target, all law firms are targets for cyber-crime due to the confidential information held and the large volume of client funds retained. The very nature of law firms makes them an attractive target.

    Key findings:

    *  Information security is a significant area of risk to the legal industry with 73% of all law firms reporting they had suffered from a security incident.
    *  The most common incidents relate to phishing attacks (malicious emails) and infection by viruses/malicious software, with 84% and 55% of firms respectively stating they have suffered one such incident during the past 12 months.
    *  Whilst there is an increasing threat from outsiders, 41% of all law firms report that they have suffered incidents as a result of their own staff.

    Security awareness training and simulated, random cyber-attack testing is proven to actually change staff behaviour and build a human firewall of vigilant, empowered employees.

    Download the Legal Sector Guide to Security Awareness Training and Testing (SATT) >>

    Are employees your greatest risk?

    The Business Debate: Can the greatest asset of a business also be one of its greatest risks?

    Interview with Paul Hopkins, Technical Director, Institute of Risk Management.


    Minimise ‘people risk’ with Security Awareness Training and Testing >>

    Hidden Dangers of HTML Attachments

    Over the last six to nine months, we’ve seen a lot of malicious .DOC and .JS file attachments, used mainly for ransomware attacks.

    However, our researchers have spotted an up-and-coming trend: malicious HTML “attackments” used for credential phishing. Cyber criminals are using .HTML attachments to spoof bank login pages, popular online services and secure messages from financial institutions.

    There are a couple of reasons why cyber criminals have taken a liking to HTML:

    1. Reduced chance of AV detection

    Carefully crafted .HTML files can reduce the chances that phishing emails carrying those attachments will be stopped by email security software or devices. While .EXE and Office files (.DOC, .XLS, etc.) pose obvious threats in a Windows environment and have a long history of being used in malspam (malicious spam email), .HTML files are not commonly associated with email-borne attacks — at least not recently (several years ago they were being used to deliver malicious JavaScript). Moreover, .HTML files can be used to embed URL redirects to evade AV scanners that check only URLs appearing in the bodies of emails. HTML files can also be used to deliver obfuscated web pages (usually base64 encoded) that might slip past even scanners that do check .HTML attachments.

    2. User familiarity

    Although your users and employees may not recognise the potential threat of .HTML attachments, that doesn’t necessarily mean they aren’t familiar with them. HTML attachments are commonly used by banks and other financial institutions to deliver secure documents and messages as well as to enable users to conduct banking business in a secure environment.

    User Education is your best defence:

    Inevitably, your filters are going to miss some of these, and we suggest you send the following to your employees as part of your ongoing awareness campaign:

    Internet criminals never stop trying to get past our spam filters and trick you into clicking on phishing links or opening malicious email attachments.

    This is a warning against a new type of attack that uses an HTML attachment which tries to scam you into entering your user name and password.

    HTML attachments are often used by banks for secure messages, so you might think that these are always safe. They are NOT. If you get an email with an HTML attachment, be just as careful as always and do not open it unless you have asked for it, or have verified with the sender that the attachment is legitimate.

    Remember: Always Think Before You Click!

    Regular Security Awareness Training is critical to ensuring that your employees recognise and correctly respond to the actual threats they will encounter. Find out how affordable this is for your organisation – less than £1/user/month.

    If you do not like to click on redirected buttons, here is a link you can cut and paste:
    http://www.infosec-cloud.com/security-awareness/free-security-awareness-training-quote/

    Recognise phishing emails, links, or phone calls

    Phishing emails, websites, and phone calls are designed to steal money and data. Cybercriminals can do this by installing malicious software on your computer or stealing personal information from your computer.

    Cybercriminals also use social engineering to convince you to install malicious software or hand over your personal information under false pretenses. They might email you, call you on the phone, or convince you to download something from a website.

    What does a phishing email message look like?

    Here is an example of what a phishing scam in an email message might look like.

    Example phishing email (image)

    • Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies or organisations usually have a staff of copy editors that will not allow a mass email like this to go out to its users. If you notice mistakes in an email, it might be a scam.
    • Beware of links in email. If you see a link in a suspicious email message, don’t click on it. Rest your mouse (but don’t click) on the link to see if the address matches the link that was typed in the message. In the example below the link reveals the real web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company’s web address. Links might also lead you to .exe files. These kinds of files are known to spread malicious software.

    Malicious link image

    • Threats. Have you ever received a threat that your account would be closed if you didn’t respond to an email message? The email message shown above is an example of the same trick. Cybercriminals often use threats that your security has been compromised.
    • Spoofing popular websites or companies. Scam artists use graphics in email that appear to be connected to legitimate websites but actually take you to phony scam sites or legitimate-looking pop-up windows. Cybercriminals also use web addresses that resemble the names of well-known companies but are slightly altered.
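    The two passages above describe the same indicators from two angles: the "Hidden Dangers of HTML Attachments" post lists what a malicious .HTML attachment tends to contain (a redirect, a base64-encoded page, a login form), and the "Beware of links in email" point describes what a user sees when hovering (link text that does not match the real destination, raw IP addresses, .exe downloads). The following scanner is an added example written for this page, not Infosec Cloud's, Microsoft's or any vendor's code; it uses only the Python standard library, and the indicator names, the 120-character base64 threshold and the two sample messages (one benign, one suspicious, using the 203.0.113.0/24 documentation range) are all constructed assumptions.

```python
"""Indicator scan for HTML e-mail bodies and .html attachments (added example).
Flags the signs discussed on the page: redirects, base64-obfuscated pages,
password forms, link text that does not match the href, raw-IP and .exe links.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator patterns; the 120-char base64 threshold is an assumption for this example.
META_REFRESH_RE = re.compile(r'url\s*=\s*(\S+)', re.I)
JS_REDIRECT_RE = re.compile(r'location(?:\.href)?\s*=|location\.replace\(', re.I)
BASE64_BLOB_RE = re.compile(r'[A-Za-z0-9+/]{120,}={0,2}')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
URLISH_TEXT_RE = re.compile(r'(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


class _Collector(HTMLParser):
    """Collect anchors (href, visible text), meta refreshes, script bodies, password inputs."""
    def __init__(self):
        super().__init__()
        self.anchors, self.meta_refresh, self.scripts = [], [], []
        self.password_inputs = 0
        self._href, self._in_script, self._text = None, False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'a':
            self._href, self._text = a.get('href', ''), []
        elif tag == 'meta' and a.get('http-equiv', '').lower() == 'refresh':
            m = META_REFRESH_RE.search(a.get('content', ''))
            if m:
                self.meta_refresh.append(m.group(1))
        elif tag == 'script':
            self._in_script, self._text = True, []
        elif tag == 'input' and a.get('type', '').lower() == 'password':
            self.password_inputs += 1

    def handle_data(self, data):
        if self._href is not None or self._in_script:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.anchors.append((self._href, ''.join(self._text).strip()))
            self._href = None
        elif tag == 'script':
            self.scripts.append(''.join(self._text))
            self._in_script = False


def scan_html(html):
    """Return a list of (indicator, detail) tuples for one HTML document."""
    findings = []
    p = _Collector()
    p.feed(html)
    p.close()
    for href, text in p.anchors:
        parsed = urlparse(href)
        host = (parsed.hostname or '').lower()
        if IPV4_RE.match(host):                       # "string of cryptic numbers"
            findings.append(('raw_ip_link', href))
        if parsed.path.lower().endswith('.exe'):
            findings.append(('executable_link', href))
        m = URLISH_TEXT_RE.search(text)               # visible text looks like a domain
        if m:
            shown = m.group(1).lower()
            if host and shown != host and not host.endswith('.' + shown):
                findings.append(('link_text_mismatch', f'{text} -> {href}'))
    for target in p.meta_refresh:
        findings.append(('meta_refresh_redirect', target))
    for body in p.scripts:
        if JS_REDIRECT_RE.search(body):
            findings.append(('script_redirect', body.strip()[:60]))
        if 'atob(' in body or 'unescape(' in body:    # in-browser decoding of a hidden page
            findings.append(('script_decoder', body.strip()[:60]))
    for blob in BASE64_BLOB_RE.findall(html):
        raw = blob.rstrip('=')
        decoded = base64.b64decode(raw + '=' * (-len(raw) % 4))
        if decoded.lstrip().startswith(b'<'):         # the blob is itself markup: peel it
            findings.append(('base64_html_payload', blob[:24] + '...'))
            inner = decoded.decode('utf-8', 'replace')
            findings.extend(('decoded:' + k, v) for k, v in scan_html(inner))
    if p.password_inputs:
        findings.append(('password_form', f'{p.password_inputs} password field(s)'))
    return findings


def indicator_names(html):
    """Set of indicator names raised for the document, for quick triage."""
    return {name for name, _ in scan_html(html)}


# Constructed samples (not real messages). The benign one carries an inline image, which is
# also base64 but decodes to PNG bytes rather than markup, so it is not flagged.
BENIGN = """<html><body><p>Your statement is ready.</p>
<a href="https://www.example-bank.co.uk/login">www.example-bank.co.uk</a>
<img src="data:image/png;base64,iVBORw0KGgo="></body></html>"""
PAYLOAD_HTML = ('<html><head><title>Secure message</title></head><body>'
                '<form method="post"><input type="password" name="pw"></form></body></html>')
PAYLOAD_B64 = base64.b64encode(PAYLOAD_HTML.encode()).decode()
SUSPICIOUS = f"""<html><head><meta http-equiv="refresh" content="0; url=http://203.0.113.7/verify"></head>
<body><p>Your account has been locked. Click <a href="http://203.0.113.7/login.exe">www.example-bank.co.uk</a>
to restore access.</p><script>document.write(atob("{PAYLOAD_B64}"));</script></body></html>"""

if __name__ == '__main__':
    for label, doc in (('benign', BENIGN), ('suspicious', SUSPICIOUS)):
        print(label, sorted(indicator_names(doc)))
```

    The scanner is deliberately a triage aid rather than a verdict: `link_text_mismatch` accepts subdomains of the displayed name, the base64 check only reports blobs that decode to markup (so legitimate inline images pass), and the one layer of decoding mirrors the "obfuscated web page" trick without trying to emulate a browser. Anything it raises is a reason to hold the message for a person to look at, which is exactly the behaviour the awareness text above asks of users.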

    Beware of phishing phone calls

    Cybercriminals might call you on the phone and offer to help solve your computer problems or sell you a software license.

    Once they’ve gained your trust, cybercriminals might ask for your user name and password or ask you to go to a website to install software that will let them access your computer to fix it. Once you do this, your computer and your personal information is vulnerable.

    Treat all unsolicited phone calls with skepticism. Do not provide any personal information.

    Report phishing scams

    If you receive a fake phone call, take down the caller’s information and report it to your local authorities.

    You can use Microsoft tools to report a suspected scam on the web or in email.

    • Internet Explorer. While you are on a suspicious site, click the gear icon and then point to Safety. Then click Report Unsafe Website and use the web page that is displayed to report the website.
    • Outlook.com (formerly Hotmail). If you receive a suspicious email message that asks for personal information, click the check box next to the message in your Outlook inbox. Click the arrow next to Junk and then point to Phishing scam.
    • Microsoft Office Outlook 2010 and 2013. Right-click the suspicious message, point to Junk, and then click Report Junk.

    You can also download the Microsoft Junk E-mail Reporting Add-in for Microsoft Office Outlook.

    Source: http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx

    Find out how to train your IT End Users to be Cyber Security Vigilant – and protect themselves and your organisation >>

    Verizon: Enterprises fail to protect against phishing

    The ninth annual Verizon Data Breach Report has bad news on multiple fronts, including click-through rates on phishing messages, how long it takes companies to detect breaches, and even whether companies spot the breaches at all.

    Phishing emails continued to be a primary starting point for attacks, said Bryan Sartin, executive director, global security services at Verizon.

    The number of phishing email messages that were opened hit 30% in this year’s report, up from 23% last year.

    In addition, 12% of users don’t just open the email but open the attachment as well, while 11% follow links in the email to online forms where they then input sensitive data such as login credentials.

    The vast majority of the attacks (89%) were by financially-motivated crime syndicates, and 9% by state-affiliated actors.

    Also interesting is how phishing fits into the larger pattern of stealing credentials:

    Verizon DBIR Report 2016 phishing

    Find out how End User Security Awareness Training is the first line of defence against phishing attacks.
    Click Here >>