The captions beside the reCAPTCHA images ask users to “click allow to verify you’re not a robot”.

According to Sucuri, the script that redirects users is served from two separate domains: eeduelements.com and allyouwant.online. It estimates that the script served from the former domain has infected 1,700 websites, while the latter has infected 500 websites.

It also alleges that both the tagDiv Newspaper theme and the Ultimate Member plugin are the “main contributors to this wave of infections”.

According to the WordPress plugin repository, the Ultimate Member plugin has been installed more than 100,000 times, while tagDiv’s Newspaper theme has been purchased more than 65,000 times on popular WordPress theme repository ThemeForest.

In tagDiv’s case, the vulnerability appears to be an old one that has since been patched.

The Ultimate Member plugin was also updated on 13th August; however, it’s believed that announcements accompanying that update may have led to more attempts to exploit the vulnerability before WordPress administrators had an opportunity to update their plugins.

Sucuri’s estimate on the scale of the infections was pulled from Public WWW, a premium “search engine for source code”. Public WWW will only indicate the presence of source code if that source code is in its database.

In other words, Sucuri’s estimate only hints at the potential scale of the infection.

The security firm also reports that non-WordPress websites may have been infected. It states:

“If [an] account has more than one site, all the sites will be infected (even if they don’t have the Ultimate Member plugin or any vulnerable components).

“Non-WordPress sites will be infected too. Moreover, all neighboring sites that share the same account will continue to be reinfected unless all of them are properly cleaned and hardened”.

It recommends all webmasters utilizing tagDiv’s Newspaper theme or the Ultimate Member Plugin update to the new versions as soon as possible. It outlines further steps webmasters can take to mitigate the infections in its blog post (linked above).

Not enough? The following statistic will blow your mind:

By the end of 2017, the average user was receiving 16 malicious emails per month.
—Symantec, from the company’s 2018 Internet Security Threat Report 

Given how bad the digital landscape is right now, I thought it was time to let folks know how best to protect themselves from this kind of hacking.

Part II: How Phishing Looks in Email

[Screenshot: three examples of phishing emails]

Just because something looks familiar, doesn’t mean that it is.

Most phishing attacks are designed to do one thing very well: fool you. Specifically, they’re designed to fool you into thinking that you’re going online to do the things that you normally do, such as logging into Facebook, Amazon, Google or Apple. The cunning ones are designed to make you believe that you’re logging into your bank or credit card website.

The problem, of course, is that you’re not actually doing these things: instead, you’re logging into something that only looks like your favorite social media or financial websites and, without realizing it, providing your username and password to a “front” website operated by hackers who collect your data and use it to take advantage of you and others.

Pictured above are three examples of what a typical phishing attack can look like. But those are just examples from the interwebs: let me show you something from my own email inbox, ok? Here’s something I just got yesterday and lucky me: I’ve won a prize! From Google, no less! I’ve made the image quite large, so you can see some of the obvious signs that this is a phishing attack. You’ll note that I made use of the button in Gmail — in the red box at top left — that allows you to “show details” about any email you receive.

[Screenshot: the “Google prize” phishing email with its details expanded]

Strike 1: In the green box at the top, you’ll note that the actual email address doesn’t look recognizable or like a valid Google email address. RED FLAG!

Strike 2: In the pink box at center, you’ll note that the URL doesn’t look standard, recognizable or known. RED FLAG!

Strike 3: In the orange box, you’ll note that whoever sent this email didn’t proof for proper grammar. That rarely happens with corporate emails. RED FLAG!

Strike 4: In the blue box, you’ll note that the website that delivered this email has the word “bounces” in it.

Strike 5: When I copy and paste the website into DuckDuckGo to see if it’s a valid Google site, I see clearly (below) that it’s not.

[Screenshot: DuckDuckGo search for the sender’s website]

Final analysis: I’m not clicking on anything this email is offering.

Part III: Prevent Phishing via Email Using “Best Practices”

Here are the rules (or best practices) you should implement to help prevent a phishing attack:

  1. Always confirm that every email comes from a valid, known or recognizable email address. The name displayed on an email isn’t an accurate indicator of the true sender: always double-check that the actual email address is correct. Phishing attacks sometimes contain the names of people we know because their address books (or ours) have been compromised. Those real names are then paired with bogus email addresses in an attempt to fool us. If any email address is unknown or odd-looking, send it to spam. Don’t worry about trashing something important: the important people in your life know how to contact you by other means.
  2. Never click on any link in any email, without first confirming that the URL is a valid, known, standard or recognizable website. Right click on any link to bring up a contextual menu to copy it; then paste it into a text editor. If the link doesn’t look valid, known, standard or recognizable: trash the email or send it to spam. For more info, search for the URL on DuckDuckGo to confirm it’s been indexed and known by a valid search engine.
  3. Never open any email attachment that you weren’t already expecting, whoever sends it. Your co-worker tells you she’ll be sending over the code for that new software application you’re coauthoring. Great! You know it’s coming and have cause to expect it in your inbox. Someone else sends you a Microsoft Word document and says “Check this out!”? Don’t open that attachment. Instead, text or call the person and confirm they’ve sent you that specific attachment.
  4. Always confirm that any email you receive from any online service that you use is valid. Get an email from Dropbox, Amazon or Apple asking you to log into your account? No problem: first prove that the emails are valid. Check the URL, sender email address and subject lines for anything suspicious. If you’re still unsure, log in to the service via their known, valid website.
  5. Only click on email links that include the “s” in “https://”. That “s” means that your connection to the website is encrypted and that the site has a certificate to back it up. These certificates can, themselves, be obtained by attackers, but it’s one indication that the website may be valid. Clicking on the “Secure” indicator in most browsers (Chrome is shown here) will reveal this certificate.

[Screenshot: Chrome’s “Secure” indicator showing the site certificate]
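As an added example (not from the original post), here is the checklist above turned into a small Python triage script. It parses a constructed sample message modelled on the “Google prize” phish and reports the strikes the article walks through: sender address vs. display name, a “bounces” delivery host, unknown or non-https links, link text that disagrees with where the link really goes, and sloppy grammar. The known-domain list and every address and host in it are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the recipient knows and trusts. Constructed for this example;
# a real list would come from your own contacts and the services you use.
KNOWN_DOMAINS = {"google.com", "accounts.google.com", "amazon.com", "dropbox.com"}

# Constructed sample modelled on the "you've won a prize from Google" phish.
# None of these addresses or hosts are real indicators.
SAMPLE_EMAIL = """\
From: "Google Prize Team" <winner-notify@example-bounces.net>
Return-Path: <bounces@example-bounces.net>
To: you@example.org
Subject: Congratulation you has won the Google Prize!!
Content-Type: text/html; charset=utf-8

<html><body>
<p>Congratulation you has won the Google Prize!! Claim in 24 hour or lose it.</p>
<p><a href="http://google-prize.example-claims.net/claim">https://accounts.google.com/</a></p>
</body></html>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _known(host):
    return any(host == k or host.endswith("." + k) for k in KNOWN_DOMAINS)

def sender_checks(msg):
    """Rule 1 (strikes 1 and 4): real address vs. display name, and a 'bounces' host."""
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain and not _known(domain):
        flags.append(f"sender domain not recognised: {domain}")
    # A brand in the display name paired with an address elsewhere is the classic mismatch.
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[-2]
        if brand in name.lower() and not domain.endswith(known):
            flags.append(f"display name mentions {brand!r} but address is @{domain}")
            break
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if "bounces" in return_path.lower():
        flags.append(f"return path uses a bounce host: {return_path}")
    return flags

def link_checks(msg):
    """Rules 2 and 5: every link must be https, known, and go where its text claims."""
    flags = []
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in LINK_RE.findall(text):
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if target.scheme != "https":
            flags.append(f"link is not https: {href}")
        if host and not _known(host):
            flags.append(f"link host not recognised: {host}")
        shown = urlparse(label.strip()).hostname  # None when the text is not a URL
        if shown and shown.lower() != host:
            flags.append(f"link text shows {shown} but goes to {host}")
    return flags

def grammar_checks(msg):
    """Strike 3: crude tells that nobody proofread the mail."""
    flags = []
    if "!!" in msg.get("Subject", ""):
        flags.append("subject uses repeated exclamation marks")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if re.search(r"\byou has\b", text, re.I):
        flags.append("broken grammar in body ('you has')")
    return flags

def triage(raw):
    """Return every red flag for a raw RFC 822 message; an empty list means no strikes."""
    msg = message_from_string(raw, policy=policy.default)
    return sender_checks(msg) + link_checks(msg) + grammar_checks(msg)

if __name__ == "__main__":
    for flag in triage(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

The script is a reading aid for the checklist, not a spam filter: a mail with zero flags still deserves the manual checks above, and a mail with one flag is enough reason to stop.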

Some of the tips above will bother you — some slightly, others more so — because they’ll make email less convenient. I won’t apologize for that: convenience without security equals danger, something we should all remember. That being said, there are a few ways to help automate this process if you feel the above list is too difficult for you:

Use multi-factor authentication. I discussed this in an earlier piece and can’t recommend it enough. If multi-factor authentication is enabled, even if attackers were ever to gain your username and password, they’d still need a rotating six-digit code, which appears only on your cell phone, to proceed.

Use Slack instead of email. Some of you know about Slack, others might not. It’s a communications tool that combines email, chat and discussion boards all into one. Individuals and companies both use Slack. Corporations who pay to use it require all users to log on with valid credentials. That means — generally speaking — that it’s safer to open documents from your co-workers on Slack than it is via email.

Only check email in a VM. This one takes work but is far safer than the alternatives. I keep several easy-to-open virtual machines (or VMs) on my computer. Sometimes, if I’m wary about a particular email, I might open that email inside of a VM. Then, if there’s any damage done to the operating system or other software applications, I can either delete or reset the VM with no damage done to my actual computer. A 100% free VM can be set up using VirtualBox and the Ubuntu operating system, which is built on the open-source Linux platform.

Also, did you check those last two links were valid and secure before clicking on them? Hmm? Remember: trust no one, not even me, my friends.

Learning how to spot a phishing attack only takes a few minutes. Daily practice will make you more knowledgeable, more quickly. Then, once you’ve become a master yourself: share your knowledge with others. Make sure your friends, family and coworkers learn these best practices. You’ll be saving money, embarrassment and lost time for who knows how many people.

Of course, let me know in the comments section if you’ve got a better tool or tip that the rest of the community should know.

Different organizations and security experts prioritize risks differently, but the goal is to narrow the problem down into something that’s manageable and effective while expanding awareness and responsibility.

Start by understanding the ways companies impede their security efforts so you can eliminate these unproductive practices in your own organization.


1. They deny they’re a target

Denial is the poorest form of security. Some organizations think they’re too insignificant to become a target in the first place so they don’t worry about security.

“If you believe you’re not at risk, then you’re not taking [cybersecurity] seriously enough,” said Alan Brill, a senior managing director in the Cyber Risk practice at corporate investigations and risk consulting firm Kroll. “I see cases coming in every day of organizations that have been compromised. When you drill down, part of the problem was an assumption of, ‘Who would want to target us?’ The bad guys.”

2. They’re unaware of their assets

Organizations suffer from many blind spots that enable exploitation. Because they’re unaware of all of their IT and data assets, there’s no way to assess all the vulnerabilities.

“Companies don’t know where their data is and what the sensitivity level is, and that’s become a huge problem with some of the data privacy laws. Cloud and mobility have made that a bigger problem,” said 451 Research’s Bekker. “If you talk to some of the cloud security vendors, it’s not uncommon for enterprises to have upwards of a thousand cloud applications running across their network they don’t even know about. What I hear quite frequently is companies will do a scan and find out they have thousands of databases they didn’t even know about.”

3. Cybersecurity is viewed as a technology problem

Cyberattacks are usually thought of as software attacks. But why break into an organization when one can walk through the front door with someone else’s credentials?

“It’s not just a technology problem, it’s an operational problem, it’s a cultural problem,” said 451 Research’s Bekker. “One of the biggest threats to enterprises is their users being tricked into giving up their passwords over the phone or through phishing email. At the end of the day, it doesn’t matter how big your firewall is. There’s a social/cultural/behavioral element to it. Employees are arguably the weakest link internally.”

4. Cybersecurity functions as an island

While the CISO is arguably the person responsible should a breach occur, cybersecurity is a cross-functional issue that affects other parts of the organization. For example, in the case of shadow IT, the CISO may be unaware of the asset and therefore can’t assess the potential risk. Meanwhile, the user has accepted the service’s terms and conditions, likely without reading them, which could violate the company’s policies, as well as laws and regulations.

“It really has moved from being a technology issue to being a corporate, legal, and compliance issue that has to be tackled as an organizational problem,” said Kroll’s Brill. “[You should also include] HR because they get involved in personnel training. Some of our clients have taken it to the point where they’ve added questions about cybersecurity to performance reviews.”

5. They don’t understand the scope of their risks

Business at the speed of light typically means that in-house personnel lack the time they would need to do a risk assessment. Since they can’t do a risk assessment, they may be making educated guesses about vulnerabilities and how serious those vulnerabilities are.

“One of my personal pet peeves is the perception of an audit versus an assessment. An audit is a checkbox exercise, which is part of a broader assessment,” said Chris Duvall, senior director at global advisory services firm The Chertoff Group. “In an assessment, you stand in the shoes [of] your adversary and ask what do they have, how can I turn it into money/power/destruction — whatever the purpose is — and what is the means by which I can get that.”

6. They don’t know what to address first

Risk management approaches differ. Kroll’s Brill said one way to look at the problem is to decide which risks are within one’s control and which aren’t. For example, if employees are careless about passwords, require two-factor authentication. If in-house resource constraints are an issue, outsourcing may be wise.

“We recommend looking at the foundational aspects first and then expand it,” said The Chertoff Group’s Duvall. “It’s cyber hygiene, looking at your password policies, account lockout, account inventory, asset inventory, having control over the identity and access management. Segmentation and whitelisting are [also] important.”

7. They’re not testing

Perimeter-based security isn’t enough anymore. Organizations need to realize that their perimeters will be breached and take appropriate action. In addition, some companies endeavor to find out how they could be breached.

“Testing is the best way to see if your security controls are working,” said The Chertoff Group’s Duvall. “Do you have pen teams, red teams or exercises? It may be outside [your] budget or scope, but do you have a person or two on your security team who can be an internal red team or do pen tests? The organizations that we’ve come across, even with limited resources, find that useful.”

8. They lack an effective security strategy

Most organizations find themselves in reactive mode when it comes to cybersecurity so the execution may be tactical without the benefit of an overarching strategy.

“You need to develop a strategy, identify your most important missions, and then identify people, processes and technology to address the most important issues,” said Jonathan Reiber, head of Cybersecurity at data center and cloud computing security company Illumio. “Prioritization is one of the most important parts of a security journey that an organization can go through. You have to be able to implement security in the best way you can around the assets that matter most to you as quickly as you can.”

Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligent Unit.


“This year, we had 20 colleges of the 28 participate. I can see the last eight jumping on board next year, bringing cyber camps to the entire region,” Lemus said. 

While every camp follows the same curriculum, each one has its own personality based on the students who participate. Lemus said that no two classrooms were the same throughout the six weeks, but the benefits students took from the program did overlap. 

“Students were excited about Windows and Linux security, to meet new friends, and see that they are part of something much bigger than the classroom they were in,” he said.  

Cyber camps serve as a recruiting tool for CyberPatriot teams throughout the region, but that’s not the only mission. Lemus and his team also hope to increase awareness about the benefits of cybersecurity education, especially among underrepresented communities. 

Lemus added a capture the flag challenge to this year’s camps and is planning to better align the camps with courses offered at the region’s community colleges for next year.

“We want the communities of the Bay to know that we exist and have strong CTE programs,” Lemus said. “High school students, college students, and the community at large can take advantage of that.”

Lemus’s work has been instrumental in raising awareness about cybersecurity education and helped the Bay Area Community College Consortium (BACCC) become a designated CyberPatriot Center of Excellence.

“I want to recognize Irvin Lemus, our CyberCamp Coordinator over the past two summers, for his direct involvement and leadership. Irvin’s expertise and years of experience helped the BACCC receive the Center of Excellence designation,” said Richard Grotegut, Bay Region Deputy Sector Navigator for the ICT-Digital Media Sector.

For more information about Bay Area Cyber Competitions or to get involved with the program, visit baycyber.net.

[Photo: Bay Area Cyber Camps]

Maxim Kovalsky, senior manager of cyber risk services for Deloitte, told Route Fifty there were concerns about convincing companies to partner in the effort. “Naturally I think there’s a reluctance to share information from members of these kinds of collectives,” he said.

Deloitte, a New York City-based consulting firm, has worked with Cal-CSIC since its inception to share threat information at pace with cyber criminals’ activities. A tech stack, or framework, was developed to detect bad behavior and automatically flag and send the information to Cal-CSIC.

But the private sector, in particular, is protective of its data, so memorandums of understanding have been established with partners (among them three state agencies, a large bank and a major Northern California utility) about how Cal-CSIC can use their information.

“Once we started doing what my analysts were doing with the data, we’ve actually had a few really big wins,” said Keith Tresh, Cal-CSIC commander. “We are definitely looking into expanding.”

Two cities may soon be joining the automated threat feed program, which has eight partners and is carefully adding others due to staffing limitations. In Cal-CSIC’s business plan, it’s considering onboarding every city and county in the state over a four- to five-year period.

When Cal-CSIC pinpoints a cyberattack, it reaches out to the victim or victims and recommends action to them, as well as other partners that may still be threatened.


For instance, if a system is infected with malware or reaches out to a malicious domain, that information is shared with Cal-CSIC.

“We want to know what IP and what domain that malware reaches out to—how many calls in what period of time,” Kovalsky said.

Sometimes the malware may communicate with the domain of a legitimate website that’s been compromised by a threat actor in a single attack. In those cases, you don’t want to blacklist the site forever but block it for a few days, Kovalsky said.

Cal-CSIC has made strides in lowering its rate of false positives like that, as well as false negatives, Tresh said.

In February 2017, authorities evacuated 188,000 residents near Oroville after a hole opened in the local dam’s spillway, threatening flooding. Officials at Cal-CSIC became concerned about what might happen if a cyberattack leveraging industrial control system data was able to open the dam’s floodgates, Tresh said.

Cal-CSIC works closely with the state’s Critical Infrastructure Protection team to monitor for such possibilities.

“We’ve seen a lot of attacks coming from nation states looking to probe or test critical infrastructure protection,” Tresh said.

Russia targeted Ukraine’s electrical grid in a December 2015 cyberattack, successfully shutting down service, in what was likely a test of hacks it might carry out in the U.S., Tresh said. Open source information shows that, since 2015, the administrative systems of several water treatment dams have been hacked but not the systems that could shut them down or open the floodgates, he added.

Original article posted on nextgov.com.

“The Cybersecurity Labor Market Analysis is a major step forward in understanding the significant gap between the demand for cybersecurity-related occupations and number of qualified candidates in the state,” said GO-Biz Director Panorea Avdis. “As California’s companies rely more on digital technologies, addressing this labor shortfall becomes more urgent. We look forward to working with public and private partners to identify and implement solutions that support California businesses.”

In order to complete this analysis, a statewide survey of 385 businesses was conducted to collect data for nine of the most common cybersecurity occupations, using the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. This included roles such as Systems Security Analyst, Cyber Defense Analyst, Vulnerability Assessment Analyst, Cyber Defense Forensics Analyst, and Software Developer, among others. Additionally, as part of the study, primary and secondary data were collected on public and private postsecondary institutions offering cybersecurity-related programs.

Based on employer responses, strong cybersecurity employment growth is expected over the next 12 months, ranging from 4% to 21% for the work roles studied, representing an increase of about 14,300 positions. In 2016, the most recent year of available data, 242 accredited postsecondary institutions in California offered 1,177 programs that were related to cybersecurity. However, only 3,200 awards were conferred by programs that focused directly on cybersecurity or clearly included aspects of cybersecurity in their curriculum. The study concludes that California’s educational institutions are not currently supplying enough qualified candidates to fill the thousands of cybersecurity job openings that exist.

Eileen Sanchez, CASCADE Program Manager, said, “These numbers show a real opportunity to train individuals into high growth occupations. Knowing what occupations and skills are most important is a key factor in re-training defense workers and getting them to adapt to national security priorities and the changing skills requirements of jobs in our economy here in California.”

Additional Key Findings

  • For all nine work roles, 60% or more of employers reported some or great difficulty finding qualified candidates. This demonstrates the significant challenge employers are facing hiring the cybersecurity workers they need.
  • Across all nine work roles, the top three hiring challenges are: lack of qualified candidates in general, lack of relevant work experience, and lack of required technology skills.
  • For all nine work roles, 75% or more of defense contractors reported that security certifications are important or very important when hiring, and for seven of the work roles, 80% or more of defense contractors reported this.
  • For each of four IT/IS work roles, a majority of employers indicated that employees spend more than a quarter of their time on security/cybersecurity issues and that compared to 12 months ago the amount of time spent on security/cybersecurity issues had increased.
  • The majority of cybersecurity-related programs are offered by public two-year (56%) and public four-year (16%) colleges, resulting in public colleges offering 72% of cybersecurity-related programs.
  • In a survey of postsecondary institutions with cybersecurity related programs, nearly two-thirds of respondents indicated they offered programs that align with the “Operate and Maintain” category in the NICE Cybersecurity Workforce Framework.

Download a free copy of the Report.

About the CASCADE Program

Funded by the U.S. Department of Defense, Office of Economic Adjustment (OEA), the CASCADE program seeks to bolster California’s defense supply chain cybersecurity resilience, innovation capacity and diversification strategies, and to support the growth and sustainment of California’s cybersecurity workforce through cybersecurity-related education curricula, training and apprenticeship programs. CASCADE is led by the California Governor’s Office of Business and Economic Development (GO-Biz) and the California Governor’s Office of Planning and Research (OPR). CASCADE includes 15 funded projects in partnership with government, industry, community, and academic institutions and is the most ambitious and comprehensive approach to addressing cybersecurity and the defense supply chain in California.

About GO-Biz

The Governor’s Office of Business and Economic Development (GO-Biz) serves as California’s lead entity for economic development and job creation efforts. GO-Biz offers a range of services to business owners including: attraction, retention and expansion services, site selection, permit streamlining, clearing of regulatory hurdles, small business assistance, international trade development, assistance with state government, and much more.

Article originally posted on Governor’s Office of Business and Economic Development (GO-Biz).

“The girls asked them questions about their careers and what they do and had a chance to visualize themselves in those careers,” Raleigh said. “For the employers, it was a chance to come in and see what GenCyber is all about and get a hands-on look at what these students are doing.”

Sarah Brown, a third-year GenCyber attendee, moved from the middle school group to the high school group this year and said she enjoyed the more advanced level of learning that came along with it.

“We interacted a lot more in the virtual reality room and I learned how the fisheye camera works and how to live stream and the delay that occurs between the equipment and the stream,” she said.

Hawley said the all-female environment helps build a sense of confidence in the girls that would not exist in a mixed-gender environment.

“Girls learn differently than boys do,” Hawley said. “If she’s not 100 percent sure, she won’t raise her hand if she’s around male counterparts. It shows just how important this work is to provide the all-girl learning environment.”

That confidence is bolstered even more by the CSU San Bernardino faculty who serve as GenCyber instructors. Claire Jefferson-Gilpa’s 14-year-old daughter had the opportunity to serve as a teaching assistant for a college-level class after her GenCyber experience — which speaks to the academic integrity of the program and its faculty.

“She enthusiastically accepted, and the experience has been world changing,” Jefferson-Gilpa said. “For my daughter to be seen as a leader and encouraged to do so on a collegiate level by experts in the field is tremendously valuable. It is also exceptional in contrast to much of her experience where she must constantly prove her worth and place in the field.”

While GenCyber is organized by the Girl Scouts, the camp is open to any middle or high school girl in Riverside or San Bernardino counties. To that end, Raleigh and Hawley partnered with the Riverside Unified School District and the Girl Scouts Beyond Bars program to increase awareness about cybersecurity in underserved communities and start those students on a pathway toward a stable and well-paying job in the cybersecurity field.

Raleigh hopes this is the first step in a long partnership with community organizations.

“I talked with one of the chaperones, and she said it was an amazing experience for the girls,” Raleigh said. “They had never really talked about their future, but saw that they could go to college and saw that there were people who look like them doing these careers.”

The program also embraces students with disabilities. The demand for cybersecurity careers is large and growing by the day; it’s going to take people from all walks of life to meet the need. Cyber careers are also uniquely suited to some disabilities, as student Emma Shanks learned at GenCyber.

“Because she is deaf, my girl scout Emma uses the internet and chat rooms for much of her communication with the ‘hearing world’,” said Melissa Stark, Shanks’ girl scout troop leader. “I’m so thankful for GenCyber offering opportunity for all abilities of girls to attend so Emma can gain the skills to be safe online and when sharing information about herself. Her confidence has grown and she feels included and accepted.”

After the success they’ve seen thus far, Raleigh expects the GenCyber program to grow even more in the years to come. Even if attendees do not end up pursuing careers in technology, the skills they are learning will help them lead safer lives online.

“We are teaching girls about the world around them, and that world is changing,” Raleigh said. “They know how to use technology, but they don’t know how to protect themselves and how the choices they’re making now can impact them down the road.”

For more information about GenCyber, visit gen-cyber.com. For more information about the Girl Scouts of San Gorgonio Council, visit www.gssgc.org.

[Photo: Carrie Raleigh and Knea Hawley]
