Risk is one of those standard terms within cybersecurity that, when asked to define, many struggle to explain what risk is and how it applies to cybersecurity. To start, we need to understand risk as it applies to security. Risk, like mathematics, is an artificial construct that humans use to understand and describe their environment. 

In a fundamental sense, risk can be defined as the likelihood of an adverse or unwanted event occurring and the Impact should that event be realized. A simple calculation to express risk is that risk is the function (f) of the likelihood as expressed as a probability (P) and the Impact should the event occur. Often expressed in monetary terms. (I). The calculation appears as R=f(PI). (Quantifying CyberRisk- Solving the riddle | AT&T Cybersecurity (att.com)

Consider a house that is worth $100,000. Suppose that an insurance agency calculates a 1% likelihood of the house burning to the ground each year, resulting in a total loss of the house. The Annualized Loss Expectancy (ALE) can be calculated as R=f(PI) or R = f(.01 • $100,000) or $1,000 per year.  The insurance company would then calculate the premium based on the ALE and add a margin.

In much the same way, risk can be used within the safety and all security domains to identify the most significant risks to address in a prioritized fashion. Using another simple example, consider two examples. According to NASA, people are struck by meteorites approximately every nine years on Earth. There are at least seven recorded fatalities from people being struck by meteorites. (Death From Above: Seven Unlucky Tales of People Killed by Meteorites | Discover Magazine) 

While being struck by a meteorite is certainly not a fun thing to consider, compare that to the number of car accidents that result in fatality in a given year. According to the National Safety Council, there are approximately 35,000 deaths annually caused by automobile accidents and over 2 million accidents annually. ( NSC Statement on NHTSA Motor Vehicle Fatality Estimates for 2019 – National Safety Council). 

Suppose you leave your house and are only allowed to consider a single control to manage risk. You can buy a Titanium helmet to reduce the risk of a meteorite strike or buckle your seatbelt when you get into your car. Which of the controls is most likely going to mitigate the most significant amount of risk? The risk of being struck by a meteorite is infinitesimally small, whereas the likelihood of being in a car accident is much greater. In this scenario, wearing the seatbelt and forgoing meteorite protection would be wise.

In much the same way, risk analysis can help companies prioritize and mitigate their cyber risk effectively and efficiently. All companies face infinite risks, from meteorites (as demonstrated), hackers, and malicious insiders to natural events such as floods. All organizations have finite budgets and resources to address infinite risks. The question becomes: “how does a company most effectively allocate those resources to address the greatest risks?” 

By applying a risk-based approach, organizations can quickly identify and prioritize their risks based on a number of factors. While not a complete listing, aspects such as the type of data being protected (intellectual property, PII, NPI, etc.), the industry in which the organization works (national defense, retail, manufacturing, etc.), and the types of technologies employed all play a factor in identifying the risk profile and strategies to reduce the identified risks to an acceptable level. 

Many companies have chosen to use cyber insurance as their primary source of risk mitigation. This is a flawed approach. There are four different means of risk mitigation. Each should be considered for a comprehensive risk management strategy. They include 1) Risk Reduction/Control (by implementing controls as discussed), 2) Risk Transference (such as with cyber insurance) 3) Risk Acceptance (accepting the de minimus risk that is not worth addressing) 4) Risk Avoidance (avoid the risk by not engaging in the business or actions that expose one to risk).

While each of the strategies above has value, choosing one without considering the others does not allow for a comprehensive risk management strategy. By applying a risk-based approach to security, companies can most efficiently and effectively address risks and threats cost-effectively.

Read More

An undisclosed number of people have been impacted

Read More

Major phishing risk as personal details are compromised

Read More

If you recently found yourself looking for a new job, you are far from alone. According to the Institute of Labor Economics, more Canadians were seeking new employment opportunities at the height of the pandemic than during the previous three recessions combined. Job hunters only used to have to worry about the clarity of their cover letters and impressing interviewers. Now, however, a new hurdle is in the mix in the race for a new job: online job scams. 

Here are three online job scams that you may encounter, plus a few tips on how to avoid and report them. 

1. Fake Job Ads

Fake job ads trick employment seekers into giving up their financial information. Fake job ads are more likely to appear on free sites, such as Craigslist, but they could be listed anywhere. So, no matter where you are searching, be wary that not everyone is looking for a talented individual such as yourself. They are on the hunt for sensitive personal details. 

When you are interviewing for jobs, legitimate employers are careful and intentioned about evaluating your fit for the job. For this reason, employers want to make sure they are not interviewing fake candidates, so they are likely going to want to meet you face-to-face or through a video chat. If an employer extends a job offer after a few email exchanges or an instant messenger job interview, request a more formal meeting. If they say that they would like to move fast and hire quickly, be concerned as no real employer would act that quickly. 

Guard your personal and financial information until you are 100% sure of the legitimacy of a job offer. Be on high alert if the “human resources representative” asks for your credit card or banking information to pay for training. Fake employers may also ask for your Social Insurance Number before extending a job offer letter. A great rule of thumb is to never share your SIN with anyone over the phone or over email. 

2. Phishing Emails

Between March and September 2020, 34% of Canadian respondents reported receiving a phishing message, according to a survey by Statistics Canada. Phishing emails often include malicious links that, when clicked, download malware to your device. Online job scams may not only attempt to steal your sensitive information, but they may also be phishing attempts to take over your personal devices. 

Some scammers using job offers as a guise might email people who never applied for a new opportunity. Be careful around these types of messages, urges the University of Calgary. Recruiters will most likely reach out and offer unsolicited interviews through social networking channels rather than email. Also, when you receive emails from people looking to hire you, take note of their email domain name. Is the email domain customized to the company’s name or is it a generic @gmail or @yahoo? Check the spelling of the email domain carefully too. Phishers are notoriously bad spellers and sometimes they use incorrect spelling of domain names to trick people into thinking they are the real company. 

3. Immigration Scams

Immigrating anywhere is a massive and stressful undertaking. Cybercriminals prey upon this stressful, major life event and target immigrants with enticing, but fake, job offers. The Government of Canada advises to never trust someone who says they can guarantee you a job in Canada. Also, keep an eye on the salary. Is it very high? Do your skills not completely align with the job description? Does the job seem very easy? Unfortunately, that may mean that the offer is too good to be true.  

How to Cover Your Bases

The best way to avoid falling for job scams is to know what you are looking for and to take your time when considering a new job. Check out these tips to outsmart scammers and keep your personal information and devices safe. 

1. Verify employers

Most job applications are submitted online, but if an employer is impressed by your resume, they will likely offer a screening call. When a human resources representative calls, make sure to note their name and ask for the website address of the company. Afterwards, search for the company online and the human resources representative who called you. They should show up together on a professional-looking website or a professional networking site. 

2. Read carefully

Inspect all correspondences you get from potential employers. Phishers often use language that inspires strong emotions and urges a speedy response. Strong emotions could include excitement or fear. If the email says you only have a few hours to respond or else the job will go to someone else, be skeptical. Accepting a job is a huge decision that you should be able to take at least a few days to think about. Read carefully, always hover over links to see where they redirect, and keep a level head when making decisions about your next career move. 

3. Report fraudulent activity

When you come across fraudulent activity, it is important that you report it to the correct authorities to stop it from happening to someone else. For immigration and online job scams, contact the Canadian Anti-Fraud Centre. 

4. Install security tools 

Phishers and job scammers may have gotten in contact with you with the aim of downloading malicious software on your computer. A comprehensive suite of security tools will protect you from viruses and malware that may have slipped past your eagle eye. McAfee Total Protection offers premium antivirus software, safe web browsing, and PC optimization. 

The post Watch Out for These 3 Online Job Scams appeared first on McAfee Blog.

Read More

Unpatched vulnerabilities, common misconfigurations and hidden flaws in custom code continue to make enterprise SAP applications a target rich environment for attackers at a time when threats like ransomware and credential theft have emerged as major concerns for organizations.

A study that Onapsis conducted last year, in collaboration with SAP, found attackers are continuously targeting vulnerabilities in a wide range of SAP applications including ERP, supply chain management, product life cycle management and customer relationship management.  Active scanning for SAP ports has increased since 2020 among attackers looking to exploit known vulnerabilities, particularly a handful of highly critical CVEs.

To read this article in full, please click here

Read More

Threat actor bombarded Uber contractor with 2FA requests

Read More