
Mar 19 2014

Oh No! You’ve Been Hacked Pt.2


Photo credit: Flickr/Johan.V.

Good morning,

We have reached the concluding part of our “Oh No! You’ve Been Hacked” series. I found this article on NALS giving us the cyber breakdown. Read it below!


“You’ve Been Hacked!


Websites

Malware can be inadvertently downloaded from malicious websites. Links to these sites might be delivered in an email or might be embedded in a harmless website or shown on a social media site.

  • If you do not have a good reason to click on a link, avoid clicking on it. Among other things, this means if you are at work, do not mix your work and personal pursuits by clicking on items related to your personal life at work.
  • Be very suspicious of requests to download applications or to install ‘Add-Ons,’ such as suspicious ActiveX components or strange media players.
  • Never download or install software from unknown or untrusted websites.
  • Sites notorious for housing malware include porn sites, gambling sites, music lyric sites, dating sites, and—sadly—religious sites.

Pop-Ups

A fairly new tactic to spread malware is to use pop-ups that appear to be legitimate Windows alerts, messages, or ads.

  • Never buy software in response to unexpected pop-up messages or emails.
  • Be especially wary of hoax adverts that claim to have scanned your computer and detected malware.
  • Immediately close your browser if you see one of these types of pop-ups. Do not respond or click on any part of the pop-up to acknowledge or close it.


Social Networking

The popularity of social media is exploding. Criminals are always looking for ways to exploit their victims and the relative newness of social media makes it a natural vector for delivering malware and extracting information from victims, particularly young and naive users. Malware is increasingly spread through social networking sites by installing dubious third-party add-on applications or by providing web links in messages. There is a false sense of security when using these sites, so you must remain vigilant at all times.


  • Only install third-party social networking applications that are well-known and trusted.
  • Never click links in messages from unknown or untrusted contacts, and avoid clicking on message links sent from trusted contacts unless you are absolutely sure the content is valid.
  • Avoid clicking on games, joining groups, adding people you do not know, or agreeing to load any software unless you want to receive the social networking version of spam in your account.


Software

Malware is sometimes located in legitimate software, although this is rare. If you suspect this to be the case, you should contact the software vendor immediately.


  • You should never install unauthorized, unlicensed, or unapproved software on your computer.
  • Be suspicious of all free software. There are many valuable free software applications available, but many also carry malware or have other undesirable side effects such as pop-up ads.


Computer Media

CDs, DVDs, portable hard drives, diskettes, and USB drives are all potential sources of malware, particularly if shared between home and work systems.

  • Never access untested computer media with your computer.
  • Always scan all files stored on computer media for malware before accessing them.
  • Give suspicious disks to your Information Services Department to test before loading them on your own computer.


Mobile Devices

A new threat is malware spread through mobile devices such as smartphones and tablets.


  • The same warnings that apply to computers described above apply to mobile devices, which are really miniature computers and are susceptible to all the same types of problems that workstations might encounter.
  • Be aware that mobile devices can also disclose your location, which is potentially a very serious exposure that could be exploited by sophisticated criminals.


Phishing

Everyone who routinely uses email is familiar with phishing. You receive what looks like a legitimate email from an individual, business, or political entity (often someone you know) that asks you for something you would normally never freely provide to someone else. Usually personal information or money is requested. Spear phishing occurs when the sender specifically targets a particular individual or group with a phishing attack. For example, a law firm may be solicited to send money to an escrow account for a particular matter at the request of a particular client. Spear phishing attempts can be extremely convincing.


Avoiding phishing attempts is fairly simple. Never give out personal information or spend money over the Internet unless you originated the conversation. If possible, contact senders to check for legitimacy and report phishing attempts to your Information Services Department.


Avoiding Problems

In addition to the specific information provided above, there are some general rules you should follow to avoid problems. It is absolutely necessary to recognize that there are people in the world who want to cause harm to you and/or your company, family, and friends. They want to take your money, damage your company, or cause general chaos, sometimes just for “fun.” Therefore, when online, you should view every communication as a potential attack on you, your friends and family, and/or your company. These attacks may occur at work, at home, or on the road. Being protective of your information and suspicious of all electronic communications is a state of mind you should acquire and nurture.


Your first and most important line of defense at work is your Information Services Department. An effective Information Services Department has policies, procedures, and hardware and software applications in place to block or disable attacks. To help them help you, you should:


  • Never try to circumvent security controls that are put in place.
  • Never violate your company’s safety and security policies and procedures.
  • Understand that when your Information Services Department does not give you administrative access to your computer, they are doing so to prevent you from inadvertently loading malware onto your system.
  • Use the malware scanning tools provided by the Information Services Department to check out potentially dangerous files.


Second, trust your intuition. If something seems wrong, nine times out of ten there is something wrong. We are all busy and in a hurry, but avoid blithely clicking on links or opening attachments if something seems strange. You may lose a few minutes checking the validity of the communication, but it is far better than having your whole system, and potentially your entire firm, rendered nonoperational for hours or days due to carelessness.


  • Always remember: the “from” field in an email can be easily spoofed to look like the email came from a trusted sender. This is, in fact, the most desirable situation from the criminal sender’s viewpoint.
  • If someone asks for money or information in an email, you are virtually always dealing with a phishing or malware situation. Banks, businesses, and the government (in particular, the IRS) never contact people soliciting this type of information. The most trustworthy way to interact with others is to initiate the contact yourself, not through a supplied link or attachment.


These guidelines also apply to your home systems and their use by family and friends. Be vigilant!”

Deanna Pepe, Law Firm Trainer