Information Security Advisory - Insecure Email Practices Put Company Data at Risk

This notice is archived content and this information may no longer be accurate.
We are seeing a perceptible increase in phishing emails containing links to malware or links used to harvest credentials. Once upon a time, it was easy enough to spot phishing emails. They were littered with misspellings and poor grammar. This is no longer the case and many current phishing emails are very well crafted. Please raise your level of caution when interacting with unsolicited emails. We will never ask you to reconfirm your email account or ask you to enter your login information on a web site to keep your account active. This month we revisit phishing, and what you can do to help protect the City.

Today, email is the lifeblood of business. Millions of workers spend most of the workday—and that’s no exaggeration—composing and responding to email messages to keep the business going.
But criminals and spies know this, which is why they put such extraordinary effort into email scams; email makes the perfect toehold into an organization’s network, where the vital data is stored.
Here, according to security specialists, are some of the email mistakes employees make that could compromise security. Are you guilty of any of these?
  • Clicking suspicious links. The rule of thumb is simple: never click an email link unless you’re 100% certain it is legitimate. Keep in mind that hackers can easily “spoof” email addresses, so even if an email seems to come from someone you trust, clicking that link may introduce malware to the network.
  • Falling for phishing attacks. Phishing attacks aren’t always crude and easy to spot anymore. Hackers have upped their game and turned to spear phishing, a far more subtle form of attack that has tricked many smart folks.
  • Emailing work home. With the best intentions, employees often email files home so they can tackle them at night or over the weekend. But that’s not a good idea; the sensitive files then sit around on a poorly protected home computer, just waiting for a hacker to come along.
  • Sharing with friends. If you come across a juicy piece of company dirt or an exciting product plan, it can be very tempting to share it with a family member or former co-worker. But what happens when they share it with somebody else, who in turn re-shares it? Clearly, this is not good. Never email sensitive business data to anyone who does not need to see it for professional reasons.

** Security FYI **

Senate Report: Agencies Fail to Take Basic Preventive Measures
Officials have warned for years that the prospect of cyberattack is the top threat to the nation and have sharply increased spending on computer security, but a new report by the Senate Homeland Security and Governmental Affairs Committee says federal agencies are ill-prepared to defend networks against even modestly skilled hackers. The report draws on previous work by agency inspectors general and the Government Accountability Office to paint a broad picture of chronic dysfunction, citing repeated failures by federal officials to perform the unglamorous work of information security. That includes installing security patches, updating anti-virus software, communicating on secure networks, and requiring strong passwords.

‘The Mask’ Dubbed World’s Most Sophisticated Cyber-Spy Operation
Governments, embassies, energy companies, and universities have all been victims of what researchers are calling the most advanced cybersecurity threat they've ever seen. The Mask, a secretive hacking organization, has evolved into a nation-state spying tool and has been operating since at least 2007. Using a sophisticated form of malware, The Mask has infiltrated more than 380 unique victims in 31 countries. Experts say it’s likely a nation-sponsored campaign, as evidenced by a very high degree of professionalism. The Mask exemplifies the increasing sophistication of cyber criminals, as well as the resources they are bringing to bear on attacks.

Big Breach at Texas Hospital
St. Joseph Health System in Bryan, Texas, admits it was recently hit by a security breach affecting the records of up to 405,000 past and current patients, as well as employees and employees' beneficiaries. The hospital says the attack occurred in December, when one of its computer servers was hacked. St. Joseph says it has hired cyber security and computer forensic experts to investigate. The attackers may have gained access to records including names, Social Security numbers, dates of birth, and possibly addresses, as well as the medical information of patients and bank account data for employees.