Cybersecurity Awareness for Canadian Nonprofits and Charities

This recorded webinar covers the different types of cybersecurity threats facing your nonprofit or charity. We’ll cover how to identify these threats, as well as offer some insight into how to protect your organization’s sensitive data from cyberattacks. You’ll walk away with proven strategies that you can put in place right away to protect yourself and your organization. Access the downloadable resources, including the slide deck, here: https://charityvillage.com/cybersecurity-awareness-for-canadian-nonprofits-and-charities/

CharityVillage

2 years ago

Brent Voisey: Well, as Marina said, I'm Brent Voisey. I'm the Director of Sales and Marketing for OASSIS. We are a not-for-profit organization that provides group benefits exclusively for not-for-profits across Canada. We're not a broker, and we don't charge any brokerage fees or commissions, but we deal with all the large insurers. So we have over 370 organizations representing 5500 employees and we're very pleased to be a sponsor for the CharityVillage webinar today. And I'm also pleased
to introduce Danny Sadovsky. He is the, he founded IT Business Technologies, IT Biz Tech for short, in 1998. And his company specializes in IT solutions for small and medium-sized businesses, including our own. We've been working with Danny for over seven years. Danny helps numerous business owners to establish robust and secure office networking architecture, remote access capabilities, secure cloud solutions for storage and file collaboration, and much more. With growing technology demands on most businesses, Danny finds cost-effective ways to provide client solutions that allow businesses to operate and grow with peace of mind against downtime, hacker attacks and privacy breaches. Very important topic, it just seems to be escalating every year. So the webinar today will show different types of cybersecurity threats facing your not-for-profit or charity. Over to you, Danny.

Danny Sadovsky: Thank you very much, Brent, and hello, everyone. Welcome to Cybersecurity Awareness Training. My name is Danny, I am the President of ITBizTech, and over 20 years we've been helping different sizes of businesses and non-profit organizations with their IT needs. Let's begin. I wanted to say a big thanks to Karen and Brent from OASSIS, and Charity Village for organizing this webinar. Thank you very much, guys.

Here's an agenda for today. We're going to, we have about 45 minutes, and we're gonna go over a lot of stuff, and we're going to look into the definition of
cybersecurity. And we're gonna look at the different types of threats and identify each one and define them. We're gonna look at some statistics about cybersecurity. We're gonna deep dive into social engineering and phishing scams, different types of ransomware that are out there. We're gonna talk about passwords, how to basically choose the right password and not use a weak password, and we're gonna look at ways how you can protect your organization, and we'll have time for questions.

So first, let's define what cybersecurity is. Cybersecurity refers to the processes and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized use.

Now, let's see why cybersecurity is important. Cybersecurity is important because it encompasses everything that pertains to protecting your privacy, data integrity and identities from theft and damage. And we need to work together and raise a collective awareness to make more secure environments.

Here's a list of types of malware known to exist today. We're going to start with the first one on the left side, a virus. Basically, the definition of a virus: the virus performs unauthorized and harmful actions.

The second one is adware. Adware is designed to display advertisements on your computer, redirect your searches to advertising websites, and collect marketing-related data about you, such as the types of websites you visit.

Number three is the rootkit. A rootkit is an application that hides itself deep in an operating system and allows a hacker to access the victim's data.

Spyware collects data and sends it to a third party. For example, it takes screenshots of your computer and sends them to a hacker.

Ransomware. Ransomware will encrypt all of your files and will demand money to restore them.

Trojan horse. A Trojan horse harms computer software and files. For example, it can delete files or corrupt them, and you will not be able to access them.

Remote Access - Remote Access is
an application that allows hackers to access your computer in the background remotely.

A worm affects other computers on the network. For example, the virus will spread through the network to all other computers.

Finally, a keylogger. A keylogger records every key press you make on the keyboard and sends them to a hacker, and basically, this is how hackers collect usernames and passwords as well. That's one of the ways.

Here's a graph showing the amount of malware in the last 10 years from recent AB test report releases here. As you can see, malware has increased from 183 million in 2013 to 1.326 billion this year.

So let's do a quick poll and see how many of you have an antivirus installed on your computer.

Marina: Great, Danny. So I've launched the poll, and everyone should see this on their screen now. So pretty simple poll today. Do you have an antivirus installed on your computer? Yes, no, or I'm not sure, so you can just go ahead and click right on your screen, whichever one applies. And Danny, I see we've got the majority of folks, so I'm going to go ahead and close and share this so everyone can see the results. We have 85% yes, 6% no and 10% I'm not sure. So I don't know if that's in line with what you were expecting, well.

Danny: This is actually better than I expected, so, you know, it's good to know that the majority do have antivirus. And we're gonna look at also that we actually have different types of antivirus installed as well. So, I'm going to basically be providing some tips about that in the following slides. Thank you very much. OK, let's move on.

OK, so let's take a look at cybersecurity statistics for non-profits. Non-profits saw over 400% increase in cyber attacks from last year. 33% of non-profits report using free or consumer-grade cybersecurity. Ransomware, phishing, unfortunately, are the most common threats for non-profits and most businesses out there, and only 14% of non-profits have the ability to mitigate cyber risk, which means, you know, if an attack happened, if a ransomware happened, only 14% have the ability to restore data from backups.

Let's talk about social engineering and look at the threats that fall under this category. Let's start with phishing attacks. The definition of a phishing attack is, it's a practice of using fraudulent e-mails and copies of legitimate websites to extract users' data for purposes of identity theft.

Let's
look at the list of common phishing attacks used by hackers every day. We're going to start with e-mail phishing. Victims are contacted by e-mail by someone posing as a legitimate institution to lure individuals into providing sensitive data, such as personally identifiable information, banking and credit card details, and passwords.

Vishing, also known as voice phishing, is a combination of the words voice and phishing and refers to phishing scams that take place over the phone. The call will often be made through a fake caller ID, so it looks like it's coming from a trustworthy source. A typical scenario will involve the scammer posing as a bank employee to flag up suspicious behavior on the account. Once they have gained the victim's trust, they will ask for personal information, such as login details, passwords, and PIN. The details can then be used to empty bank accounts and commit identity fraud.

Smishing, also known as mobile phishing. It is a type of phishing that uses SMS messages, as opposed to e-mails, to target individuals. This method involves the fraudster sending a text message to an individual's phone number, and usually it includes a call to action that requires an immediate response. Messages will often claim to be from banks, tax revenue systems, and even your own friends. They may ask you to click on the link, call a number, or they may even inform you that you're about to receive a phone call from a support member.

Spear phishing - Spear phishing is a more targeted attempt to steal sensitive information and typically focuses on a specific individual or organization. The scammer will often turn to social media to research the victims. Once they have a better understanding of the target, they will start to send personalized e-mails, which will include links which, once clicked, will infect the computer.

Whaling - A whaling attack is an attempt to steal sensitive information and is often targeted at senior management. Whaling e-mails are a lot more sophisticated and much harder to spot. Typically, the e-mails will contain personalized information about a target or organization, and the language will be corporate in tone. A lot more effort and thought will go into crafting these e-mails due to the high level of return for scammers.

Lastly, baiting - Baiting, as the name implies, involves luring someone into a trap to steal their personal information or infect their computer with malware. Baiters often
use offers of free music or movie downloads if users provide their login details. Another popular baiting trick involves leaving a malware-infected device, such as a USB key, in a place where someone can find it. The scammers rely on human curiosity to complete the scam, and by inserting the USB key into their computer to see what's on it, the malware is installed immediately.

Let's see how a phishing scam works. You receive an urgent message of some sort, and it's from a trusted source, for example, a social network, a store, shop, online, or bank. This e-mail looks real. It even uses the logo and perfectly mimics the color scheme of the company. We're going to see some examples in the future slides. This e-mail asks you to click on a link, and a phishing website will open. And this is basically where you type in your username and password, thinking you are actually logging into a proper website, but this is exactly the moment where all of your credentials are passed on to the hacker, and the hacker then has access to the legitimate website. This is how phishing works.

Here's more known phishing scams. Mass phishing. This method is the most common type of phishing. And, as the name suggests, messages are sent to as many people as the hacker can find to extract personal or financial information. These messages might ask the recipient to download a file that has malware, visit a malicious website, or respond directly with personal information.

Clone phishing. Clone
phishing requires a target to create a nearly identical replica of legitimate messages to trick victims into thinking it is real. The e-mail is sent from an address resembling the legitimate sender, and the body of the message should look the same as the previous message.

Advanced fee scams, also known as upfront fee fraud, is a scam used by fraudsters to extract money from victims by charging a processing fee in exchange for an opportunity to either participate in a special financial deal, or by providing a share in an inheritance fund.

Pharm phishing, also known as website redirect, or DNS cache poisoning attack. In a DNS cache poisoning attack, a pharmer targets a DNS, domain name system, and changes the IP address associated with an alphabetical website name. This means an attacker can redirect users to a malicious website of their choice. In that case, even if the victim enters the correct website name, they're still going to be redirected to a malicious website.

Here's a list of common baiting tactics. The first one is a notification from a helpdesk or system administrator. We're going to see some examples of that as well. This notification will ask you to take action to resolve an issue with your account, for example, e-mail account has reached its storage limits, which often includes clicking on the link and providing requested information.

Advertisement for immediate weight loss or hair growth serves as a ploy to get you to click on the link that will infect your computer or a mobile device with malware or viruses.

Attachment labeled invoice or shipping order. This type of baiting tactic contains malware that can infect your computer or mobile device. If opened, it may contain what is known as ransomware, a type of malware that will encrypt your files unless you pay a specified sum of money.

Notification from what appears to be a credit card company. It will indicate someone has made an unauthorized transaction on your account, and if you click on the
link to log in to verify the transaction, your username and password will be collected by a hacker.

And lastly, a fake account on a social media site. This will mimic a legitimate person, business or organization. It may also appear in the form of an online game, quiz or survey designed to collect information from your account.

Let's see how you can detect a phishing scam. First of all, most scams contain lots of spelling errors, so this is the first thing you should look for. Secondly, the hyperlinks are usually pointing to a different website, but we'll see an example in the next slide of how you can identify if the link is actually fake or not. Thirdly, they use threatening language and request to confirm your login information. Sometimes, you will see notifications that you won a lottery that you never played, or a notification asking you for a donation. So, be aware of all of this. It will indicate a phishing scam.

Here's how you can check if the hyperlink is actually real or not. All you have to do is hover over it with a mouse, and you will see, actually, a popup window appear next to the link to actually show you the actual URL, the actual link where it's going to take you. So, here's an example of two identical website links, but they're pointing to different websites. The top one, as you can see, is pointing to Office 365 dot com, which basically corresponds to the name that appears on the left of it, but the bottom link also says WWW dot office 365 dot com. But when you mouse over it, you will see it's going to appear as a totally different link, in this case it's going to be fake link dot com. This is how you identify if the link is fake.

With the COVID-19 crisis as the backdrop, fraudsters appear to be redoubling their efforts to steal information or money from unsuspecting users, sending fake e-mails and text messages such as this one.

Here's another example of smishing, which is SMS messages. And of course, at the time was fake,
the link that will take you to a website that will request your login information.

Here's another example of smishing, about a lottery draw that you never played, and again, there's a link where you will get specific instructions.

Here's another example of a phishing scam. Overall, you can see they use the Amazon logo to make it look more authentic. But when you look closer, you can see on top that it's actually, it doesn't state Amazon, it's missing an A, it says mazoncanada. So you gotta look for things like that, that this is a fake website. There's a missing A in the domain. And when you hover over the links, it actually shows a completely different website. So this is how you can easily identify a phishing scam.

Here's an example of a phishing scam mimicking Microsoft Office 365. Once again, everything looks very authentic, but when you look closer, you can see the sender e-mail is fake. Right on top, you can see that actually the e-mail address doesn't make any sense. It's coming actually from the United Kingdom. And the e-mail contains a threat and spelling mistakes, also has grammatical errors and a fake e-mail signature. This is the type of thing you should be looking at in every single e-mail to identify if this is a phishing scam.

Here's a phishing scam targeted at the finance department. A real-looking e-mail address can be set up using information easily harvested from social networks. Scammers can now easily address your finance department on a first
name basis, using an account with your CEO's real name and real picture, or alternatively gain access to a real account through a phishing campaign, letting them send e-mails from there.

Here's an example of a phishing scam involving an invoice as an attachment. The e-mail contains a fake invoice file with a zip extension. This file can contain an Excel file with macros. That's where, in macros, usually a virus will hide. The e-mail has a one-word subject line, a one-line message, no signature. So this is, again, an incomplete e-mail, and you should be looking, this attachment definitely looks, it's a red flag to see a zip file attached as an invoice, OK.

Here's an example of a phishing e-mail using an eml attachment. eml, basically, it's an e-mail attachment, that's right. So, basically, an e-mail attached as an attachment. So when you open this e-mail attachment, which, basically, in this case, looks like it's a voicemail, it will actually look like this. And what you're going to see is links to listen to your audio, to your voicemail. And obviously the links will be pointing to a fraudulent box. So when you hover over the domain, you will see. When you hover over the link, you will see it's going to take it to a different domain.

Here's a fake Microsoft notice. Almost identical in appearance to an actual notice from Microsoft concerning unusual sign-on activity. This e-mail points users to a phony 1 800 number that will actually take you directly to a hacker themself. And below it has the link for a phishing portal, where credentials are stolen. So, be aware of this type of e-mails.

Here is a spear-phishing example. A spoofed e-mail is sent to the victim from the IT department, asking users to update their account by clicking a link. The link points to a fake website where credentials are stolen. Be aware, IT departments will never ask users to click on any links to update the user password or any other information.
So do not fall for this type of scam.

This example shows that hackers take advantage of the pandemic to send out links to help with safety measures. Once again, the link is pointing to a fraudulent site. So be aware of that as well. So make sure to mouse over the link and see where that takes you.

Here's an example of a mass phishing e-mail that uses a spam e-mail template to warn the user that their computer has been hacked and their data has been stolen, which is not the case. The e-mail states: your computer hacked, exclamation mark, we have taken your personal data. If you follow the instructions attached to this letter and transfer us hundred dollars, we will simply delete your data. Just to be clear, they did not hack your computer, and they're trying to scare you by threatening you, so do not fall for this type of e-mails.

If you happen to double click on that attachment, your Microsoft Word by default will not enable macros, and it will show you this security warning that macros have been disabled. And to enable them, you have to click on this button. So usually if you enable the content, that will enable the macros, and it will execute those scripts that are basically where viruses hide, and it will actually get installed immediately on your machine. So be aware of this.

So before clicking on any links, you gotta actually look for common baiting tactics. If the message looks suspicious or too good to be true, treat it as such. Beware of messages asking for
passwords or other personal information, any information. Most reputable businesses and organizations will not ask for this information via e-mail. Never send passwords, bank account numbers, or any other private information in an e-mail. Do not reply to requests for this information. Verify by contacting the company or individual by phone, but do not use the contact information included in the message.

Do not click on any hyperlinks in the e-mail. Use your computer mouse to hover over each link to verify its actual destination. Pay attention to the URL and look for variations of spelling or different domains. Consider navigating to familiar sites on your own, instead of using links within the messages.

Examine the websites closely. A malicious website may look identical to legitimate sites. Look for HTTPS, S stands for secure. You will also see a lock icon appear next to it in the address bar, that means the site is secure. If you don't see, if you see the lock
in an unlocked position, and you do not see S, you would just see HTTP, that means the site is not secure.

So if you get a suspicious e-mail and you just want to be sure, and you know that it's, it's actually treated, you have to notify your IT helpdesk for verification. Sometimes, it will help IT people also block future messages of this type, you know, for the whole organization. And if you don't have a dedicated IT helpdesk, you gotta make sure to mark it as junk. You right-click on that e-mail and then select Junk and say block the sender, and this will block future e-mails from this sender.

Now, let's talk about ransomware. Ransomware is malicious software that infects your computer and displays messages demanding fees to be paid in order for your system to work again. This class of malware is a criminal money-making scheme that can be installed through deceptive links in an e-mail message, instant messages, or websites. It has the ability to lock your computer screen or encrypt important pre-determined files with a password.

Here's a list of known ransomware types, and let's look at each category separately.

Cryptojacking. It is an unauthorized use of someone else's computer resources to mine cryptocurrency. In a typical workflow, a user visits a website where a cryptojacking operator has placed JavaScript code that is loaded alongside the web page in the user's browser. This JavaScript code causes the user's browser to mine cryptocurrency as part
of a mining pool. Any cryptocurrency and associated value from the mining operations are kept by the cryptocurrency operator, which is a hacker. When a fraudster hijacks the user's device, the user notices extreme slowdown in the processing speed. So, if your computer is operating extremely slowly, there is a possibility that somebody is actually utilizing your computer resources to mine cryptocurrency.

Here's a message that you will see on the screen if you have been a victim of a ransomware attack.
And ransomware causes a lot of damage, because it encrypts all of your files and folders, and also external hard drives. External drives may contain data or backups of your data, and they also get encrypted. Victims are asked to pay ransom in Bitcoin to retire, to retrieve the information. Usually it's not recommended to pay the ransom, but if you do not have a proper backup of your files elsewhere, people usually pay the ransom.

Locker ransomware is known for infecting your operating system to completely lock you out from your personal computer or device, making it impossible to access any of your files or applications. Once again, you are given instructions how to basically gain access back to your machine by paying a ransom.

Scareware. This is fake software that acts like an antivirus or a cleaning tool. Scareware often claims to have found issues on your computer, demanding money to resolve the problems. Some types of scareware lock your computer as it floods
your screen with annoying alerts and popup messages such as this one. You can see here, it says scanner report for 27 infectious falls detected. This is completely fake, none of this is true, and it's giving you the option to activate, um, basically the software that should eliminate and protect your PC, but in return, if you click Activate, it will actually install a virus on your machine. As a matter of fact, when you get this message already, it's too late, basically, to do anything.
At this stage, you need to literally unplug the power from your computer, and possibly the virus will actually not be able to register in your system. So if it's a laptop, you hold your power button until the laptop powers off.

Doxware is commonly referred to as leakware or extortionware. Doxware threatens to publish stolen information online if you don't pay the ransom. Just to be clear, this e-mail shows a fake story which is trying to scare you. So do not fall for this type of scam. I am pretty sure most of you already got this type of e-mail.

Macintosh ransomware. Mac systems were infiltrated by the first ransomware in 2016. Known as KeRanger, this malicious software infected Apple user systems through an app called Transmission, which was able to encrypt its victims' files after being launched. Similar to PCs, it's asking for a payment in bitcoin. So you can see here, this is just an example of what people with Macintosh would see.

Ransomware on mobile devices. It began infiltrating mobile devices on a larger scale in 2014. Mobile ransomware often is delivered via a malicious app, which leaves a message on your device that says it has been locked due to illegal activity. Of course, you will receive instructions how to unlock your device.

Ransomware infection methods. So basically, these are ways you can actually get a ransomware infection. So when you visit an unsafe or suspicious website, they will use actually different codes, like JavaScript, and that will infect your system. So it's very important to have an antivirus installed on your machine, as it says below. Here's a tip: make sure your antivirus has a web filter built in. And I'm going to show you basically how it works in the next slide. E-mail and e-mail attachments: make sure to look for any zip files or JS files, which means JavaScript files. Do not open those. Those are very dangerous in attachments. And also malicious links on Facebook, Twitter, et cetera. They actually always would have suspicious websites.

Here's how web filter results look with a web filter. You can see on the left side, it will actually show which links are safe to click on. Orange, for example, means warning. Green means safe, and if you see a red, it means danger. Do not click on it, OK. So this is basically, once it's enabled in your browser, this actually helps you to navigate more safely. So, different links on the web browser.

Let's talk about passwords. Make sure to keep your passwords in a secure location. Quite often they find people put passwords on a sticky note under the keyboard, or they actually put it right on the monitor, right in front of everybody. Do not, don't use this technique. This is very dangerous. Also, do not store passwords in clear text on your computer, like on the desktop. Instead, my suggestion is to utilize something called a password manager. Password managers, basically there are three very famous ones: 1Password, LastPass and RoboForm. These are known as third-party applications. They basically secure your passwords in one vault and they keep it secure, and when you actually access different websites they even fill in all your password information for you in a safe way. So this is actually an excellent way to actually manage your passwords, OK. This way, if you have, let's say, 30 passwords, these applications will help you manage them, OK.

And two, if you basically have trouble coming up with passwords, you can actually use a tip below here. You can go to this website, itbiztek.com, and on this website you will see, actually, five possible passwords generated with every refresh, and those passwords that are generated are random, and they are very secure, easy to remember, but impossible to guess.

Here's a few more possible tips. Avoid using items that can get associated with you, such as your address, phone number, pet names, birthday, child names. Make sure to have a separate password for each account. Very important. Never share your password. Have a system with your password. For example, you can actually change numbers for each account. So basically, the last, for example, three digits could be different for each account. And another suggestion would be to create mnemonic passwords using random letters and numbers, and these passwords are easy to remember, but impossible to guess. And you can see an example here, W K Y, and W is capital, and then there's five digits following, or you can add special characters and make it even stronger by putting a dollar sign in between, OK. And, like I said, you can use the password generator to help, and it's available anytime. Make sure that your passwords are long. Make sure they are at least eight characters long, and it's recommended to change your password every 3 to 6 months to actually be, you know, in the good books. Otherwise, you know, you should change it like once a year. It's OK. But if you're using the same password for the last 5, 10 years, no, I would strongly recommend to change it right away.

Here's, here's actually a list of suggestions how to protect your organization. So first of all, antivirus. I would recommend that you have antivirus installed on every computer, and it is strongly recommended not to use free antivirus. Free antivirus, they do not provide you with full protection, and they're going to give you a very partial protection. And you do actually have a full set of tools, such as a web filter and everything. You should actually use subscription-based antivirus. Or if you have an IT department, they should look for something centrally managed, cloud-managed antivirus software.

Always make sure to have a strong password policy with two-factor authentication. For example, services such as Microsoft Office 365 have the ability for two-factor authentication. So, how does it work?
When you log into the portal to check your e-mail, Microsoft will send you a code through a text message to your phone for a second verification. This is called two-factor authentication. This actually makes sure that even if a hacker has your password for e-mail, they still will not be able to log in to your e-mail, because they're not getting the code, OK, the second verification code that is sent to your phone.

Now, operating system and software updates. These updates include bug fixes that help defend from cyber attacks. And it's very important to ask your IT department to remove administrative privileges from every single account, so users basically do not have the ability to let the virus penetrate the system. This is one of the basic defenses IT departments should do. It's the first step to protect computers. So when a user actually clicks on, for example, on the patch where there was a virus, it enables the macros, if you do not have administrative
privileges, you know, that virus will not be able to get installed.

Look out for phishing e-mails. Always hover your mouse over the links to see the actual links. Always look for spelling mistakes, always look for who sent you the e-mail and actually verify that the e-mail is correct. Make sure to look for any threats or, you know, fake signatures and stuff like that.

And always back up your company data to a secure cloud. As you have heard me talking about before, when you have a USB key or a USB hard drive, external hardware, plugged into the system for backups, viruses will actually have access to that, and they will encrypt your data and your backups, so you're gonna lose everything. So if you actually want to have the ability to mitigate this and be able to restore data, make sure that your organization has secure cloud backup.

Finally, if you ask an IT professional to help you build and maintain secure infrastructure, this basically means that you will have secure local backups and secure cloud backups with full encryption, which hackers cannot get no matter what.

OK, we're basically almost done. This is just a few things about my company. So, we have been over 20 years in business. We provide free IT assessment and review. If you have an existing infrastructure, we can help you identify how you can improve it. We manage client server data. We provide dedicated help desk support. You can call anytime, and someone will be able to help you
with any of your technical issues. We protect data from threats and viruses and ransomware and you name it. We monitor your servers and data 24/7, and we provide secure cloud backups. That means we can mitigate absolutely any disaster. OK, now we're basically gonna go into questions.

Marina: Fantastic, Danny. OK, we've got lots of questions coming in, so bear with me as I sift through them here. We had a few folks ask about phishing e-mails. And just how, well, first of all, how are attackers able to spoof legitimate e-mail domains? Can you shed any light on that?

Danny: Well, basically what they do is, it's, it's quite technical, but to explain it in short, there is, they actually have the ability to send fake e-mails, and it will actually show that it came from legitimate persons. So there's different ways of doing that. One way is, actually, they would have access to the person's e-mail account. So, what they can do, they actually can send e-mails from a legitimate e-mail, and send it to whoever's in the contacts. And this is how they will know who to send it to, how to spread, you know, the phishing scam. And what they can do is essentially, you know, access your account. Or there's another way, which is a very technical way, to basically create a spoof e-mail account. And the only way to identify it is to look in the envelope of the e-mail, which is a bit technical for this type of webinar. But in the envelope of the e-mail itself, it will actually show the actual e-mail it was sent from, so you will not see it, actually, when you open it through Outlook or e-mail, web e-mail interface.

Marina: That's great. Thank you, Danny. And on the same topic, um, with phishing scams, are external sources able to retrieve the info just by you opening the e-mail? Or do you have to actually click on something?

Danny: No, you have to click on something and you have to actually give them credentials. Now, if you just open an e-mail, nothing's going to happen, but if you're gonna start clicking on links and enter a username and password, it will go straight to hackers, all the information.

Marina: Great. And is having an about page for the organization with e-mail addresses listed on it, is that a security weakness, and could someone potentially be monitoring this for new e-mail addresses that they might then try to spoof? So a lot of organizations have an about page where they have the e-mail addresses. Is that a security weakness?
Danny: It is, absolutely. As a matter of fact, hackers utilize something called crawlers, web crawlers, which basically scan through the webpages looking for e-mail addresses. And this is how they scoop all of the e-mail addresses from the website. So my recommendation is you basically, instead of, you know, posting the e-mail on the site in a text form, post it in the image form. This way, crawlers will be useless because they're looking for text, and when you have an image posted, you will have absolutely no problem. So, basically, if somebody crawls the website, they will not be able to scoop any e-mails.

Marina: Excellent, thank you. Let's talk a little bit about mobile devices. So, um, one of our attendees has acknowledged that cellular phones are now very integrated into business networks. Do you have a sense of whether or not there's a specific kind of percentage or ratio of attacks that, you know, are specific to mobile? And if so, are there certain operating systems on mobile that are more vulnerable?

Danny: Well, it's still evolving, and it's, it's basically, hackers don't sleep, pretty much, and they're looking always for different ways, and all I can tell you is that the best way to protect your mobile device is basically to make sure to keep it up to date with all of the software updates. So, you actually have operating system updates, and you also have application updates. So, make sure you're always up to date with both of them. I can basically give you an example, and then, as I mentioned during the webinar, that sometimes you download an app, and it may look innocent, but in the background, it actually does harm. I have an example, for example, one of my clients called me, and he says, Danny, I don't know what happened. But somebody got into my e-mail and is sending out a whole bunch of phishing scams right from my e-mail account. And I had my computer turned off the last week, because I was on vacation, how did that happen? So sort
of the conversation I found out that he gave his phone to his son, who was actually basically 10 years old, and he downloaded the game on his, actually, work phone, and the game had actually malware in it. And that malware basically penetrated our operating system because his phone was not up to date, and it showed a little message on a string, "Would you like? Would you let us access your e-mail?" and the son clicked OK. That basically gave them access to the e-mail that was actually installed on the phone, and basically applications started sending out all of those phishing scams to everyone in his contacts. So this is basically, it would have been prevented if his phone was up to date. And if actually, he actually had all the apps. In the future, we're definitely going to have to have an antivirus of some sort installed on mobile devices. It already exists, we already have it. You can actually see third-party applications where you can buy an antivirus for your iPad or any tablet or a phone. And it's not as popular yet, but, you know, as the threats actually increase every year, as you can see, you know, eventually, every device, I would recommend to have an antivirus, including your phone and your tablet.

Marina: Excellent. Thank you, Danny. And before we continue on with questions, I just want to remind everyone that we are recording this session, including the Q and A, and you will get access to that and the slide deck later today. And please do feel free to
share this with your colleagues. I know a few people have been asking about whether they can share it with their staff and their teams. Yes, absolutely, we encourage that. OK, Danny, why should you mark an e-mail as junk instead of just deleting it?

Danny: Basically, when you mark the e-mail as junk, it's actually going through a different process where it will be basically blocked from future or it will be placed in the junk folder instead of your inbox. So that basically, it's a behavioral
process. When you just delete the e-mail, the same type of e-mail will appear next time in your inbox. But when you tell the software, such as Outlook, that this is junk, it will actually try to learn what basically type of e-mail was sent to you, and then actually place it directly in the junk in the future. So it's a, it essentially gives you the ability to control this type of junk e-mails.

Marina: Great, and let's talk a little bit more about antivirus software. So I know you, you spoke about why it's best not to use the free antivirus software that's available, but we've also had some questions come in about whether it's best to use the factory-installed antivirus, such as through Windows, over the commercial options. Could you speak to that?

Danny: Sure. So basically, Microsoft was under pressure for, for many years, to provide some sort of protection, like a minimal protection for end users or Microsoft users. And they ended up buying, actually, a small antivirus firm,
tiny, tiny antivirus firm. And they essentially created an antivirus, basically, which is extremely basic for end users. And they are giving it for free, OK? As a very basic protection. Obviously, for enterprise-level users, Microsoft has a different type of product, and it's, it's a different protection. But for end users, if you buy a laptop, let's say, from Best Buy, then you basically, it usually comes with either a free antivirus or a trial antivirus. So what you should look for is, like I said, look for antiviruses that are big names, first of all. Secondly, look for antiviruses that have the ability to mitigate ransomware, to mitigate different malwares, like very strong on the malware side. Make sure they actually have the ability for you to safely browse the Internet, so they have a web filter that actually will indicate which links are safe, and which links are not safe, so you will have a visual understanding of actually where to click, OK. And antiviruses that actually have a subscription, basically, are the ones who are gonna give you constantly fresh updates, not just to the database signatures, but also to the application itself. So it is very, very important to understand that free antivirus, all they do is basically just give you, like, extremely basic protection where they do not have any of the features, you know, and some of the antivirus even come with password vaults and VPN and so forth, so basically there'll be a lot of different features built into it. So look for that, and basically just based on your requirements, essentially, make sure to choose one. And, like I said, if you have an organization or business, I would definitely recommend IT people to use centrally managed antivirus systems. Normally, you do not buy them at a Best Buy type of environment. And as a managed service provider, we have access to special cloud-managed antiviruses that we can see in real-time, and this is how we monitor and protect computers and servers and data 24/7.

Marina: Danny, are you able to hear me?

Danny: Yes, now I can hear.

Marina: I'm so sorry about that, everyone, my internet just dropped for a moment. So sorry about that. Let's carry on with the questions. Okay, so Danny, when we were talking about antivirus, you mentioned web filters. Are there certain web filters that you recommend? And we also had a question from someone asking whether or not, if they just do a straight Google search, if they might come up with fraudulent websites. You know, is that something that a web filter protects against?

Danny: Like I mentioned, a web filter basically checks the website's content before clicking on them, and it analyzes basically what scripts are loaded, and it compares them to the signatures from the signature databases. And if it recognizes anything that actually is close to any threat, it will actually give you a red light. It will actually give you a red dot, saying, this is, this is dangerous. And even if you
tried to click on it, it will actually not let you click on it. So that's how basically a web filter works. And there are no different types of filters. There is, basically, it's important that the web filter will be compatible with different browsers, because we have today different browsers such as Microsoft Edge. We have Google Chrome. We have Mozilla Firefox. So it's very important that this type of web filter will actually be compatible with all the browsers, not just like, for
example, one browser like Google Chrome, but, yeah, not all antiviruses out there will have a web filter, so look for the one that actually has that feature and switch to that if possible.

Marina: Excellent. And I think we're going to be moving on to our final question, which has come up from a few folks. Can you comment on Google Drive, or, say, Microsoft OneDrive? Are those secure places to store your files? Should organizations be concerned about using those kinds of cloud systems?

Danny: That's a very good question. So, basically, Google Drive and OneDrive from Microsoft are basically cloud-based storage, and they're excellent places where you can store files. The reason is, basically, first of all, it's cloud-based, so you can access the files from any device. Secondly, it's actually a secure place, so, basically, everything is password protected. So Google Drive, specifically, for example, if somebody will try to log in to your Google Drive from a different device, you will get a notification right away that there is someone else accessing your Google Drive. So, it's a very secure location. The only problem is that the place where you put docs, such as Google Drive, you will actually, if you delete the file accidentally, that file will go to the recycle bin, where it's going to sit there for 30 days and then it's going to be expunged forever, right. So, you will have no way to retrieve it back like this. So basically, there is only this, this would be like a minus about that. Microsoft OneDrive, the same. Now, the good thing about Microsoft OneDrive and Google Drive is that you can actually tell Microsoft OneDrive to back up your desktop and My Documents automatically and synchronize it to OneDrive. So this is actually very important. Because essentially, if, let's say, you fell for a ransomware attack, and you basically lost all of your computer data, you will have everything saved on OneDrive, OK. And if, for example, somebody on OneDrive decided to encrypt all your data, the good thing about OneDrive, it's actually using technologies, such as allows you basically to have a version history. So you can actually bring back the file to a different actually time. So basically, you can see it's sort of like a backup. So you can basically say, I want to restore this file to a week ago, and you will have a list of all the versions on your screen. So this is actually a great way to kind of like store things
and be, and know that actually, if anything happens, you're actually in control of your data. But of course, it's very important to still have a proper backup. And what we do normally is we actually set up cloud-to-cloud backups where we integrate, for example, into Microsoft Office 365 environment. And we back up OneDrive, we back up SharePoint three times a day and your e-mail is also backed up. Hackers find a way to, to basically disrupt your operation, no matter what. And what they do, sometimes, they would actually disable the whole e-mail services for the whole organization, and we can actually restore those services. Microsoft will not do that for you. So, it's very important still to have backups, and if you decide to do a backup, make sure to use a USB drive, but do not keep it plugged in. Make sure to unplug at the end.

Marina: Excellent. Well, thank you so much, Danny. I see we're a little bit over time here, so I know for those of you that need to jump,
you know, please do so as, you know, we will be sending out the full recording afterwards later today. But I wanted to just thank you, Danny. Great presentation, so informative, and for those of you who didn't get your questions answered, Danny has very generously included his contact information here as well, so please feel free to reach out. I wanted to just turn things back over to Brent from OASSIS, again, just, Brent, did you have any final words before we wrap up today?

Brent: Just to thank Danny for doing such a great job, as you said, and to CharityVillage for hosting this for us today. We are very pleased to be sponsors, and thank you everybody who's still on the line, stuck through it. And have a great day, everyone.

Danny: Thank you. Thank you, everyone. Thank you, Brent. Thank you, Marina.

Marina: Wonderful. Well, thank you so much to both of you. Brent, we completely agree, it was a wonderful presentation, and we thank you and OASSIS for bringing this to our audience today, as well. I just wanted to remind everyone that you will receive that follow-up e-mail later today with the link to the recording. Again, please feel free to share this with your colleagues, and it's all publicly available. That e-mail will also include a survey link you can fill out with the feedback on today's webinar. Additionally, we are currently surveying the non-profit sector on its diversity, equity, and inclusion practices, and a link to the survey will be included in the
follow-up e-mail. It does take about 15 minutes to complete, and the last day to complete it is tomorrow. So I hope you will consider taking part. We will be sharing the results of that with everyone in the spring. On behalf of CharityVillage, thank you again! I hope you'll join us for our next free webinar, coming up on March 10th, where we will cover Digital Marketing and Google Ad Grants. You can find out more information on that and all of our upcoming webinars at charityvillage.com/webinars. Thank you, again, for taking part today. I wish you all a wonderful rest of your day. Bye bye!
