(866) 251-4459 support@compnetsys.com
OAuth Phishing Attacks: Threat Advisory

OAuth Phishing Attacks: Threat Advisory

What You Need To Know About OAuth Phishing Attacks
Amnesty International has reported that OAuth Phishing attacks targeted dozens of Egyptian human rights defenders since the beginning of this year. They are warning that these human rights defenders should be vigilant and contact them if they receive any suspicious emails.
“Since January 2019 several human rights defenders and civil society organizations from Egypt started forwarding dozens of suspicious emails to Amnesty International. Through the course of our investigation, we discovered that these emails were attempts to access the email accounts of their targets through a particularly insidious form of phishing known as OAuth Phishing … We estimate the total number of targeted individuals to be in the order of several hundreds.” Amnesty International
What Is OAuth Phishing?
The Egyptian authorities are using a new spear-phishing technique called OAuth phishing. OAuth is an industry-standard protocol used for authorizations. All computer users should beware of OAuth Phishing.
OAuth Phishing is being used to abuse the legitimate authorization feature of online service providers that lets third-party applications gain access to an account. OAuth is the protocol used by many companies, including Google, Facebook, Amazon, and Microsoft. It’s used to manage access to user data across these and other platforms.
With access to a user’s email account OAuth can add events or flight times to their calendars. The OAuth Phishing hackers use malicious third-party applications to trick users into giving them access to their accounts.
OAuth Phishing targets OAuth tokens instead of passwords. When a user grants a third-party app the right to access their account, the application uses the OAuth token instead of a password. Egyptian authorities are gaining unauthorized access and use third-party apps to compromise users’ accounts.
How Does OAuth Phishing Work?
The hacker uses phishing emails with fake security warnings from Google to trick victims into clicking on a malicious link. The victim is instructed to click the “Update my security now” button. When they do, they’re sent to a third-party application called “Secure Mail.” This prompts the OAuth process.
But that’s not all. They are then asked to give the “Secure Mail” app access to their Gmail or other accounts. They’re told to click on the “Allow” button. When this happens, the hacker gains access to the victim’s account.
Now the attacker can use a malicious application to:

Download other messages, attachments and files.
Search for and read their messages.
Install filters and forwarding rules.
Inject macros into Word documents.
Access users’ contacts.
Get into OneDrive and search for downloaded files.
Extract emails by searching for keywords.
Setup malicious Outlook rules.

Amnesty International warns that these OAuth phishing attacks also target users’ Yahoo, Gmail, Outlook and Hotmail accounts.
How Can You Prevent Your Employees From Being Victimized By OAuth Phishing?
The best way is to be educated. Security Awareness Training is the go-to solution to keep employees informed about security threats and how to avoid them. But, because OAuth phishing can be difficult to detect and the victim authenticates through a legitimate site, people are still being tricked.
OAuth Phishing can be hard to identify. And, even with Security Awareness Training, people are being tricked. They’re trained to look for suspicious website URLs and to use Two-Factor Authentication. But these tactics don’t work to prevent OAuth phishing.
Phishing messages can convince users to click links that deliver malware or reveal their user credentials. Now with new tools, OAuth is being used for this. The account can be accessed until authorization is explicitly revoked. Not even password resets or using 2-factor authentication will work to stop it.
Train and test your users to:

Spot phishing messages and specifically OAuth phishing messages.
Know how to submit suspicious email messages if they find them.
Defend and respond to OAuth attacks.

Along with Security Awareness training, companies must ensure that their IT service companies have set up the technology, policies and remote monitoring and management to detect these OAuth attacks.
What Does OAuth Recommend?
You can visit this page for security guidance. They say that if a suspicious or malicious third-party application is found in the OAuth environment that all permissions should be revoked. Then review remote monitoring logs to learn what was compromised.
They also suggest that you:

Limit the number of third-party applications that can be accepted.
Disable any third-party applications that you don’t need.
Search and monitor all third-party applications that have been approved for use, and check for suspicious activity.
If you use Microsoft Office 365, be sure to monitor your application permissions in the Cloud App Security.

The Bottom Line
All of your employees should be educated about the dangers of OAuth and other phishing attacks. They should always use best practices and only access applications that they trust.
Also, make sure that you and your IT provider periodically review the list of applications that you use. Revoke access to all applications that you no longer need.

Create Your Own Fonts In Windows 10

Create Your Own Fonts In Windows 10

Create Your Own Fonts In Windows 10
You may have been using Windows 10 for some time now, but it’s likely that you haven’t mastered all of its features just yet.
Did you know that you can create your own fonts?
In the Windows store, you can get the “Make Your Own Font” app, a great way to add a personal touch to anything you may need to write. For example, you could even send an email in your own handwriting!
All you need to do is fill out the alphabet letter by letter (lower and upper case) as well as numbers and symbols. Then you name it, save it, and upload it via Control Panel > Fonts.
The next time you’re drafting something and find that Times New Roman is too formal, you’ll be able to switch to your personalized font instead.
Let us know what you think about this Windows 10 tech tip.  Just reply to this email.  Over the next few weeks, we’ll have more Windows 10 tips for you.

Why Today’s CEOs are Worried About Cybersecurity

Why Today’s CEOs are Worried About Cybersecurity

The top concern for CEOs today isn’t competitors or a recession — it’s cybersecurity. See why this is becoming the biggest challenge for an organization’s top executive.
Why Today’s CEOs are Worried About Cybersecurity
A business’s top executive has plenty on their minds: the potential of a major recession, competitors nipping at their heels and a shortage of talent. However, none of these hot topics are the top concern for US CEOs in 2019 — that banner falls to cybersecurity. When there are so many other issues facing organizations, why is cybersecurity the highest business concern for CEOs? Perhaps part of the issue is the continual cycle of mainstream media coverage of the massive breaches such as Equifax in 2017 that affected millions of individuals and can cost billions of dollars to resolve. It could also be the high-profile challenges that Facebook, Yahoo, Under Armour and Marriott have been facing over the past few years. A recent poll of over 1,400 CEOs and senior executives by The Conference Boardpoints to some of the reasons cybersecurity is a top strategic consideration for CEOs in 2019.

CEOs Struggling to Find the Right Cybersecurity Leaders
One of the key threats facing today’s CEOs is the ability to adequately resource their cybersecurity teams. This relatively new need is one that is causing a significant shortage in the hiring market, with organizations wrestling with budget requirements for an increasingly-expensive skill set. Unfortunately, the dearth of talent is not just at the executive leadership level, it is also causing IT departments around the country and the world to flounder as they attempt to staff up to meet the growing needs of cybersecurity as well as data compliance requirements. These individuals will be in high demand for the foreseeable future as gaining knowledge about cybersecurity requires time and investment in education. Savvy CEOs and other technology leaders have been growing these skills internally for the last several years, but having a split focus between cybersecurity requirements and their “day job” can quickly cause individuals to fall behind in the ever-changing security landscape.
Keeping Cybersecurity Initiatives in the Limelight
It’s relatively easy for CEOs to keep shorter-term strategies top-of-mind for their executive teams, but there are no quick solutions to enhancing your organization’s cybersecurity. This requires a long-term, focused effort — and resisting the siren songs of short-term gains to ensure that your strategic focus on IT security stays in place. Changes in the economy or in the competitive marketplace may tease CEOs to redirect some of the funds or teams to other parts of the organization, but it’s crucial that top executives stay in tune with the benefits that cybersecurity provides to the organization. In many cases, the changes that need to be made to make your organization more secure will also have payoffs in the efficiency of your operations, too.
Marketplace Perception of a Data Breach
The extremely negative perception and sheer quantity of negative publicity that can come with a data breach are reason enough for CEOs to be overly concerned about the cybersecurity within their organization. It doesn’t take long for smaller, leaner competitors to enter many marketplaces, and these organizations can receive positive publicity if larger organizations are caught up in a breach situation. How the business handles their communication around a massive breach, ransomware or other cybersecurity incidents can be as damaging as the incident itself if the CEO isn’t careful. These situations require a great deal of proactive communication and notification to customers along with the major effort required to evaluate the incident and begin remediation. Without a comprehensive incident response plan in place, the situation becomes that much more difficult for leaders throughout the organization.
Creating a proactive field for cybersecurity does start at the top, which makes it encouraging that CEOs are considering cybersecurity their very top initiative for 2019. As long as this focus on IT security and the value for the business continues strong over the next few years, businesses should be able to prepare adequately to weather this type of storm.

What Is Network Segmentation?

What Is Network Segmentation?

What Is Network Segmentation?
Businesses that offer WiFi to their customers or have sensitive data needs should consider network segmentation as a necessary component of their IT solution.

With network segmentation, your wireless services are separated into different parts, allowing you to better control access and data flow.
Network segmentation splits your wireless services into different segments or subnetworks. By establishing separate networks, you significantly reduce your company’s security risks.
Instead of putting all your corporate and guest traffic on the same WiFi network, segment the activity to keep sensitive data apart from visitors, reduce risk.
Why?
When devices are connected to the same network, by default they can “talk” to other devices on the same network. That increases the potential for devices to listen to network traffic without any rules or monitoring in place.
The risk is lower if all the devices on your network are trusted and managed by your company. However, you could have a problem when less trustworthy devices are connected, such as guest and visitor smartphones, legacy computers and servers, or employee personal devices.
How Does Network Segmentation Work?
Network segments are designed with their own hardware and only allow credentialed users to access the services. Rules are built into network configurations to determine how devices on subnetworks can connect with each other.
Network segmentation limits the impact if there is a system intrusion by containing the threat within a subnetwork.
What Does a Typical Segmented Network Look Like?
For many small- and medium-sized businesses, there is only a need for a simple, two-subnetwork structure. A corporate subnetwork would be used for company-owned and -managed devices, providing access to the internal company subnetwork and, through a firewall, to the internet.
A guest subnetwork would be built to provide access to the internet only, also through a firewall. It keeps those guest devices disconnected from the corporate subnetwork from the start. Employee-owned devices can also be connected to a guest subnetwork.
Your business, whether it’s a medical practice, retail operation, auto dealership or professional services firm, may want visitors and guests to have WiFi access. It’s an appreciated service for those who need connectivity and do not want to use up their allotted data. If that service is the expectation or norm, you want to make sure it’s done carefully.
What Are the Security Benefits of Network Segmentation?
Security is the primary reason to choose network segmentation. The benefits are considerable

Stronger Security Standards. Segmentation allows you to better protect your most sensitive data. With layers of separation among your segmented networks, you’re putting up additional barriers to all users — whether well-intended or not.
Slowed Access for Attackers. If there is a breach to one segment of your network, it will be more difficult and take more time for the attacker to reach other parts of your system.
Minimized Threat from Outside Devices. Outside devices may have been hacked for the sole purpose of accessing corporate networks when connected. Often hackers install programs that lie dormant until connected to a wireless network. If compromised guest devices are contained within a subnetwork, the impact is minimal.
Better Policy Development. Strong network segmentation means your company can better restrict user access. Using a policy of least privilege lets you limit user access to files and systems to only what’s necessary.
Limited Damage. Network segmentation lets you reduce any damage inflicted by successful attacks. A breach to a single device within a subnetwork will mean less time and money to repair the damage of a widespread, system-wide assault.
Improved Performance. An added benefit of having segmented networks are the performance gains. With fewer devices on each subnetwork, local traffic is minimized and broadcast traffic can be isolated and prioritized.

What’s Needed to Start Network Segmentation?
If your internal IT staff does not have experience with network configuration, it’s a smart move to work with a local managed services provider to complete the project. Your business should do the following in preparation for a segmentation project:

Identify your network and data security needs, including the sensitivity of data you use and the business impact of compromised data and system downtime
Know where the data you want to keep safe is stored and how they could be separated
Determine who needs access to information on your network and limit access to only what is necessary by department or role
Identify those who will be responsible for monitoring and maintaining your network. A managed IT services company can do both remotely with net-generation firewall solutions

Network segmentation is a strategic move to keep data protected and accessible only by those who need it.

Online Excel Training: Tips & Techniques For Managing Workbooks

Online Excel Training: Tips & Techniques For Managing Workbooks

Organization Shouldn’t Be Complicated
Out of all of Microsoft’s Office programs, Excel is one of the most universally used. What started out as a fairly basic spreadsheet program has evolved into a must-have business tool. However, the more you use Excel, the more data your workbooks will accumulate.
Keeping these workbooks organized and easy to navigate can be a challenge. We can help with that. Check out our short Excel: Tips and Techniques for Managing Workbooks training video, available to you free and on-demand.
Simply Click Here.
Watch at your leisure, and say goodbye to your Excel frustrations.