Wednesday, February 21, 2018

Watch out for Email Scams About the Olympics

There are reports that hackers are running a 2018 Winter Olympics phishing campaign that hides malicious code inside an image. Why is this particularly dangerous? Not only does hiding the attack inside an image help it evade detection, but once it actually runs, it uses a technique that generally won't get picked up by traditional antivirus solutions.

How is the Attack being Done?

The attack is being delivered via phishing emails disguised as alerts from the country's National Counter-Terrorism Center, with malicious Word documents attached. Once opened, the Word doc encourages readers to enable content. DO NOT ENABLE CONTENT. The tricky aspect of this attack is that no download of the actual image is necessary: malicious code can be run from either downloaded images or images hosted on the web. That means an attacker doesn't necessarily need to download an image onto a machine in order to get the malicious code to run on that machine.

What to do to protect yourself and your company

• Do not open email attachments from senders you don't know: You should be especially wary of Word documents that ask you to enable content/macros.
• Do not click on any links in an email

Tuesday, February 20, 2018

Third Party Risk

A phone call or personal meeting is often crucial for success when dealing with third parties that have access to your critical or confidential data. East coast partners like morning meetings; I think they take great pleasure in doing this to us Californians to get back at us for the amazing weather we have. When we have business partners, we have to get assurance that they are practicing appropriate security and have a mature security program with good security controls. Make sure you have security standards to share with your partners, and ensure that they can follow them. These standards should cover contract language, their development environment, coding standards, ongoing assessments of their systems and processes, and much more. The last thing you want is for a breach of your data to occur when you had not done adequate assessments of your business partner.