True North Networks Blog
Have you thought about what your boarding pass might say about you, and what data might be leaking publicly on that piece of paper that you most likely discard in the seat pocket in front of you? It turns out it is more risky than you think.
What is PNR?
PNR stands for “passenger name record”, a data-rich record that’s generated every time you book a flight. This record is a 6-character alphanumeric code that aids in managing your booking through the airline’s website. It contains confidential information such as name, date of birth, passport details, car or hotel bookings, last 4 digits of the payment credit card, etc. So you may ask, how does this affect me and my security? Example below:
Imagine you are a hacker. You may know that I have just flown from London to Bangkok with British Airways, for example. You also know that my return flight is in two weeks, that I flew economy, and that a vegetarian meal was requested on the outbound flight. You put the pieces together based on my travel history and craft the following email, acting as British Airways: “If you require a vegetarian meal for your return flight, please click the link below to ‘order it now’. As an important customer of ours, we would like to upgrade you to ‘business class’ as well and to do so, please click the below link to accept the offer”.
With all of the accurate information mentioned, who wouldn’t click that link?
Unfortunately, the aviation sector, like many industries, has a lot of work to do when it comes to cybersecurity, but we as passengers also have a responsibility for our data. Let’s not make it easy for the bad guys.
What can we do to reduce this risk?
- Don’t post pictures of your boarding pass or luggage tags online.
- Try to avoid identifying which airline you are flying with in any social media posts. If I didn’t know which airline you were using it would take a lot longer and a lot more effort to go through trying each airline’s website flying that route to find the one you were using.
- Destroy your boarding pass and luggage tags securely, ideally with a cross-cut shredder. Keep them in your possession until you return home and can dispose of them securely, and certainly don’t leave them in the seat back in front of you on the plane!
- Only give the airline the information it marks as essential when booking your flight. If it is not marked as a compulsory field then leave it blank. Reduce the amount of personal information they hold on you in the first place.
Information taken from: https://red-goat.com/uncategorized/boarding_passes/
As it turns out, there are many potential benefits to switching to a VoIP telephone system. Below are some of the ways that making this change can decrease cost and time investments while increasing productivity for your business:
Low Cost Per Call:
A VoIP telephone system utilizes Internet Protocol to make calls. Instead of using telephone lines, all communication data is turned into packets and sent over the IP network. The IP network your business uses could be your Internet connection, a direct IP connection to your telephone service provider or a combination of both.
On a traditional phone system, a line that runs to a home or business is assigned its own phone number. Any movement that takes place then becomes a trial of remembering the right codes or keys to dial on your phone. A lot of time can then be wasted by contacting phone companies to transfer services and phone numbers to new locations.
With a VoIP phone system, there are no physical limitations and you have the freedom to move as your business demands.
Versatility of Features:
Using VoIP phone systems allows you to multi-task with the most tech-savvy devices, allowing you to be the most productive you can be. Features such as voicemail to text and being able to forward messages and voicemail easily, and many more are available with VoIP phone systems. Because the VoIP service always goes with you, the features you find helpful can be added or subtracted with ease, allowing the system to grow with your business.
Simple Conference Calls:
Since all VoIP calls use a converged data network instead of dedicated phone lines, creating and participating in conference calls are made much easier.
Efficient Client Interaction:
In today’s global economy, businesses can be located anywhere which can mean frequent travel. This often means that meetings require travel. With a VoIP service, there is no reason to lose the ability to conduct important calls or to fail to forward essential documents.
Reliable in a Pinch:
A common worry that surfaces about VoIP is the fact that if the internet stops working, so does the ability to make calls. However, this doesn’t have to happen and like other features in VoIP phone systems, is incredibly flexible. The capability to choose where your calls are forwarded, and how, means that you also don’t have to lose productivity because of local power outages or weather-related events. If the office phone can’t be answered, your mobile device or laptop can.
Making the Right Decision for Your Business:
Understandably, any recommendation that requires wholesale shifts in how companies conduct business sounds too risky. Considering a move to a VoIP phone system can be confusing with all of the services and features that are available. It’s always best to have a knowledgeable, reliable VoIP partner at hand to assist you with major business decisions like this one. Contact us today to learn more about how we can assist you with your phone needs.
What is social engineering?
Social engineers take advantage of human behavior to pull off a scam. If they want to gain entry to a building, they don't worry about a badge system. They'll just walk right in and confidently ask someone to help them get inside. And that firewall? It won't mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend or LinkedIn connection.
What are the best ways to defend against social engineering?
- Train and train again when it comes to security awareness. Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyberthreats. Remember, this is not just about clicking on links.
- Provide a detailed briefing “roadshow” on whaling and the latest online fraud techniques to key staff. Yes, include senior executives, but don’t forget anyone who has authority to make wire transfers or other financial transactions. Remember that many of the true stories involving fraud occur with lower-level staff who get fooled into believing an executive is asking them to conduct an urgent action — usually bypassing normal procedures and/or controls.
- Review existing processes, procedures and separation of duties for financial transfers and other important transactions such as sending sensitive data in bulk to outside entities. Add extra controls, if needed. Remember that separation of duties and other protections may be compromised at some point by insider threats, so risk reviews may need to be reanalyzed given the increased threats.
- Consider new policies related to “out of band” transactions or urgent executive requests. An email from the CEO’s Gmail account should automatically raise a red flag to staff, but they need to understand the latest techniques being deployed by the dark side. You need authorized emergency procedures that are well-understood by all.
- Review, refine and test your incident management and phish reporting systems. Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.
Nearly a year ago, in February 2017, the IRS issued a warning regarding phishing attacks targeting a broad range of companies. The scam involves a hacker impersonating an employee of a company, usually the CEO, and sending an email asking for a list of employees and their W-2 forms. The hacker would then make fraudulent tax filings using the W-2 forms. The scam is similar to the traditional Business Email Compromise (BEC), which involves spoofing an employee account in order to direct wire transfers to fraudulent accounts. The scam was enormously successful. And while the IRS is taking steps to prevent the use of this information for tax fraud, companies that fall victim to these scams may still be liable under data breach laws and for other identity fraud that can be committed using this data.
Below are five questions in-house counsel should be asking their information security team to mitigate their company’s risk.
- Do we transmit employee HR information, particularly Social Security numbers and W-2 or similar tax forms, by email? Is it possible to limit the transmission to a more secure method, such as through a restricted access cloud account with limited permissions for access and downloading?
- If we do transmit these files by email, do we require them to be encrypted or password-protected? (And if so, how are these passwords created and shared?)
- Do we have a policy in place about who can access, request, or receive this information? Do we have a “whitelist” of people who should have access? And do we require phone or other confirmation before transmitting such information?
- Do we have logging in place for where we store this information that would allow us to determine if there has been unauthorized access?
- Have we done a search for similar domain names to ours that could be easily spoofed? (For example, if our domain is startup.com, do we also own stantup.com or slartup.com?) Are we aware of who owns addresses similar to ours?
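One way to act on the last question, as an added example that is not part of the original article: a Python check that flags sender domains within one edit of your own domain after folding look-alike characters. The confusables table, the one-edit threshold, the two-label "registered domain" simplification and the sample addresses are assumptions constructed for illustration.

```python
OUR_DOMAIN = "startup.com"  # the example domain used in the question above
# Constructed, deliberately small table of character sequences that read alike.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "5": "s"}

def skeleton(domain):
    """Fold look-alike sequences so visually equal names compare equal."""
    for seq, canon in CONFUSABLES.items():
        domain = domain.replace(seq, canon)
    return domain

def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "statrup" vs "startup".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(sender_domain, own=OUR_DOMAIN, max_distance=1):
    """Return 'own', 'lookalike' or 'other' for a sender's domain."""
    d = sender_domain.lower().rstrip(".")
    if d == own or d.endswith("." + own):
        return "own"
    # Simplification: treat the last two labels as the registered domain.
    base = ".".join(d.split(".")[-2:])
    if edit_distance(skeleton(base), skeleton(own)) <= max_distance:
        return "lookalike"
    return "other"

# Constructed sample of inbound sender addresses.
SAMPLE_SENDERS = [
    "ceo@startup.com", "payroll@hr.startup.com", "ceo@stantup.com",
    "ceo@slartup.com", "ceo@mail.5tartup.com", "news@example.org",
]

def flag_senders(senders):
    """Return the addresses whose domain imitates ours."""
    return [s for s in senders if classify(s.rsplit("@", 1)[-1]) == "lookalike"]

if __name__ == "__main__":
    for address in flag_senders(SAMPLE_SENDERS):
        print("review:", address)
```

The same `classify` function can be run over a list of newly registered domains to learn which near-matches of your name already exist.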
Implementing just a few of these tools and policies can help reduce your company’s exposure to cybersecurity attacks.
Resource taken from: https://www.jdsupra.com/legalnews/cybersecurity-for-this-tax-season-62995/