You need to implement Multi-Factor authentication to protect your critical business data and cloud services.

Second Factor (MFA) Authentication – something you know, something you have.

Have you implemented 2FA yet?

Let’s begin with what is Muti-Factor or 2 Factor authentications. The simplest definition is; something you know like a password and something you have like a USB token, SMS text, authenticator app on your cell phone.  The best 2-factor authentication process is the one you will use.  Any 2FA is better than no 2FA.  I had a debate with a “security expert” who said SMS authentication is not secure; it is true that it is not the best choice. It is better than relying on a password alone.  I would not recommend clients relying on SMS to protect their most valuable assets. Start with something that works for you for ‘the something that you have,’ like SMS or voice call. Develop the habit of implementing Multifactor authentication everywhere.

Large enterprises have been using multi-factor authentication for decades to protect their systems and data against unauthorized access. What I find interesting is for the past 15 years, a friend has had a small token calculator for accessing their European bank account online; nice to see financial institutions protecting their clients.  I would love to see this level of protection in Canadian banking institutions; however, SMS is a good start (It is an improvement over nothing).

So how does 2FA work?  You first need to set up your multi-factor authentication method with the application you desire to secure. 

How to secure our LinkedIn account with Second Factor Authentication. 

  1. We first login normally.
  2. Click on me
  3. Select Security and Settings
  4. Choose Account Tab
  5. Under login and security choose two-step verification
  6. Turn on
  7. Choose SMS or Authenticator app
  8. If choosing the Authenticator app. Install the Google, Microsoft, Authy or other authenticator apps on your device, which you will always have with you.
  9. Using the authenticator app – to add the account, scan QR code with the Authenticator.
  10. When the Account shows up added in your authenticator app, enter the 6-digit code on LinkedIn to verify the Authenticator activation.
  11. LinkedIn will confirm that Two-step verification is activated successfully.
  12. Now each time you log in to LinkedIn, enter your username and password. Then you will be prompted to enter your 6-digit code from your authenticator for LinkedIn.
  13. You will get an email to your LinkedIn registered email notifying you that you have enabled two-step verification.

Using 2-factor authentication becomes an automatic habit that protects our identities.  Yes, it is an inconvenience, just a little; however, the increase in protection is worth it. An account compromise is a major inconvenience.  Please consider this years ago, people complained of the inconvenience of wearing safety belts in their cars, now people don’t even discuss it, it is part of our safety culture. Let’s all make protecting and securing our identities as a part of our security awareness culture.

There are ways to create two-factor authentications for your business. If you have questions, stay tuned for future blog articles.  Please feel free to reach out by message to speak with me about two-factor authentications to protect your organization. If your needs are pressing, please call my office to arrange a time to meet by phone or Zoom meeting.

The worst advice is not to implement any two-factor authentication as that method is not the best or most secure.

Stay Safe and Secure.
Jeff S Brodie
Managing Partner – Codefusion Communications Inc.

Do you have feedback or questions? Feel free to schedule a call to speak with me.

Your FAV browser is under attack – Google Zero-Day vulnerability UNDER ATTACK!

Halloween is meant to be fun! However, this news released by Google is downright frightening; about another ZERO-DAY vulnerability. You need to update your Google Chrome browser immediately. This news meets the theme for FRIGHT NITE!  In a Halloween fright night announcement, Google discloses a Zero-Day Vulnerability. This announcement releases information identifying Google Chrome cyber vulnerabilities; putting Millions of devices at risk!  

Chrome Browser – Cyber Attack Target

“Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild,” Google Chrome security team said in a blog post. Is there nothing sacred anymore?  Not in the digital world. This is a great move for a developer to be documenting their vulnerabilities on their blog.  It is a good thing that others like Forbes also pickup and publicize the news getting the information out to the public at large. 

The boring details that the few want to know! When developers create massive programs like Chrome there is 1000’s of lines of software code. This inevitably can expose the program to attack when clever and malicious Threat-Actors (those with criminal intent to steal your information), learn of these bugs which allow them to use the ‘software bug’ to gain access to computer systems running the program through the application bugs (vulnerabilities). Google along with many security testers (good guy – White Hat Hacker) organizations test, discover and report these bugs and vulnerabilities. The software owner will develop a fix (patch) to correct the software bug in their software to close the loophole (vulnerability).

The moral of this story: You need to be vigilant in this assault against vulnerabilities. Organized Cyber Criminals are using to target user systems for data theft for profit.  Most importantly keep your software and security patches up to date. (When you see a little Red Arrow in the Top right corner click on it to update your Chrome browser.)

Stay Safe and Secure.
Jeff S Brodie
Managing Partner – Codefusion Communications Inc.
Have questions? Book a free consultation call with us?

SPEAR PHISHING – Targeted phishing for “big fish”. The greatest threat to your organization.

Businessman protecting piggy bank with sword and shield. Conceptual business illustration. Isolated

Back to my childhood fishing stories, they really do tie in here as well.  I can remember going to a fast stream to go fly fishing for Rainbow Trout and Specks as they are called. I remember seeing these kids standing on the rocks right at a large pool just near the fastest water. Someone had a spear in their hand, they were targeting, then spearing the largest and juiciest trout in the stream. I thought that just isn’t fair.  They did their research and they knew where the largest, the best fish would be and using a spear they could precisely target the ideal fish to give them the greatest reward for their efforts.

Let me introduce you to a tactic which cyber-criminals use called ‘ Spear Phishing’, this is where the criminal identifies the big fish and goes after the juicy reward. They learn about the organization they are targeting, and they learn who the “big fish” is (CEO, the boss etc.) and who the persons are that report to them. This reporting person would hold the keys to the kingdom. Busy Executives sometimes have a very direct language in their email – a command language (Terse and to the point).  They might also be intense people and not very forgiving of those who do not follow their instructions precisely. 

These emails come in as requests (demands) for Company Personal Identifiable Information (PII), like the issue that happened at Sprouts in California, where an email which appeared to be from the CEO asked for the list of all employees with all data (Employee SIN/SSN, address, etc.). The Director of HR personally sent the information for all 28,000 employees to the Phishing person whom he thought was the CEO.  He just caused a major privacy issue for this organization by simply following what he thought was a command request from his superior. This is what is known as a spear-phishing email.  Another spear-phishing example where a CFO received an email from the president informing them to wire $250,000 to a bank account as he just finished a deal.  The email purportedly told the CFO, “you know I am at this conference, and have limited access to email, please do not delay this deal needs to be closed today!”  What are people in these positions expected to do? 

It is important that we put in place checks and balances to ensure that these demands being made in the email are true. As busy executives, we need to understand the risk and create a method for our staff to validate these requests. We need to educate and empower our staff to question the validity of these requests and have them validate our email addresses before they do anything.  Perhaps as executives, we need to inform our staff, we will not request large financial transactions be performed via email only.  Perhaps these types of transactions could be handled via telephone calls or have a “Please call me if you are not sure” policy.

We need to make it a priority to protect our organization from leaking confidential information and causing financial loss.  Protecting our organizations from Cybercrime is a team effort; that we in management must commit to educating ourselves and our staff on how to recognize both Phishing and Spear Phishing attacks. 

Stay Safe and Secure.
Jeff S Brodie
Managing Partner – Codefusion Communications Inc.
Have questions? Book a free consultation call with us?

PHISHING is not always so obvious! However it is a big area of risk for your organization!

I remember as a child I would go with my brothers to find fishing worms. We knew the pickerel liked worms, and we always had luck catching them in our favourite fishing hole behind our house on the river.  My dad, on the other hand, would take those small coloured marshmallows along when he went fishing for lake trout. Apparently, lake trout also like those little coloured marshmallows! My dad had great luck using marshmallows as bait (I bet satisfying his own sweet tooth as well). The key to catching fish is to know what they like and have let them take the bait.

In the Cyber Security world, Phishing for information is very similar to fishing.  Phishing is using something someone will bite on (eg. click on, log into) to give up useful information, like credentials, to the criminals Phishing. Cybercriminals know where to find their prey, know what they are likely to bite on and have a mechanism to collect that information. 

Cybercriminals have the sophistication and intelligence-gathering operations to be highly effective at obtaining highly sensitive credentials and access financial transactions.

Phishing today can be difficult for people to identify, especially when the victims are targeted well. I was nearly fooled when I was quickly skimming over messages and I saw an email from an industry colleague that had a link to news about the latest cyber threat, I clicked on it only to see my Security tools popup and block that action! BUSTED! What saved me was having the latest security tools (intelligence-driven tools backed by deep learning and analysis). Tools like this are essential to protect us in today’s crazy world. 

Cybercriminals are very sophisticated, and they have intelligence gathered on their audience and know what they will bite on. I saw a good example on Facebook in September where a message came in my messenger with a link to a video where the caption was “Is this you?”. Then when you clicked on the link you needed to “log in to Facebook” (on a mimicked Facebook site designed to steal your credentials) to access the video.  Many people ended up handing over their Facebook user name and password.  Very effective on a social media platform where people are anxious to see what their friends are sharing them.  A well-executed ‘Social Engineered Attack’ based on human curiosity. (You need Multi-factor authentication – more on that in a future post).

We need to recognize Phishing as a serious threat to the security of our company assets. Do you have the training material to educate yourself and staff to identify phishing emails/sites and take appropriate actions? Is this overwhelming and frustrating?  Feel free to reach out to me and my team. We would be happy to have a conversation with you about Phishing.  We can demonstrate training and testing platforms which you can use to protect your organization.

Stay Safe and Secure.
Jeff S Brodie
Managing Partner – Codefusion Communications Inc.
Book a free consultation call with us?

Are you teaching your employees to keep their eyes open? Cyber Security Awareness Training.

The US FBI Agency has issued a Public Service Announcement on High Impact Cyber Attack Warning and the threat it poses to its national security and business world.

October has been dedicated to Cyber Security Awareness Month.  Cyber is all things digital, all things connected which means an office, the internet, telecommunications, video streaming and you got it, even the traffic systems.  While automation in the digital world has provided us with many conveniences like instant communications around the globe, the latest information on world economics and when your child has arrived at school through GPS tracking of smartphones.  There are two sides to the blade, so to speak, one is good and one side can be devastating, the question is how do we protect ourselves?

I recall in a Karate lesson where our Sensei (instructor) said “a punch doesn’t hurt any less with your eyes closed. However, with your eyes closed you do not have an opportunity to avoid that punch nor do you have an opportunity to counter that move”.  Cyber Security Awareness month is about keeping your eyes open and realizing that we are dealing with an ongoing attack coming from all sides.  The best defence is not just a good offence it is truly a good understanding of what the threat is.  Our best defense is a prepared and trained front line.  Our employees are on the front line dealing with these threats, and unless we as leaders take an active role in helping them get educated, there will be holes that can and will hurt us.

Use October to help your team get educated about Cyber Security and how to spot an attack.  Not everyone will get it right the first go-around, however, repeat education which raises awareness in your organization is the first step to protecting your company.  Education along with a sound Cyber Security strategy including education, testing, tools and monitoring will help to fortify your organization against common attacks.  This reminds me of an old saying “An ounce of prevention is worth a pound of cure.”

Stay Safe and Secure.

Jeff S Brodie, Managing Partner – Codefusion Communications Inc.

Welcome to Codefusion Blog

Hello there. Our blog will contain information about Cyber Security, Applications, tutorials and other useful tidbits.