Security awareness doesn’t have to be complicated. In collaboration with the Platform Veilig Ondernemen, NFIR has created 9 instruction videos on the most important IT security topics in understandable language. Watch these videos to protect yourself and your organization from the effects of cybercrime. Do you have questions about any of these subjects? Please contact us.
- How do I set up Two Step Authentication?
- How can I check if my password has leaked?
- Why would you use a password manager?
- What is phishing and how do I prevent it?
- What is CEO fraud and how do I prevent it?
- How can I test the digital security of my company?
- How do I make a good backup?
- How do I find good IT security help?
- How does crime digitize?
How do I set up two-step authentication on my account?
That's the question we're going to answer in this video. To avoid confusion, we first go over the different names used for two-step authentication: it is also called two-factor authentication, two-step verification or 2FA. All these terms mean the same thing, namely confirming with a second factor that you are the person you say you are.
That confirmation is usually a code that you receive by text message or, as shown in this video, generate with an app on your phone. With either method, a hacker who knows your login details still cannot get into your account: to log in successfully they also need the current code, which only your phone can produce.
Getting hold of that code would mean stealing your phone, and the attack usually stops there because that physical step is too risky for the attacker. Two things to keep in mind: a code is only a second factor as long as only you enter it, so never type a code into a page you did not open yourself or read it out to someone who calls you; and where you have the choice, prefer an app over text messages, because a text message can be diverted to an attacker's phone by a SIM swap.
What do I set it up with?
It starts with downloading a two-step authentication app. There are several, for example Google Authenticator, LastPass Authenticator, Microsoft Authenticator and Authy. In this example we use Google Authenticator. You can download this app from the Google Play Store if you have an Android phone or from the App Store if you have an iPhone.
Once you have installed the app, look for an account or application on which you want to set up two-step authentication. That raises the question: where can I set it up? Two-step authentication is available on many accounts, such as G Suite, Office 365 and most social media, including LinkedIn, Twitter and Facebook. Many other modern applications support it as well; if in doubt, ask the supplier of the application.
How you set it up differs per application. In the application or on the website where you want to enable it, two-step authentication is usually found under settings, and then under account, login and/or security. If you cannot find it, search for "two-factor authentication" followed by the name of the application, for example "two-factor authentication LinkedIn". Please note: only click on the link that leads to the application's own website.
That page explains how to enable two-factor authentication for your account. When you indicate that you want to enable it, a QR code appears. Scan it with the app you installed: open the app, press the plus button and choose the option to scan a barcode. The app now shows a code; enter that code on the website to confirm that the app and the account are linked, and save.
Next you will be shown a set of emergency (backup) codes. Store these somewhere safe, digitally or printed on paper, but not on your phone: if the phone breaks or is stolen you lose both the app and the emergency codes at once.
This was a video about how to set up two step authentication on your account. If you want to be even more secure watch one of our other videos.
How can I check if my password has leaked?
That's the question we're going to answer in this video. First: how does my password become publicly available on the internet? When hackers break into an organisation, they sometimes steal a database of user passwords. Once the hackers have used that database for their own purposes, they often resell the data or make it available to other hackers. As a result, more and more people get access to the stolen data, and with more people holding it, more login attempts are made with it. This makes it more likely that your account is used for fraud or other criminal activity.
What do hackers do with a leaked password?
People often use the same password on different websites and applications. Hackers try leaked passwords on other websites and applications where the same password may be in use. In practice it happens that a hacker steals your LinkedIn password and uses it to get into, for example, your bol.com account and order products with the pay-afterwards option. The hacker gets the goods and you get the bill.
How can I check if my password has leaked?
Nowadays there are parties that collect databases of leaked login data with the aim of protecting people and organisations against misuse of that data. They earn their income by offering large-scale password checks to, for example, banks, which are alerted when their customers use passwords that may be known to hackers. To individual citizens the service is offered free of charge. The two well-known parties offering this service are Have I Been Pwned and Scattered Secrets. In this example we use Scattered Secrets, a Dutch website that collects leaked passwords. To check whether your password has ever been leaked, go to www.scatteredsecrets.com and enter an e-mail address that you use.
Then click on find hacked passwords. The website then tells you whether a password belonging to that address has ever been leaked. If one has and you want to know which password it was, follow the instructions to create an account at Scattered Secrets. Once that is done you get to a page where you can click on the magnifying glass to reveal the leaked password.
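As an added example (not NFIR's code, nor Have I Been Pwned's), here is how such a check can be done without ever handing over the password: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every known hash suffix with that prefix, so the comparison happens on your own machine. The response embedded below is constructed so the example runs offline; the counts in it are made up.

```python
"""
Added example (not NFIR's or Have I Been Pwned's code): checking a password
against the Pwned Passwords "range" API without ever sending the password.
Only the first five hex characters of its SHA-1 hash leave your machine; the
API answers with every known suffix for that prefix and you compare locally.
The sample response below is constructed so the example runs offline.
"""
import hashlib
from urllib.request import urlopen

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Return the 5-character prefix that is sent and the 35-character suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse the API body: one 'SUFFIX:COUNT' line per known hash with that prefix."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_text):
    """How often the password appears in the range body (0 = not in the known breaches)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_text).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup (needs network); the password itself is never transmitted."""
    with urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (the SHA-1 of "password" starts
# with it); the suffixes other than the second one and all counts are made up.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
21BD12DC183F740EE76F27B78EB39C8AD97:1
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print(prefix, breach_count("password", SAMPLE_RANGE_RESPONSE))
```

fetch_range(prefix) does the live call; pass its result instead of SAMPLE_RANGE_RESPONSE to check a real password. Looking up an e-mail address on a website, as in the video, tells you whether that address appeared in a breach; the hash-range check tells you whether a specific password is known, which is the question that matters for password reuse.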
Stop using that password and replace it with a new one. We recommend a new password of at least 12 characters that also contains numbers, lowercase letters, uppercase letters and special characters. Length and variety make a password much harder for a hacker to crack. A handy way to create a long and complex password is a passphrase, for example Schaapj3sH3bb4nw!tteV0etjes (sheep have white feet). Because of its length and the different kinds of characters in it, such a password is safe to use. Do not literally use this example, as it is publicly available on the internet; compose your own passphrase. Also use a different password for every website or application.
This prevents a hacker from logging in at several places with the same password. We also recommend two-factor authentication; how to set it up is explained in our other video: How to set up two-step authentication on my account.
Because good passwords of 12 characters or more are hard to remember, we recommend using a password manager. In another video we explain how to use a digital password manager. If a digital password manager really is not an option for you, you can also store your passwords physically: write them down in a password booklet and keep it in a safe place. We do, however, recommend a digital password manager whenever possible.
This was a video about how to check if any of your passwords have been leaked. If you want to be even more secure watch one of our other videos.
Why use a password manager?
That's the question we're going to answer in this video. Let's start with the question: what does a password manager do?
A password manager helps you with a number of things around managing your passwords. For example, it generates good, strong passwords: at least 12 characters long, with uppercase letters, numbers and special characters. Length is the most important factor in a good password.
Furthermore, the password manager remembers those long and complex passwords for you and stores them encrypted in the cloud. The advantage of cloud storage is that your passwords are available on every device on which the password manager is installed. In addition, a password manager can fill in usernames and passwords automatically on the website or in the application you are logging in to.
Besides the three functions above, a password manager offers other advantages: it is also a place to securely keep a copy of your passport, notes, credit card details or other information. For a company there are even more advantages. With a password manager, separate vaults can be created per department or even per employee: each employee then has his own set of passwords and, for example, the sales department cannot see the passwords of finance and vice versa.
Those are the benefits of using a password manager.
But is it safe to use? Yes, password managers are generally very secure, but we do recommend checking what reputable bodies such as the consumer association advise. Later in the video we present a list of user-friendly and secure password managers.
A password manager encrypts your passwords with a key derived from the master password that only you know, using encryption that even the most powerful computers cannot break by brute force. Because the provider never receives your master password, even the people who work at the password manager cannot retrieve your passwords.
What good password managers are there?
We recommend the following reputable online password managers.
- 1Password
- LastPass
- DashLane
- F-Secure Key
Apple has its own password manager. The advantage is that it comes with Apple devices and does not have to be bought separately. The disadvantage is that it only shares passwords between Apple devices: the moment you use a device that is not from Apple, you cannot get at your passwords. Users of the Google Chrome browser will also know the option to save passwords in Google.
However, this way of storing passwords is considerably less secure than a password manager. The browser protects the saved passwords only with your computer login, so any program (including malware) running under your user account can read them, and the passwords Chrome generates for you are not of the recommended length and complexity.
Can I also use an offline password manager?
Besides online password managers there are also a number of offline password managers, KeePass for example. An offline password manager does lack certain functions, such as easily sharing passwords between different devices, and you can lose your passwords if you do not keep proper backups, something an online password manager takes care of by itself. The advantage is that they are free, whereas most online password managers cost between 20 and 30 euros per year.
Finally, you can also choose to write down your passwords in a booklet. If you don't like the idea of storing passwords digitally. In a password booklet you can keep track of the passwords in an orderly manner. Of course, put the book in a safe place so that no one but you, or the people you trust, can see the passwords.
Also think of a smart way to create new passwords. For example, use a passphrase and remember the aforementioned requirements in the back of your mind.
How does a password manager work?
How you set up a password manager differs per product. The website of the maker usually has very clear instructions on how to download and set it up. An easy way to find the right instructions is to search for "getting started" followed by the name of the password manager, for example 1Password. Please note that you only click on the link that leads to the maker's own website.
Once set up, a password manager is very simple to use: you only have to remember the one strong password that unlocks the password manager, and the password manager does the rest.
If you forget that password, you can use the emergency kit you receive during set-up to regain access to your passwords. The emergency kit also allows a loved one to access the passwords in the password manager after your death, for example. So keep the emergency kit in a safe place. This was a video about what a password manager is. Do you want to be even more secure? Then watch one of our other videos.
What is phishing and how do I prevent it?
Even at (standard-)certified companies it turns out surprisingly often that employees are susceptible to phishing and social engineering.
What is CEO fraud and how do I prevent it?
That's the question we're going to answer in this video. CEO fraud is a form of phishing that abuses a management role. Two forms of CEO fraud occur regularly: fraud from organisation to organisation, and internal fraud.
The organisation-to-organisation variant often involves transaction hijacking and solicitation: an attacker positions himself between two negotiating organisations, or poses as one of the two parties, in order to siphon off money. We go into more detail on this later in the video.
In the case of internal fraud, the attacker poses as a manager in order to persuade an employee of the organisation to take action.
How does an attacker go about it?
In CEO fraud the attackers work in a routine way and their goal is to catch big fish. To achieve that goal they use advanced techniques. Usually they either take over a mailbox of the targeted organisation or register a look-alike domain name: a domain that resembles that of the targeted organisation but is owned by the attacker. From there the attacker orders a payment within the organisation, in the hope that the payment is made and the organisation's money ends up in the attacker's account. An example: an attacker creates management@NIFR.nl and uses it to send the finance department of NFIR e-mails, often in the name of the CEO, instructing them to make a payment. At first glance nothing is wrong, but look closely at the domain name and you see that the F and the I are reversed.
Many companies, as well as foundations and associations, have to deal with CEO fraud. What makes CEO fraud tricky is that the attackers do not follow one fixed method. They gather as much information as possible about the organisation so that they can carry out a targeted attack with a high chance of success. The best-known forms of CEO fraud are management fraud and transaction hijacking and solicitation.
Management fraud: the attacker poses as the director or management of an organisation, using information usually taken from LinkedIn or from the registration at the Chamber of Commerce. The attacker sends an "internal" e-mail from the director to the employee responsible for financial transactions, asking whether an outstanding invoice can be paid as soon as possible. The e-mail often contains wording that pushes the employee to act quickly and not to question the assignment: it has to be done today and it has to be done fast, the CEO is counting on the employee, and the money is for a project with large organisations such as governments and universities. All this to make the transaction seem legitimate.
Transaction hijacking and solicitation: the attacker interferes in a purchasing process and takes over the communication at a certain point, usually at the very last moment, when bank account numbers are exchanged. The attacker replaces the legitimate recipient's account number with his own so that the money goes to him. There have also been cases where the communication was taken over at an earlier stage, with the attacker running the entire purchasing process without the other party noticing. In this form of fraud there are ultimately two victims: the party that transferred the money to the attacker suffers financial damage, and the party whose identity or communication was abused suffers reputational damage.
How do I prevent CEO fraud?
Prevention is a challenge but not impossible. Firm rules, combined with trusting your instincts, prove to be the most effective. We discuss some concrete organisational and technical measures. Organisational measures that can be taken are:
- Never approve transactions by e-mail: have payments approved in person or by phone, so that there is an extra check because you recognise the face or voice of the person giving the order. When you call back, use a number you already have, not one from the e-mail.
- Make sure procedures are not bypassed: procedures concerning transactions apply even for small amounts.
- Four-eyes principle: only execute transactions under the four-eyes principle, so that every transaction is double-checked.
- Awareness: make employees aware of the characteristics of CEO fraud e-mails. Often a strong emphasis is placed on the authority relationship, and the payment is given as an order. The so-called CEO stresses that confidentiality is of great importance and that the assignment may not be shared with colleagues. The employee is praised and made to feel important: he or she has been chosen for the assignment because of his or her exceptional qualities, and the success of the action is placed on that employee's shoulders. All this increases the pressure.
The fake e-mails sent by these fake CEOs are usually also recognisable by a spoofed sender address. Very often it appears to come from the company's own domain, but for example an l is replaced by a capital I. Add to this the time pressure: money must be transferred quickly.
Awareness is an effective first step in the fight against CEO fraud. From a technical point of view we recommend enabling two-step authentication on all communication channels used within the organisation; this prevents a hacker from taking over an employee's account. How to do that is explained in our video: How to set up two-step authentication.
In addition, you can get ahead of the criminal by registering look-alike (typo) domains before criminals have the chance. Think creatively about which variants can be made from your real domain name: is there an O in it? Then register the variant with a 0 as well.
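As an added example (not NFIR's code), here is a small script that produces the look-alike domains worth registering for your own domain, and classifies the domain of an incoming sender against that list, using the NFIR.nl versus NIFR.nl example from the video. The substitution table is an assumption: a small set of common typo and homoglyph tricks, not an exhaustive list.

```python
"""
Added example (not NFIR's code): generate the look-alike domains an attacker
might register for your domain (so you can register them first, or watch for
them), and classify an incoming sender's domain against that list. The
substitution table is an assumption: a small set of common typo and homoglyph
tricks, not an exhaustive one. Uses the NFIR.nl / NIFR.nl example from the text.
"""

# (what the real domain contains, what the attacker swaps in)
SUBSTITUTIONS = [
    ("o", "0"), ("l", "1"), ("i", "1"), ("i", "l"), ("l", "i"),
    ("rn", "m"), ("m", "rn"), ("vv", "w"), ("w", "vv"),
]


def lookalike_variants(domain):
    """All single-edit look-alikes of the registrable name, keeping the TLD."""
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    # adjacent transposition: nfir -> nifr
    for i in range(len(name) - 1):
        swapped = list(name)
        swapped[i], swapped[i + 1] = swapped[i + 1], swapped[i]
        variants.add("".join(swapped))
    # omission and doubling: nfir -> nfr, nfiir
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])
        variants.add(name[:i] + name[i] + name[i:])
    # homoglyph substitution at every position where it applies
    for src, dst in SUBSTITUTIONS:
        start = name.find(src)
        while start != -1:
            variants.add(name[:start] + dst + name[start + len(src):])
            start = name.find(src, start + 1)
    variants.discard(name)
    return {v + "." + tld for v in variants if v}


def classify_sender(sender_address, legit_domain):
    """'legitimate', 'look-alike' or 'unrelated' for the domain of an e-mail address."""
    domain = sender_address.rsplit("@", 1)[-1].strip().lower()
    legit = legit_domain.lower()
    if domain == legit:
        return "legitimate"
    if domain in lookalike_variants(legit):
        return "look-alike"
    return "unrelated"


if __name__ == "__main__":
    for candidate in sorted(lookalike_variants("nfir.nl")):
        print(candidate)
    print(classify_sender("management@nifr.nl", "nfir.nl"))
```

Feed lookalike_variants() your real domain to get the registration shortlist; classify_sender() is the check a mail filter, or a cautious finance employee, applies to the From address of a payment request before acting on it.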
This was a video about what CEO fraud is and how to prevent it. If you want to be even more secure, watch one of our other videos.
How can I test the digital security of my company?
That's the question we're going to answer in this video. Let's start with what digital security testing consists of. The digital security of a company can be tested by means of a pen test, a walk-in action or red teaming, and a phishing test. Together the results give insight into how digitally secure the business is.
A pen test
In the cyber security world, digital security testing is called pen testing, from the words penetration and testing. These tests are performed by ethical hackers: hackers who use their knowledge to alert organisations to digital open doors, in order to stay ahead of malicious hackers and protect the organisation against an attack. A pen test is therefore a preventive measure in favour of digital security. Pen testing is generally done in one of three ways: black box, grey box and white box.
The shade indicates how much prior knowledge the ethical hacker has of your systems. In a black-box pen test the hacker has no prior knowledge. In a grey-box pen test only a few things, such as certain login details, are shared with the hacker. In a white-box pen test the hacker is given all information in advance in order to search specifically for vulnerabilities. Which form is used depends on what needs to be tested.
The walk-in action
A walk-in action is a physical test of security as well as a digital one. The physical part checks whether servers, workstations and the digital infrastructure are accessible to unauthorised persons. If they are, attackers can get into the building and steal or sabotage information, including digital information, from the inside.
The phishing test
A phishing test shows how resilient employees are against digital attacks and how aware they are of their own part in security. People usually turn out to be the weakest link. Employees who are not alert can unknowingly contribute to important passwords, company data and personal data leaving the organisation without authorisation. Phishing tests train staff to stay alert and act correctly when they receive a phishing e-mail.
Why should I have my company tested?
In today's society it is important that companies have their digital security in order, so that confidential information such as personal data is not available to unauthorised persons. Companies are expected to have insight into how their digital security is arranged. A pen test, among other things, gives you that insight and lets you remedy any vulnerabilities straight away. It is also a unique selling point when a company can demonstrate that its digital security is in order: companies that run the various tests periodically can put themselves on the map better than companies that do not. On top of that, customers are making ever more demands on companies' digital security and increasingly ask to see the results of a recent test before doing business.
How do I test my digital resilience?
Some of the tests you can do yourself, mainly those around digital awareness among employees. A nice test is to send a date picker for the company barbecue from a look-alike domain and check who clicks on the link and fills in a date. Afterwards you tell everyone that it was a test and that a certain percentage of recipients did not look at the sender of the request and so fell for a phishing action. In this way you can monitor and increase employee awareness yourself. If you want to test the security of, for example, your website, IT infrastructure or application, it is best to use an independent party that employs ethical hackers; you then get an objective and reliable picture of your level of digital security. It is important to select a party that meets the following requirements:
- The organisation is based in the Netherlands, in view of the regulations and liability.
- The organisation must be able to demonstrate and explain how they operate and be transparent in the execution of the assignment.
- The organisation must operate in a safe manner and process and store any data obtained in a safe manner.
- The organization employs ethical hackers who are certified and work according to internationally recognized standards.
- The organisation is a member of a sector association of the cyber security sector.
You can also use these same criteria if you want to choose a company that performs a walk-in action for you.
Finally, we advise you to always follow your feelings when choosing an organization. If an organization doesn't feel right, look for another one.
This was a video about how to test your company's digital resilience. If you want to be even more secure, watch one of our other videos.
How do I make a good backup?
That's the question we're going to answer in this video. How you make backups varies greatly from device to device. In this video we will explain how to make a good backup and specifically how to make a backup of a windows computer, a mac, an iphone and an android smartphone.
What's a good backup?
A good backup follows the 3-2-1 principle: you keep three copies of your data (the original and two backups), on two different types of storage medium, for example an external hard drive and a NAS, and one of those copies is kept at a different physical location or online.
Unfortunately this rule cannot be applied everywhere, but for most computer systems it is possible to back up this way.
The 3-2-1 principle is the way to achieve redundancy: if one backup stops working or is destroyed, by fire for example, you can always fall back on one of the others and the data is not lost. Make a backup at least once a week; then the data you lose is at most a week old and the damage stays reasonably limited. Does your company generate a lot of administration and important data? Then consider running a backup several times a week.
In any case, swap the hard drive or NAS connected to your computer with the one at the other location at least once every two months. With the 3-2-1 principle it is very important to keep the two backups at the same location separated: make sure that at least one of them is not actively connected to the running IT environment, or that the network is properly segmented. This prevents the backups from being encrypted along with everything else in a ransomware attack: the malicious software cannot reach a backup that is offline or on a separate network segment, so it is spared.
Apart from making backups properly, it is also important to test whether your backups can actually be restored without loss of essential data. So test regularly whether a backup can be restored, and how quickly, so that you are prepared when it really matters.
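As an added example (not NFIR's code), here is a restore test you can automate: at backup time you record a manifest of file paths and SHA-256 hashes, and after restoring you compare the restored tree with that manifest. This catches files that are missing or silently corrupted, including files that ransomware had already encrypted before the backup ran. The directory tree is constructed in a temporary folder so the example runs stand-alone.

```python
"""
Added example (not NFIR's code): a restore test you can automate. At backup
time you record a manifest (file path -> SHA-256). After restoring, you compare
the restored tree against that manifest, which catches files that are missing
or silently corrupted, including files a ransomware infection encrypted before
the backup ran. The directory tree below is constructed in a temporary folder
so the example runs stand-alone.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupted": sorted(p for p in manifest
                            if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }


def restore_is_clean(report):
    """True when nothing is missing, changed or added compared with the manifest."""
    return not (report["missing"] or report["corrupted"] or report["unexpected"])


def demo():
    """Constructed scenario: back up, restore and verify; then damage the restore and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "data")
        (source / "notes").mkdir(parents=True)
        (source / "invoices.csv").write_text("id,amount\n1,100\n")
        (source / "notes" / "todo.txt").write_text("test the backup\n")
        manifest = build_manifest(source)          # recorded when the backup is made

        restored = Path(tmp, "restored")
        shutil.copytree(source, restored)          # stands in for a real restore
        clean_report = verify_restore(manifest, restored)

        # Simulate what ransomware or a failing disk does: one file overwritten, one gone.
        (restored / "invoices.csv").write_bytes(b"\x00\x01 encrypted garbage")
        (restored / "notes" / "todo.txt").unlink()
        damaged_report = verify_restore(manifest, restored)
        return clean_report, damaged_report


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore ok:", restore_is_clean(clean))
    print("damaged restore:", damaged)
```

Store the manifest with the backup and keep a copy elsewhere; verifying against a manifest that itself sits on the damaged backup proves nothing. Run verify_restore() after every test restore and keep the report; timing that run also answers the question of how quickly a restore can be done.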
How do I make a backup of a windows computer?
Backing up Windows is very easy these days. All you need is three external hard drives; a NAS can be one of them. The capacity of these storage media must be twice the size of the data to be backed up. Click the Windows logo at the bottom left, type "backup" and open the backup settings that appear. Click the plus button, select the drive you want to back up to and run the backup. If this does not work, search for "backup on windows". We recommend the instructions of the consumer association; to find that guide, search for "backup windows consumer association".
How do I back up a Mac?
Creating and restoring a backup of a Mac is very easy with the Time Machine application, which is installed on every Mac by default. Again you need three external hard drives, and a NAS can be one of them; the storage medium must also be twice as large as the data it backs up. Exactly how to run the backup is explained in detail on the Apple website: search for "backup Mac", and keep the 3-2-1 principle in mind.
How do I make a backup on an iPhone (iOS)?
An iPhone can be backed up in two ways, and it is a challenge to comply with the 3-2-1 principle. The two things you can do are, however, enough to keep your data safe. The first is a backup to iCloud; make sure that your photos and other important files are included. Eventually this storage will fill up as the backup grows; extra storage can be bought for a small amount per month, and we recommend paying it: losing important files is worse than a few euros. Also make sure your iCloud account is protected with two-step authentication; how to set that up is explained in our video "How to set up two-step authentication".
Apple explains clearly how to set up the backup: search for "set up backup iphone". The second thing you can do is back up to a computer through iTunes (on recent versions of macOS this is done from the Finder instead). Install iTunes on your computer, connect the phone and follow the instructions; search for "backup itunes" for the details.
How do I back up on android phones?
How you back up an Android phone unfortunately differs greatly per manufacturer. Search online for "how do I back up" followed by the name and model of your phone, for example "how do I back up my samsung s 50".
This was a video about how to make a good backup. If you want to be even more secure, watch one of our other videos.
How do I find good IT security help?
That's the question we're going to answer in this video. IT security help can be divided into two categories: preventive help and reactive help.
Preventive help includes the means that prevent an attack or help to detect one. It also includes tests such as an audit or a pen test, which is specialist jargon for ethical hacking.
What a pen test is and what it involves is covered in another video: "what does digital security testing consist of".
Reactive help includes the services you purchase from an organisation that comes to support you, for example with recovery after a hack or with the subsequent forensic investigation.
In order to determine whether IT security assistance is good and reliable, we have drawn up a number of criteria that the helping organization must meet:
- The organization is based in the Netherlands because of the liability.
- The organisation must be able to demonstrate and explain how they operate and be transparent in the execution of the assignment.
- The organisation must operate in a safe manner and process and store any data obtained in a safe manner. They should be able to demonstrate this.
- The employees of the organisation are screened, to a higher standard than a VOG (certificate of conduct).
- The organisation is a member of a sector association of the cyber security sector.
Where can you find good suppliers of IT security assistance?
The most accessible way to find good IT security help is to ask around in your network: colleagues, former colleagues or other entrepreneurs who already know a service provider. They can tell from experience whether the proposed organisation is good and reliable and what makes it pleasant to work with. Besides colleagues and entrepreneurs, you can also search online for organisations that offer these services, for example: "get a pen test done", "help with a hack" or "get an IT audit done". Also remember the following rules:
- The first one isn't always the best.
- See what else there is, ask different parties for information and compare them.
- Quality also comes at a cost.
This was a video about how to find good IT security help. If you want to be even more secure, watch one of our other videos.
How does crime digitize?
Let's start with the question: which crime is digitising? Nowadays there are almost no crimes left that take place without a digital component, from burglars scouting homes via Google Street View to the most sophisticated and catastrophic hacks. Traditional organised crime, meanwhile, is hard at work adding digital components to its portfolio. Errand boys and straw men (money mules) are no longer recruited on street corners but through social media such as Instagram, Snapchat and Telegram.
The same goes for finding new customers: the middlemen disappear and the margins increase. Logistics and communication have made the biggest leap. Through digitisation, organised crime can run its business remotely and follow products live, using beacons, a kind of improved track-and-trace. They also obtain data for money laundering through hacking: for example, customer files of companies are sometimes stolen and reused by hackers as legitimate customers on paper.
Besides these digitised forms of traditional crime, well-known scam techniques have been digitised too. Every day there are attacks in which organisations and individuals are scammed out of large or small sums of money. This happens in many different ways, but phishing is by far the most common technique. How to prevent phishing is explained in our video "what is phishing and how do I prevent it".
Why does crime digitise?
The digitisation of traditional crime has the same motives as digitisation in general. The following examples outline the reasons.
- The first reason is convenience. It is easier to control things remotely, and a lot can be done with relatively few actions, such as selling drugs through the dark web: an easy way to reach and serve your customers.
- The second reason is safety and anonymity. On the internet you can be anonymous much more easily and quickly, and crimes committed by digital means are hard to trace back to physically existing persons.
- The third reason is continuity. Digitally you are less dependent on third parties and it is easier to keep the criminal business going, despite the police and judiciary doing their utmost to counter it. For this reason it is also important to report cybercrime: the police gain a lot from this information and every little bit helps to catch the criminals.
This was a video about how crime digitises. If you want to be even more secure, watch one of our other videos.
Also read: The 5 biggest cyber security risks