Brett Klieforth, Author at CCB Technology. IT services that move your business forward. Feed last updated Tue, 11 Mar 2025 21:16:30 +0000.

Email Security: Uncomplicating SPF, DKIM and DMARC
https://ccbtechnology.com/uncomplicating-spf-dkim-dmarc/
Thu, 20 Feb 2025 18:44:57 +0000

The post Email Security: Uncomplicating SPF, DKIM and DMARC appeared first on CCB Technology.
Imagine standing outside of your business, or any larger office you’ve been to. From the moment you walk through the front door, there are visible measures to keep the building secure: a receptionist, visitor check-in, ID badges, cameras, you name it. Email security works the same way. When an email arrives at your mail server, you need to have similar measures available to prevent unauthorized “visitors” from sneaking in. This is ultimately the purpose of SPF, DKIM and DMARC.

Here’s the most important part of this article – you’re not behind on this topic. It doesn’t matter if you’re a leader in your organization who makes policy decisions, or if this morning was the first time that you’ve ever checked an email inbox. Everyone has trouble understanding email security, especially when it comes to SPF, DKIM and DMARC. That being said, now is the time to learn.

As engineers at CCB, my peers and I have worked with many companies to help harden the security of their email environments. It wasn’t until the massive uptick in phishing attempts and the recent DMARC requirements from Google and Yahoo that the drive for these tools changed.

We went from recommending these tools to our clients to working with new companies that can’t function because they’re forced to use these tools and don’t understand the information their vendors are asking them to incorporate!

But there was still one issue. The topic is very technical, yet businesses still need to understand it. Why? Because there’s a high likelihood that these records will need to be updated or reconfigured as the business evolves.

So, let’s assume that you’re non-technical and want to understand what SPF, DKIM and DMARC are and what they actually do.

It’s simple – you just need to secure your corporate office! (not literally, although that’s a great idea as well…)

SPF (Sender Policy Framework)


In our analogy, SPF is your receptionist. When a visitor enters the building, the receptionist is there to identify who they are and whether or not they should be in the building. Let’s say they look at a list of meetings for the day to find out which visitors are expected to show up. That list is the SPF record. If the visitor is expected, they are given a badge and allowed to go to their meeting. If the visitor isn’t expected, no entry is allowed!

When it comes to your email, SPF looks at which server (by its IP address) delivered the incoming message and compares it to a record (the list) of allowed senders published for your domain. If the server that sent the visiting email is on the authorized list, the email is marked with an SPF Pass! If it isn’t an expected visitor, the email is marked with an SPF Fail.

This is the main record that needs to be updated regularly. Let’s say you start using a new marketing company that sends emails for you. When one of your customers receives an email from that company using your email address, their server checks your SPF record to make sure that it’s an expected sender. If the marketing company’s servers haven’t been added to your record, the email is marked with an SPF Fail.

We’ll talk more about what the pass or fail means in the DMARC area.

DKIM (DomainKeys Identified Mail)


Now that the visitor is past the lobby and has their badge, they’re free to go to their meeting. If someone in the halls questions them to see whether or not they should be there, they can present their ID badge for verification. That badge is DKIM.

DKIM adds a unique digital “badge” to every outgoing email, called a “signature”. 

Now let’s take a page out of a spy book quickly and imagine the visitor, halfway down the hall, ducks into a doorway and changes the name on their badge to try and impersonate one of their competitors. They hurry to the meeting, but once they arrive, they find out they need to swipe their badge. They swipe their badge but get pulled aside when their name doesn’t match the information in the system.

With email, the sending server looks at the contents of a message and attaches the signature described above. When that email is received, the receiving server uses that signature to make sure that while the message was in transit (“walking the halls”), the content wasn’t changed. If the content is identical, it marks the email with a DKIM Pass. If it was edited in any way after it was sent, it will be marked with a DKIM Fail.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)


In a well-oiled corporate environment, there may be security rules that define what to do in the event that an unexpected visitor shows up, or you find someone wandering your halls without proper credentials. Security might escort them out of the building right away, or maybe they’re taken to a holding area for questioning. This is the function of DMARC.

DMARC is the overarching policy that tells receiving servers what to do if an incoming email fails SPF and DKIM. Should the server block the email? Should it be quarantined for review? Or should it turn a blind eye and deliver it anyway? (and let the meeting attendees deal with figuring out if the visitor is legitimate or not.)

In Review:

SPF (Sender Policy Framework)

  • Verifies the sender’s IP address against a list of authorized senders
  • Ensures that only authorized servers can send emails from a domain

DKIM (DomainKeys Identified Mail)

  • Digitally signs and authenticates email messages
  • Confirms that messages haven’t been tampered with in transit

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

  • Tells receiving servers how to respond to emails that fail both SPF and DKIM authentication
  • Helps domains address domain spoofing and phishing attacks
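To make the three checks concrete, here is an added example written for this article (it is not code from the CCB Technology post) that models what a receiving mail server does with the records described above. It assumes constructed DNS TXT records for the placeholder domains example.com and bulkmail.example (the marketing vendor), IP addresses from the RFC 5737 documentation ranges, and a constructed message. It simplifies SPF to the ip4:, include: and all mechanisms and checks DKIM only through its body hash (bh=), leaving out the RSA signature check over the headers that a real verifier also performs. It goes one step beyond the text by showing DMARC alignment: a message passes DMARC when either SPF or DKIM passes for the domain in the From address, and only when both fail does the p= policy apply.

```python
"""Simplified receiving-server checks for SPF, DKIM and DMARC (added example)."""
import base64
import hashlib
import ipaddress

# Constructed DNS TXT records standing in for what a resolver would return (placeholder domains).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:bulkmail.example -all",
    "bulkmail.example": "v=spf1 ip4:198.51.100.0/24 -all",   # the marketing vendor's record
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tags(text):
    """Turn 'k=v; k2=v2' (DKIM-Signature and DMARC record syntax) into a dict."""
    return dict(part.strip().split("=", 1) for part in text.split(";") if "=" in part)


def spf_check(domain, sender_ip, depth=0):
    """Is sender_ip allowed to send for domain? Returns an SPF result string."""
    if depth > 10:                        # RFC 7208 caps lookups; runaway include: chains are an error
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                     # no record published: the receiver learns nothing
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                      # a, mx, exists, ... are not modelled in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def dkim_body_hash(body):
    """bh= value: base64(sha256(body)) under 'simple' canonicalization (CRLF, one trailing newline)."""
    canon = body.replace("\r\n", "\n").replace("\n", "\r\n").rstrip("\r\n") + "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def dkim_check(dkim_signature, body):
    """'pass' if the body still matches the hash the signer committed to, else 'fail'.
    Simplification: the RSA signature (b=) over the headers is not verified here."""
    expected = parse_tags(dkim_signature).get("bh", "").replace(" ", "")
    return "pass" if dkim_body_hash(body) == expected else "fail"


def aligned(auth_domain, from_domain):
    """Relaxed DMARC alignment, approximated as the same domain or a subdomain of it."""
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def dmarc_evaluate(from_domain, mail_from_domain, sender_ip, dkim_signature, body):
    """Combine SPF and DKIM with alignment, then apply the From domain's p= policy."""
    spf = spf_check(mail_from_domain, sender_ip)
    dkim = dkim_check(dkim_signature, body)
    dkim_domain = parse_tags(dkim_signature).get("d", "")
    spf_aligned = spf == "pass" and aligned(mail_from_domain, from_domain)
    dkim_aligned = dkim == "pass" and aligned(dkim_domain, from_domain)
    dmarc = "pass" if (spf_aligned or dkim_aligned) else "fail"   # one aligned pass is enough
    record = DNS_TXT.get("_dmarc." + from_domain, "")
    if not record.startswith("v=DMARC1"):
        disposition = "deliver"           # no policy published: the receiver applies its own rules
    else:
        policy = parse_tags(record).get("p", "none")
        disposition = "deliver" if dmarc == "pass" or policy == "none" else policy
    return {"spf": spf, "dkim": dkim, "dmarc": dmarc, "disposition": disposition}


# Constructed message and the DKIM-Signature header its sender attached (b= not modelled, see above).
BODY = "Hi,\nYour invoice for March is attached.\n"
DKIM_SIG = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel1; h=from:to:subject; "
            "bh=" + dkim_body_hash(BODY) + "; b=<signature-not-modelled>")

if __name__ == "__main__":
    cases = {
        "own mail server": ("203.0.113.10", BODY),
        "marketing vendor via include:": ("198.51.100.25", BODY),
        "edited in transit": ("203.0.113.10", BODY.replace("March", "April")),
        "unlisted server, edited body": ("192.0.2.77", BODY + "Extra line added by someone else.\n"),
    }
    for name, (ip, body) in cases.items():
        print(f"{name:30} {dmarc_evaluate('example.com', 'example.com', ip, DKIM_SIG, body)}")
```

Running it walks through the four situations from the analogy: mail from your own server passes both checks; mail from the marketing vendor passes SPF only because the include: entry was added to your record; a message edited in transit fails DKIM but is still delivered because SPF is aligned; and a message from an unlisted server with a changed body fails both, so the receiver applies the published p=quarantine policy.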

That’s all

Securing an office building is a continual process. You need to be able to welcome your visitors while simultaneously keeping intruders out of your halls. The same principles apply to your email environment. 

SPF, DKIM and DMARC, coupled with legitimate training to identify malicious emails, are the number one way to keep your company’s information safe and under your control. I hope that understanding what they are is no longer a roadblock, and that the only thing left to do is to make sure they are set up in your environment too!

Email security is crucial! Consult our experts and discover how we can help you strengthen your organization’s security.


Understanding AI Privacy Controls for a Secure Workplace
https://ccbtechnology.com/understanding-ai-privacy-controls/
Wed, 02 Oct 2024 20:06:34 +0000

If you’re reading this, you likely own, manage or work for a company that handles sensitive data. Chances are there are people in your company finding completely valid uses for cloud-based Large Language Models like Bard, Gemini, Claude and ChatGPT.   
 
Most of us have heard the spiel about protecting our information when using these services, but you probably haven’t considered the scale of information that is gathered automatically. 
 
What’s Really Being Collected 
If your company is using a tool like ChatGPT, be aware that the following information is likely recorded (depending on the service) and may be tokenized for the purpose of training future models:

  • Everything you enter into the chat  
  • All Responses  
  • Geolocation 
  • Public IP 
  • Contact Information 
  • Account Information 
  • Device and Browser Cookies 

Now don’t get me wrong; there are ways around this. You just need to be informed.   

Privacy Settings, the Little-Known Option 
Let’s take OpenAI and ChatGPT, for example. With over 200 million weekly users, it’s probably a safe bet that people in your company are using them. 
 
In response to the mountain of people complaining about data security, OpenAI has implemented the ability to opt out of data harvesting on their free and premium tiers. Not only that, but their new Enterprise subscription tier covers this setting by default. These are huge moves by the company that show they are taking this problem seriously, especially when included as a default feature.
 
Though completely understandable, it’s unfortunate that so many people choose not to utilize this technology due to privacy concerns when there are more secure options available. It’s important to explore all the avenues and make sure you have the proper information before making the decision to completely rule it out – especially considering the benefits of AI. 

Don’t take it from me, read how you can opt out of data harvesting from the two companies that actually offer the option: 

What They Do and Don’t Do with Your Data  
The last thing I want to cover before we move on is a misunderstanding about what happens to data that is collected. OpenAI isn’t selling your secrets. They aren’t using your data for advertising and they’re not purposefully training their models to try to sell you products. 
 
The real threat to your company comes when your data is included as training material, because it may show up in GPT’s responses when future models release. This goes for all models, not just OpenAI’s. This type of leak can cause competitive disadvantages, product disclosures and even compliance violations that put your business at risk. 
 
Real Events Highlight AI Risks 
Let’s cover a real-world example. In 2023, it was widely reported that a significant leak involving Samsung Semiconductor occurred when employees (rightly aware of the benefits of using GPT) wrongly uploaded source code so the LLM could help with bug fixing, and used their phone and the GPT app to record meeting notes and create an automated presentation from that information. That protected data was stored and likely utilized by OpenAI to train their next model.

Once a new model comes out and users begin to test out new prompts, there’s a chance that information like this may appear in GPT’s responses. Other users developing similar products may be fed this information, and Samsung would suffer from the leak. Of course, if a model has the information, it will provide it! This heavily simplifies the situation, but it happened, it worked, and it could happen to your company too. 

Since then, Samsung has banned any and all internal use of “generative AI”. Not just ChatGPT, but all models and modalities. What some do not report, however, is that they understand the massive benefits that generative AI brings to the table. So much so that they are currently developing their own model, which will run on their internal network without sharing any data with a third party.
 
What Should Your Company Do 
Examples like the one we just covered should be enough for your company to take this information seriously. Take a few minutes and review the links above to understand what the companies are doing with your data, and what the privacy settings cover. Figure out the best way for your users to tackle privacy concerns and opt out of the data collection when using these services for anything even remotely related to work. If your company is adopting AI in a major way, think about using an offline model that guarantees that your data is secure. On top of that, do legitimate training with your staff on the proper handling of sensitive information in general! 
 
We’re calling it now. Leaks like this will revolutionize future phishing attacks, but we’ll have to dive into that in a future article. 

How CCB Can Help 
Whether you’re looking to streamline your IT operations, embark on new IT projects, or need assistance with procurement, our team is ready to elevate your business with cutting-edge solutions. Don’t let the potential of AI and digital transformation pass you by. 

Contact us today to discover how we can help your business thrive securely in the era of AI. 

What to Do if You Clicked on a Phishing Link! A Step-by-Step Guide.
https://ccbtechnology.com/clicked-phishing-link-guide/
Fri, 25 Aug 2023 17:14:18 +0000

First, take a deep breath. Yes, you’ve clicked on a suspicious link, and yes, time is of the essence – but it’s okay. Clicking a phishing link happens more often than you’d think, and this guide is here to help. We’ll provide more information on Phishing and how to avoid needing this guide again in the future, but for now – let’s address the issue.

1. Go Offline

Our first action is to cut off any communication between potential viruses and the attackers that sent them.

BEFORE YOU DISCONNECT:

If you haven’t already, open this blog on your mobile device so you can continue to follow along and disconnect your compromised device.

(Image: a QR code to easily access this blog from your mobile device.)

To go offline, you’ll need to unplug your ethernet cable or turn off Wi-Fi on your device.

How to unplug your ethernet cable:

Press down on the plastic clip at the top or bottom of the plug. Pressing down on the clip will release the anchor, allowing you to pull it from the device.

(Image: a common ethernet cable.)

How to turn off Wi-Fi (wireless internet):

  1. From the Windows desktop, click the Wi-Fi icon at the bottom right-hand of your screen. Utilize the touchscreen (if available) or mouse to select the on-screen options.
  2. From the Wi-Fi section (on the right, above the taskbar), click the connected Wi-Fi network address.
  3. Click Disconnect.

2. Start Your Antivirus Software

Next, open your trusted antivirus software. Select the option for a full or comprehensive system scan and start it. This is your digital defense force; let it find and neutralize any threats. If you don’t have antivirus software, now is the best time to pick one up. If you’re on a work computer, talk to your IT department to get their preferred software installed as soon as possible.

Kaspersky Free, Bitdefender Free or Avast One are great free options if you can’t afford to sign up for a paid version!

Note: If you have disconnected from the internet and have not previously installed antivirus software, you can download the installer on a different device and transfer it over with a USB drive. Copy the installer to the computer that needs to be scanned, install the software, and use it to clean the PC. Once you are done cleaning the PC, scan the USB drive (if possible) before removing it to use somewhere else!

3. Change Your Passwords

If there is a chance you’ve been compromised, it means those attackers could have also gained access to your personal accounts! Let’s make sure to lock any potential invaders out. Start with your most sensitive accounts – email, online banking, social media, or anything that holds valuable personal or financial information. Remember, each account needs a strong, unique password!

If you struggle to keep track of all your passwords, now is probably a good time to consider installing or enabling a password manager like 1Password or Bitwarden. Both options are considered leaders in the password manager category. Password Managers help by storing your login information for all your websites, suggesting long, unique passwords, and then auto-filling the password area when you return to the website to help you log in with complex credentials you might not otherwise be able to remember. This ensures that no two accounts utilize the same credentials, so if one account is compromised, the others are likely safe!

4. Monitor Your Accounts

Despite having updated your passwords, it is important to remain vigilant and closely monitor your accounts for any suspicious or abnormal activities in the coming days. If something looks odd, get in touch with the support of the webpage, or in the case of a bank, call their fraud line immediately.

Some examples of suspicious activity include replies from people you haven’t contacted, password reset emails, or two-factor authentication codes appearing when you haven’t requested them!

5. Report the Phishing Attempt

Reporting the incident helps protect others, too. Inform your workplace’s IT department if it’s a work device or your email provider if it came via email. You can also report phishing attempts to your local law enforcement cybercrime unit or your country’s equivalent of the Federal Trade Commission (FTC) in the U.S. Learn more about reporting or report an event directly to the FBI here!

6. Learn and Adapt

You’re now part of the informed internet users’ club, more prepared to spot and avoid phishing attempts in the future. Stay vigilant! Always scrutinize the sender’s address and think twice before responding to unsolicited messages asking for personal information.

And… you’re done! A big sigh of relief is in order. You’ve acted promptly and wisely to protect your digital self. Remember, this guide is here for you anytime you need it. Stay safe, friend!

Additional resources:

8 User Tips for Identifying Phishing Emails

Microsoft 365 Information on Phishing Emails

Microsoft’s Most Common Phishing Trends

ITGovernance’s Easiest ways to Spot a Phishing Email

Dispelling the Myths of Multifactor Authentication
https://ccbtechnology.com/dispelling-multifactor-authentication-myths/
Thu, 03 Aug 2023 16:36:01 +0000

In our rapidly evolving digital world, protecting your online information is crucial. One effective security measure that has gained significant attention is Multifactor Authentication (MFA). Yet, despite its rising popularity, misconceptions about MFA run rampant in all industries. We’re here to debunk these myths and make cybersecurity more accessible to everyone.

Myth 1: MFA Means Extra Steps Every Login

Many believe that MFA requires additional verification every time they log in. The truth is that modern MFA systems often utilize ‘adaptive’ or ‘risk-based’ authentication. This intelligent approach considers factors such as your location and device type [1]. If everything seems usual, you might only need your password. If something’s off, then the system asks for additional proof, striking a balance between a smooth user experience and strong security.

Myth 2: MFA Always Requires an App on a Cell Phone

A common belief is that MFA is synonymous with having a special app on your cell phone. While some MFA methods involve using an app to receive a verification code or notification, this is NOT the only approach. Multifactor Authentication can also be performed via biometrics (like fingerprints or facial recognition) [2], hardware tokens [3], or even text messages [4]. It’s important to remember that MFA is designed to be flexible, ensuring everyone can use it, irrespective of their device.

Myth 3: MFA is Just for Compliance

Some people also think MFA is just a compliance check for regulatory bodies. Yes, many compliance frameworks require MFA, but it’s not its sole purpose. MFA is a robust security measure offering strong protection against unauthorized access to accounts. It’s more than ticking a compliance box; it’s about safeguarding your sensitive data.

Myth 4: MFA is a Quick Fix for a Security Breach

The notion that MFA can be enabled after a breach to quickly fix security issues is outright dangerous. Multifactor Authentication is not a reactive solution, but a proactive measure to prevent unauthorized access. When an organization implements one of the various MFA solutions before a breach occurs, it can significantly reduce the risk [5]. It should be part of a larger security strategy, including strong password practices, regular software updates, and security education.

In Conclusion

Multifactor Authentication is an accessible, intelligent, and proactive security measure that doesn’t solely rely on cell phone apps to meet compliance requirements. Remember, the purpose of MFA is to keep your digital life secure by verifying your identity when some sort of risk is present, preventing unauthorized access. By dispelling these myths, we hope to encourage more people to adopt this essential layer of online protection.

Want to learn more about your MFA and IT Security options?

CCB offers a wide variety of security services that allow you to choose the right solutions for your needs. We’ll help you get secure and stay secure. Tell us about your IT security needs.

Footnotes

  1. Microsoft, “Adaptive MFA” 
  2. National Institute of Standards and Technology, “Biometric Authentication” 
  3. Microsoft, “OATH Hardware Tokens” 
  4. Microsoft, “Set up Text Messaging as Your Verification Method” 
  5. Microsoft, “One Simple Action You Can Take to Prevent 99.9% of Account Attacks.” 
