Definition
DDM
- Any legal entity under Diamond Digital Marketing Group
- Any Digital Assets operated under the Business Name of Diamond Digital Marketing Group
- Teammate: any contractor or individual employee in DDM’s Group
Practice
An internal framework and guideline that teammates follow.
Objective
To protect the digital assets of DDM Group from being exploited, DDM Group provides this Cybersecurity Practice for all teammates in DDM Group to follow.
General Practice
The principle of least privilege (PoLP)
The principle of least privilege (PoLP) will be applied in every permission-granting situation, so that permissions are fine-grained along parameters including session, capabilities, role, related projects and related clients.
Cybersecurity Vulnerabilities
Human Vulnerabilities
A large portion of cybersecurity vulnerabilities derive from human activities. An event-driven approach is used to suggest practices for these kinds of vulnerabilities. The events are as follows:
Device lost, stolen or sold
Vulnerabilities
- Login and password information saved in the browser can be exploited.
- Login and password information can be extracted from a compromised application, and those credentials can then be used in login attempts against other applications within DDM Group.
- Leakage of PII stored on the local drive.
Practice – Prevention
Teammates are advised to:
- Assign a login and password for device login.
- Do NOT save any application login and password on the local drive, or in a cloud drive or cloud application whose login session does not expire periodically.
- Reset the obsolete device to factory defaults before it is sold. If the device is damaged to the point where a factory reset is impossible, raise it with the I.T. Manager for the buy-back program.
Practice – Remedy
- All teammates in DDM should report to their supervisor or contact point immediately after they realize their smart device has been stolen or lost.
- Once a lost or stolen device case is reported, DDM Group will execute the following to prevent loss:
  - Suggest the victim report to the police.
  - Provide an application checklist for the victim and suggest they use another device to log in to the applications one by one and terminate the login session from the stolen or lost device.
  - Provide an application checklist for the victim and suggest they change the passwords of these applications.
  - Reset the passwords of any applications that share the same login and password across the whole DDM Group.
  - Announce the lost or stolen device incident to other teammates, alerting them to any fraud in which someone impersonates the victim by sending emails or messages to other teammates in the DDM Group.
Connecting to Public WiFi
Vulnerabilities
- Man-in-the-Middle Attacks: Attackers can position themselves between the victim and the access point, intercepting and potentially altering the victim’s data.
- Malicious Hotspots: Hackers can set up fake Wi-Fi networks with names (e.g. Starbuck_Guest_5G) similar to legitimate ones (e.g. Starbuck_5G), tricking the victim into connecting and exposing their data.
- Malware Distribution: Public Wi-Fi can be a vector for malware, allowing attackers to exploit vulnerabilities in the victim’s device to install malicious software.
Practice – Prevention
Teammates are advised to:
- NEVER EVER use a public hotspot under any circumstances.
- Use the hotspot on their own mobile device to share WiFi.
- Set up a strong password for the hotspot on their mobile device.
- As a last resort, if a public WiFi must be used:
  - Install a WiFi security scanner and scan the WiFi before using it. For details please refer to the article Anti-Virus Software Installation.
  - Scan ALL similar WiFi names in the WiFi list (instead of picking the first name you guess is the real one) and explicitly ask the legitimate WiFi provider whether the WiFi name you picked is correct.
Connecting to Digital Assets via Public Devices
Vulnerabilities
- Session cookies are stored on the public device, so the next person who uses it may access the digital assets the teammate previously logged in to.
Practice – Prevention
- Do NOT use a public device to log in to any digital assets of DDM Group.
- As a last resort, use the browser’s incognito mode to log in to the digital assets of DDM Group.
Practice – Remedy
- Delete the browser history, session cookies and any passwords saved in the browser used to log in to the digital assets of DDM Group before leaving the public device.
Storing PII on a Local Device
Vulnerabilities
- PII leakage if device is stolen or lost.
Practice – Prevention
- If needed, save the PII in a cloud drive instead of on the local device.
- Zip the PII file with a password if saving it on a local device is unavoidable.
Malicious Software
Hackers prey on human greed and fear to entice individuals into their traps through the following methods:
- A fraudulent business email claiming that there is a lucrative business opportunity.
- Pretending to be a renowned and trustworthy brand and sending you an SMS message with a URL claiming there is a special, limited offer for you.
- After you visit a website, a modal pops up claiming that your computer is compromised and suggesting you download and install software to clean up the virus.
- Pretending to be one of your friends by compromising your friend’s WhatsApp account and using it to send you messages suggesting you follow his/her instructions.
Vulnerabilities
- Unauthorized and malicious software is secretly installed on the victim’s device and a phishing attack is triggered.
Practice – Prevention
- Keep anti-virus software enabled at all times.
- Do not be greedy or fearful (it’s very hard!).
- NEVER EVER click any URL in any SMS or WhatsApp message.
- NEVER EVER download an attachment from an email sent by someone you have not contacted before (even if the sender appears to be a big brand).
- Even if the email or message is sent by a known person, pay double attention when clicking a URL or opening a file, because even your friend may not be aware that his/her device has been compromised.
Practice – Remedy
- Format the device or reset it to factory defaults if the device is compromised.
- Announce to your clients and teammates that your device has been hacked.
Installing Malicious Application
Hackers prey on human greed and fear to entice individuals into their traps through the following methods:
- Embedding a malicious function in a mobile app or desktop software installer that claims the app or software can help you hack another device or network.
- The rule of thumb is that whenever you want to use an app or software to hack others or perform some dark magic, most likely that app or software is itself malicious and will hack your device.
Vulnerabilities
- Phishing attack
Practice – Prevention
- Format the device or reset it to factory defaults if the device is compromised.
- Do NOT fall into the trap of being greedy or fearful.
Practice – Remedy
- Run an antivirus program to scan the device periodically.
- Announce to your clients and teammates that your device has been hacked.
Weak Password
Vulnerabilities
- Brute-force login attempts
Practice – Prevention
Always comply with the following rules when choosing a password:
- Use a strong password combination, for example:
  - Alphanumeric, AND
  - Case sensitive (mixed upper and lower case), AND
  - Special characters
- Login and password should not be the same.
- Do NOT use one password for ALL of your applications. If you share your login and password with someone else to work on your behalf, or if one of your applications is compromised, the hacker or the person you shared the password with may use the same password to log in to your other applications. It is strongly recommended that you use a DIFFERENT password for EACH application.
- Use Zoho Vault to store the passwords of different applications (so that you do not fall back on one password for all applications simply because you are afraid of forgetting them).
- Do NOT use a password from the worst password list, or one built with the same logic as the passwords in that list.
- Always enable the 2FA (or MFA) function of an application (if there is one).
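As an added illustration of the rules above (example code written for this page, not DDM’s own tooling), the following Python check reports which of the listed rules a candidate password breaks. The "same logic as the worst password list" rule is approximated by stripping digits, symbols and common letter substitutions before comparing against a small constructed worst-password list; a real deployment would load a published list.

```python
import re
import string

# Constructed sample of a "worst password" list; load a published list in practice.
# The derived-word check below only uses the alphabetic entries (all 5+ letters here).
WORST_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Common symbol/digit-for-letter substitutions used to dress up a weak base word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to its letters so 'P@ssw0rd123!' still reveals 'password'."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_password(password: str, login: str) -> list[str]:
    """Return the policy rules the candidate violates (an empty list means compliant)."""
    problems = []
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must contain both letters and digits")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("must mix upper and lower case")
    if not any(c in string.punctuation for c in password):
        problems.append("must contain a special character")
    if password.lower() == login.lower():
        problems.append("must not equal the login name")
    # Flag exact worst-list entries and passwords built from one of its words.
    norm = normalize(password)
    derived = any(w in norm for w in WORST_PASSWORDS if w.isalpha())
    if password.lower() in WORST_PASSWORDS or derived:
        problems.append("is on (or derived from) the worst password list")
    return problems


if __name__ == "__main__":
    for candidate, user in [("P@ssw0rd123!", "alice"), ("alice", "alice"), ("Tq7!mXe9#vLp", "bob")]:
        print(candidate, "->", check_password(candidate, user) or "OK")
```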
Sharing a Password with a Teammate
It is common to want to share the password of an application with your teammates or clients for temporary use.
Vulnerabilities
- Phishing attack if the device of the teammate you shared the password with is already compromised.
- Password eavesdropping
Practice – Prevention
- Send the login name, login URL and password in 3 separate emails or messages when sharing them with your teammate.
- Always use the application’s own access-permission function, instead of sharing root access (i.e. login and password) with your teammate.
- Apply the principle of least privilege (PoLP) when sharing access permission with others.
- End the login session after finishing with the access permission.
- Change the password if the root password has previously been shared with others.