Did you know that thing you ordered isn't going to get here on time? At least that's what the email said. Recently, Railinc employees, contractors and consultants got a strange looking email with the subject line "Your package shipping has been delayed." They were right to be suspicious.
Cybersecurity threats exist in many forms today - from the lone hacker looking to wreak havoc, to hacker groups looking to avenge social or political grudges, to nation states looking for new avenues of warfare. Organizations like Railinc are adapting to this changing landscape with more advanced security tools, practices, and policies. Railinc is focused on protecting employees, customer data and IT infrastructure.
The email described above was part of a phishing exercise Railinc conducted as part of its ongoing cybersecurity program. Railinc takes security seriously and works hard to protect its data and systems by implementing the most up-to-date security controls, constantly monitoring and testing company systems, and mandating regular training for its workforce.
Simple emails like the one Railinc employees received might seem like they're not a big deal, but they can expose a company to cyberattacks that can compromise data or cripple technology infrastructure. This social engineering tactic is used to trick people into divulging information or taking an action, like clicking on a malicious link or opening an infected attachment.
No anti-malware or anti-virus product is 100 percent effective. Exercising good judgment and acting as a "human firewall" is the best way to ward off social engineering attacks. Employees also help Railinc stay on top of these attacks by reporting them to the company's security team.
"It's important for us to know when phishing attacks target our employees," said Tom Morris, Railinc's senior security analyst. "Knowing how we're being targeted and what we're being targeted with helps us understand what we need to do to continue to keep our data, hardware and systems secure."
Railinc Continues to Strengthen Security Program
In the last year, Railinc has beefed up its security program to guard against the increasing number, broadening scope and technical sophistication of attacks on its systems. From hardware encryption to employee education, these projects have focused on enhancing the company's security controls. Fortunately, Railinc experienced no security incidents in 2015 that affected service-level agreements or the integrity of customer data.
"Strong security controls are essential to Railinc's operations and are always at the front of mind for the company," said Jerry Traynham, Railinc's chief information officer. "Railinc's security team is constantly exploring systems, looking for threats to the company's infrastructure, applications and data."
Railinc tracked network vulnerabilities in 2015 such as Poodle, WinShock, GHOST and BASH that could have presented a threat to customer and corporate data. The security team regularly examined potentially vulnerable infrastructure and implemented the appropriate testing and fixes. Railinc also continued its intensive measurement program based on Center for Internet Security standards, tracking everything from system vulnerabilities to malware and suspicious email blocked. There were two minor security incidents in the first quarter of 2015—an email virus and an incident that was flagged as a potential denial-of-service attack. Railinc resolved both quickly.
The company's 2015 security program included the following activities:
Penetration testing to assess Railinc's risks and vulnerabilities, as well as security policies and practices.
Encryption initiatives to protect data, hardware and mobile devices.
Application security efforts that included analysis and upgrade of security around a number of critical products and systems.
Railinc's workforce has embraced the culture of security. Last year, 100 percent of employees, contractors and consultants completed four rounds of online security awareness training. This training helped them recognize and report several potential security threats and vulnerabilities during the year, enabling Railinc's IT personnel to take immediate action. In a notable case, a Railinc team member identified and reported spoofed messages that targeted wire fraud, which the company reported to the FBI.
"Railinc will continue to educate employees on the latest security challenges and implement additional security framework components and processes to make sure applications, systems, network and data are secure," Traynham said. "These security measures are only as strong as the people who work behind them."
7 Signs of a Phishing Email
Be skeptical of any unexpected email messages you receive. While there is no single marker of a phishing attack, typical characteristics of phishing emails include:
1 - An unusual email address: Does the email come from a free service, like Yahoo or Hotmail? Is the user name a jumble of random letters? Are the "from" and "reply-to" addresses different? Is there a mismatch between the address and the signature in the email? If so, the message might be an attack.
2 - A generic greeting: Is the message addressed to you or does it have a generic salutation? Phishing emails usually do not have personalized greetings.
3 - A sense of urgency: Phishing emails often implore you to act immediately or risk missing out on the opportunity.
4 - Mistake-filled messages: Phishing emails often contain significant spelling and grammar errors and/or formatting problems.
5 - Suspicious links: Hover your cursor over a link to display its destination. If a link and the destination are different, don't click the link. Only click on links you are expecting.
6 - Unexpected attachments: Were you expecting an attachment? If not, don't open it. And if you do open an attachment, and it says you must "enable macros," don't.
7 - An offer that's too good to be true: You didn't win the lottery and you aren't going to get an iPad for $20. Delete the email.
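Several of the signs above (a free-mail sender, a "reply-to" that differs from "from", a generic greeting, urgency wording, a link whose visible text points somewhere other than its real destination, and a macro-enabled attachment) can be checked mechanically. The following is an added example written for this page, not Railinc's own tooling: it parses a raw email with Python's standard library and reports which of those indicators are present. The sample message, its addresses (on the reserved `.test` domain), the free-mail domain list, and the keyword lists are all constructed for illustration; a real mail filter would use far larger lists and weight the findings rather than treat each one as equal.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumptions: small illustrative lists; a production filter would maintain far larger ones.
FREE_MAIL_DOMAINS = {"yahoo.com", "hotmail.com", "gmail.com", "outlook.com"}
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "act now", "suspended")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued")
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")  # macro-enabled Office formats


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value):
    """Domain part of the address in a From/Reply-To header ('' if none)."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def _host(url):
    """Hostname of an http(s) URL, or '' if the string is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def phishing_indicators(raw_message):
    """Return a sorted list of indicator names found in the raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = set()

    from_domain = _domain(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if from_domain in FREE_MAIL_DOMAINS:
        findings.add("from_free_mail")
    if reply_to and _domain(reply_to) != from_domain:
        findings.add("reply_to_mismatch")

    bodies = []
    for part in msg.walk():
        ctype = part.get_content_type()
        filename = part.get_filename()
        if filename and filename.lower().endswith(MACRO_EXTENSIONS):
            findings.add("macro_attachment")
        if ctype in ("text/plain", "text/html"):
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            bodies.append(body)
            if ctype == "text/html":
                collector = _LinkCollector()
                collector.feed(body)
                for href, text in collector.links:
                    # Visible text looks like a URL but its host differs from the real target.
                    if _host(text) and _host(text) != _host(href):
                        findings.add("link_mismatch")

    text = " ".join(bodies).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.add("urgency")
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        findings.add("generic_greeting")
    return sorted(findings)


# Constructed sample resembling the exercise email described in the article.
SAMPLE_EMAIL = """\
From: "Parcel Delivery Service" <delivery-notice@hotmail.com>
Reply-To: tracking@example-badactor.test
To: employee@example.test
Subject: Your package shipping has been delayed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your package is on hold. Confirm your address immediately at
<a href="http://login.example-badactor.test/confirm">http://tracking.example-carrier.test/confirm</a>.</p>
</body></html>
--BOUND
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="Invoice.docm"
Content-Disposition: attachment; filename="Invoice.docm"
Content-Transfer-Encoding: base64

UEsDBAo=
--BOUND--
"""

# Constructed benign internal message for comparison.
CLEAN_EMAIL = """\
From: it-helpdesk@example.test
To: employee@example.test
Subject: Meeting moved
Content-Type: text/plain; charset="utf-8"

Hi Tom, the 2pm security review moved to 3pm in the same room.
"""

if __name__ == "__main__":
    print("sample:", phishing_indicators(SAMPLE_EMAIL))
    print("clean:", phishing_indicators(CLEAN_EMAIL))
```

Run as a script, it lists six indicators for the sample message and none for the benign one. The sender check and the link check are the ones most worth keeping in an automated pipeline: the others are easy for an attacker to avoid, which is why the article's advice to treat any unexpected message with suspicion still applies even when a checker reports nothing.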
—Railinc Corporate Communications