outlook-portal.ms (69.10.174.232)

URL: https://outlook-portal.ms/
Submission Tags: falconsandbox
Submission: On October 02 via api from US, scanned from US



WELCOME


YOU HAVE REACHED AN EDUCATIONAL WEBSITE, MAINTAINED UNDER THE STATE OF CA
INDEPENDENT SECURITY ASSESSMENT PROGRAM. THIS SITE IS INTENDED TO PROVIDE
EDUCATIONAL RESOURCES FOR PARTICIPANTS WHO HAVE CLICKED THIS LINK. THIS CONTENT
IS PROVIDED AS AN EDUCATIONAL RESOURCE FOR PARTICIPANTS UNDERGOING THE STATE OF
CA, INDEPENDENT SECURITY ASSESSMENT PROGRAM


IMAGERY MISMATCH:

Sometimes phishers will recreate a logo or emblem to include in a message if they
feel it will add legitimacy. Typically this only happens when they are unable to
make an existing logo work within their campaign, because doing so is
time-consuming.

Tip: If something seems wrong, a quick search of Google Images for the company's
logo should help.


LINKS:

Always compare the displayed link address to its actual destination: Whether in
an email or on a webpage, never assume that the URL displayed is where the link
will take you, or that it belongs to the appropriate organization.

Tip: Take your mouse and place it over this link: www.bankofamerica.com | Now
look in the footer of your browser window or the tool tip (depending on the
browser). Does it display bankofamerica.com or hackers.xyz? Does the URL belong
to the organization it represents? Attackers often register URLs that are
similar to real ones to trick you.

Tip: If you are not sure whether the link points to the intended organization,
put the domain name (e.g. acme.com | not www.acme.com) into the search box at:
https://www.internic.net/whois.html.


EMAIL CONTENT:

Offers too good to be true? Phishing emails often offer impossible-to-obtain
items, ridiculous discounts, or very short response intervals. This is designed
to pressure you into clicking before you think.

Tip: These are the same tactics used throughout time; "I have a bridge in New
York I'll get you a deal on." You are far more likely to not get what you
expect, to be scammed, or to be phished when these types of messages arrive. If
you can't resist the deal, at least use what you learned in the Links section to
try to validate the sender and site. Consider calling the real organization to
verify whether the deal is legitimate.


GRAMMAR AND SPELLING ERRORS:

We all make innocent spelling and grammar errors from time to time. While less
reliable than in the past, look for signs that the email may have been written
by someone who is unfamiliar with the language of the message.

Tip: The most common mistakes tend to manifest around gender usage, verb tense,
and regional spellings or word usage (e.g. analog vs. analogue; Interpol vs.
FBI; etc.).

Message requests personal or organizationally sensitive information: Email is
transmitted between mail servers across the internet unencrypted. This means it
can be intercepted using a technique called Man-in-the-Middle. Never send
sensitive information via email; never ask someone for sensitive information
over email!


GENERAL TIPS:

If someone requests sensitive personal information, use a known valid phone
number and call the individual or company.
Never, never, provide your user name to a technical support person over email!
If a technical support person asks for your password, document their name,
hang up immediately, and call your Information Security Officer!
Never use information in the email as a source to verify the company or the
email sender.


MONEY TRANSFER TIP:

If you receive an email from a senior executive directing you to immediately
transmit organization funds to an account: stop! This is a potential sign of
what the FBI terms Business Email Compromise. Always follow the organizational
written procedure for transmission of electronic funds. If the request is to an
unknown account or is otherwise unusual, do not be afraid to confirm the
requirement via telephone with the requestor. It's far better to do your due
diligence and validate than to explain why you transferred $50,000 to some
offshore bank in Bangkok.

Law Enforcement doesn't take gift cards, bill via email, or use Bitcoin: The FBI
doesn't take gift cards or other electronic media as a form of payment for some
misdeed you are being accused of!

Tip: If you receive an email or pop-up that appears to be from a Law Enforcement
agency and requests money, it's malware. Immediately initiate a malware scan,
both online and offline.

Free is free - scrutinize surcharges or fees: A service fee to process your
winnings from a contest you never entered should raise a red flag. The old
saying "We never get something for nothing" applies here.

Secrecy or urgency requirement: This category applies to two different social
engineering techniques. First is secrecy; we all want to feel special and
trusted. When an email requests that you not share something with others, always
ask: would it be typical for you to receive this information from the sender in
the course of your normal duties? Second, while short-suspense actions occur in
business far too often, they are typically known requirements (reports,
evaluations, etc.). Urgency is a typical tactic used to drive users to click
before they think.

Tip: If there is unusual secrecy, the content provided is outside your typical
scope of duties, or the sender is not someone you would typically deal with, you
should be suspicious. Contact your Information Security Officer and seek
assistance to validate the sender. If the matter is truly urgent, taking a
minute to validate the requirement using a trusted number in your organizational
directory won't matter one way or the other.

Email isn't from an organizational account: There are a couple of different ways
phishing campaigns can spoof emails. The easiest method is to get a free email
account that is similar to the legitimate one (e.g. bob.smith.acme@gmail.com vs.
bob.smith@acme.com). Another method is to set the information the email displays
to be different from the sender's actual address (e.g. from:
bob.smith@acme.com ( bob.smith.acme@gmail.com)).

Tip: If the email client you use doesn't show the sender's full email address,
hover over the sender and it should provide a tool tip that includes the full
email address.
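The two spoofing methods above, the free-mail lookalike and a display name that carries a different address than the real sender, can be checked mechanically from the raw From: header. The PowerShell below is an added example written for this page, not code from the CND Team site; the function name, the sample headers and the org domain acme.com are constructed for illustration.

```powershell
# Added example (not from the CND Team site): flag a From: header that uses
# either spoofing method described above. Sample values are constructed.
function Test-SpoofedFrom {
    param(
        [Parameter(Mandatory)][string]$FromHeader,  # raw From: header value
        [Parameter(Mandatory)][string]$OrgDomain    # your organization's real domain
    )
    # The actual sender is the address in angle brackets; otherwise the whole value
    if ($FromHeader -match '<(?<addr>[^>]+)>') {
        $actual  = $Matches['addr'].Trim()
        $display = ($FromHeader -replace '<[^>]+>', '').Trim().Trim('"')
    } else {
        $actual  = $FromHeader.Trim()
        $display = ''
    }
    $reasons = @()

    # Method 2: the display name carries an address that differs from the real sender
    if ($display -match '[\w.+-]+@[\w.-]+') {
        $shown = $Matches[0]
        if ($shown -ne $actual) {
            $reasons += "display name shows '$shown' but real sender is '$actual'"
        }
    }

    # Method 1: free-mail lookalike, e.g. bob.smith.acme@gmail.com for bob.smith@acme.com
    $actualDomain = ($actual -split '@')[-1].ToLower()
    $orgName      = ($OrgDomain -split '\.')[0].ToLower()
    if ($actualDomain -ne $OrgDomain.ToLower() -and $actual.ToLower().Contains($orgName)) {
        $reasons += "sender '$actual' is not on $OrgDomain but imitates it"
    }

    [PSCustomObject]@{
        Header     = $FromHeader
        Sender     = $actual
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample headers: one per spoofing method, plus a legitimate sender
@(
    'bob.smith.acme@gmail.com',
    '"bob.smith@acme.com" <bob.smith.acme@gmail.com>',
    'Bob Smith <bob.smith@acme.com>'
) | ForEach-Object { Test-SpoofedFrom -FromHeader $_ -OrgDomain 'acme.com' } |
    Format-Table -AutoSize
```

The first two sample headers are reported as suspicious with the reason given; the third is not.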


GENERAL RULES:

Executable file types: Typically an attacker needs to get a user to launch their
malware in order to take over a host; this is referred to as "getting code
execution". There are a number of file formats that can host the attacker's
malware. The most common formats include files with an extension that ends in:
.bat; .exe; .js; .cmd; .ps; .docm; .doc; .docx; .xlsm; .xls; .xlsx; .ppt; .pptm;
.pptx. Unfortunately, Office file formats are in this list. Always use caution
when receiving a file from an unverified source.

Tip: If you receive a file with one of these extensions and must open it, ensure
it came from a trusted source. Always perform an anti-virus scan of the file
before launching it. If it is flagged as a virus or as malicious, contact your
Information Security Officer immediately.

Pop-ups = caution: If you open a file and receive a pop-up message requesting
permission to launch something: stop, read, think! The operating system
manufacturers put this warning in place to alert you that an unexpected or
privileged access request is pending. Ask yourself, is this normal behavior for
this type of file? If you open a Word document and it asks you to launch
cmd.exe, freeze; it's likely malware trying to launch.

Tip: If you get a pop-up or unusual prompt from a file once launched, stop and
seek service desk assistance before proceeding.


ADVANCED TECHNIQUES (HUNTING):

Suspect processes: If you suspect that something odd is occurring on your
system, consider reviewing the running processes for unusual child processes.
This assumes you are familiar with what normally runs on your system. Malware
will often piggy-back on (hollow) a legitimate process and inject itself so that
it can spawn a child process to run. While it could take years of experience to
be good at this, try using Microsoft Sysinternals Process Explorer to identify
odd processes.

Tip: Open Process Explorer | Select Columns | Check Verified Signer; Image Path;
VirusTotal | Options | VirusTotal.com | Check VirusTotal.com | Wait for the
VirusTotal column to update. Any file whose VirusTotal result is greater than
0/X requires further review.
(e.g. time-sync-notifier c:\windows\tmp\tdm.exe 3/65)


SUSPECT CONNECTIONS:

Another method you can use is to observe the remote connections on your system
in an attempt to detect an executable or connection that appears suspect. Again,
this assumes you know what looks right on your host.
Get-foreign-connections.ps1.

Tip: This is a PowerShell script that requires an Admin PowerShell console to
run properly.
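The contents of the site's Get-foreign-connections.ps1 are not shown on the page. As an added example, not the site's script, the PowerShell below does what the passage describes: it lists established TCP connections to addresses outside loopback, private and link-local ranges, with the owning process, its image path and whether that image is signed, mirroring the Verified Signer check from the Process Explorer tip. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated console, as the tip says; the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not the site's Get-foreign-connections.ps1: list established TCP
# connections to addresses outside loopback/private/link-local ranges, with the
# owning process, its image path and whether that image is signed.

function Test-LocalAddress {
    param([string]$Address)
    # Loopback, RFC 1918, link-local, unspecified, and IPv6 loopback/ULA/link-local
    return $Address -match '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|0\.0\.0\.0$|::1$|::$|fe80:|f[cd][0-9a-f]{2}:)'
}

function Get-ForeignConnection {
    Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-LocalAddress $_.RemoteAddress) } |
        ForEach-Object {
            # Process lookup needs elevation to resolve paths of SYSTEM-owned processes
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $path = if ($proc) { $proc.Path } else { $null }
            # NotSigned, or an image under a temp/user-writable path, deserves a closer look
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
            [PSCustomObject]@{
                ProcessName   = if ($proc) { $proc.ProcessName } else { '<exited>' }
                PID           = $_.OwningProcess
                ImagePath     = $path
                Signature     = $sig
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                LocalPort     = $_.LocalPort
            }
        }
}

# Rows whose image is not validly signed sort first, so they are reviewed first
Get-ForeignConnection |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, RemoteAddress |
    Format-Table -AutoSize
```

Compare the output against a baseline taken when the host was known good; a signed browser talking to port 443 is expected, an unsigned image under a temp directory holding a connection is what the passage means by suspect.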


GENERAL RULES:

Generally speaking, people are social beings. We are naturally wired to help
each other and share information. This is great when the recipient is good
natured and terrible when they are collecting information for social engineering
attacks against the network. We can help inhibit social engineering while still
assisting our customers by following a few simple steps:

1. Never use your work email on a social media website unless you are directed
to by management. If you must provide an email address, ask your IT department
to create a distribution list that is generalized to its purpose (e.g. Customer
Assistance; Fraud Reporting; etc.).
2. Do not post your phone number on any publicly accessible site. Establish
general business unit phone numbers for public sites and provide those instead.
3. Never post your name and email address on any publicly accessible site; this
is how spammers and phishing campaigns target users. This includes government
sponsored directories and conference sites.
4. Never like or friend someone unless you verify that you know them or review
their profile to determine whether it's fake. The signs can include few known
friends, a short time since creation, or few posts over a long period of time.


SEPARATE PROFESSIONAL AND PRIVATE IDENTITIES:

1. Never link or otherwise cross-post between your professional persona and your
personal persona. This can lead to social targeting, including techniques called
doxing and swatting. These actions are undertaken by hacktivists and other
threat actors who may not agree with the position taken by the government, your
agency, or yourself. These actions can expose you and your family to both
professional and personal safety risks.

2. Never use the same password or recovery PIN on both professional and personal
sites. A compromise of one can lead to both!



INCIDENT REPORTING:

State policy requires agencies to follow a prescribed process when information
security incidents occur. Typically, it is each agency's Information Security
Officer's (ISO) responsibility to notify the proper authorities. However,
regardless of the reporting individual, ALL State of California Agencies,
Departments, Boards, Panels, and other entities are required to perform the
prescribed process, which includes the following steps:

1. All incidents will be reported within 60 minutes of detection via the:

Note: Using this system meets the requirements to report to both the California
Information Security Office (CISO) and the California Highway Patrol (CHP)
Computer Crimes Investigation Unit (CCIU). If you have a situation that is Law
Enforcement Sensitive or involves an ongoing criminal investigation, contact the
California Highway Patrol (CHP) Computer Crimes Investigation Unit (CCIU)
directly for guidance.


MANDATORY REPORTING CATEGORIES:

1. Loss or compromise of state data or processing resources (includes
electronic, paper, or any other medium).

2. Criminal activity - use of a state information asset in the commission of a
crime. This includes situations involving unauthorized access; attacks;
inappropriate use; outages or disruptions (> 2 hrs); theft or destruction of
government property; and any incident that violates the privacy or information
security policies of the agency.

3. Any cybersecurity-related event adversely impacting a state activity that
generates local, regional, or national media coverage.

ADDRESS

--------------------------------------------------------------------------------

Sacramento, CA

EMAIL

--------------------------------------------------------------------------------

Admin[at]saccounty.online

PHONE

--------------------------------------------------------------------------------

916-854-4623

LINKS

--------------------------------------------------------------------------------

CDT Information Security Site

ABOUT

--------------------------------------------------------------------------------

This site is maintained by the California Military Department Cyber Network
Defense Team as a resource for the Independent Security Assessment (ISA)
program. For more information about the Independent Security Assessment (ISA)
program, please visit our Quick Links section.
California Military Department Cyber Network Defense Team | All Rights Reserved