This post appeared first on Naked Security Blog by Sophos
Author: John E Dunn
attackers targeting legacy protocols with stolen credential dumps to increase the speed and efficiency of the brute force attacks. Based on Proofpoint study, IMAP is the most abused protocol, IMAP is the protocol that bypasses MFA and lock-out options for failed logins. These intelligent new brute force attacks bring a new approach to the traditional […]
The post Hackers Bypass Multi-factor Authentication to Hack Office 365 & G Suite Cloud Accounts Using IMAP Protocol appeared first on GBHackers On Security.
by Jindrich Karasek and Cedric Pernet (Threat Researchers)
Social media influencers build and expand their business or brand through credibility and authenticity to their audience. For hackers, however, they could be seen as trophies. That’s what happened to a photographer with more than 15,000 followers on Instagram, when she had her account stolen.
A closer look into the incident revealed that the hacker got into her account through phishing. While it seemed straightforward enough, we also found that targeting popular Instagram profiles has become a modus for a certain group of Turkish-speaking hackers. And by abusing Instagram’s account recovery process, they were able to keep the stolen account even if the victim squarely followed the process. We’ve seen cases where owners of Instagram profiles with followers between 15,000 and 70,000 were hacked and were never retrieved. The victims ranged from famous actors and singers to owners of startup businesses like photoshoot equipment rentals.
The group also engages in digital extortion. Once a victim tries to reach out to the hacker, they would be wringed to fork over a ransom or nude photos and videos to get the account back. Of course, the hackers never give it back. Indeed, this kind of attack — targeting high-profile accounts or social media influencers — highlights our predictions for this year’s threat landscape.
Figure 1: A visualization of how the hackers are stealing the Instagram profiles
Attack chain
Analysis of the phishing kit revealed that the hosting system blocks requests from wget. We managed to obtain the phishing kit by spoofing a user agent.
The compromise starts with a phishing email pretending to be from Instagram. The email prods the potential victim to verify the account to get the Verified badge for the user’s Instagram profile. Note that Instagram has specific requirements and the verification process happens only after a user requests for it. Instagram doesn’t ask for credentials either.
Figure 2: Screenshot of the phishing email asking the user to verify his Instagram account
Figure 3: The phishing page the user gets redirected to (left) and another that asks for the user’s email credentials (center); after credentials are keyed in and submitted, the user will be redirected to a page that notifies the profile has been verified (right)
Once the user clicks the “Verify Account” button, he will be redirected to a phishing page that asks for the user’s date of birth, email, and credentials. When we first saw these pages, they didn’t have any data validation on the input and returned the same screen even after submitting an empty form. However, they’ve since added basic data validation by not letting the user submit an empty form.
Once the attacker has access to both the victim’s Instagram profile and the email related to the account, the hacker can then modify the information needed to recover the stolen account. The victim will also be prompted to enter his email’s credentials. Once submitted, a badge notification appears, but for only four seconds. This is a trick to give users the impression that their profile has been verified.
After some time, the phishing page will be diverted to Instagram’s website. This is a common tactic in phishing. It’s likely that the victim would already be logged in with cookies, so the victim may just be diverted to his Instagram profile. Since we tested the phishing kit in a clean environment, we only got Instagram’s login page.
The hacker’s modus
We looked further into these cases to learn about the hackers’ motives and how they operate. In an Instagram profile they’ve hacked, they changed its username to “natron_raze”, probably to indicate it was hacked. The email associated with the profile was also immediately modified. After some time, the account’s email was changed again. The trick here is to flood the victim with Instagram’s security emails asking if the changes were legitimate. The hacker would also try to draw the user’s attention by defacing the profile.
Figure 4: A defaced Instagram profile aiming to get attention from its owner
After the profile was compromised, other accounts immediately followed it. Some were fake profiles, while the others were either previously stolen profiles or the hackers themselves. After some time, we saw the hacker removing the hacked accounts from his follower lists, although some returned. This could probably be because the hacker realized that his modus was being monitored.
In one instance, we saw the hacker threatening to delete the account or never return the stolen profile unless the victim pays a ransom or sends nude photos or videos. The hacker also let others know he stole another account, as shown in Figure 4.
Figure 5: Screenshots of the hacked and defaced Instagram profiles
Searching for more information on “Hesap Ebedi,”(Turkish words for “account” and “eternal”) we found a forum from a hacking group discussing how to manage stolen accounts so their owners cannot get it back, even with the help of Instagram’s account retrieval process.
Figure 6: Forum post on turkhackteam mentioning the attack dynamics of stealing Instagram accounts
We reached out and disclosed our findings to Facebook and Instagram but have yet to receive a response as of this writing.
Defending against phishing
The hackers in these instances lure victims into handing out personal information to get an incentive (such as a blue badge in their profile). Their mimicry of Instagram’s emails also made their malicious emails appear legitimate. Here are some of the red flags users and businesses can watch out for:
Trend Micro Smart Protection Suites and Worry-Free
Business Security protect users and businesses from these phishing attacks by detecting malicious files and spammed messages and blocking related malicious URLs.
Indicators of Compromise (IoCs):
IP address related to the phishing attack:
URLs related to the phishing attack:
The post How a Hacking Group is Stealing Popular Instagram Profiles appeared first on .
This post appeared first on Trend Macro Blog
Author: Trend Micro
The greatest threats to the enterprise are often those that use social engineering to extract information or data from employees. For threat actors, this tactic rarely requires any technical know-how, so the barrier to entry is low.
To make matters worse, the rapid rise in social media use lowers this barrier even further. Regardless of whether your enterprise has rules in place to limit social media use, you can’t stop employees from using social media 24/7. As threat actors continue to leverage social media attacks as a launchpad to infiltrate enterprise networks, what are some defensive tactics organizations should be aware of?
Before we get into specifics, it’s critical for the enterprise to recognize that as social media use increases, the threat of attacks carried out via social media escalates as well.
The first thing organizations should be concerned about is the ease with which a bad actor can target employees through social media.
“It’s not that difficult with a little bit of information going in,” said Paul Bischoff, privacy advocate at Comparitech.com. According to Bischoff, a threat actor only needs to know the name of one person who lists a target employer in his or her profile.
If it’s a big company, the attacker may not even need to know a specific person’s name — they can simply take a guess at common names. Now that the threat actor has their target, they have several options. One is to try hacking the account, possibly by using passwords leaked in data breaches at other companies. Or, they can attempt to establish contact with the target and use a phishing attack to get the information they need, such as getting access to a business email account. They could even try to add the mark as a friend or hack an existing friend’s account to impersonate them and communicate with the original target.
Using social media can help threat actors evaluate their targets both inside and outside of the workplace. People share a lot of personal information on social media, which often includes valuable nuggets of data about their work life. While the ubiquity of social media is relatively new on the technology timeline, social engineering is a scheme as old as time.
In our hypothetical hacking situation, if access to the employee’s accounts is compromised, the next step for the attacker can be to infiltrate the target’s corporate network. Depending on the network, the starting point is often getting access to business email, according to Bischoff.
“If a hacker manages to break into someone’s email, they can wreak havoc,” Bischoff added. “Not only are they privy to existing emails, but they can write new ones. Furthermore, an email account is often where two-factor authentication PINs, password reset links and other sensitive account information is sent for all sorts of online accounts.”
Once the threat actor logs in to a victim’s email account, they can buy themselves time by taking steps to lock the target out by changing the password and/or recovery email address. Because these problems can take a while to resolve, attackers typically have some leeway to work their way up the food chain, impersonating victims and sending convincing phishing emails to others in the company.
One prolific method that threat actors use as a stepping stone to access sensitive corporate data is profile cloning, in which fake Facebook (or Instagram or another social network) profiles are created by using duplicate photos and relevant data stolen from a targeted user’s real social media profile.
“Facebook cloning can be used to establish contact with the target by impersonating an acquaintance,” said Bischoff. “The hacker might even clone an existing friend’s profile — would you notice if someone who didn’t post much on Facebook added you as a friend a second time? Facebook mitigates this by showing how many mutual friends you have with anyone who sends you a friend request, but not everyone pays attention or cares.”
To thwart these types of attacks, Bischoff advised employees to not post an employer on their social media profiles. If they must, instead of selecting from the drop-down list of existing employers that appears when you start typing, they can “create” a new employer. This prevents the employee from showing up on the threat actor’s list when they target that specific company.
Additionally, as security experts have mentioned repeatedly, it’s critical to educate employees on common phishing tactics and even consider testing this in real-time with practice phishing emails. With 27 percent of users failing a phishing test, according to a 2018 study, we must continue educating and testing teams across the organization and providing role-based education and awareness sessions. Finally, Bischoff suggested establishing rules that require a second form of identity verification to share certain information.
“For example, if someone requests a password to use the office VPN, that person should also verify the request in person or by phone, and be sure not to use a phone number listed in the email,” Bischoff said.
I’m not suggesting that you dictate how and when your employees use social media — a fool’s errand if there ever was one. Especially in this bring-your-own-device (BYOD) era, social media use, even at work, is only going to keep rising. I distinctly recall the arduous task of trying to monitor social media use in the early days of Facebook, and can’t imagine how difficult it would be for IT decision-makers today.
The lure of social media is too much to fight against. Instead of pushing back, we need to work with what we’ve got and do our best to educate employees about potential social media attacks. Make employees part of the process instead of restricting their online behaviors, and arm them with knowledge that can help them become a layer in the organization’s security shield.
“A chain is only as strong as its weakest link,” said Bischoff. It’s all about strengthening the links.
The post When Combating Emerging Social Media Attacks, Don’t Try to Swim Against the Current appeared first on Security Intelligence.
This post appeared first on Security Intelligence
Author: Mark Stone
Even though they’ve been around for quite some time, phishing attacks continue to climb. According to Proofpoint’s 2019 “State of the Phish Report,” 83 percent of businesses experienced a phishing attack and 64 percent of security professionals encountered spear phishing threats in 2018. New vectors are also emerging: As noted by Forbes, software-as-a-service (SaaS) credential theft, messaging app attacks and malicious link embedding within shared files are all on the horizon for 2019.
The data begs the question: What’s wrong with email security? For years, thought leadership articles and information security experts alike have been recommending commonsense best practices that should curtail email attack efforts. Don’t click on unknown links. Don’t open unsolicited attachments. Use automated detection tools. And yet phishers are hauling in bigger catches than ever before, expanding their operations to include new threats and grab more data.
I believe the problem is tied to phishing’s fundamental premise: Social barriers are far easier to break than their technological counterparts. By exploiting critical social flaws — specifically, workplace expectations and personal exceptions — attackers can gain the upper hand.
Despite recent challenges from up-and-comers such as social messaging apps and unified collaboration tools, email still reigns supreme in the workplace. As noted by CMS Wire, “There appears to be a general consensus that while social networks are useful to achieve work-related goals, email remains the undisputed communications tool in the enterprise.”
Email is timely and transparent — users can quickly send and receive information while creating a digital paper trail. Unlike some messaging apps, users can include attachments and draft longer responses and, since email exists outside of most collaboration continuums, employees can temporarily take a break from their inbox.
But that’s not the whole story. For better or worse, corporate email itself is a kind of social network. As Nathan Schneider, a professor of media studies at the University of Colorado, told The New York Times, “Email is the most resilient social network on the internet.” While it lacks the bells and whistles of social media platforms and the intimacy of face-to-face communication, email has evolved its own set of social rules around usage, etiquette and response times. For example, users are expected to create clear subject lines, reply to all emails (even if received in error), limit the amount of humor and restrict the use of punctuation such as exclamation marks, as noted by Inc.
The rise of interactive business email compromise (BEC) attacks also speaks to the social nature of email. New BECs don’t start with malicious payloads, but instead leverage short social messages to compel employee replies and create a compelling, albeit fake, interactive dialogue before dropping infected documents.
Simply put, email is the biggest, most used social network in the enterprise — and that’s not changing anytime soon.
The fundamentally social nature of email leads us to our first security issue: expectations.
Consider common phishing security advice that warns against emails marked “urgent” or “DO NOW.” Why the focus? Because humans are naturally conditioned to meet social norms and feel substantial pressure to conform. According to the Havard Business Review, “Throughout our careers, we are taught to conform — to the status quo, to the opinions and behaviors of others, and to information that supports our views.” What’s more, as noted by Psychology Today, this conformity is accelerated in a small group setting — such as a corporate team or enterprise department — and further enhanced, according to Psych Central, by neurotransmitters such as dopamine that are produced when humans are part of a social group.
As a result, when it comes to well-written phishing emails that are purportedly coming from CEOs or HR mangers, staff are preconditioned to reply ASAP with requested information — even if they’ve had previous security training. Social pressure almost invariably trumps learned email security.
While socially driven email networks increase the likelihood of faux-insider messages getting through the security chain, what about outside attacks? Much time and attention has been devoted to educating employees about the telltale signs of external phishing attempts, such as emails purportedly from financial institutions, government agencies or new business contacts.
Here, another facet of human social interaction is at work: Our natural disposition to believe we’re better than everyone else. It’s called the superiority illusion and, as noted by Scientific American, causes most people to think they’re better than average at most things, such as the ability to spot and prevent phishing attacks.
Since it’s impossible for the majority of people to be above average, the result is that advanced spam and phishing campaigns that make it past initial defenses may get overlooked by overconfident employees who assume they would recognize any sign of these attacks. It’s the old “it won’t happen to me” argument: Users presume they’ve got all the knowledge they need to spot attacks and if they’re victimized, there’s no way anyone could have seen it coming.
What does this mean for companies looking to prevent phishing attacks?
First, there’s no need to ditch current security training. But, as CSO Online pointed out, it’s also a good idea to educate users on how not to craft an email. Don’t be your own worst enemy by sending unexpected, hastily typed emails with “URGENT” in the subject line.
Fundamental shifts in email security, however, require a rethinking of current best practices. To handle social expectation issues, companies must adopt top-down cultural change that prioritizes safety over speed. This is easier said than done when CEOs need hard data for stakeholders or chief financial officers (CFOs) are handling financial fluctuations in real-time, but giving staff time to double-check message origins and intentions before replying goes a long way toward reducing the number of reeled-in employees.
For security professionals, this means developing the ability to present potential phishing losses as line-of-business issues. In practice, this requires leading with context: How are current security issues impacting strategic objectives such as cost savings, customer confidence and regional performance? This can help shore up the notion that time lost to double-checking email requests via phone calls, face-to-face meetings or other methods is preferable to the monetary loss associated with successful attack campaigns.
Dealing with exceptional behavior, meanwhile, starts with a layered email security approach that eliminates obvious phishing attempts before they hit inboxes. Another key component of this defensive strategy is artificial intelligence (AI). AI-based tools capable of analyzing enterprise communication patterns and spotting inconsistencies already exist. Making them applicable to “above-average” phishing finders means leveraging a kind of low-key notification process, in turn aligning with user beliefs about their own ability to recognize phishing attempts.
Email remains the top enterprise communication method and the obvious choice for attackers looking to compromise business networks. While current email security solutions can help mitigate phishing impacts, companies must recognize the role of corporate email as a social network to address the critical human components of this risk: social expectation and the superiority exception.
The post Workplace Expectations and Personal Exceptions: The Social Flaws of Email Security appeared first on Security Intelligence.
This post appeared first on Security Intelligence
Author: Douglas Bonderud
This post appeared first on Naked Security Blog by Sophos
Author: Danny Bradbury
This post appeared first on Naked Security Blog by Sophos
Author: Lisa Vaas
This post appeared first on Naked Security Blog by Sophos
Author: Danny Bradbury
The security industry is fast-paced, no doubt about it. Those who are called to the profession must be quick-witted, focused, ready to change at any moment and maybe even a little bit fearless. They must also be able to forge strong, trust-filled relationships quickly. Teams who have mastered these skills are on the front lines of cybersecurity threat prevention, defending us from those who want to take everything from us.
Security teams can quickly become like families — thick as thieves and ready for action. And Danna Pelleg, fraud specialist and security operations team lead at IBM Trusteer, wants to make sure her team and those who help support them get all the recognition they deserve.
“We’re all in this together,” she said from her office in Tel Aviv, Israel. “You spend each day, all day with these guys, and it’s important that you have a really good relationship with them. I’m lucky — I really like what I do, all the opportunities I get here, and I also really like the people I work with.”
It’s an environment Danna, her managers and her fellow team leaders have carefully cultivated. Each interviewee for a new role is scrutinized for team fit and skills. These folks are so tight that they hang out after hours and go to each others’ weddings. But that’s the type of relationship you develop when you’re in the trenches together.
“Everything changes so fast in this industry that we need to change what we work on or create something completely new very quickly,” Danna explained. “Our team members must always be open to the option that things are about to change.
“We always want to maintain a high level of service, so we keep developing new solutions and bringing up new ideas and strategies on how to combat fraud while keeping our operations working flawlessly. We’re all very passionate about what we do, otherwise we couldn’t hang on.”
Danna’s passions converge where technology meets psychology — and cybersecurity sits at that crossroads. What makes someone fall for social engineering tricks and become a victim of fraud? And what makes someone else become a fraud actor? Working in cybersecurity allows Danna to explore these issues, and her knack for psychology is oftly handy when it comes to leading her team.
Danna grew up around technology and a family that supported her curiosity. It was a time when not all schools had access to computers, so she felt privileged to play with tech from a young age thanks to her father’s work in the industry.
That curiosity manifested in an early role as a fraud analyst, working with a company that executed takedowns of fraudster sites. When she interviewed for that position — before she was a student, despite it being a student role — the hiring managers asked her why she wanted to work there. Danna’s reply? “I want to fight the bad guys.”
“It really felt like that,” she laughed. “It really felt like you were doing things and defeating bad guys trying to steal money from innocent people. And you could see the significant impact you had: something you handled is now offline.”
Danna continued working once she started her studies in social sciences and psychology — her other passion after technology. She feels blessed to be able to merge her two passions now as the leader of a team that tracks and analyzes fraud activity.
Danna was still a Bachelor of Arts student when she decided to change companies and ended up in the support department at Trusteer, where she stayed after she was promoted to Tier 2 support. At Trusteer Danna learned the art of effective communication, how to guide customers through challenges and how to ask questions to get to the bottom of an issue. She made a name as a phishing prevention expert, so when a major client had a phishing crisis, Danna interviewed for a new role. She was ultimately hired to build a team specifically to sort out the problem.
This particular client was one Trusteer couldn’t afford to lose, and Danna’s team was tasked with creating something completely new and tailored to the issue at hand. The team supported Trusteer’s artificial intelligence (AI) phishing solution to help enhance its efficacy and support daily operations. Ultimately, this led to the formation of her current cybersecurity operations team, which does the work Danna said she is most proud of in her career to date.
“We provide the first line of defense for all types of fraudulent activity,” she said. “The team analyzes potential phishing, they analyze fraud cases and try to reach any conclusions. The best scenario will be to understand what can we do to protect the client — or, if we missed protecting them, how we can catch things next time.”
Danna’s team works across products and departments to analyze fraud activity such as phishing, malware and social engineering. The threat intelligence and research group then delivers customer-oriented information to improve cyber awareness and offer insights about new trends in the cybersecurity industry. Sometimes these reports are incredibly detailed, and sometimes they need to be translated into business terms for stakeholders who won’t understand the nitty-gritty.
The vast troves of threat intelligence at Trusteer’s disposal help customers enhance their security. Understandably, customers want to know more, and Danna is determined to deliver them the richest, most up-to-date information available.
“It’s not just about how to protect them using our products; it’s also enriching their intelligence and providing them with the most accurate and up-to-date information” she explained. “We are constantly trying to improve our products and security content so we can stay one step ahead of the bad guys.”
Danna is also determined to continue to cultivate that trusting, helpful, friendly environment they hold so dear in security operations. As she grows to take on more responsibilities, her team’s remit grows, too. Her studies in psychology, her time in support and the example set by her managers all guide Danna’s professional, supportive managerial style.
Danna’s longtime interest in phishing prevention and attack analysis still drives her day to day — after all, this attack method is still incredibly prevalent, and it won’t be vanishing any time soon. On the contrary, phishers are getting more and more sophisticated in their attempts. They’re even mimicking the antiphishing warning messages banks have been adding to customer communications.
“We share so much information online today, it’s crazy,” Danna said. “If you are really into making money from fraud, you can connect the dots in all different ways and get the info you need to steal an identity and money. Sharing your phone number and email on your Facebook account might seem harmless, but getting that information is the first step in a social engineering attack — and we publish that information willingly to the public domain.”
The complexity of such social engineering schemes has made Danna and her team “extra suspicious about everything.” Anytime her bank calls her with a new offer, Danna tells them she’ll call them back — just in case.
And when the tough days and cases pull her down, Danna rests easy knowing there’s a dog-friendly policy in her office.
“It’s really calming,” she laughed. “They really help us to be more calm and positive. Although the work is very interesting, sometimes you just need to pet a dog.”
Meet Security Operations ‘Goddess’ Limor Golan
The post How Fraud Specialist Danna Pelleg Fights Bad Guys With the Best Team in the Business appeared first on Security Intelligence.
This post appeared first on Security Intelligence
Author: Security Intelligence Staff
It was one of the highest phishing rates I had ever seen: Almost 60 percent of employees clicked the malicious link. Yet the client, a chief information security officer (CISO) of a Fortune 100 company, asked a question that caught me completely off-guard.
“So what?” he said, clearly unimpressed.
As a “people hacker” for X-Force Red, IBM Security’s team of veteran hackers, I’ve performed social engineering exercises for companies around the world. There seem to be a lot of misconceptions about my job and the usefulness of social engineering assessments in security audits.
Confronted with that CISO’s indifference, I tried to explain exactly how serious our findings were and what the consequences might mean for the business.
During this assessment, my team started off by getting several payloads through the company’s email filters undetected. We identified that only two of the 300 employees reported the phishing email. The incident response (IR) team didn’t start its investigation until two days later; during those two days, we managed to infiltrate some of the legal team’s email accounts, where we discovered that the company was the target of a lawsuit that wasn’t yet public. If that lawsuit were to leak, it could significantly hurt the company’s reputation.
Additionally, by reusing some of the passwords we had compromised, we were able to log in to multiple employee payroll accounts, where we had access to direct deposit information — again, undetected. A criminal attacker could have changed direct deposit account numbers to siphon funds from employee paychecks.
My answer seemed to surprise the CISO and his team. In the end, they acknowledged that I provided a lot more information about their security posture than they expected to receive from the assessment.
Learn more at the Jan. 29 webinar
If you ask someone to define a social engineering assessment, they would most likely say it tests the human aspect of security. However, if done correctly, it evaluates much more than that. Yes, assessments track how many times employees click a link, open an attachment or divulge sensitive information to a suspicious recipient on the phone. However, they can also assess if and how employees are reporting suspicious activity, and the effectiveness of IR and security awareness training programs.
With a well-designed assessment, the client should have a better understanding of how their IR team handles social engineering attacks. Many components of IR programs can be analyzed by answering questions such as:
In this type of engagement we test more than just people and processes; we can assess the effectiveness of security technologies too. Many of the actions performed — such as emailing a malicious payload, having an employee open a malicious USB device on their workstation, etc. — attempt to bypass different types of technologies in places such as email filters, intrusion detection systems (IDSs), antivirus software and more. Social engineering attack vectors test deployed technology to determine whether the social engineer can bypass them.
Some critics have argued that social engineering assessments are pointless, as they know employees will always fail against such an attack. But these assessments provide valuable metrics, which are important to track over time to identify how employees are performing and identify any major deviations. Often, individual employees fall victim repeatedly. It’s important to identify these users so they can receive additional training, and the company should ensure those accounts have limited access.
Others have pointed to social engineering tests that went too far, such as targeting employees’ personal accounts. Each social engineering consultancy tests differently. That’s why it’s important for security leaders to define what’s acceptable for the company, so that testers don’t cross any ethical lines. This conversation between security leaders and testers typically happens during the scoping process.
Here’s another common refrain: “We already have a security awareness training program in place, and it covers social engineering.” But how do you know the program is effective? Without properly testing it, there is no way to determine whether it could efficiently and successfully contain an attack. Plus, employees should have continuous opportunities to identify social engineering activities. It is not a one-and-done exercise. Social engineering exercises are the most realistic training employees can get outside of an actual attack.
Some of the social engineering assessments performed by X-Force Red include physical tests, such as walking into a building carrying a box of doughnuts to get past security, and remote tests, such as impersonating an auditor to trick employees into divulging sensitive corporate data over the phone. For each test, only a limited amount of company insiders know we are coming, and we scope the project ahead of time to ensure it is effective and ethical.
I can’t give away all our tricks of the trade, but you’ll have an opportunity to hear from five X-Force Red hackers, including me, when we share our greatest hits and best practices during a one-hour webinar on Jan. 29 at 11:00 a.m. EST. You may be surprised by some of the many ruses that get us through the door.
Register for the Jan. 29 webinar
The post Social Engineering Training: Why Getting Hacked Is a Security Advantage appeared first on Security Intelligence.
This post appeared first on Security Intelligence
Author: Stephanie Carruthers