<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[INFIMA Security]]></title><description><![CDATA[Empowering your security conversations]]></description><link>https://infimasec.com/blog/</link><image><url>https://infimasec.com/blog/favicon.png</url><title>INFIMA Security</title><link>https://infimasec.com/blog/</link></image><generator>Ghost 3.0</generator><lastBuildDate>Thu, 16 Jul 2026 20:58:10 GMT</lastBuildDate><atom:link href="https://infimasec.com/blog/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[Product Update: Simulated Phishing URLs]]></title><description><![CDATA[New simulated phish URLs are live!]]></description><link>https://infimasec.com/blog/update-phish-urls/</link><guid isPermaLink="false">657b220c9a5e434f8a91ebe0</guid><category><![CDATA[Company]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Thu, 14 Dec 2023 15:43:16 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2023/12/3clix-gif-1.gif" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2023/12/3clix-gif-1.gif" alt="Product Update: Simulated Phishing URLs"><p>As part of our ongoing effort to provide the <strong>best possible experience to our Partners</strong> and their clients, we have <strong>expanded the landing page URLs</strong> in our simulated phishing emails.</p><p>This means that your end users will experience <strong>new variation in the links</strong> in their phishing attack simulations.</p><h3 id="from-the-engineering-team-">From the Engineering team 🤓:</h3><p><strong>Issues:</strong></p><ul><li>Landing pages hosted at infimasec.com was confusing for users who were told to trust the infimasec.com domain as part of their training</li><li>Lack of URL variety made simulated phishing emails obvious to users</li></ul><p><strong>Previous</strong> <strong>State</strong></p><ul><li>All landing pages were hosted behind https://content.infimasec.com</li></ul><p><strong>Now</strong></p><ul><li>Simulated phishing URLs vary and will change in time</li><li>Multiple phish landing pages with randomized subdomains</li></ul><p><strong>Recommendations</strong><br>Ensure your end clients are using our <a href="https://kb.infimasec.com/docs/report-phishing">Report Phishing Button</a>. This <strong>automatically filters</strong> <strong>between actual and simulated phishing emails</strong>, reducing the strain on your support team.</p><p>Have concerns or feedback?</p><p>Please do not hesitate to reach out to your INFIMA point of contact! We value your input every step of the way <em>(you know... like those 3 Clicks kicks steppin' up top!)</em>.</p>]]></content:encoded></item><item><title><![CDATA[Announcing SOC 2 Accreditation]]></title><description><![CDATA[What this security certification milestone means for INFIMA and our Partners.]]></description><link>https://infimasec.com/blog/announcing-soc-2/</link><guid isPermaLink="false">654913bf9a5e434f8a91eaf1</guid><category><![CDATA[Sales]]></category><category><![CDATA[Security]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Mon, 06 Nov 2023 16:54:06 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2023/11/SOC-2-2.png" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2023/11/SOC-2-2.png" alt="Announcing SOC 2 Accreditation"><p>In our commitment to the security of our customers and their data, INFIMA has actively<strong> pursued and achieved the esteemed SOC 2 accreditation</strong>. This reflects our <strong>pledge to protect our Partners' data and the trust you have in us</strong>. Our recent audit secured our SOC 2 certification covering the critical <strong>Security, Availability, and Confidentiality</strong> principles.</p><p>This achievement demonstrates our <strong>alignment with the SOC 2 standard </strong>established by the American Institute of Certified Public Accountants ("AICPA"). It serves as a testament to our <strong>commitment to the security of our Partners and their end clients</strong>, ensuring that your <strong>data is managed within a controlled and rigorously audited environment</strong>.</p><p>Our SOC 2 examination was conducted by an independent, third-party accounting and auditing firm. Their assessment <strong>comprehensively evaluated INFIMA's security practices, procedures, and controls</strong> pertaining to our Security Awareness Training platform.</p><p>This isn't the culmination of our SOC 2 journey at INFIMA! We remain resolute in our <strong>commitment to undergo continuous SOC 2 Type 2 audits</strong>. This dedication ensures that we <strong>uphold and continuously improve the high standards we've established</strong> to cater to our customers' needs.</p>]]></content:encoded></item><item><title><![CDATA[The Art of Deception and Phishing Psychology]]></title><description><![CDATA[In the vast world of cybersecurity, few tactics are as insidious and cunning as phishing attacks. ]]></description><link>https://infimasec.com/blog/art-of-deception/</link><guid isPermaLink="false">64de48ee9a5e434f8a91ea95</guid><category><![CDATA[Sales]]></category><category><![CDATA[Security]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Thu, 17 Aug 2023 17:57:14 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2023/08/sleight-of-hand.png" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2023/08/sleight-of-hand.png" alt="The Art of Deception and Phishing Psychology"><p>Just as a master illusionist dazzles their audience with sleight of hand and misdirection, cybercriminals <strong>employ <a href="https://infimasec.com/blog/weapons-of-influence-social-eng/">psychological tricks</a></strong> to manipulate their targets. Let's jump into the psychology behind phishing attempts, shedding light on how<strong> hackers exploit human behavior</strong>, and why simulated <strong>phishing attacks play a pivotal role</strong> in strengthening an organization's defense.</p><h3 id="the-psychology-of-phishing-exploiting-human-vulnerabilities">The Psychology of Phishing: Exploiting Human Vulnerabilities</h3><p>Phishing attacks are a testament to the age-old adage: knowledge is power. Hackers carefully study human behavior to <strong>exploit vulnerabilities and engineer convincing traps</strong>. They understand that people are naturally <strong>inclined to trust</strong>, particularly when communications appear legitimate. Phishing emails often leverage <strong>urgency, authority, and emotional triggers</strong> to prompt swift actions. These tactics elicit responses <strong>before recipients have time to <a href="https://infimasec.com/blog/clicking-fast-and-slow/">think critically</a></strong>, making them more susceptible to divulging sensitive information.</p><ol><li><strong>Urgency and Fear:</strong> Time-sensitive messages <strong>trigger an instinctive response</strong>, pushing recipients to act quickly without questioning the request's authenticity. Hackers capitalize on this by <strong>simulating crises</strong>, such as impending account suspension or security breaches, <strong>creating a sense of urgency</strong> that bypasses rational thinking.</li><li><strong>Authority and Credibility:</strong> People tend to <strong>obey authority figures </strong>and follow perceived norms. Phishers <strong>mimic trusted sources</strong>, like reputable companies or well-known colleagues, to <strong>lend credibility</strong> to their requests. Employees may feel obligated to comply with instructions from a senior executive, even if they seem suspicious.</li><li><strong>Curiosity and Reward:</strong> A well-placed lure <strong>piques curiosity</strong> and promises a reward, prompting individuals to click on malicious links. By appealing to our innate <strong>desire for gratification</strong>, phishers lure victims into compromising situations, often without them realizing the danger until it's too late.</li><li><strong>Social Engineering:</strong> Humans are <strong>inherently social creatures</strong>, and cybercriminals manipulate this trait to their advantage. Phishing attacks might exploit relationships, referencing personal details or shared connections to <strong>establish trust and create a false sense of familiarity</strong>.</li></ol><h3 id="the-role-of-simulated-phishing-attacks-a-crucial-weapon-in-the-arsenal">The Role of Simulated Phishing Attacks: A Crucial Weapon in the Arsenal</h3><p>Enter simulated phishing attacks: a strategic tool designed to <strong>educate, engage, and empower employees</strong> against these psychological tactics. Simulated attacks <strong>mirror real-world scenarios</strong>, providing employees with firsthand experience in identifying red flags. Here's why they're indispensable:</p><ol><li><strong>Hands-On Learning:</strong> Simulated attacks offer a <strong>safe environment for employees</strong> to recognize phishing attempts without real consequences. This experiential learning approach <strong>sharpens their instincts and teaches them to discern</strong> genuine communications from fraudulent ones.</li><li><strong>Behavioral Change:</strong> Repetition is key to behavior change. Regularly exposing employees to simulated phishing attacks <strong>conditions them to think twice before clicking</strong>, mitigating the knee-jerk reactions triggered by urgency or curiosity.</li><li><strong>Data-Driven Insights:</strong> Simulated attacks generate valuable data about an organization's susceptibility to phishing. By analyzing metrics like click rates and response times, businesses can <strong>identify weak points, tailor training, and measure progress </strong>over time.</li></ol><p>In the dynamic realm of cybersecurity, understanding the psychology behind phishing is <strong>essential for safeguarding sensitive information</strong>. By recognizing the tactics hackers use to manipulate human behavior, organizations can fortify their defenses and empower their workforce to become the first line of protection. Simulated phishing attacks, in turn, provide a powerful means to <strong>transform this knowledge into practical skills</strong>, ensuring that employees become vigilant guardians against the artful deceptions of cybercriminals. Through <strong>awareness, education, and ongoing training</strong>, businesses can navigate the complex seas of cybersecurity with confidence, repelling the tides of phishing attempts and securing their digital domains.</p><p>This is exactly why INFIMA <strong>harnesses the power of AI for good</strong> to <strong>stay ahead of cybercriminals' </strong>latest attacks, all with a deep <strong>focus on hacker's tactics for behavioral manipulation</strong>.</p><p>INFIMA's <strong>fully automated Awareness Training platform</strong> enables Managed Services Providers to<strong> </strong>provide<strong> continuous Training and Phishing simulations with ease.</strong></p><p>And for the best part... our MSP Partners can <strong>get clients up and running in <a href="https://infimasec.com/blog/3-clicks/">just 3 clicks</a>!</strong></p><blockquote><strong>If you're an MSP</strong> and want to learn more about our Partner Program, go check out how we work with Partners <a href="https://infimasec.com/partners/" rel="noopener noreferrer">here</a>. If you like what you see, <a href="https://calendly.com/zach-carter/demo" rel="noopener noreferrer">book a time to chat</a>!</blockquote><p><em>Thanks to Midjourney for the very convincing conman image.</em></p>]]></content:encoded></item><item><title><![CDATA[Pretexting the Attack]]></title><description><![CDATA[Hackers deepen their focus on behavioral manipulation.]]></description><link>https://infimasec.com/blog/pretexting/</link><guid isPermaLink="false">64b13e9c70e0300448aff5db</guid><category><![CDATA[Sales]]></category><category><![CDATA[Security]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Fri, 14 Jul 2023 12:48:51 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2023/07/conman.png" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2023/07/conman.png" alt="Pretexting the Attack"><p>In the ever-evolving landscape of cyber threats, <strong>hackers continuously refine</strong> their <strong><a href="https://infimasec.com/blog/criminals-early-adopters/">tactics</a> to exploit human vulnerabilities</strong>. One such technique is <strong>pre-texting</strong>, a <strong>form of social engineering that relies on manipulation and deception</strong>. By assuming false identities and leveraging psychological tactics, hackers employ pre-texting to <strong>gain trust and extract sensitive information</strong>. </p><h3 id="understanding-pre-texting">Understanding Pre-texting</h3><p>Pre-texting involves the art of crafting a <strong>believable backstory</strong> or pretext to deceive individuals. Hackers adept at pre-texting masterfully weave narratives to <a href="https://infimasec.com/blog/weapons-of-influence-social-eng/"><strong>exploit human psychology</strong></a>, relying on<strong> trust, curiosity, and the willingness to help</strong>. The aim is to <strong>manipulate victims</strong> into revealing sensitive information or performing actions that can <strong>compromise security</strong>.</p><h3 id="phases-of-pre-texting-attacks">Phases of Pre-texting Attacks</h3><ol><li><strong><em>Research</em></strong>: Before launching a pre-texting attack, hackers invest time and effort into <strong>researching their targets</strong>. They scour <strong>social media platforms, online forums, and public records</strong> to gather personal information that enhances the credibility of their pretexts.</li><li><strong><em>Building Trust</em></strong>: Armed with gathered information, hackers proceed to <strong>establish trust with their targets</strong>. They might <strong>impersonate colleagues, service providers, or even trusted authorities</strong>. By assuming an identity that resonates with the target's environment, hackers instill a <strong>sense of familiarity and reliability</strong>.</li><li><strong><em>Exploitation</em></strong>: Once <strong>trust is established</strong>, hackers employ various tactics to exploit their victims. This can involve <strong>requesting sensitive information</strong>, such as passwords or financial details, or convincing individuals to click on malicious links or download malware-infected files.</li></ol><h3 id="impacts-of-pre-texting-attacks">Impacts of Pre-texting Attacks</h3><p>Pre-texting attacks <strong>can have severe consequences </strong>for individuals, organizations, and even society as a whole. Some notable impacts include:</p><ol><li><strong><em>Financial Losses</em></strong>: By tricking victims into <strong>sharing banking information</strong> or transferring funds, hackers can <strong>cause substantial financial damage</strong> to individuals and businesses alike.</li><li><strong><em>Identity Theft</em></strong>: Pre-texting attacks often involve <strong>extracting personally identifiable information (PII) </strong>such as social security numbers, dates of birth, or addresses. This information can then be used to <strong>commit identity theft</strong>, resulting in significant harm to victims.</li><li><strong><em>Data Breaches</em></strong>: Hackers may exploit pre-texting to<strong> gain access to sensitive corporate or personal data</strong>. This can lead to data breaches, compromising individuals' privacy, and causing reputational damage to organizations.</li></ol><h3 id="defending-against-pre-texting-attacks">Defending Against Pre-texting Attacks</h3><p>While hackers' tactics may be sophisticated, individuals and organizations can <strong>adopt proactive measures to defend</strong> against pre-texting attacks:</p><ol><li><strong><em>Education and Awareness Training:</em></strong> Raising awareness about pre-texting attacks and their techniques is crucial. <strong>Regularly educate employees</strong> about the latest social engineering threats, emphasizing the importance of skepticism and caution.</li><li><strong><em>Verify Requests:</em></strong> Never disclose sensitive information or carry out actions based solely on a request received via email, phone call, or text message. <strong>Independently verify the legitimacy of the request </strong>through known and trusted channels before responding.</li><li><strong><em>Control Personal Information:</em></strong> Be mindful of the <strong>personal information shared on social media platforms</strong> or public forums. <strong>Limit the amount of sensitive data available online</strong>, reducing the ammunition available to hackers during the reconnaissance phase.</li><li><strong><em>Implement Multi-Factor Authentication (MFA)</em></strong>: By enabling MFA on various accounts, even if attackers acquire login credentials, additional authentication factors <strong>add an extra layer of protection</strong> against unauthorized access.</li><li><strong><em>Incident Response Plan</em></strong>: Develop and implement an incident response plan to <strong>swiftly address potential breaches</strong> resulting from pre-texting attacks. This should include steps for communication, containment, investigation, and recovery.</li></ol><p>Pre-texting has become a <strong>favored weapon of hackers</strong> in their social engineering and phishing attacks. By <strong>exploiting human psychology</strong>, hackers craft convincing pretexts to <strong>manipulate individuals</strong> into divulging sensitive information or taking actions that compromise security. To counter this threat, it is essential to stay vigilant,<strong> educate your team</strong> and <strong>implement proactive security measures</strong>. By fortifying defenses, individuals and organizations can <strong>mitigate the risks associated with pre-texting attacks</strong> and safeguard their sensitive information.</p><p>This is exactly why INFIMA <strong>harnesses the power of AI for good</strong> to <strong>stay ahead of cybercriminals' </strong>latest attacks, all with a deep <strong>focus on <a href="https://infimasec.com/blog/clicking-fast-and-slow/">hacker's tactics for behavioral manipulation</a></strong>.</p><p>INFIMA's <strong>fully automated Awareness Training platform</strong> enables Managed Services Providers to<strong> </strong>provide<strong> continuous Training and Phishing simulations with ease.</strong></p><p>And for the best part... our MSP Partners can <strong>get clients up and running in <a href="https://infimasec.com/blog/3-clicks/">just 3 clicks</a>!</strong></p><blockquote><strong>If you're an MSP</strong> and want to learn more about our Partner Program, go check out how we work with Partners <a href="https://infimasec.com/partners/" rel="noopener noreferrer">here</a>. If you like what you see, <a href="https://calendly.com/zach-carter/demo" rel="noopener noreferrer">book a time to chat</a>!</blockquote><p><em>Thanks to Midjourney for the very convincing conman image.</em></p>]]></content:encoded></item><item><title><![CDATA[AI is Amplifying Social Engineering]]></title><description><![CDATA[Hackers are amplifying their Social Engineering and Phishing Attacks with AI tools, including ChatGPT.]]></description><link>https://infimasec.com/blog/ai-and-social-engineering/</link><guid isPermaLink="false">64665c9970e0300448aff53f</guid><category><![CDATA[Security]]></category><category><![CDATA[Sales]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Thu, 18 May 2023 19:00:11 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2023/05/hacker-pixel.png" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2023/05/hacker-pixel.png" alt="AI is Amplifying Social Engineering"><p>As technology continues to evolve, so do the tools and tactics employed by cybercriminals. Throughout history, <a href="https://infimasec.com/blog/criminals-early-adopters/">criminals are early adopters of new tech</a>. This time it's <strong>no different with Artificial Intelligence (AI).</strong></p><p>AI has emerged as a game-changer, <strong>empowering hackers with enhanced capabilities</strong>. Cybercriminals have been <strong>quick to capitalize on AI's potential</strong> to revolutionize their illicit game. Understanding these risks is <strong>crucial for MSPs to stay one step ahead</strong> in the ongoing battle against cyber threats.</p><h2 id="ai-driven-social-engineering">AI-Driven Social Engineering</h2><p>Social engineering attacks <strong>prey on <a href="https://infimasec.com/blog/clicking-fast-and-slow/">human psychology</a></strong>, exploiting trust and manipulating individuals into divulging sensitive information or performing unauthorized actions. AI tools provide hackers with powerful capabilities to launch <strong>sophisticated social engineering attacks</strong>, including:</p><ol><li><strong>Sophisticated Personalization:</strong> AI-powered tools enable cybercriminals to <strong>gather vast amounts of information</strong> from multiple sources, such as social media, public databases, and leaked data. With this wealth of information, hackers can craft <strong>highly personalized spear phishing emails</strong> that appear legitimate and trustworthy. These targeted attacks significantly increase the success rate and pose a grave risk to individuals and organizations.</li><li><strong>Deepfake Threats: </strong>AI algorithms can generate realistic synthetic media, such as <strong>manipulated audio and video content.</strong> Hackers leverage deepfake technology to <strong>impersonate trusted individuals</strong>, creating fraudulent content that deceives employees into revealing sensitive information or taking malicious actions. The authenticity of these deepfakes makes them even more challenging to detect.</li><li><strong>Automation and Scale: </strong>AI-powered tools enable cybercriminals to <strong>automate various stages of the attack process</strong>, including reconnaissance, email creation, and response analysis. This automation allows hackers to <strong>launch attacks at a large scale</strong>, targeting multiple individuals simultaneously.</li><li><strong>Evading Detection:</strong> AI algorithms can <strong>adapt and evolve</strong>, making it challenging for traditional security measures to detect malicious activities. Hackers leverage AI to constantly refine their attack techniques, <strong>bypassing security controls and remaining undetected for longer periods</strong>.</li></ol><h3 id="defending-against-ai-enhanced-attacks">Defending Against AI-Enhanced Attacks</h3><p>To protect your clients from the amplified risks posed by AI-powered social engineering and phishing attacks, MSPs should <strong>adopt a proactive and comprehensive approach</strong>:</p><ol><li><strong>Continuous Security Awareness Training: </strong>Educate your clients' employees about the evolving nature of cyber threats and the potential impact of AI-driven attacks. Provide regular security awareness training that covers social engineering tactics, phishing awareness, and how to identify suspicious emails or requests.</li><li><strong>Advanced Threat Detection:</strong> Implement advanced threat detection solutions that leverage AI and machine learning algorithms to identify patterns and anomalies associated with social engineering and phishing attacks. These tools can help detect sophisticated attacks that may bypass traditional security measures.</li><li><strong>Multi-Layered Defense:</strong> Deploy a multi-layered security strategy that combines email filtering, endpoint protection, network monitoring, and user behavior analytics. This approach ensures that potential threats are identified and mitigated at multiple levels, reducing the risk of successful attacks.</li><li><strong>Incident Response Planning:</strong> Develop a robust incident response plan that outlines the steps to be taken in case of a social engineering or phishing attack. This plan should include communication protocols, incident containment measures, and post-incident analysis to improve future response capabilities.</li></ol><p>AI has undoubtedly <strong>transformed the landscape of cybercrime</strong>, empowering hackers with sophisticated tools to amplify social engineering and phishing attacks. As MSPs, it is crucial to <strong>understand the power of AI in the wrong hands</strong>.</p><p>By implementing a <strong>proactive defense strategy</strong> that includes continuous training, advanced threat detection, multi-layered defense, and effective incident response planning, you can <strong>bolster your clients' security posture and mitigate the risks</strong> associated with AI-enhanced attacks.</p><p>This is exactly why we're working hard to <strong>harness the power of AI for good</strong> and <strong>stay ahead of cybercriminals</strong> to safeguard the digital world.</p><p><strong>INFIMA created a fully automated Awareness Training platform</strong> that enables Managed Services Providers to<strong> </strong>provide<strong> continuous Training and Phishing simulations with ease.</strong></p><p>In fact, our MSP Partners can <strong>get clients up and running in <a href="https://infimasec.com/blog/3-clicks/">just 3 clicks</a>!</strong></p><blockquote><strong>If you're an MSP</strong> and want to learn more about our Partner Program, go check out how we work with Partners <a href="https://infimasec.com/partners/" rel="noopener noreferrer">here</a>. If you like what you see, <a href="https://calendly.com/zach-carter/demo" rel="noopener noreferrer">book a time to chat</a>!</blockquote><p><em>Thanks to OpenAI's Dall-E for the cute pixelated hacker image.</em></p>]]></content:encoded></item><item><title><![CDATA[Criminals are Early Tech Adopters]]></title><description><![CDATA[From the telegraph to the Tommy Gun, criminals have quickly used tech advancements to their advantage.]]></description><link>https://infimasec.com/blog/criminals-early-adopters/</link><guid isPermaLink="false">6441456870e0300448aff426</guid><category><![CDATA[Sales]]></category><category><![CDATA[Security]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Thu, 20 Apr 2023 14:43:15 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2023/04/Screen-Shot-2023-04-20-at-10.43.54-AM.png" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2023/04/Screen-Shot-2023-04-20-at-10.43.54-AM.png" alt="Criminals are Early Tech Adopters"><p>So here's a <strong>walk down history lane</strong> that includes an inconvenient truth...</p><p><strong>Criminals adopt new technologies before law enforcement</strong>. We'll get into the examples in a moment, but let's first address the "why" here.</p><p>Criminals adopt tech quickly because <strong>they have the</strong> <strong><a href="https://infimasec.com/blog/hackers-and-chatgpt/">quickest path to profit</a> from it</strong>.</p><p>Let's jump in for some <strong>examples of criminals staying a step ahead of law encorcement</strong>:</p><h3 id="the-telegraph">The Telegraph</h3><p>In the mid-19th century, the telegraph was a new technology that allowed<strong> </strong>for<strong> rapid communication over long distances</strong>. Criminals quickly<strong> realized its potential for coordinating their activities</strong>, and used it to<strong> plan robberies and escapes.</strong> The Pinkerton Detective Agency, which was founded in 1850, was one of the first law enforcement agencies to use the telegraph to track down criminals.</p><h3 id="the-automobile">The Automobile</h3><p>In the early 20th century, automobiles became <strong>increasingly popular and accessible</strong>. Criminals quickly realized that cars could be used to <strong>make fast getaways and to transport stolen goods</strong>. In response, law enforcement agencies began to use cars to pursue and apprehend criminals.</p><h3 id="the-tommy-gun">The Tommy Gun</h3><p>The Thompson submachine gun, also known as the "Tommy Gun," was invented in 1918 and <strong>quickly became a popular weapon among criminals</strong>. Its ability to fire rapidly and with great accuracy made it a <strong>favored weapon for bank robbers and gangsters </strong>during the Prohibition era in the United States. Law enforcement agencies initially <strong>struggled to counter the threat posed by the Tommy Gun</strong>. Many police departments lacked the necessary equipment and training to respond effectively to a heavily armed criminal.</p><h3 id="the-telephone">The Telephone</h3><p>In the early 20th century, the telephone became a common household appliance. Just like the telegraph, criminals quickly realized that they could use it to <strong>coordinate their activities and to plan crimes</strong>. Law enforcement agencies responded by tapping phone lines and using wiretapping to gather evidence against criminals.</p><h3 id="the-internet">The Internet</h3><p>And then there's our beloved Internet. In the 1990s, the internet became widely available, and criminals quickly began to use it to <strong>commit fraud, distribute illegal goods, and coordinate criminal activities</strong>. Law enforcement agencies have <strong>struggled to keep up</strong> with the pace of technological change and the global nature of <strong>internet-based crime</strong>.</p><p>The key here is that the <strong>criminals move rapidly</strong>. They see opportunity and then <strong>develop ways of exploiting their newfound advantage</strong>.</p><p>The same is <strong>still true today</strong>.</p><p>Criminals will <strong>use tools like GPT-4 and other AI platforms</strong> to stay<strong> a step ahead of law enforcement </strong>and the general public.</p><p>This is exactly why your <strong>cybersecurity layers need to be hyper-responsive and forward-looking</strong>.</p><p>It's the same reason why<strong> INFIMA leverages these same tools to protect</strong> your people.</p><p>And the best part - we make it easy with our <strong><a href="https://infimasec.com/blog/3-clicks/">fully<strong> automated</strong></a><strong> Security Awareness Training </strong></strong>platform, <strong><strong>built for the MSP community</strong></strong>.</p><blockquote><strong><strong><strong><strong>I<strong><strong><strong><strong>f you're an MSP</strong></strong></strong></strong></strong></strong></strong></strong> and want to learn more, go check out how we work with Partners <a href="https://infimasec.com/partners/">here</a>. If you like what you see, <a href="https://calendly.com/zach-carter/demo">book a time to chat</a>!</blockquote><p><em>Image by <a href="https://pixabay.com/users/alles-2597842/?utm_source=link-attribution&amp;utm_medium=referral&amp;utm_campaign=image&amp;utm_content=4598563">Alexander Lesnitsky</a> from <a href="https://pixabay.com//?utm_source=link-attribution&amp;utm_medium=referral&amp;utm_campaign=image&amp;utm_content=4598563">Pixabay</a></em></p>]]></content:encoded></item><item><title><![CDATA[CIS Control 14 and Security Awareness Training]]></title><description><![CDATA[The MSP community is taking security regs head-on, with CIS Controls high on the list.]]></description><link>https://infimasec.com/blog/cis-control-14/</link><guid isPermaLink="false">640a8fff70e0300448aff2eb</guid><category><![CDATA[Sales]]></category><category><![CDATA[Security]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Fri, 10 Mar 2023 03:05:31 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2023/03/number-14.PNG" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2023/03/number-14.PNG" alt="CIS Control 14 and Security Awareness Training"><p>Lots of eyes are on <a href="https://www.cisecurity.org/controls">CIS Controls</a>, so let's jump in.</p><p><strong><a href="https://www.cisecurity.org/controls/security-awareness-and-skills-training">CIS Control 14</a></strong> (version 8) emphasizes the importance of <strong>providing regular and relevant Security Awareness Training to all employees</strong>, including new hires and third-party contractors.</p><p>Below, we <strong>go through this Control step-by-step</strong>, so you can determine how well your Security Awareness Training program satisfies the requirements and if there are any gaps to fill. </p><h3 id="14-1-establish-and-maintain-a-security-awareness-program">14.1: Establish and Maintain a Security Awareness Program</h3><p>This section establishes the need for maintaining a Security Awareness Training program that <strong>educates the organization's staff</strong> on the proper and secure usage of enterprise assets and data. The program should include <strong>relevant training upon hire and should be conducted at least annually</strong>, if not more frequently. The program's content should be reviewed and updated annually, or as needed when security risks to the organization change.</p><h3 id="14-2-train-workforce-members-to-recognize-social-engineering-attacks">14.2: Train Workforce Members to Recognize Social Engineering Attacks</h3><p>Provide training to employees to <strong>identify and respond to social engineering attacks.</strong> The breadth of social engineering attacks can be very broad, but the safeguard uses a subset of examples, including phishing, pretexting, and tailgating.</p><h3 id="14-3-train-workforce-members-on-authentication-best-practices">14.3: Train Workforce Members on Authentication Best Practices</h3><p>Provide instruction to the organization's personnel regarding <strong>authentication best practices</strong>, including topics such as multi-factor authentication (MFA), password creation standards, and effective credential management.</p><h3 id="14-4-train-workforce-on-data-handling-best-practices">14.4: Train Workforce on Data Handling Best Practices</h3><p>Educate employees on the <strong>proper identification, handling, storage, transfer, archiving and disposal of sensitive data</strong>. This training should also encompass best practices for maintaining clear screens and desks, including locking screens when not in front of your machine, clearing whiteboards (both physical and digital) after meetings, and securely storing any sensitive data and assets.</p><h3 id="14-5-train-workforce-members-on-causes-of-unintentional-data-exposure">14.5: Train Workforce Members on Causes of Unintentional Data Exposure</h3><p>Educate employees on the potential causes of unintentional data exposure, such as the <strong>accidental delivery of sensitive information</strong> to the wrong recipient, the <strong>loss of any portable devices</strong>, or the <strong>inadvertent publication of data</strong> to unintended recipients.</p><h3 id="14-6-train-workforce-members-on-recognizing-and-reporting-security-incidents">14.6: Train Workforce Members on Recognizing and Reporting Security Incidents</h3><p>Educate employees to enable them to <strong>identify potential security incidents</strong> and effectively report such incidents. This includes educating employees on insider threats and its hallmark signs.</p><h3 id="14-7-train-workforce-on-how-to-identify-and-report-if-their-enterprise-assets-are-missing-security-updates">14.7: Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates</h3><p>Educate employees on the procedures for r<strong>ecognizing and reporting outdated software patches</strong> or any <strong>concerns related to automated processes</strong> and organizational tools. This training should also include instructions for notifying IT personnel in the event of any concerns related to patches, processes or tools.</p><h3 id="14-8-train-workforce-on-the-dangers-of-connecting-to-and-transmitting-enterprise-data-over-insecure-networks">14.8: Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks</h3><p>Educate employees regarding the <strong>risks associated with utilizing insecure networks</strong> for organizational activities. Additionally, for remote workers, training must include guidance on configuring their home network infrastructure to ensure secure connectivity.</p><h3 id="14-9-conduct-role-specific-security-awareness-and-skills-training">14.9: Conduct Role-Specific Security Awareness and Skills Training</h3><p>Provide security awareness and skills <strong>training customized to the specific roles and responsibilities of employees</strong>. The safeguard provides several examples of such training: "secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles."</p><p>All in all, this <strong>hits on a broad range of topics</strong>. And they've done an excellent job of it!</p><p>Ultimately, it <strong>ends up being a lot of work </strong>to run a Security Awareness Training program for any organization.</p><p>This is exactly why <strong>INFIMA created a fully automated Awareness Training platform</strong> that enables Managed Services Providers to<strong> satisfy CIS Control 14 with ease.</strong></p><p>In fact, our MSP Partners can <strong>get clients up and running in <a href="https://infimasec.com/blog/3-clicks/">just 3 clicks</a>!</strong></p><blockquote><strong>If you're an MSP</strong> and want to learn more about our Partner Program, go check out how we work with Partners <a href="https://infimasec.com/partners/" rel="noopener noreferrer">here</a>. If you like what you see, <a href="https://calendly.com/zach-carter/demo" rel="noopener noreferrer">book a time to chat</a>!</blockquote><p><em>Thank you to the great minds at the <a href="https://www.cisecurity.org/">Center for Internet Security</a> for their continued work in securing our workplaces and staff. Note that we've used their section titles verbatim and shared our understanding of the requirements.</em></p><p><em>Disclaimer: our attorneys make sure we remind you that none of the above is legal advice, and all services are governed by our Terms of Service and End User License Agreement. Also, we love you!</em></p>]]></content:encoded></item><item><title><![CDATA[3 Clicks to Freedom]]></title><description><![CDATA[Security Awareness with ease: Sync. Authenticate. Activate.]]></description><link>https://infimasec.com/blog/3-clicks/</link><guid isPermaLink="false">63ee4e3970e0300448aff1cc</guid><category><![CDATA[Sales]]></category><category><![CDATA[Security]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Thu, 16 Feb 2023 16:21:13 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2023/02/pablo-heimplatz-EAvS-4KnGrk-unsplash.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2023/02/pablo-heimplatz-EAvS-4KnGrk-unsplash.jpg" alt="3 Clicks to Freedom"><p>Security Awareness Training can be a <strong>pain to manage</strong>.</p><p>We get it.</p><blockquote>“It used to take us two or three hours to set up one client. We migrated all of our clients to INFIMA in that time.”<br>- Rob Walters @ Executive Image Solutions</blockquote><p>That's exactly why we developed a <strong>fully automated platform, built for Managed Services Providers</strong>.</p><p>Ok, so let's jump into <strong>what 3 Clicks to Freedom means</strong> for our MSP Partners:</p><h3 id="sync">Sync</h3><p>First, we <strong>sync your client's users.</strong></p><p>Whether you've got 10 clients or 500 clients, <strong>every single one of them</strong> deserves your excellent services. One of the key issues is ensuring that <strong>every user across every client</strong> is <a href="https://infimasec.com/blog/train-em-all/">actively engaged</a> in your Security Awareness Training program.</p><blockquote>Set up a customer, sync it to their 365 so it finds all their users, and then that's it.  It just goes off and does its thing.”<br>- Roger Curtis @ Masser Tech</blockquote><p>This means every individual receives <strong>consistent Simulated Phishing Attacks</strong> alongside timely and relevant <strong>Cybersecurity Training Courses</strong>.</p><p>With INFIMA's <strong>Office 365 and Google Workspace syncs</strong>, your clients users are<strong> automatically enrolled</strong> in their comprehensive program. Like magic, your <strong>client is now set up in your multi-tenant dashboard</strong>.</p><p>Don't worry, it doesn't get any more challenging than this!</p><h3 id="authenticate">Authenticate</h3><p>The next step in your onboard is a simple authentication with our <strong>Office 365 or Google Workspace integration</strong>. Here, we<strong> take care of deliverability</strong>.</p><blockquote>“I was able to set up a client within five minutes of my first introduction to the platform."<br>- George Childers @ Best Servers</blockquote><p><strong>Whitelisting can be the hardest part </strong>of this whole process. Your <strong>email filters are trying to do their job</strong>, too! They don't know that your Simulated Phishing attacks are supposed to get delivered. </p><p>So we <strong>ensure those Simulated Phishes and Training Course Invites get delivered</strong> to every one of your clients' users.</p><h3 id="activate">Activate</h3><p>Now, let's get your clients rolling!</p><p>Here, <strong>INFIMA automatically populates their Training Curriculum</strong> and <strong>schedules Phishing Simulations</strong>.</p><blockquote>"INFIMA's just set it, forget it."<br>- Dan Fitzpatrick @ Christo IT</blockquote><p>Note that I didn't say - now you, friendly Partner, have to do <a href="https://infimasec.com/blog/automation-for-the-win/">all the work</a>... we do all Training Course scheduling, tracking and sending, in addition to designing, scheduling and sending Phishing emails. </p><p><strong>Reduce your risks </strong>from <a href="https://infimasec.com/blog/slas-and-automation/">SLAs</a> and <a href="https://infimasec.com/blog/cyber-insurance-subrogation/">Cyber Insurers</a>.</p><p>And there it is.</p><p><strong>3 Clicks, and you're freed from all those tasks</strong> of managing a comprehensive Security Awareness Training program!</p><blockquote><strong>If you're an MSP</strong> and want to learn more about our Partner Program, go check out how we work with Partners <a href="https://infimasec.com/partners/" rel="noopener noreferrer">here</a>. If you like what you see, <a href="https://calendly.com/zach-carter/demo" rel="noopener noreferrer">book a time to chat</a>!</blockquote><p><em>Photo by <a href="https://unsplash.com/@pabloheimplatz?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Pablo Heimplatz</a> on <a href="https://unsplash.com/photos/EAvS-4KnGrk?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></em></p><p><em>Disclaimer: our attorneys make sure we remind you that none of the above is legal advice, and all services are governed by our Terms of Service and End User License Agreement. Also, we love you!</em></p>]]></content:encoded></item><item><title><![CDATA[Training Every Employee]]></title><description><![CDATA[Post-breach, cybersecurity insurers are looking more deeply into third party providers. Security awareness training is key across every employee.]]></description><link>https://infimasec.com/blog/train-em-all/</link><guid isPermaLink="false">63ca975970e0300448aff13b</guid><category><![CDATA[Security]]></category><category><![CDATA[Sales]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Fri, 20 Jan 2023 13:48:04 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2023/01/husna-miskandar-FC4z3l4sUYc-unsplash.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2023/01/husna-miskandar-FC4z3l4sUYc-unsplash.jpg" alt="Training Every Employee"><p>As an MSP, one of your many jobs is to <strong>keep your clients' networks safe and secure</strong>.</p><p>Easier said than done, right?</p><p>In reality, the job is more about <strong>putting the right technical tools, training and processes in place</strong>, such that your clients are <strong>as safe as you can control</strong>. There is always <strong>plenty left to human error</strong> - from tinkering with firewall settings to clicking on phishing emails to falling for social engineering scams.</p><h3 id="the-training-challenge">The Training Challenge</h3><p>We're a security awareness training company, and we're going to stay in our lane on this one.</p><p>So what happens <strong>when a compromise occurs</strong>? Post-breach, your client usually looks to their <strong>cybersecurity insurance policy</strong> to cover the costs of the incident. <strong>Insurers are now quick to look at third party providers</strong> to see if there were <strong>any gaps</strong> in service versus contractual obligations.</p><blockquote>Security awareness training is all too often one of those gaps.</blockquote><p>It’s not because your MSP doesn’t have a training vendor. It’s that <strong>it can take a lot of work</strong> to make sure it’s in place for <strong>every user at every client</strong>. And let's be honest, <strong>things sometimes slip through the cracks</strong>.</p><p><em>Here’s a scenario:</em></p><p>You’ve got 25 clients, including a <strong>local paper company called Dunder Mifflin</strong>. Naturally, they’re an awesome client, and we love them!</p><p>Six months ago Dunder Mifflin<strong> added 8 new employees</strong> to handle their growth.</p><p>But yesterday, <strong>one of those eight employees</strong> (we’ll call him Ryan) clicked on a phishing email and<strong> downloaded ransomware.</strong></p><p>Bad news!</p><p>You <strong>engage your incident response plan</strong> and get to work remediating their environment. This isn't your team’s first rodeo, so they <strong>do a stellar job</strong>, getting the Dunder team back in action within 48 hours.</p><p>Unfortunately, there were a lot of <strong>costs associated with that remediation</strong>, including disclosure of the breach to all clients and government authorities.</p><p>The regional manager (let’s call him Michael) contacts his cyber insurance carrier with the<strong> damages claim</strong>. The <strong>insurance company requests a bunch of information</strong>, and Michael diligently delivers.</p><p>Then there’s a <a href="https://infimasec.com/blog/cyber-insurance-subrogation/">problem</a>.</p><p>From Dunder Mifflin’s <strong>security awareness training reports</strong>, the insurance company notices that <strong>the last 8 employee hires were never enrolled in training</strong>. It was Ryan, <strong>one of those new hires, who caused the breach</strong>.</p><p>The insurance company now <strong>turns its eyes on the MSP, subrogating the claim</strong>.</p><h3 id="what-is-subrogation">What is Subrogation?</h3><p>Subrogation is the process in which an <strong>insurance company seeks to recover the costs of a claim from a third party</strong> who is deemed to be responsible for the loss.</p><p>In this case, if the insurance company can prove that the <strong>MSP failed to properly train ALL of the client's employees</strong> on security best practices, they <strong>may seek to recover the costs of the claim from the MSP</strong>.</p><p>This is brutal.</p><p><strong>All the other employees were actively enrolled </strong>in training. <strong>It was just these 8 users</strong> who were somehow missed.</p><p>This can be a <strong>serious risk </strong>for managed services providers, as the <strong>potential costs</strong> of a subrogation claim are significant. Not only will the MSP be responsible for <strong>reimbursing the insurance company</strong> for the costs of the claim, but they may also be responsible for <strong>covering the costs of any legal fees </strong>incurred during the subrogation process.</p><h3 id="how-do-we-avoid-this">How do we avoid this?</h3><p><a href="https://infimasec.com/blog/automation-for-the-win/">Automation</a>.</p><p>Your best bet is automation throughout the lifecycle:</p><ul><li><strong>Syncing</strong> active users</li><li>Sending <strong>training</strong> courses to every user</li><li><strong>Tracking and re-sending</strong> training to users who don’t finish</li><li><strong>Phishing</strong> every employee regularly</li><li><strong>Tracking and re-targeting</strong> risky employees</li><li><strong>Reporting</strong> on every step of the process</li></ul><p>If done manually, that's<strong> a lot of work</strong>. And if it goes wrong, that's<strong> a lot of risk.</strong></p><p>Fortunately, <strong>automation is exactly what INFIMA does.</strong></p><p>And the best part - we make it easy with our <strong>fully automated Security Awareness Training </strong>platform, <strong>built for the MSP community</strong>.</p><blockquote><strong>If you're an MSP</strong> and want to learn more, go check out how we work with Partners <a href="https://infimasec.com/partners/" rel="noopener noreferrer">here</a>. If you like what you see, <a href="https://calendly.com/zach-carter/demo" rel="noopener noreferrer">book a time to chat</a>!</blockquote><p><em>Photo by <a href="https://unsplash.com/es/@hbunny_?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Husna Miskandar</a> on <a href="https://unsplash.com/photos/FC4z3l4sUYc?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></em></p><p><em>Disclaimer: our attorneys make sure we remind you that none of the above is legal advice, and all services are governed by our Terms of Service and End User License Agreement. Also, we love you!</em></p>]]></content:encoded></item><item><title><![CDATA[An AI Poem on Security Awareness]]></title><description><![CDATA[Let's ring in 2023 with what will be the most pivotal change to the security landscape: easy-to-use AI tools.]]></description><link>https://infimasec.com/blog/security-aware-shakespeare/</link><guid isPermaLink="false">63ae09bd70e0300448aff0f3</guid><category><![CDATA[Security]]></category><category><![CDATA[Sales]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Thu, 29 Dec 2022 21:53:13 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2022/12/Screen-Shot-2022-12-29-at-5.09.19-PM.png" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2022/12/Screen-Shot-2022-12-29-at-5.09.19-PM.png" alt="An AI Poem on Security Awareness"><p>While we've been on the topic of <a href="https://infimasec.com/blog/hackers-and-chatgpt/">AI in the hands of cybercriminals</a>, we'll try something a little more lighthearted.</p><p>Thanks to the <strong>brilliant machines at ChatGPT</strong>, here is your end of year poem on INFIMA's favorite topic, <strong>written entirely by AI from the below prompt</strong>:</p><h3 id="prompt">Prompt</h3><p>Write a poem about security awareness training in Shakespearean iambic pentameter.</p><h3 id="security-awareness-training">Security Awareness Training</h3><p>Security is a vital part of life<br>That we must all be mindful of each day<br>For without it, trouble and strife<br>May come our way</p><p>In order to keep ourselves secure<br>We must be vigilant and wise<br>And always be prepared to endure<br>The threats that may arise</p><p>That's why security awareness training<br>Is such an important thing<br>It helps us to stay safe and thriving<br>And enables us to sing</p><p>So let us all embrace this learning<br>And keep ourselves secure<br>For peace of mind and less concern<br>Is what we all can ensure</p><hr><p>While these new <strong>AI tools create a fun playground for experimentation</strong> and education, they offer <strong>immense opportunity to hackers</strong>, as well.</p><p>We will see expanded use of <a href="https://infimasec.com/blog/hackers-and-chatgpt/">AI tools in the hands of cybercriminals</a>. This will make for an <strong>even more dynamic threat landscape</strong>.</p><p>Now for the good news - <strong>INFIMA trains your team on the safe behaviors</strong> designed to keep your organization and your people safe.</p><p>Rooted in <a href="https://infimasec.com/blog/cognitive-bias/">Behavioral Science</a>, INFIMA <strong><strong>focuses on removing unsafe behaviors</strong></strong> in your team and <strong><strong>replacing them with consistent, safe practices.</strong> </strong>Through<strong> <a href="https://infimasec.com/blog/right-and-wrong/">regular phishing simulations</a>, </strong>your employees<strong> </strong>experience<strong> varying tests across multiple emotional states.</strong></p><p>And yes, we are also <strong>leveraging the incredible power of AI</strong>.</p><p>And the best part - we make it easy with our <strong>fully<strong> automated Security Awareness Training </strong></strong>platform, <strong><strong>built for the MSP community</strong></strong>.</p><blockquote><strong><strong><strong><strong>I<strong><strong><strong><strong>f you're an MSP</strong></strong></strong></strong></strong></strong></strong></strong> and want to learn more, go check out how we work with Partners <a href="https://infimasec.com/partners/">here</a>. If you like what you see, <a href="https://calendly.com/zach-carter/demo">book a time to chat</a>!</blockquote><p><em>Photo credit to deepai.org (Yes, we used AI to generate the photo of Shakespeare writing an email.)</em></p>]]></content:encoded></item><item><title><![CDATA[Hackers will use ChatGPT, too]]></title><description><![CDATA[Hackers already use AI tools. This makes it more accessible.]]></description><link>https://infimasec.com/blog/hackers-and-chatgpt/</link><guid isPermaLink="false">63920f6270e0300448afefee</guid><category><![CDATA[Security]]></category><category><![CDATA[Sales]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Thu, 08 Dec 2022 17:46:28 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2022/12/alexander-shatov-PHH_0uw9-Qw-unsplash.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2022/12/alexander-shatov-PHH_0uw9-Qw-unsplash.jpg" alt="Hackers will use ChatGPT, too"><p>Well, we've got some <strong>flashy</strong> <strong>new tech</strong> out there, and we should <strong>expect hackers to maximize it</strong>. Unless you live under a rock (or saved yourself from LinkedIn and Twitter!), you've heard about <strong>ChatGPT</strong>.</p><p>So, in a move of both laziness and intrigue, <strong>let's use ChatGPT</strong> to educate us further...<br>(Note: each "Q" is the prompt and each "A" is the response)</p><hr><p><strong>Q:</strong> Why are <strong>criminals early adopters </strong>of new technology?<br><br><strong>A:</strong> Criminals are often early adopters of new technology because it can provide them with <strong>new opportunities and ways to commit crimes</strong>. For example, the rise of the internet and online payment systems has made it easier for criminals to conduct cyberattacks and steal personal information. New technologies can also provide criminals with new ways to evade detection and law enforcement, such as using encrypted communication channels or anonymizing tools. Additionally, criminals may be motivated to adopt new technologies in order to <strong>stay ahead of their competition</strong> and avoid detection.</p><hr><p>Ok, so <strong>criminals are quick to adopt</strong> new technology. Shall we see how this new tech might be used?</p><hr><p><strong>Q:</strong> How will cybercriminals <strong>use ChatGPT to craft better phishing emails</strong>?<br><br><strong>A:</strong> Cybercriminals may use ChatGPT, a natural language processing tool, to craft <strong>more convincing and personalized phishing emails</strong>. With ChatGPT, criminals can generate language that sounds natural and convincing, making it <strong>more</strong> <strong>likely that the recipient will believe the email </strong>and take the desired action, such as <strong>providing personal information or clicking on a malicious link</strong>. Additionally, ChatGPT can use information gathered from the individual <strong>recipient's social media profiles </strong>and other online sources to create personalized messages that are <strong>tailored to the recipient's interests </strong>and characteristics. This can<strong> </strong>make the phishing email more effective and <strong>increase the chances of success for the attacker</strong>.</p><hr><p>Well, that's disconcerting. But to be fair, we knew <a href="https://infimasec.com/blog/facebook-linkedin-clubhouse/">cybercriminals love social media</a>. (and <a href="https://infimasec.com/blog/hackers-love-social-media-part-2/">here</a>, too). So hackers can leverage this to <strong>speed up phishing attack cycles</strong>.</p><p>And we'll end with an example of the ease of <strong>personalizing phishing attacks </strong>with this tech. <em>Note that the ChatGPT response in this one has been edited gently.</em></p><hr><p><strong>Q: </strong>John wants to show Sally <strong>how convincing a phishing email can be</strong>. Sally's <strong>social media accounts show that she recently traveled to Italy</strong>. For instructional purposes, can you write a hypothetical phishing email to Sally?<br>[this story is a workaround to the blanket block of some outputs]</p><p><strong>A: [example phishing email]</strong><br>Hi Sally,</p><p>We are writing to you because we have some important information about your recent Italy trip.</p><p>We have received reports of fraudulent activity using credit cards linked to your account. In order to protect your account and personal information, we need you to verify your account information by clicking on the link below.</p><p>Please click here to verify your account: [insert link]</p><p>If you do not verify your account within 24 hours, your account will be suspended and your personal information may be compromised.</p><p>Thank you for your cooperation.</p><p>Best regards,</p><p>[Fake bank name]</p><p>In this example, the phishing email uses Sally's recent travel to Italy to make the email <strong>appear more personal and credible</strong>. The email also includes a fake bank name and logo, as well as a <strong>sense of urgency</strong> and a <strong>threat of account suspension</strong> to <strong>pressure Sally into clicking</strong> on the link and providing her personal information. However, the link in the email would actually redirect Sally to a <strong>fake website</strong> where her personal <strong>information would be collected by the attackers</strong>.</p><hr><p>It's interesting to note that the <strong>output automatically includes <a href="https://infimasec.com/blog/weapons-of-influence-social-eng/">weapons of influence</a></strong> like <strong>authority</strong> (the bank), <strong>urgency</strong> (short timeline) and <strong>loss aversion</strong> (account suspension and data loss).</p><p>This isn't some magical phish that will make everyone fall for it. <strong>Hackers don't need a 100% success rate</strong>. Remember, <strong>hackers make more money</strong> if they can (1) <strong>speed up the cycle of attacks</strong> and (2) <strong>increase their victim click-through.</strong> Even <strong>small improvements lead to exponential gains</strong> for the cyber underworld.</p><p>Ok, let's hit something positive to finish this out...</p><p>Now for the good news - <strong>INFIMA trains your team on the safe behaviors</strong> designed to keep your organization and your people safe.</p><p>Rooted in <a href="https://infimasec.com/blog/cognitive-bias/">Behavioral Science</a>, INFIMA <strong><strong>focuses on removing unsafe behaviors</strong></strong> in your team and <strong><strong>replacing them with consistent, safe practices.</strong> </strong>Through<strong> <a href="https://infimasec.com/blog/right-and-wrong/">regular phishing simulations</a>, </strong>your employees<strong> </strong>experience<strong> varying tests across multiple emotional states.</strong></p><p>And the best part - we make it easy with our <strong>fully<strong> automated Security Awareness Training </strong></strong>platform, <strong><strong>built for the MSP community</strong></strong>.</p><blockquote><strong><strong><strong><strong>I<strong><strong><strong><strong>f you're an MSP</strong></strong></strong></strong></strong></strong></strong></strong> and want to learn more, go check out how we work with Partners <a href="https://infimasec.com/partners/">here</a>. If you like what you see, <a href="https://calendly.com/zach-carter/demo">book a time to chat</a>!</blockquote><p><em>Photo by <a href="https://unsplash.com/@alexbemore?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Alexander Shatov</a> on <a href="https://unsplash.com/s/photos/chat?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></em><br></p><p></p>]]></content:encoded></item><item><title><![CDATA[Key Takeaways from ITNation Connect]]></title><description><![CDATA[Outside of the epic rap battles and charity beard shaving, here are our key takeaways for Partners.]]></description><link>https://infimasec.com/blog/itn22/</link><guid isPermaLink="false">63762dca70e0300448afee28</guid><category><![CDATA[Sales]]></category><category><![CDATA[Security]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Thu, 17 Nov 2022 17:57:04 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2022/11/IMG_9995--1-.jpeg" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2022/11/IMG_9995--1-.jpeg" alt="Key Takeaways from ITNation Connect"><p>For those who missed it, the <strong>rap battles were legit</strong>.<br>And the <strong>beard shaving raised 6-figures</strong> for charity!</p><p>Awesome week.</p><p>We heard a lot about the <a href="https://infimasec.com/blog/protecting-your-margins/">economy</a>, <a href="https://infimasec.com/blog/inflation-and-automation/">inflation</a>, talent shortages - you know, all those things<strong> keeping you up at night</strong>.</p><p>Fortunately, the MSP space still have an <strong>expanding opportunity set</strong>, across<strong> </strong>clients, products and services.</p><p>Now, how do you <strong>seize on these opportunities</strong>?</p><p>Let's dive into the <strong>takeaways for INFIMA and our Partners</strong>, with these<strong> 4 focus areas</strong> highlighted throughout the conference for <strong>high-performing MSPs</strong> (or Dynamic ITSPs in ConnectWise parlance):</p><ul><li>Relentless Automation</li><li>Put Data to Work for You</li><li>Exceptional Customer Experience</li><li>Focus on Cybersecurity</li></ul><figure class="kg-card kg-image-card"><img src="https://infimasec.com/blog/content/images/2022/11/Screen-Shot-2022-11-17-at-1.06.26-PM-1.png" class="kg-image" alt="Key Takeaways from ITNation Connect"></figure><h3 id="relentless-automation">Relentless Automation</h3><p>As an MSP, you have to <strong>leverage every hour of your team's time</strong> to maintain and <strong>expand margins</strong>. You have plenty of ways to expand your top-line revenue, but that <strong>revenue doesn't magically turn into profits</strong>. Customers demand more for less.</p><p>This is where automation comes into play.</p><p>With <strong>accurate automation</strong>, your team:</p><ul><li>Saves time</li><li>Reduces costs</li><li>Protects margins</li><li>Lets you expand your offerings!</li></ul><p>In short, if you're not automating, you're already feeling the pain, and it's only getting worse.<br><em>(Spoiler alert: we automate every step of your Security Awareness Training program - click <a href="https://infimasec.com/talk-to-zach/">here</a> for more)</em></p><h3 id="put-data-to-work-for-you">Put Data to Work for You</h3><p>Big data. Machine learning. AI.<br>It all sounds great. But <strong>data is only useful</strong> if you know it's <strong>correct</strong>, in a <strong>usable format</strong>, at the <strong>right time</strong> and with a <strong>relevant use</strong>.</p><p>Let's be honest, <strong>all of those are tough to hit</strong>. You've got data, but <strong>you don't have the time</strong> to do it all.</p><p>Here's where you <strong>identify</strong> <strong>vendors who provide data AND take the necessary actions automatically </strong>(reference that Relentless Automation piece above!)</p><p>For example, <strong>INFIMA continuously takes in hundreds of thousands of data points</strong> from our <strong>Training courses and simulated Phishing</strong> tests. Sure, we could deliver all of that to you with a nice<strong> "Good Luck" </strong>message and a f<strong>at invoice.</strong></p><p>Instead, <strong>we take the next steps</strong> and <strong>put that data to work for you - automatically.</strong></p><p><strong>With those millions of data points</strong>, we work to <strong>instill <a href="https://infimasec.com/blog/cognitive-easy-living/">safe behaviors</a> </strong>for each of your end users.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://infimasec.com/blog/content/images/2022/11/IMG_0019.jpeg" class="kg-image" alt="Key Takeaways from ITNation Connect"><figcaption>Quick break: can you guess which of ConnectWise's own is here lighting it up at the rap battle?</figcaption></figure><h3 id="exceptional-customer-experience">Exceptional Customer Experience</h3><p><strong>Technology has to delight</strong>. We're past the time when it was widely accepted that new devices and applications are hard to use.</p><p>This puts the <strong>burden on MSPs</strong> to: (a) <strong>provide excellent service</strong> at onboarding through the lifecycle and (b) <strong>only partner with vendors that complement this</strong> customer experience.</p><p>People are expensive. <strong>Good people are priceless.</strong> This means you need to <strong>leverage your best talent</strong>, with both relentless automation and useful data.</p><h3 id="focus-on-cybersecurity">Focus on Cybersecurity</h3><p><strong>Cue up the latest mind-blowing stat</strong> on hacks or phishing or cyber wallet-share. <strong>You've already heard </strong>them all, so we won't waste that bullet!</p><p>Instead, it helps to <strong>think your MSP business first as a cybersecurity provider</strong> that also does all the other tasks of an MSP. <strong>Cyber wins the day</strong>, and that's <strong>not changing</strong> anytime soon.</p><p>So this means MSPs <strong>need excellent cyber vendors</strong> who make it <strong>easy to sell their products </strong>and <strong>simple to deliver</strong> and manage them. Pretty sure <strong>that's what you pay them for</strong> in the first place, right?!</p><p>Ok, let's get to the punch line here...</p><p><strong>INFIMA automates</strong> every step of your clients' <strong>Security Awareness</strong> journey, using <strong>data for customized user experiences</strong> that <strong>enhance the value of your cybersecurity offering</strong>.</p><blockquote><strong>If you're an MSP</strong> and want to learn more, go check out how we work with Partners <a href="https://infimasec.com/partners/" rel="noopener noreferrer">here</a>. If you like what you see, <a href="https://calendly.com/zach-carter/demo" rel="noopener noreferrer">book a time to chat</a>!</blockquote>]]></content:encoded></item><item><title><![CDATA[Automation Over Mistakes]]></title><description><![CDATA[Mistakes happen. When there's liability on the line, it's a big deal.]]></description><link>https://infimasec.com/blog/automation-for-the-win/</link><guid isPermaLink="false">6365210370e0300448afed8d</guid><category><![CDATA[Sales]]></category><category><![CDATA[Security]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Fri, 04 Nov 2022 14:51:27 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2022/11/varvara-grabova-NCSARCecw4U-unsplash.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2022/11/varvara-grabova-NCSARCecw4U-unsplash.jpg" alt="Automation Over Mistakes"><p><strong>Can we be honest </strong>with each other for a moment?</p><p>I mean, I'm <strong>not going to share this</strong> with anyone else...</p><p>But have you (or "a friend of yours") ever, maybe, <strong>forgotten to onboard a new client onto part of your stack</strong>?</p><p>As an MSP, <strong>you've got a ton on your plate already</strong>. You've got your <strong>checklists</strong>. You've<strong> trained your team</strong>. You've even got <strong>dashboards and alerts.</strong></p><p>But things can <strong>still fall through the cracks</strong>.</p><p>That's exactly where <strong>comprehensive automation </strong>comes in.</p><h3 id="why-does-this-matter-for-security-awareness-training">Why does this matter for Security Awareness Training?</h3><p>Let's jump into it. Security Awareness is the world we know, and we stick to our lane.</p><p>Your clients' Security Awareness Training program has gone <strong>beyond being an excellent security tool</strong>. It's now a key part of their <strong>compliance, regulatory and insurance requirements</strong>.</p><p>Every <strong>major <a href="https://infimasec.com/blog/security-awareness-guidance/">regulator</a> and <a href="https://infimasec.com/blog/cyber-insurers-tighten-requirements/">insurance company</a></strong> now calls out Security Awareness Training as a <strong>mandatory</strong> part of an organization's security program.</p><p>So back to when we were honest just a moment ago, you may not have ever missed onboarding a new client, but it's very <strong>easy to miss adding in a client's new hire</strong> to the entire stack.</p><blockquote>Whenever there is a manual process involved, things can get missed.</blockquote><p>Given that many of your clients are bringing multiple new hires, it's likely <strong>not just one new user who gets missed</strong> on part of the onboard.</p><p>And if <strong>one of those missed users happens to cause a breach</strong>, things <strong>can get ugly</strong> for the MSP.</p><p>That's where the concept of <a href="https://infimasec.com/blog/cyber-insurance-subrogation/">subrogation</a> comes into play. This is the unpleasant situation where an <strong>insurance company can swim upstream to tag service providers</strong> with losses.</p><h3 id="how-does-automation-solve-this">How does automation solve this?</h3><p><strong>Every one of your end clients' users </strong>needs to be <strong>actively enrolled</strong> in your Security Awareness Training program.</p><p>The best way to accomplish this (and avoid costly errors) is to have automation throughout.</p><p>This means <strong>automating</strong>:</p><ul><li>User syncs</li><li>Training course notifications</li><li>Reminders for those falling behind</li><li>Phishing simulations</li><li>Re-targeting risky employees</li><li>And a bit more….</li></ul><p>You have to <strong>get the the users in</strong>, <strong>trained</strong>, <strong>phished</strong> <strong>and monitored</strong> for additional follow-ups.</p><p>If done manually, that's<strong> a lot of work</strong>. And if it goes wrong, that's<strong> a lot of risk.</strong></p><p>Fortunately, <strong>automation is exactly what INFIMA does.</strong></p><p>And the best part - we make it easy with our <strong>fully automated Security Awareness Training </strong>platform, <strong>built for the MSP community</strong>.</p><blockquote><strong>If you're an MSP</strong> and want to learn more, go check out how we work with Partners <a href="https://infimasec.com/partners/" rel="noopener noreferrer">here</a>. If you like what you see, <a href="https://calendly.com/zach-carter/demo" rel="noopener noreferrer">book a time to chat</a>!</blockquote><p><em>Photo by Varvara Grabova on <a href="https://unsplash.com/s/photos/mistake?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></em></p>]]></content:encoded></item><item><title><![CDATA[Cognitive Easy Living]]></title><description><![CDATA[Your team's energy should be spent on real work, not burned on cyber tasks.]]></description><link>https://infimasec.com/blog/cognitive-easy-living/</link><guid isPermaLink="false">63518fb970e0300448afec48</guid><category><![CDATA[Sales]]></category><category><![CDATA[Security]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Fri, 21 Oct 2022 02:16:15 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2022/10/s-migaj-b2qszO9C7sw-unsplash.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2022/10/s-migaj-b2qszO9C7sw-unsplash.jpg" alt="Cognitive Easy Living"><p>As much diversity as we have across humanity, we're all <strong>still the same in important ways</strong>. Important <strong>ways that <a href="https://infimasec.com/blog/cognitive-bias/">hackers love to exploit</a></strong>, but let's leave that alone for the time being.</p><p><strong>Let's nerd down for a moment </strong>with a look at decision making frameworks. Then, we'll get to the real-world application.</p><h3 id="system-1-and-system-2">System 1 and System 2</h3><p>Human decision making can be broken down into <strong>two primary paths</strong>, often referred to as <a href="https://thedecisionlab.com/reference-guide/philosophy/system-1-and-system-2-thinking"><strong>System 1 and System 2</strong></a>. These mental processes were identified and popularized by <strong>Nobel Prize-winning economist Daniel Kahneman</strong> in his book <em>"Thinking, Fast and Slow."</em></p><p>Our brains leverage <strong>System 1 for quick, intuitive decisions</strong>. System 1 thinking requires <strong>low effort, low mental stress</strong>. These would be things like <strong>tying your shoes</strong>, <strong>driving down an empty road</strong> or answering the <strong>solving for 2 + 2</strong>.</p><p>On the other hand, <strong>System 2 thinking is slower and more deliberative</strong>. Our System 2 brains are engaged when System 1 recognizes that <strong><a href="https://infimasec.com/blog/paypal-phish/">additional thought is necessary</a></strong>. This includes things like <strong>solving challenging math problems</strong> or <strong>driving to an unfamiliar location</strong>.</p><p>So let's jump into <strong>how this applies to all of us IT geeks</strong>.</p><h3 id="system-2-and-cognitive-strain">System 2 and Cognitive Strain</h3><p>When it comes to the work day, we'd all <strong>like to spend our energy on productive things</strong>. Every manager would certainly like that for their employees.</p><p>Ok, thanks for stating the obvious, right?! So <strong>where does <a href="https://infimasec.com/blog/clicking-fast-and-slow/">Cybersecurity Awareness Training</a> come into play</strong>? We'll get to that in just a moment.</p><p>Engaging our <strong>System 2 thinking causes cognitive strain</strong>. It's mental work, and it also has <strong>physical manifestations</strong>. This <strong>drains energy</strong>. Clinical studies in this realm show that activating our System 2 brain leads to <strong>tense muscles</strong>, <strong>higher</strong> <strong>blood</strong> <strong>pressure</strong> and <strong>increased</strong> <strong>heart</strong> <strong>rate</strong>. You'll even notice <strong>dilated pupils</strong> while exerting System 2 effort.</p><p>So how do we <strong>cut down on the System 2 thinking required to stay safe online</strong>?</p><p>TL;DR: we <strong>train staff in safe online behaviors</strong>.</p><p><strong>Making safe behaviors the routine</strong> allows your users to <strong>avoid having to engage System 2</strong> for every tricky potential phishing email. <strong>Studying every link</strong> and digging into email headers <strong>takes a lot of time and energy</strong>.</p><p>This isn't to say that you shouldn't <strong>teach your users</strong> on all the facets of risky links, emails and attachments. This is critical. But this should be aimed at <strong>replacing the cognitive strain of System 2 thinking with the ease of safe behaviors</strong>.</p><p>This is <strong>exactly what INFIMA does.</strong></p><p>Rooted in Behavioral Science, INFIMA <strong>focuses on removing unsafe behaviors</strong> in your team and <strong>replacing them with consistent, safe practices. </strong>Through<strong> </strong><a href="https://infimasec.com/blog/right-and-wrong/" rel="noopener noreferrer"><strong>regular phishing simulations</strong></a><strong>, </strong>your employees<strong> </strong>experience<strong> varying tests across multiple emotional states.</strong></p><p>And the best part - we make it easy with our <strong>fully automated Security Awareness Training </strong>platform, <strong>built for the MSP community</strong>.</p><blockquote><strong>If you're an MSP</strong> and want to learn more, go check out how we work with Partners <a href="https://infimasec.com/partners/" rel="noopener noreferrer">here</a>. If you like what you see, <a href="https://calendly.com/zach-carter/demo" rel="noopener noreferrer">book a time to chat</a>!</blockquote><p><em>Photo by S Migaj on <a href="https://unsplash.com/s/photos/relaxed?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></em></p>]]></content:encoded></item><item><title><![CDATA[Clicking, Fast and Slow]]></title><description><![CDATA[We're stealing from Behavioral Science to prevent Phishing attacks.]]></description><link>https://infimasec.com/blog/clicking-fast-and-slow/</link><guid isPermaLink="false">63400d5c0de8f476b88c4169</guid><category><![CDATA[Sales]]></category><category><![CDATA[Security]]></category><dc:creator><![CDATA[Joel Cahill]]></dc:creator><pubDate>Fri, 07 Oct 2022 11:39:54 GMT</pubDate><media:content url="https://infimasec.com/blog/content/images/2022/10/juan-rumimpunu-nLXOatvTaLo-unsplash.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://infimasec.com/blog/content/images/2022/10/juan-rumimpunu-nLXOatvTaLo-unsplash.jpg" alt="Clicking, Fast and Slow"><p>Have<strong> you ever clicked on a phishing email?</strong></p><p>Ok, so it <strong>wasn't you</strong>, but certainly <strong>that squirrelly guy three desks down </strong>from you. He's the one who clicks on this stuff.</p><p>Let's be honest, though - <strong>tons of smart, capable people stumble for phishing emails. Every. Single. Day. </strong>We can blame our brains for it. Phishing emails are <strong>designed to exploit our System 1 Thinking </strong>- the part of our brain that automatically responds to stimuli without any conscious thought. System 1 Thinking is <strong>fast, intuitive, and often emotional</strong>. It's the part of our brain that allows us to make the thousands of nearly subconscious, rapid decisions required for daily life. It's also the part of humans <strong><a href="https://infimasec.com/blog/cognitive-bias/" rel="noopener noreferrer">exploited most by social engineers</a> and phishers</strong>.</p><p>On the other hand, <strong>System 2 Thinking is slower, more deliberate, and logical</strong>. This is the part of our brain we use when we're trying to <strong>solve a difficult problem or make a tough decision</strong>. System 2 Thinking is what allows us to see through phishing attempts and resist clicking on suspicious links.</p><h3 id="hold-on-what-is-this-system-1-and-system-2-stuff">Hold on! What is this System 1 and System 2 stuff?</h3><p>This novel framework for decision making came from the remarkable brains of <a href="https://www.nobelprize.org/prizes/economic-sciences/2002/kahneman/facts/" rel="noopener noreferrer">Daniel Kahneman</a> and <a href="https://en.wikipedia.org/wiki/Amos_Tversky" rel="noopener noreferrer">Amos Tversky</a>. In fact, <strong>Kahneman won a Nobel Prize</strong> in Economics for this work. Their research is the foundation for much of what we now understand of <strong>behavioral economics</strong>. (Since Tversky passed away prior to the award, he is not named in the prize. We deeply appreciate his work.)</p><p>Let's explain this decision-making framework a bit more.</p><p><strong><a href="https://thedecisionlab.com/reference-guide/philosophy/system-1-and-system-2-thinking">System 1</a> thinking is fast, automatic, and often unconscious</strong>. It is based on <strong>intuition and emotions</strong>, and it is <strong>very efficient</strong>. System 1 thinking is great for making the many quick decisions <strong>required for daily life.</strong> We need System 1 in order to live a normal life, but it can also <strong>lead to mistakes</strong>.</p><p>For example, you <strong>don't have to consciously think about your route to work</strong>. You're certainly making decisions along the way, but these are <strong>quick and effortless</strong> along the way.</p><p>On the other hand, <strong>System 2 Thinking is the slower, more deliberative thinking process </strong>that is activated when a person is confronted with a <strong>difficult problem or decision</strong>. This type of thinking is analytical and logical, and it <strong>relies on past experiences and accumulated knowledge</strong> in order to come to a conclusion. System 2 Thinking is also responsible for monitoring and controlling the impulses and emotions that are generated by System 1 Thinking.</p><p>To use our example from above, you engage your <strong>System 2 Thinking when you see a traffic jam ahead and decide to re-route</strong>. At this point, you <strong>slow down and actively consider different options</strong> to avoid this traffic and still get to work on time.</p><h3 id="so-how-does-this-relate-to-phishing-attacks">So, how does this relate to Phishing attacks?</h3><p>Your attacker is actively<strong> trying to exploit your System 1 Thinking</strong>. He (or she) is <strong>hoping you won't slow down and think </strong>before clicking on that link.</p><p>For example, you <strong>get an urgent <a href="https://infimasec.com/blog/paypal-phish/" rel="noopener noreferrer">email from PayPal</a></strong>, saying your <strong>account is about to be debited</strong> if you don't click this link to verify your login and password. It looks real. It seems urgent. And you're about to lose a lot of money. <strong>Unless you slow down and think, System 1 takes over.</strong> That's when we react exactly how the cybercriminal wants. This is how hacks begin.</p><h3 id="what-do-we-do-about-this">What do we do about this?</h3><p>Now for the good news - <strong>INFIMA trains your team on the safe behaviors</strong> designed to keep your organization and your people safe. By instilling better behaviors, we can <strong>make our System 1 Thinking safer</strong> and more <strong>readily engage System 2 when needed</strong>.</p><p>Rooted in <a href="https://infimasec.com/blog/cognitive-bias/" rel="noopener noreferrer">Behavioral Science</a>, INFIMA <strong>focuses on removing unsafe behaviors</strong> in your team and <strong>replacing them with consistent, safe practices. </strong>Through<strong> </strong><a href="https://infimasec.com/blog/right-and-wrong/" rel="noopener noreferrer"><strong>regular phishing simulations</strong></a><strong>, </strong>your employees<strong> </strong>experience<strong> varying tests across multiple emotional states.</strong></p><p>And the best part - we make it easy with our <strong>fully automated Security Awareness Training </strong>platform, <strong>built for the MSP community</strong>.</p><blockquote><strong>If you're an MSP</strong> and want to learn more, go check out how we work with Partners <a href="https://infimasec.com/partners/" rel="noopener noreferrer">here</a>. If you like what you see, <a href="https://calendly.com/zach-carter/demo" rel="noopener noreferrer">book a time to chat</a>!</blockquote><p>For those curious, we highly encourage diving into Kahneman's <a href="https://www.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0374533555/ref=asc_df_0374533555/?tag=hyprod-20&amp;linkCode=df0&amp;hvadid=312371602209&amp;hvpos=&amp;hvnetw=g&amp;hvrand=10170940085242241574&amp;hvpone=&amp;hvptwo=&amp;hvqmt=&amp;hvdev=c&amp;hvdvcmdl=&amp;hvlocint=&amp;hvlocphy=9011784&amp;hvtargid=pla-395340046230&amp;psc=1&amp;tag=&amp;ref=&amp;adgrpid=61011965686&amp;hvpone=&amp;hvptwo=&amp;hvadid=312371602209&amp;hvpos=&amp;hvnetw=g&amp;hvrand=10170940085242241574&amp;hvqmt=&amp;hvdev=c&amp;hvdvcmdl=&amp;hvlocint=&amp;hvlocphy=9011784&amp;hvtargid=pla-395340046230" rel="noopener noreferrer"><em>Thinking, Fast and Slow</em></a>.</p><p><em>Photo by <a href="https://unsplash.com/ja/@earbiscuits?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Juan Rumimpunu</a> on <a href="https://unsplash.com/s/photos/thinking?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></em></p>]]></content:encoded></item></channel></rss>