Cybersecurity - Jazz Solutions, Inc. (JSL)

Your first pet’s name is not a secret to hackers

Avery Moore — Wed, 22 Oct 2025 17:42:52 +0000

I have written articles about password management. I have told an uncountable number of people about password management. The advice that you should create unique and strong passwords for every single service you use is still relevant and sound. In fact, you don’t need to search the internet very hard to find instances of accounts being taken over because someone used their “old reliable” password on most of their accounts. This is a fundamental personal cybersecurity practice. I’ll say it louder for the people in the back. Use strong and unique passwords for every single online service you use. Zero exceptions.

But there’s one aspect of account security that isn’t discussed often or as widely: your security questions. We’re told that we should “limit sharing” on social media. Isn’t the point of social media to share? We’d better not reveal our favorite food or our first car or the city where we were married because, you know, security. And this is one of the fundamental weaknesses of security questions.

Security questions rely on the fact that 1) you’re going to forget your password; and 2) there are fundamental things about yourself or your past that are immutable. But what they are really intended to do is cut down on calls to the support desk. You forgot your password? No problem!

Question:What’s the name of your first pet?
Answer:Fuzzy Britches

Welcome back!! No need to call the support desk now.

There are at least two points of ponderance I have about these so-called security questions:

Where and how do online services store and protect the answers to your security questions?
When (not if) a data breach happens to one of those services, are the answers to your security questions included in the breached data (along with your personal data and password)?

The answer to the first question is: I don’t know, and it probably varies widely across sites and services. The name of your first girl/boyfriend is probably stored in plain text.

The answer to the second question is: It is probably part of the criminal data haul. As a result, the bad guys now know that your childhood nickname was “Poochy”.

There’s really nothing you can do about how online services manage your security questions. But there is something you can do on your end.

If you can, avoid answering security questions in the first place. That information is yours to share or not in accordance with your own tolerance for privacy about the name of your first-grade teacher or your favorite food. However, in most cases, sites and services that use security questions do not let you proceed without answering them. The best counsel I can give is to treat the answers to your security questions as you would any other authenticator. In other words, treat it just like a password. Both passwords and security question answers should only be known to you. Both passwords and security question answers should be long and strong and—you guessed it—unique for every single site or service. Here’s an example. I’m going to go ahead and let you know what my favorite flavor of ice cream is. Here it is: 7vri;1&Nu_&% 0Dvx%Y4ETV$ There’s just nothing more delicious than a big bowl of 7vri;1&Nu_&% 0Dvx%Y4ETV$ ice cream!!

Don’t worry, that’s not the answer I really use, but you get the idea. You should be treating this authentication information just like a password.

Now you may be thinking to yourself that you can’t possibly memorize that and then be able to reproduce it if you “forget your password”. That’s where password managers come in. Use a password manager to create a strong and unique password for each and every site. And, when the security questions appear, use the notes feature in that same password entry in your password manager to record the security questions that you used along with the strong and unique answers to the security questions. Here’s an example of what I do.

Username: UsernameExample
Password: I2OB1FP(U}`WN4WX!H)!K+lW=O9omns<
Security Questions:
Q1: What was the name of your fifth grade PE teacher?
A1:!.Z^La&Me3Mc5nx2s-o3$’Z7a
Q2: What was the first concert you attended?
A2:rbGm’rYrgFpV&ga-nYz$=L~i

When you set yours up, be sure to use something different than what I used above and use a different answer every single time, even for the exact same question. Many password managers provide password creation tools, and there are websites that will generate random strings of characters that you can use for both your passwords and the answers to your security questions.

If you use a password manager for all of your accounts, the chances are good that you’ll never need to invoke the use of the security questions at all, because you’ll be able to easily access the password.

Of course, this is not a “silver bullet” solution, but it does prevent bad guys from easily getting into your account by simply knowing that your first car was a 1979 Ford Fairmont. Becoming a harder target is not difficult, but it does require a little bit of diligence.

The post Your first pet’s name is not a secret to hackers first appeared on Jazz Solutions, Inc. (JSL).

Scarier than Halloween: My Brush with Identity Theft

Avery Moore — Wed, 08 Oct 2025 18:15:50 +0000

There is at least one more thing scarier than Halloween: identity theft. That’s the fear that swept through me last month when I received a text message purportedly coming from “SimpleVerify” regarding my “application”. Saying that it was fear is somewhat of an understatement. I was almost in a panic. Thus far, I’ve been able to avoid having my identity stolen. So, seeing a text message that indicated there was an account in my name with an indication of “previous actions” caused my stomach to drop. My credit is pretty good. I thought to myself, “I didn’t open this account! Wait! Who did???” I texted my wife to let her know what was going on. She provided assurances that she didn’t open a loan account either.

Screenshot of text images I received

What was going on?

Knowing that there was a strong possibility this was an SMS phishing attempt (also known as “smishing”), I proceeded cautiously and used a sandbox tool to explore the link. In many cases, these types of social engineering attacks seek to steal information rather than propagate malicious code, but one can’t be too safe.

After navigating to the link, I saw what appeared to be some sort of login page with a field that was already filled in with my actual phone number. In the URL (redacted in the screenshot), it showed my phone number and my wife’s email address.

Screenshot of malicious “SimpleVerify” page

Seeing our actual information on this page increased my feeling of panic. Even though I was 95% sure this was social engineering, I still felt the need to take proactive action. I immediately logged into the major credit bureau sites using known good links. I checked all my credit reports. To my relief, I did not see any activity that looked suspicious and didn’t see any accounts I didn’t open myself. While I was there, I put fraud alerts on my credit report, which, admittedly, I should have had those in place before my panic.

With my credit intact and assurance that I dodged identity theft for another day, I was feeling a little bit better about things. The malicious page requested the last 4 digits of my SSN, which I did not provide. The attack appeared to be a relatively sophisticated smishing attempt designed to trick me into voluntarily disclosing highly sensitive personal information through a deceptive verification service impersonation. Not having taken the bait, I felt somewhat relieved.

But what continued to nag at me was the fact that my phone number and wife’s email address were contained on the landing page. This caused an emotional reaction that I simply did not expect. Though I’ve had years of analyzing phishing emails and sneaky SMS messages, it hits a little differently when you see your own personal information in one. More about that in a moment.

This attack gave me the opportunity to follow my own advice to: 1) Stop; 2) Think; 3) Verify. That first step to “Stop” may be the most important. Taking actions quickly without thinking is precisely what the attacker wants you to do. The less you think, the more likely you are to ignore sound advice, not follow procedures, or completely violate policies. Stopping and thinking about what’s happening gives you a moment to digest what’s going on, bounce it against what you know to be right, seek counsel, and ultimately avoid making a terrible decision. The verification step ensures that you reach out to the person or organization you think is communicating with you, if possible. For things like bank account phishing or smishing, this simply means navigating to your bank’s website using a known good URL you have previously bookmarked or have saved in your password manager. You can also use known good phone numbers to call the person or organization to verify what is happening. I use the phrase “known good” because one thing you should never do is use contact information that was provided by the suspicious email or sender. Attackers often provide “help” numbers or links that lead to their own malicious call centers or web sites.

Following these three steps can prevent a lot of problems.

As for that personal data that appeared in the malicious web site, it’s very likely that it was part of one of the many data breaches we read about in the news just about every week. As more data breaches occur, it becomes more likely that your data will be involved and you’ll be targeted, if you haven’t been already. So, check your credit reports often. Put a fraud alert or a freeze on your credit reports. And do your best to keep a cool head.

No one is immune from falling for a phishing, smishing, or other social engineering attack, not even a CISO. Everyone has a “button” that can be pushed to generate fear and panic and cause them to make panicked decisions. But remembering to stop, think, and verify can help to keep you from having a very bad day.

The post Scarier than Halloween: My Brush with Identity Theft first appeared on Jazz Solutions, Inc. (JSL).

Five ways to keep staff awake during cybersecurity training

JSL Staff — Mon, 29 Sep 2025 15:05:04 +0000

Cybersecurity training is critical, but unfortunately a lot of it is forgettable. Slide decks about encryption or an annual compliance video won’t prepare employees for phishing emails or social engineering. If you want people to stay awake and remember what they’ve learned, here are five practical approaches that work.

Tell Stories, Not Just Rules
People don’t remember checklists, they remember stories. Share real examples of phishing scams, invoice fraud, or deepfake calls that targeted organizations like theirs. Put it in context: “Here’s how a federal contractor lost millions, and here’s how we avoid that.”
Keep It Short and Frequent
Long annual trainings feel like a big burden. Bite-sized lessons — five minutes in a team meeting, a quick video on Teams, a short phishing drill — fit better into busy schedules and are easier to remember.
Make It Personal
Don’t treat cybersecurity as abstract. Show how good habits protect not only organizations but also employees’ own paychecks, benefits, and personal information. When people see what’s at stake for them, they are more invested.
Use Interaction and Gamification
Quizzes, role-playing, or even a little competition can help keep people engaged. Reward teams that report phishing emails quickly. Recognize employees who demonstrate strong cyber habits. Positive reinforcement works better than complicated trainings.
Put a Human Face on Security
Generic training feels distant. Have a trusted leader — your CISO, a security lead, or even a peer — deliver messages directly. A recognizable face turns training from “another compliance box” into part of the company culture.

Training doesn’t have to be dull. With stories, interaction, and some relevance, employees can actually remember the lessons, and apply them. That’s the difference between a rote checkbox exercise and building a culture of security that protects contracts and missions.

The post Five ways to keep staff awake during cybersecurity training first appeared on Jazz Solutions, Inc. (JSL).

White Paper: JSL’s CISO reveals how you can protect your agency from social engineering attacks

JSL Staff — Thu, 22 May 2025 13:50:02 +0000

90% of cyber attacks start with a phishing email. That statistic alone should be a wake-up call for government agencies and cybersecurity professionals. While agencies invest heavily in firewalls, authentication systems, and encryption, attackers often sidestep these technical controls—not by hacking, but by manipulating people.

This is the essence of social engineering, a form of cyber attack that preys on human psychology rather than software vulnerabilities. Phishing, vishing, pretexting, and tailgating are just a few of the tactics bad actors use to trick employees into handing over sensitive information, clicking malicious links, or granting unauthorized access. And these attacks are growing more sophisticated every day.

That’s why JSL’s Chief Information Security Officer, Avery Moore, has authored “The Fundamentals of Social Engineering”, a free white paper designed to help government agencies understand, recognize, and defend against these threats.

What You’ll Learn:

The top social engineering tactics cybercriminals use to infiltrate government systems
How attackers exploit human tendencies like authority, reciprocity, and obligation
Case studies, including insights from infamous hacker Kevin Mitnick
Actionable steps to strengthen your agency’s defenses

Government systems are prime targets. The question isn’t if attackers will attempt a social engineering attack—but when. Are your employees prepared?

The post White Paper: JSL’s CISO reveals how you can protect your agency from social engineering attacks first appeared on Jazz Solutions, Inc. (JSL).

Unlock the Secrets to Social Engineering Defense

Avery Moore — Wed, 16 Oct 2024 15:17:13 +0000

Curious how even the best tech can fall short against clever social engineering? Download the presentation slides from our Chief Information Security Officer, Avery Moore, from his recent talk at DOL Cybersecurity Day: “The Best Tech Can’t Stop It! The Fundamentals of Social Engineering.” In this insightful session, Avery breaks down the human element behind cyber threats and shares actionable strategies to safeguard your organization. Whether you’re a cybersecurity pro or just looking to strengthen your defenses, these slides are packed with practical tips you won’t want to miss!

The post Unlock the Secrets to Social Engineering Defense first appeared on Jazz Solutions, Inc. (JSL).

I use Last Pass. What now?

Avery Moore — Wed, 26 Apr 2023 03:43:53 +0000

Have you heard about the LastPass breach? The company’s last press release was in late December but had few details. If you’ve paid attention in security awareness class, you know that since we still heavily rely on passwords for authentication, you need to use some kind of password manager.

Ideally, we wouldn’t need passwords, but that’s not feasible right now. A notch down from that is having all our passwords in hard copy—yes, printed in a notebook and kept in a safe. Actual paper is not reachable via any network and, therefore, is about as “unhackable” as you can get. But that’s not practical when you have tens or hundreds of passwords. Plus, you could lose it!

Enter the password manager. As a smart user, you have probably already chosen a password manager and are using it for all your passwords. But let’s say you happen to have chosen LastPass as your password manager, and now you are confused and don’t know what to do.

Here’s what we know:

The attackers stole backup copies of password vaults. You should assume that a copy of some version of your password vault is in an attacker’s hands. In and of itself, this isn’t bad. That’s why we encrypt things. If you followed the LastPass recommendation of setting your master password at 12 characters, using all available characters (upper and lower case, numbers, special characters), it would take an attacker about 174 years to exhaustively search the password space. That’s using brute force to try all possible passwords and assumes all possible combinations are tried. But if your master password was short or used only letters, you have much less time. If your master password is the same as any of your other accounts, you should consider your password vault compromised. Not everything in the password vault was encrypted.Usernames, passwords, and notes are encrypted. But everything else does not appear to be, including URLs. Attackers may have what they need to send carefully crafted phishing emails so be on the lookout for those.
Multi-factor authentication won’t help with this. The MFA you have set up for LastPass is there only to access your vault in the cloud. The bad guys already have your vault and all they need is that master password (the key) to unlock it.

So, what should you do now?

Start changing passwords on high-priority accounts first. I recommend starting with your financial accounts. If you haven’t already, enable and enforce multi-factor authentication where available. This way, even if the bad guys do discover the password to one or more of your accounts, there’s another factor to make it harder for them and to buy you some time.
Watch out for convincing phishing emails. An attacker doesn’t need to guess your password if they can just trick you into giving it to them.
Evaluate other password managers. Jazz Solutions does not endorse one password manager over another, so do your homework, and make the best choice for your particular needs. Pro tip: Add the name of the password manager to your Google news alerts, so if this happens again, you’ll find out faster.

Share Post

The post I use Last Pass. What now? first appeared on Jazz Solutions, Inc. (JSL).

‘The Triple C’ Approach to Security Incident Response

Avery Moore — Wed, 26 Apr 2023 03:43:52 +0000

Creating an incident response (IR) capability can be a daunting task. The National Institute of Standards and Technology (NIST) alone has a dozen or so security controls related to just that topic.

The prevention of all security incidents is the ideal scenario; but the fact is that security incidents do occur and being able to respond to them should be a priority in your organization. But how can this be done?

Auditors and assessors examine an organization’s compliance against specific controls, and issue findings typically without regard for how that organization is maturing in that area. IR can and should be viewed as a miniature maturity model with the most critical concepts addressed first, while simultaneously planning for implementation of more advanced capabilities. Viewing this as a maturity model shifts your focus from where you are now to where you’re going. NIST’s Computer Security Incident Handling Guide breaks down the IR life cycle as follows:

Preparation
Detection & Analysis
Containment, Eradication & Recovery
Post-Incident Activity

Volumes have been written about the above phases, but I will focus on one small but critical piece: Containment.

Once you understand that a security incident is occurring, it’s important to quickly get to a state of containment to avoid further damage or data loss. Being in a contained state allows the organization a moment to breathe so that the next step can be taken.

Using a first-aid analogy, containment means stop the bleeding. When a person is hurt, you don’t start asking about their life choices and circumstances that led to the problem. The most important thing is to stop the bleeding and get to containment. After that is achieved, other important measures can be taken.

Security incident containment, however, doesn’t just occur on its own. Some critical functions must be established to implement that capability while the organization is building out the other aspects and capabilities of IR. Those minimal functions are Communication and Coordination.

If an organization can communicate and coordinate during security incidents, they will be much more successful in achieving containment. I call this the “Triple C”: Communication and Coordination leads to Containment.

Proper communication enables responders to:

Talk an issue out quickly and effectively;
Know who to talk to about what; and
Speak the language of IR.

None of the above works well without coordination. Proper coordination enables responders to:

Know what team members and support members do what;
Keep communications short and focused; and
Know their own role and job.

If your communication and coordination are executed well, that will lead you to containment, where:

The root issue is identified and stopped or isolated quickly;
Further issues are prevented;
Damage is minimized; and
The “bleeding” is stopped.

Using this “Triple C” concept as a step in your IR maturity model means that you can’t simply stop once you’ve determined you can contain an incident.

A static security incident containment program is not adequate in the long term. While implementing these minimal measures, organizations should simultaneously be working on implementing or shoring up measures for detection & analysis, eradication, and recovery.

After all, you can’t contain a security incident if you haven’t found it first.