Citco Security Center

The security of our clients’ information is always a priority.  We have many security controls in place with regard to our people, processes and technologies (including dual-factor authentication) to help keep your information safe.  You can be assured that we are committed to protecting the personal information you have entrusted to us.

Working with Citco:

  • Citco will never request personal or private information from you in an email.
  • If you’re concerned that an email you’ve received from Citco might be fraudulent, or you want to confirm that the email originated from Citco, we will be more than happy to help you verify that it is legitimate.  Contact your Citco representative or refer to the contact details in the last section.


There are also certain steps you can take to keep safe online. Kindly consider them carefully.

  • Protect your computer, network and mobile devices
  • Protect your online identity and accounts
  • Know the signs of phishing
  • Report an online security issue to us


PROTECT YOUR COMPUTER, NETWORK AND MOBILE DEVICES

By ensuring the security of your computer and mobile devices, you can reduce the risk of your personal information falling into the wrong hands. As your first line of defense, here are things you can do to help prevent your computer, network and mobile devices from being hijacked.


Regularly update your OS, anti-virus, anti-spyware and use spam filters

Always make sure you run the current version of your OS and its patches, anti-virus and anti-spyware on your computer or mobile device. Using good spam filters also helps block emails that may contain malware. Malicious software, also known as malware, can put you at risk of identity theft, including by recording keystrokes and capturing personal information such as passwords and usernames.


Protect your home wireless network

Most often, the default configuration on a home wireless network is not secure and is set to a low level of encryption. You should enable strong encryption and be sure to change your router’s default password.


Use the right firewall for your computer

Generally, computers already have a firewall and it is automatically turned on. However, you may still want to check your firewall settings by referring to support pages for your computer’s operating system.


Password-protect and encrypt your device

In case someone steals or finds your device, make it harder to access the information stored there. Check the section below for tips on creating strong passwords. Almost all smartphones and other mobile devices to date are also equipped with device encryption features.


Be wary of unknown sources or senders of software downloads, emails and attachments

Download software from trusted sources only, and open emails and attachments from known and trusted senders only. Cybercriminals commonly send viruses and malware through legitimate-looking emails and trick users into downloading seemingly harmless software.  Consider using a browser plug-in or proxy service to report on the safety of web sites.


Be smart when using wireless networks

Make sure you are using a legitimate Wi-Fi hotspot, not one set up by hackers.  An employee of the airport, restaurant or coffee shop you are in will be happy to tell you what name to look for. Also, do not transmit sensitive data over public or open Wi-Fi.  For example, never check your accounts or send confidential emails.  The risks are just too great.


Always log out of your session

Always log out of your account when you are done with it. This helps protect your information from people snooping around the web. Also, if you're on a shared computer or public computer, logging out when you are done prevents other users from using your account.


Lock your device

Most devices and smartphones can be configured to autolock and require a passcode or password to unlock them. Use this feature whenever possible.  They may also be configured (or you can invest in software) to automatically wipe the device in the event of too many incorrect password attempts.  In some cases, you may be able to locate your device using its GPS.


Test for vulnerabilities

Have your network and systems periodically tested for vulnerabilities.


Educate!

Educate your employees with regard to the latest security threats, especially phishing and Business Email Compromise (BEC) scams.  Employees have become the last bastion or last line of defense; they are the firewall and are the most vulnerable to attack.

 

PROTECT YOUR ONLINE IDENTITY AND ACCOUNTS

Hackers and perpetrators of identity theft and fraud are constantly coming up with ways to steal your personal data, including tricking you into giving it to them willingly or unwittingly. The steps below will help you counter the attempts cybercriminals make to grab your personal data.


Create strong passwords and keep them private

Here are five tips for creating strong passwords. We highly recommend you follow them, whether in your personal or business life.

    1. Strong passwords are at least eight characters long.
    2. Use upper- and lowercase letters, numerals, and at least one special character (such as ! or @) in your passwords.
    3. Devise a “pass-phrase” that makes sense to you. For example, to turn “quick red fox” into a strong password, use it this way: qu1ckREDDfox! Not only do you have a strong password, it also helps you commit the password to memory or use a password vault or password keeper.
    4. Avoid using one password for all. If a hacker somehow learns, for example, your email password, then the first thing he’ll do is see if it’s also your banking and credit-card password.
    5. Never tell anybody your password. Never write down a password. Even just a risk of revealing it renders a strong and unique password useless.

And don’t use the same password for multiple systems!


Check that your web browser is in a secure session

Before making transactions online, or providing your personal information online, look for https at the beginning of the website address. The “s” in https stands for “secure”, and this ensures the information you send to the target computer is encrypted (it does not guarantee, though, that the computer you are accessing is legitimate). You should see that https persists from page to page; otherwise the session may not be secure.


Be careful of who is asking you for information

Be aware of phishing emails, online scams, web sites, phone calls and other means that cybercriminals use to steal personal information. Be suspicious of emails demanding that you act urgently and asking for your personal data such as usernames, passwords or PINs, even if they seem to be from someone you know. Never click any links or download any attachments in a suspicious email. See the section below for tips on how to spot phishing.


Don’t reveal too much

Avoid oversharing your personal information on social media sites. Don’t provide information about your physical address, where you work or attend school. Never reveal personal information that might be the answer to a secret question used to reset your password.

The trick is to treat your personal data as you would your money.


Monitor your account regularly

Taking time to look at your account information, at least once a month, will help you detect and address any suspicious activity before it can cause serious damage. Watch out for any indication that your identity may have been stolen or your accounts may have been tampered with. Also, staying vigilant goes hand in hand with acting quickly. As soon as you suspect your account has been compromised, report it to us immediately. For contact details, refer to the last section.


Never reveal your government ID number

Never provide this information unless you have initiated the contact with the person or company that has requested it and have confirmed their identity.


Use strong authentication

Many institutions offer dual-factor authentication.  During the authentication process, you will be prompted for additional information such as a one-time passcode sent to you via SMS or email.  You should choose to use strong authentication whenever available.

KNOW THE SIGNS OF PHISHING

Phishing is a scheme that uses legitimate-looking emails and phony websites to trick you into disclosing personal information. An email is likely to be phishing when it:

  • Offers you money.
  • Threatens some dire consequence if you do not immediately log on and take action.
  • Threatens to close or suspend your account if you do not take immediate action by providing specific information about you or your company.
  • Requires you to enter organizational or personal information directly into the e-mail or submit that information some other way.
  • Solicits your participation in a survey where you are asked to enter personal information.
  • States that your account has been compromised or that there has been third-party activity on your account and requests you to enter or confirm your account information.
  • States that there are unauthorized transactions on your account(s) and requests your account information.
  • Asks you to enter your UserID, password or account numbers into an e-mail or non-secure webpage.
  • Asks you to confirm, verify, or refresh your account information.
  • Directs you to a screen that asks you to provide additional data beyond your normal login information.
  • Asks you to validate account information for banking systems you do not use.

If an email seems suspicious, do not open it, click links within it or respond to it. Simply delete it from your inbox.

 

IT SECURITY ALERT

Executive Summary

Microsoft and global news media outlets began announcing as early as March 2, 2021 that Microsoft Exchange on-premise software packages were being actively exploited. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.

In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

Citco Response

The recent news announcements that Microsoft's Exchange Email Platform is vulnerable triggered a check of our internal email systems as well as our test email systems in Azure.

While Citco does utilize the Microsoft Exchange email platform internally, we prohibit the use of Outlook Web Access (OWA), which is an internet-facing interface for email access and is one of the primary attack vectors. Citco immediately followed the advice from Microsoft and US Cybersecurity agencies and has verified that all of our systems have been patched and that no indicators of compromise or malicious web shells have been found to date. Malicious web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.

Citco will continue to monitor threat intelligence traffic looking for additional or potential vulnerabilities in the platform as they are announced.

Citco is actively notifying our staff about the dangers of this most recent vulnerability, with a specific focus on making them aware that any communication from our clients and other partners may be compromised, and that extra due diligence may be required: all transaction- or information-related emails should be verified.

It is strongly recommended that all our business partners and clients that may rely on on-premises MS Exchange follow the mitigation advice from Microsoft and governmental agencies.

Report an online security issue to us: 

  • USA: 1.800.457.2251
  • Ireland: 1.800.570015
  • UK: 08.001693105
  • SNG, HK, MNL: 1.800.48480000 then press ‘1’
  • Email: webhelp@citco.com