KnowBe4 Security Awareness Training Blog
If you extrapolate the total annual cost of phishing for the average organization it comes to more than $3.7 million. You could shave that down by $1.8 million though, with the right security awareness training, according to a new report.
More than 375 IT and IT security practitioners in U.S. organizations were surveyed in “The Cost of Phishing & Value of Employee Training” (PDF), which was conducted by Ponemon Institute and sponsored by our friends at Wombat Security Technologies.
In a Wednesday email correspondence, Joe Ferrara, Wombat's president and CEO, told SC Mag that the biggest financial hit from these attacks comes from loss of productivity.
The new report calculates that productivity losses from phishing account for more than $1.8 million. “This is not only productivity loss for IT-related personnel, but also for the people that were phished while their machine is remediated, reimaged and recertified,” Ferrara said. The report noted that employees waste an average of roughly four hours annually due to phishing scams.
Doug Olenick at SC Magazine reported on something noteworthy: "The growing threat posed by ransomware and the possibility that cybercriminals will graduate from extorting end users to large corporations topped the worry list of IBM's X-Force threat team in its Q3 threat intelligence report.
The "August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015," issued Monday, included a look at an increasing number of attacks coming from the dark web that employ Tor to steal intellectual property.
While ransomware has been a menace for years, John Kuhn, senior threat researcher, IBM Security X-Force, told SCMagazine.com it has progressed from attackers using simplistic scams, such as WinLocker, that simply annoyed people to well-organized attempts to steal money.
“We found ransomware is now so much more sophisticated with CryptoLocker and Cryptowall [software] and we see more people in the Deep Web buying Cryptolocker-type software, which will make it even easier for a beginner to get started,” Kuhn said.
You are getting your Scam Of The Week early.
Yesterday, the FBI via their Internet Crime Complaint Center announced some shocking numbers.
There is a 270 percent spike in victims and cash losses caused by a skyrocketing scam in which cyber criminals spoof emails from executives at a victim organization in a bid to execute unauthorized international wire transfers.
According to the new FBI report, thieves stole nearly 750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.
In January 2015, the FBI released stats showing that between Oct. 1, 2013 and Dec. 1, 2014, some 1,198 companies lost a total of 179 million in business e-mail compromise (BEC) scams (also known as “CEO fraud”).
Yesterday's figures show an incredible 270 percent increase in identified victims and exposed losses. Taking into account international victims, the losses from BEC scams total more than 1.2 billion dollars, the FBI said.
There is a clear pattern you need to watch out for. It often begins with the scammers phishing an executive, dropping a Trojan, and gaining 24/7 access to that individual’s inbox. Then they research the organization and monitor the email account for months until the right circumstances arrive; then they pounce. They spoof the CEO's address and send messages to employees in accounting from a look-alike domain name that is one or two letters off from the target company’s true domain name.
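One defensive check that follows from the look-alike pattern described above is to compare every inbound sender domain against the organization's true domain and flag anything only one or two edits away. This is an added example, not code from the original post; the domain `example-corp.com` and the From: headers are constructed.

```python
# Added example (not from the original post): flag sender domains that are
# one or two edits away from the organization's real domain, the BEC
# look-alike pattern described above. All domains here are constructed.
from email.utils import parseaddr


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (standard DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header, lowercased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_verdict(from_header: str, true_domain: str, max_edits: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for one From: header."""
    dom = sender_domain(from_header)
    if dom == true_domain.lower():
        return "internal"
    if 0 < edit_distance(dom, true_domain.lower()) <= max_edits:
        return "lookalike"
    return "external"


# Constructed sample From: headers for a fictional company 'example-corp.com'
SAMPLE_HEADERS = [
    "CEO <ceo@example-corp.com>",            # genuine internal sender
    "CEO <ceo@examp1e-corp.com>",            # 'l' swapped for '1', one edit
    "CEO <ceo@example-corp.co>",             # dropped letter, one edit
    "CEO <ceo@exammple-corp.com>",           # doubled letter, one edit
    "Vendor <billing@partner-example.net>",  # unrelated external domain
]


def flag_lookalikes(headers, true_domain="example-corp.com"):
    """Return (domain, verdict) pairs that an analyst should review."""
    return [(sender_domain(h), lookalike_verdict(h, true_domain))
            for h in headers if lookalike_verdict(h, true_domain) == "lookalike"]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{lookalike_verdict(h, 'example-corp.com'):9s} {h}")
```

A real mail gateway would also compare against known partner domains and check SPF/DKIM results, but the edit-distance test alone catches the one-or-two-letter swap the post describes.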
Why worse than ransomware?
For organizations that get hacked like Anthem, Target and recently Ashley Madison, the problems are only starting. Apart from towering legal fees and a damaged reputation, now an appeals court has confirmed that the FTC can slap you with fines as well. This is excellent ammo to get more IT security budget.
Yesterday, the Third U.S. Circuit Court of Appeals ruled that the Federal Trade Commission (FTC) has the power to take action (PDF) against organizations that employ poor IT security practices. The ruling was part of a lawsuit between the FTC and hotel chain Wyndham. This court decision affirms the FTC’s role as a digital watchdog with real-life teeth.
This Is A Big Deal
In 2008 and 2009, Wyndham was hacked three times, losing credit card data for more than 619,000 customers and causing $10.6 million in loss due to fraud. Originally, the FTC sued them in 2012 over the lack of security that led to its massive hack. The hotel chain appealed to a higher court to dismiss it, arguing that the FTC didn’t have the authority to punish the hotel chain for its breach. Wrong move. Yesterday's decision states that Wyndham’s breach is exactly the sort of “unfair or deceptive business practice” the FTC is empowered to stop. This means Wyndham now needs to go back and confront the FTC’s lawsuit in a lower court.
The circuit court also stated that the FTC does not have to detail any specific best practices that Wyndham did not apply. The FTC did, however, and it's not a pretty picture. Here are some of the highlights: Wyndham allowed its partner hotels to store credit card information in plain text, allowed easily guessable passwords in property management software, failed to use firewalls to limit access to the corporate network, and failed to restrict third-party vendors from access to its network.
Data Insecurity As ‘Unfair’ Business Practice
First a 10Gig dump with the full Ashley Madison database. Then a 20Gig dump with their whole Github repository, and then to top it all off a 300G(!) dump. In an interview with Motherboard the hackers claimed to have data which includes employee emails, internal documents, nude photographs, and private chats between members. However, the Impact Team said it would not release explicit photos of AshMad customers, but did not rule out publishing the private chats and other photographs posted through the adultery website.
Asked about AshMad security, the group, which said it had broken into the servers repeatedly over the past few years, answered: "Nobody was watching. No security." One hacker said, "[We] got in and found nothing to bypass."
The release last Tuesday contained customer data belonging to U.S. government officials, British civil servants and high-level executives at European and North American corporations. We have a copy and will make it available for security purposes. However...
Should You Check For Employees' Emails?
Your end-users saw this in the news yesterday, or will read about it today. The hackers who stole more than 36 million records from the Ashley Madison site (which makes it easy to cheat on your spouse), have now posted all the records for everyone to see. This is a bad one.
Cyber criminals are going to leverage this event in a lot of different ways: (spear-) phishing attacks, bogus websites where you can "check if your spouse is cheating on you", or ways to find out if your own extramarital affair has come out.
Any of these 36 million registered users is now a target for a multitude of social engineering attacks. People who have (had) straight or gay extramarital affairs can be made to click on links in emails that threaten to out them.
I have already seen the phishing emails that claim people can go to a website to find out if their private data has been released. This is a nightmare that will be exploited by spammers, phishers and blackmailers who are now gleefully rubbing their hands, not to mention the divorce lawyers and private investigators who are poring over the data now.
Here is one of the first real examples of AshMad extortion:
Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.
If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value $225 USD) to the following address:
Sending the wrong amount means I won't know it's you who paid.
You have 7 days from receipt of this email to send the BTC [bitcoins]. If you need help locating a place to purchase BTC, you can start here.....
What To Do About It
I suggest that you take immediate preventive action. It only takes one second for a worried end-user (or admin) to click on a link in an email and expose the network to attackers. I recommend you send something like this to your friends, family and end-users. Feel free to edit.
"Yesterday 36 million names, addresses and phone numbers of registered users at the Ashley Madison site (which makes it easy to cheat on your spouse) were posted on the Internet. All these records are now out in the open, exposing highly sensitive personal information.
Internet criminals are going to exploit this in many ways, sending spam, phishing and possibly blackmail messages, using social engineering tactics to make people click on links or open infected attachments. Be on the lookout for threatening email messages which slip through spam filters that have anything to do with Ashley Madison, or that refer to cheating spouses and delete them immediately, in the office or at the house."
Until last year, executives were able to pass the buck to IT in case a data breach hit the organization. However, several recent high-profile resignations are now putting the focus on board members. Here are a few examples:
US Office of Personnel Management head Katherine Archuleta was forced to resign over a massive hack that exfiltrated well over 20 million highly confidential personal records of government employees. Thomas Meston, CFO of the London-based hedge fund Fortelus, also lost his job following a cyber hack that emptied $1.2 million from the fund’s bank account.
And those are just the two latest victims. The trend began for real last year when Target's CEO, Steinhafel, stepped down in the wake of a disastrous data breach that compromised 40 million shoppers’ credit cards and 70 million customers’ personal data. He had little choice but to resign as the CEO of the 40 billion company. Sony Pictures America co-chairman Amy Pascal stepped down in February after last year’s devastating breach at Sony Corp’s Hollywood studio.
The important thing for board members to realize is that they can do little to mitigate the damage after the data has been exfiltrated. Once the data breach has happened, they will find themselves held responsible for it and accused of prior negligence. At that point it is up to the CEO and the board to defend themselves against these claims and show that all appropriate measures had been taken to protect the organization’s data.
Up to a few years ago, it sounded reasonable for boards to delegate the defense against hackers to the IT department. IT relied to a large degree on traditional firewalls and antivirus. However, over the last few years antivirus (AV) has fallen badly behind. With hundreds of thousands of new malware flavors being released in the wild every day, bad guys are overwhelming AV and often get through. Today, it is seen as the task of the Board to prioritize and make IT security budgets available so that defense-in-depth can be done the right way.