KnowBe4 Security Awareness Training Blog

Number One Infosec Headache Is End Users

Posted by Stu Sjouwerman on Feb 25, 2015 11:56:11 AM


A new survey by an IT security company shows that 80 percent of IT pros point at end-users as the cause of their security problems.

Yes, unpatched workstations and configuration problems with servers are certainly ongoing issues for infosec pros, but untrained end-users are really what keeps them awake at night. It's a known problem that continually needs to be managed. It was again confirmed by a new survey conducted by IT Security firm Bromium which shows almost 80% of IT pros responsible for security point at end-users as their number one security headache.

Things that bubbled up in the survey as the most dangerous things end users do are clicking on suspicious or malicious links, opening suspicious or malicious attachments, and bypassing security controls in some way or another. 

A recent Aberdeen Group study confirms this and showed that end-user security awareness training can reduce IT security risk up to 70 percent. In many cases, employees do things that are risky simply due to a lack of awareness of what dangerous links or emails look like, or why certain security measures are in place. "Actions that are taken by individual end-users – the networks and devices we use, the files we send and receive, the apps we install and run, the links we click on, the emails we open – are behaviors that result in a high percentage of security infections," stated Derek Brink, analyst for Aberdeen Group.

Bromium had some more things to report though. "In addition to struggling to maintain control over their users, many information security professionals are struggling to maintain control over their current security systems," the Bromium survey showed.

IT security pros are overwhelmed by the sheer volume of attacks and by trying to manage endpoint security products with overlapping functionality. Almost fifty percent of IT pros observed that multiple redundant solutions introduce the highest cost and complexity into their networks. Last but not least, over 60 percent came clean on the worrisome fact that they can only investigate or respond to about half of their security alerts.

Ouch. Well, at least getting effective user education in place should be a good start. Stepping end-users through Kevin Mitnick security awareness training makes them aware of what things are dangerous to do on the Internet and significantly cuts down on risky behavior. Find out how affordable this is for your organization today.

Get A Quote Now

CyberheistNews Vol 5 #8 | Two Disgusting Scams Of The Week: Death And Taxes

Posted by Stu Sjouwerman on Feb 24, 2015 9:15:00 AM

CyberheistNews Vol 5 #8 Feb 24, 2015

Scam Of The Week #1: Death In The Family

Cybercrime is innovating on a known and disgusting scam: preying on people who have recently suffered a loss. It used to be that old-time scam artists read the obituary notices in the paper, dressed in black and showed up to freeload at funerals. Well, here is the modern equivalent and it's much worse. Keep in mind that over 2.4 million Americans die in accidents every year, and over 1 million of these are sudden.

Unfortunately, the Internet allows crime to scale, so a new criminal industry of death has developed. These criminals scan the Internet for a death in the family and start social engineering the immediate family members via email or social media by claiming the deceased left them a confidential message that must be kept secret. They insist on strict confidentiality and after a few emails it turns out they want $2,500 in exchange for 3 DVDs and other "very important documents". How deep can these people sink? You'd wish for them to be six feet under themselves.

I would send your users something like the following. Feel free to edit:

"By now you are used to seeing spam and phishing emails in your inbox, but cunning cybercriminals are constantly coming up with new ways to find victims. Unfortunately, the direction that this is going is more and more targeted. That means cybercrime can directly target YOU because they have information specifically related to your personal data or events.

"At the moment, cyber criminals scan for deaths in your family (2.4 million Americans die every year, and over 1 million of these are sudden) and then try to scam you by claiming the deceased has left them very confidential information that needs to be kept secret from the rest of the family. They demand you transfer money for DVDs and "very important documents". Don't fall for it. It is a shame if you suffer a major loss that you also need to be on your guard for criminals like this, but they prey on you when you are at your most vulnerable. Keep an eye out for this when something like this happens in your family or a friend's!" Here is a link to the blog post:
http://blog.knowbe4.com/scam-of-the-week-death-in-the-family

Scam Of The Week #2: The IRS is Suing You

Feb 20, 2015 at 8am I received a robo-call at the house in a female voice that said the following: "We have been trying to reach you. This call is officially a final notice from IRS, the internal revenue service. The reason of this call is to inform you that the IRS is filing lawsuit against you. To get more information about this case file, please call immediately on our department number 360-362-4254"

The area code 360 is very cleverly western Washington outside of Seattle, but it looks official when you see the "Washington" caller ID. First thing I thought was "wrong mark!" and of course I got really interested to see if I could call them back and mess with them, but the line was busy. Too bad, that would have been fun but don't try this at home.

However, this is another heads-up that these social engineering attacks are happening all the time and are targeting your employees at the house. I would send an email to your users with something like this:

"It's tax season and cybercriminals are trying to make money off this opportunity. At the moment, massive amounts of robo-calls are being made to people at the house claiming that the IRS is suing you, with a callback number in Washington. The same is happening with IRS phishing emails. Don't try to call the number, and delete the emails. These scammers use high pressure tactics to extort your money. Remember to never give out personal information to anyone unless YOU have initiated the contact."

Here is a link to the blog post:
http://blog.knowbe4.com/just-got-a-social-engineering-call-that-the-irs-is-suing-me


Warm Regards,
Stu Sjouwerman



Quotes Of The Week

"The fear of death follows from the fear of life. A man who lives fully is prepared to die at any time." - Mark Twain

"The only difference between death and taxes is that death doesn't get worse every time Congress meets." - Will Rogers

Thanks for reading CyberheistNews!

Security News

Which Employees Are Most Likely To Fall For Phishing Attacks?

Did you know that 91% of successful data breaches started with a spear-phishing attack... but who clicked?

Take the first step now to significantly improve your organization’s defenses against cybercrime. You will be able to immediately start your Free Phishing Security Test (PST). No need to talk to anyone. The PST allows you to find out what percentage of your users is Phish-prone. Start here. Did we say this is free?
http://www.knowbe4.com/phishing-security-test/

Most Vulnerable Operating Systems And Applications In 2014

Christian Florian at GFI wrote a great blog post. Here is a short extract but I suggest you read the whole thing at their site.

An average of 19 vulnerabilities per day were reported in 2014, according to the data from the National Vulnerability Database (NVD). The NVD provides a comprehensive list of software security vulnerabilities. In this article, I look at some of the trends and key findings for 2014 based on the NVD’s database. Some of the questions asked are:

  • What are the latest vulnerability trends? Are we seeing an increase or a decrease in the number of vulnerabilities?
  • What percentage of these vulnerabilities are rated as critical? (e.g. high security impact – like allowing remote code execution – and thus easy to exploit)
  • In which areas do we see the most vulnerabilities? Are operating systems, third-party applications or network devices such as routers, switches, access points or printers most at risk?
  • Which operating systems and applications are listed with the most vulnerabilities? This data is important because the products which are on top get the most frequent security updates. To keep an IT infrastructure secure, sysadmins need to continually monitor these operating systems and applications for the latest updates and ensure they are always fully patched.

7,038 new security vulnerabilities were added to the NVD database in 2014. This means an average of 19 new vulnerabilities per day. The number is significantly higher than in 2013 and continues the ascending trend over the past few years. Read the post and see the trends:
http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

New Details About $1 Billion Crime Ring

In an exclusive interview with Tracy Kitten, Sergey Golovanov, a threat researcher at Kaspersky Lab, explains how a highly sophisticated and well-funded crime ring based in Russia, which made headlines over the weekend for successfully defrauding up to $1 billion from banks in Europe, the U.S. and elsewhere, was able to fly under the radar of detection for nearly a year. The ring used a string of seemingly unrelated malware attacks aimed at compromising everything from ATMs and money transfers to retail point-of-sale systems.

The group, which Kaspersky calls Carbanak, is one that the White House, the Federal Bureau of Investigation, Interpol and Europol, as well as numerous security firms, have been keen to learn more about, Golovanov says. More at:
http://www.bankinfosecurity.com/interviews/new-details-about-1-billion-crime-ring-i-2582?

Pilot Kyle Davis (22) and his passenger Joe Surowiec were flying from Winter Haven to Lakeland, Florida, when they experienced engine failure:
http://www.flixxy.com/private-airplane-emergency-landing-on-the-street-from-pilots-perspective.htm?utm_source=4

Simon Pierro, an amazing magician from Germany, performs magic using an Apple iPad at the Ellen Show:
http://www.flixxy.com/amazing-ipad-magic-on-the-ellen-show.htm?utm_source=4

A German Shepherd was taught to get into the back seat of a police car all by himself:
http://www.flixxy.com/police-dog-opens-and-closes-the-door-to-get-in-the-car.htm?utm_source=4

After he hears the sound of his food being served, a big fluffy cat makes a dramatic entrance:
http://www.flixxy.com/the-cat-who-came-in-from-the-cold.htm?utm_source=4

Japanese cat relaxing in front of the fireplace, purring loudly:
http://www.flixxy.com/cat-relaxing-in-front-of-the-fireplace.htm?utm_source=nl

A unique Japanese technology to park bicycles safely and protect them from theft and bad weather:
http://www.flixxy.com/japan-bicycle-parking-technology.htm?utm_source=4

Purikura refers to Japanese photo booths that heavily edit your picture and print an instant version of a "perfect you" on a sticker. Armed with heavy makeup, Canadian native Micaela Braithwaite experiments:
http://aplus.com/a/purikura-experiment-japan-photobooths

Got kids? They are going to love this one: Polar bear cubs play and wrestle in the snow while their mother keeps a close eye on them from the den:
http://www.flixxy.com/baby-polar-bears-playing-in-the-snow.htm?utm_source=4

17-month-old Ethan decided to join his dad on stage at a New Year's Eve concert in Irving, Texas. Cute:
http://www.flixxy.com/dancing-baby-steals-the-show.htm?utm_source=4

WATCH: Magnetic silly putty eats a magnet. Weird, scary and there are more videos with magnetic putty fun:
http://boingboing.net/2015/02/20/watch-magnetic-silly-putty-ea.html

The San Diego State University women’s golf team show us their amazing trick shot skills:
http://www.flixxy.com/san-diego-state-university-womens-golf-team-trick-shots.htm?utm_source=4

Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.

Our mailing address is:
601 Cleveland St. Suite 240, Clearwater, Florida, 33760

Intel Report About Social Engineering

Posted by Stu Sjouwerman on Feb 23, 2015 4:13:59 PM

In a new report, Hacking the Human OS, McAfee (owned by Intel) security researchers Raj Samani and Charles McFarland found that hackers are increasingly using social engineering techniques to manipulate their victims and coerce them into making poor decisions. This is effective in government agencies as well as private sector businesses.

Intel describes social engineering as the deliberate application of deceitful techniques designed to manipulate someone into divulging information or performing actions that may result in the release of that information.

The report found:

  • Two-thirds of the world’s email is now spam aiming to extort information and money;
  • A sharp increase of malicious phishing emails has resulted in more than 30 million suspect URLs recorded by McAfee Labs;
  • 20 percent of attacks involve hackers using seemingly benign, bogus websites to deliver vicious malware into their targets; and
  • Bogus emails are another effective form of social engineering, as 18 percent of users will unwittingly click a link in a phishing email.

Here is a link to the PDF. It is clear that security awareness training is a must today. It takes 2 minutes to find out how affordable this is for your organization.

Get A Quote Now

Scam Of The Week: Death In The Family

Posted by Stu Sjouwerman on Feb 21, 2015 10:49:00 AM

Cybercrime is innovating on a known and disgusting scam: preying on people who have recently suffered a loss. It used to be that old-time scam artists read the obituary notices in the paper, dressed in black and showed up to freeload at funerals. Well, here is the modern equivalent and it's much worse. Keep in mind that over 2.4 million Americans die in accidents every year, and over 1 million of these are sudden.

Unfortunately, the Internet allows crime to scale, so a new criminal industry of death has developed. These criminals scan the Internet for a death in the family and start social engineering the immediate family members via email or social media by claiming the deceased left them a confidential message that must be kept secret. They insist on strict confidentiality and after a few emails it turns out they want $2,500 in exchange for 3 DVDs and other "very important documents". How deep can these people sink? You'd wish for them to be six feet under themselves.

I would send your friends and family something like the following. Feel free to edit and send them a link to this Scam Of The Week: http://blog.knowbe4.com/scam-of-the-week-death-in-the-family

"By now you are used to seeing spam and phishing emails in your inbox, but cunning cybercriminals are constantly coming up with new ways to find victims. Unfortunately, the direction that this is going is more and more targeted. That means cybercrime can directly target YOU because they have information specifically related to your personal data or events.

"At the moment, cyber criminals scan for deaths in your family (2.4 million Americans die every year, and over 1 million of these are sudden) and then try to scam you by claiming the deceased has left them very confidential information that needs to be kept secret from the rest of the family. They demand you transfer money for DVDs and "very important documents". Don't fall for it. It is a shame if you suffer a major loss that you also need to be on your guard for criminals like this, but they prey on you when you are at your most vulnerable. Keep an eye out for this when something like this happens in your family or a friend's."

Hat Tip to Steve Ragan at CSO

Just Got A Social Engineering Call That The IRS Is Suing Me

Posted by Stu Sjouwerman on Feb 20, 2015 9:49:00 AM

This morning, Feb 20, 2015 at 8am, at the house I received a robo-call in a female voice that said the following:

"We have been trying to reach you. This call is officially a final notice from IRS, the internal revenue service. The reason of this call is to inform you that the IRS is filing a lawsuit against you. To get more information about this case file, please call immediately on our department number 360-362-4254"

The area code 360 is very cleverly western Washington outside of Seattle, but it looks official when you see the "Washington" caller ID. 

First thing I thought was "wrong mark!" and of course I got really interested to see if I could call them back and mess with them, but the line was busy. Too bad, that would have been fun but don't try this at home.

However, this is another heads-up that these social engineering attacks are happening all the time and are targeting your employees at the house. It's important to get trained to spot these types of scams so they do not fall for them either at the house or the office.

More Phishing Attacks Going After Financial Data

Posted by Stu Sjouwerman on Feb 17, 2015 11:27:37 AM

Kaspersky recently reported that 28.8 percent of phishing attacks in 2014 tried to steal financial data from consumers. The results show how cybercrime has shifted its focus to payment systems and online shopping websites. 


Here are some of the highlights:

  • Cybercriminals used the names of well-known banks in 16.3 percent of attacks; in 2013, the level of bank phishing was 22.2 percent
  • In the Payment Systems category, cybercriminals mostly targeted data belonging to Visa card owners (31.02 percent), PayPal (30.03 percent) and American Express (24.6 percent)
  • The names of well-known online shopping sites were used in 7.3 percent of attacks compared to 6.5 percent in 2013
  • In 5.1 percent of cases, Kaspersky Lab’s protection technologies were triggered by phishing pages mentioning payment systems, which is 2.4 percent more than in 2013
  • The proportion of financial phishing detected on Mac systems increased by 9.6 percent compared to the previous year, representing 48.5 percent of all instances in which the anti-phishing component of Kaspersky Lab security products for Mac OS X was triggered.

Last year, the proportion of financial phishing to all phishing attacks fell by 2.7 percentage points compared to 2013, primarily due to a decrease in the level of phishing targeting banks. At the same time, there was proportionally more phishing targeting other financial categories.

In the Payment Systems category, cybercriminals mostly targeted data belonging to users of Visa cards (31.02 percent of detections in this category), PayPal (30.03 percent) and American Express (24.6 percent). At the same time, in 2014 detections for phishing pages mentioning PayPal saw their share fall by 14.09 percent compared to 2013.

Amazon remained the most commonly attacked brand in the Online Shopping category – 31.7 percent of attacks in this category used phishing pages mentioning the popular Internet-based retailer. However, this is 29.41 percent less than in the previous year.

“The rise in financial phishing that we saw in the past has naturally drawn a response from the brands most frequently abused in phishing scams – they are beginning to tackle phishing distribution channels, especially email spam, more actively. That leads to a reduction in the levels of phishing that targets some of the larger brands. However, cybercriminals immediately responded by targeting new ‘markets.’ For example, in 2014 we saw a large number of phishing scams based on websites that sell plane tickets. These are targets that used to be seen fairly infrequently in phishing scams,” said Nadezhda Demidova, web content analyst at Kaspersky Lab. The complete report is available here.

It is clear that employees need to be trained to recognize phishing attacks, and not fall for social engineering tricks in the office or at the house. Effective security awareness training is a must. Find out how affordable this is for your organization today.

Get A Quote Now

Hat Tip to Help Net Security

CyberheistNews Vol 5 #4 Chinese Phish All Identities of NSA, CIA, FBI and more...

Posted by Stu Sjouwerman on Feb 17, 2015 9:29:00 AM

CyberheistNews Vol 5 #4 Jan 27, 2015

Chinese Phish All Identities of NSA, CIA, FBI and more...

For a day or so I was puzzled that the Anthem hack trail led to China. This would normally be a Russian operation. Then an insider told me that most of the three-letter U.S. Government agencies have their employees insured through Anthem's Blue Cross Blue Shield, and then the whole thing fell into place.

The Chinese now own the identities of all the people fighting them, and can use this in a multitude of social engineering scenarios. No wonder that many people in the Government have steam coming out of their ears about the Anthem hack. Cyberwar has suddenly become -very- personal to them.

This may be why President Obama last Friday signed an executive order that will nudge private companies to share data about cybersecurity threats with each other and with the federal government.

Apart from the fact that the costs of the Anthem data breach are likely to smash the $100 million barrier, it's surprising that Anthem did not encrypt SSNs, which allowed wholesale identity theft of thousands of American cyberwarriors.

Wonder why hackers are going after healthcare records these days? They are much more valuable because they stay active for several months after a hack, as opposed to credit card numbers, which quickly get nixed after a few days.

Since Anthem is a healthcare company, you would expect them to take HIPAA compliance to the max and even top the required controls with higher standards. As we all know, compliance does not equal security, but it establishes a baseline at the very least.

Becoming HIPAA compliant and staying that way is a challenge to say the least. The KnowBe4 Compliance Manager can help you with that. Fill out the form to get a webdemo or a 30-day trial:
http://info.knowbe4.com/knowbe4-compliance-manager_lp_14-04-15

Scam Of The Week: Microsoft Volume Licensing

Watch it! The bad guys are going after YOU this time. There is a phishing scam doing the rounds which sends you malware "from Microsoft" about your Volume Licensing that evades sandboxes and contains a Word doc which has macros inside and leads to a possible malware infection.

Following the instructions in the phishing email results in Chanitor being downloaded, which is used to download other malware. Corporate users are being phished with emails purporting to come from the Microsoft Volume Licensing Service Center (VLSC), according to researchers with Cisco.

A screenshot of the phishing email – which asks recipients to click on a link to download VLSC registration details – was included in a Monday post by Martin Nystrom, senior manager for Cisco Managed Threat Defense. He wrote that the message is very similar to the real email sent by Microsoft.

The link in the email appears to be for a Microsoft website, but Nystrom points out that hovering over it with the mouse reveals the true URL. Clicking on it will result in the authentic VLSC login page opening, but will also trigger a ZIP file to download that recipients may not notice is being delivered from a different website.

The ZIP file contains a Windows executable with a SCR extension – a screensaver file – and opening it results in the system being infected with Chanitor, which is used to download other malware, Nystrom wrote. This is the link to the full post:
http://blogs.cisco.com/security/fake-volume-license-trojan-targets-corporate-users-and-evades-sandboxes
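As an added example (not from the post or from Cisco's write-up), two checks a mail gateway or an analyst's triage script could run against a lure like the one described above: one flags anchors whose visible text names a different host than the href actually points to, the other lists executable members such as a .scr inside a downloaded ZIP. The email body and the ZIP are constructed here; the lure hostname is a reserved .invalid placeholder, not a real indicator.

```python
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body modelled on the VLSC lure. The
# visible link text claims microsoft.com, but the href points elsewhere
# (".invalid" is a reserved placeholder TLD, not a real indicator).
SAMPLE_EMAIL_HTML = """
<p>Your Volume Licensing registration details are ready.</p>
<p><a href="http://example-lure.invalid/vlsc/login.zip">https://www.microsoft.com/Licensing/servicecenter</a></p>
<p><a href="https://www.microsoft.com/Licensing/servicecenter">Microsoft VLSC</a></p>
"""

# Extensions Windows treats as directly executable; .scr is the case in the post.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_like):
    """Lowercase hostname of a URL or bare domain, or None if none is present."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlparse(url_like).hostname or "").lower() or None


def mismatched_links(html):
    """Anchors whose visible text names a different host than the href.

    Only anchors whose text looks like a URL or domain are compared; plain
    text such as 'click here' cannot be checked this way.
    """
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        if not href or not re.search(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}", text):
            continue
        shown, actual = _host(text), _host(href)
        if shown and actual and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def risky_archive_members(zip_bytes):
    """Archive members with an executable extension, e.g. a .scr screensaver."""
    risky = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in EXECUTABLE_EXTENSIONS:
                risky.append(name)
    return risky


def build_sample_zip():
    """Constructed ZIP standing in for the lure's download; the members are
    empty placeholder files, not a real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VLSC_Registration_Details.pdf.scr", b"")
        zf.writestr("readme.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for f in mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link text shows {f['shown']} but points to {f['actual']}")
    for name in risky_archive_members(build_sample_zip()):
        print(f"executable inside archive: {name}")
```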


Warm Regards,
Stu Sjouwerman



Quotes Of The Week

"Find something you're passionate about and keep tremendously interested in it." - Julia Child

"Passion will move men beyond themselves, beyond their shortcomings, beyond their failures." - Joseph Campbell

Security News

New KnowBe4 Console V4.0 Released

We are excited to announce Version 4.0 of our console with some exciting new phishing features! Here are two highlights but there are many more. As you know we regularly survey our customers, and #1 was by far the most requested feature.

  1. Random phishing emails chosen from multiple campaigns, at random times over a 24-120 hour period, where you can exclude weekends. We call this the "anti-prairie dog" feature because it prevents employees popping up from their cubicles to warn each other that a test is going on.
  2. Targeted spear-phishing campaigns; the ability to replace certain fields within email templates, similar to marketing emails that have [[first_name]] [[last_name]] fields that are populated dynamically for each recipient. We can do this now for our phishing emails based on the information located in the Account profile and User profile. Available for both landing pages and email templates.

Check out these cool new features in your Management Console, and here is a full write up of the 10 new features of V4.0 at our blog:
http://blog.knowbe4.com/new-knowbe4-console-v4.0-released

What Are Our Customers Saying?

"Our bank has used your product for the last three years and I feel it is one of our BEST frontline security defenses. I have seen a dramatic increase in employee security awareness through the online training and phishing tests. I feel like a KnowBe4 evangelist when I am at any type of event." - L.S. AVP/Information Security Officer

"I think the random sending feature is great and I did not realize it went live yesterday! I logged in this morning to setup another campaign for the month of March and realized it was there, then received your email. Now I can setup one campaign for the entire firm and still prevent employees from asking each other. This will help them to think on their own." - B.D.

Anthem Hack Caused By A Phished System Admin?

The foreign hackers who stole up to 80 million records from Anthem social engineered their way into the company's network by obtaining the credentials of five tech workers. Thomas Miller, Anthem's chief information officer, said the first sign of the attack came when a systems administrator noticed that a database query was being run using his identifier code although he hadn’t initiated it.

Forensics Team Says "Phishing"

The Mandiant forensics team that was called in to investigate the hack now believes the criminals got in by phishing which tricked the five tech workers into unknowingly revealing a password or downloading a Trojan with keylogger software.

At this point it is thought that the system administrator who was social engineered took over a month to notice that his own credentials were being used. This shows a significant lack of security awareness, as well as a lack of good audit practices. An insider told me it's especially painful for the U.S. Government as all their 3-letter agencies are insured via Anthem. Imagine the Chinese having all the CIA health records.

To quote Anthem's website, "Security awareness training is incorporated into annual compliance training," which means that there is no continual security awareness training, and that's not cutting it as we continually see (Home Depot, Target). This picture is a screen shot from the Anthem website:

[Screenshot: Anthem website, yearly training]
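As an added example (not from the post, and not Anthem's or Mandiant's code), a small audit check over constructed database audit log lines: it learns which hosts each account normally queries from, then flags privileged-account queries from an unfamiliar host, outside business hours, or reading a table with no filter, which is the kind of routine review that would have surfaced a misused identifier in days rather than a month. The log format, account names and business hours are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit log (assumed format: ISO timestamp, account, source host,
# SQL statement). These lines are made up for the example and are not from
# Anthem or any real system.
SAMPLE_AUDIT_LOG = """\
2015-01-05T09:12:44 dbadmin01 ws-admin-17 SELECT count(*) FROM members
2015-01-06T14:03:10 dbadmin01 ws-admin-17 UPDATE plans SET active=1 WHERE id=42
2015-01-07T10:41:02 appsvc01 app-node-03 SELECT id FROM members WHERE id=7
2015-01-12T02:17:55 dbadmin01 vpn-pool-211 SELECT * FROM members
2015-01-12T02:19:30 dbadmin01 vpn-pool-211 SELECT * FROM members WHERE state='CA'
"""

# Accounts whose activity deserves per-event review (assumed names).
PRIVILEGED_ACCOUNTS = {"dbadmin01"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59, assumed for this example


def parse_audit_log(text):
    """Split each log line into its four fields; the statement may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, statement = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "host": host, "statement": statement})
    return events


def build_baseline(events, cutoff):
    """Hosts each account was seen on before the cutoff (the 'normal' set)."""
    known = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            known[e["account"]].add(e["host"])
    return known


def _is_unbounded_read(statement):
    """A SELECT with neither WHERE nor LIMIT reads the whole table."""
    s = statement.upper()
    return s.startswith("SELECT") and " WHERE " not in s and " LIMIT " not in s


def detect_anomalies(events, known_hosts, cutoff):
    """Review every privileged-account event at or after the cutoff."""
    alerts = []
    for e in events:
        if e["ts"] < cutoff or e["account"] not in PRIVILEGED_ACCOUNTS:
            continue
        reasons = []
        if e["host"] not in known_hosts.get(e["account"], set()):
            reasons.append("unfamiliar source host")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if _is_unbounded_read(e["statement"]):
            reasons.append("unbounded read")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "account": e["account"],
                           "host": e["host"], "reasons": reasons})
    return alerts


def run_detection(log_text, cutoff_iso):
    """Baseline on events before cutoff_iso, then review the events after it."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    events = parse_audit_log(log_text)
    return detect_anomalies(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for a in run_detection(SAMPLE_AUDIT_LOG, "2015-01-10T00:00:00"):
        print(f"{a['ts']} {a['account']}@{a['host']}: {', '.join(a['reasons'])}")
```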

If you want to spend less time putting out fires, get more time to be proactive, and get the things done you know need to be done, step employees through effective security awareness training. It will help you prevent this kind of disaster or at least make it very hard for the bad guys to social engineer employees. Find out how affordable this is for your organization. Get a quote now:

http://info.knowbe4.com/kmsat_get_a_quote_now

Antivirus Products Are Slow at Making Malware Signatures

The traditional malicious software detection approach is far from sufficient, especially in corporate environments. More and more it's found that antivirus products can take months before adding the algorithms to recognize the more complex threats.

A recent study from Damballa, a security company offering solutions against advanced cyber threats, revealed that malware could spend as much as six months on a system before it is identified using signature-based detection.

Damballa's CTO Brian Foster said: "For years now the industry has discussed the declining effectiveness of preventative controls like antivirus, firewalls and IPS. These technologies simply do not work against polymorphic malware, which is used by nearly all of today’s advanced attacks. And yet RSA estimates that most organizations still spend about 80% of their security budgets on prevention technologies."

Damballa wanted to demonstrate the limitations of a prevention-centered approach to malicious software. They analyzed a sample set of tens of thousands of files sent to them by their customers. The files detected as malicious by their own Failsafe system were also scanned by the four most commonly deployed antivirus products. Here’s what they found:

  • Within the first hour, the antivirus products missed nearly 70% of the malware
  • After 24 hours, still only 66% of the files were identified as malicious
  • At the seven-day mark, the accumulated total was 72%
  • After one month, 93% of the files were identified as malicious
  • More than six months passed before 100% of the malicious files were identified

malware-alerts-per-week (Courtesy Ponemon)

A 2015 Ponemon Institute report shows that the average enterprise gets 17,000 malware alerts weekly, or 2,430 daily, from IT security products. Based on the Damballa study you can do the easy math; antivirus products miss 796 malicious files on Day One.

And now combine the data from Damballa, RSA and Ponemon. You come to the shocking discovery that 80% of the security budget is spent on controls that are missing 796 malicious files a day.

Many of these infections are caused by end-users who click on a malicious ad, click a bad link or open an infected attachment.

We all have limited budget and manpower. Nobody can afford to dedicate the majority of their budget to failing controls. You need to defend your networks in depth, and get proactive instead of continuing to run around putting out fires. The Ponemon graph shows the lost time caused by infected devices.

The very first step in getting proactive is deploying effective security awareness training combined with simulated phishing attacks. Prevention that really works is more important than ever, and end-user education gives you the best bang for your budget buck, but you also need to put greater emphasis on deeper defense-in-depth levels with detection and response. If you can reduce the time between the initial infection and its discovery and remediation, you reduce your risk of damage.

The first thing though would be to step your users through security awareness training combined with simulated phishing attacks to keep them on their toes with security top of mind. It's a must these days.

Boston Dynamics has a smaller version of the quadruped Big Dog, nimbler and pretty impressive. They can run in packs and run off a battery so they are much more quiet. This is getting very interesting!
http://youtu.be/M8YjvHYbZ9w

The most amazing bowling tricks, featuring the greatest bowling master of all time - Andy Varipapa. This is all real - no CGI:
http://www.flixxy.com/the-worlds-greatest-bowling-show-andy-varipapa.htm

Infographic from 1931 depicting 4000 years of world history. It's obviously behind, but fascinating nonetheless: 
http://tinyurl.com/megu958

Some Brazilian workers demonstrate amazing teamwork and timing:
http://www.flixxy.com/teamwork-in-brazil.htm?utm_source=nl

45% of women between the ages of 25 and 35 are single. 100% of them own cats. Coincidence? A BBC Comedy:
http://www.flixxy.com/why-some-women-stay-single.htm?utm_source=4

In a world filled with war, the greatest weapon is love. Extended Cut (2 min.)
http://www.flixxy.com/make-love-not-war-extended-cut.htm?utm_source=4

Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.

Our mailing address is:
601 Cleveland St. Suite 930, Clearwater, Florida, 33760

Kaspersky: NSA has pwned all hard drives firmware

Posted by Stu Sjouwerman on Feb 16, 2015 5:51:17 PM

Reuters just broke news that's pretty astounding. I'm copying just a few paragraphs and I recommend you read the release yourself.

nsa3-resized-600

"The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

"That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

"A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

"According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on.

Here is the whole article: 

http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216

Kaspersky is pretty reliable so if they make a claim like this they have proof. They were also the people that reported first on Stuxnet, so this is very likely to be true.

What to do about it? Get a chromebook, or a Chromebox that does not have a hard drive, and store all your files in an encrypted cloud drive.

Billion Dollar Cyberheist Caused By Phish-prone Employees

Posted by Stu Sjouwerman on Feb 16, 2015 8:58:00 AM

As promised, here is more data about the Carbanak cyberheist in addition to the original post. First of all, a map that shows the IP addresses of the institutions that were hit. Kaspersky called them the "Carbanak cybergang" because of the name of the malware they used. Most of the banks that were hit are in Russia, but also on the list are ones in Japan, many in Europe, and the United States. According to Dutch security firm Fox-IT, Carbanak is the same group that was uncovered by Group-IB and Fox-IT in a Dec. 2014 report which referenced the attackers as the "Anunak hackers group" which stole reams of data from Staples, Sheplers and Bebe.

Carbanak_Targets

The gang appears to be the first international cybermafia, a group of cybercriminals from Russia, Ukraine and other parts of Europe and China. Kaspersky could not release the names of the banks because of nondisclosure agreements. The Times said that The White House and FBI have been briefed on Kaspersky Lab's findings, and Interpol is coordinating an investigation.

what_every_bank_should_know

"Despite increased awareness of cybercrime within the financial services sector, it appears that spear phishing attacks and old exploits (for which patches have been disseminated) remain effective against larger companies," Kaspersky's report concludes. "Attackers always use this minimal effort approach in order to bypass a victim's defenses."

More Than 16 Million Devices Are Infected With Mobile Malware

Posted by Stu Sjouwerman on Feb 15, 2015 4:41:39 PM

Pierluigi Paganini blogged about a recent study published by Alcatel-Lucent's Motive Security Labs which reported that 16 million devices worldwide have been infected by mobile malware.

mobile-device-infections-number-300x172

Security experts noticed a significant increase in cyber threats to mobile and residential devices and attacks on communications networks in 2014. A growing number of sophisticated attacks are threatening personal and corporate information, representing a serious menace to the security of enterprises and users' privacy.

The "Motive Security Labs H2 2014 Malware Report" published by Alcatel-Lucent's Motive Security Labs provided a detailed analysis of trends and statistics for malware infections in devices. The experts confirmed an acceleration in the growth of infections related to mobile devices, with an increase of 25% in 2014, compared with 20% in 2013. The main cause for infections is social engineering: people clicking on links they get on their smartphone. A large part of the 12 million new malware strains per month are mobile malware.

"Currently, 0.68% of mobile devices are infected with malware. This is a growth of 25% in 2014. We can use this infection rate to calculate the total number of infected smartphones worldwide. According to the ITU there are currently 2.3 billion mobile broadband subscriptions, so we estimate that 16 million mobile devices had some sort of malware infection in December 2014. This global estimate is likely on the conservative side because our sensors do not have complete coverage in areas such as China and Russia, where mobile infection rates are known to be higher than average," states the report. More at his blog:
Step end users through our Mobile Device Security security awareness training module. Find out the cost today.
Get A Quote Now
