KnowBe4 Security Awareness Training Blog
We moved to a new 15,000-square-foot office with expansion space for 100 KnowBe4 employees, and this week we had our logo mounted on the top of the building. This is a 30-second time-lapse of the old logo coming off and the new one being put up. Here is a picture of the building from when we occupied the same top floor as Sunbelt Software. Click on the image to see the video on YouTube (you may have to click twice). Enjoy, we did!
By far the most requested feature in the KnowBe4 console was Training Campaigns. We're excited to tell you they are here now, in version 5.2 of your console. When it comes to rolling out training for your users, this feature does the heavy lifting for you, saving the time and effort associated with setup and with chasing down users who need to finish their training for compliance purposes. Keep reading for one really cool feature.
These new campaigns provide Learning Management System functionality which gives you an easy way to manage your security awareness training while providing sophisticated reporting. Training Campaigns allow you to create ongoing or deadline-based training campaigns for your employees. These campaigns can contain any or all of the courses and limit course availability by group.
Campaigns can be set up to automatically send e-mail invitations and signup links to users, prompting them (at various intervals) to complete training by a specified time-frame. This functionality also allows you to train a group of users in a classroom setting and pass them all at once.
Again, we have a nightmare phishing scenario, this time with the brand-new AshleyMadison (AM) hack. A few months ago the Adult Friend Finder (AFF) website was hacked, and now its biggest competitor has been hit as well.
AM is one of the most heavily trafficked websites in the U.S. and has 37 million registered users, though some of these will overlap with AFF's. A rough guess is that 10% of your users may be very worried right now that their sexual preferences and/or activities are about to come out. These end users are a security breach waiting to happen.
Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to the users of the hookup service, whose slogan is “Life is short. Have an affair.”
The data released by the hacker or hackers — which go by the name The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.
Here Is The Problem
Any of these 37 million registered users is now a target for a multitude of social engineering attacks. Just one example: you can imagine that a man who is married to a woman but hunting down gay hookups on the side could easily be blackmailed, or could receive a spear phishing email with a poisoned link that infects his workstation.
Security researcher Fedor Sinitsyn reported on the new TeslaCrypt V2.0. This family of ransomware is relatively new; it was first detected in February 2015. It has been dubbed the "curse" of computer gamers because it targets many game-related file types. The attackers are focusing on the U.S. and Germany. See the heat map to the right.
The innovation rate of TeslaCrypt is furious. Lots of changes are being made, including ripping off CryptoWall's identity, a clear case of borrowing CryptoWall's reputation to make victims pay as soon as possible. The encryption scheme has been improved again and is now even more sophisticated than before: keys are generated using the ECDH (Elliptic Curve Diffie-Hellman) key agreement algorithm.
Early versions of TeslaCrypt were designed to check whether a Bitcoin payment had been successfully made on the blockchain.info site. If the payment was received, the malware reported this to the command server and received a key to decrypt the files. This scheme was vulnerable, since an expert could send a request to the C&C and get the necessary key without making a payment. This has been corrected and replaced with a completely new decryption feature.
The TeslaCrypt family is distributed using Exploit Kits like Angler, Sweet Orange and Nuclear. It focuses on malvertising (malicious ads on large sites like Yahoo, Drudge, CBSSports and HuffPost), paid for with stolen credit cards. This is very hard to defend against. Here is how it works: when a victim visits an infected website, the Exploit Kit scans the victim's browser for vulnerabilities (usually in plugins), exploits one, and installs the Trojan on the system.
What To Do About It
According to the 2015 Black Hat Attendee Survey, nearly three quarters (73 percent) of top security professionals think it likely that their organizations will be hit with a major data breach in the next 12 months, but they won't have enough time, money, or skilled staff to handle the crisis.
The survey polled some 460 infosec professionals, 61 percent of whom carry "security" as a full-time job title, and two thirds of whom carry a CISSP or other professional security credentials.
More than a third of the Black Hat survey respondents say that their time is consumed by addressing vulnerabilities in internally developed software (35 percent) or in off-the-shelf software (33 percent). Meanwhile, their budgets are often consumed by compliance issues (25 percent) or by sealing accidental leaks (26 percent), leaving them short of resources to fight the real threats.
Nearly a third (31 percent) of Black Hat attendees cited end users as the weakest link in the security chain. "The biggest roadblock I have is a lack of cultural importance on security," said one survey respondent. Here are the survey results, and the #1 problem that needs to be managed is: "End users who violate security policy and are too easily fooled by social engineering attacks".
The Tech Support Scams are getting worse by the month. Here is a horror story that was shared just today. I suggest you read it, and keep alert for Red Flags like these!
"My dad almost got badly scammed by a guy who claimed he was from "IT Innovations" selling virus protection for computers. My very trusting dad, who isn't at all computer savvy, fell for this guy's pitch when he called my parents' landline several months ago.
"The same man called back this past Saturday telling dad he had to refund the money because the company was going out of business. He convinced my dad to sign into some website that gave the scammer access to my parents' home computer. Then he got dad to log into his credit union account online in order to make sure the money was back in his checking account.
"It was, plus an extra $2000. When my dad told the guy, he said he had made a mistake and wanted my dad to wire the money back to him. Thank God my mom walked into the house and made my dad stop and power off the computer.
"At this point the guy was yelling and threatening my parents over the phone. My mom simply told him he wasn't getting his money back, that he is evil, and hung up on him (go mom!). Thank heavens my parents know the president of the credit union and they were able to get the accounts locked down immediately, get new accounts, and the guy didn't get a penny.
Here is the crux of the scam; pay attention to what happened!
KnowBe4 has seen explosive growth for eight consecutive quarters. Massive data breaches in the first half of 2015, such as Anthem and OPM, affecting millions, have left C-level execs scrambling for a way to manage the problem of social engineering. Even the FBI sent an alert on June 23, 2015. As a result, security awareness training has gone from lunchroom to boardroom in priority, and the market now exceeds a billion dollars in worldwide annual revenue.