KnowBe4 Security Awareness Training Blog

CyberheistNews Vol 4, # 16 Scam Of The Week: XP Phishing Threat

Editor's Corner

Scam Of The Week: Blended XP Phishing Security Threat

During the first quarter, I have been warning about the coming wave of Windows XP-related scams having to do with the April 8 End Of Life of XP. Here is what you can expect, and many variants will follow. It is important to warn your end-users about this, even if they -are- running more recent versions of Windows, because often they do not know what version they actually are running, and easily get scared into doing something that may damage your network.

So here is the scam: cybercriminals either send phishing emails or make cold calls and claim to represent the Windows Helpdesk, Microsoft Tech Support, the Windows Support Group, or some other Microsoft support team.

They claim that there are now no more official security patches for XP (true), refer to the Windows pop-ups stating "Windows XP End of Support April 8th, 2014" (true), note that Microsoft still releases updates for Windows 7 and 8 (true), and assert that hackers have analyzed those updates and found new security holes in XP that cannot be fixed anymore (half-truth: attackers do compare patched and unpatched binaries to find bugs that XP shares, but that is an argument for migrating off XP, not for letting a caller in). Next, the bad guys claim that they -do- have an urgent update but that it needs to be applied manually (blatant lie). The end-user is tricked into granting the scammers remote access through legitimate remote-support tools such as join.me.

Once they are in, the bad guys own the employee's workstation and can use it to get into your network; on a home machine they instead try to charge hundreds of dollars to the victim's credit card. So, urgently remind your users (again) of the following:

"In the office or at the house, when anyone sends phishing emails or calls claiming to be from 'Support', and claims that they need to 'update' your computer for any reason and ask for remote access, hang up the phone immediately and report the email or the call to the correct team in your organization." (Note: often these callers have foreign accents.)

Redmond's Security Center states neither Microsoft nor its partners make unsolicited phone calls, but end-users often do not know this. For the rest of this year, we need to be on the look-out for XP-themed scams like this. Security Awareness Training is a -must- these days. Find out how affordable this is for your own organization here:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/

BONUS Scam Of The Week: Starbucks Gift From a Friend Phishing Emails

Love your tall latte? Better watch it, as a "friend" might send you an email with a fake Starbucks Coffee Gift offer. These emails read something like this in broken English: "Your friend just made an order at Starbucks Coffee Company a few hours ago. He pointed he is planning to make a special gift for you and he have a special occasion for that. We’ve arranged an awesome menu for that case that can really surprise you with our new flavors."

They then continue with describing the whole menu, and when you can come over and celebrate the day with your friend. The only thing you need to do is (of course) open the attachment.

Granted, Starbucks does have options for people to give gifts to friends, but this phishing attack has nothing to do with that. There are several red flags: the language is broken, the emails come from hacked accounts at Yahoo and Gmail, and they are sent with "high importance."

In the malicious attachment sits a variant of the banking Trojan ZeuS, directly attached without any attempt to hide it, and it installs itself as a hard-to-remove rootkit. They probably hope you get so excited about the free offer that you will ignore all the warnings. Don't fall for it. Think Before You Click! For a screen shot of the email, check the KnowBe4 Blog:
http://blog.knowbe4.com/bid/383111/Scam-Of-The-Week-Starbucks-Gift-From-a-Friend-Phishing-Emails
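The red flags listed above can be turned into a mail-triage rule. What follows is an added example, not code from the newsletter or from KnowBe4: a Python script that parses a message, scores the signals the newsletter names (free-webmail sender, "high importance" flag, the template's broken-English phrases, an executable attachment) and returns a verdict. The sample messages, the list of dangerous attachment extensions, the template phrases and the quarantine threshold are my own assumptions; a real ZeuS dropper would still have to be caught by scanning the attachment, not by its filename alone.

```python
"""Red-flag triage for the Starbucks "gift from a friend" phishing e-mails.

Added example, not code from the newsletter. The signals scored are the ones
the newsletter lists; the dangerous-extension list, the template phrases and
the quarantine threshold are assumptions, and the sample messages are constructed.
"""
import email
import email.policy
import email.utils
from email.message import EmailMessage

WEBMAIL_DOMAINS = {"yahoo.com", "gmail.com"}                        # hacked accounts per the newsletter
DANGEROUS_EXTS = (".exe", ".scr", ".pif", ".com", ".cpl", ".zip")   # assumption: common dropper types
TEMPLATE_PHRASES = ("he pointed he", "he have a special occasion", "for that case")  # from the quoted lure


def score_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return {"flags": [...], "verdict": ...}."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    flags = []

    _, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in WEBMAIL_DOMAINS:
        flags.append("sender is a free webmail account")

    # Outlook sets "Importance: high"; many other clients set "X-Priority: 1".
    importance = (msg.get("Importance") or "").strip().lower()
    x_priority = (msg.get("X-Priority") or "").strip()
    if importance == "high" or x_priority.startswith("1"):
        flags.append("sent with high importance")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in TEMPLATE_PHRASES):
        flags.append("broken-English template phrases in body")

    executable = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(DANGEROUS_EXTS):
            executable = True
            flags.append(f"executable attachment: {name}")

    # Assumed policy: any executable attachment, or three or more of the
    # weaker signals together, is enough to hold the message.
    if executable or len(flags) >= 3:
        verdict = "quarantine"
    elif flags:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"flags": flags, "verdict": verdict}


def build_sample(phishing: bool = True) -> bytes:
    """Construct a sample message; phishing=True mimics the Starbucks lure."""
    msg = EmailMessage()
    msg["To"] = "clerk@example.com"
    if phishing:
        msg["From"] = "A Friend <someone@yahoo.com>"
        msg["Subject"] = "Starbucks Coffee gift from your friend"
        msg["Importance"] = "high"
        msg["X-Priority"] = "1 (Highest)"
        msg.set_content(
            "Your friend just made an order at Starbucks Coffee Company\n"
            "a few hours ago. He pointed he is planning to make a special\n"
            "gift for you and he have a special occasion for that.\n"
        )
        # Constructed placeholder payload: an MZ header and zeros, not real malware.
        msg.add_attachment(b"MZ" + bytes(62), maintype="application",
                           subtype="octet-stream", filename="Starbucks_Gift.exe")
    else:
        msg["From"] = "Finance <finance@example.com>"
        msg["Subject"] = "Q2 expense report"
        msg.set_content("Attached are the figures we discussed. Thanks.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("phishing", build_sample(True)), ("benign", build_sample(False))):
        result = score_message(raw)
        print(f"{label}: {result['verdict']} {result['flags']}")
```

The lure scores all four signals and is quarantined; the benign message scores none. The phrase list is deliberately narrow (it matches this template, not "bad English" in general), which is the right trade-off for a mail gateway: tune on the observed campaign, and let the attachment scanner carry the weight for anything else.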

Osterman Report Reveals: Only 13% Happy With Compliance Methods

We are excited to announce a new whitepaper that covers important compliance requirements that you are obligated to satisfy, provides some high level recommendations about what you can do to address these issues, and offers a brief overview of a tool that helps you to better manage these compliance problems.

The whitepaper is called "Improving the Compliance Management Process". One of the conclusions of the research is that only 13% of the organizations Osterman surveyed are "very satisfied" with the way that they manage regulatory compliance issues, despite the fact that 63% consider regulatory compliance to be "very important".

Moreover, Osterman's research found that you typically spend 19% of your compliance and audit time each year on tracking requirements and another 31% on gathering and maintaining audit evidence. Because these two activities alone consume fifty percent of your compliance efforts, improving the process of just these two requirements can save you significantly on overall compliance costs both in time and budget.

   There Is No "Unregulated" Industry

All organizations must deal with compliance obligations. These range from relatively minimal obligations that focus only on protection of certain types of records; to very strict obligations to monitor and sample employee communications, retain a wide range of record types for long periods of time, and to protect the confidentiality of highly sensitive customer information. Consequently, all organizations must satisfy varying levels of compliance obligations – the only difference between a "heavily" regulated vs. a "lightly" regulated one is in the number and invasiveness of the regulations that they must satisfy.

Organizations in some of the more regulated industries – for example, financial services, insurance, healthcare, energy, government, education and life sciences – must deal with a large and growing number of compliance obligations. A failure to satisfy these obligations can result in serious consequences, including fines, sanctions or even business closure.

Complicating the problem is the fact that there are regulations at the federal, state and local level; not to mention the variety of industry-focused and international regulations that organizations must satisfy. Moreover, many of these regulations are in a continual state of flux as regulators modify and add to the body of regulations to which organizations are subject.

   Ten Thousand Commandments

Washington set a new record in 2013 by issuing 3,659 "final" rules in the Federal Register, which means they now need to be obeyed, and 2,594 proposed rules are on their way to becoming orders from the political headquarters. And the feds aren't letting up, there are another 3,305 regulations moving through the pipeline on their way to being imposed. Source WSJ 4-16-2014:
http://online.wsj.com/news/articles/SB10001424052702304311204579505953682216682?

   Managing Compliance Is Cumbersome And Expensive

Many organizations satisfy their compliance obligations using manual processes focused on maintaining spreadsheets or using out-of-date software to help compliance managers keep the organization as close to full compliance as possible. Moreover, compliance obligations are managed with a significant amount of labor, which drives up costs beyond where they would be if a more automated and holistic approach for compliance management were available.

To understand the high cost of conventional compliance management processes, Osterman Research conducted a survey of organizations in a variety of industries. Using a subset of their survey sample to eliminate outliers, they found that the combination of labor and expenditures on tools and services totals $523.93 per employee per year, which translates to $43.66 per employee per month.

   Next Steps

Osterman Research recommends that any organization that must satisfy compliance obligations take a multi-step approach toward reducing their compliance costs and improving their ability to satisfy its compliance obligations. The Whitepaper with these steps is available for download here:
http://info.knowbe4.com/whitepaper-osterman-140414-0

Quotes of the Week

"I count him braver who overcomes his desires than him who conquers his enemies; for the hardest victory is over self." - Aristotle

"It is better to conquer yourself than to win a thousand battles. Then the victory is yours. It cannot be taken from you, not by angels or by demons, heaven or hell." - Buddha

Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

How Much Time Can You Save On Compliance Audits?

Only 13% of the organizations Osterman surveyed are "very satisfied" with the way that they manage regulatory compliance issues, despite the fact that 63% consider regulatory compliance to be "very important".

Osterman's research found that you typically spend 19% of your compliance and audit time each year on tracking requirements and another 31% on gathering and maintaining audit evidence. Because these two activities alone consume fifty percent of your compliance efforts, how much time can you save on compliance audits? Download this whitepaper and find out ...
http://info.knowbe4.com/whitepaper-osterman-140414-0

Phishing Scam Targets Public School District

A Michigan public school district is the focus of a phishing scheme that almost allowed unknown attackers to steal more than $163,000.

The hackers took control of the finance director's email to send a phishing email to an accounting clerk within the Caledonia Public Schools district, according to a local news station. The email asked about available balances in the schools' accounts.

Because the email came directly from the finance director's account, the clerk replied with a file containing the balances along with account numbers. Following that exchange, multiple emails directed the clerk to complete wire transactions.

After the clerk sent an $8,500 transfer, prompting a query by the finance director, the scam was discovered. Banks in both Pennsylvania and Florida were affected, and the Federal Bureau of Investigation (FBI) is looking into the case.

This almost certainly started with a phishing email: either the finance director's credentials were harvested or a workstation was infected after someone clicked a link. Without training and constant reinforcement, people will continue to fall for social engineering attacks. Get your employees trained NOW and prevent attacks like this:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/

Increased Demands On Compliance Teams

Thomson Reuters fifth annual cost of compliance survey provides insights to help regulated firms with future planning, resourcing and focus.

They recently surveyed more than 600 compliance practitioners from financial services firms including banks, brokers, insurers and asset managers across 71 countries covering Africa, the Americas, Asia, Australia, Europe and the Middle East, building on annual surveys on similar respondents conducted over the course of the last five years.

A major finding of the survey is that 53 percent of compliance officers now feel that their personal liability has increased, a reflection of the increased focus on senior individuals at the supranational level. This perceived increase in personal liability may be one factor behind the continuing escalation of the cost of senior compliance officers.

The findings also highlighted the diverse pressures which compliance functions continue to face, with shifting supervisory expectations, no let-up in the volume of regulatory change and the start of many of the big implementation programs for major complex legislation.

"The ability to comply with confidence and transparency is integral to building trust in the financial services sector," says Chris Perry, managing director, Risk, Thomson Reuters. "Compliance leaders are being held to increased accountability amidst an ever-increasing volume of regulation, the expectation to move and comply fast, and the exposure to record fines for non-compliance, now regularly totaling in the billions. In this time of heightened scrutiny, it has never been more important that boards support their compliance function and its senior leadership with the budget, resources and tools to help ensure transparency, trust and a lasting change in behaviors throughout firms."

Download a detailed report on the survey’s findings:
http://accelus.thomsonreuters.com/special-report/cost-compliance-survey-2014

Annual ITIC 2014 Global Server Hardware and Server OS Reliability Survey

ITIC’s 2014 Global Server Hardware and Server OS Reliability Survey is live! The survey polls organizations on the reliability and security of the top server hardware and server operating system and virtualization platforms.

The survey should take only about 5 minutes to complete. All responses are confidential. As always, anyone who completes the survey AND leaves an essay comment with their contact information is eligible to win a $250 Amazon gift certificate. To be eligible you must leave your email address along with your comment in the comment box of the last question. No sales people will call you and we never share your information with anyone.

Once the survey results are tabulated we will post an Executive Summary in Cyberheistnews and on the ITIC Website: www.itic-corp.com. Anyone who completes the survey is eligible to receive a complimentary copy of the full Report when it’s published. All you have to do is email Laura DiDio at ldidio@itic-corp.com or Stu Sjouwerman at: stus@knowbe4.com. Here’s the link to the survey:
https://www.surveymonkey.com/s/FGQDZDY

Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Magician Nate Staniforth performs the impossible and amazing 'Lottery Ticket Illusion.' I know how he does it - do you? It must involve a very small portable thermal printer he has tucked away on his body... LOL
http://www.flixxy.com/incredible-magic-trick-the-lottery-illusion.htm?utm_source=4

It is fascinating to look over the watchmaker's shoulders and see how a mechanical watch is made:
http://www.flixxy.com/look-over-the-watchmakers-shoulders.htm?utm_source=4

Of the seven billion people on this planet, you are the only one that has seen things from your point of view. This is a great ad for Canon cameras:
http://www.flixxy.com/no-one-sees-it-like-you.htm

How six guys in Saudi Arabia change the tires of their Toyota FJ Cruiser, while it's going down the road:
http://www.flixxy.com/how-to-change-your-car-tires-while-driving.htm?utm_source=4

Beavers are fascinating creatures. They move 3 tons of material to build their home:
http://www.flixxy.com/david-attenborough-how-beavers-build-a-lodge.htm?utm_source=4

Richard Hammond from Top Gear sets up a stunt for a Volvo 245 to jump over a line of caravans!
http://www.flixxy.com/caravan-jump-top-gear.htm?utm_source=4

Sometimes when people get into an accident they say: "The other car came out of nowhere." In Russia, it really does happen. Here is the dashcam video to prove it. I just love the Russian commenting copy. You can pretty much predict what they say:
http://www.flixxy.com/the-other-car-came-out-of-nowhere.htm?utm_source=4

Meanwhile in Russia, ingenious firemen have found a way to replace fireladders with a platform lifted by the water pressure of six firehoses:
http://www.flixxy.com/flying-fireman.htm?utm_source=4

This optical illusion is really fun. But as incredible it is - you can easily re-create it yourself and amaze your friends and family:
http://www.flixxy.com/an-optical-illusion-so-amazing-you-will-have-to-try-it-yourself.htm?utm_source=4

Parkour runner Alex Van Duong and Jumpy the dog are both having a great time in the park:
http://www.flixxy.com/jumpy-the-dog-and-alex-the-parkour-runner.htm

 
Police Grapple With Cybercrime And Have Trouble Keeping Up

 

Danny Yadron at the WSJ got the picture right. State and local law enforcement are struggling to keep up as their online case load grows. They are even getting a hand from the FBI here and there.

He started out with this initial paragraph: "When cybercriminals stole $2.5 million from the state of Utah in 2009, authorities got most of the money back—but never could find their man.

The money was wired to a bank account in Texas, officials said, as a step before an attempt to move it overseas. Utah authorities managed to freeze much of the funding in the U.S., but couldn't figure out how the state agency got hacked and by whom, officials said. At one point, state investigators sought a man with a false name at a nonexistent address.

"It was just, for us, kind of a helpless feeling," Utah Commissioner of Public Safety Keith Squires said of the incident."

"Another hurdle: Many cyberattacks originate overseas, where state police often are unlikely to have the power to make an arrest. 'Legally, I'm not going to Romania,' said Lt. Mark Brown with the New York State Police. 'That's where a lot of these cases are coming from.'"

I recommend you forward this article to the powers that be. It illustrates the need for effective security awareness training. This is the link: http://on.wsj.com/1mtQ7aV

What's The Best Free Antivirus For Windows 8?

 

Use the free built-in antivirus called Windows Defender? Use a free tool like Avast? Buy a third-party tool?

The situation is an interesting one. Redmond is walking a tightrope here. On the one hand they do not want to tick off their third-party security partners, and on the other hand they do not want millions of users left unprotected who cannot or will not put AV on their machines for a variety of reasons.

So, what I seem to observe here is that they make both sides (AV vendors and users) "moderately unhappy" as a compromise, but in the meantime provide a very efficient AV engine that protects against what is -really- out there now. Kind of like Audi under-reporting the horsepower of some of their high-end cars.

Here is what Holly Stewart, a senior program manager at the Microsoft Malware Protection Center, told Dennis Technology Labs: Security Essentials will, by design, "always be on the bottom" of antivirus software rankings.

The reason, per Stewart, is that in 2011 Microsoft decided it didn't make sense to fixate on developing the best antivirus software in the industry -- which at times relies on effectively gaming third-party tests that don't necessarily reflect real-world threats. (Having been inside the AV business, this is actually true). 

The company shifted toward focusing on "prevalent threats," Stewart said. "We developed this new telemetry to look for emerging threats -- sort of an early notification system that new threats were emerging. We had this group of folks start focusing on those threats and we saw that it increased our protection service level for our customers. We're providing all of that data and information to our partners so they can do at least as well as we are," Stewart said. "The natural progression is that we will always be on the bottom of these tests. And honestly, if we are doing our job correctly, that's what will happen." Stewart said Microsoft was "doing everything we can to protect against real threats" and passing data on those threats to antivirus makers, so multiple parties can target the problems.

So, my take on this question is that the best free AV for Win8 is Windows Defender (and I am running it on my home and office PC now) BUT, AV IS NOT ENOUGH.... so I am also running the beta of our coming whitelisting product in tandem with Redmond's protection, and the combination of the two has not let me down yet. Want to participate in the Beta? Fill out the survey at the bottom of this page:

http://www.knowbe4.com/project-malwareshield/

Phishing Attacks Work Best On Wednesday, Coming From IT

 

Mandiant M-Trends report (graph).

I had a look at the recent Mandiant M-Trends report. Interesting stuff. They observed that employees seem to fall for hacking tricks mostly on Wednesdays, and that the phishing emails they are most likely to click on appear to come from IT in their own organization. The graph from the report is just a snippet of much more interesting data.

Laura Galante, manager of threat intelligence for Mandiant, told SCMagazine.com in an interview that the social engineering trend remained a common attack method through the first quarter of this year, as well. "We were able to go in and see the initial compromise, in this case, [by] looking at spear phishing emails," Galante said. More at SC Magazine.

Funny thing is that well over three years ago, we standardized on an email coming from IT in our baseline Phishing Security Test which is the start of our Kevin Mitnick Security Awareness Training program. 

CyberheistNews Vol 4, # 15 Scam Of The Week: Heartbleed Phishing Attack

 

Editor's Corner

Scam Of The Week: Heartbleed Phishing Attack

The Heartbleed vulnerability truly is causing almost everyone a major headache. Talk about a FIRE that needs to be put out. On a scale of 1 to 10, this is an 11.

And to throw some gasoline on this fire, hackers are sending out phishing emails related to Heartbleed. One variant tries to trick users into handing over passwords that have not been compromised yet!

A list of more than 10,000 domains that were vulnerable, patched or unaffected by the bug was found on Pastebin by Easy Solutions. The fraud prevention company believes hackers are most likely behind the list.

"A lot of time what these guys will do is dump a list of inventory on Pastebin, cut that link and then share the link with their friends on a (underground) forum," Daniel Ingevaldson, Chief Technology Officer for Easy Solutions, said. "So, it's essentially a billboard for a service."

There are now world-wide scans going on across the whole 'Net, many of these are legit scans, but the bad guys are not sitting still and they are also looking for potential victims. "We're seeing a systematic canvassing of the entire Internet right now to see what's vulnerable and what isn't," Ingevaldson said. "It's a bit of a gold rush."

Tell your users to watch out for any emails (or scam phone calls) that relate to the Heartbleed bug. Links in such emails should not be followed and attachments should not be opened. If they want to change a password, they should wait until the site has announced that it is patched (ideally that it has also re-issued its certificate, since private keys could have leaked), and then go to the site directly rather than through any emailed link. Oh, and if you want to send them a simple, funny cartoon that explains the (simple, stupid) bug, here is a recent xkcd cartoon that explains it...
http://xkcd.com/1354/

KnowBe4 has a new Current Events simulated phishing attack related to the Heartbleed bug so our customers can send this to their users and inoculate them against this attack.

Regarding your own IT environment, Roger Grimes over at InfoWorld has a very good write-up. This thing is more pervasive than you think. Grimes said: "There's a very good chance that if you can connect to an SSL-/TLS-based service and it's not running Microsoft Windows or Apple OS X, it's vulnerable. This includes most VPN appliances, copy machines, and even most appliances. If you can connect to it using HTTPS, and it's not running on Microsoft Windows or OS X consider it vulnerable until proven otherwise. Do your best due diligence to make sure that you and your company are covered. This isn't just about external, Internet-facing websites. The bad guys routinely get on the internal networks and you can bet that they will be looking for vulnerable versions of OpenSSL with vigor." Read his full article here:
http://www.infoworld.com/d/security/the-heartbleed-openssl-flaw-worse-you-think-240231?

Wall Street Journal Quoted Me Regarding Ransomware Phishing Attacks

This week, Wall Street Journal MarketWatch reporter Priya Anand quoted me in an article she wrote about the new wave of ransomware phishing attacks.

She started out with: "Malware attacks that hijack your computer files until you pay a ransom increased by 500% from January to December last year, reaching 600,000 identified cases, according to a report released Tuesday by the security software company Symantec. And the kidnappers may not take cash. The criminals increasingly demand cryptocurrencies like bitcoin as payment, and have raked in some tens of millions of dollars in the last year."

And here is my quote: "The criminals often give their victims a decryption key to get back their files after receiving a ransom. For small businesses that haven’t backed up files, it becomes a game of chance, says Stu Sjouwerman, CEO of the Clearwater, Florida-based security consulting and training company KnowBe4. 'If you have a choice between losing a month’s worth of work or playing the game, you’re going to…just pay up and hope it doesn’t happen again,' he says." (Unless you step your users through effective Kevin Mitnick Security Awareness Training, that is...)

Here is the article, recommended to forward to your C-level; it's in the WSJ!
http://www.marketwatch.com/story/data-kidnappers-hold-your-files-for-ransom-2014-04-08

Quotes of the Week

"Judge a man by his questions rather than his answers." - Voltaire, Writer and Philosopher (1694 - 1778)

"Don't judge a man by his opinions, but what his opinions have made of him." - Georg Christoph Lichtenberg, Scientist (1742 - 1799)

Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

Which Security Awareness Training Has The Best Results?

A new whitepaper from Osterman Research shows which of the 5 types of awareness training has the best results.

Well over 200 organizations were asked questions related to their awareness training, malware infiltration, and if their problems with phishing were worse, the same or getting better. Research showed that an organization's Security Awareness Confidence Score varies significantly depending on the awareness training type they use.

Download this whitepaper and find out which awareness training approach correlates with improvement of the phishing problem.
http://info.knowbe4.com/whitepaper-osterman-14-04-15

More Than Half Of End Users Did Not Get Security Awareness Training

This week I attended a webinar about Security Awareness Training hosted by David Monahan, Research Director Security and Risk Management of Enterprise Management Associates.

Some astonishing numbers came out of this study of 600 employees. A whopping 56% of end-users state that they did not get any security awareness training from their employer.

Think about that for a moment, and how it translates into behavior like opening attachments infected with ransomware. Yikes. Next, the other 44% stated that they received their once-a-year training. That is almost as worrisome, because being reminded once a year not to click on bad links simply does not hack it (pun intended) these days. Recent research suggests that even a reminder every 90 days is not enough to change clicking behavior.

Having no training obviously leads to all kinds of security policy violations, first because employees simply do not know the policies exist, and second because they simply don't care. Here are some more hair-raising statistics:

  • 59% say they store work information on cloud services
  • 58% of respondents say they store company-sensitive information on their personal devices
  • 35% of the respondents say they have clicked on an email link from an unknown sender
  • 33% say they use the same password for both work and personal devices
  • 30% say they leave mobile devices unattended in their vehicles

This is the Internet equivalent of taking candy from strangers. "People repeatedly have been shown as the weak link in the security program," stated Monahan. "Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don't realize what they are doing is wrong until a third-party makes them aware of it."

Words straight out of my mouth, and I'm glad someone else is confirming the sorry state of affairs with security awareness training. More @hackbusters: http://www.hackbusters.com/news/stories/36193-majority-of-users-have-not-received-security-awareness-training-study-says


Fake Anti-Virus App Gets 10,000 Downloads on Google Play

When you do not provide effective security awareness training, people get social engineered ALL the time. For a short time, a fake antivirus app was the Top New Paid app on Google Play, but the app was simply a total scam and did nothing at all.

Android Police reports on a new Android app called Virus Shield, first made available on the Google Play store on March 28, 2014 for $3.99. Open the app and tap the shield, and an X changes to a check mark, apparently indicating that your device is now being protected. Hah.

"Let's not mince words here," writes Android Police's Michael Crider. "This is fraud, pure and simple, and the developer 'Deviant Solutions' potentially made considerable amounts of money based on a complete lie." The app has since been removed from Google Play, and the developer's account has been suspended. More @hackbusters: http://www.hackbusters.com/news/stories/36217-fake-anti-virus-app-gets-10-000-downloads-on-google-play


The History Of Malware Samples In Numbers

Virus Bulletin came up with some interesting historical facts. In 1989, when the very first Virus Bulletin rolled off the press (produced in a black-and-white, printed pamphlet style), there was only one subscriber and there were only 14 viruses known for the IBM PC. Five years on in 1994 there were over 3,000 viruses known to researchers, and here are the approximate numbers from there on out.

These numbers are an aggregate from several sources like AV-test, and antivirus vendors like Symantec, Sophos and Avast. As you can see, this is exponential. New malware strains are created on an industrial scale at about 1,000,000 a week now. No wonder that traditional antivirus can't keep up anymore and that it's time to "do a 180" and use a whole new way to protect workstations...

1989 = 14
1994 = 3,000
2002 = 15,000
2003 = 28,000
2004 = 90,000
2005 = 103,000
2006 = 124,000
2007 = 711,000
2008 = 11,600,000
2009 = 30,000,000
2010 = 46,000,000
2011 = 63,000,000
2012 = 70,000,000
2013 = 80,000,000
2014 = 130,000,000 est

The graph is at our blog where I have this posted as well. Always good ammo to show users and management to illustrate the malware challenge:
http://blog.knowbe4.com/bid/382586/The-history-of-malware-samples-in-numbers


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Old but amazing! Bob Hoover is one of the world's greatest aviators with unbelievable flying skills. Watch him pour iced tea while the plane is doing a roll! It's an Aviation Special Faves this week:
http://www.flixxy.com/bob-hoover-flying-ace.htm?utm_source=4

An Airbus A310 of the Portuguese Airline TAP makes an incredibly low pass turn at the 2007 Airshow in Evora. Watch that wingtip -almost- touch the ground:
http://www.flixxy.com/airbus-a310-air-show.htm?utm_source=4

Wouldn't it be nice to get a singing reception when you arrive at the airport? No instruments were used in this film, although I suspect they recorded it in the studio first, and then redid it live:
http://www.flixxy.com/welcome-back-heathrow-airport-t-mobile.htm?utm_source=nl

The world’s smallest twin-engine airplane has a wingspan of 16 feet, weighs 158 pounds, runs on two 15 hp engines, cruises at 120 mph, has a range of 310 miles and can even do aerobatics! (first 2 minutes):
http://www.flixxy.com/worlds-smallest-twin-engine-airplane.htm?utm_source=4

And staying with small planes: featured in the James Bond flick "Octopussy", the Bede BD-5J is the world's smallest jet aircraft:
http://www.flixxy.com/worlds-smallest-jet-plane-bd5.htm?utm_source=4

And here is the exciting future of small planes - The Quiet Supersonic Transport (QSST) aims to redefine air travel in the 21st Century:
http://www.flixxy.com/super-sonic-business-jet.htm?utm_source=4

Last bit of very cool brand new technology. A bionic kangaroo. Really:
http://youtu.be/mWiNlWk1Muw

A huge herd of elk crossing the road in Montana near Yellowstone Park. Cute ending:
http://www.flixxy.com/huge-herd-of-elks-crossing-with-an-ending-that-will-make-you-smile.htm?utm_source=4

Last but not least, this is a 6-minute essay that you should really watch:
http://www.flixxy.com/the-long-road-to-success.htm?utm_source=4

Pirated PCs And Software Loaded With Malware

Here is another reason why buying legitimate operating systems and application software is a good idea. A new study conducted by IDC and commissioned by Microsoft reveals some troubling statistics that illustrate the depths of the global malware and pirated software problem. The study, sponsored by Microsoft and published this month, found that nearly 46 percent of computers purchased from common distribution sources – such as computer specialty shops, resellers, and local markets – came with dangerous malware, including viruses, worms, Trojan horses, rootkits, and unwanted adware.

How come? These non-brand PCs had a pirated version of Windows on them, so that the vendor could make higher margins on the sale. But the machine is infected with malware from the get-go, and Microsoft's built-in defenses are turned off. Conclusion? Only buy PCs from major, international brands and not from a guy at your local strip mall. (Tip 'o the Hat to PC Pitstop.)

New Whitepaper: Improving the Compliance Management Process

We are excited to announce a new whitepaper that covers important compliance requirements that you are obligated to satisfy, provides some high-level recommendations about what you can do to address these issues, and offers a brief overview of a tool that helps you to better manage these compliance problems.

The whitepaper is called "Improving the Compliance Management Process". One of the conclusions of the research is that only 13% of the organizations Osterman surveyed are “very satisfied” with the way that they manage regulatory compliance issues, despite the fact that 63% consider regulatory compliance to be “very important”.

Moreover, Osterman's research found that you typically spend 19% of your compliance and audit time each year on tracking requirements and another 31% on gathering and maintaining audit evidence. Because these two activities alone consume fifty percent of your compliance efforts, improving the process of just these two requirements can save you significantly on overall compliance costs both in time and budget.

There Is No "Unregulated" Industry

All organizations must deal with compliance obligations. These range from relatively minimal obligations that focus only on protection of certain types of records; to very strict obligations to monitor and sample employee communications, retain a wide range of record types for long periods of time, and to protect the confidentiality of highly sensitive customer information. Consequently, all organizations must satisfy varying levels of compliance obligations – the only difference between a “heavily” regulated vs. a “lightly” regulated one is in the number and invasiveness of the regulations that they must satisfy.

Organizations in some of the more regulated industries – for example, financial services, insurance, healthcare, energy, government, education and life sciences – must deal with a large and growing number of compliance obligations. A failure to satisfy these obligations can result in serious consequences, including fines, sanctions or even business closure.

Complicating the problem is the fact that there are regulations at the federal, state and local level; not to mention the variety of industry-focused and international regulations that organizations must satisfy. Moreover, many of these regulations are in a continual state of flux as regulators modify and add to the body of regulations to which organizations are subject.

Ten Thousand Commandments

Washington set a new record in 2013 by issuing 3,659 "final" rules in the Federal Register, which means they now need to be obeyed, and 2,594 proposed rules are on their way to becoming orders from the political headquarters. And the feds aren't letting up: there are another 3,305 regulations moving through the pipeline on their way to being imposed. Source WSJ 4-16-2014:
http://online.wsj.com/news/articles/SB10001424052702304311204579505953682216682?

Managing Compliance Is Cumbersome And Expensive

Many organizations satisfy their compliance obligations using manual processes focused on maintaining spreadsheets or using out-of-date software to help compliance managers keep the organization as close to full compliance as possible. Moreover, compliance obligations are managed with a significant amount of labor, which drives up costs beyond where they would be if a more automated and holistic approach for compliance management were available.

To understand the high cost of conventional compliance management processes, Osterman Research conducted a survey with organizations in a variety of industries. Using a subset of their survey sample to eliminate outliers, they discovered that the combination of labor and expenditures on tools and services totals $523.93 per employee per year, which translates to a cost of $43.66 per month.

Next Steps

Osterman Research recommends that any organization that must satisfy compliance obligations take a multi-step approach toward reducing its compliance costs and improving its ability to satisfy those obligations. The whitepaper with these steps is available for download here.