CyberheistNews Vol 1, #4.5
Editor's Corner
Why Your Security Sucks
No, I did not come up with this title myself. That was Eric Knorr over at
InfoWorld. But when I read the article, I thought to myself, great idea,
how come I never came up with this? He said: "The maddening thing is that
simple measures, well known for years, would prevent most attacks. According
to Roger Grimes (InfoWorld's security expert), 90 percent of exploits involve
users downloading and installing items they shouldn't. Often, these exploits
begin with scareware messages that tell users their system has been
compromised and that they should install an antivirus program to remove
the infection, which of course turns out to be malware itself.
"It's hard to train users to ignore fake alerts, Roger says, especially when
they don't know what a real virus alert looks like. I've asked every company:
Do you give a picture to your employees of what your antivirus program looks
like when it finds a virus? Never. They never do. Ever. If this is the No. 1
problem in most environments today -- and it is -- why are we as defenders
not even doing the simple stuff? Is it too hard to take a picture and tell an
end-user, "this is what your product looks like?" It's not. I'm not sure if
it's lethargy or what. Every company I've ever said that to ... none of them
have ever taken the picture. They're like "Oh, you're right, good idea,"
and then they don't do anything."
So, take a screenshot of what it looks like when your existing antivirus
product finds malware, and send it to all users. Like... now?!
Here is the whole article, which is warmly recommended:
http://www.infoworld.com/t/security/why-your-network-security-sucks-630
ISAT Version 1.5 Released!
We are happy to announce the release of Version 1.5. There
is some good news for all our customers and people that are
in the process of running the Phishing Security Test.
1. An account can now have more than one account owner.
This is very handy if you want two people to be able to
manage the site, e.g. adding users. The first account
owner can navigate to the Users page and make any user
an account owner by clicking on 'Make owner' link.
Any account owner can revoke the account owner privileges
of any other account owner (except the first account owner,
who opened the account).
2. Users can now be bulk imported by an account owner.
The account owner can navigate to the Users page, click on
the Import Users link, enter user email addresses (one per line)
and click import. All users will be imported. Optionally,
the account owner can provide a password in the "password"
field. If the password is specified, all the users will
have the same password, and they can log in without the
need to register, by following the link:
https://training.knowbe4.com
Note: If the password is not specified, users still need
to go through the self-register sign-up process at:
https://training.knowbe4.com/signup
3. An account owner can see users that never signed in.
On the Users page, there's a new column in the table
"Last sign-in" containing the date when the user last
signed in. Also the table has a column "Joined on"
representing the date the user registered for training.
4. The 20-question test at the end has been updated with
answers that point the employee to existing policy on what
to do with spam and phishing that made it through the filters.
5. We have a new campaign: "Security Hints and Tips". You
can schedule this via the same Phishing Security Test option,
and it allows you to send ready-made templates with security
best practices.
6. You can now have a custom landing page where you can
have employees wind up after they fail a phishing test. This
page can be created by your own team, and lives on your
own website.
We are excited to announce V1.5 is now available! Existing
customers, contact support regarding upgrading to this new version.
support@knowbe4.com
Bank Gets Sued Over $2,000,000 Cyberheist
A judicial decision came down last week from a District Court in Michigan.
Experi-Metal fell victim to a major cyberheist and then sued their bank
(Comerica) over a nearly $2,000,000 (two-million dollars) loss. The two
major factors that led to this cybercrime were a well-crafted phishing
email message and a gullible employee.
The Experi-Metal employee fell for a phishing scam email that was disguised
as a legitimate notification from Comerica and gave the log-in credentials
to cybercriminals, who then logged in to Experi-Metal's commercial Comerica
bank account and began transferring out its funds. More at the KnowBe4 blog:
http://blog.knowbe4.com/2011/06/20/bank-gets-sued-over-2000000-cyberheist/
Quotes of the Week
"A nation that expects to be ignorant and free... expects what never was
and never will be." - Thomas Jefferson.
"A positive attitude causes a chain reaction of positive thoughts, events and outcomes. It is a catalyst and it sparks extraordinary results."
- Wade Boggs
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
Need more IT security budget? Give This Book To Your Boss
"The book is well crafted and an intoxicating read - I couldn't put it down." - Paul Wright
"Anyone who uses a computer connected to the Internet needs to know this information to protect themselves." - H. Heller
"As both an IT Pro and a businessman, I highly recommend this book for anyone concerned about online threats." - C. Contor
"Stu Sjouwerman informs in a way that managers can understand, and "techies" can relate to. He goes in detail about the oft-overlooked (and in my opinion THE most dangerous) part of online security: The Human Element." - Robert Folden
"If you fall victim to a cyberheist after reading Sjouwerman's book, shame on you." -- Dirk A. D. Smith
Buy and Read Cyberheist!
http://www.cyberheist.com/
Selected Dataloss Incidents This Week
Not many people are aware of the excellent work that the people at www.datalossdb.org do. They gather cyber security incidents and put them in a database that is free for everyone to query. Here are some selected incidents from last week. There are a lot more, varying from records dumped instead of shredded to stolen laptops with confidential information.
Do yourself a favor, and take a minute to review this 'Defense-In-Depth'
page. It clearly shows and explains the six areas you need to defend,
and how it all -starts- with Policies, Procedures & Awareness.
http://www.knowbe4.com/resources/defense-in-depth/
Selected Incidents:
Reported Date: 2011-06-17
Summary: Hackers acquire 1,290,755
users' names, emails addresses, dates
of birth and encrypted passwords.
Organization: SEGA
http://datalossdb.org/incidents/3870
Reported Date: 2011-06-17
Summary: 43,000 consumers' health
information and 35,000 personal representatives'
contact information on stolen laptop.
Organization: Area Agency on Aging, Inc.
http://datalossdb.org/incidents/3867
Reported Date: 2011-06-16
Summary: 18,000 user account names,
passwords, email addresses, and birth
dates accessed by hacker.
Organizations: BioWare, Electronic Arts (EA)
http://datalossdb.org/incidents/3862
Reported Date: 2011-06-13
Summary: 200,000 usernames, email
addresses and passwords acquired by hacker.
Organization: Bethesda Softworks
http://datalossdb.org/incidents/3839
Reported Date: 2011-06-11
Summary: Virus may have exfiltrated
12,000 alumni, faculty, and staff Social
Security Numbers
Organization: Penn State Altoona
http://datalossdb.org/incidents/3837
Reported Date: 2011-06-11
Summary: 300,000 workers' compensation
applicants' names and Social Security
Numbers were exposed on the Internet.
Organization: Southern California
Medical-Legal Consultants.
http://datalossdb.org/incidents/3836
Reported Date: 2011-06-10
Summary: 26,000 email addresses
and passwords of porn site users
acquired by hackers; some posted online.
Organization: pron.com
http://datalossdb.org/incidents/3849
Reported Date: 2011-06-09
Summary: Email addresses and
encrypted passwords of forum users
acquired by hacker.
Organization: Epic Games
http://datalossdb.org/incidents/3856
---------------------
You can find all of them at:
http://datalossdb.org/
The Cyberheist Closest To You
We now have a Google map, with many hundreds of cyberheist incidents, and
the place where they happened. Check out the cyberheist closest to you, and
find out what was stolen - cash straight from the bank account or files
that contained confidential data:
http://www.knowbe4.com/resources/cyberheist-map/
Loose Keystrokes Sink Cybersystems
In the Wall Street Journal of June 15, Richard Clarke wrote an op-ed about
China's cyberassault on America. John Moynihan, President of Minuteman
Governance, wrote in and said: "The breaches referenced by Mr. Clarke had a
common signature: They were caused by the actions of employees who worked
within the "hacked" organization.
"Organizations have traditionally addressed the cyber threat by focusing on
myriad technological controls, while often neglecting critical nontechnical
measures. The implementation of clear acceptable-use policies, a comprehensive
employee training program and ongoing risk assessments are central to an
information-security strategy. Although firewalls, virus protection and
encryption must be part of a company's security approach, the most
sophisticated of these technologies are neutralized by the arbitrary keystroke
of an untrained or unwitting employee.
"I have remediated dozens of data security incidents that were caused by
either an employee, contractor or vendor who worked within the victimized
organization. By opening infected email links, using compromised USB drives,
accessing sensitive data without authorization, visiting nonbusiness websites,
using mobile devices irresponsibly and opening attachments from unknown
sources, employees routinely expose our financial system, military, government
agencies and critical infrastructure to cyber attack.
"Data breaches will continue to occur, likely with increased frequency, until
there is widespread recognition that technology alone is insufficient to
protect the nation's critical systems."
We could not agree more.
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Parahawking adventure over the skies in Nepal. Birds of prey fly with
paragliders guiding them to thermals in exchange for food:
http://www.flixxy.com/parahawking-over-nepal.htm
A new $60 Chinese watch (fake Diesel brand) records HD video with four
infrared lights for shooting in complete darkness. It shoots 1080p at 30
frames per second, and stills at a max of 4,032 x 3,024 pixels. Wow:
http://www.etronixmart.com/hd-1080p-ir-night-vision-waterproof-dvr-spy-watch-4gb-p-846.html
Nic Case broke the world speed record for radio-controlled cars at the Rockingham
Dragway with a 161.76 mph run:
http://www.flixxy.com/worlds-fastest-rc-car-161-mph.htm
In a galaxy far, far away, the board of the Tripartium corporation meets to decide the fate of planet Earth. A clever and funny, but thought-provoking ad:
http://www.flixxy.com/planet-earth-ad.htm
The Grand Rapids LipDub Video was filmed with 5,000 people, and involved a
major shutdown of downtown Grand Rapids, which was filled with marching bands,
parades, weddings, motorcades, bridges on fire, and helicopter takeoffs. It
is the largest and longest LipDub video to date, and it's all in one take.
Roger Ebert even called it "The Greatest Music Video Ever Made":
http://www.flixxy.com/greatest-music-video-grand-rapids.htm