CyberheistNews Vol 1, #4
Editor's Corner
The New Security Perimeter: People.
In the olden days, the security perimeter was the city wall. When IT
started, more than half a century ago, the perimeter was the building
with the network inside. Then, we started to automate branch offices,
and recently technology allowed telecommuting.
That means that employees
who used to work in the office now work from home, and that they
need security at home. That was the latest challenge for IT until
mobile came about with a bang. Now, smartphones and tablets are hooked
up to the corporate network. How do you protect against hacking attacks
in an environment where (roaming) individuals have access to confidential
data?
The answer is by having a very good look at your Policies, Procedures
and Training. You HAVE TO HAVE an up-to-date security layer that
consists of alert and trained employees that know they may very well
be the target of a social engineering attack, and that are drilled
in knowing what to do, and especially what not to do. Call it a 'human
firewall'. If you don't have one, you are vulnerable, and the bad guys
will not hesitate to take advantage. You will ultimately be judged on
whether your organization stays safe and does not get hacked. More about
this further below in the Phishing Attacks item. Check out the
Defense-In-Depth diagram and spend 1 minute to read that page:
http://www.knowbe4.com/resources/defense-in-depth/
CYBERHEIST Book Is Now Available
Last issue I announced my new book: CYBERHEIST. It's now actually
available on Amazon as a paperback and also in a Kindle version.
Please either forward this link to management and tell them to buy a copy
of the Cyberheist book. Or better yet, if you really want to make sure
they get the message, get a copy yourself and give it to them. It's
enlightening, and written for both IT and non-IT people. Everything is
explained in normal terms to make sure we don't put anyone to sleep.
Do me a big favor and tell all your friends. Thanks so much in advance.
Check out the reviews at Amazon.com!
http://www.amazon.com/Cyberheist-financial-American-businesses-meltdown/dp/0983400008/
Quotes of the Week
"Whoever undertakes to set himself up as a judge of Truth and Knowledge is
shipwrecked by the laughter of the gods." -- Albert Einstein.
"Don't judge each day by the harvest you reap but by the seeds you plant." -- Robert Louis Stevenson.
"The ultimate judge of your swing is the flight of the ball." -- Ben Hogan
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
CSO Magazine: 'Phishing still rules, because we're still gullible'
Chief Security Officer Magazine reports on KnowBe4's recent phishing research: "Despite more than a decade of warnings, users still readily fall for phishing attacks. For years, phishing attacks were viewed largely as a consumer security problem. Attackers would target users with an email that tempted them into a fraudulent 411 [check] scam, or to share their account numbers and sign-on credentials with a bogus Web site.
Not anymore.
"It's become clear, going back to the so-called 2009 Operation Aurora attacks, that phishing attacks work. Regarding those attacks, a Forrester Research analyst quoted an aerospace company employee who was familiar with the exploit-laced Adobe PDF files that came attached to the spear-phished emails. "This kind of stuff is driving the defense contractors nuts. They should know better, yet they are still affected," the source said at the time. Spear-phishing attacks -- those that use information about someone to target them directly as part of an attack -- are all the more successful. The viability of phishing attacks was revealed more recently with the successful attack against RSA Security and then the related attack on defense contractor Lockheed-Martin."
See what they wrote about our recent KnowBe4 phishing research:
http://www.csoonline.com/article/683666/phishing-still-rules-because-we-re-still-gullible?
Selected Dataloss Incidents This Week
Not many people are aware of the excellent work that the people at the
www.datalossdb.org do. They gather all cyber security events and put
these in a database, free for everyone to query. Here are some selected
incidents of last week. There are a lot more, varying from records dumped
instead of shredded to stolen laptops with confidential information.
Do yourself a favor, and take a minute to review this 'Defense-In-Depth'
page. It clearly shows and explains the six areas you need to defend,
and how it all -starts- with Policies, Procedures & Awareness.
http://www.knowbe4.com/resources/defense-in-depth/
Selected Incidents:
Reported Date: 2011-06-03
Summary: 51,711 patients notified that stolen computer contained protected health information.
Organizations: MMM Health Care Inc., PMC Medicare Choice Inc
Reported Date: 2011-06-02
Summary: Over 1,000,000 users' passwords, email addresses, home addresses,
dates of birth, as well as administrator login passwords acquired by hackers.
Organizations: Sony Pictures, Sony BMG Belgium, Sony BMG Netherlands
Reported Date: 2011-06-02
Summary: 180,000 customer names, account numbers, addresses, phone numbers and
some e-mail addresses may have been exposed on infected server
Organizations: San Francisco Public Utilities Commission
Reported Date: 2011-05-29
Summary: 150 people's information for the Aadhaar (UID) project on stolen laptops
Organizations: Unknown Organization, Government of India
You can find all of them at:
http://datalossdb.org/
Phishing Attacks Keep Proliferating: How to Recognize Them
As you all very likely have seen in the press, recently there has been
a spate of successful large network hacks. First Epsilon got hacked and
lost 60 million accounts, next Sony was penetrated ten times (!) in a
row and is still hurting from losing more than 100 million customer
accounts. You can expect that a new wave of fresh phishing attacks will
be let loose on your users.
Many of those attacks will be aimed at their private residence (or at the
private web-mail accounts they check in the office at lunch time), where
you have little or no perimeter control.
Combine that with the rapid proliferation of social media and mobile
computing, and the only conclusion you can draw is that -people- are
your new security perimeter! This means that more and more security
becomes a people problem and less of a technical problem. Apart from
your existing antivirus and soft- and hardware firewall, you need a
'human firewall' too.
But how to handle the 'human firewall' problem? There are several ways.
Send employees regular emails warning them. Remind them in meetings not
to click on suspicious things, or send them a quiz now and then. Here
is a new slideshow that eWEEK just came out with; would -you- recognize
some of these tricks as scams? Here is the link:
http://www.eweek.com/c/a/Security/Phishing-Attacks-Keep-Proliferating-How-to-Recognize-Them-747404/
You could of course also automate this end-user security awareness training
process for very little money, and super low hassle. Create an account
at our website and test your employees to see who is Phish-prone. You
will know in minutes:
http://www.knowbe4.com/phishing-security-test/
Cyberheist Map Expanded
This page now has two maps. The top one has incidents where actual money
was stolen out of an organization's bank account. Note that this is the
tip of the iceberg, as many remain unreported.
The second map has hundreds of incidents where data was stolen. Keep in
mind that these incidents cost around $180,000 each, in legal fees,
forensics, lost time and lost business, not to speak of damage to the
organization's reputation. Check out your area and see who was hacked
in your neck of the woods:
http://www.knowbe4.com/resources/cyberheist-map/
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
SUPER FAVE: A monster flock of starlings swarm over Rome, Italy in one of
nature's great spectacles:
http://www.flixxy.com/birds-swarmimg-over-rome.htm
Close call of the day: Storm chaser William Phuoc happened to be in the right
place at the right time to capture footage of a spectacular cloud-to-ground
lightning strike:
http://www.flixxy.com/spectacular-lightning-strike.htm
Tornado Hits Semi Truck In Oklahoma City. Incredible, this tornado power:
http://www.businessinsider.com/video-tornado-vs-semi-truck-in-oklahoma-city-2011-5
Amazing winners: A cool compilation of wins, including an innovative method
for washing a train in 20 seconds:
http://www.flixxy.com/amazing-winners.htm
Jetpack Soars to 5,000 Feet. I want one!
http://www.wired.com/autopia/2011/06/video-jetpack-soars-to-5000-feet/