CyberheistNews Vol 1, #11
Editor's Corner
The Four Reasons Why Your Network Gets Hacked
You might be surprised that there are only four reasons hackers get into your network. It's been like this for 20 years, and it is not likely to change much, because these four reasons still work today, so why would the bad guys change anything?
Reason One: Software Vulnerabilities. There are numerous vulnerabilities in many software products. That could be a web application, or an email client, the Operating System itself, a PDF reader or any of thousands of others. Scanning for these vulnerabilities and patching them is crucial to prevent hackers from breaking in, since often they use known (and unpatched) vulnerabilities to hack in.
Reason Two: Misconfigurations. A computer normally comes out of the box in a relatively trusting mode. It needs to be told to be paranoid. This is a configuration issue, and often when you are running a Microsoft network, this means making sure that Group Policy is properly configured to allow the least possible amount of privileges. This is not always easy and allows for things to be overlooked. A misconfigured machine is a hacking target.
Reason Three: Sloppy Password Policies. Many organizations are very sloppy with password policies. The passwords are easy to crack, and they are not changed often enough.
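As an added example (not code from the newsletter or from KnowBe4), here is a small Python audit that checks the two complaints above, crackable passwords and passwords that are never rotated, against a written-down policy. The thresholds, the common-password list and the account inventory are all constructed for this example; a real audit would load a published breach list and read password-age metadata from the directory rather than handling plaintext.

```python
"""Added example: a minimal password-policy audit, not code from the newsletter."""
from datetime import date
import string

# Policy thresholds are assumptions chosen for this example.
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_LENGTH = 12
MIN_CHAR_CLASSES = 3

# Constructed stand-in for a cracked/common-password list; a real audit would
# load a published list and compare hashes rather than plaintext.
COMMON_PASSWORDS = {"password1", "welcome123", "letmein", "summer2011"}


def char_classes(password):
    """Count how many of lower/upper/digit/symbol appear in the password."""
    checks = (
        lambda c: c.islower(),
        lambda c: c.isupper(),
        lambda c: c.isdigit(),
        lambda c: c in string.punctuation,
    )
    return sum(1 for check in checks if any(check(c) for c in password))


def policy_violations(password, last_changed, today):
    """Return the list of policy rules the given credential breaks."""
    violations = []
    age_days = (today - last_changed).days
    if age_days > MAX_PASSWORD_AGE_DAYS:
        violations.append(f"stale ({age_days} days since last change)")
    if len(password) < MIN_PASSWORD_LENGTH:
        violations.append(f"too short ({len(password)} < {MIN_PASSWORD_LENGTH})")
    if char_classes(password) < MIN_CHAR_CLASSES:
        violations.append("too few character classes")
    if password.lower() in COMMON_PASSWORDS:
        violations.append("appears in common-password list")
    return violations


def audit(accounts, today):
    """Map each username to its violations; accounts are (user, password, last_changed)."""
    return {user: policy_violations(pw, changed, today) for user, pw, changed in accounts}


# Constructed sample inventory (plaintext only because this is a demo).
SAMPLE_ACCOUNTS = [
    ("alice", "Correct-Horse-Battery-42", date(2011, 8, 1)),
    ("bob", "Password1", date(2011, 3, 1)),
    ("carol", "summer2011", date(2011, 9, 1)),
]
AUDIT_DATE = date(2011, 9, 16)

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{user}: {status}")
```

Running it flags bob for a stale, short and common password and carol for a short, low-complexity and common one, while alice passes. The common-password check is the one that matters most in practice: a long, regularly rotated password that appears on every cracking wordlist is still easy to crack.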
Reason Four: End-Users Let Hackers In. At the moment, I am reading Ghost in the Wires by Kevin Mitnick, who at one point in time was the most wanted hacker in the U.S. He describes how he simply called people up and they gave him their password. Huh? They did? Yes, they did, as he was using social engineering tactics to manipulate them into revealing their network credentials. Here is an example that I edited a bit to make it shorter:
End-user receives a call from the hacker: Hi, I'm from the IT department, we have suffered a major hard disk failure. Do you have any files you need to recover?
End-user: You bet! I need access to my files right now!
Hacker: We can do that on Thursday.
End-user: Whaaat?! Totally unacceptable. That would be three days downtime!!
Hacker: OK, well I guess I can make an exception, and put you first in line, if you keep it to yourself. We are creating a brand new server, and I will need to re-create your account on that machine. I already know your user name, what is your password?
And as if by magic, the end-user has let the hacker right in. It took 5 minutes! You need to train your end-users so they do not fall for these social engineering tactics.
Quotes of the Week
"Intellectual growth should commence at birth and cease only at death." - Albert Einstein
"Education is a progressive discovery of our own ignorance." - Will Durant
"Education is learning what you didn't even know you didn't know." - Daniel J. Boorstin
"An education isn't how much you have committed to memory, or even how much you know. It's being able to differentiate between what you know and what you don't." - Anatole France
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
Need more IT security budget? Give This Book To Your Boss
"The book is well crafted and an intoxicating read - I couldn't put it down." - Paul Wright
"Anyone who uses a computer connected to the Internet needs to know this information to protect themselves." - H. Heller
"As both an IT Pro and a businessman, I highly recommend this book for anyone concerned about online threats." - C. Contor
"Stu Sjouwerman informs in a way that managers can understand, and "techies" can relate to. He goes in detail about the oft-overlooked (and in my opinion THE most dangerous) part of online security: The Human Element." - Robert Folden
"If you fall victim to a cyberheist after reading Sjouwerman's book, shame on you." -- Dirk A. D. Smith
Buy and Read Cyberheist!
http://www.cyberheist.com/
White House Takes On the New Cybercrime Mob
The White House has decided that it's time to take hacking seriously, asking for tougher sentencing for those found guilty of cybercrime. Speaking before the Senate Judiciary Committee, Associate Deputy Attorney General James Baker and Secret Service Deputy Special Agent in Charge Pablo Martinez explained that sentencing has failed to keep up with the growing seriousness of hacking, and that the administration is calling for the Computer Fraud and Abuse Act to be folded into the Racketeering Influenced and Corrupt Organizations Act.
The key to understanding the proposed changes is the new presumption that modern hackers are not acting alone. Martinez told the Committee that Secret Service investigations have shown that complex and sophisticated electronic cybercrimes are rarely perpetrated by a lone individual, adding that online criminals organize in networks, often with defined roles for participants, in order to manage and perpetuate ongoing criminal enterprises dedicated to stealing commercial data and selling it for profit (or, you know, just to cause chaos and show that they can hack into that place someone said they couldn't, but whatever). It's a narrative picked up by Baker, who went even further, saying that as computer technology has evolved, it has become a key tool of organized crime. Many of these criminal organizations are similarly tied to traditional Asian and Eastern European organized crime organizations.
In addition to reclassifying hacking as an organized crime activity, the White House's proposal seeks the creation of a national data breach standard, replacing whatever various state laws may be in place. For the full story click here:
http://techland.time.com/2011/09/08/hackers-are-the-new-mob-white-house-gets-serious-on-cybercrime/
Cybercrime Theft Topples $388 Billion Annually
U.S. government agencies are getting better at sharing information about cybercrime with private companies, but cybercrime shows no signs of slowing down, cybersecurity experts told lawmakers Wednesday.
The U.S. Secret Service, the Federal Bureau of Investigation and the Department of Homeland Security work closely together to combat cybercrime, witnesses from the three organizations told a subcommittee of the House of Representatives Financial Services Committee. But criminals are taking advantage of the growing amount of personal information online and the ability to share attack tools and strategies over the Internet, said A.T. Smith, assistant director of the Secret Service.
The Secret Service has observed a marked increase in the quality, quantity and complexity of cybercrimes targeting private industry and critical infrastructure, he said.
The FBI is currently investigating more than 400 cases involving unauthorized wire transfers from bank accounts of U.S. businesses, said Gordon Snow, the assistant director there. Those 400 cases involved the attempted theft of US$255 million, with actual losses of $85 million, and the cases involving the takeover of accounts represent just one type of attack against financial systems, he said.
Snow also listed recent examples of payment processor breaches, stock trading fraud, ATM skimming, mobile banking attacks and other schemes targeting the U.S. financial system. Cybercriminals' capabilities are at an all-time high, although combating cybercrime is a top priority for the FBI and other agencies, he said.
The annual cost of cybercrime is about $388 billion, including money and time lost, said Brian Tillett, chief security strategist at Symantec. That's about $100 billion more than the global black market trade in heroin, cocaine and marijuana combined, he said. For more on this story click here:
http://www.pcworld.com/businesscenter/article/240041/us_agencies_making_progress_on_cybercrime_officials_say.html
The most basic and essential step any organization can take to increase cyber security is to implement a program of Internet Security Awareness Training. For more information on this type of training visit www.knowbe4.com and try our free phishing security test to see how phish-prone your employees are. It's a great way to assess the security savvy of your employees.
http://www.knowbe4.com/phishing-security-test/
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
What does it feel like to fly over planet Earth? A time-lapse taken from the front of the International Space Station as it orbits our planet at night:
http://www.flixxy.com/what-does-it-feel-like-to-fly-over-planet-earth.htm
An awesome and epic compilation of some of the best extreme sports athletes:
http://www.flixxy.com/extreme-sports-compilation.htm
A toy gyroscope demonstrates the remarkable consequences of "angular momentum":
http://www.flixxy.com/gyroscope.htm
Cows are curious and playful animals, especially when they see a remote-controlled car:
http://www.flixxy.com/cows-playing-with-rc-car.htm
If Kittens Ran The World - A funny ad for cat lovers from a French Internet company:
http://www.flixxy.com/if-kittens-ran-the-world.htm
This is a very useful little podcast (remember those?) about training end-users to not fall for social engineering tactics:
http://cdn.ttgtmedia.com/rms/security/tm_pascucci_091511v3.mp3