CyberheistNews Vol 1, #7
Editor's Corner
Survey Finds: Most Of Us Don't Follow Best Practices. BUT WHY?
A majority of organizations are not applying information security best
practices, according to a fresh survey by Venafi, an enterprise key and
certificate management firm, and research firm Echelon One.
Echelon One developed a set of information security best practices based
on industry standards and worked with Venafi on surveying 420 enterprises
and government agencies to see how they did in terms of following these
best practices.
According to the survey, 77% of respondents failed to follow the best
practice of performing quarterly security and compliance training for
their employees. "Humans are the weak link in information security",
said Jeff Hudson, chief executive officer at Venafi. "What was surprising
was the poor state of training for those humans. Since humans are the
weak link, they are not getting trained very well, and turnover is high,
the problem only gets worse", he told Infosecurity. Here is the link to
the article:
http://www.infosecurity-us.com/view/19737/most-organizations-do-not-follow-security-best-practices-survey-finds/
But now comes the real question. WHY don't we? This weekend I read a
white paper by Cormac Herley, one of the 'propeller heads' at Microsoft
Research. From his perspective (taking about 10,000 words to make the
point), the reason we don't follow best practices is a cost-benefit
calculation: 'It takes too much time for the perceived benefit', especially
when you factor in the cost of user time.
Well, I don't quite agree. The problem with this is that the user is
operating on "It won't happen to me". True... until it does. And then
it's too late. Spending 30 minutes per end-user to protect against
phishing attacks, with a dramatic reduction of well over 90% after
just 4 weeks of the KnowBe4 program, is highly likely the best security
budget money ever spent, providing the highest ROI in the shortest time.
Find out at no cost what the Phish-prone percentage of your employees is.
You are likely to be surprised. The whole thing takes 5 minutes max:
http://www.knowbe4.com/phishing-security-test/
Quotes of the Week
"Few delights can equal the presence of one whom we trust utterly." - George MacDonald
"Learning to trust is one of life's most difficult tasks." - Isaac Watts
"Love all, trust a few, do wrong to none." - William Shakespeare
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
Need more IT security budget? Give This Book To Your Boss
"The book is well crafted and an intoxicating read - I couldn't put it down." - Paul Wright
"Anyone who uses a computer connected to the Internet needs to know this information to protect themselves." - H. Heller
"As both an IT Pro and a businessman, I highly recommend this book for anyone concerned about online threats." - C. Contor
"Stu Sjouwerman informs in a way that managers can understand, and "techies" can relate to. He goes in detail about the oft-overlooked (and in my opinion THE most dangerous) part of online security: The Human Element." - Robert Folden
"If you fall victim to a cyberheist after reading Sjouwerman's book, shame on you." - Dirk A. D. Smith
Buy and Read Cyberheist!
http://www.cyberheist.com/
Digital Hit Men for Hire
Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009,
authoring more than 1,300 blog posts for the Security Fix blog. He then
continued with the Krebs on Security blog, which I highly recommend.
"Cyber attacks designed to knock Web sites off line happen every day, yet
shopping for a virtual hit man to launch one of these assaults has traditionally
been a dicey affair. That's starting to change: Hackers are openly competing to
offer services that can take out a rival online business or to settle a score."
"There are dozens of underground forums where members advertise their ability to
execute debilitating 'distributed denial-of-service' or DDoS attacks for a
price. DDoS attack services tend to charge the same prices, and the average rate
for taking a Web site offline is surprisingly affordable: about $5 to $10 per
hour; $40 to $50 per day; $350-$400 a week; and upwards of $1,200 per month."
"Of course, it pays to read the fine print before you enter into any contract.
Most DDoS services charge varying rates depending on the complexity of the
target's infrastructure, and how much lead time the attack service is given to
size up the mark. Still, buying in bulk always helps: One service advertised on
several fraud forums offered discounts for regular and wholesale customers."
Please use the link below to continue reading this posting at the Krebs on
Security Blog:
http://krebsonsecurity.com/2011/08/digital-hit-men-for-hire/
Recent Dataloss Incidents
Not many people are aware of the excellent work that the people at
www.datalossdb.org do. They gather all cyber security events and put
them in a database, free for everyone to query. Here are some selected
incidents from last week. There are a lot more, varying from records dumped
(instead of shredded) to stolen laptops with confidential information.
Do yourself a favor, and take a minute to review this 'Defense-In-Depth'
page. It clearly shows and explains the six areas you need to defend,
and how it all -starts- with Policies, Procedures & Awareness.
http://www.knowbe4.com/resources/defense-in-depth/
Selected Incidents:
Summary: 1800 usernames, email addresses and hashed passwords acquired by hackers
Date: 2011-07-26
Organizations: Government of Tasmania
Summary: 214,000 data files, including 96,000 containing sensitive bank account
information, acquired by hackers
Date: 2011-07-25
Organizations: GIS
Summary: Customers' credit and debit card data captured during transmission
Date: 2011-07-21
Organizations: City Newsstand Inc.
Summary: Police officers' and others' personal information acquired and posted by hackers
Date: 2011-07-20
Organizations: Policía Nacional de Colombia (Colombia National Police)
Summary: 19,799 employees' names and Social Security Numbers exposed on the Internet
Date: 2011-07-20
Organizations: Swedish Medical Center
Summary: Tens of thousands of customers' details (names, e-mail addresses, passwords)
obtained from two online stores
Date: 2011-07-18
Organizations: REWE Group
Summary: Over 4,800 customers' names, street addresses with city and zipcode, ages,
user IDs, e-mail addresses, and plain text passwords acquired and posted by a hacker
Date: 2011-07-18
Organizations: JL Audio, Inc.
Summary: 2,021 patients notified that their personal and some medical information
may have been transmitted by virus after vendor forgets to restore security
controls following maintenance
Date: 2011-07-18
Organizations: Beth Israel Deaconess Medical Center
You can find all of them at:
http://datalossdb.org/
The Cyberheist Closest To You
We now have a Google map, with many hundreds of cyberheist incidents, and
the place where they happened. Check out the cyberheist closest to you, and
find out what was stolen - cash straight from the bank account or files
that contained confidential data:
http://www.knowbe4.com/resources/cyberheist-map/
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
A camera mounted on Yu Muroga's dashboard captured not only the March 11
earthquake, but also the moment he and other drivers were suddenly engulfed
by the tsunami. You will be pleased to know that he survived:
http://www.flixxy.com/japanese-tsunami-viewed-from-a-car.htm
As if the "Grand Rapids Lip Dub" wasn't enough - Traverse City pulls off
another huge lip dub proving that Michigan is Pure Awesome. Gotta Watch!
http://www.flixxy.com/traverse-city-lipdub-2011.htm
There are people doing crazy stuff on their motorcycles, and then there
is Jorian Ponomareff from Montpellier, France. Dang, he's GOOD:
http://www.flixxy.com/jorian-ponomareff-ride-your-passion.htm
Winds are so strong on the southern coast of Australia that waterfalls
are running upwards:
http://www.flixxy.com/australian-waterfalls-are-running-upwards.htm
One of the world's best R/C helicopter pilots shows his skill performing
amazing maneuvers at low altitude:
http://www.flixxy.com/rc-helicopter-low-altitude-aerobatics.htm
Watch this video about hackers stealing $680,000 from a Church fund:
http://www.cbsnews.com/stories/2011/06/30/eveningnews/main20075926.shtml