CyberheistNews vol 2, #14



Do You Comply With The New PCI 2.0 Standard?

More and more, the bad guys are bypassing your firewall, endpoint protection and other technology-based security measures by going after your users, and you have (reluctantly) come to the conclusion that now your employees are the weak link in your IT Security. Augh! Is there a patch for stupid? (I didn't really mean that).

Welcome to the club. Now what.

Well, phishing your own employees and finding out who the culprits are is a logical course of action. Let's phish our own employees and then work out how to get them through Internet Security Awareness Training. But not like the yearly Sexual Harassment Training (SHT) they do in this outfit, because they forget about that CYA exercise in a few weeks. We need something that keeps users on their toes year-round.

OK but first, how are we going to phish our employees? We need to know the Phish-prone percentage of our end-users.

There are a few ways you can do this:

1) Raise a temporary webserver, and 'roll your own' phishing site. Then create your own phishing email that should lure the users to your fake site, using what (little) you know about Social Engineering. Work out how the tracking and reporting works, and code that. Make it all look acceptable. Takes a few days of work for someone who knows what they are doing. Next, send the email to all users using a mail server that allows you to spoof the From address. Then keep track, fend off users calling and emailing about this. Fend off your manager who is getting calls from other managers about this, despite the fact this was all announced well in advance. All this on top of my normal workload? Forget that, never gonna happen.

2) Get an outside security consultant to come in and do all the above as a 'mini PEN test'. Whoa Nellie, 40 hours at 250 bucks an hour? I don't have 10 grand in the budget and will never get that approved. And that's a one-time gig? No way, not much better than SHT if you ask me.

3) OK, there are the people of Phishme and Wombat. They have most of this automated, which could save some time, and they compete with each other. So, for 600 users how much would that be? Ask both for a quote. Wow, that is more than I expected. And there is still a lot of manual work here. Hmm, if you really want to go this route, there is an open source project called Simple Phishing Toolkit (SPT) that allows you to do this for free.


4) Well, there are those guys from KnowBe4. New outfit but it's Stu, he's that Sunbelt Software co-founder, who wrote this newsletter for system admins when he was at Sunbelt... er, oh yeah: for I don't know how long, 16 years? He usually knew what he was talking about. After building an antivirus / antispyware product he decided to move into end-user training. I wonder what he knows that I don't? Stu, get me up to speed quickly?

Stu: "Yup, sounds very familiar. That's actually why I started KnowBe4. Could have retired after selling Sunbelt but fighting cybercrime is way more fun. Now, to the point. Sorry to be blunt, but testing if users will click on a link, go to a phishing site and fill out a form is so 'last decade'. Both Wombat and Phishme started something like 7 or 8 years ago, when teaching people about phishing was still new. Cybercrime is moving at lightspeed and has gone pro in the last 5 years. Bad guys are now spear-phishing your employees, and all it takes is ONE CLICK and that workstation is infected with (possibly zero-day) malware and your network is compromised.


What you want to test and train on is JUST THAT ONE CLICK. Today, users need to be inoculated against social engineering. Forget about that whole fake phishing website, that's so old hat. What you want to do is - 1) Do a simulated phishing attack and get a baseline percentage of which users are Phish-prone. (You could skip this step if company politics get in the way). But what you absolutely have to do is - 2) Train them online about various vectors of social engineering for about 30 to 40 minutes, 3) Send them simulated phishing attacks once a week.

Once they understand that they will get tested on a regular basis, and that there are repercussions for repeated fails, their attitude changes, and with each email they will take a second or two and 'stop, look, think' if this might be a scam email. This is the ONLY effective way to train employees against social engineering. I have the statistics to prove this by the way. We see a dramatic drop in Phish-prone percentages at our customers, seen clearly in their KnowBe4 management console. KnowBe4 has these three steps fully automated, gives you a management console and the whole thing takes 15 minutes, set-it-and-forget-it, whether you have 50, 500 or 50,000 users.

I recommend you start with our free Email Exposure Check which shows you your email attack surface. Sorry, sometimes this is an unpleasant surprise, but great ammo to get budget approval."
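The three steps above come down to one number tracked over time: the Phish-prone percentage per simulated campaign, plus the list of users who keep clicking. The following is an added example, not KnowBe4's code, that computes both from constructed campaign results; it assumes one record per targeted user per campaign with an action of "clicked", "ignored" or "reported".

```python
# Added example (not the newsletter's or KnowBe4's code): track the Phish-prone
# percentage across repeated simulated phishing campaigns.
# Assumption: each record is (campaign, user, action) with exactly one record
# per targeted user per campaign; action is "clicked", "ignored" or "reported".
from collections import defaultdict

# Constructed sample results from three weekly simulated campaigns.
SAMPLE_RESULTS = [
    ("week1", "alice", "clicked"), ("week1", "bob", "ignored"),
    ("week1", "carol", "clicked"), ("week1", "dave", "reported"),
    ("week2", "alice", "clicked"), ("week2", "bob", "ignored"),
    ("week2", "carol", "reported"), ("week2", "dave", "reported"),
    ("week3", "alice", "ignored"), ("week3", "bob", "clicked"),
    ("week3", "carol", "reported"), ("week3", "dave", "reported"),
]


def phish_prone_by_campaign(results):
    """Return {campaign: percent of targeted users who clicked}, in first-seen order."""
    targeted, clicked, order = defaultdict(int), defaultdict(int), []
    for campaign, _user, action in results:
        if campaign not in targeted:
            order.append(campaign)
        targeted[campaign] += 1
        if action == "clicked":
            clicked[campaign] += 1
    return {c: round(100.0 * clicked[c] / targeted[c], 1) for c in order}


def repeat_clickers(results, threshold=2):
    """Users who clicked in at least `threshold` campaigns: the 'repeated fails'."""
    clicks = defaultdict(set)
    for campaign, user, action in results:
        if action == "clicked":
            clicks[user].add(campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= threshold)


def trend(results):
    """(baseline %, latest %, drop in points) from the first to the last campaign."""
    pct = phish_prone_by_campaign(results)
    campaigns = list(pct)
    first, last = pct[campaigns[0]], pct[campaigns[-1]]
    return first, last, round(first - last, 1)


if __name__ == "__main__":
    print(phish_prone_by_campaign(SAMPLE_RESULTS))  # {'week1': 50.0, 'week2': 25.0, 'week3': 25.0}
    print(repeat_clickers(SAMPLE_RESULTS))          # ['alice']
    print(trend(SAMPLE_RESULTS))                    # (50.0, 25.0, 25.0)
```

The baseline from the first campaign is what step 1 measures; the drop reported by `trend` is the effect steps 2 and 3 are meant to produce, and `repeat_clickers` gives the names to schedule for extra training.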

http://en.wikipedia.org/wiki/Sender_policy_framework



Fake Caller ID Attacks On The Rise

This is something we are addressing in our new Version 2 that should come out end of April. In the meantime, warn your users about this.

DarkReading had the best article that summarizes the problem, which is a new area of 'expansion' of the large cyber-criminal gangs.


"Vishing" attacks increased by 52 percent in the second half of last year. What if your caller ID showed an incoming call from your bank, but it was really from criminals posing as your bank? That's what's happening en masse, with a major surge in voice-call phishing, or vishing, attacks in the second half of 2011. A new report from enterprise anti-phone fraud firm Pindrop Security found a 52 percent increase in vishing attacks in the U.S. between July and December 2011. There were 124,258 phony calls reported by banks in July, and some 189,439 in December, according to the report."


Warn Your Users

This week, there is a wave of malware connected to the Hunger Games movie. People are doing a lot of online searches, and a variety of these are returning malicious results. Tell them to be careful out there!



Quotes of the Week


"Discovering witnesses is just as important as catching criminals." - Simon Wiesenthal


"The first lines of defense against criminals are the victims themselves." - Michael Badnarik


Please tell your friends about CyberheistNews! They can subscribe here:


http://www.knowbe4.com/about-us/cyberheist-news/

Stop Phishing Security Breaches

Are you aware that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch (spear-) phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.

IT Security specialists call it your ‘phishing attack surface’. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. It’s often a surprise how many addresses are actually out there.

Find out now which of your email addresses are exposed. The Email Exposure Check (EEC) is a one-time free service. KnowBe4 customers with a Gold package get an EEC sent to them regularly so they can address the issues that are found. An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.

Sign Up For Your Free Email Exposure Check Now

https://www.knowbe4.com/email-exposure-check/


Cost Of Data Breaches Falls For First Time In Seven Years

The CSO website had some interesting data. "The average organizational cost of data breaches has decreased for the first time in seven years, according to a study released by Symantec and the Ponemon Institute on Tuesday. In 2011 the average cost of a data breach was US$5.5 million, 24 percent less than in 2010, according to the 2011 edition of the annual "U.S. Cost of a Data Breach" study. The cost per compromised record has also decreased, by 10 percent, and stands at $194. The study's results are based on information collected from 49 U.S. companies spanning 14 industry sectors that experienced data breaches last year. Catastrophic data breaches resulting in over 100,000 compromised records have been excluded from the study because they could have skewed the results, said Larry Ponemon, the chairman and founder of the Ponemon Institute." More:

https://www.csoonline.com/article/2131231/data-protection/cost-of-data-breaches-falls-for-first-time-in-seven-years.html

Security's New Reality: Assume The Worst

I thought this article was very interesting, as it looks at the security problem from a whole new perspective. "Tucked away on the sprawling show floor at the recent RSA Conference was a newly commercialized appliance that sits inside the network and spies on attacks already in progress. Its mission isn't to stop the attacker from getting in, but instead to stealthily observe the attacker's moves while gathering intelligence and ultimately containing any damage." 



Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff

Ever seen a Rube Goldberg contraption to pour a glass of wine? This is the steampunk way of doing that. Amazing what this guy built:

https://www.youtube.com/watch?v=wSuH9u0kvhU


The NIST Definitions of what they feel Cloud Computing really is. Quite interesting for the geeks among us:

https://csrc.nist.gov/publications/detail/sp/800-145/final



