CyberheistNews vol2, $36

CyberheistNews Vol 2, #36

Editor's Corner

A Powerful New Compliance Tool

Practically all of us take credit cards, so we need to be PCI DSS compliant.

But often on top of that, you are required to be compliant with your

industry regulation, internal security policies, or both. A major problem

though is that machines continually drift out of compliance (users, updates,

etc.) Non-compliance on endpoints and servers is both costly and risky;

hackers exploit vulnerabilities in your network, and failing an audit may

cause regulatory trouble. KnowBe4 introduces a powerful new compliance

tool to help you with these problems. Need to comply with either PCI DSS,

HIPAA, SOX, Basel II/III, Bill 198, USGCB, STIG or GLBA? Each of these

regulations creates a business challenge. We took each of them and explained

how InstantRevert helps you comply faster with less effort, and a LOT less

cost.







InstantRevert gives immediate benefits from a system admin perspective:


- Dramatic reduction in help-desk tickets


- Significantly improved security


- Massive IT Operations time savings


- Audit time and costs reduced 50% or more








I strongly recommend you check out this product. Depending on your time,

here are four options:







Option 1: 1 minute: Here is the 60-second video:


http://www.knowbe4.com/video-instantrevert/







Option 2: 2 minutes: Check this page, find the compliance standard

that applies to you (PCI DSS is the first one), see the business

challenge and how InstantRevert helps:


http://www.knowbe4.com/products/instantrevert-compliance/







Option 3: 5 minutes: Read through the webpage and to start with,

download your full-function 5-machine eval. One of our SE's can help you step through the install:


http://www.knowbe4.com/products/instantrevert/







Option 4: 10 minutes. Download and read the (PDF) whitepaper:

InstantRevert - A New IT Best Practice: Real-time Compliance:


https://s3.amazonaws.com/knowbe4.cdn/InstantRevertWhitePaper.pdf

Home Security Awareness Training: 30-second Survey

Ever since we released Kevin Mitnick Security Awareness Training, the single most mentioned comment from employees who had done the training was: "How do I share this with my family? They need to know this!" We are working on a Home Security Awareness Training now. Which topics do you think should be in this training? Just write down a few points you think are the most important to cover. Thanks so much in advance!


https://www.surveymonkey.com/s/homeSAT

Quotes of the Week

"You can’t get ahead if you’re busy catching up" - unknown







"It has been my observation that most people get ahead during the

time that others waste." - Henry Ford







"Leaders must be close enough to relate to others, but far enough

ahead to motivate them." - John C. Maxwell









Please tell your friends about CyberheistNews! They can subscribe here:


http://www.knowbe4.com/about-us/cyberheist-news/

PCI DSS PROBLEM:

PCI DSS PROBLEM: There are six major control objectives and 12

requirements that IT Managers must implement under PCI DSS. Discovering

the vulnerability or out-of-compliance configuration is just the

beginning. Once identified, you must then manually mitigate the issue o

to ensure compliance.

InstantRevert Solution: InstantRevert helps you manage configurations

and password settings in real-time to ensure that systems don’t suffer

any compliance drift away from the desired configurations in order

to continue meeting requirements for PCI DSS compliance. You have the

ability to report and/or log and/or automatically repair out-of-compliance changes.

Learn more about it here:


http://www.knowbe4.com/products/instantrevert/

How a Lying 'Social Engineer' Hacked Wal-Mart

"A Wal-Mart store manager in a small military town in Canada got an

urgent phone call last month from "Gary Darnell" in the home office in

Bentonville, Ark. Darnell told the manager Wal-Mart had a

multi-million-dollar opportunity to win a major government contract,

and that he was assigned to visit the handful of Wal-Mart stores picked

as likely pilot spots. First, he needed to get a complete picture of

the store's operations.

For about 10 minutes, Darnell described who he was (a newly hired manager

of government logistics), the outlines of the contract ("all I know is

Wal-Mart can make a ton of cash off it") and the plans for his visit.

Darnell asked the manager about all of his store's physical logistics:

its janitorial contractor, cafeteria food-services provider, employee

pay cycle and staff shift schedules. He learned what time the managers

take their breaks and where they usually go for lunch." And it was

all a big lie. Story was all over, but CNN had a picture too:


http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/

'Spearphishing' Fraud Hooks More Victims

Phishing is a business, and time is money. ROI works for criminals

the same way as for us. And they are getting more effective. Smartmoney

had an article and a very interesting graph which compares phishing

and spear phishing. Check out this graph:

"What makes spearphishing so effective, experts say, is that it turns

consumers into victims of their own tech savvy: In a world where consumers

can do everything from order groceries to pay their credit card bills

and mortgages online, it no longer seems strange for government or

financial institutions to send notifications via email, even though

many organizations say they never reach out to consumers this way.

There's another layer, too. "Fraudsters who use these types of scams

are trying to connect with the recipient emotionally," says Lang.

"People react to anything about their money." Full article:


http://www.smartmoney.com/spend/technology/spearphishing-fraud-hooks-more-victims-1344216685145/

How To Rob A Bank: A Social Engineering Walkthrough

Great article at the CSO site. Professional social engineer Jim Stickley

walks through the steps he typically takes to fool clients into thinking

he's there for fire safety, while he's really proving they are an easy

target for a data breach.

By TraceSecurity's Jim Stickley, as told to Joan Goodchild. "If a company

hires us for a social engineering engagement, typically they want us to

get in and get to their back-up tapes, or into the data in their document

room. Let's say I am posing as a fire inspector. The first thing I will

have besides my badge and uniform is a walkie-talkie, like all firemen.

Outside, we'll have our car guy. The guy that sits in the car, and

basically his job in the beginning is to send chatter through to our

walkie-talkies. We will have a recording of all that chatter you'll hear

on walkie-talkies. He sits in the car and plays it and sends it through

to our walkie-talkies.

We walk into the facility and make sure that all the chatter is coming

loudly into to the walkie-talkies as soon as we walk in their door so

that we are immediately the center of attention. When I walk in, I want

everyone to know that I mean business. My walkie-talkie is loud and

everyone looks over as I apologize and turn it down." Rest of this

quite amusing and scary story is here:


http://www.csoonline.com/article/692551/how-to-rob-a-bank-a-social-engineering-walkthrough?

UPGRADE PROBLEM:

UPGRADE PROBLEM: We need an inventory of all machines that do not meet

the minimum requirements for the next Windows workstation upgrade.

My company is upgrading everyone from Windows XP to Windows 7 and

our CIO has asked for a verified inventory of machines that don’t

meet the minimum processor, memory, and disk requirements for Windows

7 so new equipment can be ordered. He also wants us to verify that

the BIOS on every machine is updated to the latest version.

InstantRevert Solution: Create a Policy that gathers the necessary

information via the GetMetrics Policy Item. Learn more about it here:


http://www.knowbe4.com/products/instantrevert/

Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

This week's mini-vacation: space! Ever wished you could zoom through a

hyper-realistic map of the universe at many times the speed of light?


http://www.flixxy.com/a-flight-through-the-universe-in-3d.htm?utm_source=4

Michael Vincent defies all human experience as the world’s maestro

of sleight of hand with his close-up magic:


http://www.flixxy.com/michael-vincent-best-close-up-magician.htm?utm_source=4

A new golf club with a rocket engine to add speed and power to your golf swing:


http://www.flixxy.com/rocket-powered-golf-club.htm?utm_source=4

Watch the adventures of Canadian DIYers as they run to complete a grand

relay from the Pacific to the Atlantic:


http://www.flixxy.com/olympic-screwdriver-relay-race-across-canada.htm?utm_source=4

Like speed? Ducati and Audi team up to attack Pikes Peak:


http://www.autoblog.com/2012/08/11/ducati-and-audi-team-up-to-attack-pikes-peak/#continued

"Where Did She Go?" An incredible magic performance by 'Kamyleon' on the

French TV show 'The World's Greatest Cabaret':


http://www.flixxy.com/magic-by-kamyleon-where-did-she-go.htm

Interview with Misha Glenny, author of "DarkMarket: How the Hackers Became

the New Mafia," there is a LOT of good information in these 27 minutes:


http://www.youtube.com/watch?v=KwqqnTAB4no

Tom Cruise test drives the Red Bull Racing F1 car and does a loop in a helicopter:


http://www.flixxy.com/tom-cruise-test-drives-f1-car-and-takes-helicopter-for-a-loop.htm