CyberheistNews Vol 2, #36
Editor's Corner
A Powerful New Compliance Tool
Practically all of us take credit cards, so we need to be PCI DSS compliant.
But often on top of that, you are required to be compliant with your
industry regulation, internal security policies, or both. A major problem
though is that machines continually drift out of compliance (users, updates,
etc.). Non-compliance on endpoints and servers is both costly and risky:
hackers exploit vulnerabilities in your network, and failing an audit may
cause regulatory trouble. KnowBe4 introduces a powerful new compliance
tool to help you with these problems. Need to comply with either PCI DSS,
HIPAA, SOX, Basel II/III, Bill 198, USGCB, STIG or GLBA? Each of these
regulations creates a business challenge. We took each of them and explained
how InstantRevert helps you comply faster with less effort, and a LOT less
cost.
InstantRevert gives immediate benefits from a system admin perspective:
- Dramatic reduction in help-desk tickets
- Significantly improved security
- Massive IT Operations time savings
- Audit time and costs reduced 50% or more
I strongly recommend you check out this product. Depending on your time,
here are four options:
Option 1: 1 minute: Here is the 60-second video:
http://www.knowbe4.com/video-instantrevert/
Option 2: 2 minutes: Check this page, find the compliance standard
that applies to you (PCI DSS is the first one), see the business
challenge and how InstantRevert helps:
http://www.knowbe4.com/products/instantrevert-compliance/
Option 3: 5 minutes: Read through the webpage and, to start with,
download your full-function 5-machine eval. One of our SEs can help you step through the install:
http://www.knowbe4.com/products/instantrevert/
Option 4: 10 minutes. Download and read the (PDF) whitepaper:
InstantRevert - A New IT Best Practice: Real-time Compliance:
https://s3.amazonaws.com/knowbe4.cdn/InstantRevertWhitePaper.pdf
Home Security Awareness Training: 30-second Survey
Ever since we released Kevin Mitnick Security Awareness Training, the single most mentioned comment from employees who had done the training was: "How do I share this with my family? They need to know this!" We are working on a Home Security Awareness Training now. Which topics do you think should be in this training? Just write down a few points you think are the most important to cover. Thanks so much in advance!
https://www.surveymonkey.com/s/homeSAT
Quotes of the Week
"You can’t get ahead if you’re busy catching up" - unknown
"It has been my observation that most people get ahead during the
time that others waste." - Henry Ford
"Leaders must be close enough to relate to others, but far enough
ahead to motivate them." - John C. Maxwell
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
PCI DSS PROBLEM: There are six major control objectives and 12
requirements that IT Managers must implement under PCI DSS. Discovering
the vulnerability or out-of-compliance configuration is just the
beginning. Once identified, you must then manually mitigate the issue
to ensure compliance.
InstantRevert Solution: InstantRevert helps you manage configurations
and password settings in real-time so that systems do not drift away
from the desired configurations and keep meeting the PCI DSS
requirements. You can report, log, or automatically repair
out-of-compliance changes, in any combination.
Learn more about it here:
http://www.knowbe4.com/products/instantrevert/
How a Lying 'Social Engineer' Hacked Wal-Mart
"A Wal-Mart store manager in a small military town in Canada got an
urgent phone call last month from "Gary Darnell" in the home office in
Bentonville, Ark. Darnell told the manager Wal-Mart had a
multi-million-dollar opportunity to win a major government contract,
and that he was assigned to visit the handful of Wal-Mart stores picked
as likely pilot spots. First, he needed to get a complete picture of
the store's operations.
For about 10 minutes, Darnell described who he was (a newly hired manager
of government logistics), the outlines of the contract ("all I know is
Wal-Mart can make a ton of cash off it") and the plans for his visit.
Darnell asked the manager about all of his store's physical logistics:
its janitorial contractor, cafeteria food-services provider, employee
pay cycle and staff shift schedules. He learned what time the managers
take their breaks and where they usually go for lunch." And it was
all a big lie. The story was everywhere, but CNN had a picture too:
http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/
'Spearphishing' Fraud Hooks More Victims
Phishing is a business, and time is money. ROI works for criminals
the same way as for us, and they are getting more effective. SmartMoney
ran an article with a very interesting graph comparing phishing and
spear phishing. From the article:
"What makes spearphishing so effective, experts say, is that it turns
consumers into victims of their own tech savvy: In a world where consumers
can do everything from order groceries to pay their credit card bills
and mortgages online, it no longer seems strange for government or
financial institutions to send notifications via email, even though
many organizations say they never reach out to consumers this way.
There's another layer, too. "Fraudsters who use these types of scams
are trying to connect with the recipient emotionally," says Lang.
"People react to anything about their money." Full article:
http://www.smartmoney.com/spend/technology/spearphishing-fraud-hooks-more-victims-1344216685145/
How To Rob A Bank: A Social Engineering Walkthrough
Great article at the CSO site. Professional social engineer Jim Stickley
walks through the steps he typically takes to fool clients into thinking
he's there for fire safety, while he's really proving they are an easy
target for a data breach.
By TraceSecurity's Jim Stickley, as told to Joan Goodchild. "If a company
hires us for a social engineering engagement, typically they want us to
get in and get to their back-up tapes, or into the data in their document
room. Let's say I am posing as a fire inspector. The first thing I will
have besides my badge and uniform is a walkie-talkie, like all firemen.
Outside, we'll have our car guy. The guy that sits in the car, and
basically his job in the beginning is to send chatter through to our
walkie-talkies. We will have a recording of all that chatter you'll hear
on walkie-talkies. He sits in the car and plays it and sends it through
to our walkie-talkies.
We walk into the facility and make sure that all the chatter is coming
loudly into the walkie-talkies as soon as we walk in their door so
that we are immediately the center of attention. When I walk in, I want
everyone to know that I mean business. My walkie-talkie is loud and
everyone looks over as I apologize and turn it down." Rest of this
quite amusing and scary story is here:
http://www.csoonline.com/article/692551/how-to-rob-a-bank-a-social-engineering-walkthrough
UPGRADE PROBLEM: We need an inventory of all machines that do not meet
the minimum requirements for the next Windows workstation upgrade.
My company is upgrading everyone from Windows XP to Windows 7 and
our CIO has asked for a verified inventory of machines that don’t
meet the minimum processor, memory, and disk requirements for Windows
7 so new equipment can be ordered. He also wants us to verify that
the BIOS on every machine is updated to the latest version.
InstantRevert Solution: Create a Policy that gathers the necessary
information via the GetMetrics Policy Item. Learn more about it here:
http://www.knowbe4.com/products/instantrevert/
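If you want to see what that inventory looks like without a product in the loop, here is an added example, written for this newsletter and not InstantRevert's own code, that gathers the same metrics over WMI from an admin workstation. It checks each machine against the published Windows 7 minimums (1 GHz processor, 1 GB RAM for 32-bit or 2 GB for 64-bit, 16 GB or 20 GB free on the system drive) and compares the reported BIOS version to a table you fill in from your vendor's current releases. Assumptions: WMI/DCOM is reachable on the targets, the running account is a local admin there, and the $ExpectedBios entries are hypothetical placeholders.

```powershell
# Added example: inventory machines that miss the Windows 7 minimums and
# flag machines whose BIOS is not at the vendor's current version.
# Assumes remote WMI works and the caller is an admin on each target.
param(
    [string[]]$ComputerName = @('localhost'),
    [switch]$Wants64Bit      # 64-bit Windows 7 needs 2 GB RAM / 20 GB disk
)

# Model (Win32_ComputerSystem.Model) -> current vendor BIOS version.
# Fill this from your hardware vendor's support site; the entry below is hypothetical.
$ExpectedBios = @{
    'OptiPlex 780' = 'A15'
}

$minMHz    = 1000
$minRamGB  = if ($Wants64Bit) { 2 }  else { 1 }
$minDiskGB = if ($Wants64Bit) { 20 } else { 16 }

$results = foreach ($c in $ComputerName) {
    try {
        $cpu  = Get-WmiObject Win32_Processor       -ComputerName $c -ErrorAction Stop | Select-Object -First 1
        $sys  = Get-WmiObject Win32_ComputerSystem  -ComputerName $c -ErrorAction Stop
        $os   = Get-WmiObject Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
        $bios = Get-WmiObject Win32_BIOS            -ComputerName $c -ErrorAction Stop
        $sysDrive = Get-WmiObject Win32_LogicalDisk -ComputerName $c -ErrorAction Stop |
                    Where-Object { $_.DeviceID -eq $os.SystemDrive }
    } catch {
        # Unreachable hosts stay in the report: a "verified" inventory must show what was not verified.
        [pscustomobject]@{ Computer = $c; Status = 'UNREACHABLE'; Reason = $_.Exception.Message }
        continue
    }

    $mhz    = $cpu.MaxClockSpeed
    $ramGB  = [math]::Round($sys.TotalPhysicalMemory / 1GB, 2)
    $freeGB = [math]::Round($sysDrive.FreeSpace / 1GB, 2)

    $fail = @()
    if ($mhz    -lt $minMHz)    { $fail += "CPU ${mhz} MHz < ${minMHz} MHz" }
    if ($ramGB  -lt $minRamGB)  { $fail += "RAM ${ramGB} GB < ${minRamGB} GB" }
    if ($freeGB -lt $minDiskGB) { $fail += "Disk ${freeGB} GB free < ${minDiskGB} GB" }

    # $null means "model not in the table, cannot verify" rather than "outdated".
    $biosCurrent = if ($ExpectedBios.ContainsKey($sys.Model)) {
                       $bios.SMBIOSBIOSVersion -eq $ExpectedBios[$sys.Model]
                   } else { $null }

    [pscustomobject]@{
        Computer    = $c
        Status      = if ($fail.Count) { 'NEEDS HARDWARE' } else { 'OK' }
        Reason      = $fail -join '; '
        Model       = $sys.Model
        BiosVersion = $bios.SMBIOSBIOSVersion
        BiosCurrent = $biosCurrent
    }
}

# One list for purchasing, one for the firmware-update queue, and the full table on screen.
$results | Where-Object { $_.Status -ne 'OK' }         | Export-Csv .\win7-hardware-gaps.csv -NoTypeInformation
$results | Where-Object { $_.BiosCurrent -eq $false }  | Export-Csv .\bios-outdated.csv      -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it as `.\Win7Inventory.ps1 -ComputerName (Get-Content hosts.txt) -Wants64Bit` from a machine with PowerShell 2.0 or later. Free space is measured on the system drive only, because that is where Setup needs it; a machine with a roomy data partition and a full C: still fails the check.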
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
This week's mini-vacation: space! Ever wished you could zoom through a
hyper-realistic map of the universe at many times the speed of light?
http://www.flixxy.com/a-flight-through-the-universe-in-3d.htm?utm_source=4
Michael Vincent defies all human experience as the world’s maestro
of sleight of hand with his close-up magic:
http://www.flixxy.com/michael-vincent-best-close-up-magician.htm?utm_source=4
A new golf club with a rocket engine to add speed and power to your golf swing:
http://www.flixxy.com/rocket-powered-golf-club.htm?utm_source=4
Watch the adventures of Canadian DIYers as they run to complete a grand
relay from the Pacific to the Atlantic:
http://www.flixxy.com/olympic-screwdriver-relay-race-across-canada.htm?utm_source=4
Like speed? Ducati and Audi team up to attack Pikes Peak:
http://www.autoblog.com/2012/08/11/ducati-and-audi-team-up-to-attack-pikes-peak/#continued
"Where Did She Go?" An incredible magic performance by 'Kamyleon' on the
French TV show 'The World's Greatest Cabaret':
http://www.flixxy.com/magic-by-kamyleon-where-did-she-go.htm
Interview with Misha Glenny, author of "DarkMarket: How the Hackers Became
the New Mafia," there is a LOT of good information in these 27 minutes:
http://www.youtube.com/watch?v=KwqqnTAB4no
Tom Cruise test drives the Red Bull Racing F1 car and does a loop in a helicopter:
http://www.flixxy.com/tom-cruise-test-drives-f1-car-and-takes-helicopter-for-a-loop.htm