CyberheistNews Vol 3, #5
Editor's Corner
Cyber Crime Cost Small-Med Biz $1,324 Per Seat
The Ponemon Institute published its 2012 Cost of Cyber Crime study a few months ago,
and cyber crime costs are steadily rising, especially for small
and medium-sized organizations. There are some very interesting
results in this report that you can use as ammo to get budget.
They split out the cost per seat (per capita) across all the organizations
they surveyed. Table 2 on page 7 shows this average cost per enterprise
seat. Consistent with prior years, the 2012 average per capita cost for
organizations with the fewest seats is 4.3 times higher than the average
per capita cost for organizations with the most seats.
Also, the mix of cyber crime differs when you compare
small to large organizations: "Smaller organizations (below the median)
experience a higher proportion of cyber crime costs relating to viruses,
worms, trojans, phishing, stolen devices and malware. In contrast, larger
organizations (above the median) experience a higher proportion of
costs relating to malicious code, denial of services, web-based attacks,
and malicious insiders."
This is a very interesting report that you should check out and perhaps
forward to the people that hold the budget strings:
http://www.ponemon.org/local/upload/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf
Is Security Awareness Training 'In Modules' Really Working?
Most of you know Spiceworks; if you don't, it is a community for
system administrators. I started a discussion about modular security
awareness training to see what the community thinks about that type
of learning. An interesting discussion ensued, with the CEO of Wombat
Security pitching in with his (modular) perspective, and my comments
on that. Have at it!
http://community.spiceworks.com/topic/292397-is-security-awareness-training-in-modules-really-working?
Quotes of the Week
"Let no man pull you low enough to hate him." - Martin Luther King Jr.
"Hate the sin, love the sinner." - Mahatma Gandhi
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/cyberheist-news/
Arm Your Users Against Social Engineering
Your end-users are the weak link in your network security. Traditional
once-a-year security awareness training doesn't cut it anymore. Today,
your employees are frequently exposed to advanced social engineering
attacks. Your users need to be trained by an expert like Kevin Mitnick,
and after the training they need to stay on their toes, with you sending them
'set-it-and-forget-it' simulated phishing attacks. Both the attacker
and the user are human. You need a 'human firewall'.
Find out how affordable this is for your organization now! Click on the orange "Get A Quote" button on this page:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
Cyber Crime Expert Advice: Trust No One
The Union Leader in New Hampshire had an interview with Special Agent
Timothy Russell, supervisor of the FBI's cyber crime unit in Boston,
known officially as the Criminal and National Security Computer Intrusion
Squad.
Many executives in small and medium enterprises simply are not up to
speed on the rapidly increasing sophistication of the cyber mafia.
This article makes it real and comes from a trustworthy source.
If you still think of the typical computer hacker as a nerdy teenager
working from his mother's basement to engage in online vandalism, think again.
"That's not the reality today," Russell said, "There is a very sophisticated
underground economy that traffics in cyber crime."
I recently have become a member of InfraGard myself, which is a national
information sharing program between the FBI and the private sector. There
is a lot of good work being done!
Here is the Union Leader article:
http://www.unionleader.com/article/20130119/NEWS02/130129957
Got a Barracuda? It's Backdoored.
During the last few days it has come out that quite a few Barracuda
products ship with hardcoded backdoor accounts that can be exploited. These
accounts can be reached over the secure shell (SSH) protocol and allow
an attacker to log in remotely, which can lead to access to confidential
information or full control of the appliance and, from there, the whole
network. OUCH, this is really bad: keeping an undocumented feature like this
hidden from your customers. EGG - FACE.
To add insult to injury, these backdoor accounts have only weak passwords
and they CANNOT be disabled. Yeah, you read that right. Time to seriously
consider unplugging the 'cuda until they have this fixed, or at the very least
to restrict SSH access to the appliance to your management network at the
firewall and start making some noise with your rep. The problem was reported
to Barracuda in November 2012 and the company is urging all users to update
their security definitions to version 2.0.5, but that does not quite solve the
hardcoded backdoor issue. It was all over the press, but I liked Brian Krebs' take:
http://krebsonsecurity.com/2013/01/backdoors-found-in-barracuda-networks-gear/
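Since the accounts themselves cannot be disabled, the one thing you control is whether the appliance's SSH port is reachable from anywhere other than your management hosts. The script below is an added example, not code from the newsletter or from Barracuda: run it from a workstation OUTSIDE the management network against your appliance addresses (the 192.0.2.x targets are hypothetical placeholders) and any host that hands back an SSH banner is one where the backdoor login prompt is exposed and the firewall rule needs fixing. The two "fixture" functions only exist so the check can be exercised offline against a constructed banner.

```python
import socket
import threading

SSH_PORT = 22


def ssh_banner(host, port=SSH_PORT, timeout=3.0):
    """Connect to host:port and return the SSH identification string if the
    service answers with one, or None if the port is closed/filtered or the
    service is not SSH. A returned banner means SSH on that appliance is
    reachable from wherever this script is running."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(255)
    except (OSError, socket.timeout):
        return None
    # RFC 4253 allows other lines before the identification string, so scan.
    for line in data.split(b"\n"):
        line = line.strip()
        if line.startswith(b"SSH-"):
            return line.decode("ascii", errors="replace")
    return None


def audit_ssh_exposure(targets, timeout=3.0):
    """targets: iterable of (host, port). Returns a dict of the targets whose
    SSH answered, mapped to the banner seen. Run from outside the management
    network: a non-empty result means the firewall is not restricting SSH to
    the appliance as it should."""
    exposed = {}
    for host, port in targets:
        banner = ssh_banner(host, port, timeout)
        if banner is not None:
            exposed[(host, port)] = banner
    return exposed


def start_fake_ssh_server(banner=b"SSH-2.0-constructed-test-banner\r\n"):
    """Test fixture only: a local listener that sends a constructed SSH banner
    so the check can be exercised offline. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_local_port():
    """Test fixture only: a loopback port that is bound and then released,
    so a connection to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Hypothetical appliance addresses (TEST-NET-1); replace with your own.
    APPLIANCES = [("192.0.2.10", SSH_PORT), ("192.0.2.11", SSH_PORT)]
    for (host, port), seen in audit_ssh_exposure(APPLIANCES).items():
        print(f"EXPOSED {host}:{port} -> {seen}")
```

A banner is enough to fail the check: you do not need to try any credentials. Repeat the run from each network segment that should not have management access; a clean result everywhere, plus an SSH banner from the admin VLAN, is what "restricted at the firewall" looks like.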
Java Scam: How Oracle And Ask Profit From Sneaky Add-Ons
Bill Snyder over at InfoWorld puts the finger on the sore spot:
"Who doesn't love free stuff? I, for one, don't, and neither do millions of
users burdened with unwanted software when they install a new update of Java,
Adobe Reader, or Skype. Foistware, as it's called, is irritating to users,
particularly nontechnical folks who don't know how to get rid of it. Foistware
can also plague IT when it has to support naive users who allow the apps to
roost on their PCs.
"To be fair, Adobe and Skype (now owned by Microsoft) have backed off from
some of their more annoying foistware habits -- but Oracle has not. Here's
why: Every time a user is tricked into installing the useless Ask toolbar
or McAfee antivirus scanner, Larry Ellison makes a bit of money. And
because Java is notoriously insecure (the feds have even warned users to
disable it), Oracle keeps pumping out patches that give users yet another
opportunity to inadvertently install the foistware. You'd almost think
the endless patches exist as excuses to deliver foistware."
And then you had better hope that the foistware was designed to be secure from
the ground up; otherwise it expands your attack surface as well. More:
http://podcasts.infoworld.com/d/the-industry-standard/java-scam-how-oracle-and-ask-profit-sneaky-add-ons-211421?
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Seen this one? Richard Hammond races rocket-powered flying man Yves Rossy
against a rally-spec Skoda. FUN:
http://www.flixxy.com/rocket-man-vs-rally-car.htm
And while we are in the air, aerobatic pilot Martin Sonka manages to maneuver
his airplane in a tilted position, almost hovering like a helicopter alongside
parachutist Petr Mestak:
http://www.flixxy.com/airplane-vs-parachutist.htm
The amazing Mozart Group combine superb musical skills with creative
humor, joy and fun:
http://www.flixxy.com/group-mozart-how-to-impress-a-woman-being-a-musician.htm
And while we are on music, a spectacular video for Johnny Ferretti's rendition of
the classic aria Nessun Dorma (meaning 'none shall sleep'):
http://www.flixxy.com/the-last-chance.htm
This fun little slideshow is a Quiz about security mistakes in the workplace:
http://www.infoworld.com/slideshow/83587/security-mistakes-right-your-workspace-211592?
2012's worst security exploits, fails and blunders. Read it, weep, and don't let
it happen to YOU:
http://www.pcworld.com/article/2021495/2012s-worst-security-exploits-fails-and-blunders.html
Meanwhile in Japan: Train plowing through deep snow:
http://www.flixxy.com/train-plowing-through-deep-snow-in-japan.htm
"Let's just drop it and hope it floats." Launch of the Alaska Region Research Vessel 'Sikuliaq' at Marinette Marine in Wisconsin on October 13, 2012:
http://www.flixxy.com/dramatic-ship-launch.htm
Driving in snow and ice provides many challenges. These drivers and pedestrians are incredibly lucky!
http://www.flixxy.com/lucky-winter-driving.htm