CyberheistNews Vol 3, 18
Editor's Corner
Training Fragmentation Causes Knowledge Gap
Ready for a rant? Here goes! More and more, you see training companies promote their security awareness training products as ‘modular’ as if that is something good. It’s not. They break their training in small modules, split up by security topic, and say that this is better. It’s not. They say that this is the way people learn and work. It’s definitely not. They claim that short lessons are easy to learn. That is patent nonsense. Is a 10 minute lesson in astrophysics easy to learn? They say that one lesson a month, each with a different security awareness topic, is the best approach. It’s actually an invitation to a data breach. Would you install a firewall and slowly, over time, block the ports you need to defend?

There is a massive problem with this approach: Security Training Fragmentation causes a Knowledge Gap.

You want all your employees, as soon as possible, to understand and be armed against -all- attack vectors. Employees should get all the important online dangers in one training session, integrated and reinforced multiple times within that initial training session. That is the only responsible way to deploy security awareness training. With all employees knowing all the online dangers, there is group agreement and peer pressure in the direction of secure behavior. You don’t want to start with training them about phishing and only weeks or months later train them about the dangers of social networking. That leaves a social engineering hole big enough to drive a truck through.

If you want to keep all employees on their toes with security top of mind, do that with continued testing. Sending a simulated phishing attack once a week is extremely effective to keep them alert, and a proven way to dramatically decrease their Phish-prone percentage.

Our apologies if we sound a bit hot under the collar, but at KnowBe4 we are passionate about security. Perhaps other types of training can be drawn out and fragmented, but we are dealing with IT security here, and employees are the weak link! [/rant]
It's 'Copy-and-Paste Cybercrime' These Days
You all remember Zeus, right? It was discovered in 2007, the year that Cybercrime went 'pro'. Zeus was not just malware, it was the start of an underground criminal cyber economy that has been flourishing. Zeus really is a platform. It allows cyber mafias to put together their attacks in a few clicks. If you can set up a web server, you can use Zeus and choose which bank you want to target, which scams you want to use to snag victims, and what methodology to store all your loot consisting of credentials and credit card numbers. Zeus lets anyone become an internet criminal for a few hundred bucks. Then, in 2011 the platform got upgraded. It generated its own much harder to take down domains, it killed the concept of 'command and control' servers and went peer-to-peer. It came with dedicated tech support, and botnets that you could hire for a few bucks per hour. Today, we're talking millions of computers that have been infected by Zeus, and the cyberheists are getting easier to pull off every year. You can no longer rely on end-point security products. You really need to give a serious look at defense-in-depth! See the article below with the graph.
Quotes of the Week
"If money is your hope for independence, you will never have it. The only real security that a man can have in this world is a reserve of knowledge, experience and ability." - Henry Ford
"There is no security on this earth; there is only opportunity." - Douglas MacArthur
Please tell your friends about CyberheistNews! They can subscribe here: http://www.knowbe4.com/cyberheist-news/
You can read CyberheistNews online at our Blog!: http://blog.knowbe4.com/bid/268774/CyberheistNews-Vol-3-18
This Is How Attackers Break Into Your Network
91% of data breaches begin with a “spear-phishing” email, research from security software firm Trend Micro shows. Are -you- vulnerable? Find out now whether your email server is configured correctly; many are not!
KnowBe4 offers you a free 'Domain Spoof Test', which shows if we can send you an email coming from someone in your own domain. It's quick, easy and often a shocking discovery. The single thing we do is just send one email from the outside to you.
Can hackers spoof an email address from your own domain, which is the first step of an incredibly expensive data breach? Find out now: http://info.knowbe4.com/130416domainspooftest-0-0
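The test above sends one message from outside that carries your own domain in the From header. As an added illustration of the configuration question behind it (not KnowBe4's test and not code from the newsletter), the following Python evaluates a domain's SPF and DMARC TXT records and reports whether a receiver would reject such a message; the domain names and records are constructed placeholders, and it assumes the receiving server enforces the published DMARC policy.

```python
import re
# Constructed sample TXT records standing in for DNS lookups of <domain> and _dmarc.<domain>; placeholder domains.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "spf-only.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.spf-only.example": ["v=DMARC1; p=none; rua=mailto:dmarc@spf-only.example"],
    "strong.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
}

def spf_all_qualifier(records):
    """Qualifier on the SPF 'all' term ('-', '~', '?' or '+'); None unless exactly one SPF record exists."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208: several SPF records are a permanent error, none means no SPF
        return None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return "?"  # no 'all' term: senders not listed are treated as neutral

def dmarc_policy(records):
    """Return the DMARC 'p' tag in lower case, or None if the domain publishes no DMARC record."""
    for r in records:
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for tag in r.split(";"):
                if "=" in tag:
                    key, value = tag.split("=", 1)
                    tags[key.strip().lower()] = value.strip().lower()
            return tags.get("p", "none")
    return None

def assess_spoofing(domain, txt=SAMPLE_TXT):
    """SPF only covers the envelope sender, so a forged visible From header is stopped
    only by an enforcing DMARC policy (assumption: the receiver honours what is published)."""
    spf = spf_all_qualifier(txt.get(domain, []))
    policy = dmarc_policy(txt.get("_dmarc." + domain, []))
    enforcing = policy in ("quarantine", "reject")
    findings = []
    if spf is None:
        findings.append("no usable SPF record")
    elif spf != "-":
        findings.append(f"SPF ends in '{spf}all' rather than '-all'")
    if policy is None:
        findings.append("no DMARC record")
    elif not enforcing:
        findings.append(f"DMARC p={policy} does not enforce")
    return {"domain": domain, "spf_all": spf, "dmarc_p": policy,
            "from_spoofable": not enforcing, "findings": findings}
```

Note that spf-only.example publishes a strict SPF record yet still reports as spoofable, because nothing ties the visible From header to the SPF result until DMARC enforces it.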
10 Tips To Secure Funding For A Security Program
Over at the CSO site, Dominic Nessi, CIO for Los Angeles World Airports, outlines ten essential tips for getting your financial team on board with your security funding requests.
"Ask any cyber security specialist what their biggest challenge is, and you will get a variety of answers — ranging from strengthening network security, to managing internal threats, to protecting against cyber espionage. But upon further investigation, you may be surprised to learn that the unanimous pick for the biggest challenge cybersecurity professionals face is simply getting the funding necessary to carry out a security program. There are a great deal of resources and technical support available on how to deal with the never-ending list of threats that arise daily; and we have plenty of opportunities to learn and digest security best practices. However, little information or guidance is available to prepare one for the dreaded budget discussion when new or continued funding is necessary to maintain a strong cyber security posture."
Here is the warmly recommended article: http://www.csoonline.com/article/732053/10-tips-to-secure-funding-for-a-security-program?
Six Steps To Successful Security Awareness Training
If you were to schedule an event to teach people about Internet Security and make attendance optional, only about 5% of your entire office population would show up. And guess what, those 5% are probably the people that need it least.
Here are the six elements of a successful Internet Security Awareness Training Program:
1) Formulate, and make easily available, a written Security Policy. Each employee needs to read the document and sign it as an acknowledgment that they understand the policy and will apply it.
2) Give all employees a mandatory (online) Security Awareness Course, with a clearly stated deadline. It is highly recommended to explain to them in some detail why this is necessary.
3) Make this Security Awareness Course part of the onboarding process of each new employee.
4) Keep all employees on their toes with security top of mind, by continued testing. Sending a simulated phishing attack once a week is extremely effective to keep them alert.
5) Never publicly identify an employee that fails a simulated attack; let their supervisor or HR take this up privately. Give a quarterly prize for the three employees with the lowest ‘fail-rate’.
6) If you use posters, stickers and/or screensavers, change the pictures or messages monthly. After a few weeks people simply don’t ‘see’ them anymore. It’s more effective to send them regular ‘Security Hints & Tips’ via email.
Defense-in-Depth
Organizations defend their networks on each of the six levels in the graph you see. End-user Internet Security Awareness Training resides in the outer layer: ‘Policies, Procedures, and Awareness’. As you see, this is the outer shell and in reality it is where security starts. You don’t open the door for the bad guy to come freely into your building, right? Let’s have a quick and admittedly highly simplified look at defense-in-depth.
End-user Security Awareness is an important piece of your security puzzle because many attack types go after the end user (called social engineering) to succeed. Once an organization has published policies, has implemented security procedures, and has trained all employees, the first step of defense-in-depth has been established.
- The second step is defending the perimeter. In the case of IT that usually means a firewall, and related tools to block intrusions.
- Part three is protection of the internal network. There are various software tools that scan the network for attackers, traffic that should not be there, and many other ways to detect attacks.
- Next, protecting each individual computer in the network is also crucial. Here is where end-point security tools live, which attempt to block attacks on the individual computer level.
- Then, there are many ways to protect the individual applications that are running on computers in the organization, and last but not least, the data also needs to be protected, and yet again, there are many, many ways to do that, for example encryption.
However, end-user security awareness can affect every aspect of an organization’s security profile, as it truly is where security starts! That is why it is so important that small and medium enterprises (including non-profits) give their end-users Internet Security Awareness Training, and enforce compliance.
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Alice Fredenham impressed the Britain's Got Talent judges and audience with her acoustic rendition of 'My Funny Valentine': http://www.flixxy.com/alice-fredenham-sings-my-funny-valentine-on-britains-got-talent.htm
After their viral success of 'Roller Skating Babies' in 2009, Evian is back with a new version titled ‘Baby and Me.’ This one is fun!: http://www.flixxy.com/dancing-evian-babies-are-back-with-baby-and-me.htm
Humorous trombone performance that builds up as it goes along: http://www.flixxy.com/fun-with-trombones.htm
Diver and dolphin work together to get a fishing hook and line off the bottlenose dolphin's fin: http://www.flixxy.com/dolphin-asks-diver-for-help.htm
World's Fastest Electric Supercar is called 'VOLAR-e'. From 0-62 in just 3.4 seconds: WOW: http://www.flixxy.com/worlds-fastest-electric-supercar-volar-e.htm
Giraffes take on high diving in '5m80', a funny animated short film by Nicolas Deveaux: http://www.flixxy.com/high-diving-giraffes.htm
Slideshow: 10 surreal moments in infosec history. A look at moments in infosec history that left us dumbfounded: http://www.cso.com.au/slideshow/459002/pictures-10-surreal-moments-infosec-history/
A cute collection of some sad looking cats, combined with the right music for each. LOL: http://www.flixxy.com/sad-cats.htm
A modern, simple and efficient way to sweep a chimney, as practiced in Zarinsk, Russia. http://www.flixxy.com/modern-chimney-sweep.htm