DarkReading had an article a few weeks ago: 'How Hackers Fool Your Employees' that was very interesting to read. What caught my eye were two quotes from thought leaders in our security training space: Lance Spitzner from SANS and Rohyt Belani from PhishMe.
Lance Spitzner, training director for the Securing The Human Program at SANS Institute, said: "Computers store, process and transfer information, and people store, process and transfer information. They're another endpoint. But instead of buffer overflows, people suffer from insecure behaviors."
Rohyt Belani, CEO of security training firm PhishMe, observed something interesting. He said: "Conversational phishing is the latest attack trend. The victim gets multiple emails that make it look like there's a human on the other end and that it's part of an email thread." The attacker knows enough about the victim and his interests to convince him that, say, they had met at a busy convention such as RSA.
From there, the attacker tells the victim about a blog post that he'd surely be interested in and attaches an infected version. The attacker even sends a follow-up message asking the user if he had a chance to look at the blog. "Now you're subconsciously convinced that it's a real human being so you open that document," Belani says. "The bad guys have been doing that for at least the last six months."
That's why I call it 'PSP' for Persistent Spear Phishing but the concept is clear. It's ultimately a human attacking a human via the Internet, either through a single email or a logical sequence of emails that can easily be automated. Here is the whole article, which ends with two VERY interesting graphs you should definitely check out! http://www.darkreading.com/end-user/how-hackers-fool-your-employees/240152770?
Did you know that SonicWall has an interesting Phishing IQ test on their website? It's a few years old but actually fun and interesting to do. You get a series of 10 emails and, for each one, you need to indicate whether it is a phishing attack or legit. Go ahead and test whether you get them all correct. At the end they explain for each email why it's either a scam or legit. Here you go, and have fun: https://www.sonicwall.com/furl/phishing/
Quotes of the Week
"The winner's edge is not in a gifted birth, a high IQ, or in talent. The winner's edge is all in the attitude, not aptitude. Attitude is the criterion for success." - Denis Waitley
"An intelligent person is never afraid or ashamed to find errors in his understanding of things." - Bryant H. McGill
"The true sign of intelligence is not knowledge but imagination." - Albert Einstein
Stop Phishing Security Breaches
Your end-users are the weak link in your network security. Today, your employees are frequently exposed to advanced phishing attacks, and over 90% of data breaches start with a phishing attack.
IT Security specialists call it your 'phishing attack surface'. The more email addresses that are exposed, the bigger your attack footprint is, and the higher the risk. It's often a surprise how many of your addresses are actually out there, and whose.
Find out now which of your email addresses are exposed. The Email Exposure Check (EEC) is a one-time free service. KnowBe4 customers with a Gold package get an EEC sent to them regularly so they can address the issues that are found. An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.
Advanced Persistent Threats (APT) are essentially industrial espionage by nation-states. Several of these APTs are supported by their military (like China and Iran) and go after both civilian and military targets. An APT really is a team of skilled hackers that have been given a target like Boeing and work day and night to penetrate that account.
Obviously cyber-espionage can be used for two things: 1) Exfiltrate intellectual property for competitive purposes, 2) Discover weak spots in a nation's critical infrastructure and use these for cyberwar (disruption).
This is the 30,000-foot perspective of what needs to be done. First you need to filter ingress, but also filter egress at the same time, then you analyze your network for hacker intrusions, and last but not least, you need to step your users through security awareness training. The filtering can be done with existing software layers. The analysis is a job for dyed-in-the-wool security researchers that dig into all your log files, the registry and other data. You know where to go for the training.
Federal CIOs' Awareness Training Survey Results
TechAmerica, the trade group representing IT manufacturers, released some interesting survey results this month. Of the U.S. Federal CIOs, about 40 percent contend security awareness training is effective or very effective; only 8 percent rate it as ineffective. Half of them are neutral, and I am sure that's because they have done it for compliance reasons only, and old-style: coffee and donuts in the break room and death by PowerPoint.
One government agency phished its own employees, and nearly one in five receiving a tainted e-mail took the bait. "Those who fell for it were directed to a page and told they had been phished," the CIO says. "Then we provided some on-the-spot training and education. The reaction was actually very positive." More: https://www.techamerica.org/Docs/CIO%20Survey_May%202013_v4.pdf
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Quadruped Robot walks on four legs, rolls on four treads. Crafty: