|
CyberheistNews Vol 3, 28
Editor's Corner
Five Ways Your Employees Can Kill Your Company
One - Insider Threat: Stealing valuable information for either profit or idealistic motives. Examples: Software developers taking home code for their next job, sales people downloading customer databases and move to the competition, and then there are whistleblowers like Snowden who can destroy your reputation whether you deserve it or not. The Insider Threat can be mitigated by thorough attention on the Policies, Procedures & Awareness layer of your "defense-in-depth" model, focused on granular access control, data leak prevention and compartmentalization of data.
Two - Allow access to a restricted area: You'd be surprised how easy it is to walk into a building with nothing else than a clipboard and a falsified ID. Penetration testers use this social engineering trick all the time with great success. People instinctively want to help other people; they are courteous opening doors with a friendly smile. How about that smoking area at the back of the building, someone standing there could easily piggyback in with some other smokers returning to work. Who knew the person they let in was a hacker that installed a keylogger on the PC of the CFO? Policies and Procedures are again the determining factors in these cases. Employees need to be trained or you will feel the pain.
Three - Open an infected email attachment: Advanced Persistent Threats use highly targeted spear-phishing emails with an attachment that is not flagged as dangerous because your antivirus does not know about it (yet). An example is a C-level executive who received an email from a charity requesting the exec's input about a fundraising drive. The attached Word Document was infected and sent the user's login credentials to the hacker which allowed the bad guys to completely take over the network. (Here is a link to a 2-minute video with Kevin Mitnick that shows how it's done.)
Four - Insert an infected thumb drive in their computer: An employee simply inserting a thumb drive that they found in the restroom can open your network to the outside with disastrous consequences. It can be impossible to resist checking out what is on that drive if the label says: "Q2 Layoff Plan". And how did that drive get in the restroom? An attacker was given access by a new employee who was not properly trained during their onboarding process.
Five - Click on a link in a phishing email: Most people are not aware of the fact that these days it only takes one click to let cybercriminals into your network. Cybercrime has gone pro. It's a 3 Billion industry with a well-developed underground economy. Nine out of ten times the infection is caused by a legit site that has been compromised and serves malware to visitors that arrive there by clicking on a link in a phishing email.
It honestly is no exaggeration that today one click actually can kill your company. It won't happen overnight, but if suddenly a foreign competitor sells a product almost identical to yours for one third of the price, it may be enough to bankrupt you. Security Awareness Training is no luxury these days. It's a "must-do" piece of the puzzle to keep the bad guys out.
Quotes of the Week
"It is forbidden to kill; therefore all murderers are punished unless they kill in large numbers and to the sound of trumpets." - Voltaire
"We shall not kill and maybe next time we even won't. - Earl Warren, Intruder in the Dust
Thanks for reading CyberheistNews! But if you want to unsubscribe, you can do that right here
You can read CyberheistNews online at our Blog!:
http://blog.knowbe4.com/bid/313174/CyberheistNews-Vol-3-27
|
Can Your Domain Be Spoofed? Find Out Now:
 91% of successful data breaches began with a “spear-phishing” email, research from security software firm Trend Micro shows. Are -you- vulnerable? Find out now if your email server is configured correctly, many are not!
KnowBe4 offers you a free 'Domain Spoof Test', which shows if outsiders can send you an email coming from someone within your own domain. It's quick, easy and often a shocking discovery. The single thing we do is just send one email from the outside directly to you, but we spoof someone in your own domain.
Can hackers send all your employees an email 'from your CEO'? Find out now:
http://info.knowbe4.com/130416domainspooftest-1-0
CTO Of Media Company Faked-Out Employees With Phishing Emails
There is a fascinating article in SC Magazine dated July 3, 2013 which tells the story of Atlantic Media Chief Technology Officer Tom Cochran, who blasted out a simulated phishing email to all 450 email addresses in the company directory. The results, he said, should be something of a wake-up call. The link directed employees to a website that revealed the scam, Cochran told SCMagazine.com, and the roughly 120 employees who clicked it were likely surprised to see it was a con.
That falls exactly in the 20-30% of employees we find to be Phish-prone and click on our initial Phishing Security Test before we train them.
Cochran, who worked nearly two years in the White House as director of new media technologies, said he sees a growing trend in business where functionality, convenience and cost often takes precedence over security.
“You're only as strong as your worst offender,” Schneier told SCMagazine.com this week, explaining that it only takes one reckless employee opening a malicious email to put an office network at risk. “I really would rather see investment in systems that take user mistakes out of the loop. Make it so users can't destroy security. For example, any anti-virus that makes it so the user can't click a link will help.”
What Schneier does not seem to realize is that cybercrime now produces 200,000 new malware versions on an industrial scale each and every day, and that antivirus is not able to keep up any more. It is absolutely necessary each employee from the Board on down to the mail room gets security awareness training, and be continually tested afterward. More:
http://www.scmagazine.com/cto-of-media-company-faked-out-employees-with-phishing-emails/article/301603/
Cybersecurity Is Every Employee’s Responsibility
The second quarter Industrial Control Systems Cyber Emergency Response Team Monitor summary of data and recommendations from Verizon’s 2013 Data Breach Investigations Report highlights that: "No single person or group can be solely responsible for the cybersecurity of an organization. Instead, organizations should create a culture to reinforce that cybersecurity is every employee’s responsibility all the way up to the boardroom."
The report indicates that targeted attacks frequently rely on social methods to compromise people, not just computers, using social tactics such as phishing, spear-phishing, and watering hole attacks; layered and constant approach is needed for defending, detecting, and responding to cyber incidents. Read more at:
http://ics-cert.us-cert.gov/sites/default/files/ICS-CERT_Monitor_April-June2013.pdf
SANS New OUCH! Covers Spear Phishing
SANS announced the July issue of OUCH! This month, led by Guest Editor Lenny Zeltser, they cover spear phishing. Specifically, what spear phishing is, how it works, why you may be a target and how to protect yourself. As always, we encourage you to download and share OUCH! with others. English Version (PDF):
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201307_en.pdf
WhitePaper: "Building A Human Firewall"
Our partner SwanIsland wrote a whitepaper about building a human firewall which enhances Awareness, Compliance and Education across your workforce. Cybero provides a fast, agile and comprehensive cyber threat Awareness, Compliance and Education (ACE) solution that helps your workforce manage cyber security threats in real-time. With Cybero, you can give your staff the knowledge, training, tools and services to reduce human error, and build a human firewall:
http://swanisland.net/building-human-firewalls-kb4
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Water Car Panther is the fastest amphibious car in the World - capable of 80 mph (127 km/h) on the road and 44 mph (70 km/h) on water. I want one:-
http://www.flixxy.com/worlds-fastest-water-car.htm
Meet "T8", the Bio Inspired 3D Printed Spider Octopod Robot. Disturbingly realistic. You can really scare the living daylights out of someone with this:
http://www.youtube.com/watch?v=HfiHOpv6HtI#action=share
And here are the insides of its cheaper little hexapod robot spider brother:
http://www.youtube.com/watch?v=kMKxwBRqtBw#at=82
Ten funny videos about computer passwords:
http://www.networkworld.com/slideshow/108885/10-funny-videos-about-computer-passwords.html?
A Rube Goldberg contraption powered by dogs and their favorite toys. It's an ad for dogfood but still it's well done:
http://www.flixxy.com/dog-goldberg-machine.htm
Love apparently knows no boundaries in the animal kingdom. Check out these animal odd couples:
http://www.flixxy.com/animal-odd-couples.htm
Bride and groom Gary and Tracy Richardson asked Reverend Kate Bottley to put a twist on their traditional wedding. Wait until the two old ladies walk out. ... Awkward?
http://www.flixxy.com/unexpected-wedding-dance.htm
|
