CyberheistNews Vol 3, 30

Editor's Corner

"It's Not That Computers Aren't Secure, It's That People Aren't."

DefCon has a blog discussing issues related to Social Engineering. It starts out with this anonymous quote: "It's not that computers aren't secure, it's that people aren't." Oh so true. To illustrate that, here is a great video made by the U.K.'s Centre for the Protection of National Infrastructure. The video is a few years old but was only recently uploaded to YouTube, and it is still very relevant. Nice to see the Brits get the message; this is a very good one to share with all employees:
http://www.youtube.com/watch?v=2sh4BIaF6gg&feature=youtu.be

My New Pebble Smartwatch: A Social Engineering Problem

I scored a brand new jet-black Pebble smartwatch this week. It's Kickstarter's most visible and successful product, pretty cool, easy to set up out of the box even for a non-techie, and the customization features are exciting. I finally have a watch face I designed exactly like I needed it. There are some drawbacks though.

Soon Sony, Google, Apple, Samsung and others will come out with their own wearable devices. For better or for worse, we are at the cusp of a new age: BYOWD (Bring-Your-Own-Wearable-Device).

If you listen to the ever wildly optimistic Juniper Research, almost 70 million smart wearable devices will be sold in 2017. At the moment wearable tech is for the pioneer / early adopter crowd, but I'm tellin' ya, one of your execs who hooked up their smartwatch or Google Glass to their smartphone is going to have pairing issues or other problems, need tech support... and call YOU.

Perhaps you yourself will be wearing one of these puppies to warn you that a mission critical system is down. And mostly these smartwatches are going to be used for just that: notification.

I've got my Pebble set up with Caller-ID and Text notifications so I can see who tries to get in touch with me without having to quickly grab my phone and see who it is. However, it looks like the firmware is still being worked on as I'm having some pairing problems with my brand new Galaxy S4.

And imagine the extra security risk and social engineering threat you now have to deal with. The Bluetooth or Wi-Fi connection gets hacked, the attacker sends a text from a supposedly trusted source with the request to quickly call re an emergency and it's security breach city. Think about the risks in the financial, healthcare and energy sectors with BYOWD. Here is an article that shows that Google Glass is vulnerable to attacks:
http://www.cio.com/article/736633/Symantec_Google_Glass_Still_Vulnerable_to_Wi_fi_Attack

One way to deal with this is to manage one more class of device in your Mobile Device Management console, this one literally attached to your user, and to approve network access only for devices that you can actually manage that way.

For better or for worse, we live in an era of "there's an app for that", in which the employees choose which applications to use on their mobile devices and we in IT need to somehow provide a secured framework for this purpose. From a security angle, this is not a "nice to have", but a real need.

Forget about "securing the perimeter"; that concept is now dead. BYOWD makes it more than clear that your individual user is your perimeter now, wherever they may be. And they'd better be trained not to fall for hacker tricks.

What do you think? Does wearable tech have a future in the enterprise?

Quotes of the Week

"For once you have tasted flight you will walk the earth with your eyes turned skywards, for there you have been and there you will long to return." - Leonardo da Vinci

"Learning the secret of flight from a bird was a good deal like learning the secret of magic from a magician." - Orville Wright


Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

Organizations have five ways to do Security Awareness Training:

1: "Do Nothing" and count on users to not click on phishing links. A surprising 25% of organizations still rely on this tactic.

2: "The Break Room": herd all users into the break room once a year with donuts and coffee and give them a death-by-PowerPoint session. Rinse and repeat after 12 months.

3: "The Monthly Security Video", where users are given short videos that each cover a topic related to keeping the network and organization safe and secure.

4: "The Phishing Test", where (usually an internal) team selects a group of users and sends them a simulated phishing attack. Employees that fail are asked to do a short remedial training.

5: "The Human Firewall": pre-test all users to find out your organization's Phish-prone percentage, then train all employees to resist the important attack vectors, and then continue to send simulated phishing attacks to all users year-round. Fully automated, super simple, very little time required.

Find out now how affordable Option 5 really is. Get a Quote for your organization now:
http://info.knowbe4.com/free-email-exposure-check-1-3-0-7-1-5

The One Security Technology That Actually Works

On July 16, 2013, Roger Grimes wrote an article in InfoWorld that was straight out of my mind. He said: "Antivirus, perimeter defense, and network monitoring are jokes. But whitelisting works once you clear the political and logistical hurdles."

He went on with: "To decrease security risk, most companies try to do too much. They have dozens of "top priority" security projects, few of which they ever complete and even fewer that are done well. The irony: Little of that activity addresses the threats most likely to compromise an enterprise.

"The No. 1 defensive measure any company can take is to prevent unauthorized programs from running on any computer. Most often, bad guys break into companies through holes in unpatched software -- and when they do, they almost always end up running hacking tools. Prevent those hacking tools from running and you'll reduce risk by 99 percent.

"The best way to do that is to use an application control program, aka whitelisting software. Basically, you allow only those programs on the list to run and block everything else."

You should really read this (short) article. He gets to the point fast and is TOTALLY RIGHT:
http://www.infoworld.com/d/security/the-one-security-technology-actually-works-222763

KnowBe4 Customer Feedback

KnowBe4 has a LinkedIn product page where customers leave their recommendations. Scott Lewis, Information Security Officer said: "I am totally pleased with the training. We have just implemented the product and we have had great feedback from the employees. There is such a huge NEED for this product in our society! It sure fits a definite security need AND it is backed by Kevin Mitnick AND it is at a great price. I can't imagine any SMB not wanting it!" Thanks very much Scott! Here are the other LinkedIn recommendations: http://www.linkedin.com/company/knowbe4/kevin-mitnick-security-awareness-training-237471/product?trk=biz_product

Here is another one: "Stu, my staff has been trained using your Kevin Mitnick program, and I'd say it's been a success. I now regularly get questions from my staff about suspicious e-mail messages they receive, and proud comments about how they successfully detected and deleted phishing messages on their own.

Over the weekend two of my staff forwarded the message below to me, questioning whether it was fraudulent. As one of them pointed out, 'Tulips are not in season.' I thought that was pretty good reasoning, and shows just how effective the training was at raising their awareness levels." E.C. - Coordinator of Technology and Media.

Employees the Weakest Link of Cyber Security, Report Finds

Antivirus company Bitdefender reported something important. Here is their blog post of July 17, 2003.

"Even though hacks and cyber criminality cost companies plenty of cash and sensitive data, the employee remains the weakest link in the business ecosystem, new Boardroom Cyber Watch Survey 2013 finds.

"Human error, though mostly unintentional, appears to be the main cause of security incidents that result in data loss. IT Governance reported that 54 per cent of the interviewed "senior executives" think their own employees represent the biggest threat to cyber security, as opposed to 27 per cent who think that hackers pose the greatest risk. 12 per cent fear state-sponsored attacks and 8 per cent their corporate rivals.

"Companies are not ignorant of the risks: 77 per cent of bosses told us that their organization has a method for detecting and reporting attacks or incidents. However, in the boardroom, many companies still appear too removed from the action for directors to meet their governance obligations" Alan Calder of IT Governance says.

"Of all participants in the study, 25 per cent of the institutions have experienced at least one security incident in the past 12 months. But only 30 per cent of the respondents believe that employers and board members understand the gravity of IT security threats.

"It is problematic that some companies are not even aware that they were victims of a cyber-attack or data loss, while others deliberately choose not to make such incidents public for fear of reputation issues and possible bankruptcy. As a solution, Alan Calder said: "the best way for organizations to prove their cyber security credentials is to comply with, and be certificated against, ISO 27001, the global best practice standard for information security management. This lets you signal to customers anywhere in the world that you have a robust method for addressing the entire range of risks associated with systems, people and technology.""
http://www.bitdefender.com/security/employees-the-weakest-link-of-cyber-security-report-finds.html?sm_id=SMGlobal

Why Help Desk Employees Are A Social Engineer's Favorite Target

"A new report from the SANS Institute and RSA on help desk security and privacy finds help desk workers are the easiest victims for a determined social engineering criminal. Due to metrics and basic job requirements, end user and network support operations are still the top target when it comes to breaching corporate security. The reason is that help desk operators are being too helpful, which results in attackers gaining access simply by asking.

"A third of the IT professionals responding in the survey acknowledged they had "weak" risk management and security awareness training for their help desk staff, while 5% had "none" and 6% "didn't know."

"Seventy percent of the survey respondents acknowledged "social engineering" attacks, in which someone tries to get sensitive information or passwords from helpdesk agents, as a significant risk."

This is worth checking out; the link to the full SANS/RSA report is in the article:
http://www.csoonline.com/article/736544/why-help-desk-employees-are-a-social-engineer-s-favorite-target?

Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Your 5-minute Virtual Vacation! A beautiful video of Myanmar (Burma) filmed and edited at a resolution four times greater than regular 1080p HD:
http://www.flixxy.com/myanmar-burma-in-4k-ultra-hd.htm

Brilliant marketing campaign from Heineken. Watch it and try not to get excited!
https://www.youtube.com/watch?v=PenROORvLyw#action=share

KnowBe4 Chief Hacking Officer Kevin Mitnick interviewed on CCTV about Snowden:
http://www.youtube.com/watch?v=JHCFF0NgU2Y

Tareq Alsaadi gives a stunning flight demonstration with an R/C helicopter and impresses us with his skills:
http://www.flixxy.com/impressive-rc-helicopter-aerobatics.htm

Check out this milling machine made out of LEGOs. Pretty cool!
http://www.youtube.com/watch?feature=player_embedded&v=pX1cO2XhMrg#action=share

The 'Artificial Leaf' has the potential to provide at least part of the answer to the World's power problem:
http://www.flixxy.com/the-artificial-leaf-renewable-energy.htm

On June 13th, 2013, the AeroVelo Atlas Human-Powered Helicopter captured the long standing AHS Sikorsky Prize with a flight lasting 64.1 seconds and reaching an altitude of 3.3 meters:
http://www.flixxy.com/muscle-powered-helicopter.htm

Jumpy the Border Collie knows a LOT of cool tricks:
http://www.flixxy.com/jumpy-the-dog.htm

The 1933 steam-powered aircraft had a steam boiler that was so quiet that spectators on the ground could hear the pilot calling to them:
http://www.flixxy.com/besler-steam-airplane.htm

Gladys Ingle of the '13 Black Cats' changes planes and fixes new landing gear on a disabled plane in mid-air:
http://www.flixxy.com/mid-air-airplane-repair.htm

Distributed Drone Flight Array: this is very cool technology!
http://www.youtube.com/watch?v=fcradVE9uts#action=share
