CyberheistNews Vol 3, # 42


Editor's Corner


Scam Of The Week: Fake Invoice

This week, cybercriminals are using a well-known social engineering trick to try to make employees click on fake invoices and so distribute a piece of malware. This is especially risky because they are trying to reach employees in the finance department, who might open the attachment themselves or receive it forwarded by a co-worker who is not sure what it is and sends it on to Accounting.

The emails are entitled “Invoice #3404196 – Remit File” and they read something like this: “The following is issued on behalf of the Hong Kong Monetary Authority. Attached is the invoice (Invoice_3604196 (dot).zip received from your bank. Please print this label and fill in the requested information.”

If anyone in your organization opens the attachment, a malware dropper may be downloaded, which in turn pulls down a large amount of further malware that lets the bad guys take over the whole machine. STOP - LOOK - THINK before you click, and let's be safe out there.
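As an added example, not part of the newsletter, here is a small Python triage routine of the kind a mail gateway or SOC script could run against an inbound message to flag the indicators this item describes: an invoice-themed subject, a zip attachment, a mismatch between the invoice number in the subject and the one in the attachment name, "issued on behalf of" wording in the body, and executable file names inside the archive (listed, never extracted or run). The sender and recipient addresses, the file names and the message samples are constructed for the demonstration; the lure text follows the wording quoted above.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# File extensions that have no business inside an "invoice" archive.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

# Body text modelled on the lure quoted in the newsletter (constructed sample).
LURE_BODY = (
    "The following is issued on behalf of the Hong Kong Monetary Authority.\n"
    "Attached is the invoice (Invoice_3604196.zip) received from your bank.\n"
    "Please print this label and fill in the requested information.\n"
)


def build_message(subject, body, zip_name=None, zip_members=()):
    """Build a raw RFC 5322 message; every value here is constructed test data."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "billing@example-bank.invalid"   # constructed sender
    msg["To"] = "accounts@example.invalid"         # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if zip_name:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for member in zip_members:
                zf.writestr(member, b"placeholder bytes, not a real program")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename=zip_name)
    return msg.as_bytes()


def sample_lure():
    """The fake-invoice lure: subject and attachment numbers disagree and the
    archive carries a double-extension executable (constructed sample)."""
    return build_message("Invoice #3404196 - Remit File", LURE_BODY,
                         "Invoice_3604196.zip", ("Invoice_3604196.pdf.exe",))


def sample_benign():
    """An ordinary invoice notification with no attachment (constructed sample)."""
    return build_message("Invoice #3404196 - October services",
                         "Hi, the invoice for October is in the portal. Thanks.")


def triage(raw):
    """Return a list of human-readable findings for one inbound message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    subject = str(msg["Subject"] or "")
    m = re.search(r"invoice\s*#?\s*(\d+)", subject, re.I)
    subject_no = m.group(1) if m else None

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Third-party "issued on behalf of" wording is the lure's social-engineering hook.
    if re.search(r"issued on behalf of", text, re.I):
        findings.append("third-party 'on behalf of' lure in body")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Trust the bytes as well as the declared name: a zip starts with "PK\x03\x04".
        is_zip = data.startswith(b"PK\x03\x04") or name.lower().endswith(".zip")
        if not is_zip:
            continue
        if subject_no:
            findings.append("zip archive attached to invoice-themed mail")
        am = re.search(r"(\d{5,})", name)
        if subject_no and am and am.group(1) != subject_no:
            findings.append("invoice number mismatch: subject %s vs attachment %s"
                            % (subject_no, am.group(1)))
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():      # listing only; nothing is extracted
                    if member.lower().endswith(EXECUTABLE_EXT):
                        findings.append("executable inside archive: " + member)
        except zipfile.BadZipFile:
            findings.append("attachment named .zip is not a valid archive")
    return findings


if __name__ == "__main__":
    for label, raw in (("lure", sample_lure()), ("benign", sample_benign())):
        print(label, "->", triage(raw) or ["no findings"])
```

Each finding is a weak signal on its own (plenty of legitimate invoices arrive as archives), so in practice a gateway would score them together and route anything with two or more into quarantine for a human to look at rather than block on a single hit.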

Just 'Being Compliant' Increases (!) Your Risk

CSO ran a great opinion piece by people at MediaPro, a company in our space. The points they made were so relevant that I thought you should know. Take two minutes; it is great ammo:

"The Department of Health and Human Services recently confirmed that a lack of training is a common cause of HIPAA compliance difficulties. But is that really such a surprise? Given the poor state of awareness training in many organizations, it's no wonder that HIPAA violations are actually on the rise. The fact is, to achieve formal, "letter of the law" compliance, just about any form of training will do to "check the box." But as we continue to see, bad training is, in the final analysis, practically equivalent to--or worse than--no training at all, and hence the disappointing results reported by HHS and by others who wonder why their compliance training fails.

Here, then, are four clues that your "compliance" status may, in fact, be putting your organization--and your customers--in serious jeopardy:

1. You believe the minimum mandatory training will shield your organization from liability.

Just ask any number of HIPAA-compliant organizations who found out the hard way. Too many organizations, while having all their HIPAA papers in order, have still been found to be legally negligent--even though a level of training was provided that satisfied the minimum regulatory requirement! Why? Because the behavior HIPAA seeks to regulate was not changed.

2. You believe that the objective is regulatory compliance.

Simply being compliant does not translate to a safe and secure organization. Not by a long shot. And if you're only motivated by avoiding the penalties for compliance violations, you've really missed the point. Regulatory fines are actually a drop in the bucket compared with the true costs of a breach.

3. You believe that checking the box will improve your overall risk profile.

The truth is that a check-the-box approach to compliance actually leaves your organization with a very poor risk profile. Because it breeds a false sense of security ("We're compliant!"), it also courts disaster.

4. You don't believe that training above the minimum standard will make any difference.

Take two organizations: one that gives awareness training the short shrift and another that takes it seriously. Which would you consider more trustworthy: the company that gave its people an annual 30-minute PowerPoint or the one that tied the training to the culture and corporate values of the organization and reinforced it throughout the year with habit-forming reminders?

In the end, complying with the letter of the law while neglecting its spirit--and the strategic benefits it provides--is precisely the attitude that can leave your organization exposed, destroy customer trust, consume precious capital, and tarnish your brand. Conversely, just a small investment in true behavior-changing training and reinforcement will pay huge dividends in fortifying the security of your organization--and protect your customers in the ways the laws actually require."

I strongly recommend you read the whole article, and/or send it to the people responsible for your security awareness budget:

Quote of the Week

"The purpose of government is to enable the people of a nation to live in safety and happiness. Government exists for the interests of the governed, not for the governors." - Thomas Jefferson

Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman

Train Employees to Handle Sensitive Information Securely

You need to be compliant, but employees usually have little or no training when it comes to identifying sensitive information, leaving regulated data vulnerable.

KnowBe4 has a brand new 15-minute module in the Kevin Mitnick Security Awareness Training series. It specializes in making sure your employees understand the importance of safely handling sensitive information, such as Personally Identifiable Information (PII), Personal Health Information (PHI) and credit card data (PCI DSS), as well as your organization's proprietary information, and are able to apply this knowledge in their day-to-day jobs for compliance with regulations. Learn more here, and ask for a quote. You will be surprised how affordable it is!


Major Cybercrime Arrest in Russia

Finally, the Blackhole exploit kit coder has been nabbed; it was time for some good news. The Russian authorities have arrested a man believed to be the author of the Blackhole exploit kit, which is widely used by cybercriminals to exploit vulnerabilities in Web browsers and other software in order to infect user computers with malware.

Reports of the arrest first hit Twitter, with Maarten Boone, a security researcher at the Dutch cyberforensics team Fox-IT, claiming that the creator, known on underground forums as "Paunch," was in custody. More at:


Kaspersky Uses "Print My Resume Exploit"

Kaspersky used the "print my resume" exploit, which I mentioned in earlier issues, in their social engineering test. I thought you might find this interesting, because it shows how effective these kinds of exploits still are in many places. It is also a good example for your employees of something they need to watch out for:


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Finally, in 2013 the dream has become reality. The Dick Tracy watch is here:

The American 4-Way Stop Sign Vs the European Roundabout - which is more efficient? The Mythbusters test it out:

What If Telekinesis Was Real? How Would You React? To promote the upcoming release of the 'Carrie' remake, a “telekinetic” event was staged in front of unsuspecting customers at a New York City coffee shop. Awesome prank:

How do you fit 100 billion transistors and several kilometers of conductors into a space no larger than a fingernail?:

Toy car goes 329 km/h (205 mph) at the race track of the America Miniature Racing Car Association:

The ‘near-human’ Atlas robot has better balance than you do:
