| |
CyberheistNews Vol 3, 44
Editor's Corner
A Serious Legal Liability: Bad or No Security Awareness Training
Please read this article and then forward it to the head of your legal department or the person in your organization who is responsible for compliance.
Recently, the Department of Health and Human Services reported that bad or no security awareness training is a main cause for compliance failures. This is true for not only health care, but all kinds of organizations in industries like banking, finance, insurance, manufacturing, and surprisingly, high-tech. It does not stop with mere compliance failures causing regulatory fines. Trend Micro reported that 91% of successful data breaches started with a spear-phishing attack.
The problem is that to be "letter of the law" compliant, you only need to herd your users once a year into the break room, feed them coffee and donuts, and give them a "death by PowerPoint" awareness update. However, ineffective security awareness training could turn out to be a serious legal liability.
Why? Cybercrime goes after the low-hanging fruit: your users. Why spend time exploiting complicated software vulnerabilities when you can easily social engineer an end-user to click on a link?
So your end-user did not get effective awareness training and falls for the hacker trick. Their workstation gets infected with a keylogger, the hacker now knows their login and password, and with that penetrates your network. Simply put: if it's the Eastern European cyber-mafia, their focus is to transfer out money from your operating account over a weekend. (See story below). If it's the Chinese, they will steal your intellectual property. If it's independent hackers, your customer database and credit card transactions are exfiltrated and sold on dark web criminal sites.
In all three cases you run the risk of a lawsuit:
1) You might sue the bank for negligence, and they might sue you back. Massive legal fees are inevitable. If it is found out the attackers came in by social engineering a user, your case is significantly weakened. Go to Brian Krebs' site and search for Patco Construction, a nightmare scenario. Here it is: www.krebsonsecurity.com
2) If the Chinese steal your intellectual property and you are exposed to a shareholder lawsuit, there will be a lengthy and costly discovery period. If it is found out the attackers came in by social engineering a user, your case is significantly weakened.
3) If hackers get into your network, and an investigative journalist like Brian Krebs discovers a website that has all your customer records and credit card transactions, a class action lawsuit is not far away. (This is the legal profession's biggest growth industry). If it is found out the attackers came in by social engineering a user, your case is significantly weakened.
See the trend here? Not scaling your training to a level that effectively mitigates the risk you are exposed to is a severe legal liability.
We have a new whitepaper called "Legal Compliance Through Security Awareness Training" written by Michael R. Overly, Esq., CISA, CISSP, CIPP, ISSMP, CRISC. He explains the concept of acting “Reasonably” or taking “Appropriate” or “Necessary” measures. Reading this whitepaper will help you to prevent violating compliance laws or regulations.
Do These Two Things:
ONE: Did you know that legally you are supposed to "scale security measures to reflect the threat"? In the whitepaper are some examples of the Massachusetts Data Security Law and HIPAA to explain what is required. I strongly recommend you download this whitepaper and get up-to-date about the legal repercussions of not providing effective security awareness training:
http://info.knowbe4.com/whitepaper-overly-kb4-13-10-28
TWO: Have you ever wondered how effective your current Security Awareness Training program really is, and if you are at risk in case of legal action? We offer a FREE test that gives you a real quantifiable number as to the percentage of your users that would click through, and fail, a simple Phishing email. Do our free Phishing Security Test. You don't need to talk to anyone, you can just create a free account and send your simulated phishing test:
http://www.knowbe4.com/phishing-security-test
Quote of the Week
"Discourage litigation. Persuade your neighbors to compromise whenever you can. Point out to them how the nominal winner is often a real loser---in fees, expenses, and waste of time." - Abraham Lincoln
Thanks for reading CyberheistNews! Please forward to your friends. But if you want to unsubscribe,
you can do that right here
|
Your end-users are the weak link in your network security
 Today, your employees are exposed to Advanced Persistent Threats. Trend Micro reported that 91% of successful data breaches started with a spear phishing attack. IT Security specialists call it your 'phishing attack surface'. The more email addresses that are exposed, the bigger your attack footprint is, and the higher the risk.
It's often a surprise how many of your email addresses can be found by the bad guys. Find out now which of your email addresses are exposed. The Email Exposure Check (EEC) is a one-time free service. We often show surprising results. An example would be the credentials of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses and where we found them.
Sign Up For Your Free Email Exposure Check Now:
http://info.knowbe4.com/free-email-exposure-check-13-10-29
ADP Spearphish To Finance Dept: $225,000 Stolen
Happened again last week. I would send this article to your CFO or Controller so they can forward it to their finance department. Can't hurt to remind them once more.
One of the clients of a channel partner of ours just had a major data breach caused by a phishing email that went to their finance department. It was opened by several finance people and included a zip file which they clicked on. The zip file then loaded cryptolocker and froze their systems. They also had $225k taken from the company bank account. (Note, these people did NOT have our security awareness training yet.)
Eastern European cyber mafia has a very successful campaign going, an ADP email to the finance department. It is amazing that this still works, it's not necessarily a new variant or a new type of malware. The bad guys only spend the resources to make sure it will not get caught by any Antivirus product before they send it out.
If you want to prevent these ADP spear phish emails to make it through your filters, you need to configure your mail servers / spam filter correctly. ADP.com has both SPF and DMARC records enabled... so that email should have been blocked.
Departing Employees Are Security Horror
Great little article in the Wall Street Journal with some good hints and tips for you: "Information theft by departing employees isn't what it used to be. It's much easier. But there are ways for companies to guard against it.
Workers who wanted to take confidential corporate information with them when they left a company used to have to sneak paper documents out the door. Now, in a few clicks, corporate secrets can be downloaded to a mobile device or uploaded to an online storage service.
Most theft of this kind goes unreported, but it is rampant. Half the employees recently surveyed by the Ponemon Institute and Symantec Corp., a maker of information-security software, said they had taken sensitive business documents with them when they changed jobs.
To prevent such theft, it's important for companies to first understand what data they're trying to protect and where it resides, says George J. Silowash, a cybersecurity analyst at the CERT Insider Threat Center at Carnegie Mellon University's Software Engineering Institute. Sensitive information tends to be scattered among departments or business units, sometimes in different computer systems, and many companies don't have a comprehensive record of the data they hold.
Next, it's important to know what access every employee has to company information, says Earl Perkins, a research analyst at Gartner Inc., so that access to confidential information can be revoked when an employee leaves the company. Ideally, revoking that access should happen automatically, he says.
Data-loss prevention software can help companies keep track of sensitive information. The software inspects data content and, based on policies the company creates, blocks certain information from leaving the company.
Finally, it's crucial that IT security managers communicate with the human resources department so they are aware of pending layoffs or other personnel issues that might lead to employee departures. "The simplest thing companies can do is to make sure there is a good communication path between human resources and IT security staff," says Patrick Reidy, former chief information-security officer at the Federal Bureau of Investigation, who now holds the same post at Computer Sciences Corp.
But companies should have legal or privacy experts make sure human resources is allowed to share employee information this way, keeping in mind that laws differ in various countries. Link to full article:
http://online.wsj.com/news/articles/SB10001424052702303442004579123412020578896
The Data Breach Checklist You Hopefully Never Need
If your organization uses cloud-based file sharing designed specifically for business use with strong safeguards (e.g. end-to-end encryption), you can skip this article. If your employees are using a consumer focused file-sharing solution, the following four steps might be an interesting little wake-up call.
- Investigate, identify and fix: Murphy's law in security states that if it can be breached, it will be breached, and it will continue to be compromised until it is truly fixed. Worse yet, this process tends to uncover additional security gaps, which will require additional resources. During this step, someone will have to document the incident in great detail: who discovered the breach, when did it happen, how much data was compromised and what type of data was it? This will require several lengthy interviews and weeks of investigation. Got time for that?
- Inform internal authorities: Your organization will need to hold several meetings with the internal stakeholders directly affected by the breach. This includes accounting, HR, IT (i.e. you) and the entire upper management team - not a very valuable use of anyone's time.
- Inform the external authorities: When your data has been stolen or compromised, you will need to also alert various levels of law enforcement (FBI, secret service, etc.) as well as your legal counsel. If your organization has a PR/crisis management team, this is their time to shine.
- Inform the end users: Sorry, but if data was compromised, it is best that the employees hear it from their own organization first instead of reading about it on the Internet. Aside from the written communications, your helpdesk is going to be swamped with questions about the data breach so they need to ramp up for heavy traffic.
Depending on your industry, your data breach checklist (by the way, do you have one?) will vary in terms of exact tasks, but the following is pretty much universal: You have got to find it and you've got to fix it - and you've got to let a number of parties know all the messy details. I would recommend using an external Incident Response company that knows what they are doing. The rules of evidence in cyber crime forensics are easy to break and that gets you further in the soup.
The real point here is that data breaches redirect valuable resources away from production time and easily cost hundreds of thousands of dollars. So if you've tried everything and still can't convince upper management to block all consumer file sharing sites in your firewall rules, maybe this short checklist will do the trick.
With grateful acknowledgement to, and adapted from:
http://mspmentor.net/infocenter-cloud-based-file-sharing/data-breach-checklist-your-clients-hopefully-never-need
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Halloween Light Show 2013 “What Does the Fox Say?” with over 8,500 lights and roughly 1066 channels of computer animation:
http://www.flixxy.com/halloween-light-show-2013-what-does-the-fox-say.htm
A new Honda CR-V car drives through a series of optical illusions in this cool and clever commercial:
http://www.flixxy.com/honda-optical-illusions.htm
Google has a new live digital attack map that shows DDoS real-time:
http://www.digitalattackmap.com/
Skully reveals Google Glass-like motorcycle helmet with a read view mirror. I would buy that if I was riding a bike. Video at Autoblog:
http://www.autoblog.com/2013/10/23/skully-hud-motorcycle-helmet-video/#continued
Gordon Ramsay, one of the world's most celebrated chefs, shows you how to cook the perfect steak: http://www.flixxy.com/how-to-cook-the-perfect-steak.htm
Comedian Tom Mabe uses a remote controlled flying Grim Reaper to chase soccer players, joggers, bikers and basketball players at the local park:
http://www.flixxy.com/epic-halloween-prank-by-tom-mabe.htm
Magician Dani Lari performs scary Halloween magic for the French television show 'The World's Greatest Cabaret' hosted by Patrik Sebastien:
http://www.flixxy.com/halloween-magic-by-dani-lari.htm
|
|
