CyberheistNews Vol 3, 45
Editor's Corner
Is Social Engineering An IT Problem?
Many people would say yes to this question, but is it really? Certainly social engineering is a problem in IT (because IT feels the pain), but essentially it is a much wider issue not limited to just IT. To illustrate the point, Spiceworks guru Scott Allan Miller commented:
"In the Milgram Experiment in 1966, 21 out of 22 nurses were willing to accept an unverified outsider over the phone, violate their training, violate the rules and violate common sense and effectively participate in outright murder... as long as the person asking them to do so did so with authority.
"Considering that nurses have extensive training, have rigid structures protecting them and knowledge that any patient could be a victim... how can we expect less trained users with less important data in their care to be more vigilant? We are normally just dealing with data... not people's lives."
See experiment #4: http://news.yahoo.com/bone-chilling-science-scariest-experiments-ever-150037235.html
Miller is right: social engineering goes way beyond IT boundaries. In that sense it definitely is not an IT problem but an enterprise-wide problem. However, when an enterprise is attacked from a distance and the Internet is used as the main attack vector, IT is a crucial part of the mitigating policy and procedures. The majority of users are relatively easily manipulated. A good social engineer can get access to pretty much anything they want. The only defense against this is training. Drill, drill, drill in scenarios that approximate reality. Additionally, the threat of job loss for employees who repeatedly violate company security policy helps. In other words, your company policy has to have teeth and needs to be communicated clearly and regularly. Security awareness training obviously cannot eliminate the issue completely, but it certainly helps to mitigate it to a high degree, specifically when we are talking about spear-phishing attacks that are part of an advanced persistent threat.
Here is a real-life example from a KnowBe4 customer in health care with 1,500 employees, who sent us this: "Also you will be happy to know that I just finished Security Awareness metrics for the leadership here. In January 2013 the failure rate averaged at 85% and above. In June down to 75%. In July down to 25%. The amazing part is October. We are down to 4.4%. I am excited to share this with you and our leadership here! All the best, V.F."
Quote of the Week
"A lie can travel halfway around the world while the truth is putting on its shoes." - Charles Spurgeon
"For every credibility gap there is a gullibility gap." - Richard Cobden
Thanks for reading CyberheistNews! Please forward to your friends. But if you want to unsubscribe, you can do that right here.
Your end-users are the weak link in your network security
Today, your employees are exposed to Advanced Persistent Threats. Trend Micro reported that 91% of successful data breaches started with a spear phishing attack. IT Security specialists call it your 'phishing attack surface'. The more email addresses that are exposed, the bigger your attack footprint is, and the higher the risk.
It's often a surprise how many of your email addresses can be found by the bad guys. Find out now which of your email addresses are exposed. The Email Exposure Check (EEC) is a one-time free service. We often show surprising results. An example would be the credentials of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses and where we found them.
Sign Up For Your Free Email Exposure Check Now: http://info.knowbe4.com/free-email-exposure-check-13-11-05
Social Engineers Pwn The 'Human Network' In Major Firms
Apple, General Motors, Home Depot, Johnson & Johnson, Chevron, Boeing, and other major corporations easily fell to social engineering attacks in a recent contest.
Darkreading had a good summary. "To provide some perspective on just how poorly corporate America is able to combat social engineering attacks today, consider this: Famously secretive Apple fared the worst in a recent social engineering contest.
Organizers of the annual Social Engineering Capture The Flag (SECTF) contest at DEF CON have released the final report on the competition, held in August in Las Vegas, and the findings don't bode well for enterprises: Social engineering exploits are as easy as ever to pull off successfully, with contestants able to glean valuable company information online and from employees answering phones at large companies.
The fifth annual SECTF, which is held to raise awareness about social engineering threats, included 10 men and 10 women contestants who each initially conducted online research (no hacking or direct contact allowed) on their assigned target company for the contest. They then placed live telephone calls to their target in a soundproof booth at DEF CON in front of an audience of attendees and contest organizers. Each was scored based on the "flags," or specific checklist items, they were able to obtain from their targets, such as the caller's browser, operating system, or getting them to visit a rigged URL.
"The bottom line is [the target corporations] did really poorly," says Michele Fincher, chief influencing agent for Social-Engineer, Inc., the firm that runs the event each year at DEF CON. "The companies who happened to do well did so accidentally or out of ignorance, in that they either couldn't answer the question or didn't know how, so the call shut down. Very few [employees] said, 'I am not allowed to give out this information.'"
Fincher says it is easy to gather valuable information on a targeted organization via the Internet using open-source intelligence, a.k.a. OSINT, or information gathered from publicly available sources such as websites, social media, and other online resources. "There has not been a lot of activity on the part of corporations to improve this sort of exposure and data leakage, it doesn't take a skilled social engineer to dig through the Net and find information," Fincher says.
The top flags captured by the contestants, in order, were Internet browser type; operating system information; information on corporate wireless access; confirmation of a corporate VPN. Browser and OS intel could aid an attacker in crafting a targeted phishing email, for instance.
"One of the key findings is that across the board there is way too much information to be gathered through open source. The training being provided is not adequate to cover this," Fincher says. "There's a lot of focus on technology: It's a lot easier to put up a firewall. But a conversation can be way more damaging than malware."
It takes more customized, repetitive training to teach employees to be careful in what they share online or in conversation, she says. "I would like to see people put as much effort in keeping their human network safe" as they do their computer networks, she says."
The full report on this year's SECTF and more detail are available at Darkreading: http://www.darkreading.com/vulnerability/social-engineers-pwn-the-human-network-i/240163379?
Adobe Hack 10 Times Worse
The Adobe hack was way worse than they initially thought. Cyber mafia stole data of more than 38 million customers, including credit card numbers, usernames and encrypted passwords, not the 2.9 million Adobe previously reported.
They also got part of its Photoshop source code in addition to the source code for Acrobat, ColdFusion and ColdFusion Builder, and the attacker has been able to decrypt the stolen credit card numbers and passwords using Adobe's keys. Yikes. If you have bought any kind of Adobe product, it is a good idea to go and change your password at their site. More at Brian Krebs' site: http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/
Google Is Building Huge Mystery Barges
Google has got a huge barge filled with shipping containers stacked 4-high over at Treasure Island in San Francisco Bay. Everyone is speculating on what's in there, but since Google has a patent on a floating data center, that seems to be the consensus; however, there are other possibilities. If it's a data center, obviously that thing would be sea-water-cooled, which would be interesting to see. There is a second one of these puppies in the water off Maine, and there are rumors of a third. CNET was one of the first to report on these mystery barges, and heard from a tipster that they could be floating Google invitation-only "luxury showroom" stores, or maybe backup data centers in case of natural disasters. Security is sky-high and everyone working on these things has signed NDAs. Here is how they look: http://news.cnet.com/8301-1023_3-57608585-93/is-google-building-a-hulking-floating-data-center-in-sf-bay/
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
NSFW: A viral video from the Dutch government to raise awareness of cybercrime. Very interesting to see how this is done, like 100% criminal call centers in Ukraine, but this is definitely Not Safe For Work: http://www.liveleak.com/view?i=807_1383224319
A tongue-in-cheek, comic book inspired, detective film noir music video by Hilary Grist: http://www.flixxy.com/an-invisible-man-a-songstress-a-mad-scientist-and-a-femme-fatale.htm
9-year-old Amira Willighagen blows away the judges and audience of Holland’s Got Talent by singing Puccini's ‘O mio babbino caro’ (Oh My Beloved Father). The point is that this kid does not get any singing lessons: http://www.flixxy.com/9-year-old-girl-sings-opera-on-hollands-got-talent.htm
Fly through 17th Century London, courtesy of six students from De Montfort University Leicester, England, who built this 3D computer model. Wow: http://www.flixxy.com/fly-through-17th-century-london.htm
A quantum computer works in a totally different way from a classical computer. http://www.flixxy.com/how-does-a-quantum-computer-work.htm
New optical disc can store information for "a billion years": http://www.gizmag.com/billion-year-data-storage/29530/?