CyberheistNews Vol 3, # 48

KnowBe4: Stu Sjouwerman's New Security Newsletter

Editor's Corner

Your AntiVirus Does Not See NSA's 50K Botnet

The revelations are getting wilder by the week. The NSA has its own botnet: it has infected more than 50,000 computer networks worldwide with malicious software designed to steal sensitive information. Documents provided by whistleblower Snowden and seen by the Dutch newspaper NRC Handelsblad prove this (link below).

The NSA's 1,000 in-house hackers (the unit is called Tailored Access Operations) have created malware that apparently has escaped all antivirus tools, just like Stuxnet did. I wonder if the code base is similar. The NSA's intelligence pals in the UK (GCHQ) have been gratefully using the malware as well, infecting a Belgian telecom provider where a sample was found in September 2013.

And how did GCHQ do it? Social Engineering! The Belgacom network was infiltrated by luring employees to a false LinkedIn page. The malware can be controlled remotely and be turned on and off at will. Call it a "sleeper agent". According to the Washington Post, the NSA has been carrying out this type of cyber operation since 1998. So as we speak, right now, 50,000 machines are "pwned" by the NSA and they can make those machines do what they want. That's a botnet. Incredible.

Now, let's extrapolate for a moment. If the NSA does this, so do the Chinese, and -they- mainly prey on your intellectual property. It is highly likely that the Chinese use contractors in the cyber mafia to send out sophisticated spear phishing attacks so that they can put invisible Chinese malware in your networks. And your antivirus is not catching it...

It is unlikely we are seeing the whole picture, but the moral of the story is to get your employees effective security awareness training!
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/

This is a link to the (English language) article:
http://www.nrc.nl/nieuws/2013/11/23/nsa-infected-50000-computer-networks-with-malicious-software/?utm_campaign=rss&utm_source=syndication

New Survey: "Biggest Security Threat Is End-user Carelessness"

An overwhelming 80% of companies say that "end-user carelessness" constitutes the biggest security threat to their organizations, surpassing the ever-present peril posed by malware and organized hacker attacks. See full story below.

Help Me Out? I Need 5 Minutes Of Your Time!

You need to be PCI Compliant, and I have a quick, interesting survey for you because I need your feedback on a new time-saving online compliance manager we are rolling out.

There is a prize for everyone!

Everyone who fills out the survey gets a free key for the Kevin Mitnick Home Internet Security course. This is an hour's worth of training on how your family can stay safe on the Internet, valued at $29.95. You can also give this course as a gift to 5 friends, a great way to stay safe online during the holidays. See:
http://home.knowbe4.com

Next, there will be a $500 prize for one person, drawn at random and managed by SurveyMonkey. The odds are pretty good. Last but not least, I need your suggestions for a product name, and the winner gets an iPad Air! So please take 5 minutes now. The deadline for the $500 is December 15, so please do this right away. Thanks very much in advance! Here is the survey:
https://www.surveymonkey.com/s/PX6YSC2

Quotes of the Week

"In a world of sensitive information... they were their own worst enemies!" - Restricted Intelligence

"Those who do not know these things and engage in battle will surely be defeated." - Sun Tzu

Thanks for reading CyberheistNews! Please forward to your friends. Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

Are Regular Audits Taking Up Too Much Of Your Time?

Are you dealing with the headache of managing (multiple) compliance requirements? Need to satisfy auditors that all controls are in place? Have to produce all the evidence regularly? It's a pain to keep all that in spreadsheets, especially if you need to comply with PCI and another regulation like HIPAA, GLBA, Sarbanes-Oxley or many others.

You are invited to the Release Candidate 1 (RC1) version of what we have been working on these last 18 months. It currently has the generic code name "OCM", for Online Compliance Manager. OCM effectively reduces the number of controls and requirements you need to satisfy, leading to less time and money spent dealing with compliance. We are looking for participants who will run OCM in-house and help us fine-tune the process. This page shows some of the features and has a form at the end you can fill out if you are interested in giving it a spin. Participants in RC1 will get a -substantial- discount when OCM gets released! Fill out the form here:
http://www.knowbe4.com/products/compliance-audit/

New Survey: "Biggest Security Threat Is End-user Carelessness"

Tying directly into the NSA story above, here are the results of the recent Security Deployment Trends Survey that many of you participated in! - By Laura DiDio

Thanks to all 500 of you who took the time to participate in the "ITIC/KnowBe4 2013 – 2014 Security Deployment Trends Survey." As always, your responses and essay comments were intelligent and informed and they provided us with deep insights about the issues and challenges motivating your security decisions.

An overwhelming 80% of companies say that "end-user carelessness" constitutes the biggest security threat to their organizations, surpassing the ever-present peril posed by malware and organized hacker attacks.

Additionally, 65% of businesses do not calculate the cost or business impact of security-related downtime and over 30% of firms admitted they are unable to detect or defend against a security breach in a timely manner if and when one does occur.

The data indicates that IT departments have a hard time staying abreast of myriad security issues which represent just one portion of their overall job responsibilities. Some 44% of survey respondents said their IT departments and security professionals spend less than 20% of their time on daily operational security. Another 32% said they devote 20% to 40% of their time to security. Only 20% of participants dedicate a significant portion of their daily and weekly administrative activities to securing their systems and networks.

The anecdotal data from the essay comments and first-person interviews strongly indicates that IT and security administrators find themselves in the unenviable position of being caught in the middle between upper management and end users. They have difficulty convincing upper management to allocate the necessary monies and resources to secure the network. And IT managers find it increasingly challenging to safeguard the network against end-user errors. Many users unwittingly make the network vulnerable to malware, viruses and phishing threats via the BYOD trend by falling for scams or clicking on bad links.

Among the other survey highlights:

• Top security priorities: 55% of users cite "Ensuring adequate and robust security for the business' needs;" 44% cited the need to provide security awareness training.

• Some 65%, or a two-thirds majority, of businesses do NOT calculate hourly security downtime costs, compared to 21% of participants that said they did estimate the cost/impact of security downtime.

• Of the 21% of organizations that claim to track downtime costs, only 38% of respondents were able to provide specific cost estimates of hourly losses due to security breaches. In reality, only 5% to 8% of the total number of 500 respondent businesses are able to provide specific cost estimates related to security breaches/hacks.

• Some 35% of firms expressed fear/concern about the threat posed by external, organized hackers.

• Malware & viruses remain the most common type of security breach, according to 56% of survey participants.

• Just three percent of firms indicated they had experienced more than 10 security breaches during the last 12 to 18 months.


In the next issue of Cyberheist News we’ll publish Part 2 of the Survey Results: Users Unplugged: Uncensored Anecdotal Security Comments. And we’ll also announce the winners of the three (3) Amazon gift certificates for the Best Essay comments. Anyone who wants a full copy of the Report can download the PDF at:
https://s3.amazonaws.com/knowbe4.cdn/WhitePaper_ITIC_KnowBe4_Security_Threats.pdf

Ponemon Study: SMBs Fail Miserably at Security

This is a new Ponemon survey that proves the validity of the ITIC / KnowBe4 results and shows the challenge you are facing, being caught between upper management and end-users:

"Perhaps most troubling, the Risk of an Uncertain Security Strategy study found that the more senior a manager was in their SMB organization, the more likely they were to dismiss the seriousness of potential cyber threats.

"The state of IT security in small and midsized businesses may be worse than previously thought, according to a new study that finds a majority are in deep denial about the risks of cyberattacks and the compromise of critical data. The study by Ponemon Institute and sponsored by UK security vendor Sophos Ltd. found 58 percent of SMB IT decision makers do not see cyberattacks as a significant risk to their business.

"The scale of cyberattack threats is growing every single day," said Sophos CTO Gerhard Eschelbeck, "yet this research shows that many SMBs are failing to appreciate the dangers and potential losses they face from not adopting a suitably robust IT security posture." More at:
http://channelnomics.com/2013/11/22/ponemon-study-fail-miserably-at-smb-security/

Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

SUPER FAVE: Amazon.com robots automate the warehouse environment. This technology is what enables Amazon to be so efficient at logistics:
http://www.flixxy.com/how-the-amazon-warehouse-works.htm

Automated life guard: life-saving flying robot is now a reality:
http://youtu.be/c0BOq2Y0Ngk

And here is another variation on that theme, but this one you sit in and fly yourself. The Volocopter is a Vertical Take-Off and Landing aircraft. I want one. Great for my commute!
http://www.flixxy.com/multi-rotor-volocopter-a-revolution-in-aviation.htm

AcaBelles version of the song 'Royals' by Lorde. Such amazing talent!:
http://www.flixxy.com/florida-state-university-acabelles-rendition-of-royals.htm

Landrover enthusiasts from Norway show that they can do better than Volvo and Jean-Claude Van Damme. Also shot in one take:
http://www.flixxy.com/the-landrover-experience-split-better-than-volvo.htm

Did you know that OpenDNS has a phishing Quiz? Worth it!:
http://www.opendns.com/phishing-quiz/

Yuri Arcurs shoots 30000W Flash and lights up a Fighter Jet going 750km/h in midair. It's a photography feat:
http://www.youtube.com/watch?v=J2dCelnwYxY&feature=youtu.be

Don't know what to do with that old iPhone? Make it a Lanyard. LOL:
http://www.youtube.com/watch?feature=player_embedded&v=Ch9INNHRj8s

Francois Gissy hits 285 km/h on his rocket-powered push-bike. Suicidal:
http://youtu.be/P_YcqovFeGs

There are some things you can only see in Russia… Compilation:
http://www.flixxy.com/only-in-russia-compilation.htm

Simon's cat resorts to increasingly desperate measures to wake its sleeping owner: LMAO:
http://www.flixxy.com/wake-up-call-for-all-the-cat-people.htm
