|
CyberheistNews Vol 3, 51
Editor's Corner
The Rise Of Cyber Mercenaries
There is an interesting development I thought you should be aware of, and perhaps communicate to the powers that be in your organization.
By now it is well known that organizations get attacked all the time, and 91 percent of the organizations that were recently polled by Kaspersky suffered a successful cyber-attack at least once in the preceding 12-month period, while 9 percent were the victims of Advanced Persistent Threats.
What's new is the increasing rate of businesses turning to cyber mercenaries to penetrate their competitors’ networks. Outsourced cybercriminal gangs penetrated networks and exfiltrated terabytes of sensitive information. Other attacks were outright sabotage using malware to wipe data, block infrastructure operations, or DDoS attacks that shut down a competitor's public-facing websites. A data-wipe example was Saudi Aramco where 30,000 workstations were completely wiped out by malware this year.
Unfortunately cybercrime is incredibly innovative, they are constantly improving their malware using unconventional approaches. The most recent wave is a so-called encryptor which spreads both in corporate environments and at the house. Once the Crypto-locker malware takes over the workstation, it asks for $300 ransom to release the files. If this "ransomware" has been able to encrypt the files on a workstation and/or network shares, you better hope you have a working backup and wipe/rebuild that machine.
In 2013 we saw the first instance of targeting full supply chains. An example is discussed in a new research paper (link below) on the discovery of "Icefog"; a small but energetic APT group that focuses on targets in South Korea and Japan, hitting the supply chain for Western companies. It's obviously some Chinese operation, it started in 2011 and has increased in size and scope over the last few years.
That’s a good example what is now called of cyber mercenaries, small hit-and-run gangs that attack with surgical precision. They appear to know exactly what they need from the victims.
"They come, steal what they want and leave, they are for hire, provide cyber-espionage/cyber-sabotage activities on demand, following the orders of anyone who pays them,” said the report. The Icefog targeted attacks rely on spear-phishing e-mails that attempt to trick the victim into opening a malicious attachment or a website. Security Awareness Training is not a nice-to-have these days, it is a must... Link:
http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf
Trusting Bad Code from Day One
I wrote an article for Educause that you might like to send up the flagpole as ammo to get more IT Security budget. It explains in mostly non-technical terms why the bad guys (and the NSA) can get into practically any network at any time.
Why? In short, the Internet really is still in beta. (Vint Cerf admits that TCP/IP never made it into production code and was built for redundancy, not security). Check it out on the Educause website, and forward it to management if you think it help you will state your case for more security budget more clearly:
http://www.educause.edu/ero/article/trusting-bad-code-day-one?
Quotes of the Week
"In matters of style, swim with the current; in matters of principle, stand like a rock." - Thomas Jefferson
"Either you run the day, or the day runs you." (1975) - Jim Rohn
Thanks for reading CyberheistNews! Please forward to your friends. But if you want to unsubscribe,
you can do that right here
You can read CyberheistNews online at our Blog!:
http://blog.knowbe4.com/bid/358900/CyberheistNews-Vol-3-50
|
Introducing: Kevin Mitnick Security Awareness Training 2014
You're invited to check out the brand new 2014 version! It's a 2-for-1 because you get a condensed 15-minute version focused on APT thrown in for FREE.
All new videos, a new e-learning platform that supports the iPad, and many more features for the admin like new summary information about your phishing security tests, Top Culprits, CSV formats for download, bubble graphs with number of clicks per hour, better filters and custom templates you can clone, edit and send to your users.
IT people are able to step through both the new 15-minute and 40-minute Kevin Mitnick Security Awareness Training 2014 training for free. Scroll down, Click on the Try It! Tab, fill out your name and email and click: "I Want To Try It".
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
System Admins Send Kudos About The 2014 Version
"You all probably get contacted when something does not work or when we (the user community) have a need but I wanted to say thanks! I just logged into KB4 and this is the first time since your update that I have had a chance to log in. I was going to add a few new users and went to the “Manage Users & Groups” area and this is really nice. I like the tabular approach to the screen and also the ability to see more information all at once. Seeing the groups with their information helps me a lot! I appreciate you all taking feedback from customers and improving your product. Keep up the good work! Thank you
G. S., CEH CPT CISSP IT Security Admin, Insurance Company.
2014 IT Security Spending Trends
Venture capital-backed IT security company SilverSky recently reported on next year spending plans for IT Security. As it is budget season now, this is interesting reading. They started out with:
"The unstoppable BYOD train, rapidly changing technology, tighter security regulations and ever-evolving threat landscape make it incredibly tough to prioritize and identify the best ways to allocate spending. Missteps, unnecessary splurges or cutting corners during the budgeting process could prove costly over the next 12 months – so getting it right is a business imperative."
The Good News
"As we head into 2014, an overwhelming majority of respondents (81 percent) believe that their organizations are just as secure or more secure than they were a year ago. But despite increased confidence, record numbers of high-profile cyber attacks continue to make headlines, constantly reminding organizations of the sobering "new normal" in which we now live. Because of this, enterprises are investing more than ever in security. According to Gartner, companies worldwide are expected to spend $67.2 billion this year alone and are projected to spend $86 billion by 2016. Similarly, our SilverSky study shows that more than 25 percent of organizations plan to make big investments in security in 2014.
Budget Priorities
"Though network security products remain the priority, it appears IT professional’s fears have shifted away from network risk to worrying more about the risk of data loss." In fact, targeted phishing attacks was the top concern with 87% and second came accidental data loss on the part of employees with 67% as chief concerns for the year ahead.
Security requirements will never go away as long as the "bad guys" are out there and humans continue to make human mistakes – but during this budgeting season, savvy CIOs are looking for smarter, more effective ways to allocate their budgets. Check out their 30-second video with the top five IT security spending trends for 2014 at the bottom of this page:
https://www.silversky.com/blog/spendingstudy
LinkedIn Invites Ranked As The Year's Most Dangerous Messages
Steve Ragan over at the CSO site gave a summary of a recent Websense report that confirms our own numbers at KnowBe4; LinkedIn Invites score the highest click-through rates in social engineering attacks.
"Websense published a brief report on the state of Phishing on Wednesday, covering Q1-Q3 2013. According to the numbers, the percentage of Phishing attempts within all email traffic fell .5 percent in 2013, which might seem like a bit of a positive.
However, the decline isn't necessarily something to celebrate, because it was due to the fact that the criminals behind Phishing attempts started to get focused. In this case, the focus was on the individual, Websense's Carl Leonard explained.
"Today’s phishing campaigns are lower in volume but much more targeted. Cybercriminals aren’t simply throwing millions of emails over the fence. They are instead targeting their attack strategies with sophisticated techniques and integrating social engineering tactics. Scammers use social networks to conduct their recon and research their prey. Once the intelligence is harvested, they use that information to carefully construct email lures and yield maximum success."
"Websense says that the year's most problematic email message posed as a LinkedIn invite. The messages, with the subject of "Invitation to connect on LinkedIn" offered a classic pass at Phishing, playing on the fact that a majority of the corporate world uses the social networking portal for professionals.
"A couple of months ago Websense reported that a majority of Phishing emails appear on Friday, with Monday rolling in at a close second. They know worker’s minds can stray on Fridays in a more relaxed setting.
There is a more sinister reason for all the Friday phishing attacks though. The bad guys penetrate a legit site but do not put an exploit kit on it yet. They first send spear phishing attacks on Friday that have a link to this legit site which is not yet on any blacklist and not flagged as bad in any way. That makes the phishing attack slip through all the filters over the weekend and lands in the end-user's inbox. Early Monday morning, just before everyone starts their day, they upload the exploit kit and now everyone that clicks the link gets infected during the first six hours. Upshot: You have got to train that end-user not to click on links...More:
http://blogs.csoonline.com/social-engineering/2863/linkedin-invites-ranked-years-most-dangerous-messages
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Super FAVE: Freediver Ocean Ramsey shares a quiet moment with a Great White Shark, taking a ride with it. Really:
http://www.flixxy.com/a-blonde-and-a-great-white-shark.htm?
Things that kill more people than sharks. LOL:
http://themetapicture.com/things-that-kill-more-people-than-sharks/
Helicopter Pilot Is A Master At His Job - Harvesting Christmas Trees:
http://www.flixxy.com/helicopter-pilot-is-a-master-at-his-job-harvesting-christmas-trees.htm?
The life of a drupal developer, lots of funny cat gifs... :
http://rjtownsend.com/blog/life-drupal-developer-illustrated-cat-gifs
Top 10 green concept cars of 2013. Some are pretty cool!
http://www.gizmag.com/top-10-eco-friendly-concept-cars-2013/30076/
The Best 'Wow, That Went Well!' 2013. A compilation of moments in which some skill or event went extremely well or even better than expected - Fun:
http://www.flixxy.com/the-best-wow-that-went-well-2013.htm?
This robot was made to test hazmat suits. Dang this is getting close to Terminator:
http://youtu.be/tFrjrgBV8K0
Volkswagen's incredible transparent car factory in Dresden, Germany - You have never seen a factory like this:
http://www.flixxy.com/high-tech-car-factory.htm?utm_source=nl
Adam Savage shows off his new toy, a state of the art robot spider which is truly awesome!:
http://www.youtube.com/watch?v=-vVblGlIMgw&sns=em
|
