| |
CyberheistNews Vol 4, 02
Editor's Corner
The 5 Most Dangerous Phishing Email Subjects
Websense has posted some interesting new phishing research a few days ago. They started out: "With cloud infrastructure easily scalable and rented botnets coming on the cheap, the cost of conducting massive phishing campaigns continues to decline for cybercriminals. Even if the return rate is small or the campaign is poorly executed, phishing can result in serious money for criminals. Phishing will never simply go away—meaning ongoing headaches for security professionals."
They listed the top 10 countries hosting Phishing sites, but also the most dangerous phishing subject lines, based on research conducted Jan-Sept 2013:
1) Invitation to connect on LinkedIn
2) Mail delivery failed: returning message to sender
3) Dear (insert bank name here) Customer
4) Important Communication
5) Undelivered Mail Returned to Sender
These results were confirmed by KnowBe4's own research which showed that the LinkedIn invites had the highest scores on our simulated phishing attacks. I suggest you send these 5 topics to your users and warn them.
You may not be aware that we offer a free phishing security test you can do on your own users, and find out what the Phish-prone percentage is of our own organization. It's often higher than expected. Create your free account here:
https://training.knowbe4.com/signup
If This Is Your First Issue Of CyberheistNews...
CyberheistNews is the world's largest e-zine for IT professionals about IT compliance, social engineering and security awareness training. Need to protect your networks from penetration by the bad guys?
CyberheistNews is published by KnowBe4 LLC, arrives in your inbox once a week and looks at IT security from the human side. KnowBe4 has partnered with Kevin Mitnick to create next-gen Security Awareness Training combined with regular simulated phishing attacks.
In CyberheistNews we aim to help you keep your network safe with important news, hints, and tips so that you are aware of the latest social engineering scams and can do something about it.
KnowBe4 lives 100% in the cloud, we use SalesForce as our CRM and via their Data.com service we licensed your address. Consider this your sample issue. You can unsubscribe at any time (see below), and you will stop receiving any and all further email.
Target Databreach Now 110 Mil Cards - Neiman And Others Hacked Too
It goes from bad to worse. Target's initial 40 million turns out to be really 110 million. Apparently the forensics team discovered another 70 million cards exfiltrated. And then the news broke about Neiman-Marcus and three other major yet unknown retailers using similar techniques as the one on Target called RAM Scraping which looks at data while it travels through the memory of a computer.
Since these hacks seem to be date-coincident, you would assume that it's the same eastern European cyber mafia that was behind this record cyberheist. Next, the possibility comes to mind that these retail chains might even use the same point of sale vendor and that this vendor could have been penetrated even before both Target, Neiman-Marcus and the others.
Some conclusions: 1) If you process a lot of consumer data year-round, it is the safest play to assume you are already hacked and that you need to find and root out the perpetrators. 2) If one of your IT Vendors has been breached, you might very well become the adverse effect of that. Confirm they have achieved ISO 27001 certification and have successfully completed multiple SAS70 Type II audits. 3) It is assumed the Target hackers are eastern European since the stolen data surfaced there and is for sale by a man living in Odessa, Ukraine. That means they likely came in via spear-phishing and providing mandatory and effective security awareness training for -all- employees is becoming a -must-.
Why? "They steal and combine what was stolen in previous breaches," said Avivah Litan, a fraud analyst at technology research company Gartner. "There are warehouses of information on people and dossiers. Now we've got John's credit card, his address, his phone number... they do put it together and sell entire profiles on people." And those profiles can be used to create very convincing and sophisticated spear-phishing attacks.
I was interviewed on TV yesterday about this massive cyberheist at the Tampa CBS station. Here is the article and the video clip with yours truly:
http://www.wtsp.com/news/article/352707/250/Huge-cyberheist-means-millions-at-risk-for-identify-theft
Quotes of the Week
"Trust me, Wilbur. People are very gullible. They'll believe anything they see in print." - E.B. White, in Charlotte's Web
"It doesn't work the same way everywhere. The Americans are the most gullible, because they don't like to deny co-workers' requests. People in the former Soviet bloc countries are less trusting, perhaps because of their previous experiences with their countries' secret services." - Kevin Mitnick
Thanks for reading CyberheistNews! Please forward to your friends. But if you want to unsubscribe,
you can do that right here
|
Are Regular Audits Taking Up Too Much Of Your Time?
Practically all of KnowBe4 customers need to be compliant with one or more regulations. Over the years they have told us that regular audits are taking up too much of their time, and that careless employees cause all kinds of problems. You need to satisfy auditors that all controls are in place, but you said you often have a lack of time and management support.
To top it all off, you have to produce all the evidence regularly, but the duplication of effort and keeping track of everything in a spreadsheet is a pain. Well, over the last 18 months we have worked hard on a new way to manage this problem, and we are proud to present something that takes the pain out of compliance.
We have developed KnowBe4 Compliance Manager, a Software-as-a-Service or cloud-based application, which consolidates your audit management and regulatory compliance tasks into simple automated workflows which prevent overlap and eliminate gaps.
No more compliance spreadsheet nightmare...
Spreadsheets are inefficient, error prone, costly, and a risk in itself. Save your time, save budget, and decrease complexity associated with first becoming compliant and then maintaining compliance. You can now streamline your audit compliance management with the new KnowBe4 Compliance Manager™ (KCM).
Here is what someone responsible for compliance in IT said: "This is a valuable tool. We need to improve our compliance, and this makes it easy. Duplication of effort is a pain!" IT Manager, Healthcare - 1,500 users.
Start your New Year with one (compliance) headache less and save yourself a lot of time. Ask for a web demo: http://info.knowbe4.com/knowbe4-compliance-manager
Senior Managers Fumble Security Much More Often Than Rank And File
Antone Gonsalves at CSO wrote: "Senior managers are the worst offenders of information security, because of a combination of job pressures, busy schedules and an attitude that they are above the rules, an expert says.
A recent study by Stroz Friedberg, which specializes in digital forensics and risk management, found that almost nine in 10 senior managers regularly uploaded work files to a personal email or cloud account.
In addition, more than half had accidentally sent the wrong person sensitive information and had taken files with them after leaving a job. The percentages, 58 percent and 51 percent, respectively, were much higher than for general office workers.
The reason why senior management skirts the rules is twofold. First, they tend to be under a lot of pressure due to their busy schedules, so they often have no patience for security measures that add time, Eric Friedberg, co-founder and executive chairman of the firm, said. In addition, many managers, particularly in large organizations, travel a lot and often find themselves in countries or hotels where Internet access is subpar." More at:
http://www.csoonline.com/article/745703/senior-managers-fumble-security-much-more-often-than-rank-and-file?
Ouch! January 2014
SANS announced the new issue of their newsletter called OUCH!
"This month, led by Guest Editor Kevin Johnson, we discuss how to secure your home network. We figured that since many of you may have new devices connecting to your home network, this would be an excellent time to review and update its security. As always, we encourage you to download and share OUCH! with others.
English Version (PDF)
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201401_en.pdf
SANS also released a new security awareness poster called "Don't Get Hooked." Developed as a community project, the poster shows a common phishing email and explains the top indicators of a phish. Learn more at:
http://www.securingthehuman.org/resources/posters
Why The Bad Guys Have An Easy Time
Stephen Northcutt, in his book Network Intrusion Detection: An Analysts’ Handbook stated: "Fewer than one in twenty security professionals has the core competence and the foundation knowledge to take a system all the way from a completely unknown state of security through mapping, vulnerability testing, password cracking, modem testing, vulnerability patching, firewall tuning, instrumentation, virus detection at multiple entry points, and even through back-ups and configuration management."
My comment: Yeah, it takes an impossible amount of time to learn all of that if you also are a system- or a network admin and work 60 hours a week just to keep everything up and running in a small or medium-size business. This is a real problem and not an easy one to solve, looking at the limited budgets of SMBs.
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
How much have we learned from history? How many people would still fall for the ancient Trojan Horse trick today?
http://www.flixxy.com/trojan-horse-today.htm
Guards are supposed to perform their duty precisely, ceremoniously and without showing any emotion or reaction, but once in a while something unexpected happens....
http://www.flixxy.com/ceremonial-guard-bloopers.htm
How do you make a tree float in the air? Graphic designer Daniel Siering and art director Mario Shu create magic using artistic inspiration:
http://www.flixxy.com/hovering-tree-illusion-painting.htm?
The most amazing stage magic ever - sawing a woman in half using clear see-through boxes:
http://www.flixxy.com/best-international-stage-magicians.htm?
Running, jumping and biking on 8,000 liters (2,100 gallons) of non-newtonian fluid (corn starch and water) in Kuala Lumpur, Malaysia:
http://www.flixxy.com/can-you-walk-on-water.htm
A starship is entering an area of space near our solar system. The crew is being briefed on the strange species called "humans":
http://www.flixxy.com/danger-humans-a-message-from-the-interstellar-safety-council.htm?
Would you like to learn the basics of the Chinese written language in 5 minutes? Interesting!
http://www.flixxy.com/chinese-made-easy.htm
12 famous passwords used through the ages, this is a fun slide show:
http://www.csoonline.com/slideshow/detail/135304/12-famous-passwords-used-through-the-ages?
|
|
