Knowbe4 CyberheistNews Vol 4, 07 SNEAK PEEK At New Site: HACKBUSTERS




Editor's Corner


SNEAK PEEK At New Site: HACKBUSTERS

KnowBe4 Announces Hackbusters, A Curated IT Security News Site.

You miss important security news because you aren’t subscribed to the right sources, or your relevant security news is snowed under simply because of the incredible volume. So KnowBe4 brings you relevant, trending and most popular IT security content with Hackbusters, a hot new website that delivers both human and algorithm-curated articles specifically for IT Security professionals.

When you go to www.hackbusters.com, you immediately see the "trending" section, with "most popular" and "recent" immediately to the right. For instance, when the news broke this weekend that Kickstarter had been hacked, the story bubbled up to the #1 spot within the hour. This Sneak Peek is only the first of many Hackbusters features to follow.

Each news section combines stories chosen by KnowBe4's human editors with stories that floated to the top through the proprietary Hackbusters site algorithm. The goal isn't just to pump out articles from large news sites, but also to surface posts by expert but undiscovered bloggers and commentary by industry pundits. Take your Sneak Peek now:
http://www.hackbusters.com/

Quotes of the Week

"To know what people really think, pay regard to what they do, rather than what they say." - George Santayana - Philosopher

"Those who cannot remember the past are condemned to repeat it." - also George Santayana (1863 – 1952)



You can read CyberheistNews online at our Blog!:
http://blog.knowbe4.com/bid/373854/CyberheistNews-Vol-4-06-Cryptolocker-Scambles-Files-Of-US-Law-Firm

Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

Kiss Your Old Security Awareness Training Program Goodbye!

Is Your Security Awareness Training Program Not Working? Are Users Still Clicking Phishing Links And Opening Infected Attachments?

It could be that you are not using awareness training best practices. Brand new research from Vanderbilt University, MITRE and Dartmouth College shows that embedded training is ineffective when it is only done every 90 days and not part of a program that includes initial training.

If you have been using a program from another vendor and you do not see dramatically improved Phish-prone results, it's time to kiss that program goodbye!

KnowBe4 offers a 50% Competitive Upgrade Discount if you change from your current program to Kevin Mitnick Security Awareness Training. Better yet, we will make whole your current subscription period as well. And to top it all off, if you do not see a significantly dropped Phish-prone percentage at the end of our program, YOU GET A FULL REFUND.

With extremely malicious Cryptolocker malware out there, you have got to start with an effective security awareness program TODAY. Click this link and get a quote now:
http://info.knowbe4.com/get-a-quote-14-02-18


ITIC and KnowBe4 Latest Study Reveals Companies Lack "BYOD" Security

New ITIC/KnowBe4 Independent Survey Reveals 53% of businesses are unprepared to deal with hacked or stolen BYOD devices even though 50% indicated company-owned tablets, notebooks & smart phones may have been hacked in last 12 months


February 19, 2014 – A 53% majority of organizations acknowledge that they are unprepared to deal with security breaches of their corporate- and employee-owned Bring Your Own Device (BYOD) notebooks, tablets and smartphones, and this despite the fact that 50% of businesses say their BYOD devices may have been hacked in the last year.

The findings are part of a joint study conducted by ITIC, a Boston-area research and consulting firm that specializes in independent surveys tracking crucial trends, and KnowBe4, a security awareness training firm. The ITIC/KnowBe4.com "2014 State of Security" survey polled 250 companies worldwide in February 2014. The survey found that 55% of organizations are not increasing or fortifying their existing security measures despite the recent spate of high-profile attacks against companies like Target, Skype, Snapchat and others.

The survey results indicate that a 65% majority of businesses now allow end users to bring their own devices and use them as corporate desktop or mobile devices to access organizational data, including email, applications and sensitive data. BYOD usage enables businesses to reduce expenditures and lower the administrative burden on IT departments, as end users manage, maintain and in many cases pay for their own devices. The rise in BYOD, mobility and remote/telecommuting users potentially increases the risk of security breaches.

Approximately half (50%) of survey respondents said their employee- and company-owned BYOD devices had not been hacked, while about 10% indicated that desktops and smartphones had been penetrated. In a more disconcerting finding, 40% of businesses admitted they were "unsure," "had no way of knowing" or "do not require employees to inform them" whether their desktops or BYOD devices have been hacked.

Kevin Mitnick (former "World's Most Wanted Hacker"), KnowBe4's Chief Hacking Officer, said: "Mobile devices are the new target-rich environment. Based on lessons learned in the early days of the personal computer, businesses should make it a top priority to proactively address mobile security so they avoid the same mistakes [of the PC era] that resulted in untold system downtime and billions of dollars in economic loss."

BYOD can leave corporations extremely vulnerable to security breaches. Unless the corporation has strong, effective policy, procedure and security awareness training in place to govern BYOD usage, the company and its sensitive corporate data are in a precarious position whenever a mobile device is lost, stolen or, more likely, hacked.

Among the other ITIC/KnowBe4.com survey highlights:


• Organizations remain divided on who bears responsibility for BYOD device security. More than four out of ten businesses (43%) currently have no designated BYOD security policies. Some 28% of respondents say their company IT department takes responsibility for BYOD security, while nine percent say it is the employees' duty to secure their BYOD devices. Another 20% of businesses indicated that the corporate IT department and the end users share the responsibility for BYOD security.

• However, the 28% of respondents who said the corporation and IT department are responsible for BYOD device security is down nine percentage points from the 37% who said their firms took responsibility for safeguarding BYODs in the prior September 2013 BYOD Security survey.

• Some 45% of businesses indicated they are taking additional security measures. The top three most popular security mechanisms are installing the latest security fixes and patches (49%), conducting security audits and vulnerability testing (36%) and initiating computer security training for IT staff and end users.

• Only 13% of respondents said their firms have specific policies in place to deal with BYOD deployments, while another nine percent indicated they were in the process of developing BYOD procedures.

• An 80% majority of firms consider strong anti-virus, intrusion detection and firewalls the most important element and most effective mechanism for safeguarding their networks, followed by endpoint security (65%). Some 60% of survey participants cited physically limiting access to the server room/datacenter and providing end-user security awareness training as also being crucial to maintaining security.


ITIC principal analyst Laura DiDio added, "These survey findings should galvanize corporations to proactively safeguard data in advance of an expensive and potentially crippling loss or hack."

For necessary and vital security measures, every firm regardless of size should conduct a risk assessment review, adopt the "defense-in-depth" strategy and create a strong first layer that includes up-to-date security policies, procedures and security awareness training to deal with server and desktop deployments, including BYOD.


NIST Releases Voluntary Cybersecurity Compliance Framework

The National Institute of Standards and Technology has finally unveiled the long-awaited cybersecurity framework that the White House has been pushing for. This framework provides best practices for voluntary use in all critical infrastructure sectors, including, for example, government, energy, financial services and transportation.

KnowBe4's Director of Security Research Brian Jack commented: "While the idea of the framework is good, there are already established frameworks that follow similar guidelines. This new set of requirements is actually not much more than a subset of existing requirements."

Jack continued: "If you take NIST SP 800-53 as the common set of requirements and the mappings provided in NIST SP 800-66, the 'Implementing the HIPAA Security Rule' guide, and compare them to the new Cybersecurity Framework (CSF), you will notice that if you implement HIPAA using 800-66 you will have 52% of the CSF requirements covered, and if you implement the CSF you will have 86% of the HIPAA requirements covered."

KnowBe4's conclusion about the new CSF is that there is already a lot of 'general' overlap between almost all best practices and standards. The new CSF will not change much since it is only voluntary; we think the organizations that take compliance and security seriously are already meeting its requirements, and the organizations that do not have well-formed compliance and security processes will not dedicate time and money to a voluntary effort. More time and effort should be spent on changing the mindset regarding security and compliance rather than on coming up with new frameworks or requirements that are just subsets of existing ones.

This brings us to becoming compliant and then remaining compliant. Are regular audits taking up too much of your time? Are you dealing with the headache of managing (multiple) compliance requirements, only to have careless end-users cause all kinds of problems?

Need to have all controls in place to satisfy auditors but struggling with lack of time and management support? Tired of duplicating effort and the nightmare of spreadsheets and gathering evidence regularly? Are audits for PCI, HIPAA and SOX a yearly hurdle to get over? Here’s a new way to manage this problem:
http://info.knowbe4.com/knowbe4-compliance-manager

Next, for people who are in the process of making sure their security awareness training stays compliant, the Lawrence Livermore National Laboratory references the NIST SP 800-16 and SP 800-50 publications on IT security awareness, education and training in its "IT Security Learning Continuum" model. The documents can be found at:
http://csrc.nist.gov/publications/PubsSPs.html


SANS Monthly Awareness Video - International Travel:

Lance Spitzner wrote: "At SANS Securing The Human every month is security awareness month. We would like to share that commitment with you. Every other month we will post one of our security awareness videos on this page. This video will be available for a two-month period. At the end of the period we will take down that video and replace it with a new one. This way you, your family, friends and co-workers can stay updated with some of the latest cyber threats and technologies. Our goal is to help people to change behavior so they can leverage technology more safely and effectively. To learn more about how to protect yourself, your family and your friends, please subscribe to our free, monthly security awareness newsletter called OUCH!.

"This month's video is on international travel. Traveling internationally is growing exponentially as more and more organizations work internationally. This videos explains the risks with international travel and how you can protect yourself and your data when traveling to other countries:"
http://www.securingthehuman.org/resources/ncsam


Tips For Handling Your First Security Breach

Jim Hansen, Senior Director at AlienVault, wrote a highly useful article you should read:


"When it comes to data breaches, the risk for organizations is higher than ever before - from the calculable costs of leaked data to the less tangible effects on the companies' brands and customer loyalty. Therefore, with targeted security breaches on the rise, defining an action plan is critical for every security practitioner.

Getting breached does not determine whether or not you have a good security program in place; rather, how you respond to one does. Before you begin to stress out about how to keep your head (and your job) intact when the worst-case scenario happens, here are the top five tips for handling an organization's first security breach.

Expect to have quality time with executives

Prepare yourself for some quality time with the executive team. During a security breach, you will find yourself interacting with an entire group of people that previously were merely names on your corporate organization chart. The executive management team will expect you to make confident decisions quickly. This will often drive you crazy because you are an engineer and, as you know, the unknowns always outweigh the knowns. You will be sought after to make decisive, quick assessments regarding the information and data that you have collected, and be prepared to be held accountable for them afterwards.

Make sure you establish and record a timeline of events

Create a complete and detailed timeline of events because your responsibility is to determine "how" this happened. A comprehensive list of everything that happened within your network is crucial information that your management team needs from you. This is not an interpretation of "why" this happened. Additionally, know that this collected data will be essential for legal, PR and the board members, and will be the primary deliverable that the rest of the workflow is derived from.

Set clear expectations and don't succumb to the endless requests for updates

Do not succumb to the endless requests for hourly updates because it can impact the organization's productivity. Although you should expect to receive constant status update requests, you should not update too often because it can negatively affect your work. Make sure that the analysts are given enough space to conduct their actual analysis. You might insist that hourly status calls occur, but understand that a 15-minute phone call every hour can actually rob you of 25 percent of your productivity in conducting actual forensics work. Do not be afraid to push back and give yourself time to gather and report accurate information. After all, your responsibility is to enable informed executive decisions at this point.

Keep calm

Stay calm and do not panic. During a security breach, things are going to get a little crazy. During a time of crisis, do not worry about offending others by not being nice to them; rather, be more concerned about not adding to the insanity. Be prepared to make some decisions that may be above your typical job responsibilities. Inevitably, you will be required to task others that you normally do not have authority over, on the understanding that you will answer for it later on if needed. As long as you make this clear, then any reasonable person will support you on this.

Do not hesitate to ask for advice and support

Do not be reluctant to ask for help or support. It's okay. As the long hours and sleepless nights count up, just know that there is an end. Eventually you will have discovered all there is to discover, the executive team will have collected all of the data that is required to do their job, and life will return to normal once again. If public disclosure of your security breach is required, know that it is a double-edged sword. For example, you may experience great catharsis in knowing that the truth is out in public, but you must realize that the PR-spin engine will be operating at full speed and so you will be under a mountain of non-disclosure. Also, know that if you work for a large organization, they often have employee counselors readily available to discuss legal matters. Take advantage of these employee counselors because you shouldn't underestimate the value of having someone you can obtain advice from.

In this day and age, it is an accepted truth that it is just a matter of time before your organization is breached - what is important is how you handle it. Remember to breathe and to manage your stress accordingly and know that you will come out of this situation with an experience that you cannot learn in any lab or any simulated exercise." Here is where I found it:
http://net-security.org/article.php?id=1949
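The timeline Hansen asks for above is much easier to get right with a small tool than by hand, because every log source stamps time differently: syslog omits the year and uses the host's local zone, web servers carry an explicit offset, and SIEM exports are usually ISO 8601 in UTC. The following is an added example, not code from the AlienVault article or from KnowBe4. It normalizes three constructed log formats to UTC, sorts them into a single timeline and annotates the gap between consecutive events. The host names, addresses, the assumed UTC-5 zone of the syslog host and the year are all constructed for illustration.

```python
"""Merge heterogeneous log records into one UTC-ordered incident timeline.

Added example (not from the AlienVault article or KnowBe4). Every log
line, host name and address below is constructed for illustration.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records. Each source uses its own timestamp format and
# zone, which is exactly what makes a hand-built timeline error-prone.
SYSLOG_LINES = [  # RFC 3164 style: no year, host local time (UTC-5 assumed)
    "Feb 14 03:12:07 web01 sshd[2231]: Accepted password for deploy from 203.0.113.7 port 52110 ssh2",
    "Feb 14 03:14:41 web01 sudo:   deploy : TTY=pts/0 ; COMMAND=/bin/tar czf /tmp/db.tgz /var/lib/mysql",
]
APACHE_LINES = [  # Common Log Format with an explicit UTC offset
    '203.0.113.7 - - [14/Feb/2014:08:10:55 +0000] "POST /wp-login.php HTTP/1.1" 200 1432',
    '203.0.113.7 - - [14/Feb/2014:08:11:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120',
]
SIEM_JSON_LINES = [  # one JSON object per line, ISO 8601 in UTC
    '{"ts": "2014-02-14T08:20:13Z", "host": "db01", "event": "mysqldump executed by deploy"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


@dataclass(order=True)
class Event:
    when: datetime  # always timezone-aware and normalized to UTC
    source: str
    host: str
    summary: str


def parse_syslog(line: str, year: int, local_tz: timezone) -> Event | None:
    """Syslog has no year and no zone; both must be supplied by the analyst."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    when = naive.replace(tzinfo=local_tz).astimezone(timezone.utc)
    return Event(when, "syslog", m["host"], m["msg"])


def parse_apache(line: str, host: str) -> Event | None:
    """CLF carries its own offset, so %z does the zone conversion for us."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return Event(when, "apache", host, f'{m["ip"]} "{m["req"]}" -> {m["status"]}')


def parse_siem_json(line: str) -> Event:
    """ISO 8601 with a trailing Z; the replace keeps older Pythons happy."""
    rec = json.loads(line)
    when = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return Event(when, "siem", rec["host"], rec["event"])


def build_timeline(
    syslog_lines, apache_lines, siem_lines, *, year=2014,
    syslog_tz=timezone(timedelta(hours=-5)),  # assumed zone of the syslog host
) -> list[Event]:
    """Parse every source, drop unparseable lines, and sort on UTC time."""
    events: list[Event] = []
    events += [e for e in (parse_syslog(l, year, syslog_tz) for l in syslog_lines) if e]
    events += [e for e in (parse_apache(l, "web01") for l in apache_lines) if e]
    events += [parse_siem_json(l) for l in siem_lines]
    return sorted(events)


def render(events: list[Event]) -> str:
    """One line per event with the elapsed seconds since the previous one."""
    out, prev = [], None
    for e in events:
        gap = "" if prev is None else f" (+{int((e.when - prev).total_seconds())}s)"
        out.append(f"{e.when:%Y-%m-%d %H:%M:%S}Z {e.source:<6} {e.host:<5} {e.summary}{gap}")
        prev = e.when
    return "\n".join(out)


if __name__ == "__main__":
    print(render(build_timeline(SYSLOG_LINES, APACHE_LINES, SIEM_JSON_LINES)))
```

Read raw, the syslog login at "03:12" looks like the earliest event; once normalized it lands after the web login attempt at 08:10:55 UTC, which is the kind of ordering mistake that changes the "how did this happen" story handed to legal and the board.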


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

SUPER FAVE: Top Gear praises the McLaren P1 hybrid supercar as "probably the most advanced and jaw-dropping car the world has ever seen". WOW indeed:
http://www.flixxy.com/mclaren-p1-test-drive-by-top-gear.htm?

A compilation of some incredibly lucky "near-miss" pedestrians, train spotters, truck drivers, bicycle riders, motorcyclists and rally drivers:
http://www.flixxy.com/when-luck-is-on-your-side.htm?

Video: Top Hacker Shows Us How It's Done. This is FUN:
http://www.cyberwarzone.com/video-top-hacker-shows-us-how-its-done

Don't watch this if you are afraid of heights! Two crazy Russians climbed the Shanghai tower in China, the world's second tallest building:
http://www.flixxy.com/climbing-shanghai-tower-worlds-second-tallest-building.htm?

Talking about buildings, termites teach robots a thing or two:
http://on.wsj.com/1lLlBGh

A fisherman dragged a waterproof camera behind his boat. When he looked at the footage ... the result was magical!:
http://www.flixxy.com/underwater-camera-magical-catch.htm

Mother/Son Wedding Dance Goes From Cute To Epic:
http://klaw.com/motherson-wedding-dance-goes-from-cute-to-epic-video/

U.S. unemployment rate is at 6.7 percent, according to the Bureau of Labor Statistics (BLS) -- the IT job market is faring better with an unemployment rate of only 3.3 percent. Where are these jobs?
http://www.networkworld.com/slideshow/139903/top-10-states-for-it-jobs.html?

From the archives. Ronnie Barker and Ronnie Corbett in the sketch "Swedish Made Simple" featuring the famous F.U.N.E.X? conversation:
http://www.flixxy.com/two-ronnies-comedy.htm?
