CyberheistNews Vol 4, # 14


Editor's Corner


Backup Failures And Ransomware Phishing: Recipe For Disaster

With system administrators caught in the crossfire between cybergangs wielding sophisticated ransomware like CryptoLocker on one side and CryptoDefense on the other, it's likely that many of them have had backups and disaster preparedness on their minds. That is a smart thing to do, because it looks like their backup efforts need a boost.

Baseline Magazine recently reported on the findings from cloud storage provider TwinStrata, who "indicate that companies are plagued by backup issues— even when no emergencies threaten their data. The majority of respondents say they're experiencing multiple backup failures each year. Despite the fact that most organizations say the volume of data they need to back up is increasing, more than half of them aren't backing up applications daily. And when a disaster does hit, nearly two-thirds say it takes days to recover."

If over 50% of companies have problems with backups, and if end-users are not getting effective security awareness training (so that they do not open ransomware phishing attachments, get their workstations infected and their files encrypted), that's an accident waiting to happen, costing days of lost production time. End-users are the first line of defense; to prevent lost files, lost time, or both, they need to be trained and regularly sent simulated phishing attacks so that they stay on their toes and keep security top of mind.

The 7 Steps Of The Cyber Kill Chain

Cyber security professionals are slowly but surely grabbing more and more military jargon. No surprises there, with a possible cyberwar brewing. The "kill chain" is a traditional warfare term most often used by the US Air Force as the command and control process for targeting and destroying enemy forces.

Over the last 12 months this "kill chain" concept has made it into cyber security marketing. Many vendors have come up with models, but Websense recently broke it out into a well-defined seven-stage model of how cyber criminals get to their victims. Not every attack uses all of these steps, but this is often how attacks go down. Here is what it looks like:

1) Initial reconnaissance
2) Crafting a phishing lure to encourage the victim to click
3) Redirecting the victim to a compromised server
4) Using an exploit kit to scan for vulnerabilities and zero-days
5) Dropping malware onto the victim's machine
6) Calling home to the command & control server
7) Exfiltrating (or encrypting) data and taking over the workstation

Cyber security vendors are using these steps to explain how their products will disrupt the criminal process. These steps are also useful for you as an IT pro, so you can assess your own network and see how you can best defend against cyber attacks.

Arthur Wong, HP senior vice-president and general manager of HP Enterprise Security Services (ESS) globally, told ZDNet at a media briefing last Wednesday: "The bad guys, the adversaries, they collaborate way more than governments, and way more than commercial industries do themselves. When anyone wants to even launch an attack out there on a particular company, they're going to go into chat rooms and ask, 'Hey does anybody own a computer or a system inside this company?', and someone will put up their hand, or they'll know someone else, and a deal is negotiated".

I have been talking a lot about the criminal ecosystem over the last few years. It's becoming more specialized, aligned with the 7 steps in the kill chain. According to Bob Hansmann, Websense's director of product marketing, cyber criminals now provide tailored services for every step of the kill chain, and even have aggregators that pull together whole attack campaigns.

Stay careful out there.

14 Things That Definitely Should Not Be On The Internet, But Are

You would think that after the last few years of press coverage showing the risks of the Internet, people would wise up. But no. To my astonishment it's getting worse, not better. Just have a look at this InfoGraphic, which shows 14 things that absolutely should not be hooked up to the Net but are, and worse, have weak passwords. Un-friggin-believable. If this is what the "Internet-of-Things" is going to look like, I want to get off this planet. Things like the entire traffic control system of Los Angeles, water plants and hydroelectric plants. Augh! Just check out the InfoGraphic at our blog and shiver. (Hat Tip to WhoIsHostingThis)
http://blog.knowbe4.com/bid/381750/14-Things-That-Definitely-Should-Not-Be-On-The-Internet-But-Are

Quotes of the Week

"Happiness resides not in possessions, and not in gold, happiness dwells in the soul." - Democritus, Philosopher (460 BC - 370 BC)

"Attitude is a little thing that makes a big difference." - Winston Churchill, Statesman (1874 - 1965)


Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

NEW: Full Free Preview of the 2014 Kevin Mitnick Security Awareness Training!

You May Qualify For A Full Free Preview. You know that your employees are the weakest link in your organization’s IT security. You are looking for an effective approach that will protect your network against phishing attacks. This free preview gives you access to the full new 2014 version of the 30-40 minute training. The preview is free, and after you decide to sign up, your yearly subscription allows you to both train all employees and to schedule simulated phishing attacks to all employees, with tracking of ‘who clicks when’. You can also check out the 15-minute APT version in 9 languages and the modules Mobile Device Security, PCI Compliance Simplified, and Handling Sensitive Information. Sign Up For Your Free Preview Now:
http://info.knowbe4.com/kmsat-preview-14-04-08


New Crop Of CyberCrime InfoGraphics

It's April and here is a new crop of fresh, fragrant Cybercrime InfoGraphics. The first of these I mentioned in the Editor's Corner, but there are 13 more. With some of these you will have an "OMG how can they be SO stupid" moment. With others you might learn some factoids that you had not run into before, so here goes:
http://www.hacksurfer.com/posts/19-new-cybercrime-infographics-march-2014


Final Fixes For XP -- And A Way To Keep It Running Safely

Windows XP End Of Life is today, after a 12-year run. Unbelievable that it lasted this long, and then to think that tens of millions of machines will be running it a few years longer, some even forever in a virtualized state. Bill Gates would -never- have envisioned that.

Redmond last week released its advance notification for today's April 8 Patch Tuesday, which contains the final security updates for Windows XP and Office 2003. There will be four patches, two of which are rated critical. One of the flaws that will be fixed is an RTF file handling issue in Word that is being exploited in limited, targeted attacks.

If you are upgrading to Win7 or 8 as part of getting rid of XP, you should take the opportunity to upgrade your security policy and procedures while you are at it and train your users on these new rules.

Look at locking down admin privileges, have Windows auto-update turned on by default, turn browser security settings up to paranoid, and possibly deploy whitelisting as a whole new way to protect your network.

Whitelisting is a very successful way to get a few more years of life out of XP in case you cannot get rid of it yet. Did you know that the Australian Government has made whitelisting mandatory for -all- their workstations? Learn more:
http://www.knowbe4.com/project-malwareshield/
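As an added example (mine, not the newsletter's or KnowBe4's) of how to check a Windows workstation against the four recommendations above, the PowerShell script below reports whether the current user is a local admin, the Automatic Updates notification level from the Windows Update Agent COM object, the Internet Explorer Internet-zone security level, and whether a Software Restriction Policy or AppLocker policy enforces a default-deny application whitelist. The function names and the "want" thresholds are my choices; the registry paths, COM object and value meanings are Microsoft's documented ones. It is written to run on PowerShell 2.0, so it works on Windows 7 as shipped; the AppLocker branch only applies where the AppLocker cmdlets exist.

```powershell
# Added example: audit a Windows host for the hardening items recommended above.
# Function names and "want" thresholds are the example author's choices (assumptions);
# registry paths, COM object and value meanings are Microsoft's documented ones.

function Test-RunningAsLocalAdmin {
    # Is the current interactive user a member of the local Administrators group?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AutoUpdateLevel {
    # Windows Update Agent NotificationLevel: 4 = download and install on a schedule,
    # 3 = download, prompt to install; 2 = prompt to download; 1 = disabled; 0 = not configured.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    return [int]$au.Settings.NotificationLevel
}

function Get-IeInternetZoneLevel {
    # CurrentLevel for zone 3 (Internet): 0x12000 = High, 0x11500 = Medium-high,
    # 0x11000 = Medium, 0x10500 = Medium-low, 0x10000 = Low. $null when never set.
    $zone = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' `
                             -Name CurrentLevel -ErrorAction SilentlyContinue
    if ($null -eq $zone) { return $null }
    return [int]$zone.CurrentLevel
}

function Test-WhitelistEnforced {
    # Software Restriction Policies (XP and later): DefaultLevel 0 = Disallowed, i.e. deny
    # by default with explicit allow rules (a whitelist); 0x40000 = Unrestricted.
    $srp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' `
                            -Name DefaultLevel -ErrorAction SilentlyContinue
    if ($null -ne $srp -and [int]$srp.DefaultLevel -eq 0) { return $true }

    # AppLocker (Windows 7 Enterprise/Ultimate and later): any rule collection whose
    # EnforcementMode is "Enabled" in the effective policy counts as enforcement.
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml
        $enforced = $policy.AppLockerPolicy.RuleCollection |
            Where-Object { $_.EnforcementMode -eq 'Enabled' }
        if ($enforced) { return $true }
    }
    return $false
}

function Get-HardeningReport {
    $ieLevel = Get-IeInternetZoneLevel
    if ($null -eq $ieLevel) { $ieText = 'not set' } else { $ieText = '0x{0:X}' -f $ieLevel }

    $rows = @(
        @{ Check = 'Current user is local admin';       Want = 'False';        Actual = Test-RunningAsLocalAdmin },
        @{ Check = 'Automatic Updates level';           Want = '4';            Actual = Get-AutoUpdateLevel },
        @{ Check = 'IE Internet zone security level';   Want = '0x12000 High'; Actual = $ieText },
        @{ Check = 'Application whitelist enforced';    Want = 'True';         Actual = Test-WhitelistEnforced }
    )
    # Select-Object fixes the column order, which a plain hashtable does not guarantee on PS 2.0.
    foreach ($r in $rows) { New-Object PSObject -Property $r | Select-Object Check, Want, Actual }
}

Get-HardeningReport | Format-Table -AutoSize
```

Run it in the session of an ordinary day-to-day user account, not an elevated admin console, so the first row reflects the account people actually browse and read mail with. A "True" in the admin row, a level below 4, an IE zone below High, or "False" for whitelisting is the gap to close before relying on the workstation past XP's end of support.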


The April SANS OUCH! Has Arrived

SANS said: "We are excited to announce the April issue of OUCH! This month, led by Guest Editor Eric Conrad, we discuss why you are a target, how cyber criminals are targeting you and what you can do to protect yourself. As always, we encourage you to download and share OUCH! with others." English Version (PDF):
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201404_en.pdf


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Remember that you can get the very latest Trending, Most Popular and Recent IT security news at the new hackbusters site!
http://www.hackbusters.com/

Pay close attention. Your attention is being diverted. Will you spot the changes? With over 6 million views, "The Colour-Changing Card Trick" by Richard Wiseman has become a YouTube classic:
http://www.flixxy.com/color-changing-card-trick.htm?utm_source=4

Can you imagine living on a tiny planet like that of 'The Little Prince'?
http://www.flixxy.com/360-degree-spherical-panorama.htm?utm_source=4

The Flying Shanghai Circus Acrobats with their amazing performance at the International Circus Festival of Monte-Carlo. Some awesome routines!
http://www.flixxy.com/flying-trapeze-with-the-greatest-of-ease.htm?utm_source=4

The amazing things Andrew Kelly can do with a deck of cards will blow your mind:
http://www.flixxy.com/magician-andrew-kelly-amazes-ellen.htm?utm_source=4

This is the first time in history that a meteorite has been filmed in the air during dark flight - after it has burned out. And almost killed someone:
http://www.flixxy.com/skydiver-films-meteorite-nearly-hitting-his-parachute-full-story.htm?utm_source=4

The Buoyant Airborne Turbine (BAT) uses a helium-filled, inflatable shell to lift to high altitudes where winds are stronger and more consistent than those reached by traditional turbines:
http://www.flixxy.com/the-next-generation-of-wind-power.htm?utm_source=4

Amazing Magic Trick! Master Magician Kevin James performing in Las Vegas on America's Got Talent. I have no idea how he does it! Watch it twice:
http://www.flixxy.com/cutting-edge-magic.htm?utm_source=4

To end off, this cartoon (I thought) was very funny...
http://abstrusegoose.com/432

