CyberheistNews Vol 4, # 18: Antivirus Is Dead



KnowBe4
Stu Sjouwerman's New Security Newsletter

Editor's Corner

Shocker: Symantec Admits That Antivirus Is Dead

An article in the Wall Street Journal of May 5, 2014 summarized what I have been talking about these last few years. 25 years ago, Symantec was one of the first IT security companies to develop commercial antivirus software to protect computers from hackers. Now the company says that's no longer working. Antivirus "is dead," says Brian Dye, Symantec's senior vice president for information security. "We don't think of antivirus as a moneymaker in any way." Mr. Dye estimates antivirus now catches just 45% of cyberattacks.

Antivirus products try to keep the bad guys out of a computer. But hackers often get in anyway, using 0-day threats, social engineering and other tactics. So Brian Dye is reinventing Symantec; instead of protecting against the bad guys, he is now focusing on detection and response, following FireEye, which recently paid $1 billion for Mandiant, who act like hackbusters after a data breach.

Ted Schlein, who helped create Symantec's first antivirus product, describes such software as "necessary but insufficient." As a partner at venture-capital firm Kleiner Perkins Caufield & Byers, Mr. Schlein invests in new cybersecurity companies that compete with Symantec.

It is clear that new strategies need to be deployed to make sure defense-in-depth is effective. Providing effective Kevin Mitnick Security Awareness Training is the starting point, but moving toward whitelisting as a measure to block unauthorized executables is another way to stop malware from taking hold on a computer.

If ever I saw an article that should be forwarded to management with a request for more budget, this would be the one! Link:
http://on.wsj.com/1nXj3bU

How To Make CEOs Get Cyber Security

How about: "You get fired for a data breach". This is now a reality, as Target is replacing CEO Gregg Steinhafel, following a massive data breach over the holidays.

A new two-party study by Websense and the Ponemon Institute confirms that global security pros find themselves "deficient, disconnected and in-the-dark" in addressing cyberthreats. They surveyed 4,881 experienced IT and IT security practitioners in 15 countries around the world, and found that not only were C-level executives unaware of the security risks, but that infosec pros themselves were finding it hard to keep up with cyber-criminals.

Approximately 80 percent of respondents said that their company's leaders "do not equate losing confidential data with a potential loss of revenue", despite the fact that about 30 percent of consumers would avoid further business with a retailer post-breach.

The problem is that security has to be the bedrock of the whole organization and not just at a cyber level. Security is a -business- issue, and has to include how people operate via telephone, paper and electronically. However, CEOs get thrown off by the dense jargon of the IT security industry.

It's obvious this is a language problem and there are significant losses in translation between business goals and IT security objectives. CEOs need to be enlightened about IT security issues and CSOs and CISOs need to be trained in speaking the language of finance. Unless everyone uses the same vocabulary we will be stuck with an IT Security Tower Of Babel.

Returning to the report, after exposing the cracks in cybersecurity defenses for organizations, the study offers recommendations for companies wanting to better manage and prevent cyber attacks targeting their sensitive and confidential information:

1) Eliminate the uncertainty of cyber risks by investing in technologies that provide visibility and details about attempted attacks and how successful attacks would affect your company.

2) Look for access to better threat intelligence and real-time defenses.

3) Deploy an all-encompassing defense strategy that incorporates web, email and mobile channels. Avoid hyper-focusing on one channel and examine all the channels your users and network use to interact with information.

4) Assess security solution capabilities and deployments against a comprehensive kill-chain model to eliminate gaps and minimize excessive overlap.

5) Find effective employee security education methods to promote cooperation and communicate the seriousness of cyber attacks and reduce high risk behavior.

Obviously I could not agree more, especially with item #5. The whole report can be found at WebSense as a free download (registration required):
http://www.websense.com/content/2014-ponemon-report.aspx?intcmp=hp-promo-en-2014-ponemon

If you want to get a book for your C-Level execs that explains in easy to understand terms how a lack of cybersecurity can impact your organization, here is a link to a free full-240-page e-book download of "Cyberheist".
http://www.knowbe4.com/free-e-book/

And if you want to order the old-fashioned paper version, go to Amazon:
http://www.amazon.com/Cyberheist-financial-American-businesses-meltdown-ebook/dp/B004XDE20O/

Want Instant Alerts on Major IT Security Events?

Follow me on Twitter. My handle is @stuallard, and I will tweet about breaking news that usually is seen first at our www.hackbusters.com site.

Quotes of the Week

"The liberties of our country, the freedom of our civil constitution, are worth defending against all hazards: And it is our duty to defend them against all attacks." - Samuel Adams

"Supreme skill is subduing the enemy's operations and its forces without battle. Therefore, the ideal military strategy and planning is to destroy the enemy's plans and strategy." - Sun Tzu

Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

Can Bad Guys Impersonate Your Executives?

Can the bad guys impersonate one of your co-workers or your executives? In other words, can your domain be spoofed? KnowBe4 can help you find out with our new Domain Spoof Test.

This new Domain Spoof Test sheds light on a major potential vulnerability: email servers that are not correctly configured. Bad guys searching for your organization's publicly available email addresses can find enough information to attack your employees by impersonating (spoofing) a co-worker or executive.

We offer a free one-time Domain Spoof Test (DST) that verifies whether a hacker can disguise a malicious phishing email as a normal message from someone within your organization, such as a manager or CEO/President. If this is possible, hackers can easily launch a spear-phishing attack.

It takes 1 minute, so request a free domain spoof test for your own domain name. Click here and fill out the form:
http://info.knowbe4.com/domainspooftest-14-05-06

FBI: Phishing Attacks on Telco Customers Grow

Phishing attacks targeting telecommunication companies' customers, which result in account takeovers, are on the rise, according to the Federal Bureau of Investigation and the Internet Crime Complaint Center (IC3).

The schemes involve using automated telephone calls, or vishing, and SMS texts, or smishing, to lure customers to phishing sites that replicate telecommunication companies' sites, requesting the victims' log-in credentials and the last four digits of their Social Security numbers. Once access is gained, the fraudsters make changes to the customer's account and may place orders for mobile phones, the FBI says.

An example of a fraudulent URL used in the scams, authorities say, is: www.my[insertphone company name]900.com.

The IC3 urges consumers to be cautious of unsolicited telephone calls, e-mails and text messages, especially those promising some type of compensation for supplying account information. More at:
http://www.bankinfosecurity.com/phishing-attacks-on-telco-customers-grow-a-6806?

HIPAA Breach Tally and Enforcement Grow

The federal tally of major breaches continues to grow. But even relatively small breaches can result in tough federal sanctions, as settlements announced earlier this week show.

As of April 23, the federal "wall of shame" tally included 966 major breaches affecting a total of about 31.1 million individuals since 2009. About 35 breaches have been added in the past month to the tally, which tracks breaches affecting 500 or more individuals.

But while the tally helps draw attention to bigger breaches, two recent Department of Health and Human Services HIPAA compliance settlements offer a reminder that even very small breaches can result in sanctions if an investigation turns up serious issues. The settlements in cases involving stolen unencrypted laptops highlight the importance of encrypting data on mobile devices to prevent breaches. And keep in mind, the federal tally shows that the loss or theft of unencrypted devices or media has been the No. 1 cause of major breaches.

OCR entered a $250,000 resolution agreement with QCA Health Plan, based in Little Rock, Ark., which was the result of a HIPAA compliance investigation sparked by a breach involving a stolen unencrypted laptop that affected only 148 individuals - too small to make the federal tally of major breaches.

Lessons to Be Learned

"The primary lesson to be learned from these recent cases is that the cost to prevent mobile device data breaches is far less than the cost of mitigation," Evans says.

"The goal of encryption is to provide confidentiality protection for information. Most mobile devices have encryption already built into their operating systems," he notes. Jennifer Smith, QCA's legal counsel, points out that the cost of a settlement with OCR goes far beyond any financial penalty. More:
http://www.databreachtoday.com/hipaa-breach-tally-enforcement-grow-a-6780

And obviously, giving mobile device security awareness training to employees who have these devices is also a great way to prevent expensive legal settlements:
http://info.knowbe4.com/mobile-security-module

Six Infosec Tips I Learned From Game Of Thrones

Corey Nachreiner, Director of Security Strategy and Research at WatchGuard Technologies, wrote a fun article at net-security.org. He started out:

"In Westeros—the land of dark knights, backstabbing royals, dragons, wildings, wargs, red witches, and White Walkers—even the youngest ones have to learn basic self-defense if they’re to have any hope of surviving the cruel fictional world imagined by A Game of Thrones (GOT) author, George R. R. Martin. And so too, must every CISO and security pro learn the latest information security best practices if they’re to survive today’s Internet threat landscape.

"If you’re a GOT fan, you’re probably excited about the recent launch of season four. Accordingly, the second article of my pop-culture/cyber-security series explores the information security tips you might extract from the morbidly dark, yet inescapably intriguing fantasy series. Here are six security tips I learned from Game of Thrones.":
http://www.net-security.org/article.php?id=2001

Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

U.S. F-15 pilots with GoPro cameras: One of the Best Cockpit Videos Ever:
http://theaviationist.com/2014/05/05/kadena-67-fs-video-2013/

John Green explains the origins of 32 popular brand and model car names:
http://www.flixxy.com/32-car-name-meanings.htm?utm_source=4

Toyota Describes Combustion Engine That Generates Electricity Directly. Video of the Free Piston Engine Linear Generator (FPEG):
http://www.tytlabs.com/tech/fpeg/fpeg02.html

Strange but true, this is the story of Frane Selak: Train derailment, plane crash, bus crashes, car accidents and an amazing surprise ending:
http://www.flixxy.com/the-worlds-luckiest-unlucky-man.htm?utm_source=4

Part all-terrain dune buggy, part light-sport aircraft, the Skyrunner is the ultimate recreational sports vehicle. I want one!:
http://blog.petflow.com/cnn-report-do-not-let-your-husband-see-this/

Baltimore Landslide April 30th, 2014, Video filmed by Nick Reyes. Wait for the last 15 seconds...pretty amazing!
https://www.youtube.com/watch?v=MrNluXrrHKY

What do you do when you have a sea plane, but no sea nearby? But I guess they did not think this through fully... where to land? LOL
http://www.flixxy.com/sea-plane-takes-off-from-truck-trailer.htm?utm_source=4

Dani Lary Magic - Le Taj Mahal. In the town of Agra, in Northern India, lived in the 17th century a queen... Good modern execution of an old trick:
http://www.flixxy.com/dani-lary-magic-le-taj-mahal.htm?utm_source=4

Liquid Nitrogen Bottle Rockets. Liquid nitrogen floats on top of the warm water, expanding and thus propelling the soda bottle upwards with extreme force. I would warn against doing this at home:
http://www.flixxy.com/liquid-nitrogen-bottle-rockets.htm?utm_source=4

LIX, the smallest 3D printing pen in the world, enables you to draw in the air without using paper. This is pretty cool!:
http://www.flixxy.com/lix-the-worlds-smallest-3d-printing-pen.htm?utm_source=4

 