CyberheistNews Vol 10 #15
The Dilemma: Should You Phish Test During the COVID-19 Pandemic?

By Perry Carpenter, KnowBe4 Chief Evangelist and Strategy Officer. There’s no question, these are challenging times. Employees and organizations around the world are doing their best to keep everyone safe and settle in to a new normal for accomplishing work from home. Tensions are high, and fear and uncertainty abound. No one wants to add more stress to an already stressful situation.

Over the past week or so, I’ve seen a few social media postings and had a few discussions with people who believe that organizations should not phish test users during this time. They feel that the best way to practice “socially responsible awareness training” is to provide simple information-based awareness training and abstain from phish testing. Thoughts like this may be well-intended; but I believe that they are wrong. Here’s why:

Cybercriminals are ramping up their real attacks right now. This brand-new graph shows the exponential growth of new COVID-19 malicious phishing templates:
https://blog.knowbe4.com/the-dilemma-should-you-phish-test-during-the-covid-19-pandemic

So, it is super-important to keep our end-users on their toes. In fact, because cybercriminals are in a COVID-19 feeding frenzy, I’ll be bold enough to say that *not* conducting phishing training during this time amounts to negligence.

Cybercriminals prey on stress, distraction, urgency, curiosity, and fear. And they are bringing that full force against your end-users and your organization.

That being said, I totally understand where people are coming from when they feel hesitant to phish test users during this time. Organizations don’t want to add additional stress to their people. They are afraid that they may make employees feel confused or alienated. Totally understandable… and totally addressable. The key factors: your tone and your process.

CONTINUED with a 90-second example video at the KnowBe4 Blog:
https://blog.knowbe4.com/the-dilemma-should-you-phish-test-during-the-covid-19-pandemic

Phishing Trends Recap of COVID-19 Related Phishing Schemes:
https://blog.knowbe4.com/phishing-trends-recap-of-covid-19-related-phishing-schemes

The Art of Invisibility: Important New Privacy Concerns for Your Quickly Evolving Remote Workforce

Corporate privacy concerns are more paramount right now than ever before. Organizations are being forced to maneuver a new world of security and privacy issues related to a remote workforce, evolving hardware/software needs, and employee access policies. Kevin Mitnick knows this world well. In fact, that's the topic of his book, The Art of Invisibility.

Join us for this exclusive webinar as Kevin Mitnick, KnowBe4's Chief Hacking Officer, and Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, enter into an eye-opening discussion of the expected and unexpected risks this workforce evolution brings.

They will discuss topics including:
  • Privacy concerns around employees using personal devices for business purposes
  • Security issues with various operating systems, mobile devices, and the Internet of Things
  • The reality of "deep privacy" and how tied together devices, systems, and surveillance really are
  • Shocking new demonstrations that will change the way you think about privacy
  • Why new-school security awareness training is more critical than ever before
Find out what you need to know to keep the bad guys from accessing your organization's critical data! Plus, earn CPE Credit for attending.

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Date/Time: Wednesday, April 15 @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/2234258/E797A343C5F360833FD1D4102F387FDE?partnerref=CHN1

They're Here! COVID-19 Stimulus Check Phishes Finally Arrive

Last week the FBI warned Americans to be on the lookout for malicious emails attempting to bamboozle users with news surrounding the economic stimulus checks that were to be delivered to citizens in coming weeks. A day later we reported on a pair of phishing emails that seemed to be using early versions of just that very social engineering scheme.

Well, today those much-anticipated stimulus check phishes finally arrived -- in unambiguously proper form. Screenshot at the blog, link below.

There are a couple of interesting aspects to this particular phish. First, the embedded link redirects through Google to a landing page on a server that is currently not responding. Either the server is down or is buckling under the load of users trying to get their stimulus checks. Just what that landing page delivers to users -- malware or a credentials phish -- is unknown at present, but it is sure to be malicious.

Second, although this phish is obviously tailored to exploit very recent news surrounding the COVID-19 outbreak, this kind of social engineering scheme is actually standard fare for the bad guys: spoofed emails purportedly hailing from American Express, Bank of America, Wells Fargo, Chase, or even PayPal and dangling supposed payments (aka free money, a favorite lure of fraudsters) in front of punters.

Third, wittingly or unwittingly, this particular social engineering scheme -- which has AMEX delivering government stimulus checks to recipients -- actually dovetails quite nicely with reality. See this Bloomberg article from yesterday. We will undoubtedly see a number of variants on this one. Blog post with links and screenshot:
https://blog.knowbe4.com/theyre-here-covid-19-stimulus-check-phishes-finally-arrive

[Live Demo] See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, April 8 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

See how easy it is to train and phish your users:
  • Train your users with access to the world's largest library of awareness training content including 300 pieces of training content on work from home scenarios.
  • Send fully automated simulated phishing attacks, including COVID-19 phishing templates and thousands of customizable templates with unlimited usage.
  • NEW Assessments! Find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 32,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, April 8 @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/2221013/F79935BDC3895D0E7B4BB23420F63136?partnerref=CHN2

The Best Computer Security Solvers Look Beyond the Problem

By Roger Grimes: Who doesn’t love a good computer security “cowboy”? That’s a man or a woman who is a recognized authority in their field of expertise, who groks their subject, who is truly a subject matter expert.

When there is a crisis, everyone wants at least one cowboy on the solution team. They are usually passionate about what they do, and they seem to have a natural ability to recognize and fix whatever the problem is faster than most.

The more experienced I’ve become, the more I also like the exact opposite – the competent generalist who sees the big picture. Every team needs a bit of both.

I’ve come to better appreciate defenders who can see beyond the current crisis, who look for the ultimate reason for how the current problem became a problem and then suggest how to fix it.

Good defenders like to map an organization’s individual computer security defenses to a capability maturity model. Capability Maturity Models (CMMs) ask observers to rank how well developed and mature a particular process or control is compared to the best imaginable process or control for mitigating the same risks. Computer security professionals can also be ranked along a CMM scale, from immature to completely mature. The best computer security professionals are highly technical, but look at all problems in a highly mature, broader way.

The best defenders ask the right questions. What was missing that allowed something to become a problem? Was there a missing policy or tool that could have helped? Why did that person make that mistake? They wonder, if I change nothing, can a similar mistake happen in the future? Continue to read this new Roger Grimes article here:
https://blog.knowbe4.com/the-best-computer-security-solvers-look-beyond-the-problem

See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk management modules, transforming KCM into a full SaaS GRC platform!

Join us TOMORROW, Wednesday, April 8 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements across your organization and third-party vendors and ease your burden when it's time for risk assessments and audits.
  • NEW! Demonstrate overall progress and health of your compliance and risk management initiatives with custom reports.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TOMORROW, Wednesday, April 8 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2221015/A1CA7DD075729F4CB87EFB5E1C369BE7?partnerref=CHN2

No-Charge Coronavirus and Work From Home Resources to Keep Your Network Secure

Did you know that cybercriminals have ramped up phishing attacks over 667% in the month of March alone? With cybercriminals in a feeding frenzy, it's super important to train your users and conduct phishing tests during this time.

Make sure that your users are prepared. It's better to "fail safe" and direct your users to a learning moment than to have an employee click on a real phishing email and have your entire organization experience a breach. And these resources can help.

Your complimentary resource center includes:
  • A brand-new, no-charge 15-min course: Internet Security When You Work From Home
  • A short video series designed to help you conduct critical phish testing in a way that feels caring and compassionate
  • An on-demand webinar on security for remote employees
  • And more!
Get Your Resources Now, and Please Tell Your Friends:
https://www.knowbe4.com/coronavirus-security-awareness-resources

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc


PS: There is an interesting documentary live now: "KnowBe4, The Making of a Unicorn. A Cybersecurity Story." You can watch these 23 minutes here, great for a break:
https://www.youtube.com/watch?v=W9UvWQJoRfE&feature=share

Quotes of the Week
"I am a firm believer in the people. If given the truth, they can be depended upon to meet any national crisis. The great point is to bring them the real facts." - Abraham Lincoln, US President (1809 - 1865)

"The best way out is always through." - Robert Frost, Poet (1874 - 1963)

Thanks for reading CyberheistNews

Security News
Trends in Phishing, as Seen From Mountain View

Researchers from Google’s Threat Analysis Group (TAG) released details on recent state-sponsored phishing campaigns from around the world. The researchers said that Google’s phishing defenses have forced attackers to turn to more targeted attacks.

“In 2019, we sent almost 40,000 warnings, a nearly 25 percent drop from 2018,” they said. “One reason for this decline is that our new protections are working—attackers' efforts have been slowed down and they’re more deliberate in their attempts, meaning attempts are happening less frequently as attackers adapt.”

Google warns that state-sponsored threat actors are increasingly impersonating news outlets and journalists. The researchers specifically call out Iran and North Korea for doing this. The attackers pose as these outlets to spread disinformation and to distribute malware.

“For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation,” the researchers said. “In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow up email.

Government-backed attackers regularly target foreign policy experts for their research, access to the organizations they work with, and connection to fellow researchers or policymakers for subsequent attacks.”

The researchers also stressed that state-sponsored attackers are persistent and will repeatedly target the same person until they succeed.

“In 2019, one in five accounts that received a warning was targeted multiple times by attackers,” the researchers said. “If at first the attacker does not succeed, they’ll try again using a different lure, different account, or trying to compromise an associate of their target.”

Phishing is a cheap and effective way to compromise an account, and the victim only needs to slip up once in order for the attacker to gain a foothold. New-school security awareness training can help your employees defend themselves against these attacks by teaching them how to thwart social engineering tactics.

Google has the story:
https://www.blog.google/technology/safety-security/threat-analysis-group/identifying-vulnerabilities-and-protecting-you-phishing/

A New Ransomware Strain Called 'Save the Queen' Distributes Itself From Your Own Domain Controllers

Sophisticated cybercriminals have continuously improved the effectiveness of ransomware attacks, according to Yaki Faitelson, co-founder and CEO of Varonis. In an article for Forbes, Faitelson explained that targeted ransomware attacks attempt to encrypt the most valuable data at the worst possible time for the victim organization.

“Small-time criminals go for the quick buck,” Faitelson writes. “They don’t have the time or skill to pull off an enterprise-wide cyberattack while covering their tracks. Big-game ransomware groups are not small-time criminals — they have time, skills and motivation. That means they’ll get in, figure out what matters and then burn things to the ground only when they’ve maximized their return.”

Faitelson describes recent attacks in which the attackers gained access to the victim’s Active Directory accounts. Active Directory has become a frequent target in these types of ransomware attacks.

“Our company recently analyzed a new strain of ransomware, called ‘Save the Queen,’ that distributes its ransomware from its victim’s Active Directory Servers (known as Domain Controllers),” Faitelson says. “Domain Controllers hold the keys to your digital kingdom. They are important systems that pretty much every other system connects to, making them ideal for distributing ransomware.

Because of their importance, manipulating Active Directory Servers requires a very high level of access — and that’s exactly what these attackers had.”

Faitelson points out sophisticated cybercriminals can do more with this access than simply encrypt data, and they may go even further than holding stolen data for ransom.

“If big-game hunters have all this access, why wouldn’t they also grab financial information or intellectual property?” Faitelson asks. “Trade on insider information? Grab copies of important files before they encrypt them so they can threaten to leak them later? It would be naïve to think they don’t. And that should be a board-level worry....[A]s these groups get more organized and efficient at monetizing your property, it’s more likely that they’re not going to leave any money on the table.”

Faitelson also notes that there are additional security challenges that accompany a remote workforce, which is particularly pressing now.

“Remote workers are now easy conduits to corporate resources, and most organizations are unprepared to spot unusual activity generated by these remote users,” Faitelson says. “Your goal should be to detect attackers who are looking to take advantage of remote workers as early as possible.”

Organizations have to rely on their employees’ security practices now more than ever. New-school security awareness training can enable your employees to spot targeted social engineering attacks.

Forbes has the story:
https://www.forbes.com/sites/forbestechcouncil/2020/03/30/big-game-ransomware-four-things-ceos-should-know/

What KnowBe4 Customers Say

"Amidst all of the negative things going on in the world today … I thought I would share something that made me smile. I’m a bit of a nerd when it comes to security awareness and can’t believe your organization was able to help take us from a place that security was 110% ignored and folks thought was a waste of time… to this. It literally took almost a year to sell a Sec Awareness program internally and now they are excited about it. I love it. (and we aren’t even doing a great job with what we have setup with our program because we are all so busy)"
- M.R., Security Manager

"Hello Stu, on behalf of our security team, I just had to stop and thank you and KnowBe4 for the quick release of the COVID19, “Taking Security Home” and related videos. The fast and essentially proactive release of these places KnowBe4 well ahead of other providers. These are timely, and allow us to keep our colleagues informed & engaged while we pause our planned training until we feel that they are settled enough for us to continue with the overall security awareness initiative."
- L.D., Security & Disaster Recovery Analyst

"Loved the video, especially the sensitivity. 'During these crazy times right now' Keep calm and don't click. Overall I loved this, simplified, yet not accusing, but bringing it to your mind and attention."
- B.Z., Senior Information Security Engineer

The 10 Interesting News Items This Week
    1. CrowdStrike CEO seeing 'increased need of security as everyone works from home':
      https://money.yahoo.com/crowdstrike-ceo-seeing-increased-security-184111744.html

    2. COVID-19 Fuels Heated Fight Over CCPA Enforcement Timing:
      https://www.law360.com/cybersecurity-privacy/articles/1257124/covid-19-fuels-heated-fight-over-ccpa-enforcement-timing

    3. Cybersecurity Lawyer Who Flagged The WHO Hack Warns Of 'Massive' Remote Work Risks:
      https://www.npr.org/sections/coronavirus-live-updates/2020/03/30/822687397/cybersecurity-lawyer-who-flagged-the-who-hack-warns-of-massive-remote-work-risks

    4. There's now COVID-19 malware that will wipe your PC and rewrite your MBR:
      https://www.zdnet.com/article/theres-now-covid-19-malware-that-will-wipe-your-pc-and-rewrite-your-mbr/

    5. When hackers kidnap their data, companies are increasingly using ‘breach coaches’ and negotiators:
      https://www.fastcompany.com/90473369/when-ransomware-strikes-companies-are-increasingly-turning-to-breach-coaches

    6. Group-IB: New Financially Motivated Attacks in Western Europe Traced to Russian-Speaking Threat Actors:
      https://www.group-ib.com/media/silence_ta505_attacks_in_europe/

    7. Spike in Remote Work Leads to 40% Increase in RDP Exposure to Hackers:
      https://hotforsecurity.bitdefender.com/blog/spike-in-remote-work-leads-to-40-increase-in-rdp-exposure-to-hackers-22782.html

    8. Spearphishing Campaign Exploits COVID-19 To Spread Lokibot Infostealer:
      https://www.fortinet.com/blog/threat-research/latest-global-covid-19-coronavirus-spearphishing-campaign-drops-infostealer.html

    9. Brand-New Ransomware Simulator Now With 19 Latest Infection Scenarios:
      https://www.knowbe4.com/ransomware-simulator

    10. The Cybersecurity 202: Coronavirus pandemic unleashes unprecedented number of online scams:
      https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/04/01/the-cybersecurity-202-coronavirus-pandemic-unleashes-unprecedented-number-of-online-scams/5e83799b88e0fa101a757098/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.