CyberheistNews Vol 11 #03 [Heads Up] Now Here Is Some Exciting Certification News... :-D


For years I have wanted a true, professional certification for Security Awareness Professionals, think "the CISSP" for the awareness space if you will. I have asked, lobbied (begged on my knees) the existing certification bodies but no joy.

So, I decided to take the matter in my own hands and talked to one of the certification industry's most respected leaders: Professional Testing, Inc. I am happy to announce that KnowBe4 is now sponsoring the first vendor-neutral certification specifically for security awareness professionals.

And we need your input.

Here is your invitation to a survey that lets you give input on several key factors in the certification exam. As a CyberheistNews reader, you have been selected as one of our global survey participants, so that we better understand how you approach your security awareness responsibilities.

OK, this is going to take you some time. But it's worth the investment!

The survey should take no more than 20 minutes to complete and responses are confidential. If you are not responsible for security awareness in your organization, please forward this message to that person.

Please complete the survey as soon as possible as it will close once a representative sample has been collected.

Online Survey Directions:
  • Use this link to complete the survey:
  • Don't like to click on links? Copy and paste the link into your Web browser.
  • You will be able to change your responses throughout the survey until you click “Submit” at the conclusion.
  • If you wish to take a break during the survey, you may do so and return as long as the same device is used, and cookies are enabled.
Thanks in advance for your participation. If you have any technical questions, please email

I saved the best for last! We expect this new certification to be released no later than the second quarter this year. Woo Hoo!!
[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase in this email traffic can present a new problem!

PhishRIP, part of the PhishER platform, is a new email quarantine feature that integrates with Microsoft 365 and G Suite to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, which is the key ingredient of an essential security workstream. PhishER allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, January 20 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Use Security Roles to Create a Multi-Tiered Incident Response System in PhishER
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, January 20 @ 2:00 PM (ET)

Save My Spot!
Google Found an Alarming Number of Phishing Sites Every Day in 2020

Google discovered a record number of phishing sites in 2020, according to researchers at AtlasVPN. The researchers cite Google’s Transparency Report, which says the search giant detected 2.11 million phishing domains last year. That’s 25% more than the 1.69 million phishing sites discovered in 2019.

On average, Google flagged more than 40,000 phishing sites each week in 2020. The researchers note that the number of malicious sites has been steadily increasing for the past five years.

“Moving back to 2010, Google detected an average of 317 dangerous sites per day,” AtlasVPN writes. “Last year, the number jumped to 5789 websites per day, representing a 1726% surge in a decade. Looking at the last decade year-by-year, the volume of phishing portals grew by 43% on average.

In short, cybercriminals have been ramping up their efforts for the better part of the decade.”

[SUPER POPULAR] The Pesky Password Problem: Policies That Help You Gain the Upper Hand on the Bad Guys

What really makes a “strong” password? And why are your users tortured with them in the first place? How do hackers crack your passwords with ease? And what can/should you do about your authentication methods?

For decades, users have borne the brunt of the password tyranny, a result of the IT industry's inability to engineer secure systems. Password complexity, length, and rotation requirements are the bane of your users and literally the cause of thousands of data breaches. But it doesn't have to be that way!

In this on-demand webinar, watch Roger Grimes, KnowBe4's Data-Driven Defense Evangelist, to find out what your password policy should be and learn about the common mistakes organizations make when creating password policy.

In this webinar you'll learn:
  • Why passwords are so easy to hack and how the bad guys do it
  • How to craft a secure, risk-focused password security policy
  • The truth about password managers and multi-factor authentication and how they impact your risk
  • How to empower your users to become your best last line of defense
Watch Now!
Employees Are Too Trusting of Workspace Tools

A study by Avanan has found that users tend to trust workplace communication tools such as Microsoft Teams, Slack, and Google Hangouts, even though these platforms are subject to many of the same risks as traditional email.

For example, if an attacker phishes a user’s Office 365 credentials, they can then access the user’s Teams account and message the victim’s contacts. Avanan’s CEO Gil Friedrich told SC Media that many organizations have third-party partners tied into their Teams environment, which increases the level of risk.

“You should be more careful in those environments with data you share as well as that with the things you download, etc., because you can’t really control the security of your partners,” Friedrich said.

Avanan’s report describes one incident in which an attacker gained access to one employee’s Teams account, then sent a malicious GIF to another employee. When the other employee clicked the GIF, the attacker received their session token, which enabled the attacker to impersonate that employee and gain access to their files. The attacker continued using this technique to impersonate additional users and gain access to more content.

In another instance, a hacker lurked within an organization’s Teams environment for nearly a year before sending a malware-laden file. “Unlike traditional spray-and-pray campaigns we see in compromised email accounts, this hacker acted differently on Teams,” the report says.

“For that year, the hacker did not contribute once in the channel. Instead, the hacker listened, collected data and waited for an opportunity. This is a new revelation. In order to evade detection in this new medium, hackers would rather wait for when they can make the biggest impact with the least possible detection.

When an opportunity arrived and sharing a file was part of a natural chat conversation, the hacker shared a zip file, which included a version of a malware kit designed for desktop monitoring and configured to install silently upon clicking the file. This Remote Access Trojan would have given the attacker full access to monitor and control the victim’s desktop.”

Post with Links:
Are Any of Your Users Exposed in a Data Breach?

Almost every day we learn about a new data breach, which makes it essential to act on disclosed breaches. Do you know which of your users has put your organization at risk?

KnowBe4’s Password Exposure Test (PET) is a complimentary IT security tool that allows you to run an in-depth analysis of your organization’s hidden exposure risk associated with your users.

PET makes it easy for you to identify users with exposed emails publicly available on the web and checks your Active Directory to see if they are using weak or compromised passwords that are part of a known data breach. PET then reports on any user accounts affected so you can take action immediately!

Here's how the Password Exposure Test works:
  • Checks to see if any of your organization’s email addresses have been part of a data breach
  • Tests against 10 types of weak password related threats associated with user accounts
  • Checks against breached or weak passwords currently in use in your Active Directory
  • Reports on the accounts affected and does not show/report on actual passwords
Get your results in a few minutes! You are probably not going to like what you see.

Find Your Weakness!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Top Five Common CISO Myths Debunked By Yours Truly in FORBES:

Quotes of the Week
"Human greatness does not lie in wealth or power, but in character and goodness.
People are just people, and all people have faults and shortcomings,
but all of us are born with a basic goodness."

- Anne Frank, Writer (1929 - 1945)

"Live life as if everything is rigged in your favor."
- Rumi, Poet (1207 - 1273)

Thanks for reading CyberheistNews

Security News
How Crime Pays, Ransomware Edition

The Ryuk ransomware operators have raked in more than $150 million from their attacks, researchers at Advanced Intelligence and HYAS have found. The researchers describe how these operators are able to demand such large ransoms and then successfully launder the Bitcoin into fiat money.

“Our research involved tracing payments involving 61 deposit addresses attributed to Ryuk ransomware,” they write. “The Ryuk criminals send a majority of their Bitcoin to exchanges through an intermediary to cash out.

The two primary (known) exchanges are Huobi and Binance, both of which are located in Asia. Huobi and Binance are interesting choices because they claim to comply with international financial laws and are willing to participate in legal requests but are also structured in a way that probably wouldn’t obligate them to comply.”

The researchers also note that, unlike some other, more lenient, ransomware operators, the Ryuk gang is merciless when its victims are unable to pay. This group is also known for intentionally targeting hospitals.

“With the limited visibility available to analysts, it is painfully clear that the criminals behind Ryuk are very business-like and have zero sympathy for the status, purpose, or ability of the victims to pay,” the researchers say.

“Sometimes the victims will attempt to negotiate with Ryuk and their significant offers are denied with a one-word response. Ryuk did not respond or acknowledge one organization that claimed to be involved in poverty relief and lacked the means to pay.”

The researchers conclude that technical defenses are often insufficient to thwart a ransomware attack once the attackers have gained a foothold within a network.

“Something that becomes glaringly apparent in analyzing ransomware incidents is that the current industry and government-accepted approaches and frameworks for dealing with malware problems aren’t effective,” the researchers write.

“Enterprises that suffer from ransomware aren’t infected because they lack up to date antivirus software or because they chose the blue vendor instead of the red vendor.

They’re encountering ransomware because they haven’t considered developing countermeasures that will prevent the initial foothold that is obtained by precursor malware like Emotet, Zloader, and Qakbot (to name a few).”

The researchers recommend that organizations restrict the execution of Microsoft Office macros, secure all remote access points with two-factor authentication, and lock down Citrix and Remote Desktop Protocol tools. Most ransomware attacks are a result of unsecured remote access tools or an employee being tricked into enabling macros in an Office document.

New-school security awareness training enables your employees to follow security best practices and thwart social engineering attacks.

Advanced Intelligence has the story:
How to Spit the (Phish) Hook

Users should act as quickly as possible after they realize they’ve fallen for a phishing attack, according to Mallika Mitra at Money. The faster your IT department can contain a malware infestation or a compromised account, the less damage an attacker can cause.

“If you do fall for a phishing scam on your work email, immediately alert your IT department so they can mitigate the damage on their end and stop it from spreading,” Mitra writes. “If the phish happened on your personal email, run an antivirus scan on your computer by downloading and installing antivirus software to ensure no malware has been installed.”

Mitra also offers useful advice to people who may have handed over personal or financial information to a scammer.

“The FTC lists additional steps to take based on what kind of information you gave the scammer,” Mitra says. “If he got your Social Security number, the agency advises, sign up for regular credit reports, file your taxes early to get a jump on the scammer trying to do the same and consider placing a credit freeze on your report.

If he got your banking information, call your bank and ask to close your account and open a new one. Keep a close eye on future transactions: monitor your bank statement for charges you don’t recognize or set up alerts for account balance changes.”

Obviously, it’s still best to avoid falling for a phishing attack in the first place. Mitra says users can thwart these attacks by keeping an eye out for known warning signs as well as being wary of suspicious requests for information.

“The best thing you can do to protect yourself against phishing emails is to be vigilant,” she says. “We’re not telling you to double-check for every red flag we’ve listed in every email you receive, but trust your instincts. If an email seems at all fishy—or makes you panic—take those extra precautions to ensure you’re not giving bad actors free rein over your personal information or compromising your computer system.

Keep in mind that Amazon, Target or any of the other organizations scammers pretend to be from probably aren’t going to ask you for details like financial information via an email.”

Money has the story:

And oh, get your users the free Phish Alert Button so that they can report anything phishy to your Incident Response Team immediately.
What KnowBe4 Customers Say

"Dear Mr. Sjouwerman, your Security Awareness platform is Awesome! Our organization has been a KnowBe4 client for almost two years and we are happy we made the switch from one of your competitors. The content, functionality and support have been outstanding.

As we moved into the COVID world in March 2020, it became clear that we, as an organization, needed to elevate the intensity and awareness for staff around security education and readiness in a remote environment. By using the KnowBe4 platform, we have been able to accomplish the education and readiness of our staff!

As we all know, the cybercriminals only have to be right once so staff need to be continuously trained. Whether it is the simulated phishing tests, security training videos and games, or vishing, we have been pleased with all of the modules/products available to us from KnowBe4.

And I would like to acknowledge our Success Manager, Arthur, who has been with us from the beginning; his support and encouragement have been tremendous. We all feel that Arthur really does care about our success. Please keep doing what you are doing!
- H.P., IT Director
The 10 Interesting News Items This Week
    1. New Sunspot malware found while investigating SolarWinds hack:

    2. SolarLeaks site claims to sell data stolen in SolarWinds attacks. Misdirection?:

    3. SolarWinds hackers also used common hacker techniques, CISA revealed:

    4. Scam-as-a-Service operation made more than $6.5 million in 2020:

    5. Ransomware attacks now to blame for half of healthcare data breaches:

    6. Hackers leaked altered Pfizer data to sabotage trust in vaccines:

    7. Ultra-sophisticated "Harvard Professor" Phishing Scam:

    8. Hackers bypass MFA to access cloud service accounts. Shocking! Who could have ever thought that was possible? They used phishing to do it:

    9. Further Fall-Out from Russian Hacking of SolarWinds:

    10. Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.
