CyberheistNews Vol 11 #04 [NEW] The 10 Phases of Organizational Security Awareness

[NEW] The 10 Phases of Organizational Security Awareness

After 10 years of continued expansion in the security awareness space and providing our platform to tens of thousands of customers, we have observed a certain progression of organizational security awareness over time.

The speed of this progression differs by org size, geolocation, and industry, but we see the same pattern return over and over. In certain cases some steps are omitted. In other cases a few steps are taken at the same time. Ultimately, however, most orgs see the same ideal end scenario. Let's step through these 10 phases so you can determine where your own organization is in this process.
  • 1) Increased Technical Awareness for InfoSec and IT Pros
InfoSec and IT Pros feel the pain first. Infected workstations and ransomware attacks keep them on the defense and backlogged. Many of these professionals see the need for security awareness, but sometimes have been discouraged by the unworkable old-school practice of stepping users through 15 minutes of compliance-driven training. Quite a few of these pros understand the risks of relying on software-driven controls only.
  • 2) Awareness Content Delivery for End-Users
Here is where first-generation training videos replace the break-room death-by-PowerPoint presentations. Delivery is usually not very trackable, but it's a start.
  • 3) Platform Automation Enables Compliance Requirements
Training delivery is automated through an internal or external Learning Management System (LMS) so that compliance requirements are easier to fulfill. This is very dependent on the size of the org; larger ones have an on-prem or cloud-based LMS used for general training purposes.
  • 4) Continuous Testing
This phase demonstrates a significant shift toward the 'Zero Trust' model where the employee after training gets tested frequently to make sure that the acquired knowledge has actually become a skill that is applied in practice and does not disappear over time (use it or lose it).
  • 5) Security Stack Integrations
At this stage, "phish alert buttons" are deployed to the end-users' email client so that they can report any phishy emails to the Incident Response team or SOC who can then take action.
  • 6) Security Orchestration
The next phase is that these reported emails are integrated into a security workstream which quickly evaluates the risk level and in case an active attack is in progress, can automatically reach into the inbox of all users and rip out malicious messages before further damage is done.
  • 7) Advanced User Behavior Management
Having in-depth risk metrics about both individual users and groups of users, orgs can now create tailored campaigns based on observed risky behavior. An example is scanning the dark web for breached org credentials and bad password usage, then sending individual training modules to those high-risk users.
  • 8) Adaptive Learner Experience
The next phase is the end-user having a localized UI where they can see their individual risk score, get badges, and start to participate in the learning experience. This is also the phase where advanced metrics allow AI-driven campaigns in which each user gets highly individualized security awareness training.
  • 9) Active User Participation in Security Posture
Here is where the user becomes aware of their role in your org's defense and actively chooses additional training to reduce their risk score. They participate in awareness campaigns, become a local awareness champion, and understand they themselves have become the endpoint.
  • 10) Human Endpoint as Strong Last Line of Defense
The ultimate state where each employee is sufficiently aware of the risks related to cyber security, and makes smart security decisions every day, based on a clear understanding of those risks. The current WFH environment has accelerated the need for this significantly.

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, February 3 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users:
  • NEW! AI Recommended training suggestions based on your users’ phishing security test results.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • NEW! 2021 Training Modules now available in the ModStore.
  • Did You Know? You can upload your own SCORM training modules into your account for home workers.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 35,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, February 3 @ 2:00 PM (ET)

Charming Kitten Phishing and Smishing Attacks Use Legitimate Google Links and a Tricky Redirection Strategy to Fool Security Solutions

This breakdown of the latest attack from the Charming Kitten cybercriminal gang shows just how much thought goes into obfuscating their tactics and evading detection.

I’ve covered stories in the past where phishing attacks utilized well-known domains to keep from being detected, such as SharePoint Online, where the initial target site is credible enough to keep some security solutions from seeing the link as being malicious.

In the case of a recent attack by cybercriminal group Charming Kitten (also known as APT35), the attack uses some pretty sophisticated tactics to avoid detection:
  • The initial link sent in text or email is a google(.)com link that points to an address with some specific parameters including an identifier so the bad guys know it’s one of their redirects
  • The matches the included identifier and redirects the visitor to a predefined unique URL for that specific victim
  • The third URL used is a redirection short URL. The really brilliant part is that initially, when used in conjunction with email-based phishing, the redirect points to a legitimate and benign webpage so that email scanners that traverse redirection will see it as legitimate. Once the email hits the Inbox, the redirect is changed to the malicious address
  • Once the victim hits the final malicious address, a spoofed logon page is presented to attempt to steal the victim’s Google credentials
  • The user-specific malicious redirect is reconfigured back to a legitimate domain to hide the tracks of Charming Kitten
It’s evident that folks like Charming Kitten are putting a lot of effort and thought into avoiding detection before, during, and after the attack. This makes it nearly impossible for security solutions alone to protect users from such attacks. Users themselves need to be educated using Security Awareness Training to be watchful for unsolicited email and text messages – even when they appear to come from Google.

See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, February 3 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we’ve added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Wednesday, February 3 @ 1:00 PM (ET)

[INFOGRAPHIC] Q4 2020 Work From Home Phishing Emails on the Rise

KnowBe4's latest quarterly report on top-clicked phishing email subjects is here. These are broken down into three different categories: social media related subjects, general subjects, and 'in the wild' attacks.

Hackers Continue to Prey on a Remote Workforce

Phishing email attacks leveraging COVID-19 were on every quarterly report in 2020, but there were not as many at the top of the list in Q4 as in previous quarters. However, we still see a lot of subjects related to working remotely as well as security-related notifications.

It’s no surprise that phishing attacks related to working from home are increasing given that many countries around the world have seen their employees working from home offices for nearly a year now.

Just because employees may be more used to their home office environment doesn’t mean that they can let their guard down. The bad guys deploy manipulative attacks intended to strike certain emotions to cause end users to skip critical thinking and go straight for that damaging click.

Don't Dismiss Social Media as a Phishing Concern

We have seen a pattern of fake LinkedIn messages topping this list for the past three years. There is likely a perception that these emails are legitimate because they appear to be coming from a professional network. It's a significant problem because many LinkedIn users have their accounts tied to their corporate email addresses. Top-clicked subjects in this category reveal password resets, tagging of photos and new messages.

Do Users Put Your Organization at Risk With Browser-Saved Passwords?

Cybercriminals are always looking for easy ways to hack into your network and steal your users’ credentials.

Verizon’s 2020 Data Breach Investigations Report shows that attackers are increasingly successful using a combo of phishing and malware to steal user credentials. In fact, password dumpers take the top malware spot, making it easy for the bad guys to find and “dump” any passwords your users save in web browsers.

Find out now if browser-saved passwords are putting your organization at risk.

KnowBe4’s Browser Password Inspector (BPI) is a complimentary IT security tool that allows you to analyze your organization’s risk associated with weak, reused, and old passwords your users save in Chrome, Firefox, and Edge web browsers.

BPI checks the passwords found in the browser against active user accounts in your Active Directory. It also uses publicly available password databases to identify weak password threats and reports on affected accounts so you can take action immediately.

With Browser Password Inspector you can:
  • Search and identify any of your users that have browser-saved passwords across multiple machines and whether the same passwords are being used
  • Quickly isolate password security vulnerabilities in the browser and easily identify weak or high-risk passwords being used to access your organization’s key business systems
  • Better manage and strengthen your organization's password hygiene policies and security awareness training efforts
Get your results in a few minutes! They might make you feel like the first drop on a roller coaster!


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: KnowBe4 Unveils Official Trailer for ‘The Inside Man’ Season 3:

PPS: Every year, Glassdoor recognizes the top 100 employers dedicated to cultivating a best-in-class company culture. This year’s winners all have one thing in common: their employees say they feel supported and empowered to do their best work, even amid unprecedented challenges. Check #16.

Quotes of the Week
"A purpose is the eternal condition of success."
- Theodore T. Munger, Author (1830 - 1910)

"Yesterday's the past, tomorrow's the future, but today is a gift. That's why it's called the present."
- Bil Keane, Cartoonist (1922 - 2011)

Thanks for reading CyberheistNews

Security News
User Risks Lead to Remote Device Malware Infections During Weekends

More than half of organizations surveyed had a remote device compromised by malware last year, according to Wandera’s Cloud Security Report for 2021.

Wandera’s researchers found that “52% of organizations experienced a malware incident on a remote device in 2020, up from 37% in 2019.” Meanwhile, 37% of these compromised devices maintained access to corporate emails, while 11% had access to the organization’s cloud storage.

Many of these incidents occurred because users either fell for a social engineering attack or exercised poor security habits, such as downloading suspicious apps.

“Phishing remains the number one threat impacting users on portable devices,” the researchers say. “Phishing attacks typically focus on topics, brands or themes that have a high chance of luring victims. For example, each year around tax season, there is an uptick in phishing attacks posing as the IRS, the HMRC (UK), and the ATO (Australia).

Likewise, during the first half of this year we identified an uptick in traffic going to COVID-19-related phishing sites, and even the emergence of a fake Clorox e-commerce site.”

Interestingly, the researchers found that phishing attempts were slightly more common on the weekends. “While looking for other phishing trends that emerged in 2020, we noticed phishing attacks are reaching users the most on Saturdays,” the report states. “At their peak during the weekend, phishing attacks are 6% more frequent than during the weekday peak.

This reinforces the idea that while employees are not in ‘work mode,’ they are more susceptible to phishing attacks on corporate devices due to being in a relaxed state of mind.”

Wandera also found that 80% of employees accessed public Wi-Fi for work-related activities, and 3% of mobile devices used for work had their lockscreens disabled. It only takes one employee to fall for a phishing email for an attacker to gain a foothold within your organization’s network. New-school security awareness training can teach your employees to recognize social engineering attacks and follow security best practices. (And follow them especially on the weekends.)

FBI Warns of Vishing Attacks

The US FBI has issued a Private Industry Notification warning companies to be on the lookout for voice phishing attacks, also known as “vishing.” The Bureau says criminals have used these tactics to successfully infiltrate large companies in the US and around the world.

“The cyber criminals vished these employees through the use of VoIP platforms,” the alert says. “Vishing attacks are voice phishing, which occurs during a phone call to users of VoIP platforms. During the phone calls, employees were tricked into logging into a phishing webpage in order to capture the employee’s username and password.

After gaining access to the network, many cyber criminals found they had greater network access, including the ability to escalate privileges of the compromised employees’ accounts, thus allowing them to gain further access into the network often causing significant financial damage.”

The Bureau offers the following advice for organizations:
  • “Implement multi-factor authentication (MFA) for accessing employees’ accounts in order to minimize the chances of an initial compromise.
  • “When new employees are hired, network access should be granted on a least privilege scale. Periodic review of this network access for all employees can significantly reduce the risk of compromise of vulnerable and/or weak spots within the network.
  • “Actively scanning and monitoring for unauthorized access or modifications can help detect a possible compromise in order to prevent or minimize the loss of data.
  • “Network segmentation should be implemented to break up one large network into multiple smaller networks which allows administrators to control the flow of network traffic.
  • “Administrators should be issued two accounts: one account with admin privileges to make system changes and the other account used for email, deploying updates, and generating reports.”
New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize social engineering attacks and follow security best practices.

Familiar Advice, But Worth Repeating

Researchers at ESET outline some security best practices to avoid falling for phishing emails. In an article for TechZone360, the researchers explain how to identify suspicious links.

“Before clicking on an embedded link in the body of an email, inspect it first!” ESET says. “Hackers often conceal malicious links within emails, and mix them with genuine links to trick you. If the hyperlinked text isn’t identical to the URL that pops up when you hover over the link, that’s a sign of a malicious link.

It might take you to a site you don’t want to visit, or even install a virus on your computer. To prevent this from happening, don’t trust any unmatching URLs or links that seem irrelevant to the content in the rest of the email.”

Additionally, attackers can easily create deceptive email addresses, in some cases after compromising a legitimate server. “Cybercriminals often create new email addresses for phishing scams,” ESET says. “Hover over the sender’s email address and make sure it matches other emails you’ve received from that person or company and doesn’t contain any additional numbers or letters.

For example, johnsmith@telstra[.]com is more legitimate than johnsmith24@telstra[.]com or johnsmith@telstra24[.]com. While some companies do use varied domains or third-party providers to send emails, that’s the exception — not the rule. So, be wary of any emails with unusual addresses.”

Finally, while some phishing emails will have perfect spelling and grammar, typos and awkward writing are major red flags.

“Poorly written or grammatically incorrect emails are a dead giveaway of a scam,” ESET writes. “If you spot typos or mistakes in the subject line, don’t open the email because it could be a phishing scam. And if you read an email and it’s riddled with mistakes or odd turns of phrase, that points to a potential scam. Emails from legitimate companies are often crafted by professional writers and edited for spelling and syntax.

Interestingly, many cybersecurity professionals believe that hackers write ‘bad’ emails on purpose to hook the most gullible targets.”

Phishing emails can target anyone, and attackers only need to fool one employee to gain a foothold within your network. New-school security awareness training with simulated phishing tests can help your employees recognize these attacks.
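
The two checks ESET describes (link text that does not match the real URL, and a sender address that differs from a known one by a few extra characters) can also be automated for reported emails. The following is an added example, not code from ESET or KnowBe4; the sample HTML, the known-sender list, the function names and the 0.85 similarity threshold are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample data, not taken from any real message.
SAMPLE_HTML = """
<p>Invoice: <a href="https://billing.example.net/login">https://portal.example.com/invoices</a></p>
<p>Read our <a href="https://www.example.com/privacy">privacy policy</a>.</p>
<p>Help: <a href="https://www.example.com/help">example.com/help</a></p>
"""
KNOWN_SENDERS = {"johnsmith@example.com", "billing@example.com"}

# Visible text that itself looks like a URL or bare host name.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)

def host_of(value):
    """Lower-cased host of a URL or bare 'host/path' string, without 'www.'."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value
    host = (urlsplit(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return (shown text, real href) pairs whose hosts differ."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return [
        (text, href)
        for href, text in collector.links
        # Wording such as "privacy policy" makes no claim about a host.
        if URL_LIKE.match(text) and host_of(text) != host_of(href)
    ]

def lookalike_sender(address, known, threshold=0.85):
    """Return the known address an unknown sender closely imitates, or None.

    The 0.85 similarity threshold is an assumption chosen for this example.
    """
    address = address.strip().lower()
    if address in known or not known:
        return None
    best = max(known, key=lambda k: SequenceMatcher(None, address, k).ratio())
    return best if SequenceMatcher(None, address, best).ratio() >= threshold else None
```

A match from either function is a reason to look closer, not a verdict: legitimate mail sent through third-party providers can trip the link check, as the ESET quote itself notes.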

What KnowBe4 Customers Say

"I’ve leveraged your product at a prior organization, as well as for the last year in my new role with here. I’ve been a large proponent of the team's capabilities and the services your organization provides. Recently, I’ve been completely impressed with your PhishER platform and PhishRIP capabilities. They are quite honestly the simplest and most streamlined security tools I’ve used over my career.

All that to be said, while I’ve been a supporter of your brand and the value you provide to the organizations I’ve been with for the last several years – it is 100% the people that you’ve hired for support and customer engagement that has kept your organization as top tier when it comes to security awareness.

Over the last year, I’ve had the privilege of working with GregN as we implemented KnowBe4 into an organization with limited to no security awareness previously.

Greg has done an excellent job of coming along side me and working within me to tailor the right security awareness approach to the organization. He hasn’t just sent me instructions regarding how to implement any of the features / solutions, but has joined with me on the support calls to actively build out a sustainable and automated security awareness approach to the organization with me. All the best in your continued success! [edited for brevity]
- C.J., IT Manager, Security and Operations

"Mr. Sjouwerman, I want to commend KristinA for the excellent work she does. In my dealings with her, she has been extremely efficient and dependable. In addition, she is willing to go the extra mile. One example (and I could give you more): I am in Oregon and she is in Florida. I contacted her after 6:00pm Eastern time, and she got back to me that night. Kristin is a real credit to your company."
- N.D., Systems Administrator

"Hi Stu, just wanted to pass along that it was great to work with LoganG on our recent renewal of our KnowBe4 subscription. She was very responsive and effectively addressed my concerns about the renewal so we could move forward w/ executing that order."
- A.J., Sr. Director, Information Technology
The 10 Interesting News Items This Week
    1. Organizations Should Establish ‘Blame-Free Employee Reporting’ of Suspicious Activity, CISA Says
    2. FireEye releases tool for auditing networks for techniques used by SolarWinds hackers
    3. Malwarebytes said it was hacked by the same group who breached SolarWinds
    4. Q4 2020 KnowBe4 Finds Work From Home-Related Phishing Email Attacks on the Rise
    5. Microsoft shares how SolarWinds hackers evaded detection
    6. Online scams: How to give scammers a taste of their own medicine
    7. Hacking Back Unpacked: An Eye For An Eye? Not So Fast
    8. SEPA cyber-attack 'likely to be work of global organized crime groups'
    9. Charming Kitten’s Christmas Gift
    10. Nowhere To Hide: Controllers have “Constructive Awareness” Of Processor Data Breaches
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.