CyberheistNews Vol 11 #32 [Heads Up] The Cyber Insurance Industry Is Wrongly Hedging Its Bets On MFA

CyberheistNews Vol 11 #32
[Heads Up] The Cyber Insurance Industry Is Wrongly Hedging Its Bets On MFA

By Roger Grimes

Because of ransomware attacks, I have been covering the cybersecurity insurance industry for a few years, including here. I even have a whole chapter dedicated to cybersecurity insurance in my forthcoming Wiley book, “The Ransomware Protection Playbook."

The damage caused by ransomware gangs has increased so much over the last two years that average cybersecurity insurance policy coverage amounts are plummeting, premiums are rising (doubling in many cases), deductibles are increasing, and exclusionary policy “outs” are increasing.

It is a moment of reckoning for both potential victims and the cybersecurity insurance industry. Insurance brokers are also responding by requiring better computer security from a customer before they can even get insurance. Usually that means that they pass a vulnerability scan and prove to have at least average cybersecurity hygiene to even begin to think about getting a policy.

The cybersecurity insurance industry, and many other guides and regulatory agencies, seem to think that requiring the use of multi-factor authentication (MFA) is the ultimate answer to everyone’s concerns. And it is not!

Last week, I was watching a great speaker from one of the world’s biggest insurance companies, talking about ransomware, discuss how using MFA would prevent 99% of attacks. It is not true. It will never be true.

The 99% figure pops up all over the place. Just use MFA and you will never need to worry about hackers or malware, they claim. You will have a very hard time getting cybersecurity insurance without proving you use MFA. It is the binary litmus test. You either use MFA or you do not. You want cybersecurity insurance, then get MFA. MFA is being sold as the Holy Grail of computer security. And it is not.

I even wrote a book on the subject, “Hacking Multifactor Authentication”. You do not need to buy the book because KnowBe4 offers a ton of free content that we created about the same subject, including these:
  • Many Ways to Hack MFA webinar
  • 12 Ways to Hack 2FA eBook
  • Multifactor Authentication Security Assessment tool
If you do not have time for even those, let me give you the very shortened Cliffs Notes version:
  • MFA is good, it significantly reduces the risk of many types of popular attacks
  • Use MFA where you can, but you will not be able to use it to protect most things
  • A very sizable portion of hacking either does not care about your MFA solution or can hack around it, sometimes easily so
  • If you deploy or use MFA, make sure to educate yourself about what attacks can still bypass or ignore your type of MFA solution
  • If MFA is used by 100% of people, hacking and malware will still be highly successful
There is a huge difference between saying that MFA significantly reduces the risk of many types of hacking and malware and saying you do not need to worry about hackers and malware!

Or let me put it this way. I spent much of my 34-year computer security career helping companies get significantly more secure. A lot of that effort was spent helping to deploy advanced computer security systems and a lot of MFA. And every company that deployed MFA was just as likely to be successfully exploited after they deploy MFA as before. How? Usually, social engineering and unpatched software.

This conclusion was the majority of the reason I left Microsoft and decided to go to work for KnowBe4. KnowBe4 is tackling the biggest risk to any environment – social engineering. I wanted to help people focus on and fight the biggest cybersecurity risk they have. I have dedicated the rest of my life to doing the same.

[New PhishER Feature] Turn The Tables On The Cybercriminals With PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature which automatically replaces active phishing threats with a new defanged look-alike back into your users’ mailbox.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us TOMORROW, August 18 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER product including our new PhishFlip feature. With PhishER you can:
  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, August 18 @ 2:00 PM (ET)

Save My Spot!
Spear Phishing Becomes A Bigger Problem As The Average Org Is Targeted 700 Times A Year

With threat actors honing their trickery skills to craft the perfect email used to fool a would-be victim recipient, new data shows cybercriminals are stepping up their game on a number of fronts.

Spear phishing only works when the misleading email content is relevant to the recipient. It’s one of the reasons social engineering plays such a critical role in today’s email-based attacks. According to security vendor Barracuda’s latest report, Spear Phishing: Top Threats and Trends, organizations are experiencing far more convincing and impactful campaigns that are focused on a wider range of roles in the organization than ever before:
  • 1 in 10 attacks are Business Email Compromise (BEC) attacks
  • 77% of BEC attacks target employees outside of finance and executive roles
  • Even so, the average CEO receives 57 targeted phishing attacks each year
  • IT staff still receive an average of 40 per year
  • Microsoft remains the top impersonated brand with WeTransfer in at number two
According to Barracuda, the roles targeted within an organization extend well-beyond that of the CEO or IT, making every employee a potential target. There is an interesting graph that shows the different employee groups and the attacks per mailbox at the KnowBe4 blog:
Do Users Put Your Organization At Risk With Browser-Saved Passwords?

Cybercriminals are always looking for easy ways to hack into your network and steal your users’ credentials.

Verizon’s Data Breach Investigations Report shows that attackers are increasingly successful using a combo of phishing and malware to steal user credentials. In fact, Password Dumpers takes the top malware spot making it easy for cybercriminals to find and “dump” any passwords your users save in web browsers.

Find out now if browser-saved passwords are putting your organization at risk.

KnowBe4’s Browser Password Inspector (BPI) is a complimentary IT security tool that allows you to analyze your organization’s risk associated with weak, reused, and old passwords your users save in Chrome, Firefox, and Edge web browsers.

BPI checks the passwords found in the browser against active user accounts in your Active Directory. It also uses publicly available password databases to identify weak password threats and reports on affected accounts so you can take action immediately.

With Browser Password Inspector you can:
  • Search and identify any of your users that have browser-saved passwords across multiple machines and whether the same passwords are being used
  • Quickly isolate password security vulnerabilities in the browser and easily identify weak or high-risk passwords being used to access your organization’s key business systems
  • Better manage and strengthen your organization's password hygiene policies and security awareness training efforts
Get your results in a few minutes! They might make you feel like the first drop on a roller coaster...

Find Out Now:
DarkSide Ransomware Returns As BlackMatter After Sudden Shutdown Of Operations

Probably the world’s most notorious ransomware gang disappears completely and subsequently reappears with new branding in an attempt to separate themselves from the types of attacks that originally brought them fame.

Darkside was the group behind most of the recent attacks on critical infrastructure companies in the U.S. and even faced scrutiny from the U.S. Government. After being shut down in May, the group announced it would shut down operations. What has turned out to be a law enforcement exercise that recovered most of the bitcoins paid in the attack on Colonial Pipeline, seems to have made a loud statement by the U.S. to the DarkSide folks: stay away from our critical infrastructure.

From the ashes rises BlackMatter - encryption algorithms were the giveaway – a rebranding of DarkSide with a clear message that they are officially not attacking specific types of businesses that would put them back into the same mess.

From their BlackMatter website on the dark web:
Mission Possible: Turning Compliance Into Tangible Security

The average compliance document is dozens to hundreds of pages long and includes numerous controls. And you’re expected to meet all those controls to regulatory satisfaction. The problem with that is most organizations are forced to do “checklist security” with very little consideration given to actually improving their security stance.

Your mission, should you choose to accept it (i.e. Mission Possible), is to determine how to turn compliance into meaningful risk reduction. And luckily, Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, 30-year security veteran, and former auditor is here to help!

In this on-demand webinar, Roger will help you develop a plan to prioritize these controls so you turn compliance requirements into tangible security improvements.

In this session you will learn:
  • Why compliance and security goals conflict rather than complement
  • How to ensure compliance improves your security posture
  • How to create a data-driven compliance management plan
Gain the insight you need to turn compliance into a security asset.

Watch the Webinar Now!
[Eye Opener] AI Wrote Better Phishing Emails Than Humans In A Recent Test

I have been talking about this here for a few years now, but it's almost a scary reality today.

Researchers presented at Defcon how they used OpenAI's GPT-3 platform in an automated workflow together with other AI-as-a-Service products to create spear phishing emails that were tailored to their 200 co-worker's personalities and background.

They created a pipeline that used multiple services to refine the attack before it was sent to the recipients. They mentioned that the emails sounded "weirdly human" and mentioned local specifics like Singapore data security regulation.

Granted, this was done by insiders with a bit more insight in what would work, but they were surprised to find that more colleagues clicked the links in the AI-generated messages than the human-written ones—by a significant margin.

Eugene Lin, associate cybersecurity specialist at GTA said: "When we added personalization, the AI pipeline performed even better, reaching up to 60% clicks in the first engagement." Moreover, the researchers found that the AI pipeline was very effective at getting test subjects to not only click on a link, but also fill out a form field — with conversion rates of up to 80%.

Bruce Schneier commented: "It’s just a matter of time before this is really effective. Combine it with voice and video synthesis, and you have some pretty scary scenarios. The real risk isn’t that AI-generated phishing emails are as good as human-generated ones, it’s that they can be generated at much greater scale."

Here are a few articles with more background data. The researchers commented that employee anti-phishing training needs to be further emphasized. We could not agree more.

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: You Can Now Get Your Official Security Awareness and Culture Professional SACP™ Credentials:

PPS: Your KnowBe4 Fresh Content Updates from July:

Quotes of the Week
"Whatever you can do, or dream you can, begin it. Boldness has genius, power and magic in it.":
- Johann Wolfgang von Goethe - Writer (1749-1832)

"Friendship improves happiness and abates misery, by the doubling of our joy and the dividing of our grief."
- Marcus Tullius Cicero - Orator and Statesman (106 - 43 BC)

Thanks for reading CyberheistNews

Security News
FTC Warns Against Unemployment Insurance Phishing Face Plants

The US Federal Trade Commission (FTC) has issued a warning about smishing scams targeting unemployed people through their phone.

“Identity thieves are targeting millions of people nationwide with scam phishing texts aimed at stealing personal information, unemployment benefits, or both,” the FTC says. “The phishing texts try to dupe you to click a link to ‘make necessary corrections’ to your unemployment insurance (UI) claim, ‘verify’ your personal information, or ‘reactivate’ your UI benefits account.

The link takes you to a fake state workforce agency (SWA) website that may look very real. There, you’re asked to input your website credentials and personal information, like your Social Security number. Fraudsters can use the information to file fraudulent UI benefits claims or for other identity theft.”

One of the phishing templates purports to come from either the Wisconsin or Minnesota unemployment insurance agencies. The text includes a deadline to ensure recipients act quickly.

“We are making some exciting changes to improve your UI & PUA Benefit security features,” the text reads. “You are required to verify your UI & PEUC Benefit Profile information with us to activate these features. Your Benefit Profile will be deactivated 48 hours if no response was received. Visit [Link] to verify now.”

Another text states, “The department of labor has noticed some discrepancies in your unemployment claim profile.” The text includes a link for the recipient to make corrections to their profile, which will presumably steal their information.

The FTC stresses that state governments will not send you text messages that ask for sensitive information.

“Know that state agencies do not send text messages asking for personal information,” the FTC says. “If you get an unsolicited text or email message that looks like it’s from an SWA, don’t reply or click any link.”

New-school security awareness training enables your employees to make smart security decisions and avoid falling for social engineering scams in their professional and personal lives.

The FTC has the story:
What KnowBe4 Customers Say

"I wanted to give our rep Kirstie H some props. She has been awesome. She answers all of my matter how simplistic they are. She gives very good advice. She really is great, always enthusiastic and willing to help right away. Please tell her she owes me $20.00 for saying this stuff. Kidding.

I really do think she is a very valuable asset to your company. She is well trained and has excellent customer service skills. She has made our experience with KB4 a pleasant one."
- U.R., System Administrator
The 10 Interesting News Items This Week
    1. Putin Is Crushing Biden’s Room to Negotiate on Ransomware:

    2. [HUMOR] Huawei to America: "You're not taking cyber-security seriously until you let China vouch for us":

    3. BlackMatter ransomware gang rises from the ashes of DarkSide, REvil:

    4. U.S. senators target ransomware by targeting countries that allow it:

    5. New Chinese Spyware Being Used in Widespread Cyber Espionage Attacks:

    6. LockBit ransomware recruiting insiders to breach corporate networks:

    7. Gartner: "3 Actions Help You Train Employees to Be More Cybersecurity Conscious":

    8. More than 12,500 vulnerabilities disclosed in first half of 2021: Risk Based Security:

    9. Disgruntled ransomware affiliate leaks the Conti Ransomware gang’s technical manuals:

    10. WSJ: U.S. taps tech giants to bolster defenses against cyber threats after a string of high-profile cyberattacks:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog

Cybersecurity Awareness Month Resource Kit

Get the latest about social engineering

Subscribe to CyberheistNews