CyberheistNews Vol 12 #02
During 2019, I came to the conclusion we were way overdue for a vendor-neutral industry certification for professionals in our security awareness space. I literally scratched my head and asked myself why no one had done this yet.
I called all the usual "certification bodies," but none of them could fit this in their "foreseeable future roadmap." Being one of the pioneers in this industry, I decided I would take the initiative and sponsor the creation of an independent certification designed specifically for this new high-demand job role.
However, I had to find out how. That was a super interesting learning curve. It took quite a bit of research, calling experts, and finding out how certifications were developed, tested, validated, marketed and how they actually were run in testing centers.
I discovered the people behind some of those very prestigious certifications you have wanted yourself, and asked them how a new cert like this could be made into a reality.
To a large degree, it's a sizable group of subject matter experts spending quite a bit of time, following a well-defined and trusted process to make sure that the certification is recognized, valid and valuable.
We were able to gather the SMEs, money and time, and during 2021 the whole project was completed and the new certification was released by the great team of H Layer Credentialing (That "H" stands for Human). It was an impressive amount of work by dozens of people. Thank you so much, you know who you are.
But then there remained one small challenge: I had to pass the exam myself!
So, here are the three tips that helped me:
- Inside KnowBe4 there is a Slack SAP-study channel, so I subscribed and started cramming for the exam myself. It became clear that there was one book covering most of the exam topics: "Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors" by KnowBe4's Perry Carpenter who also helped with the creation of the certification. It links to a wealth of resources for further study if you want to drill down into topics. Here is the link to Amazon:
- If you have time during a commute, or like the "Lunch & Learn" concept, Perry's "8th Layer Insights" is a great podcast that goes into detail on a bunch of security awareness topics with industry celebrity interviews which definitely helps pass the exam:
- The third tip I got from Knowster Lisa Woffinden, who recently passed the SACP Exam: "You want to make sure to read the whole question, word by word, twice before even looking at the answers. Skipping a single word in the question may cause you to choose a wrong answer. No rushing or skimming! This is where 'Do it right the first time' is so important."
And fortified with these tips and cramming over the New Year's long weekend I trekked over to Pearson | VUE at the Clearwater Campus of the Pinellas Technical College, took the exam Thursday Jan 6, 2022, and PASSED. Woo Hoo! See my updated signature below.
Here is more about the credential. H Layer Credentialing has an extensive site with super useful resources, how to apply, and where to take the test. Good luck, this is worth it!
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, January 12 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at new features and see how easy it is to train and phish your users.
- NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history
- NEW! Brandable Content feature gives you the option to add branded custom content to select training modules
- NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry
- Did You Know? You can upload your own SCORM training modules into your account for home workers
- Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes
Date/Time: TOMORROW, Wednesday, January 12 @ 2:00 PM (ET)
Save My Spot!
Scammers are sending phony accusations of copyright infringement to Instagram users in a new phishing attack, Paul Ducklin writes at Naked Security. The scammers are taking advantage of the fact that many Instagram pages with large followings are concerned about being banned for posting copyrighted content.
The attackers are sending emails with a link to appeal the bogus accusation. If a user clicks the link, they’ll be taken to a spoofed Facebook page that has a picture of a real post from the user’s Instagram page. The page then asks the user to enter their password to login to their Instagram account, which will be sent to the attackers. After this, the user will be redirected to the real Instagram copyright page, which helps avoid any suspicion.
Ducklin offers the following advice to avoid falling for these scams. Here are the highlights; the blog post has more detail you can send to users:
- Don’t click "helpful" links in emails. Learn in advance how to handle Instagram copyright complaints
- Think before you click. Although the website name in this scam is somewhat believable, it’s clearly not Instagram
- Use a password manager and 2FA whenever you can
- Talk to a friend you know face-to-face who’s done it before
You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.
KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.
Join us TOMORROW, Wednesday, January 12 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
- NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
- Vet, manage and monitor your third-party vendors' security risk requirements
- Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
- Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
- Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due
Save My Spot!
Despite a drop in crypto scams in 2020 due to the pandemic, a new report highlights the massive 2021 growth in crypto scams and the profitable results they’re yielding.
I recently covered a new scam promoting the faux “presale” of Amazon tokens – this scam is one of countless others all taking a similar approach. The main motive is either to gain interest in a bogus token that doesn’t exist (as in the Amazon scam) or to build interest in a new crypto and then ditch the project after victims invest. These scams are referred to as “rug pull” scams.
According to crypto analysis firm Chainalysis’ 2022 Crypto Crime Report, it’s these “Rug Pull” scams that account for the huge uptick in crypto scams in 2021. According to the report, the lion’s share of the growth in 2021 profits came from Rug Pulls.
In addition to Rug Pulls, investment scams, scams in which victims are promised high investment returns in exchange for putting up crypto assets they will never see again, are also on the rise. According to the Chainalysis data, the number of investment scams rose in 2021 by over 60%.
Most investment scams last an average of just 70 days (that’s down from 192 in 2020). Even the U.S. Securities and Exchange Commission recently put out a notice about the danger of these investment scams.
Novice and professional investors alike should be wary of scams that claim to make much higher investment returns legitimately than, say, the stock market. An investor’s desire to make a quick buck because they’re “in early” on a new crypto, etc. likely isn’t going to pan out the way they hoped.
Blog post with charts, links and SEC Alert:
We thought it was bad enough when traditional ransomware started to steal data in its second generation of evolution, now dubbed "double extortion." The third stage of ransomware is beginning to happen now and will make us wish for the good, old days of Ransomware 2.0.
Attend this presentation to learn how ransomware is evolving to inflict maximum damage and more importantly how to protect yourself and your organization.
Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4, was among the first to warn the world about Nuclear Ransomware 2.0 - the almost accidental attacks that became a storm.
Here is his latest early warning.
In this webinar you'll learn:
- How ransomware is evolving beyond double extortion, what's coming next
- The likely end-state of ransomware and how it will extract maximum value from each victim
- Proven best practice defenses that you need to follow to avoid becoming a victim
- How to empower your users to be the best, last line of defense when everything else fails
Date/Time: Wednesday, January 19 @ 2:00 PM (ET)
Save My Spot!
Let's stay safe out there.
Stu Sjouwerman, SACP
Founder and CEO
PS: Your KnowBe4 Fresh Content Updates from December 2021:
PPS: This post remains super popular month after month: "Microsoft 365 vs. Office 365: What’s the difference?":
- Carlos Castaneda - Author (1925 - 1998)
"Out of 6 billion humans, the troublemakers are just a handful."
- Dalai Lama (born 1935)
Thanks for reading CyberheistNews
A mere blip on the ransomware radar a quarter ago, the massive onslaught of attacks using Hive Ransomware demonstrates how dangerous the “as-a-Service” model really is.
If you looked at the industry data a quarter ago, Hive ransomware only represented 2.5% of all attacks. But this up-and-coming new ransomware variant is a blueprint of just how easy it can be for affiliates to set up shop, download the ransomware, and collect on their bounty.
According to a recent look into the Hive by security researchers at Group-IB, the Hive is making ransomware easy. Affiliates can generate a unique version of the ransomware in less than 15 minutes, and victim companies can be registered in the Hive’s backend (much like a software partner registering a customer in a partner portal to ensure the deal is attributed to the partner). Transparency is key, too: the Hive makes sure all communications with victims are also visible to affiliates.
This is a well-oiled machine. And that’s scary.
Hive is responsible for the single largest ransom demand to date - $240 million – made in November of last year to electronics retail giant MediaMarkt. This should tell you that the Hive is only going to grow its operations and be a formidable tool in the belt of affiliate cybercriminals.
The good news is Hive attacks traditionally use spear-phishing attacks as their initial attack vector. This means that effective security awareness training can do a lot to thwart phishing attacks that use social engineering tactics to trick victims into engaging with malicious loaders that will inevitably release the Hive. Be on the watch for this one; it’s going to sting.
Blog post with links:
ESET’s Phil Muncaster offers a useful summary of the most popular ways hackers can steal your passwords. These techniques often involve some form of social engineering, such as tricking users into entering their passwords on a phishing site or duping them into installing malware.
“Human beings are fallible and suggestible creatures,” Muncaster writes. “We’re also prone to make the wrong decisions when rushed. Cyber-criminals exploit these weaknesses through social engineering, a psychological con trick designed to make us do something we shouldn’t.
Phishing is perhaps the most famous example. Here, hackers masquerade as legitimate entities: like friends, family, and companies you’ve done business with etc. The email or text you get will look authentic, but includes a malicious link or attachment which, if clicked on, will download malware or take you to a page to fill in your personal details.”
Attackers can also use brute-forcing attacks, in which they use automated tools to simply guess your password. An extremely effective form of this attack is credential stuffing, which tests millions of leaked credentials against login pages.
Muncaster adds that hackers often don’t need to put much effort into these attacks, since many people still use very simple and obvious passwords. “Although hackers have automated tooling at their disposal for brute-forcing your password, sometimes these are not even needed: even simple guesswork – as opposed to the more systematic approach used in brute-force attacks – can do the job,” Muncaster says.
“The most common password of 2020 was ‘123456’, followed by ‘123456789’. Coming in at number four was the one and only ‘password’. And if you’re like most people and recycle the same password, or use a close derivative of it, across multiple accounts, then you’re making things even easier for attackers and put yourself at additional risk of identity theft and fraud.”
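The two automated attacks described above leave different fingerprints in authentication logs: brute-forcing hammers one account from one source, while credential stuffing tries many different accounts, usually once each, from the same source. The following detector is an added example for defenders, not code from ESET or the article; it runs over a few constructed log lines in an assumed format (timestamp, source IP, username, outcome) and reports which pattern each noisy source matches and whether any login from that source then succeeded. The thresholds and the log format are assumptions to be tuned for a real environment.

```python
"""Flag brute-force and credential-stuffing patterns in authentication logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not taken from any real system.
# Assumed format: ISO timestamp, source IP, username, outcome (FAIL or OK).
SAMPLE_LOG = """\
2022-01-11T09:00:01Z 203.0.113.10 alice FAIL
2022-01-11T09:00:02Z 203.0.113.10 bob FAIL
2022-01-11T09:00:03Z 203.0.113.10 carol FAIL
2022-01-11T09:00:04Z 203.0.113.10 dave FAIL
2022-01-11T09:00:05Z 203.0.113.10 erin FAIL
2022-01-11T09:00:06Z 203.0.113.10 frank OK
2022-01-11T09:10:00Z 198.51.100.7 admin FAIL
2022-01-11T09:10:10Z 198.51.100.7 admin FAIL
2022-01-11T09:10:20Z 198.51.100.7 admin FAIL
2022-01-11T09:10:30Z 198.51.100.7 admin FAIL
2022-01-11T09:10:40Z 198.51.100.7 admin FAIL
2022-01-11T09:10:50Z 198.51.100.7 admin FAIL
2022-01-11T09:11:00Z 198.51.100.7 admin FAIL
2022-01-11T09:11:10Z 198.51.100.7 admin FAIL
2022-01-11T09:11:20Z 198.51.100.7 admin OK
2022-01-11T09:20:00Z 192.0.2.25 alice FAIL
2022-01-11T09:20:30Z 192.0.2.25 alice OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def analyze(log_text, window=timedelta(minutes=5), min_users=5, min_fails=8):
    """Return a list of findings, one per suspicious source IP, sorted by IP.

    credential_stuffing: at least `min_users` distinct accounts failed from one
    source inside any `window` (many accounts, few tries each).
    brute_force: one account failed at least `min_fails` times from one source
    inside any `window` (one account, many tries).
    A single typo (one failure, then success) from a source is not flagged.
    """
    events = defaultdict(list)  # source IP -> [(timestamp, user, outcome)]
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, outcome = parse_line(line)
            events[ip].append((ts, user, outcome))

    findings = []
    for ip in sorted(events):
        evs = sorted(events[ip])
        fails = [(ts, user) for ts, user, outcome in evs if outcome == "FAIL"]
        successes = sorted({user for _, user, outcome in evs if outcome == "OK"})
        if not fails:
            continue

        # Sliding window over the failures: track the peak number of distinct
        # accounts and the peak failures against any single account.
        peak_users = peak_single = 0
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = Counter(user for _, user in fails[start:end + 1])
            peak_users = max(peak_users, len(counts))
            peak_single = max(peak_single, max(counts.values()))

        if peak_users >= min_users:
            kind = "credential_stuffing"
        elif peak_single >= min_fails:
            kind = "brute_force"
        else:
            continue

        # Any successful login from a flagged source deserves an immediate look:
        # it is the account most likely taken over by that campaign.
        findings.append({
            "ip": ip,
            "kind": kind,
            "distinct_users": peak_users,
            "max_fails_one_user": peak_single,
            "successes": successes,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run as-is, the script flags 198.51.100.7 as brute force against `admin` (with a later successful login from that source) and 203.0.113.10 as credential stuffing across five accounts with a success for `frank`; the single typo-then-success from 192.0.2.25 is left alone. The successes list is the actionable part: those are the accounts to force a password reset on and to check for 2FA, which is exactly why the advice above pairs unique passwords with 2FA.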
Muncaster offers the following advice to help safeguard your passwords:
- “Use only strong and unique passwords or passphrases on all your online accounts, especially your banking, email and social media accounts
- “Avoid reusing your login credentials across multiple accounts and making other common password mistakes
- “Switch on two-factor authentication (2FA) on all your accounts
- “Use a password manager, which will store strong, unique passwords for every site and account, making log-ins simple and secure
- “Change your password immediately if a provider tells you your data may have been breached
- “Only use HTTPS sites for logging in
- “Don’t click on links or open attachments in unsolicited emails
- “Only download apps from official app stores
- “Invest in security software from a reputable provider for all your devices
- “Ensure all operating systems and applications are on the latest version
- “Beware shoulder surfers in public spaces
- “Never log-on to an account if you’re on public Wi-Fi; if you do have to use such a network, use a VPN”
ESET has the story:
"I wanted to let you know how much I appreciate the work that AlyaH puts into our account. She has been accommodating when I’m running late but she also has put her personal touch and knowledge to educating our users. Really, she is a great asset for your team, and I am so happy that she is our rep. Here is to a great 2022."
- T.J. Information Technology Administrator
"Hello Stu, I am really happy with your service. At first I was concerned users would not take training seriously but we found it so simple to use my users dove right in. I appreciate the variety of content you offer and the "we're in this together" perspective presented.
I genuinely care about educating our users and they have found that these very same cyber security issues affect their personal email and accounts as well which helps to draw them in. Our first phishing campaign resulted in a 34.8% failure rate which dropped drastically after our first training campaign. KnowBe4 is bringing focus to cyber security awareness in our practice.
I would also like to mention that I greatly appreciate my customer success manager TimC. I would not have been successful deploying this to my users without his patience and guidance."
- R.J., Information Technology Director
- Cyber Command Task Force Conducted Its First Offensive Operation As The Secretary Of Defense Watched:
- Norton 360 and AVAST AV Now Come With a Cryptominer that seems hard to turn off. WHAT?:
- FTC warns companies to secure consumer data from Log4J attacks:
- Senators Ask DHS, DOT About Transportation Infrastructure Cybersecurity:
- North Korean Hackers Start New Year with Attacks on Russian Foreign Ministry:
- US arrests suspect who stole unpublished books in phishing attacks:
- A month in the life of a U.K. social engineer – part one:
- Google Voice Authentication Scam Leaves Victims on the Hook:
- Quantum Computing Is for Tomorrow, But Quantum-Related Risk Is Here Today:
- Hackers use video player to steal credit cards from over 100 sites:
- Your virtual Vaca to Alaska. The Last Frontier in 8K Ultra HD!:
- Second Virtual 7-min "Motocross Vaca" to DUBAI. The end is worth it. WHOA!:
- Bretford Combination Lock — An Excellent Fishing Sinker:
- Best Of The Week People Are Awesome:
- The Wildest POV Videos From 2021:
- Watch "Baby Steps" for behavior change: BJ Fogg on YouTube:
- 50 Gen Z Slang Words You Need to Know to Keep From Becoming 'Cheugy':
- This guy is awesome. Epic pool trickshots break Guinness World Records:
- GoPro Awards: Frozen Lake Freedive. Channel your inner penguin:
- Flying closer to the great pyramids of Giza than any wingsuit pilot before is a whole new way to look at history:
- Mercedes EQXX concept EV can go 620 miles on a charge @ CES 2022:
- A Fascinating Animated Size Comparison of the World's Most Famous Statues:
- For Da Kids #1 - Wild Dolphin Loves Playing Tag With His Favorite Dog:
- For Da Kids #2 - Loyal Rottweiler Copies Everything Her Baby Sister Does:
- For Da Kids #3 - Horse Runs To Greet Her Favorite Dog Every Morning:
- For Da Kids #4 - 175 Pound Tortoise Is The King Of His Household | The Dodo:
- For Da Kids #5 - Russian Fisherman Posts Terrifying Creatures Of The Deep Sea (90 New Pics):