CyberheistNews Vol 12 #14 | Apr. 5th, 2022
A new report suggests that everything from endpoints and passwords to training, security policies, and a lack of awareness is contributing to a much higher risk of cyberattack.
Employee cyber risk is a multifaceted issue that revolves a lot around cyber hygiene, according to new data in Mobile Mentor’s inaugural Endpoint Ecosystem Report. It involves a number of issues that organizations are going to need to address effectively and quickly.
A few issues I really want to highlight here include passwords, device use, and a lack of proper training. Despite most phishing attacks focusing on credentials, employees still have terrible password hygiene:
- Gen-Z employees have more than 20 work passwords and type more than 16 passwords daily
- 69% of employees admit to choosing passwords that are easy to remember
- 29% of employees write their passwords down in a journal
- 24% store passwords in a Notes app on their phone
But the device is secure, right? Wrong.
Only 43% of organizations have BYOD securely enabled, with just one-third of employees able to securely access corporate systems, data, and apps from personal devices. With 64% of employees using a personal device for work, this is a massive risk.
So, these companies are making up for it by properly training their employees about cyberattacks, vigilance, good hygiene, etc., right? Again, wrong.
According to the report, only 25% of in-office workers receive security training monthly. Remote employees have it a bit better (43% receive training), but the poor password hygiene alone makes it evident that organizational leadership isn't taking this seriously and isn't looking to elevate the individual employee's mindset around the need to be secure while working – and the employee's role in helping to maintain that state of security.
Organizations focused on continual Security Awareness Training, including monthly simulated phishing tests, demonstrate a commitment to making every aspect of the employee's interaction with corporate resources, applications, and data on the one hand (and with email and the web on the other) as secure as possible. That starts with elevating the employee's own awareness to a state of vigilance, which leads to better cyber hygiene and a more secure organization.
Blog post with links:
https://blog.knowbe4.com/lack-of-employee-cyber-hygiene-next-big-threat
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, April 6 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at TWO NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
- NEW! AI-Driven training recommendations for your end-users
- Brandable Content feature gives you the option to add branded custom content to select training modules
- Did You Know? You can upload your own SCORM training modules into your account for homeworkers
- Active Directory Integration to easily upload user data, eliminating the need to manage user changes manually
Find out how 40,000+ organizations have mobilized their end-users as their human firewall.
Date/Time: TOMORROW, Wednesday, April 6 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/3713692/A0F62AB082A6F2814D84F39AD155AB32?partnerref=CHN
To start off, we do not use Okta in any of our products.
During the time period indicated in the Okta incident blog post, KnowBe4 was in the process of switching from a different SSO/IdP to Okta and was not using Okta for employee authentication or user management.
The Okta account configuration setting for allowing Okta support access to our account was disabled at the time and still remains disabled. KnowBe4's Infosec team has performed a complete review of all Okta log activity from the time period given by Okta until now. No suspicious or anomalous activity has been detected.
KnowBe4's Infosec team has verified that all security alerts based on Okta event logs are functioning properly. No third-party service providers have access to KnowBe4 products or KnowBe4 customer data. At this time, there is no indication that the Okta incident has affected KnowBe4 or KnowBe4 customer data.
Blog post with links:
https://blog.knowbe4.com/knowbe4-and-okta-update
You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.
KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.
Join us TOMORROW, Wednesday, April 6 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
- NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
- Vet, manage and monitor your third-party vendors' security risk requirements
- Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
- Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
- Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due
Date/Time: TOMORROW, Wednesday, April 6 @ 1:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/3713873/AB7A284602361ED47712A0975D85D2AC?partnerref=CHN2
Making Better Push-Based MFA
By Roger Grimes
I used to be a huge fan of Push-Based Multifactor Authentication (MFA), but real-world use has shown that most of today's most popular implementations are not sufficiently protective against real attacks.
In short, using social engineering, hackers have been able to bypass most Push-Based MFA like it was not even there.
It does not have to be that way. Push-Based MFA solutions can be improved to make them a lot harder for hackers to defeat, and some vendors are already offering more advanced forms that are more resistant to hacking. You should be using phishing-resistant MFA when you can, rather than more easily phishable forms. What features make Push-Based MFA more resistant to hacking? Read on.
What Is Push-Based MFA?
Push-Based MFA is MFA that proactively sends an "out-of-band" approval message to the user to review when someone is trying to authenticate to a push-based MFA login portal/service. The message will indicate that the user's related identity account is attempting to log in and asks for the user to approve or deny the request. Here is a very common example from me logging on using Microsoft Authenticator:
CONTINUED at the KnowBe4 blog:
https://blog.knowbe4.com/making-better-push-based-mfa
Skyrocketing attack rates, double and triple extortion, increasing ransom demands... cybercriminals are inflicting pain in every way imaginable when it comes to today's ransomware attacks. And you need to be prepared to protect your network, NOW.
Find out the steps you need to take to minimize damage to your network and your organization when a ransomware attack strikes.
In this webinar, Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and security expert with over 30 years of experience, will take you step-by-step through best practices for preventing ransomware attacks and a post-attack response plan.
You'll learn:
- Critical first steps to take when you think you’ve been hit with ransomware
- Tips for protecting your data and your network from further infiltration
- How to determine whether network credentials or data have been compromised
- Step-by-step actions to guide your response, recovery and mitigation
Don't let cybercriminals run rampant within your network. Find out how to protect yourself before it’s too late and earn CPE credit for attending!
Date/Time: Wednesday, April 13 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/3734584/36B35925792B6BD0093449CDA5716910?partnerref=CHN
- Check out the 74 new pieces of training content added in March, alongside the always fresh content update highlights and new features.
- We're thrilled to announce the long-awaited fourth season of the award-winning KnowBe4 Original Series - 'The Inside Man' is now available in the KnowBe4 ModStore!
- KnowBe4 now supports System for Cross-domain Identity Management (SCIM) integration services. We have added SCIM support for Azure Active Directory and Okta.
- In the month of March, 456 new translations were added.
- To see the full list of new content added this month and get an inside look into the KnowBe4 platform, sign up for the ModStore Training Preview today:
https://blog.knowbe4.com/fresh-content-updates-march-2022
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: [THE PLOT THICKENS] Wiper Malware Deployed In Mysterious Ukraine Satellite Hack With Victims Far Beyond Ukraine:
https://blog.knowbe4.com/wired-a-mysterious-satellite-hack-has-victims-far-beyond-ukraine
PPS: Russia threatens 'grave consequences' over cyberattacks, blames U.S.:
https://venturebeat.com/2022/03/29/russia-threatens-grave-consequences-over-cyberattacks-blames-u-s/
- Walt Disney - Animator (1901 - 1966)
"I like to listen. I have learned a great deal from listening carefully. Most people never listen."
- Ernest Hemingway - Novelist (1899 - 1961)
Thanks for reading CyberheistNews
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-14-eye-opener-lack-of-employee-cyber-hygience-is-the-next-big-threat
Rather than take the usual path of sending an email and linking to a spoofed logon page, this attack takes a different set of actions that at first make no sense but may actually be brilliant.
So, you get an email that seemingly looks like every phishing email you've received – pretty bland and simple, but with a message that those not in IT could fall for, stating someone tried to log into your account.
Now, you're probably thinking that there's a link to a look-alike Facebook page so threat actors can steal your credentials, right?
In this case you're wrong. Security researchers at Malwarebytes have uncovered a multi-stage scam that starts with an email like the one above, but the link provided opens a new pre-filled email using a mailto: link to begin a dialog with a "customer support" person of some type.
At first glance, this seems like a really dumb step. But when you consider how overdone the "email-to-logon page" method has become, this unexpected twist may actually increase credibility. The emails pass the usual "good enough for a cursory glance" test, and the assumption is that the "customer service" person will eventually ask for the victim's credentials, or perhaps credit card details, etc.
So, is this dumb or brilliant? Time will tell.
Blog post with screenshot and links:
https://blog.knowbe4.com/facebook-phishing-scam-takes-unexpected-turn
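As an added defender-side example (not code from the original post or from Malwarebytes), the check below pulls every mailto: link out of an email body and reports which ones arrive with the subject or body already composed, the tell of the lure described above. The sample HTML, the address and the domain in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample: an "unusual login" lure whose only call to action is a
# pre-filled mailto: link. Address and domain are placeholders, not real indicators.
SAMPLE_HTML = """
<p>Someone tried to log into your account from a new device.</p>
<p>If this wasn't you, <a href="mailto:support@example-lookalike.test?subject=Unauthorized%20login%20report&amp;body=Account%20email%3A%20%0AFull%20name%3A%20">contact support</a>.</p>
<p><a href="https://www.example.test/help">Help Center</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in the message body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def parse_mailto(href):
    """Split a mailto: URL into its recipients and pre-filled header fields.

    Returns None for any other scheme, so callers can feed it every link they find."""
    parts = urlsplit(href)
    if parts.scheme.lower() != "mailto":
        return None
    recipients = [unquote(r) for r in parts.path.split(",") if r]
    # keep_blank_values so an empty "body=" still counts as a pre-filled field
    fields = {k.lower(): v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"recipients": recipients, "fields": fields}


def find_prefilled_mailto(html):
    """Return the mailto: links in html that pre-fill the subject or body.

    A plain mailto: link is normal; one that hands the victim a ready-made opener to
    a 'support' address is the dialog-starter the scam relies on."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        parsed = parse_mailto(href)
        if parsed and any(f in parsed["fields"] for f in ("subject", "body")):
            findings.append({
                "to": parsed["recipients"],
                "subject": parsed["fields"].get("subject", ""),
                "body": parsed["fields"].get("body", ""),
            })
    return findings
```

Run over a decoded HTML part from your mail gateway or a user-reported message; a hit on a message that also claims to be a security alert is worth routing to the abuse mailbox.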
People in the US lost more than $6.9 billion to internet crimes last year, according to a new report from the FBI’s Internet Crime Complaint Center (IC3). Business email compromise (BEC) scams accounted for nearly $2.4 billion of the losses.
"As fraudsters have become more sophisticated and preventative measures have been put in place, the BEC/EAC scheme has continually evolved in kind,” the FBI says. "The scheme has evolved from simple hacking or spoofing of business and personal email accounts and a request to send wire payments to fraudulent bank accounts.
These schemes historically involved compromised vendor emails, requests for W-2 information, targeting of the real estate sector, and fraudulent requests for large amounts of gift cards. Now, fraudsters are using virtual meeting platforms to hack emails and spoof business leaders' credentials to initiate the fraudulent wire transfers. These fraudulent wire transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult."
Meanwhile, romance scams led to nearly a billion dollars in losses last year.
"Confidence Fraud/Romance scams encompass those designed to pull on a victim's 'heartstrings,'" the FBI says. "In 2021, the IC3 received reports from 24,299 victims who experienced more than $956 million in losses to Confidence Fraud / Romance scams. This type of fraud accounts for the third highest losses reported by victims."
Additionally, phishing remained one of the top three ways that ransomware actors gained access to organizations' networks.
"Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors' growing technological sophistication and an increased ransomware threat to organizations globally," the Bureau says.
"Although cyber criminals use a variety of techniques to infect victims with ransomware, phishing emails, Remote Desktop Protocol (RDP) exploitation, and exploitation of software vulnerabilities remained the top three initial infection vectors for ransomware incidents reported to the IC3.
Once a ransomware threat actor has gained code execution on a device or network access, they can deploy ransomware. Note: these infection vectors likely remain popular because of the increased use of remote work and schooling starting in 2020 and continuing through 2021.
This increase expanded the remote attack surface and left network defenders struggling to keep pace with routine software patching."
New-school security awareness training can give your organization an essential layer of defense by teaching your employees to follow security best practices.
The FBI has the story:
https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2021-internet-crime-report
"Stu, absolutely outstanding product. Above and beyond and I don’t say that lightly."
- L.D., Partner & Managing Director
"Hi Stu, I wanted to report that we are very pleased with the training and phishing service from KnowBe4. KellyL has been a great resource to help our company become more secure and aware of threats that can put our company at risk for cyberattacks.
I am pleased with how Kelly makes herself available at any time to discuss rising concerns. Thank you for reaching out. This security education program is one of the best things that we have decided to do as a not-for-profit agency. Thank you."
- D.S., IT Coordinator
- Kaspersky Named First Russian InfoSec Company on US Security Risk List:
https://www.bloomberg.com/news/articles/2022-03-25/fcc-calls-kaspersky-china-telecom-china-mobile-security-risks
- Secret World of Pro-Russia Hacking Group Exposed in Leak:
https://www.wsj.com/articles/trickbot-pro-russia-hacking-gang-documents-ukrainian-leaker-conti-11648480564
- North Korean hackers target employees of news outlets, software vendors and more through Chrome vulnerability:
https://therecord.media/north-korean-hackers-target-employees-of-news-outlets-software-vendors-and-more-through-chrome-vulnerability/
- NOTABLE: White House Kleptocracy Asset Recovery Rewards Program:
https://home.treasury.gov/about/offices/terrorism-and-financial-intelligence/terrorist-financing-and-financial-crimes/kleptocracy-asset-recovery-rewards-program
- Your UK co-workers have probably been involved in a data breach:
https://www.techradar.com/news/your-co-workers-have-probably-been-involved-in-a-data-breach
- Germany warns of nation-state cyber espionage threat:
https://www.csoonline.com/article/3211405/germany-warns-of-nation-state-cyber-espionage-threat.html
- Hackers Gaining Power of Subpoena Via Fake "Emergency Data Requests":
https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/
- Australian Budget 2022 delivers AU$9.9 billion for spicy cyber:
https://www.zdnet.com/article/australian-budget-2022-delivers-au9-9-billion-for-spicy-cyber/
- FBI warns election officials of credential phishing attacks:
https://www.bleepingcomputer.com/news/security/fbi-warns-election-officials-of-credential-phishing-attacks/
- Google: Russian phishing attacks target NATO, European military:
https://www.bleepingcomputer.com/news/security/google-russian-phishing-attacks-target-nato-european-military/
- This week's Virtual Vacay in Alaska in 8K 60p HDR... Fantastic:
https://www.youtube.com/watch?v=CHSnz0bCaUk
- Super Fave: New Top Gun 2 Maverick Final Extended Trailer:
https://www.youtube.com/watch?v=b1KJNW-iYlE
- Return to Space | Official Netflix Trailer Coming April 8th:
https://www.youtube.com/watch?v=sIME4sLR4-8
- POV | Amaury Pierron's Insane WINNING Run in Lourdes:
https://www.youtube.com/watch?v=PCvrdZOk_kk
- Building The World's Most Impressive Skybridge:
https://www.youtube.com/watch?v=tBgn2jxhYQ4
- How 'Dune' Composer Hans Zimmer Created the Oscar-Winning Score:
https://www.youtube.com/watch?v=93A1ryc-WW0
- Our Great National Parks | Official Netflix Trailer:
https://www.youtube.com/watch?v=KcI_xfryMD0
- Sports car money, Supercar Speed: Chevrolet Corvette, 184mph, 480+bhp | Top Gear:
https://www.youtube.com/watch?v=HMFQ0RvvsxI
- 15-year-old Sarah Ikumu receives the golden buzzer for her impressive performance of 'And I Am Telling You I’m Not Going':
https://www.flixxy.com/sarah-ikumu-golden-buzzer-and-i-am-telling-you.htm?utm_source=4
- The very interesting inside perspective on how “Comb Lock Picking” works:
https://www.youtube.com/watch?v=6DPCE1Ct8U8
- For Da Kids #1 - Wild Owl Rescued From The Grill Of A Car:
https://www.youtube.com/watch?v=23Mwo6Q7Jx0
- For Da Kids #2 - Cat Caught On Hidden Camera Stealing Human Sister's Toys At Night:
https://www.youtube.com/watch?v=waH-jkfH0Ng
- For Da Kids #3 - Tiny, Scared Puppy Falls In Love With A 120-Pound Great Dane:
https://www.youtube.com/watch?v=Zejp2kO4xoM
- For Da Kids #4 - Orangutan Kisses Baby:
https://www.youtube.com/watch?v=8PtPCCGDxxo
- For Da Kids #5 - Mama Wolf Rescues Her Babies One By One From Flooded Den:
https://www.youtube.com/watch?v=QDnTQKayDKc