CyberheistNews Vol 12 #31 [Heads Up] Crafty Microsoft USB Scam Shows the Importance of Security Awareness Training



Cyberheist News

CyberheistNews Vol 12 #31  |   August 2nd, 2022

Stu Sjouwerman SACP

Just when you thought scammers couldn't get more tricky in their attacks, this example will prove you wrong.

One of our KnowBe4 colleagues shared this LinkedIn post on a recent very crafty USB scam:

As you can see, the Microsoft USB looks VERY similar to a USB you would receive from Microsoft in the mail as part of an Office Professional Plus delivery. Unfortunately, the USB was plugged into the victim's computer and ransomware infected the machine.

This should be a valuable lesson for anyone who receives software in the mail: ALWAYS assume that it could be malicious, and always double-check with your organization to ensure that it is safe before plugging it in.

New-school security awareness training helps your users identify common red flags. Here is the short blog post with the alert:
https://blog.knowbe4.com/reported-usb-scam-shows-the-importance-of-security-awareness-training

And here is a new blog post by Roger Grimes that digs deeper into this malicious USB problem:
https://blog.knowbe4.com/beware-of-sophisticated-malicious-usb-keys

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, August 3, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Support for QR-Code Phishing Tests
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! AI-Driven training recommendations for your end users
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, August 3, @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3875311/223E5D3621E2CB4EE72B06F0B7C9FD51?partnerref=CHN2

IBM: Phishing Is the Most Common Way to Gain Access to Victim Networks and the Data Breach Costs Soar to $4.91 Million

These two reports from IBM this week about phishing are great ammo for your budget.

New research from IBM shows four reasons why phishing attacks are still effective and remain the primary attack vector in 41% of cyberattacks. Phishing has been around since the 1990s, and yet it still works today. And despite security solutions blocking most phishing emails, the ones that do get through to the inbox remain an effective tool for threat actors.

According to IBM Security, there are four reasons why phishing continues to prevail today:

  • Remote work heightens email's use as a primary communication medium
  • Cybercriminals are using email in conjunction with voice to increase message believability and scam credibility
  • Cybercrime-as-a-Service is booming, giving even the least experienced cybercriminal professional access, tools and malware to accomplish their attacks
  • Current security training efforts aren't frequent enough and simply aren't getting it done

CONTINUED at the KnowBe4 blog:
https://blog.knowbe4.com/ibm-phishing-is-the-most-common-way-to-gain-access-to-victim-networks

Fresh data on data breach costs from IBM show phishing, business email compromise and stolen credentials take the longest to identify and contain.

There are tangible repercussions of allowing your organization to succumb to a data breach that starts with phishing, social engineering, business email compromise or stolen credentials – according to IBM's just-released 2022 Cost of a Data Breach report.

Phishing and social engineering go hand-in-hand, with business email compromise and stolen credentials being outcomes of attacks, used as launch points for further malicious actions.

According to the IBM report, the average cost of a data breach in 2022 is $4.35 million, with an average of 277 days to identify the breach and contain it. That's actually the good news. Why you ask? Because when you factor in the initial attack vector, it gets worse. According to IBM, the following are the average data breach costs based on the initial attack vector:

  • Phishing - $4.91 million
  • Business Email Compromise - $4.89 million
  • Stolen Credentials - $4.50 million
  • Social Engineering - $4.10 million

This is the second post detailing the cost per data breach:
https://blog.knowbe4.com/phishing-based-data-breaches-take-295-days-to-contain-as-data-breaches-soar-to-4.91-million

See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us TOMORROW, Wednesday, August 3, @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!

  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18 and more
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulation
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met and are past due

Date/Time: TOMORROW, Wednesday, August 3, @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3875307/06081B1B24686723416BD26FE43658AF?partnerref=CHN2

Happy 23rd Annual SysAdmin Day from KnowBe4!

Last Friday was SysAdmin Day. It's been 23 years of celebrating all our fellow System Administrators! Your hard work maintaining your company's day-to-day computer operations definitely deserves kudos.

These last few years have not been easy with a pandemic resulting in a remote workforce. Your role has evolved in such a short amount of time - all with no (or little) complaints.

We've been very busy on the Spiceworks community forum to provide SysAdmins with helpful advice you can use to keep your networks up and running:

  • Javvad highlighted a USB scam that has been circling the Internet
  • Roger posted about long passwords and whether hackers are cracking long 20-character passwords

We also have a video to say thank you from Javvad Malik and Erich Kron and a free ransomware resource kit:
https://blog.knowbe4.com/happy-23rd-annual-sysadmin-day-from-knowbe4

Is Your Organization Ready for a SOC 2 Compliance Audit? Find Out Now!

When it's time to complete a compliance audit, are you thinking, "Ugh, is it that time again?"

And, as more organizations demand proof their data is protected in the cloud, keeping up with risk assessments and audits to prove compliance is a continuous problem.

If you're trying to wrap your head around the Statement on Standards for Attestation Engagements no. 18 Trust Services Criteria (SSAE18) framework to obtain a System and Organization Controls 2 (SOC 2) certification, you likely have a lot of questions. You want answers and need guidance on how to best meet the requirements to get your organization ready for a SOC 2 compliance audit - fast.

KnowBe4's Compliance Audit Readiness Assessment (CARA) is a complimentary web-based tool that helps you take the first step toward assessing your organization's readiness for a compliance audit. Find out your organization's compliance audit readiness now. Get your results in a few minutes.

Here's how CARA works:

  • You will receive a custom link to take your assessment
  • Rate your readiness for each requirement as Met, Partially Met or Not Met
  • Get an instant analysis of potential gaps in your cybersecurity preparedness
  • Use the custom report to help you define controls you need to have in place
  • Results in just a few minutes!

Find out your organization's readiness for a SOC 2 compliance audit now.

Start Your Assessment Here:
https://info.knowbe4.com/soc2-compliance-audit-readiness-assessment-chn


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from July 2022:
https://blog.knowbe4.com/your-knowbe4-fresh-content-updates-from-july-2022/

PPS: [INFOGRAPHIC] KnowBe4 Top-Clicked Phishing Email Subjects for Q2 2022:
https://blog.knowbe4.com/top-clicked-phishing-emails-q2-2022-infographic

NOTE: The Audiobook for the best-selling Security Culture Playbook is now available:
https://www.amazon.com/Security-Culture-Playbook-Executive-Developing/dp/B0B78B1883

Quotes of the Week  
"Excellence is never an accident."
- Aristotle

"If you can't explain it simply, you don't understand it well enough."
- Albert Einstein - Physicist (1879 - 1955)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-31-heads-up-crafty-microsoft-usb-scam-shows-the-importance-of-security-awareness-training

Security News

Cybersecurity for UK Charities Part 3: Shifting Organization Culture and Educating Employees

Javvad Malik, lead security awareness advocate at KnowBe4, explains how to educate employees and change organization culture to prevent cyber attacks and respond to threats.

In a recent Third Sector and NCSC cybersecurity survey, fewer than half of charities said they have a dedicated member of staff responsible for cybersecurity. In addition, 70% said they don't have any plans to deliver cybersecurity training in the next six months.

In this video, the third part of a four-part cybersecurity series produced by Third Sector Insight, in partnership with the NCSC, Javvad addresses:

  • The role of human error in cybersecurity breaches
  • Why many charities need to change their cybersecurity culture
  • Top tips for educating employees about cybersecurity
  • How to make employees part of the process of change
  • How to make your digital infrastructure more user friendly
  • Advice on improving your cybersecurity culture

The NCSC offers a range of cybersecurity advice and guidance for charities including a Board Toolkit section on developing a positive cybersecurity culture and advice on how to support staff during an incident.

Link to site:
https://www.thirdsector.co.uk/cyber-security-charities-part-3-shifting-organisation-culture-educating-employees/article/1794017

Link to Video on YouTube:
https://youtu.be/u15cuwF7Hq8

Nearly Half of Organizations Have Experienced Vishing

Forty-seven percent of organizations have experienced voice phishing (vishing) attacks over the past year, according to researchers at Mutare. Additionally, the researchers found that 9% of all phone calls received by organizations are unwanted, and nearly half of these are malicious.

"45% of all unwanted traffic is tied to nefarious activity, while 55% is tied to nuisance activity. Remarkably, more than one-third of respondents to the Voice Network Threat Survey (38%) said their organizations do not collect any data on the amount of inbound, unwanted and potentially malicious voice traffic hitting their organizations.

"Of those that do collect such data, 23% of respondents estimated that 5% to 10% of inbound calls were unwanted, followed by 15% of respondents who estimated that over 10% of inbound calls were unwanted, and 10% of respondents who estimated that over 20% of calls were unwanted."

Most respondents cited employee errors and email as the greatest risk to their organization, while just ten percent recognized the risk from phone calls.

"The biggest source of security risk stems from employee errors, according to 43% of survey respondents," the researchers write. "That ranking was followed by the risk from email (36%), endpoints (35%), data networks (17%), data storage (12%), and applications/core systems (9%). Only 10% of respondents cited their voice networks and phone systems as the biggest source of security risk in their organizations, reinforcing a widespread lack of awareness about this problem."

Respondents varied in their responses on how best to respond to the threat of phone-based social engineering. "More than one-third (36%) of respondents cited security awareness training as the top solution to protect voice networks from Vishing (voice phishing) and Smishing (SMS phishing) attacks," Mutare says.

"That approach was followed by traffic firewalls (34%), spam blockers (26%), training for vishing attacks (20%), training for social engineering (23%), and threat detection (13%). In addition, more than one-fourth of survey respondents (26%) were unsure about which tools were being used to protect their voice networks, and 9% said their organizations had no solutions in place whatsoever to protect their voice networks."

Note well: nearly half of these unwanted calls aren't just irritating; they're "nefarious," and potentially damaging. New-school security awareness training can give your organization an essential layer of defense by teaching your employees how to thwart social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/nearly-half-of-organizations-have-experienced-vishing

What KnowBe4 Customers Say

"Hi Stu, I've been a KnowBe4 user for several years and it was a natural selection for me at my new employer. The team all did an outstanding job, from sales to implementation. Megan P. has been a top-notch CSM, very knowledgeable, and a pleasure to work with. My end users are actually excited to see the training and are engaged and learning. Thanks for following up, we are very happy campers!"

- H.C., Systems Administration and Security

The 10 Interesting News Items This Week
  1. How Ransomware Has Become a Geopolitical Risk for Governments:
    https://www.infosecurity-magazine.com/blogs/ransomware-geopolitical-risk/

  2. Apple network traffic takes mysterious detour through Russia... BGP hijacking:
    https://www.theregister.com/2022/07/27/apple_networking_traffic_russia_bgp/

  3. Your biggest cyber-crime threat has almost nothing to do with technology:
    https://www.zdnet.com/article/your-biggest-cyber-crime-threat-has-almost-nothing-to-do-with-technology/

  4. Feds Charge Russian Puppetmaster for Secretly Directing U.S. Political Groups:
    https://www.justice.gov/opa/pr/russian-national-charged-conspiring-have-us-citizens-act-illegal-agents-russian-government

  5. Report shows a third of employees don't understand importance of cybersecurity:
    https://www.tessian.com/blog/1-in-3-employees-do-not-understand-the-importance-of-cybersecurity/

  6. U.S. federal court system cyberattack is MUCH worse than previously thought:
    https://www.techradar.com/news/us-federal-courts-hit-by-incredibly-significant-cyberattack

  7. [DARWIN AWARD] Spain arrests suspected hackers who sabotaged radiation alert system:
    https://www.bleepingcomputer.com/news/security/spain-arrests-suspected-hackers-who-sabotaged-radiation-alert-system/

  8. Cyber Insurance Price Hike Hits Local Governments Hard:
    https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2022/07/27/cyber-insurance-price-hike-hits-local-governments-hard

  9. 1,000s of Phishing Attacks Blast Off From InterPlanetary File System:
    https://www.darkreading.com/risk/1000s-phishing-attacks-launch-interplanetary-file-system

  10. Best Phishing Simulators To Prepare Employees And Defend Your Network:
    https://www.forbes.com/advisor/business/best-phishing-simulators/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
