CyberheistNews Vol 5 #17 Apr 28, 2015 FUN CARTOON: The 5 Generations Of Security Awareness Training
FUN CARTOON: The 5 Generations Of Security Awareness Training

For a change, let's have some fun for a moment. InfoSec is gloomy enough, as you will see if you keep on reading. So first the fun part: we have created a cartoon that shows the 5 generations of security awareness training. Use it to make the point that creating a Human Firewall is the thing to do these days, and please share this link with your friends. Thanks! It's at our blog:
https://blog.knowbe4.com/the-5-security-awareness-training-generations-cartoon

How Criminals Exploit Gaps In Your Security Awareness Training

I was at RSA in San Francisco last week. Great show, with ~30,000 attendees and packed exhibit halls at the Moscone Center. We invited KnowBe4 customers who were attending RSA for a dinner with Kevin Mitnick. We did an "Ask Me Anything" session, which everyone thought was very cool.

Kevin's got tons of highly entertaining stories. Everyone walked out with a personalized signed copy of his bestseller Ghost In The Wires, and we decided to do the same thing at BlackHat this year.

There is a TON of news that was released at RSA 2015 this year. For instance, Steve Ragan at CSO came out with a slide show showing that the more common phishing techniques were less effective last year, so criminals changed their game in order to adapt.

Why do people click?

"The phishing campaigns in 2014 were so successful because criminals didn't use tactics that end-users were trained to spot. Previously, the focus was on social media invites and other unsolicited messages. But when that changed, users couldn't keep up.

"When attackers changed their strategy to targeting corporate users with attachments in high-volume campaigns, while piggybacking on legitimate messages, such as email newsletters and opt-in marketing emails, end-users were faced with a large number of malicious emails that they could not recognize as a threat," the report says.

"For example, there was a high volume of Microsoft Outlook Web Access (OWA) credential phish, as it is very easy to spoof these pages, and they produce high-value results."

Using data gathered from their own customers, Proofpoint, a Security-as-a-Service provider in Sunnyvale, California, says that while old-school awareness training is working, criminals are still able to obtain a high degree of success in their phishing campaigns.

The company published their findings in a report released on Wednesday during the RSA Conference in San Francisco. The Proofpoint study concluded: "The central lesson of 2014 for CISOs is that while user education may have an impact, attackers can always adapt and adjust their techniques more rapidly than end-users can be educated."

That is why you need new-school Kevin Mitnick Security Awareness Training, which combines interactive web-based training with frequent simulated phishing attacks. These are adaptable and allow you to send campaigns that inoculate end-users against active criminal campaigns happening in real time. For instance, we already have an Outlook Web Access template in our extensive library at System Templates -> Phishing For Sensitive Information. Here is the article at CSO:
https://www.csoonline.com/article/2910940/social-engineering/rsa-conference-2015-criminals-targeting-gaps-in-user-awareness-training.html?

Ransomware Mafia Now Uses Bitcoin As Obfuscation Layer

Bitcoin is a very speculative currency, still relatively easy to manipulate compared to the major currencies, and subject to massive increases and drops in value. Currently the falling BTC value forces the ransomware mafia to immediately convert their ill-gotten Bitcoins to hard currency.

"I've seen this discussion in underground forums among Russian criminals," Etay Maor, senior fraud prevention strategist at IBM Security, told The Register during RSA in San Francisco.

"They use Bitcoin for the money laundering part and take payment with it, but they'll move it out almost immediately. Most of them won’t keep Bitcoins – they don't like the valuations Bitcoin has – so they just use it as a layer of obfuscation, and move it to a different form of money."

Maor said the malware operators are adept at laundering their ransoms into other online currencies, or at farming the job out to money mules who launder the funds through their own accounts in exchange for a commission. He stated that botnet owners are also getting in on the scam by offering to install ransomware on thousands of machines, netting a tidy cut.

What To Do About It

  • The rule "Patch Early, Patch Often" still applies, but these days it is better to "Patch Now": patch all workstations for both OS fixes and the popular third-party apps that are part of the standard image you roll out to end-users. A product like Secunia can scan for all unpatched third-party apps.
  • Make sure your Backup/Restore procedures are in place. Regularly TEST, TEST, TEST to verify your restore function actually works. The latter is often overlooked.
  • End users need to be stepped through effective security awareness training so that they are on their toes with security top of mind when they go through their email or browse the web.


NEW: This Week's Five Most Popular HackBusters Posts

What are IT security people talking about? Here are this week's five most popular HackBusters posts:


  1. Man guns down Dell box after getting fed up with Blue Screen of Death:
    https://www.hackbusters.com/news/stories/310749-man-guns-down-computer-after-getting-fed-up-with-blue-screen-of-death
  2. Google To Speed Up The Internet With Its New QUIC Protocol:
    https://www.hackbusters.com/news/stories/307681-google-to-speed-up-the-internet-with-its-new-quic-protocol
  3. Earn up to $15,000 for Hacking Microsoft Spartan Browser:
    https://www.hackbusters.com/news/stories/311046-earn-up-to-15-000-for-hacking-microsoft-spartan-browser
  4. iOS 8 Vulnerability Lets Hackers Crash Any iPhone and iPad Within Wi-Fi Range:
    https://www.hackbusters.com/news/stories/310224-ios-8-vulnerability-lets-hackers-crash-any-iphone-and-ipad-within-wi-fi-range
  5. You Have to Hack This Massively Multiplayer Game to Beat It:
    https://www.hackbusters.com/news/stories/310038-you-have-to-hack-this-massively-multiplayer-game-to-beat-it



Warm Regards,
Stu Sjouwerman
Email me: feedback@knowbe4.com



Quotes Of The Week


"There are no constraints on the human mind, no walls around the human spirit, no barriers to our progress except those we ourselves erect." - Ronald Reagan

"A happy arrangement: Many people prefer cats to other people, and many cats prefer people to other cats."  - Mason Cooley

Security News


New KnowBe4 Training Module: Basics of Credit Card Security

You asked for it, and we created it for you. As the title implies, this course covers the basics of credit card security and will help you prevent data breaches.

It is meant for all employees in any organization who handle credit cards in any form, whether they take orders on the phone, swipe cards on terminals, or use devices connected to smart phones. It teaches employees to handle credit card information securely in any situation.

The course covers the different types of cards, the specific data elements hackers are after, and how malware like keyloggers, password crackers, and spyware can endanger credit card information.

Employees are taught the rules for paper copies of credit card data and things to remember during data entry, including things NOT to do, like sending credit card information through email, text and more. A quiz ends this 20-minute course.

Add this essential training to your existing modules! Call your Rep or Reseller for a quote, or fill out this web form to get a quote:
https://info.knowbe4.com/kmsat_get_a_quote_now

Somber Message at RSA

Pacific Crest Securities had former cyber czar Richard Clarke as a guest speaker at their RSA event. NetworkWorld's Jon Oltsik was there and roughly jotted down what Clarke observed, a somber message indeed:

"A lot of us have been to this show for at least 10 years. Now if you had asked anyone in this room ten years ago to predict the state of the cybersecurity industry in 2015, I don't believe that anyone would have dreamed that the industry would be as big as it is today. So we've all had a good ride and made a little bit of money along the way.

"But here's the problem: If you asked a second question 10 years ago about the state of cybersecurity ten years hence, few if any of us would have guessed that the cybersecurity risks to our nation, our critical infrastructure, and our sensitive data would be worse today than they were 10 years ago.

"So while we enjoy our dinner tonight, it's important to remember that we remain way behind, so we as a group of cybersecurity leaders must stay focused and committed to the task at hand."

Richard Clarke's brief toast at the Pacific Crest Securities dinner may have been the most poignant words spoken at RSA.

Hackers Got Into Sony With Apple ID Spearphishing Attack

Hackers gained access to Sony's network last year after a series of spear phishing emails targeted at system engineers, network admins and others, who were asked to verify their Apple IDs. Stuart McClure, founder and CEO of Cylance and formerly the CTO of McAfee, revealed this last week in an interview.

"It was clear to us that this was the likely scenario, there were multiple attempts at spear phishing from the Oct. 3 to Nov. 3 timeline that were getting incredibly more sophisticated as they went on."

Those emails, which appeared to be from Apple but were not, demanded that recipients verify their Apple ID credentials because of purported unauthorized activity. If the included link was clicked, the victim ended up at a site that hosted an official-looking request for account verification.

The hackers may have used the harvested Apple ID credentials to guess the internal passwords used by employees -- working on the assumption that password reuse is commonplace. "A number of these users whose credentials had been captured and then hard-coded into the malware were folks who had significant access to the network," McClure contended. Story at CIO:
https://www.cio.com/article/2913955/security0/sony-hackers-targeted-employees-with-fake-apple-id-emails.html

Hot Security Products At RSA 2015

Tim Greene at Network World did the best job rounding up the hottest security products that were released at RSA. It's a slide show you can quickly step through here:
https://www.networkworld.com/article/2912422/security0/hot-security-products-at-rsa-2015.html? 

Oh, and while you are at it, step through this one too: "Check out RSA minus the booth babes". Find a famous hacker... LOL!
https://www.networkworld.com/article/2913840/security0/check-out-rsa-minus-the-booth-babes.html

New ISACA Survey at RSA: Phishing Most Popular Attack Vector

New ISACA Survey respondents identified phishing and malware as the most popular initial means of attack on organizations, an indication that the industry still needs to work on some of the fundamentals of security.

The main motivation for attacks was financial gain. Out of 741 people who answered this question, 33 percent said financial gain was the motivation for attacks, followed by disruption of service (24 percent) and intellectual property theft (19 percent). More than 90 percent of respondents said that their organization had experienced the loss of one or more mobile devices in 2014. Read the full article here:
https://www.scmagazine.com/cyber-security-professionals-identify-cyber-criminals-as-biggest-threat/article/410680/

"How it's Made" - Dream Cars Tesla Model S. Especially interesting is how they put the electric drive train together:
https://www.youtube.com/watch?v=cHRMDYXBJdc

From the weird Japanese Robots Department. These things are getting scary. LOL:
https://www.youtube.com/watch?v=T3fWhG-TM7A&sns=em
