How The NSA Killed Internet Security in 1978 & Scam Of The Week
Need to get ammo for your IT security budget, but the people holding the purse strings lack some understanding? Here is a great little article that gives them 5-minute Cliff Notes on Internet Security in (mostly) understandable terms:
"The Internet grew from the work of many people over several decades. Few predicted how essential it would become to our lives or the ways that it would make us more vulnerable to scam artists, snoops and spies. Here are some of the milestones in the development of our insecure online world."
Scam Of The Week: "Your Data Was Hacked, How To Protect Yourself"
It is all over the news: the OPM database of 4 million Federal employees was hacked and a lot of employee information leaked, probably to the Chinese. This weekend on CNN they said that in the coming few days all Fed employees will receive an email that says something like: "You've been hacked, here's what you need to do to protect yourself."
The press has a tendency to jump to the "who", but it is more interesting to focus on the how and why. The real issue here is how the attackers penetrated the OPM again, just a year after a major data breach. The focus on this recent breach should be why they did not fix an apparently systemic problem, and it is my prediction that they were hacked with a spear-phishing attack carrying zero-day malware as a payload, which could have been prevented with effective security awareness training.
Also in the news this week, it came out that in 2012 the NSA was granted the authority to conduct surveillance on US Internet traffic without a warrant to investigate foreign cyber attacks. The documents indicate that the NSA pursued attackers even if there was no proof that the attacks originated outside the US. So we have the "guvmint" hoovering up massive amounts of data, and not protecting that data very well. Recipe for disaster?
Having said that, many people work (or used to work) for all kinds of government institutions, and will not know if their data was in that database or not. Sometimes they will have family members working for either local, county or state government and will be worried that their data is exposed too. This is a phishing bonanza and I'm willing to bet a hundred bucks that the cyber mafia is already working on campaigns to exploit this fear.
I would email your employees, family and friends something to this effect. Edit if you want:
"It's all over the news, again. A large database with information of Federal employees has been hacked and millions of employee records are now out there. Cyber criminals are going to use this hack to scare you into clicking on phishing emails and infect your computer with malware or manipulate you into giving out personal information.
"If you receive an email that claims your personal information has been hacked, and that you need to click on links or open attachments to find out how to protect yourself, be very careful. Do not click on links, do not open attachments, and if there is a reference to a website with more information, type the web address in your browser, and do not click on any links."
For KnowBe4 customers, inoculate your employees before they get hit, at the house or in the office. Send them this new template from the Current Events campaign: "Federal Database Breach - Action Required"
Top 5 Phishing Templates CTR This Month
Our almost 1,500 enterprise accounts are sending many thousands of simulated phishing attacks to their employees every month. We thought it would be interesting to let you know which ones have the highest Click Through Rates (CTR) for the last 30 days:
Change Of Password Required Immediately - 16.49%
Email Account Updates - 9.92%
Low Balance Alert On Primary Savings - 7.59%
Your Friend Tagged a Photo of You - 7.49%
Join my network on LinkedIn - 7.45%
And the recent Current Events template: "Hey, has your Adult Friend Finder Secret come out?" was clicked on 3.4% of the time. Draw your own conclusions about what that means.
Quotes Of The Week
"Happiness resides not in possessions, and not in gold, happiness dwells in the soul." - Democritus, Philosopher
"To change things, don't try to fight the existing reality. Build a new model that makes the old model obsolete." - Buckminster Fuller
Thanks for reading CyberheistNews!
Security News
Accept Credit Cards? Your Liability Will Shift: Oct. Deadline
Heads-Up! If your organization accepts cards from customers, the liability for card-present fraud shifts to your bottom line this October, not the bank's. This is a very important change that 42% of C-level execs are not aware of, but may cost them dearly.
The EMV (Europay, MasterCard, and Visa) deadline will shift the liability for card-present fraud to merchants which have not updated their systems to accept chip-and-PIN or chip-and-signature cards, whereas until now such costs have fallen upon payment processors or issuing banks. The survey behind that 42% figure, published last week, was commissioned by financial management solutions firm Intuit. More at: http://www.scmagazine.com/a-survey-shows-that-42-percent-small-businesses-werent-clear-on-emv-deadline/article/419074/
Phishers Registered More Malicious Domain Names Than Ever in 2014
In its Global Phishing Survey: Trends and Domain Name Use in 2H2014 report, the APWG found that the number of domain names used for phishing reached a record number. According to the report, there were at least 123,972 unique phishing attacks worldwide during the final half of last year, and those attacks occurred on 95,321 unique domain names. That represents the most the APWG has ever seen during a half-year period.
Make Sure To Check Your Vendors’ Cyber Security Practices
A weak link in many cyber security plans is the outside companies that help you run your business, such as all kinds of Managed Service and Cloud Providers. Your organization wants to focus on delivering great service to your customers, so your vendors’ cyber security practices are often not top of mind.
In many cases, organizations are trusting their vendors to look out for their best interests. That might cause some real problems, and there are some best practices you should read and apply. It's an article over at Reuters slanted towards financial advisers, but these rules really apply to anyone: http://www.reuters.com/article/2015/06/05/us-advisers-cybersecurity-comply-idUSKBN0OL1JS20150605
70% Of Breaches Are Detected By A Third Party
46 percent of organizations that have suffered a data breach took more than four months to detect a problem, and more than three months to mitigate the risk. Worryingly, the survey of 1,000 IT professionals, conducted by OnePoll on behalf of LogRhythm, also revealed that 70 percent of breaches were detected by a third party rather than by the organization itself.
Ross Brewer, vice president and managing director for international markets at LogRhythm said: “While the maturity of an organization's security can vary dependent on budgets and its own risk tolerances, today’s threat landscape is such that if a hacker wants to get in, they will, which means every single organization should seriously consider putting systems in place that will immediately alert them to suspicious activity.”
“What’s more, even the most bare-bones business needs to take greater responsibility for educating employees,” continues Brewer. “As the front line of any business there is the very real danger that, without increased education, an employee could easily and unwittingly leave the door to sensitive information wide open.” Read more about the survey at: http://www.net-security.org/secworld.php?id=18475
Study Shows Kids' Willingness To Meet People They Interact With Online
Danielle Walker at SCMag wrote about an issue that you can do something about.
In the survey, 27 percent of kids aged 8 to 16 said they would meet, or have met, someone in person they first interacted with online. The study, commissioned by Intel Security, surveyed 1,001 young people, aged 8 to 16, and a matching number of parents in the U.S. The online poll was conducted from April 28 to May 12 by MSI International.
While a significant number of kids were OK with meeting individuals from online, the survey revealed that 28 percent of parents were most concerned about their children “unknowingly interacting with predators/pedophiles.” Furthermore, 21 percent of parents feared that their children might interact with any strangers online, an Intel Security release detailing the findings said.
And here is what you can do about it right now. SANS just announced their June issue of OUCH!: "This month, led by Guest Editor Bob Rudis of Verizon DBIR fame, we focus on kids - specifically, educating kids on cyber safety. We feel this is an important message and one we want to share with the world. You are encouraged to share OUCH! newsletters with anyone you want, including family, friends or as part of your security awareness program. All we request is you do not modify or sell the newsletters." Send it out to anyone you know with kids! English Version (PDF): http://www.securingthehuman.org/u/4TS
Cyberheist 'FAVE' LINKS:
This Week's Links We Like. Tips, Hints And Fun Stuff.