CyberheistNews Vol 5 #30 How To Get The OK To Phish Your Own Employees

CyberheistNews Vol 5 #30, July 28, 2015

How To Get The OK To Phish Your Own Employees

IT people responsible for network security talk to us all the time. Almost all of them agree that end-users are their number one headache and that managing that problem continues to be a big challenge. Social engineering is by far the easiest way for hackers to get in, either tailgating through the side door or (spear) phishing employees using email and social media.

Cybercrime has gone pro. The criminals are very well funded, hire the smartest people out of college, have state-of-the-art tech labs with the latest versions of most commercial security software, and they test, test, test until their attacks get through. Phishing attacks last less than 6 hours, making it hard for security software to catch up, if it ever does.

So, it seems smart to protect against a threat like that with end-user education, driven by some "social pen-testing". The IT teams that get the approval from management to do this get great results. Apart from budget issues, sometimes there is resistance at the C-level to sending phishing tests to all employees, often driven by other departments like Legal or HR who claim "we should not trick our employees". IT in those situations runs into political headwinds that scuttle the phishing project.

However, today you have to consider a new approach to securing your IT assets. Security awareness training has moved from the lunch room to the board room. You simply can’t afford to passively wait for attacks. Instead, you should take a lean-forward approach that proactively keeps you from being the "low-hanging fruit".

Here is some ammo to get that approval and, more importantly, air cover from the top of your organization.

    1. First of all, let's confront that "tricking employees" issue. If we don't do it, the bad guys will. Let's head them off at the pass. We do not want to wind up like Sony, Target, JP Morgan or Home Depot, to name just a few, and see our organization on the front page with a highly damaging data breach, a fired CEO and massive legal costs (more about that below).

    2. The next hurdle is this: most small and medium business owners think that they are not a target for cybercrime. Well, if you think you are safe because you are just a little fish in a big pond, think again. Cybercrime has chosen small and medium sized businesses (SMBs) as its prime attack targets. The reason is that many SMBs lack the expertise, budget and time to really defend their network like the big companies do. You are the low-hanging fruit, and the attackers can automate their attacks.

    3. New vicious ransomware might cause users to sit on their hands for days because all their files are encrypted and backups failed.

    4. The Wall Street Journal reported that the Target, Home Depot and Sony hacking incidents grabbed the attention of executives everywhere, bringing home the reality that cybersecurity has become a top risk consideration in the board room. These days getting air cover from the Board is much easier.

    5. Employees are not stupid, they are just trained in a field other than IT. Once the CEO has communicated that this is a company-wide ongoing training initiative which includes regular phishing tests and needs everyone's cooperation to become security-aware, employees who have stepped through the training almost always say: "Wow, I did not know it was that bad on the web. How do I share this with my family?" If you position (frame) this correctly as part and parcel of safe Internet usage, which also helps them keep their family safe online, you will get mostly very positive feedback from end-users.
So, here are the steps I recommend:

    1. Use the above five points to get the OK to do a complimentary phishing security test and see how bad the employee Phish-prone percentage actually is. This is usually an unpleasant surprise, but great for getting budget.

    2. Find out how affordable this is for your organization. This is normally the pleasant surprise and essentially a no-brainer.

    3. Start the campaign with support from (and an intro by) your CEO or another C-level executive, and provide a deadline and incentives for the initial training.

    4. Schedule frequent phishing security tests, one a month minimum, and create a game where you compare the click-percentages from different groups of employees. (This is supported by the KnowBe4 Admin console.)

    5. Report regularly to both employees and executives about the positive results and show everyone graphs of the progress.

Doing it this way could even improve the status of the IT department and make end-users understand much better what massive challenges you face on a day-to-day basis. Good luck! Here is the link to Step 1, your complimentary Phishing Security Test:
http://www.knowbe4.com/phishing-security-test-offer


Appeals Court Reinstates Neiman Marcus Hacking Liability

Last Monday, the US Court of Appeals reinstated a liability case against Neiman Marcus (which had been dismissed earlier) for potential damage to consumers from the data breach of 350,000 Neiman Marcus customers.

Neiman Marcus admitted that more than 9,000 of these hacked accounts were later used for fraud. This is the first time that an appeals court has recognized the actual damage associated with consumers having to research and repair credit card accounts after data breaches.

This spells class-action lawsuits for every data breach, and this area is the legal industry's number one growth market. SANS's Alan Paller said: "One likely consequence will be a demand among CEOs to get definitive answers to the pair of questions they have been asking for nearly a decade: 'What do I need to do to avoid liability, and how much is enough?'

"The growing consensus is that the minimum standard of due care will be measured around full and constantly monitored implementation of the basic 'critical controls' published by NSA, the Australian ASD and the Center for Internet Security, because those are the only benchmarks that can demonstrate their controls stop attacks."

One of these controls is an effective security awareness training program, building your "human firewall". Here is the WSJ blog post, excellent ammo to get IT security budget:
http://blogs.wsj.com/cio/2015/07/23/appeals-court-revives-neiman-marcus-data-breach-suit/

Whitepaper: Legal Compliance Through Security Awareness Training

Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), and Certified in Risk and Information Systems Control (CRISC) certifications. He is a partner at Foley & Lardner LLP.

This whitepaper shows you the common threads in compliance laws and regulations. Did you know that "CIA" means Confidentiality, Integrity, and Availability, and do you know how lawmakers incorporated that language in infosec regulations?

Are you familiar with the concept of acting “reasonably” or taking “appropriate” or “necessary” measures? Find out how this can keep you from violating compliance laws or regulations.

Did you know you are supposed to "scale security measures to reflect the threat"? We have some examples from the Massachusetts Data Security Law and HIPAA to explain what is required. Download this whitepaper here:
http://info.knowbe4.com/whitepaper-overly-kb4

I Was Interviewed On TV About The Recent Ashley Madison Hack

I was interviewed on TV about the recent Ashley Madison Hack, and what the security repercussions can be for people who have their personal information exposed. The TV crew came over to our new office. Check it out:
https://vimeo.com/134351507

Talking about our new digs, we moved to a new 15,000-square-foot office with expansion space for 100 KnowBe4 employees, and this week we had our logo mounted on the top of the building. This is a 30-second time-lapse of the old logo coming off and the new one being put up. Follow the link below to see the video on YouTube. Enjoy, we sure did!
http://blog.knowbe4.com/out-with-the-old-and-in-with-the-new-knowbe4-logo

BOOK Review: Ghost Fleet

Here is your required summer reading: Ghost Fleet: A Novel of the Next World War. Ghost Fleet is a speculative Tom Clancy-like thriller in the spirit of The Hunt for Red October. This novel by two leading experts on the cutting edge of national security is unique in that every trend and technology featured in the novel — no matter how sci-fi it may seem — is real, or could be soon. I'm reading it myself now; it's exciting and earns a "Stu's Warmly Recommended!"
http://amzn.com/B00LZ7GOI4

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"No act of kindness, no matter how small, is ever wasted."
- Aesop, Author (620 - 560 BC)

"Kindness is the language which the deaf can hear and the blind can see."
- Mark Twain

Thanks for reading CyberheistNews!
Security News

A New Ransomware Hostage Rescue Manual

Get this informative and complete hostage rescue manual on ransomware. The 20-page manual is packed with the actionable info you need to prevent infections, and what to do when you are hit with ransomware. You also get a Ransomware Attack Response Checklist and a Ransomware Prevention Checklist.

You will learn more about:

    1. What is Ransomware?

    2. Am I Infected?

    3. I’m Infected, Now What?

    4. Protecting Yourself in the Future

    5. Resources

Don’t be taken hostage by ransomware. Download it now and forward it to your friends; this is good stuff:
http://info.knowbe4.com/ransomware-hostage-rescue-manual-0

Or, read the article in BetaNews first, and then download:
http://betanews.com/2015/07/10/how-to-protect-yourself-against-ransomware/

This Week's Five Most Popular HackBusters Posts

    1. Hackers Remotely Kill a Jeep on the Highway—With Me in It:
       http://www.hackbusters.com/news/stories/353296-hackers-remotely-kill-a-jeep-on-the-highway-with-me-in-it

    2. Online Cheating Site Ashley Madison Hacked:
       http://www.hackbusters.com/news/stories/352692-online-cheating-site-ashleymadison-hacked

    3. 600TB MongoDB Database 'accidentally' exposed on the Internet:
       http://www.hackbusters.com/news/stories/353818-600tb-mongodb-database-accidentally-exposed-on-the-internet

    4. Apple Mac OS X Vulnerability Allows Attackers to Hack your Computer:
       http://www.hackbusters.com/news/stories/354437-apple-mac-os-x-vulnerability-allows-attackers-to-hack-your-computer

    5. NASA: This planet is the closest thing to Earth yet:
       http://www.hackbusters.com/news/stories/354626-nasa-this-planet-is-the-closest-thing-to-earth-yet

The Social-Engineer Toolkit (SET) v6.5 "Mr Robot" Released

The next major revision of The Social-Engineer Toolkit (SET), v6.5 codename "Mr Robot", has just been released. The codename is in celebration of the TV show Mr Robot, which featured SET in a recent episode.

Kudos to them for having some amazing tech writers, and we appreciate the shout-out on the show. If you have not seen Mr Robot yet, you can get Season 1 on Amazon, warmly recommended. This is a good show.

Version 6.5 incorporates a new HTA web attack vector. This attack allows you to clone a website and inject an HTA file which compromises the system. Here are the specs, with a video that shows how it works:
https://www.trustedsec.com/july-2015/the-social-engineer-toolkit-set-v6-5-mr-robot-released/

Tools To Scan For Hacking Team Malware Infections

Darlene Storm at ComputerWorld dug up several no-charge tools to find out if you have any devices that are infected with the Italian Hacking Team malware, which until now was used mostly by governments. Now that they have been hacked themselves and all their zero-day vulnerabilities exposed, several cyber scum-suckers have re-purposed Hacking Team’s malware. So here they are:

Rook Security offers Milano, a complimentary tool to scan your PC for any possible Hacking Team malware infection. Facebook offers osquery to detect Hacking Team’s Remote Control System on OS X. Lookout has mobile covered and can detect surveillance malware on Android and iOS platforms. Here is Darlene's story with links to the downloads for these tools:
http://cwonline.computerworld.com/t/9234223/987374514/747887/20/

Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.

Our mailing address is: 33 North Garden Ave Suite 1200, Clearwater, Florida, 33755


