CyberheistNews Vol #5 #45, Oct 20, 2015

Apple's OS X Security Honeymoon Is Over
Stu Sjouwerman

Unfortunately, bad guys are business people too. Their time is money, and they follow market leaders. By now, Apple's market share of desktop computers is close to 17 percent. OS X, Apple's operating system, is popular with consumers and enterprises, making it a more interesting target for hackers since it has not been "mined" a lot, and Apple users are under the false impression that their platform is "safe and does not even need antivirus".

Well, a report released by security company Bit9 shows that more malware has been found this year for OS X than in the last five years combined. The company found 948 unique samples of malware this year, compared to 180 between 2010 and last year. The malware is not yet super sophisticated, and is not hard to remove, but the increase is massive and much larger than the increase in Windows malware.

Still, it's early days yet compared with the fire-hose of Windows-based malware, which is running at around 400,000 new strains per day at the moment. However, an interesting fact about OS X this year is that many more software vulnerabilities have been disclosed than in past years. A list shows 276 flaws have been found in the last 12 months, which is about four times the average number found annually over the last 15 years.

It looks like more and more researchers are focused on how to bypass OS X security mechanisms or how to get code to execute remotely.

And looking at the mobile side of the house, according to Net Market Share's September figures, iOS claimed 38.6 percent of the global mobile OS market share. The number of iOS devices in the enterprise might actually be higher. According to Good Technology's Q2 Mobility Index Report, iOS had 64 percent of worldwide enterprise market share, although this had dropped from 70 percent the previous quarter.

From the perspective of security awareness training, Apple users need to be trained just as much as Windows users. More than half of the Apple malware found this year was aimed at forcing people to view ads, a malware class called adware. And infections mostly depended on social engineering end-users, for example getting employees to download what they should "red flag" as dodgy software.

It is loud and clear that effective security awareness training is a must for all employees, regardless of whether their computer runs Windows or Apple OS X. Find out how affordable that is for your organization and be pleasantly surprised.
https://info.knowbe4.com/kmsat_get_a_quote_now

How To Stop Gullible Employees From Doing Stupid Stuff

Roger A. Grimes is an InfoWorld contributing editor. Roger holds more than 40 computer certifications and has authored eight books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. A frequent industry speaker and educator, he currently works for Microsoft as a principal security architect.

Roger has another great column in InfoWorld about the biggest bang you can get for your Infosec budget. He started with: "Most organizations don’t do enough to educate users about computer security. The main purpose of user education programs is to decrease human-factor risk substantially. If they don’t accomplish that, the whole exercise is a waste of resources.

Such programs, if they exist at all, consist of a sort of security orientation program for new employees, with an annual update and refresher course lasting 15 minutes to an hour. Occasionally, you’ll see an in-house security newsletter and/or periodic Web posts that employees might read on a slow workday.

This lack of commitment is strange, considering the overall effectiveness of user education to stop employees from doing stupid stuff. In my opinion, doubling, tripling, or even quadrupling security education requirements and budgets should happen immediately in most organizations.

Why? Because the most prevalent, successful threats rely on social engineering, one way or another. That could be a phishing email, a rogue link, or an offer of a free download that pops up on a trusted website. In rare instances, it’s a physical phone call asking for credentials to be reset or for the person to install “needed” diagnostics software to remove malware.

The fastest and cheapest bang for your buck is user education training to counteract those threats. Unfortunately, such programs tend to focus on scenarios users will never face -- or were prevalent 10 years ago. Certainly, most education programs fail to cover the malicious tactics an organization is fighting at a given time."

And in the rest of his column he gives some great suggestions on how to manage this problem. Read it here, it's a Stu's Warmly Recommended:
http://www.infoworld.com/article/2992011/security/the-most-important-security-question-to-ask-users.html

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"I believe that laughing is the best calorie burner. I believe in kissing, kissing a lot. I believe in being strong when everything seems to be going wrong. I believe that happy girls are the prettiest girls. I believe that tomorrow is another day and I believe in miracles." - Audrey Hepburn, Actress (1929 - 1993)

"And the best of a man is gone when the best of his dreams is dead." - an old, old poem.


Thanks for reading CyberheistNews

Security News
This Week's Five Most Popular HackBusters Posts
    1. Engineer builds 'working' Thor's hammer that only he can lift:
      http://www.hackbusters.com/news/stories/425760-engineer-builds-working-thor-s-hammer-that-only-he-can-lift

    2. A Second Snowden Leaks a Mother Lode of Drone Docs:
      http://www.hackbusters.com/news/stories/427780-a-second-snowden-leaks-a-mother-lode-of-drone-docs

    3. First Ever Anti-Drone Weapon that Shoots Down UAVs with Radio Waves:
      http://www.hackbusters.com/news/stories/427529-first-ever-anti-drone-weapon-that-shoots-down-uavs-with-radio-waves

    4. Police: Stop posting pictures of your kids on social media!
      http://www.hackbusters.com/news/stories/428499-police-stop-posting-pictures-of-your-kids-on-social-media

    5. How Is The NSA Breaking So Much Crypto?
      http://www.hackbusters.com/news/stories/427740-how-is-the-nsa-breaking-so-much-crypto

New iPhone6S Force Touch Causes New Phishing Wrinkle

Lance Spitzner, Director of the SANS Securing The Human program alerted the subscribers to his forum to the following problem:

"Folks, we did our monthly phishing assessment within SANS and ran into something new. One of our top instructors fell victim - but not because they were suckered. Instead it was due to the new Force Touch feature in the new iPhone6s. As you may know, with the new iPhone6s it can measure force when you touch the screen. In old iPhones, when you hold down on a link it brings up its true destination (i.e. ‘hovering’ over the link). With the new iPhone6s, it works the same EXCEPT if you push down too hard on it. Push down too hard and Force Touch kicks in and automatically opens the site for you. Just in case you were getting bored with your phishing training :)"

Excellent observation Lance, thanks for letting everyone know.

Tackle Insider Threat By Creating A Culture Of Security Awareness

October is National Cyber Security Awareness Month (NCSAM), and this year’s theme is "Our Shared Responsibility," reflecting the notion that cyber space cannot be secured without the help of all users.

Unfortunately, the weakest link in most organizations is the employees. In fact, many, if not most, security breaches involve internal users, a risk often referred to as insider threat. Read/see the slide show explaining how to tackle the insider threat by creating security awareness on IT Business Edge:
http://www.itbusinessedge.com/slideshows/tackle-insider-threat-by-creating-a-culture-of-security-awareness.html

[VIDEO] Hacking The Chip & Pin Card Technology Is Easy

The banks are promoting the so-called new "Chip & PIN" cards as much safer. They are also called the EMV chip system and are touted to be secure. However, this technology is 15 years old and the U.K. has had it in widespread use since 2003, so cyber criminals have had more than a decade to figure out how to hack these cards and steal your money.

In this video, Professor Ross Anderson of the Computer Laboratory at the University of Cambridge explains the different ways Chip & PIN can be hacked. You might think that these cards are harder to defeat, but technology can be used for good and for bad. The "evil" PIN card machine is the scariest of them all. Video at the KnowBe4 Blog:
https://blog.knowbe4.com/video-hacking-the-chip-pin-card-technology-is-easy

Healthcare Pros Do Not Get Enough Security Awareness Training

Healthcare pros surprisingly get very little security awareness training. Only 38 percent of these employees get security training at least twice a year -- 49 percent get training once a year, 7 percent only when they are first hired, and 6 percent received no security awareness training at all.

It looks like healthcare organizations first need to get hacked before they get the message that it could have been prevented. There seems to be an "it can't happen to me" attitude. A recent Trustwave study called "2015 Security Health Check Report" shows some worrying numbers.

Insufficient awareness training creates a large attack surface for health care organizations, and this is proven by the large number of health care breaches. In the past two years, hackers have stolen data from 81 percent of hospitals and health insurance companies, according to a report released by KPMG.

The value of a health care record is so much higher (10x) because the lifespan of these records is measured in years, as opposed to credit card numbers, whose lifespan is months or weeks. The study shows that both technical and non-technical employees are aware of the risks to their industry in general. More than 90 percent of technical staff and 77 percent of non-technical staff thought that cybercriminals were increasingly targeting health care organizations.

Trustwave's Steve Kelley stated: "Annual vulnerability testing and annual security awareness programs really aren't enough to maintain a fully secure posture in what's becoming one of the biggest consumer data issues and privacy data issues in the world." Blog article with links:
https://blog.knowbe4.com/healthcare-pros-do-not-get-enough-security-awareness-training
