How To Get The OK To Phish Your Own Employees
IT people responsible for network security talk to us all the time. Almost all of them agree that end-users are their number one headache (see below) and managing that problem continues to be a big challenge. Social engineering is by far the easiest way for hackers to get in, either tailgating through the side door or (spear) phishing employees using email and social media.
So, it seems smart to protect against a threat like that with end-user education, driven by some "social pen-testing". The IT teams that get the approval from management to do this get great results. Apart from budget issues, sometimes there is resistance at the C-level to sending phishing tests to all employees, often driven by other departments like Legal or HR who claim "we should not trick our employees". In those situations IT runs into political headwinds that scuttle the phishing project.
However, today you have to consider a new approach to securing your IT assets. You simply can’t afford to passively wait for attacks. Instead, you should take a lean-forward approach that proactively prevents "being low hanging fruit".
Here are five points of ammo to get that approval and, more importantly, air cover from the top of your organization. [Continue reading at our blog, because there are a bunch of relevant links in this post]:
https://blog.knowbe4.com/how-to-get-the-ok-to-phish-your-own-employees
New Survey Confirms: Number One Infosec Headache Is End Users
A new survey by an IT security company shows that 80 percent of IT pros point at end-users as the cause of their security problems.
Yes, unpatched workstations and configuration problems with servers are certainly ongoing issues for infosec pros, but untrained end-users are really what keeps them awake at night. It's a known problem that continually needs to be managed. It was again confirmed by a new survey conducted by IT Security firm Bromium which shows almost 80% of IT pros responsible for security point at end-users as their number one security headache.
Things that bubbled up in the survey as the most dangerous things end users do are clicking on suspicious or malicious links, opening suspicious or malicious attachments, and bypassing security controls in some way or another.
A recent Aberdeen Group study confirms this and showed that end-user security awareness training can reduce IT security risk up to 70 percent. In many cases, employees do things that are risky simply due to a lack of awareness of what dangerous links or emails look like, or why certain security measures are in place. "Actions that are taken by individual end-users – the networks and devices we use, the files we send and receive, the apps we install and run, the links we click on, the emails we open – are behaviors that result in a high percentage of security infections," stated Derek Brink, analyst for Aberdeen Group.
Bromium had some more things to report though. "In addition to struggling to maintain control over their users, many information security professionals are struggling to maintain control over their current security systems," the Bromium survey showed.
IT security pros are overwhelmed by the sheer volume of attacks and by trying to manage endpoint security products with overlapping functionality. Almost fifty percent of IT pros observed that multiple redundant solutions cause the highest cost and complexity in their networks. Last but not least, over 60 percent came clean on the worrisome fact that they can only investigate or respond to about half of their security alerts.
Ouch. Well, at least getting effective user education in place should be a good start. Stepping end-users through Kevin Mitnick security awareness training makes them aware of what things are dangerous to do on the Internet and significantly cuts down on risky behavior. Find out how affordable this is for your organization today:
https://info.knowbe4.com/kmsat_get_a_quote_now
Take The IT Governance Cyber Security Quiz
Check out the IT Governance’s Cyber Security Quiz. This is your opportunity to prove how much (or little) you know about the latest data breaches, hacks and other cyber security news from the past week. It's hard. Good luck!
https://www.itgovernanceusa.com/blog/take-our-cyber-security-quiz-14/
Warm Regards,
Stu Sjouwerman
Quotes of the Week:
"Life isn't about finding yourself. Life is about creating yourself." - George Bernard Shaw
"The greatness of a man is not in how much wealth he acquires, but in his integrity and his ability to affect those around him positively." - Bob Marley
Get Away From The Cold: InfoSec World Conference & Expo 2015
Put this in your calendar: March 23-25, 2015 - InfoSec World 2015, coming to Disney’s Contemporary Resort this March, is now just a few weeks away! Don’t miss this 7-track event featuring a lineup of conference sessions, workshops and summits that address the most pressing matters in information security today. And, just for being a Cyberheist News subscriber, register with the special discount code OS15/CHN and you'll receive 10% off the conference registration fee.
To register, simply call the Customer Service department who can sign you up over the phone: 508-879-7999 ext. 501, and don't forget to mention your discount code - OS15/CHN!
www.misti.com/infosecworld
Suburban Chicago Cops Pay $500 In Bitcoin After Ransomware Infection
The Chicago Tribune reported that police in Midlothian, located south of the city, first encountered Cryptoware in January. Someone opened an e-mail carrying the malware, which let Cryptoware into the department and onto a computer. As is standard in the ransomware script, a message soon popped up demanding money in exchange for a code that could free the device from Cryptoware.
Local IT professionals assured the paper that the hacker didn't access files in the police department's system; rather, the Cryptoware scheme only encrypted swaths of department computers and made certain documents inaccessible. "It didn't encrypt everything in the police department. It was just that computer and specific files," Calvin Harden Jr., an IT vendor who works with the village, told the Tribune. More:
https://arstechnica.com/tech-policy/2015/02/suburban-chicago-cops-pay-up-500-in-bitcoins-after-latest-ransomware-scheme/
What Are Our Customers Saying?
Chad Edwards, Information Technology Officer, First National Bank of River Falls said:
"We have been using KnowBe4’s Internet Security Awareness Training and phishing tests for several years. Prior to that, we were performing in-house training in a seminar type environment and hiring a company to do annual phishing tests. Our phishing test failure rate was higher than we were comfortable with and we were looking for a more hands-on approach to training.
"When we implemented the KnowBe4 solution, which is MUCH less expensive than even the fee for the phishing tests we had previously, there was an immediately noticeable difference in the awareness of our employees.
"The training does a great job of showing real world examples of exploits, shows employees that “this stuff is real”, and shows them how the compromises can happen. It engages them by making them answer questions on the screen and they are still done with the training in less than an hour.
"They provide us tips to give to our employees about newly arising threats. The phishing tests provide us several benefits. They assure us that our employees are ready to recognize real phishing and scam emails, since the tests are updated to simulate current attacks. Also, since our employees know they will be tested, they are constantly watching for the phishing tests, which inherently means they are watching for real phishing emails as well.
"When we used to do our in-house training, we would occasionally have an employee approach us to discuss something they recognized in a real world example that they recalled from training. After implementing KnowBe4, we constantly had employees contact us to let us know they recognized a phishing or scam email. They were proud of the knowledge they had gained and were not falling for the tests!
"Everyone knows the human factor can be your weakest link. Even very large companies with immense budgets and all kinds of controls in place have been hacked by something as simple as an employee clicking a link in an email. I can say with 100% confidence that KnowBe4 makes our employees smarter, more aware, and less susceptible to attacks!"
FBI: $3M Bounty for ZeuS Trojan Author
The FBI this week announced it is offering a USD $3 million bounty for information leading to the arrest and conviction of one Evgeniy Mikhailovich Bogachev, a Russian man the government believes is responsible for building and distributing the ZeuS banking Trojan.
Bogachev is thought to be a core architect of ZeuS, a malware strain that has been used to steal hundreds of millions of dollars from bank accounts — mainly from small to mid-sized businesses based in the United States and Europe. Bogachev also is accused of being part of a crime gang that infected tens of millions of computers, harvested huge volumes of sensitive financial data, and rented the compromised systems to other hackers, spammers and online extortionists.
So much of the intelligence gathered about Bogachev and his alleged accomplices has been scattered across various court documents and published reports over the years, but probably just as much on this criminal mastermind and his associates has never seen the light of day. What follows is a compendium of knowledge — a bit of a dossier, if you will — of Bogachev and his trusted associates. At Brian Krebs' excellent site:
https://krebsonsecurity.com/2015/02/fbi-3m-bounty-for-zeus-trojan-author/
This Week's Links We Like. Tips, Hints And Fun Stuff.
RO-BOW - A Robot that Plays a Violin by Seth Goldstein:
https://m.youtube.com/watch?v=EPTUM2_bxnQ
World record size Cat Fish caught in Italy:
https://www.youtube.com/watch?v=BR9mW5NSVKo
Ransomware on TV: Computer and smartphone viruses are holding an increasing number of devices hostage using “ransomware”:
https://www.msn.com/en-us/news/technology/cyber-criminals-holding-phone-and-computer-data-to-ransom/vi-BBhYXOx