CyberheistNews Vol 5 #9 Mar 3, 2015

How To Get The OK To Phish Your Own Employees

IT people responsible for network security talk to us all the time. Almost all of them agree that end-users are their number one headache (see below) and managing that problem continues to be a big challenge. Social engineering is by far the easiest way for hackers to get in, either tailgating through the side door or (spear) phishing employees using email and social media.

So, it seems smart to protect against a threat like that with end-user education, driven by some "social pen-testing". The IT teams that get the approval from management to do this get great results. Apart from budget issues, sometimes there is resistance at the C-level to sending phishing tests to all employees, often driven by other departments like Legal or HR who claim "we should not trick our employees". In those situations IT runs into political headwinds that scuttle the phishing project.

However, today you have to consider a new approach to securing your IT assets. You simply can't afford to passively wait for attacks. Instead, you should take a lean-forward approach that proactively prevents "being low hanging fruit".

Here are five points of ammo to get that approval and, more importantly, air cover from the top of your organization. Continue reading at our blog, because there are a number of relevant links in this post:

https://blog.knowbe4.com/how-to-get-the-ok-to-phish-your-own-employees

New Survey Confirms: Number One Infosec Headache Is End Users

A new survey by an IT security company shows that 80 percent of IT pros point at end-users as the cause of their security problems.

Yes, unpatched workstations and configuration problems with servers are certainly ongoing issues for infosec pros, but untrained end-users are really what keeps them awake at night. It's a known problem that continually needs to be managed. It was again confirmed by a new survey conducted by IT security firm Bromium, which shows almost 80% of IT pros responsible for security point at end-users as their number one security headache.

The things that bubbled up in the survey as the most dangerous things end users do are clicking on suspicious or malicious links, opening suspicious or malicious attachments, and bypassing security controls in some way or another.

A recent Aberdeen Group study confirms this and showed that end-user security awareness training can reduce IT security risk up to 70 percent. In many cases, employees do things that are risky simply due to a lack of awareness of what dangerous links or emails look like, or why certain security measures are in place. "Actions that are taken by individual end-users – the networks and devices we use, the files we send and receive, the apps we install and run, the links we click on, the emails we open – are behaviors that result in a high percentage of security infections," stated Derek Brink, analyst for Aberdeen Group.

Bromium had some more things to report though. "In addition to struggling to maintain control over their users, many information security professionals are struggling to maintain control over their current security systems," the Bromium survey showed.

IT security pros are overwhelmed by the sheer volume of attacks and by trying to manage endpoint security products with overlapping functionality. Almost fifty percent of IT pros observed that multiple redundant solutions introduce the most cost and complexity into their networks. Last but not least, over 60 percent came clean on the worrisome fact that they can only investigate or respond to about half of their security alerts.

Ouch. Well, at least getting effective user education in place should be a good start. Stepping end-users through Kevin Mitnick security awareness training makes them aware of what things are dangerous to do on the Internet and significantly cuts down on risky behavior. Find out how affordable this is for your organization today:
https://info.knowbe4.com/kmsat_get_a_quote_now

Take The IT Governance Cyber Security Quiz

Check out IT Governance's Cyber Security Quiz. This is your opportunity to prove how much (or little) you know about the latest data breaches, hacks and other cyber security news from the past week. It's hard. Good luck!
https://www.itgovernanceusa.com/blog/take-our-cyber-security-quiz-14/


Warm Regards,
Stu Sjouwerman
Quotes of the Week:

"Life isn't about finding yourself. Life is about creating yourself." - George Bernard Shaw

"The greatness of a man is not in how much wealth he acquires, but in his integrity and his ability to affect those around him positively." - Bob Marley
Security News
Get Away From The Cold: InfoSec World Conference & Expo 2015

Put this in your calendar: March 23-25, 2015 - InfoSec World 2015, coming to Disney's Contemporary Resort this March, is now just a few weeks away! Don't miss this 7-track event featuring a lineup of conference sessions, workshops and summits that address the most pressing matters in information security today. And, just for being a Cyberheist News subscriber, register with the special discount code OS15/CHN and you'll receive 10% off the conference registration fee.

To register, simply call the Customer Service department, who can sign you up over the phone: 508-879-7999 ext. 501, and don't forget to mention your discount code - OS15/CHN!
www.misti.com/infosecworld

Suburban Chicago Cops Pay $500 In Bitcoin After Ransomware Infection

The Chicago Tribune reported that police in Midlothian, located south of the city, first encountered Cryptoware in January. Someone initially opened an e-mail carrying the malware, thus inviting Cryptoware into the department to access a computer. As is standard in the ransomware script, soon a message popped up demanding money in exchange for a code that could free the device from Cryptoware.

Local IT professionals assured the paper that the hacker didn't access files in the police department's system; rather, the Cryptoware scheme only encrypted swaths of department computers and made certain documents inaccessible. "It didn't encrypt everything in the police department. It was just that computer and specific files," Calvin Harden Jr., an IT vendor who works with the village, told the Tribune. More:
https://arstechnica.com/tech-policy/2015/02/suburban-chicago-cops-pay-up-500-in-bitcoins-after-latest-ransomware-scheme/

What Are Our Customers Saying?

Chad Edwards, Information Technology Officer, First National Bank of River Falls said:

"We have been using KnowBe4's Internet Security Awareness Training and phishing tests for several years. Prior to that, we were performing in-house training in a seminar type environment and hiring a company to do annual phishing tests. Our phishing test failure rate was higher than we were comfortable with and we were looking for a more hands-on approach to training.

"When we implemented the KnowBe4 solution, which is MUCH less expensive than even the fee for the phishing tests we had previously, there was an immediately noticeable difference in the awareness of our employees.

"The training does a great job of showing real world examples of exploits, shows employees that 'this stuff is real', and shows them how the compromises can happen. It engages them by making them answer questions on the screen and they are still done with the training in less than an hour.

"They provide us tips to give to our employees about newly arising threats. The phishing tests provide us several benefits. They assure us that our employees are ready to recognize real phishing and scam emails since the tests are updated to simulate current attacks. Also, since our employees know they will be tested, they are constantly watching for the phishing tests, which inherently means they are watching for real phishing emails as well.

"When we used to do our in-house training, we would occasionally have an employee approach us to discuss something they recognized in a real world example that they recalled from training. After implementing KnowBe4, we constantly had employees contact us to let us know they recognized a phishing or scam email. They were proud of the knowledge they had gained and were not falling for the tests!

"Everyone knows the human factor can be your weakest link. Even very large companies with immense budgets and all kinds of controls in place have been hacked by something as simple as an employee clicking a link in an email. I can say with 100% confidence that KnowBe4 makes our employees smarter, more aware, and less susceptible to attacks!"

FBI: $3M Bounty for ZeuS Trojan Author

The FBI this week announced it is offering a USD $3 million bounty for information leading to the arrest and conviction of one Evgeniy Mikhailovich Bogachev, a Russian man the government believes is responsible for building and distributing the ZeuS banking Trojan.

Bogachev is thought to be a core architect of ZeuS, a malware strain that has been used to steal hundreds of millions of dollars from bank accounts, mainly from small to mid-sized businesses based in the United States and Europe. Bogachev also is accused of being part of a crime gang that infected tens of millions of computers, harvested huge volumes of sensitive financial data, and rented the compromised systems to other hackers, spammers and online extortionists.

So much of the intelligence gathered about Bogachev and his alleged accomplices has been scattered across various court documents and published reports over the years, but probably just as much on this criminal mastermind and his associates has never seen the light of day. What follows is a compendium of knowledge, a bit of a dossier, if you will, of Bogachev and his trusted associates. At Brian Krebs' excellent site:
https://krebsonsecurity.com/2015/02/fbi-3m-bounty-for-zeus-trojan-author/

RO-BOW - A Robot that Plays a Violin by Seth Goldstein:
https://m.youtube.com/watch?v=EPTUM2_bxnQ

World record size Cat Fish caught in Italy:
https://www.youtube.com/watch?v=BR9mW5NSVKo

Ransomware on TV: Computer and smartphone viruses are holding an increasing number of devices hostage using "ransomware":
https://www.msn.com/en-us/news/technology/cyber-criminals-holding-phone-and-computer-data-to-ransom/vi-BBhYXOx