CyberheistNews Vol 6 #7 New Surveys: "Users Are #1 Risk And Pain In The Neck"

Stu Sjouwerman

I'm sure this is not a surprise for you. For us, it isn't either. Problem is, employees simply are the low-hanging fruit, so why spend 3 months uncovering a zero-day threat when in 3 hours you can have a phishing website up & running and an email out to a million gullible end-users?

The following two headlines report on surveys that show how vulnerable organizations are to social engineering attacks like phishing. Cybercrime has gone pro, and the criminals are targeting your users. The good news is that there is a great way to manage that ongoing problem. Did you see our new site? Check it out:
https://www.knowbe4.com

Social Engineering Is Top Hacking Method, Survey Shows

When it comes to presenting the largest risk to organizations, the insider threat is perhaps the most dangerous. In most cases, it’s not a malicious employee, but rather perpetrators using social engineering techniques to gain insider access.

A new survey of over 500 IT professionals shows that social engineering, which includes phishing, is the most popular hacking technique. The survey from security firm Balabit asked what the biggest threats and most popular hacking methods are.

More than 70% of those surveyed consider insider threats riskier than classic hacking techniques. That is exactly why phishing, which turns an outside attacker into an insider, is considered the most popular technique. This article provides good ammo for more budget:
http://www.infosecurity-magazine.com/news/faux-insiders-represent/

IBM Study: Phishing Scams Are Major Reason For Bank Cybercrime Loss

A new study released by IBM showed that malicious email links and attachments were the top reason for financial institution data breaches, followed by Shellshock at number 2 and Denial of Service (DoS) attacks at number 3. Financial institutions had 20 million records breached last year.

The study, conducted by the Ponemon Institute for IBM, found that the average cost per lost record was 170 dollars, with the average data breach costing a bank or financial institution 3.79 million dollars. One of the prime causes is human error.

The report found that 18 percent of the attacks resulted from employees clicking on a dangerous link or falling prey to one of the advanced social engineering tricks in use and opening a malicious email attachment. When other forms of human error are included, the share of attacks attributable to people reaches 25 percent.

Even though human error is a huge problem in general, IBM found the top root cause of data breaches within the financial sector to be malicious or criminal attacks. These comprised 47 percent of all breaches, with system glitches causing 29 percent and human error 25 percent.

The biggest change IBM saw in financial sector internet crime is a 55 percent increase in attacks focused on extortion or the direct theft of money from the institution. Here are three links with (increasingly) more information:

SC Magazine:
http://www.scmagazine.com/ibm-phishing-scams-a-major-cause-of-bank-breaches/article/473617/

Press Release:
http://www.prnewswire.com/news-releases/ponemon-institutes-2015-global-cost-of-data-breach-study-reveals-average-cost-of-data-breach-reaches-record-levels-300089057.html

The IBM research data with lots of detail:
http://www-03.ibm.com/security/data-breach/

The Phishie Awards: (Dis)Honoring The Best Of The Worst Phishing Attacks

Sara Peters, Senior Editor at Dark Reading wrote: "You invest in the slickest, smartest, security gear. The latest in threat intelligence, behavior analysis, and every other cutting-edge tech that widened your eyes on the trade show floor. It's excellent, exciting, expensive...and useless against a top-notch social engineer.

Okay, that might be a bit of an overstatement, but there are plenty of examples when social engineering bested the best security technology -- to sack Troy with a wooden horse or to steal diamonds with a charming smile.

These days, the social engineer's favorite tool isn't the smile; it's the humble phishing message. It's a very adaptable piece of kit. It can deliver any manner of malicious payloads, as attachments, embedded objects, or links. It can be customized to lure in any kind of game -- from John Q. Public to John Q. White House Ambassador. It can be used as part of attacks to steal data, steal money, or steal secrets.

Adaptable and successful. Take a peek behind some of the biggest breaches and costliest attacks and you may see a phishing message at the root of it. So, with some help from experts at KnowBe4 and PhishLabs, we've decided to recognize some of the most intriguing examples of phishing in recent history. The clever, the costly, the just plain creepy.

Read on to see which attack campaigns and categories earn the dubious honor of winning one of the coveted Phishie Awards." Good stuff here:
http://www.darkreading.com/endpoint/the-phishie-awards-(dis)honoring-the-best-of-the-worst-phishing-attacks-/d/d-id/1324135

Please Vote For KnowBe4 At The Cybersecurity Excellence Awards

Could you do me a big favor? I'll owe you one. Please vote for us at the Cybersecurity Excellence Awards. Here is a short summary of why we are asking for your vote:

  • Highest growth in customers over all competitive products
  • Most complete suite of anti-phishing tools
  • Easy-to-use, "by-admins-for-admins"
  • Based on real-world scenarios and attacks
  • Proven to be effective in driving down the Phish-prone percentage of your users

Please Vote Here. Highly appreciated!
http://cybersecurity-excellence-awards.com/candidates/knowbe4/

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"The spirit is the true self. The spirit, the will to win, and the will to excel are the things that endure." - Marcus Tullius Cicero, Roman Statesman (106 BC - 43 BC)

"One of the most beautiful qualities of true friendship is to understand and to be understood." - Lucius Annaeus Seneca, Roman Statesman (5 BC - 65 AD)


Thanks for reading CyberheistNews


Security News
This Week's Five Most Popular Blog Posts
    1. The KnowBe4 Phish Alert Button Versus JSocket RAT:
      https://blog.knowbe4.com/the-knowbe4-phish-alert-button-and-jsocket-rat

    2. When do end-users click on phishing links?:
      https://blog.knowbe4.com/when-do-end-users-click-on-phishing-links

    3. Fresh KnowBe4 2016 Datasheet with new Phish Alert button:
      https://blog.knowbe4.com/new-knowbe4-2016-datasheet-with-new-phish-alert-button

    4. Please vote for KnowBe4 at the Cybersecurity Excellence Awards:
      https://blog.knowbe4.com/please-vote-for-knowbe4-at-the-cybersecurity-excellence-awards

    5. American Chamber Of Commerce Scam Is Spear-phishing Prep:
      https://blog.knowbe4.com/american-chamber-of-commerce-scam-is-spear-phishing-prep

Meet Kevin Mitnick in KnowBe4's Booth 3024 at RSA

Going to RSA in San Francisco this year? Stop by KnowBe4's Booth 3024, North Hall:

    • Mitnick Monday! Meet Kevin Mitnick, KnowBe4's Chief Hacking Officer, Monday, February 29, 5-7 PM at KnowBe4's Booth.
    • Also, EVERYONE will receive a real Kevin Mitnick collectible stainless steel lock-pick business card all week long.
    • See a demo of the innovative Kevin Mitnick Security Awareness Training Platform to train and phish your users.
    • Be entered to win an awesome Drone.

PS, Don't have your pass yet? We've got you covered. Use code XEKNWBE416 to register for your complimentary Exhibit Hall Only Pass. Hurry, the code expires February 26.
http://www.rsaconference.com/events/us16/register

See you in San Francisco!

Stu Sjouwerman,
CEO KnowBe4, Inc

How Educating Your Employees On Cybersecurity Can Protect Your Company

Interestingly enough, antivirus company Kaspersky is promoting end-user education. NO other AV company is doing this. You have to wonder why that is.

They wrote: "Human beings are the weakest link within any organization, presenting new opportunities for cybercriminals to infiltrate your company. But your employees can also be your first and best line of defense. With a robust security education program in place, your company can protect its most sensitive information by ensuring that cybercriminals cannot break through your employee firewall."

They then ask you to download Kaspersky Lab's "Threats From Within" to learn:

    • The role that employees play in keeping your organization safe
    • Common attack methods cybercriminals use and how to identify them
    • How to build an effective employee cybersecurity education program

I read through the PDF and it has excellent hints and tips. They omit that sending frequent simulated phishing attacks is a must, but otherwise this is highly recommended. Thanks, Kaspersky:
http://resources.idgenterprise.com/original/AST-0163231_Threats-From-Within-EDU-Ebook_FINAL.pdf

New Whitepaper: "The Phishing Breakthrough Point"

This new paper is based on the results of a 6-month experimental study that measured how long the effect of the 40-minute KnowBe4 "Kevin Mitnick Security Awareness Training" lasts. It was done by Dr. Lydia Kostopoulos (@LKCYBER), who holds a PhD in Security Policy and is a certified social engineering pen tester.

Overview:

Security awareness training and phishing security tests can be effective tools to reduce unintentional insider threats. However, if robust metrics are not put in place, phishing tests can create organizational social engineering blind spots.

Find out more: what is the breakthrough point in an organization's phishing awareness level?
https://info.knowbe4.com/whitepaper-phishing-breakthrough-point

CSO Explainer: What Is Social Engineering?

CSO presents an animated explainer on how data criminals exploit human psychology to get at a company's data without hacking or other technical measures. It is bare-bones basics, but it cannot hurt to remind people on a regular basis. Here it is:
http://www.csoonline.com/article/3029281/security/cso-explainer-what-is-social-engineering.html


Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff
    • Volkswagen Trailer Assist. This is how you reverse with a trailer. In this video from Sweden you will see a driver backing up his car and trailer at high speed – through parking lots, roundabouts and intersections. Or is he really?
      http://www.chonday.com/Videos/trailerghu4