CyberheistNews Vol 6 #9 How To Suck At Information Security – A Cheat Sheet



Stu Sjouwerman

Lenny Zeltser is a business and tech leader with extensive experience in infosec. His areas of expertise include incident response, cloud services and product management. He also teaches digital forensics and anti-malware courses at SANS Institute, speaks at conferences, writes articles and has co-authored books. He created this cheat sheet; it's very entertaining and oh-so-true. Enjoy!

He wrote: "This cheat sheet presents common information security mistakes, so you can avoid making them. Yeah, the idea is that you should do the opposite of what it says below. To print, use the one-sheet PDF version; you can also edit the Word version for your own needs.":
https://zeltser.com/suck-at-security-cheat-sheet/

IRS Cyberattack Total Is More Than Twice Previously Disclosed

Cyberattacks on taxpayer accounts affected more people than previously reported, the Internal Revenue Service said Friday.

The IRS statement, originally reported by Dow Jones, revealed that tax data for about 700,000 households might have been stolen. Specifically, a government review found potential access to about 390,000 more accounts than previously disclosed.

In August, the IRS said that the number of potential victims was greater than 334,000 — more than twice the initial estimate of more than 100,000.

So, file your own tax return as soon as you can because the bad guys may get your refund if they file a bogus return in your name:
http://www.nbcnews.com/tech/security/irs-cyberattack-total-more-twice-previously-disclosed-n526846

RSA Sessions Dealing With Social Engineering

When you read this, the RSA Conference 2016 will be in full swing with some 30,000 people mobbing the Moscone Center in San Francisco. Many of the world’s famous cybersecurity experts will be there.

The week-long conference, Feb. 29 through March 4, offers sessions, workshops, and events focusing on all manner of security topics. The agenda is overwhelming, so I picked 5 sessions I recommend if you are interested in managing the problem of bad guys social engineering your employees:

    1. Breaking In Is Easy—Breaking Bad Habits Is HARD! (March 1, 1:10 p.m. to 2 p.m.): Infosec expert and author Jayson Street discusses three common roles attackers often play when trying to break into targets.

    2. Trends in Social Engineering: How to Detect and Quantify Persuasion (March 2, 8 a.m. to 8:50 a.m.): ZapFraud CTO and security researcher Markus Jakobsson lays out how an improved understanding of persuasion can help lay the foundation for more effective anti-spam tools.

    3. The Art of Hacking a Human (March 2, 10:20 a.m. to 11:10 a.m.): In-vehicle security designer Zee Abdelnabi reviews how to navigate different personalities using information gleaned from traditional hacking techniques.

    4. They’re People—Not Data! The Human Side of Insider Cyberthreats (March 3, 9:10 a.m. to 10 a.m.): The risk director and chief HR officer from Rockwell Automation review lessons learned from several real cases highlighting the human and technical aspects of insider risk.

    5. Securing the “Weakest Link” (March 3, 11:30 a.m. to 12:20 p.m.): Author, technologist and entrepreneur Adam Shostack lays out proven, actionable ways to secure what security experts often call a company’s weakest link: their people.

And obviously come see KnowBe4 at booth 3024 in the North Hall. We'll show you the latest features we have added to the world's most popular platform for awareness training and simulated phishing.

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Study the past, if you would divine the future."
- Confucius - Philosopher (551 - 479 BC)

"You cannot escape the responsibility of tomorrow by evading it today."
- Abraham Lincoln


Thanks for reading CyberheistNews


Security News
Don't Miss The March Live Demo: New-School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, March 9 at 2:00 p.m. (EST) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform and see how easy it is to train and phish your users:

  • Send Phishing Security Tests to your users and get your Phish-prone percentage.
  • Roll out Training Campaigns for all users (or groups) with follow-up emails to “nudge” users who are incomplete on the training.
  • Point-of-failure training auto-enrollment.
  • NEW Phish Alert Button for Outlook so employees can report phishing attacks.
  • NEW Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.

Find out how thousands of organizations have mobilized their end-users as their first line of defense. Register Now:
https://attendee.gotowebinar.com/register/7563326455549377539

OPM CIO Resigns Under Pressure

The top technology official at the federal agency hit by massive hacks last summer has resigned after months of calls from some members of Congress for her firing.

Donna Seymour, the chief information officer at the Office of Personnel Management (OPM), was scheduled to testify on Wednesday before the House Oversight Committee about the hacks. The intrusions exposed sensitive information of more than 20 million people, including highly personal security clearance background check forms.

"Leaving OPM at this time was a very tough decision for me, but I feel it is in the agency’s best interest that my presence does not distract from the great work this team does every single day for this agency and the American people," Seymour wrote in an email to her OPM colleagues.

Oversight Chairman Jason Chaffetz (R-Utah) has been leading the charge to oust Seymour since last June. On at least five occasions, he called for Seymour’s firing via letters to the OPM and White House. More:
http://thehill.com/policy/cybersecurity/270305-top-opm-tech-official-resigns-under-pressure

Ransomware: What Will It Take To Be Prepared?

Healthcare IT News wrote: "Last week we all read another sobering account of the disruption that cyber incidents can cause. The ransomware attack at Hollywood Presbyterian Medical Center was despicable in its nature and alarming in what it says about the overall preparedness of healthcare to deflect these threats.

Healthcare is one of our most critical infrastructures and important to every American. The CEO for this institution eventually opted to pay the ransom to return his institution's systems back to service. A decision only he and the leadership of that hospital could make and one I'm sure not easily arrived at." More:
http://www.healthcareitnews.com/blog/ransomware-what-will-it-take-be-prepared

Arizona Superior Court Hit With Ransomware Attack

The Arizona Superior Court in Pima County was hit with a ransomware attack earlier this week that was thwarted shortly after being discovered by the county's IT department.

The attack was discovered on Tuesday when court workers could not gain access to certain files, according to Tucson Local Media. The malware was most likely injected into the court's computer system when an employee downloaded a malicious file, the local news report said.

The IT team shut down the system to limit damage and clean out the malware, and it was up and running again later that day. No court information was compromised. No details on the ransom were available, and an inquiry to the court for further information had not been answered. Good for them: their backups were apparently in place and the restore function worked as advertised. More:
http://www.scmagazine.com/arizona-court-hit-with-ransomware-attack/article/479292/

Avast Ran A Fun Experiment This Year At Mobile World Congress

Many of us will have been in a situation where, in our quest for connectivity, we've connected to an authentic-sounding or otherwise familiar-sounding public hotspot without giving it much thought. Yet as Avast points out, this practice is fraught with risks. Cyber criminals often set up password-free Wi-Fi networks using generic-sounding SSIDs in order to trick users into logging on. After doing so, the attackers can spy on users' web habits and any personal information they share while online.

In four hours, Avast was able to view more than eight million data packets from more than 2,000 MWC attendees who had been tricked into connecting to the company's bogus networks. Not only was the company able to learn the device and user identity of 63.5% of those visitors, but it also picked up on some much more amorous habits – namely that 1% were observed using dating apps. More about the Avast test:
http://www.ibtimes.co.uk/avast-tricks-mobile-world-congress-attendees-into-revealing-browsing-info-wi-fi-experiment-1545550

So, whatever electronic device your employees are using to connect to a Wi-Fi network, whether it is a smartphone, tablet or laptop, they should run a VPN, which sends their communications through a separate and secure private network even while they are on a public network. I am currently testing a few VPNs for my iPad Pro and I will let you know what I have found. First observation is that there seems to be a problem with iOS 9.x and VPNs that causes lost connections. For instance, sending an email with the CyberGhost VPN switched on is impossible because the connection with Gmail's SMTP server gets cut. That kind of thing. Stay tuned.

Webroot: 97 Percent Of Observed Malware In 2015 Was Unique To Recipient

IT security firm Webroot just released its 2016 Threat Brief. One of the highlights was that 97 percent of the malware encountered by its user base in 2015 was unique. That means hackers are relying almost exclusively on polymorphic malware, constantly creating new variants to avoid detection.

Webroot noted that the number of observed malware family variants skyrocketed from 14,000 in 2014 to 130,000 in 2015. Similarly, the number of observed family variants of adware, spyware and other unwanted non-malware apps jumped from 1,000 in 2014 to 90,000 in 2015.

This suggests attackers are making their code "more difficult to detect, using polymorphic distribution models and rapid new variant generation to circumvent traditional detection methods," Webroot reported.

Meaning, the bad guys are working really hard to bypass endpoint security products and social engineer your end-users. Here is the full Webroot report:
http://webroot-cms-cdn.s3.amazonaws.com/7814/5617/2382/Webroot-2016-Threat-Brief.pdf


Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff
    • If You Dare Hackers To Hack You, They'll Hack You Good. Fusion's Kevin Roose asked some of the best hackers at DEF CON to do their worst to him. He didn't even know what was coming. Great for a short break:
      https://www.youtube.com/watch?v=bjYhmX_OUQQ
