CyberheistNews Vol 7 #24
[FINALLY] Next Windows Version 10 Stops Ransomware Cold

OK, finally there is some good news in the fight against ransomware!

(In case you did not know, I was the Editor-in-Chief for WServerNews for 15 years, and I have been following the Win OS closely since 1995. Glad to be back on my old stomping grounds for a bit here!)

Microsoft has been closely watching the onslaught of this new ransomware epidemic and added a slew of new features to the second major update of Win10, which is called "Creators Update" — Win 10 CU for short — and which has been rolling out for a few weeks, consumers first.

Presenting new anti-ransomware protection features added in Win 10 CU, Robert Lefferts, Director of Program Management, Windows Enterprise and Security, said that no Windows 10 customer was affected by the recent WannaCry ransomware outbreak that took place in mid-May and no currently known ransomware strain can infect Windows 10.

From a security perspective, CU is a massive improvement.

The new security features include the following list, apart from a host of non-security related additions like a 3D version of MS Paint. :-)
    • Click-to-run for Adobe Flash in Edge — which prevents ransomware and other malware from landing on Windows 10 PCs via exploit kits and drive-by downloads.
    • Instant cloud protection via Windows Defender — According to Microsoft, starting with CU, Windows Defender AV can suspend a suspicious file from running and sync with the cloud protection service to further inspect the file.
    • Fast remediation mechanism at detection — Microsoft says it has made great strides to "remediate ransomware infection and limit ransomware activity from minutes to seconds, reducing its damage from hundreds of encrypted files to a few." Microsoft credits this to Windows Defender AV's behavioral engine, which can aggregate malware behavior across processes and stages.
    • Improved detection for script-based attacks — Microsoft says its Antimalware Scan Interface (AMSI) was modified to intervene during the strategic execution points of JS or VBS script runtimes, two infection vectors often used by ransomware.
    • Wow64 compatibility scanning — In CU, Windows Defender AV added a process-scanning feature that uses the Wow64 compatibility layer, enabling it to better inspect system interactions of 32-bit applications running on 64-bit operating systems.
    • Process tree visualizations — feature added to Windows Defender ATP, the commercial version of Windows Defender.
    • Artifact searching capabilities — feature added to Windows Defender ATP.
    • Machine isolation and quarantine — feature added to Windows Defender ATP.
    • Windows Edge browser — better protection against remote code execution attacks.

Overall, your average user will probably not notice the difference

Overall, it's a good update, but it stands out for its incremental tweaks and behind-the-scenes improvements to matters such as security, updates and privacy, rather than for spectacular new features.

Obviously, you will not be able to roll this out immediately in your organization, despite the CU security improvements. Implementing CU is likely not a priority if you have just started to deploy Win10, and you might jump straight to the next major update, codenamed Redstone 3, which is due later this year.

The update is available to MSDN/TechNet subscribers running the Enterprise, Education and IoT Core editions. Organizations that have Windows via the Volume License Service Center have been able to get the update since May 1.

These Goodies Only Come in the Latest Version

Microsoft has a very good 14-page PDF with all these features detailed and illustrated. You can download that at the blog. It is obvious that they are adding all these features only to the most recent version, giving you an incentive to accelerate your wall-to-wall upgrades to the latest rev of the OS, which in this case you should be looking at seriously.
https://blog.knowbe4.com/finally-next-windows-version-10-stops-ransomware-cold

The whitepaper contains excellent ammo for budget requests, but is too technical for average C-level execs since it talks about data science, machine learning, automation, behavioral analysis, and other exotic subjects like that. :-D

You Need a Full Security Stack, Including Your Human Firewall

Organizations defend their networks on each of the six levels in the green graph you see in the blog. End-user Security Awareness Training resides in the outer layer: ‘Policies, Procedures, and Awareness’.

As you see, this is the outer shell and in reality it is where security starts. You don’t open the door for the bad guy to come freely into your building, right?

Here is a short blog post that gives you a quick and admittedly highly simplified look at the rest of the layers of defense-in-depth.
https://blog.knowbe4.com/finally-next-windows-version-10-stops-ransomware-cold

Does *Your* Antivirus Block the Latest Ransomware Strains?

How vulnerable is your network against ransomware attacks?

KnowBe4 has been working hard on something brand new! Bad guys are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks?

KnowBe4’s Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection.

Here's how RanSim works:

  • 100% harmless simulation of a real ransomware infection
  • Does not use any of your own files
  • Tests 10 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!

RanSim has been downloaded thousands of times and run against dozens of AV products. The results have been an eye-opening experience for many IT pros. NOTE: RanSim was created for Windows-based workstations running Windows 7 or higher.

Download RanSim Here:
https://info.knowbe4.com/ransomware-simulator-tool-1chn

New PowerPoint Social Engineering Attack Installs Malware Without Requiring Macros

Researchers at security firm SentinelOne reported that a group of hackers is using malicious PowerPoint files to distribute "Zusy," a banking Trojan, also known as "Tinba" (Tiny Banker).

They said in a blog post: "A new variant of a malware called 'Zusy' has been found in the wild spreading as a PowerPoint file attached to spam emails with titles like 'Purchase Order #130527' and 'Confirmation.' It's interesting because it doesn't require the user to enable macros to execute. Most Office malware relies on users activating macros to download some executable payload which does most of the malicious stuff, but this malware uses the external program feature instead."

This new social engineering attack doesn't trick users into enabling macros; instead it executes malware on a targeted system using PowerShell commands embedded inside the PPT file, and does not rely on JavaScript or VBA for the execution method either.

Worse yet, the malicious PowerShell code hidden inside the document triggers as soon as the victim moves/hovers a mouse over a link, which downloads an additional payload on the compromised machine -- even without clicking it.

However, it's not all that bad: the code doesn't execute automatically as soon as the file is opened. Instead, both Office 2013 and Office 2010 display a severe warning by default. It is not clear yet how Office 2016 behaves. For a screenshot, see the KnowBe4 blog:
https://blog.knowbe4.com/new-powerpoint-social-engineering-attack-installs-malware-without-requiring-macros

Users might still somehow enable external programs because they have not been stepped through new-school security awareness training. Also, some configurations may possibly be more permissive in executing external programs than they are with macros.

The researchers said the attack doesn't work if the infected file is opened in the PowerPoint Viewer, which simply refuses to execute the program. But this attack vector could still work in cases where end users are successfully social engineered with a spoofed email that looks like it comes from the CEO, for instance.

Can You Be Spoofed? Find out for a Chance to Win.

Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? Now they can launch a "CEO fraud" spear phishing attack on your organization.

KnowBe4 can help you find out if this is the case with our complimentary Domain Spoof Test and enter you to win an awesome Stormtrooper Helmet Prop Replica at the same time.

Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless steel lock-pick business card!

To enter, just go here and fill out the form. It's quick, easy and often a shocking discovery, as 82% of mail servers are not configured correctly:
https://info.knowbe4.com/dst-sweepstakes-062017

This Ransomware Targets HR Departments With Fake Job Applications

I missed this one a few months ago, but it's a great example of how focused the bad guys are getting with their attacks, and you need to watch out for this social engineering attack vector year-round.

You should create special simulated phishing campaigns and send them to your high-risk users in HR and Accounting, or use one of our 1,000+ ready-to-send templates.

Cybercriminals are posing as job applicants as part of a phishing campaign to infect victims in corporate human resources departments with GoldenEye ransomware -- and they're even providing a cover letter in an effort to lull HR targets into a false sense of security.

A variant of the Petya ransomware, GoldenEye targets HR departments in an effort to exploit the fact that HR employees must often open emails and attachments from unknown sources.

The initial email contains a short message from the fake applicant, directing the victim to two attachments. The first is a cover letter within a PDF which doesn't actually contain any malicious software, but is intended to reassure the target that they're dealing with a standard job application. However, the second attachment is an Excel file supposedly containing an application form but which in fact contains the malicious GoldenEye payload.

Upon opening the Excel attachment, the target is presented with a document which claims to be 'Loading' and requires them to enable macros to view the file. When macros are enabled, GoldenEye executes its code and begins encrypting the user's files before presenting them with a ransom note using yellow text -- rather than the red or green used by other Petya variants.

It's believed by researchers that the developer behind Petya ransomware is going by the alias Janus -- apparently borrowing the name of a cybercriminal group in the 1995 James Bond film GoldenEye.

Proofpoint: "Cyber Criminals Shifting to Social Engineering."

In their new "The Human Factor Report 2017" Proofpoint wrote: "Cyber criminals relied less on automated attacks and exploits, shifting instead to social engineering."

The change to social engineering as an attack vector increased the impact and effectiveness of the massive recent ransomware email campaigns. Proofpoint continued: "From email to software as a service, from social media to mobile apps, cyber criminals carried out social engineering at scale."

They further pointed out that: "By the second half of 2016, the shift to human-driven exploits was well-established. A full 99% of email-based financial fraud attacks relied on human clicks rather than automated exploits to install malware."

Users tend to receive the most emails with malicious attachments on Thursdays and they’re most likely to click on messages in the morning purporting to be from the local postal service, according to an analysis of email attacks that has reinforced the importance of time and human factors for cybersecurity protection.

Full story, links, graphics at the KnowBe4 blog:
https://blog.knowbe4.com/proofpointcyber-criminals-shifting-to-social-engineering

Don’t Miss the June Live Demo: Simulated Phishing and Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, June 14, 2017, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
  • Social Engineering Indicators patented technology turns every simulated phishing email into a tool IT can use to instantly train employees.
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Active Directory Integration allows you to easily upload, sync and manage users, set-it-and-forget-it.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.

Find out how 10,000+ organizations have mobilized their end-users as their last line of defense. Register Now:
https://attendee.gotowebinar.com/register/4537952052044265473

Warm Regards,
Stu Sjouwerman

Quotes of the Week
"Study the past, if you would divine the future." - Confucius - Philosopher (551 - 479 BC)

"Correction does much, but encouragement does more." - Johann Wolfgang von Goethe - Writer (1749 - 1832)

Thanks for reading CyberheistNews

Security News

Federal Contractor? Insider Threat Training Deadline June 1 - Don't Lose Your Clearance

SANS just alerted US federal contractors that those who wish to maintain their clearances must have completed an insider threat training course by June 1, 2017. The requirement is described in the National Industrial Security Program Operating Manual (NISPOM) Change 2. The course is the second step of a new compliance requirement. The first part took effect late last year and required contractors to implement changes to protect their systems from insider threats.

The June 1 deadline focuses on individual training: all third-party vendor employees who hold a security clearance have until that day to complete their training course. The courses teach workers how to recognize types of suspicious activity, identify information likely to be targeted by cyberespionage attacks, and identify foreign collection attempts targeting U.S. critical technologies.

Specifically, the DoD Instruction 5220.22, "National Industrial Security Program" NISP Operating Manual, which was updated May 18, 2016, lists:

e. Initial and annual refresher cybersecurity awareness training for all authorized IS users (see chapter 8, paragraph 8-101c, of this manual). Here is a short excerpt out of the NISP Operating Manual:

"8-101. ISs Security Program. The contractor will maintain an ISs security program that incorporates a risk-based set of management, operational and technical controls, consistent with guidelines established by the CSA. The ISs security program must include, at a minimum, the following elements:

a. Policies and procedures that reduce information security risks to an acceptable level and address information security throughout the IS life cycle.

b. Plans for providing adequate information security for data resident in the IS or on the networks, facilities, or groups of ISs, as appropriate.

c. In addition to the training requirements outlined in paragraphs 3-107 and 3-108 of chapter 3 of this Manual, all IS authorized users will receive training on the security risks associated with their user activities and responsibilities under the NISP.

The contractor will determine the appropriate content of the security training taking into consideration, assigned roles and responsibilities, specific security requirements, and the ISs to which personnel are authorized access."

If you have not stepped employees through their initial or annual cybersecurity refresher training, you need to do this ASAP. The 45-minute KnowBe4 Kevin Mitnick Security Awareness Training qualifies for this training:

This is a high-quality, 45-minute web-based interactive training using common traps, live demonstration videos, short tests and the new scenario-based Danger Zone exercise. Kevin Mitnick Security Awareness Training specializes in making sure employees understand the mechanisms of spam, phishing, spear phishing, malware, ransomware and social engineering, and are able to apply this knowledge in their day-to-day job. The training is split into 4 modules that an employee can do over time. This module is available in SIX additional language versions: French - European, French - Canadian, German, Polish, Spanish, and British English.

You Can Be up and Running in an Hour

If you need to immediately train employees to maintain their clearances, KnowBe4 can help. You can be up & running in an hour, all users uploaded and a training invitation emailed to them.

I strongly suggest you get a quote for our new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the GRU or the Chinese cyber army will, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.
https://info.knowbe4.com/kmsat_get_a_quote_now

CEOs' Risky Behaviors Compromise Security

If shadow IT is a problem with business decision makers, that may be a sign your senior security person isn't engaged at a high enough level.

When business decision makers decide to circumvent security controls, they typically are trying to gain operational efficiency, not put the organization at risk. But even when done with good intention, they are creating risk.

A recent study by Code42 found that CEOs are the top perpetrators of shadow IT, even though they know it’s a risk. The study showed that 75 percent of CEOs and more than half (52 percent) of business decision makers (BDMs) admit that they use applications or programs that are not approved by their IT department.

Rick Orloff, VP & CSO at Code42, said this is a prime example of the adage "we want to have our cake and eat it too." Great story at CSO by Kacy Zurkus:
http://www.csoonline.com/article/3198492/security/ceos-risky-behaviors-compromise-security.html

Why People Are at the Heart of Your Information Security Success

In this podcast, Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4, talks about the human side of security. Are humans the weakest link? Why do people fall for phishing attacks and what can we do? He’ll also talk about how to put security at the front of our minds for organizations, where data protection and compliance mandates like EU GDPR fit in, and why people are ultimately at the heart of your business and security success.

Here is the podcast and also the transcript for your convenience:
https://www.helpnetsecurity.com/2017/06/06/human-side-security/

Harvard Business Review: Why Senior Executives Underinvest in Cybersecurity

Harvard Business Review reports that some decision makers use the wrong mental models to help them determine how much investment is necessary and where to invest. Wrong models include:

(1) thinking of cyber defense as a fortification process - if you build strong firewalls, with well-manned turrets, you'll be able to see the attacker from a mile away;

(2) assuming that complying with a security framework like NIST or FISMA is sufficient security - just check all the boxes and you can keep pesky attackers at bay; and

(3) failing to consider counterfactual thinking - "We didn't have a breach this year, so we don't need to ramp up investment" - when in reality they probably either got lucky this year or are unaware that a bad actor is lurking in their system, waiting to strike.

This is interesting and recommended reading:
https://hbr.org/2017/06/the-behavioral-economics-of-why-executives-underinvest-in-cybersecurity

ITIC / CyberheistNews Top 10 IT Security Recommendations May 2017

There is no such thing as a 100% fully secure environment. And there never will be.

Security is not static; it is an ongoing work in progress. Organizations must be ever-vigilant and assume responsibility for their system and network security.

The ongoing and increasingly pernicious spate of cyber attacks – ransomware, DDoS, phishing, bots, Trojans, and targeted corporate espionage and malware – underscores the need for heightened security and security awareness training.

Corporations, C-level executives, IT and security administrators and end users need to be aware of, proactively identify and thwart the innumerable existing and potential security risks.

An overwhelming 80% majority of survey participants indicated that the “carelessness of end users” poses the biggest threat to organizational security. This far outpaces the 57% who cited malware infections as the largest potential security problem.

Security is a 50-50 proposition between technology and the human element, which involves implementing strong, effective computing security policies.

In Part One of a two-part article, we outline the Top 10 business and procedural must-do steps organizations should take to safeguard all aspects of the corporate ecosystem and mitigate risk. Part Two, which will appear in the next issue of CyberheistNews, will detail the Top 10 list of technology safeguards businesses should install to protect their data assets.

Here Are Your Top 10 Business Steps to Defend Against Cyber Security Threats:
https://blog.knowbe4.com/itic-/-cyberheistnews-top-10-it-security-recommendations-may-2017

Other Interesting News Items This Week

Bad guys come in all ages; these days a kid can have lots of technology and coding experience. 14-Year-Old Japanese Boy Arrested for Creating Ransomware:
http://thehackernews.com/2017/06/japanese-ransomware-malware.html

Healthcare, the Top-Targeted Vertical for Cybercrime:
https://www.infosecurity-magazine.com/news/healthcare-the-toptargeted-vertical/

This article shows the need for awareness training even with MFA - NSA Leaked Report Points to Users as 2FA’s Critical Flaw:
http://www.informationsecuritybuzz.com/expert-comments/nsa-leaked-report-points-users-2fas-critical-flaw/

ICO less likely to fine charities for data breaches if they show staff training. See more at:
https://www.civilsociety.co.uk/news/ico-less-likely-to-issue-fines-for-data-breaches-if-organisation-s-can-evidence-staff-training.html

Fireball Malware Infects 20 Percent of Corporate Networks:
http://www.silicon.co.uk/security/cyberwar/fireball-malware-security-213723

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.