CyberheistNews Vol 7 #33 New Study: Phishing Is Still the Top Threat Faced by Organizations

This Is a First: Spear Phishing Attack Uses Compromised PowerPoint Slide Deck

Bad guys are exploiting the CVE-2017-0199 vulnerability to bypass endpoint security software and deliver the Remcos remote access Trojan via Microsoft PowerPoint decks.

This particular flaw in the Windows Object Linking and Embedding (OLE) interface is normally used to deliver infected RTF documents, but researchers at Trend Micro have spotted cyber criminals using it to compromise PowerPoint slide show files for the first time.

Critically, since most methods of detecting CVE-2017-0199 exploitation focus on the RTF delivery method, using a PPSX PowerPoint slide show as the attack vector lets attackers craft the malware to evade antivirus detection.
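As an added defensive check (not code from the newsletter or from Trend Micro), the Python scanner below opens a PPSX/PPTX file, which is an OOXML zip, and flags any relationship that points Office at an external OLE target, the pattern a CVE-2017-0199 lure depends on. The sample file layout and the URL in it are constructed for the test.

```python
"""Scan OOXML PowerPoint files (PPSX/PPTX) for external OLE relationships.

Added example for defenders. An Office document that asks the application to
resolve an OLE object from an external URL is the pattern to flag, because
CVE-2017-0199 abuses OLE to fetch and run a remote payload.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# Standard OOXML namespace and relationship type for embedded OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_ole(data: bytes) -> list:
    """Return (rels_part, target) pairs for every external OLE relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # An OLE object is normally an internal part; an External
                # TargetMode means Office will reach out to the Target URL.
                if (rel.get("Type") == OLE_TYPE
                        and rel.get("TargetMode", "Internal") == "External"):
                    hits.append((name, rel.get("Target")))
    return hits


def build_sample(external: bool) -> bytes:
    """Build a minimal constructed PPSX-like zip to exercise the scanner."""
    mode = ' TargetMode="External"' if external else ""
    target = ("http://example.invalid/remote-object.doc" if external
              else "../embeddings/oleObject1.bin")
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId2" Type="{OLE_TYPE}" Target="{target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

Run the scanner over inbound attachments on a mail gateway or in a sandbox; a benign deck with embedded objects produces no hits, while an external OLE target is worth quarantining for review.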

More at the KnowBe4 blog, with links and screenshots:
https://blog.knowbe4.com/this-is-a-first-spear-phishing-attack-uses-compromised-powerpoint-slide-deck
Inside the New York Hospital That Was Down for 6 Weeks Due to Ransomware

If you ever needed ammo to convince budget holders that you need more IT security resources, this is the link to send them. It is a great discussion-starter for how an attack like this would play out in your own organization.

On Monday August 18th, "CBSN: On Assignment" did a special, visiting an upstate New York hospital, the Erie County Medical Center. Criminal hackers took down the level one trauma center's computer systems for six weeks by encrypting all machines with a ransomware strain and demanding a whopping ransom. Here is the article and video:
https://www.cbsnews.com/news/cbsn-on-assignment-hackers-targeting-medical-industry-hospitals/
How Vulnerable Is *Your* Network Against Ransomware Infections?

KnowBe4’s updated, complimentary Ransomware Simulator "RanSim" gives you an instant look at the effectiveness of your existing network protection.

RanSim will simulate 10 ransomware infection scenarios and show you if a typical workstation is vulnerable to infection. Here's how RanSim works:
  • 100% harmless simulation of a real ransomware infection
  • Does not use any of your own files
  • Tests 10 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!
How will your endpoint protection software perform in these scenarios?
Download RanSim Now: https://info.knowbe4.com/ransomware-simulator-tool-1chn
Survey of 2600 IT Pros: "Password Procedures Still Are a Cyber Security Fail"

After the NIST passwords bombshell, we surveyed 2,600 IT professionals to find out how they were managing passwords. The answers show that IT pros are generally receptive to the proposed pass phrase concept suggested by NIST.

NIST Special Publication 800-63B, “Digital Identity Guidelines,” states: “Many attacks associated with the use of passwords are not affected by password complexity and length. Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones. This means that password complexity has failed in practice."

KnowBe4’s survey showed that 44% of respondents overall (large organizations with 1,000+ employees and small to mid-size businesses) think a roughly 25-character pass phrase could work, versus 35% who don’t believe it to be a viable option for their organization.

The highlights from the survey are:
    • Nearly 97% of large organizations have an enforced password policy, compared to almost 88% of small to mid-size organizations.
    • A majority (63%) of organizations do not allow password re-use; however, this does not prevent employees from using the same password on multiple sites.
    • Almost half (49%) of large organizations believe their current password policy is insufficient, while 48% of small to mid-size organizations believe their password policy is good enough.
    • Enterprise-size organizations (1,000+ users) prefer multi-factor authentication (MFA), with only 38% stating they do.
Here are the full survey results (PDF):
https://blog.knowbe4.com/survey-of-2600-it-pros-password-procedures-still-are-a-cyber-security-fail
New Study: Phishing Is Still the Top Threat Faced by Organizations

The new 2017 SANS Threat Landscape survey from the well-known research and education specialist finds that security professionals rate phishing at 72 percent, spyware at 50 percent, ransomware at 49 percent, and Trojans at 47 percent as being the top threats today. We strongly recommend you download the whole study and read it top to bottom. There is also an on-demand webcast you should watch.

From the new study's Executive Summary: "Endpoints—and the users behind them—are on the front lines of the battle: Together they represent the most significant entry points for attackers obtaining a toehold into the corporate network. Users are also the best detection tool organizations have against real threats."

"Users and their endpoints are still in the cross hairs," says Lee Neely, SANS analyst, mentor instructor and author of the survey report. "Traditional and malware-less threats keep popping up at every corner, making our jobs as defenders resemble an ongoing game of Whack-a-Mole to keep them at bay."

Full story, graphs, and links to the PDF and the webcast at the KnowBe4 Blog:
https://blog.knowbe4.com/new-study-phishing-is-still-the-top-threat-faced-by-organizations
Live Webinar: How to Phish Like the Bad Guys

Despite all the spectacular news stories about advanced persistent threats and targeted hacks from nation-states, the most common security challenge facing organizations today continues to be social engineering.

Successful hackers understand that the user is the weakest link in the security chain. Email phishing campaigns have proven to be the path of least resistance to get unsuspecting individuals to download and install their malicious software.

Getting users to identify phishing attacks and training them not to click on links in email messages has been challenging until recently.

In this 30-minute webinar, you’ll learn the strategies and techniques that social engineers are finding success with. You’ll also learn how to implement these techniques using KnowBe4’s simulated phishing platform and easily create a real-world phishing email to test your employees and see how phish-prone they really are.

Key topics covered in this webinar:
  • Latest phishing attack strategies and techniques
  • Some of the top-clicked phishing emails from Q2-2017
  • How to create a simulated phishing attack in minutes with KnowBe4’s platform
Register Now! Wed, Aug 23, 2017 2:00 PM - 2:30 PM EDT
https://attendee.gotowebinar.com/register/7818773804792726019

Warm Regards,
Stu Sjouwerman

Quotes of the Week
"A dream you dream alone is only a dream. A dream you dream together is reality." - John Lennon

"A dream doesn't become reality through magic; it takes sweat, determination and hard work." - Colin Powell



Thanks for reading CyberheistNews
Security News
Large Insurance Company Settles for $5.5 Million over "Failed to Patch" Data Breach

A large insurance company (Nationwide) agreed to pay a total of 5.5 million dollars to settle charges brought by 32 states resulting from the loss of critical consumer information attributable to a criminal data breach.

According to the Settlement Agreement, the respondent lost the data of 1.27 million customers across the country when hackers exploited a security breach created when the respondent failed to implement a security patch.

As part of the settlement, the insurance company agreed to appoint a security patch supervisor, implement security patch policies and procedures, and perform internal assessments.

The New York State Attorney General criticized the respondent for its “true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.”

Here is the blog post with more detail and the PDF from the NY Attorney General site:
https://blog.knowbe4.com/large-insurance-company-settles-for-5.5-million-over-failed-to-patch-data-breach
Make the Training Stick: How to Engage Users in Cybersecurity Practices

Riverside HealthCare achieved a 99 percent compliance rate with phishing campaigns after it educated (and perhaps scared) its staff into being cautious.

Cyberattackers count on untrained computer users to react to electronic bait a certain way, and when they succeed it is because employees are not as engaged with cybersecurity practices as they should be. And that can include those who have already been through training.

Even though employees attend cybersecurity training programs, for instance, many come back afterward and do not apply what they just learned, according to Erik Devine, chief information security officer at Riverside HealthCare in Illinois.

Five years ago, Riverside had an 85 percent compliance rate when conducting phishing campaigns among its 3,000 employees, Devine said, and most did not know who to contact if they received a suspicious email.

“Our current rate is 97 to 99 percent compliance, depending on the type of test given,” he said. “It’s my job to engage the organization because without employees trained and engaged in information security, the landscape is just too large to protect.”

What can other hospitals learn from Riverside’s success? Devine shared what has worked during the training as well as what to look for once the employees go back to their jobs. Article at HealthCareITnews:
http://www.healthcareitnews.com/news/make-training-stick-how-engage-users-cybersecurity-practices
Los Angeles Health Care Provider Potentially Breached by Ransomware Attack

Pacific Alliance Medical Center’s servers were hit by a ransomware attack in June, and officials said the investigation couldn’t rule out whether patient data was accessed.

However, the notice to patients did not mention whether PAMC paid the ransom. Further, officials said the investigation couldn't rule out whether the patient data were viewed or stolen by the ransomware attack, although the organization didn't uncover evidence to suggest the data was stolen.

As you can see, ransomware infections are highly likely to be treated as a data breach with reporting requirements. More:
http://www.healthcareitnews.com/news/los-angeles-provider-potentially-breached-ransomware-attack
Cybersecurity: The Hottest New Major in College

Large numbers of US colleges have added undergraduate cybersecurity majors, cybersecurity concentrations to other majors, and master's degree programs in cybersecurity. Most colleges, however, do not know what to teach, and many are teaching students only how to admire the cybersecurity problem, but not how to fix it.

Further, computer science graduates don't learn secure coding or other technical cybersecurity topics. None of the Top 10 undergraduate computer science and engineering programs at American universities (as ranked by the U.S. News & World Report) required its students to take a cybersecurity course in order to graduate. More:
https://www.villagevoice.com/2017/08/15/how-cybersecurity-became-2017s-hot-new-major/
Interesting News Items This Week

Ex-NSA Analyst Raises 10 Million to Stop Hackers Destroying Power Grids:
https://www.forbes.com/sites/thomasbrewster/2017/08/14/dragos-funding-to-stop-hacker-blackouts/#1cce01484f6f

Under the Radar: Three Ransomware Stories You Probably Didn’t See:
http://techspective.net/2017/08/14/radar-three-ransomware-stories-probably-didnt-see/

One Nigerian man's simple phishing campaign drains thousands from corporate coffers:
https://www.cyberscoop.com/phishing-get-rich-or-die-trying-nigeria-checkpoint-bec-attacks/

Seven More Chrome Extensions Compromised:
https://threatpost.com/seven-more-chrome-extensions-compromised/127458/

New Windows flaw could allow a WannaCry-like attack if not patched:
https://www.scmagazine.com/new-windows-flaw-could-allow-a-wannacry-like-attack-if-not-patched/article/681698/

Vaccine discovered for Cerber ransomware - based on its own evasion:
https://www.scmagazineuk.com/vaccine-discovered-for-cerber-ransomware--based-on-its-own-evasion/article/682120/

Rent the Latest Exploit Toolkit for $80 Per Day:
https://www.bankinfosecurity.com/rent-latest-exploit-toolkit-for-80-per-day-a-10201

HBO's Twitter accounts hacked in latest cyberattack:
http://www.foxnews.com/entertainment/2017/08/17/hbos-twitter-accounts-hacked-in-latest-cyberattack.html

The Hardest Working Office Design in America Encrypts Your Data–With Lava Lamps:
https://www.fastcodesign.com/90137157/the-hardest-working-office-design-in-america-encrypts-your-data-with-lava-lamps

U.S. Worried North Korea Will Unleash Cyberattacks:
http://www.nbcnews.com/news/north-korea/u-s-worried-north-korea-will-unleash-cyberattacks-n790831

FBI pushes private sector to cut ties with Kaspersky:
https://www.cyberscoop.com/fbi-kaspersky-private-sector-briefings-yarovaya-laws/

WannaCry Ransomware Chill Spurs China Interest in Purchasing Gobs of Cyber Insurance:
https://www.reuters.com/article/us-aig-china-cyber-idUSKBN1AP12E
Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.