CyberheistNews Vol 7 #34
Scam of the Week: Hurricane Harvey Charity Fraud

Hurricane Harvey hit hard and especially Houston, TX got badly flooded. The death toll is rising and you can also count on low-life cyber-scum exploiting this disaster.

Disgusting.

Scammers are now using the Hurricane Harvey disaster to trick people into clicking on links on Facebook, Twitter and in phishing emails that solicit charitable giving for the flood victims.

Here are some examples:
    • Facebook pages dedicated to victim relief contain links to scam websites.
    • Tweets are going out with links to supposedly charitable websites soliciting donations, but in reality they point to scam sites or to pages that lead to a malware infection.
    • Phishing emails dropping into users' inboxes asking for donations to a "#HurricaneHarvey Relief Fund."

Previous disasters have been exploited like this, and the bad guys are going at it again with all guns blazing. Be wary of anything online covering the Hurricane Harvey disaster in the coming weeks.

I suggest you send employees, friends and family an email about this Scam of the Week, you're welcome to copy/paste/edit:

"Heads-up! Bad guys are exploiting the Hurricane Harvey disaster. There are fake Facebook pages, tweets are going out with fake charity websites, and phishing emails are sent out asking for donations to #HurricaneHarvey Relief Funds that they keep for themselves. Don't fall for any scams. If you want to make a donation, go to the website of the charity of your choice and make a donation. Type the address in your browser or use a bookmark. Do not click on any links in emails or texts you might get. Whatever you see in the coming weeks about Hurricane Harvey disaster relief... THINK BEFORE YOU CLICK."

For KnowBe4 customers, on Monday morning 8/28 at 10:00am we will have a new template in Current Events about "Hurricane Harvey." Send this to your employees as soon as possible to inoculate them against disaster relief scams like this.

Let's stay safe out there.
Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4

[ALERT] The RopeMaker Exploit Can CHANGE an Already Delivered Email

Our friends at Mimecast are warning against something scary. This is a sobering example of why scanners and filters will always be behind in the security arms race...

They wrote: "Most people live under the assumption that email is immutable once delivered, like a physical letter. A new email exploit, dubbed ROPEMAKER by Mimecast's research team, turns that assumption on its head, undermining the security and non-repudiation of email; even for those that use SMIME or PGP for signing. The attack works by remotely altering cascading style sheets (CSS) in HTML emails."

Using the ROPEMAKER exploit a malicious actor can change the displayed content in an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.

So what is ROPEMAKER?

The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.

Clearly, giving attackers remote control over any aspect of one's applications or infrastructure is a bad thing. As is described in more depth in the ROPEMAKER Security Advisory, this remote-control-ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security savvy users. ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which experience tells us, is often unlimited.

Mimecast continued: "To date, Mimecast has not seen ROPEMAKER exploited in the wild. (yet) We have, however, shown it to work on most popular email clients and online email services. Given that Mimecast currently serves more than 27K organizations and relays billions of emails monthly, if these types of exploits were being widely used it is very likely that Mimecast would see them. However, this is no guarantee that cybercriminals aren’t currently taking advantage of ROPEMAKER in very targeted attacks."

What to Do About It

This topic is in its very early stages, and mitigation is still being worked on. Turn off HTML in email? Not a chance. However, SANS commented: "A network filter could be added blocking remote CSS download by email clients."
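The SANS suggestion can also be applied at the mail gateway: flag any message whose HTML part pulls a stylesheet from a remote host, since that remote fetch is what lets the rendered content change after delivery. The following Python script is an added example written for this newsletter, not Mimecast's or KnowBe4's code; the sample message is constructed, and the hostnames in it are placeholders.

```python
import email
import re
from email import policy

# Constructed sample message (not from the Mimecast advisory): an HTML
# email whose styling is fetched from a remote host at display time,
# once via <link rel="stylesheet"> and once via a CSS @import.
SAMPLE_EML = b"""From: sender@example.test
To: you@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head>
<link rel="stylesheet" href="https://cdn.example.test/mail.css">
<style>@import url("https://cdn.example.test/extra.css");</style>
</head><body><p>Hello</p></body></html>
"""

# The two ways HTML can pull CSS from another host: a stylesheet <link>
# tag (any attribute order) and an @import inside a <style> block.
LINK_RE = re.compile(
    r'<link\b[^>]*rel\s*=\s*["\']?stylesheet["\']?[^>]*>', re.IGNORECASE)
HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
IMPORT_RE = re.compile(
    r'@import\s+(?:url\()?\s*["\']?([^"\')\s;]+)', re.IGNORECASE)


def remote_css_refs(raw: bytes) -> list[str]:
    """Return every http/https stylesheet URL referenced from the
    text/html parts of a raw RFC 822 message, in document order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():          # walk() covers single-part messages too
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()    # decoded to str by the default policy
        for tag in LINK_RE.findall(html):
            m = HREF_RE.search(tag)
            if m:
                found.append(m.group(1))
        found.extend(IMPORT_RE.findall(html))
    # Inline or data: stylesheets cannot change after delivery; only
    # references to a remote host matter for this check.
    return [u for u in found if u.lower().startswith(("http://", "https://"))]


def has_remote_css(raw: bytes) -> bool:
    """Gateway-style verdict: True if the message should be flagged."""
    return bool(remote_css_refs(raw))


if __name__ == "__main__":
    for url in remote_css_refs(SAMPLE_EML):
        print("remote stylesheet:", url)
```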

The exploit doesn’t work on browser-based emails such as Gmail, Outlook Web Access, or iCloud, but Mimecast warns that both the desktop and mobile versions of Microsoft Outlook, the desktop and mobile versions of Apple Mail, and Mozilla’s Thunderbird could fall victim to ROPEMAKER.

The problem is that Mimecast showed in great detail how this exploit works, so you can expect the bad guys to jump on this immediately. Mimecast has shared its research privately with all of the primary email client vendors, but so far not one of them has acknowledged ROPEMAKER as a vulnerability or exploit.

More tactics on what to do about this, links, screenshots, and in-depth technical background are at the KnowBe4 Blog, where we will keep updating you with the latest news about ROPEMAKER:
https://blog.knowbe4.com/the-ropemaker-email-exploit-can-change-an-already-delivered-email
Here Is a Cool and Useful INFOGRAPHIC About Social Engineering

Kevin Mitnick, KnowBe4's Chief Hacking Officer retweeted a link to a well-executed infographic about social engineering, and here it is, courtesy of the team at Smartfile.com. You can share this with your users as part of your continued awareness training program. It's here at the KnowBe4 Blog:
https://blog.knowbe4.com/here-is-a-cool-and-useful-infographic-about-social-engineering
New Defray Ransomware Demands 5,000 Dollars in Customized Spear Phishing Attacks

This newly discovered ransomware strain is targeting healthcare, education, manufacturing and tech sectors in the US and UK, using customized spear phishing emails.

Defray is demanding a relatively high ransom amount - 5,000 dollars in Bitcoin, and ironically the word defray means "to provide money to pay a portion of a cost or expense."

The Defray ransomware infection vector is spear-phishing emails with malicious Microsoft Word document attachments, and the campaigns are as small as just a few messages each. The planning and sophistication of the attacks point to a highly-organized cybercrime gang. More detail at the blog:
https://blog.knowbe4.com/new-defray-ransomware-demands-5000-in-customized-spear-phishing-attacks
Weak Password Test Contest – Last Chance

Last Chance! Try the Weak Password Test to win a Nintendo Switch...

Are your users' passwords...P@ssw0rd? Verizon's recent Data Breach Report showed that 81% of hacking-related breaches used either stolen and/or weak passwords. Employees are the weakest link in your network security.

KnowBe4's Weak Password Test checks your Active Directory for 10 different types of weak password-related threats and reports any fails so that you can take action. Plus, you’ll be entered to win a Nintendo Switch!

Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless-steel lock-pick business card!

To enter, just go here and fill out the form. It's quick, easy and often a shocking discovery:
https://info.knowbe4.com/wpt-sweepstakes-082017
WSJ: The Disturbing Inevitability of Cyberattacks

This is a great article to forward to your C-suite, who may have missed it. The data provided is excellent ammo for more IT Security budget.

Brian Finch started out with: "A small but growing number of cybersecurity experts warn that we are a few keystrokes away from a dystopian world with no lights, running water or modern communications. Some even argue that it will take such a disastrous attack to jolt us into finally building more effective virtual defenses.

While the possibility of large-scale cyberattacks gets the lion’s share of attention, chaos by small doses is more probable.

Government and private businesses have invested billions of dollars in cybersecurity measures to protect critical infrastructure, dramatically decreasing the likelihood that hackers could bring about another Stone Age.

While rogue squirrels nesting in utility components are responsible for thousands of blackouts, cyberattacks have caused few. Recent incidents reveal a far likelier scenario: paralyzed operations for countless businesses.

And even concerns about cyberattacks against business operations have historically taken a back seat to worries about personal data hacks, which can affect millions of individual consumers.

Hackers are increasingly turning to “ransomware,” a type of virus that encrypts computer systems and data without the owner’s approval. Unless prepared to pay a “ransom” to the hacker, the victim is effectively blocked from ever again accessing the system.

Ransomware attacks are bad enough, but their effect can be much worse if the damage is irreversible. And that is exactly how "NotPetya," the latest in a string of global cyberattacks, appears to be playing out." Here is the link to the article. (Note: the WSJ has a paywall.)
https://www.wsj.com/article_email/the-disturbing-inevitability-of-cyberattacks-1503355170-lMyQjAxMTE3OTI2MjgyOTI3Wj/
NEW: On-Demand Webinar: How to Phish Like the Bad Guys

Despite all the spectacular news stories about advanced persistent threats and targeted hacks from nation-states, the most common security challenge facing enterprises today continues to be social engineering. Successful hackers understand that the user is the weakest link in the security chain.

Email phishing campaigns have proven to be the path of least resistance to get unsuspecting individuals to download and install their malicious software. Getting users to identify phishing attacks and training them not to click on links in email messages is not a trivial task.

In this 30-minute webinar, you’ll learn the strategies and techniques that social engineers are finding success with. You’ll also learn how to implement these techniques, using KnowBe4’s simulated phishing platform to easily create a real-world phishing email to test your employees and see how phish-prone they really are.

Key topics covered in this webinar:
  • Latest phishing attacks strategies and techniques
  • Some of the top-clicked phishing emails from Q2-2017
  • How to create a simulated phishing attack in minutes with KnowBe4’s platform
You can watch this webinar right now:
https://info.knowbe4.com/webinar-how-to-phish-like-the-bad-guys
Quotes of the Week
"Courage is resistance to fear, mastery of fear -- not absence of fear." - Mark Twain

"America was not built on fear. America was built on courage, on imagination and an unbeatable determination to do the job at hand." - Harry S Truman



Thanks for reading CyberheistNews
Security News
100% of Government IT Workers Said Employees Are Biggest Threat to Cybersecurity

The government sector lags behind others in implementing modern cybersecurity defenses, according to a new report from security firm Netwrix. This failure to update has led to an increase in breaches: 72% of government entities worldwide had their security compromised in 2016, the report found.

Some highlights:
  • 72% of government entities worldwide had their security compromised in 2016.
  • Only 14% of government organizations consider themselves to be well-protected against cyber threats.
  • 100% of IT specialists working for government agencies worldwide said employees are the biggest threat to security.
Full article:
http://www.techrepublic.com/article/100-of-government-it-workers-said-employees-are-biggest-threat-to-cybersecurity/
Microsoft Explains How Humans Are Your Weakest Link

The 800-pound Redmond Gorilla asks: "Should your security focus be on systems or people?"

They wrote: "In the latest Modern Workplace episode, “Cyber Intelligence—The Human Element,” we look at how organizations not only need to look at their systems but also have to address the security threats that stem from the behavior of their own employees, who oftentimes are the source of cyber-attacks. Phil Ferraro, CISO of Nielsen, explains how security is not a responsibility to be merely delegated to IT and how failures in security have a direct impact on the business.

In the past, organizations typically focused on ensuring their networks were secure. But today, so many attacks are a result of employee actions, taking advantage of human behavior because employees provide easier entry points for malicious attacks. For example, spear phishing emails are commonplace and becoming more sophisticated." Here is the promo video:
https://products.office.com/en-US/business/articles/cyber-risk-is-a-business-risk?

I suggest you register and watch this half-hour webcast about human error during lunch. It's a fabulous pitch for training your employees, and excellent ammo for your security awareness training budget, courtesy of Microsoft:
https://products.office.com/en-us/business/modern-workplace/human-element
Talent Shortage Labeled Security Market's Biggest Trend

Analyst Cybersecurity Ventures highlights growing skills gap as it unveils its Cybersecurity 500 list.

Intelligence analyst Cybersecurity Ventures has flagged up an "epidemic" skills shortage in the cyber security market as it unveiled its latest quarterly list of the world's hottest cyber security companies.

The California-based research firm has compiled a quarterly Cybersecurity 500 list since 2015, cataloging what it sees as the hottest and most innovative industry leaders in IT security based on a variety of factors (see bottom).

Feedback from 2017's top cohort - including first on the list, Herjavec Group, IBM Security (second) and Raytheon Cyber (third) - has revealed growing concern over the widening gap between security threats and the number of people qualified to tackle them, its chief executive, Steve Morgan, told Channelnomics' UK sister title.

"The single biggest trend, globally, is that there are chronic work shortages of qualified cyber security staff. It's an absolute epidemic," Morgan warned.

Meanwhile, Morgan said recent research his firm conducted predicts that cyber crime damages will cost the world 6 trillion dollars annually by 2021, up from 3 trillion dollars in 2015.

"From the end of 2013 to 2015, Cisco published research on global cyber security that showed there were one million cyber security positions open globally," Morgan said, adding that Cybersecurity Ventures' own research suggests that this deficit will become more dramatic.

"Due to the growth in cyber crime, by 2021, we expect there to be 3.5 million vacant cyber security job openings. So, the pipeline of security talent isn't where it needs to be to help curb the rise in more widespread, and more sophisticated, cyber crime."

Morgan argued that shortfalls in specialized education in information technology and computer science around the world urgently need to be addressed.

"Companies are already resorting to getting new graduates in, who simply don't have the experience… Our colleges and universities are not putting enough of these people out. And why is that? Because they don't have enough experienced professors to pass on this training."

However, Morgan praised what he described as innovative market leaders who are proactively trying to address this issue head on. He highlighted KnowBe4 for educating the workforce at large.

KnowBe4 is run out of Florida, and one of its equity partners is the former world-famous U.S. hacker Kevin Mitnick. The company's ethos is that every IT position is now a cyber security position and any naïve employee a potential weakest link.

KnowBe4 trains staff to recognize the warning signs of ransomware - which Cybersecurity Ventures said is trending up, and has resulted in 5 billion dollars in damages globally in 2017 alone - spearphishing and fraudulent emails.

"This lack of basic knowledge is plaguing the industry. For instance, some software developers don't understand IT security and vice versa," Morgan said.

"Every corporation must be providing their staff with that kind of training." Out of the top 10 ranked firms, seven are based out of the U.S., one in Canada, one in IT security hub Israel and one in the UK (Sophos). More:
https://www.channelnomics.com/channelnomics-us/news/3016138/talent-shortage-labeled-security-markets-biggest-trend
Want to Improve Cybersecurity? Try Phishing Your Own Employees

Employees are a company's weakest security link. Here's why running internal phishing attacks can strengthen your cybersecurity posture.

More than 90% of cyberattacks and resulting data breaches start with a spear phishing campaign—and many employees remain unable to discern these malicious emails from benign ones. To improve cybersecurity education, some companies are turning to a nontraditional method: Phishing their own employees.

Too often, companies only offer annual training on cybersecurity that doesn't keep up with the evolving threat landscape, according to Wesley Simpson, COO of (ISC)2. "Using internal phishing exercises is a very inexpensive tool that helps fight the risk, and is an investment in staff's knowledge and education," Simpson said. "It's not something that should happen once a year—it should be continuous."

(ISC)2 runs regular internal phishing exercises on employees. The IT team crafts the emails based on ones that employees actually receive, Simpson said: for example, those that mimic a coffee shop offering a complimentary beverage, or a postal service package notification.

Before making the campaign public, companies should take a baseline measurement of how employees react to one of the phishing exercises, according to Carl Leonard, principal security analyst at Forcepoint. Then, you have a metric to measure improvement against. Full article at TechRepublic:
http://www.techrepublic.com/article/want-to-improve-cybersecurity-try-phishing-your-own-employees/
Interesting News Items This Week

Is Antivirus Protection Still Relevant?:
https://securityintelligence.com/news/is-antivirus-protection-still-relevant/

Easy-to-Use Apps Allow Anyone to Create Android Ransomware Within Seconds:
http://thehackernews.com/2017/08/create-android-ransomware.html

CryptoMix Variant Can Communicate Offline:
https://www.infosecurity-magazine.com/news/cryptomix-variant-offline/

Most large companies don't use standard email security to combat spoofing:
https://www.cyberscoop.com/fortune-500-companies-dmarc-email-security-anti-spoofing-phishing/

There was discussion of a link-hovering exploit method back in early June, but it is limited to links in PowerPoint presentations. No idea if Microsoft has subsequently issued a patch/fix for this hover vulnerability:
https://www.darkreading.com/endpoint/new-attack-method-delivers-malware-via-mouse-hover-/d/d-id/1329105?

Cyber Ransoms: Mr. Smith Attacks HBO's Loot Train. The legal perspective on the ongoing HBO ransom attack:
http://www.newyorklawjournal.com/id=1202796507725/Cyber-Ransoms-Mr-Smith-Attacks-HBOs-Loot-Train
Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.