CyberheistNews Vol 7 #47 Your Cybercrime Insurance Policy May Not Cover You for Social Engineering Fraud


I have talked about this potentially extremely expensive and very disappointing "CEO fraud" or "Business Email Compromise" problem several times before.

Your cybercrime policy may not include damage caused by sophisticated scams that "hack your humans" using social engineering tactics.

This is true worldwide. Last week another example came up in Canada: an article about a legal case in Canadian Underwriter asked insurance brokers to make sure their customers are actually covered for social engineering fraud.

The insurer denied coverage for a 224,000 dollar claim because the end-users were duped by a social engineering scam. More details at the KnowBe4 blog, and a link to an extremely useful complimentary CEO Fraud Prevention Manual:

Proposed New Legislation: "Train Your Users or Go to Jail"?

OK, it may be hyperbole, but since 91% of data breaches are caused by successful spear phishing attacks, it's not entirely crazy to say: "step your users through new-school security awareness training or go to jail..." when you read the following.

A new-but-old U.S. bill introduces prison time for execs who conceal data breaches, and it is not the first time senators have tried to regulate breach disclosure.

This is the second time a bill like this has been introduced. Four senators, including Nelson, tried to push a previous version of this bill in 2014, during the Obama administration, but failed to get the support they needed.

The 2014 bill came shortly after the Target and Neiman Marcus breaches, and its main objective was to force companies to store data in a more secure manner and ensure all customers receive breach notifications in due time.

This new bill comes as a response to the recent Uber debacle, where the company paid 100,000 dollars as hush money to two hackers to keep quiet about a security incident that took place in late 2016. The company came clean about the breach a year later, after a change in management, revealing that hackers stole details for almost 57 million drivers and customers. More detail and links at the KnowBe4 Blog:

New CyberThreat Survey Confirms: Biggest Security Obstacle Is Low User Security Awareness

The CyberEdge Group is an award-winning research firm that serves information security vendors and service providers. They recently surveyed 1,100 qualified IT security decision makers & practitioners, all from organizations with more than 500 employees, representing 15 countries and 19 industries.

The 37-page report was sponsored by vendors like Symantec, HP, SecureWorks and Webroot and is excellent ammo for your IT security budget requests.

The Results Are Eye Opening

The percentage of respondents affected by successful attacks has risen every year for the last three years: from 62% in 2014 to 71% in 2015, 76% in 2016 and 79% in 2017, with no end in sight.

When asked about perceptions and concerns, here are the top problems:
    • Employees still the weak link: Low security awareness among employees continues to be the greatest inhibitor to defending against cyberthreats, followed closely by a shortage of skilled personnel and too much data for IT security teams to analyze (page 17).
    • Threats keeping us up at night: Malware, phishing, and insider threats give IT security the most headaches (page 13).
    • Ransomware's bite out of the budget: Six in 10 respondents said their organization was affected by ransomware in 2016, with a full third electing to pay the ransom to get their data back (page 14).
    • Ransomware's biggest nightmare: The potential for data loss is the greatest concern stemming from ransomware, while the potential for revenue loss trails the field (page 15).
    • Microsoft leaving the door open? With two-thirds of respondents not fully satisfied with Microsoft's security measures for Office 365, the door remains open for third-party security solutions (page 16).

When asked to rate, on a scale of 1 to 5, the adequacy of their organization's capabilities (people and processes), respondents scored "User security awareness / education" third from the bottom.

The report observed: "Far less surprising is the appearance of user education/awareness and secure application development/testing at the bottom of the rankings. The former is consistent with the later finding of users being the greatest inhibitor to achieving effective defenses."

Their comments on this topic could have come straight from my mouth:

"Once again, respondents cited users as the greatest obstacle to their organization’s establishing effective defenses, as “low security awareness among employees” topped the chart for a remarkable fourth consecutive year.

“Ahem... enterprise security teams, can you hear us?” Given the consistency of this finding, don’t you think it makes sense to try investing a bit more in all of those human firewalls at your disposal? Call us crazy, but armed with the proper knowledge, we think they could easily flip the script, and go from being your biggest security burden to your biggest security asset."

More at the KnowBe4 blog with link to the report download and InfoGraphic:

Don’t Miss the December Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Thursday, December 7, 2017, at 2:00 p.m. (EST) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
    • NEW see our latest feature: Security Roles with granular permissions.
    • NEW Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting.
    • Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
    • Access to the world's largest library of awareness training content through our innovative Module Store.
    • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
    • Reporting to watch your Phish-prone percentage drop, with great ROI.

Find out how 14,000+ organizations have mobilized their end-users as their last line of defense, and why Gartner named KnowBe4 a Leader in its Magic Quadrant:
Register Now:

Send This to Your Users Now: Here Is Your Safe Holiday Shopping Reminder Video

We created a Safe Holiday Shopping PSA for your employees, friends and family. Don't lose those hard-earned dollars to cyber scammers. Direct link, copy & paste to your browser:

Have a great Holiday Season!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.

Quotes of the Week
"Happiness resides not in possessions, and not in gold, happiness dwells in the soul."
- Democritus - Philosopher (460 - 370 BC)

"Success is not the key to happiness. Happiness is the key to success. If you love what you are doing, you will be successful." - Albert Schweitzer

"Yesterday's the past, tomorrow's the future, but today is a gift. That's why it's called the present."
- Bil Keane - Cartoonist (1922 - 2011)

Thanks for reading CyberheistNews

Security News
Criminals Look to Machine-Learning to Mount Cyber Attacks

Cyber-criminals will use artificial intelligence and machine learning to outwit IT security and mount new forms of cyber-attacks, according to predictions made by McAfee.

Speaking at the launch of the company's threat predictions report at its MPower conference in Amsterdam, McAfee chief scientist Raj Samani said in an interview that criminals will increasingly use machine learning to create attacks, experiment with combinations of machine learning and artificial intelligence (AI), and expand their efforts to discover and disrupt the machine learning models used by defenders.

He said that machine learning will “help criminals to speak in a native language when carrying out a phishing attack”. This would improve their social engineering, making phishing attacks more difficult to recognize.

In response, those charged with defending IT infrastructure will need to combine machine learning, AI, and game theory to probe for vulnerabilities in both software and the systems they protect, to plug holes before criminals can exploit them. More at SC Mag:

KnowBe4 is working to head off the bad guys at the pass, with an AI-driven social engineering engine called AIDA. More about the Beta here:

Right to Be Forgotten: 75% of Employees Likely to Exercise Rights Under GDPR

New research by data security company Clearswift has shown that 75% of employees are likely to exercise their right to be forgotten (RTBF). The principle, also known as the ‘right to erasure’, dictates that an individual can request that their data be removed or deleted when there is no compelling reason for a business to continue processing that information:

Even Highly Skilled Cyber-Thieves Make Stupid Mistakes, or Do They?

Cobalt, a highly-skilled group of hackers who target banks and financial institutions, may have committed a mistake and accidentally leaked a list of all their current targets, according to Yonathan Klijnsma, a security researcher with RiskIQ.

The error occurred in a spear-phishing campaign that took place last week, on November 21. Klijnsma says the group sent out a mass email, but instead of including the campaign's targets in the email's BCC field, they added their targets' emails in the "To:" field.

By doing so, the Cobalt group let researchers know who they were targeting, giving cyber-security firms a chance to reach out to potential victims and warn them of the ongoing campaign. Or, was this misdirection? 

According to Klijnsma, the group targeted the emails of employees at financial institutions all over the world, with most targets located in Russia and Turkey. More:

If Willie Sutton Were Working Today, He'd Be Stealing Cryptocurrency, Not Wasting Time on Banks

"Because that's where the money is." Criminals have been installing cryptocurrency miners on victim machines that turn them into sources of money. These operate without the users' knowledge, and they operate even when your browser's closed.

Apart from being criminal, they're troublesome because coin-mining is a resource hog.

Our friends at Malwarebytes have discovered a new campaign that mines the cryptocurrency Monero. It affects Windows machines running the Chrome browser. When a user visits an infected site, an ad network (Ad Maven) opens a pop-up and loads a page hosted on elthamely[dot]com, which, via cloudfront[dot]net, retrieves a payload from hatevery[dot]info. This opens a hard-to-find pop-under window that is sized and positioned to hide behind the taskbar, beneath the clock, so the browser appears closed while the miner keeps running.

You'll want to check task manager to see if something suspicious is running, and you can expect new phishing campaigns solely dedicated to infecting workstations with cryptominer malware! More at the KnowBe4 blog:
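Task Manager shows the CPU load but not where the window went. As an added illustration (not code from the Malwarebytes write-up or from KnowBe4), here is the host-side check a responder could script for the trick described above: a browser window whose rectangle sits almost entirely outside the desktop work area, which is where a window hiding behind the taskbar lands. The window list and screen geometry below are constructed sample data; on a real Windows host you would fill them from EnumWindows/GetWindowRect and SystemParametersInfo(SPI_GETWORKAREA) via ctypes or pywin32, and resolve the owning process name from each window's PID.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rect:
    """Screen rectangle in pixels; right and bottom are exclusive edges."""
    left: int
    top: int
    right: int
    bottom: int

    def area(self) -> int:
        return max(0, self.right - self.left) * max(0, self.bottom - self.top)

    def intersect(self, other: "Rect") -> "Rect":
        return Rect(max(self.left, other.left), max(self.top, other.top),
                    min(self.right, other.right), min(self.bottom, other.bottom))


@dataclass(frozen=True)
class Window:
    pid: int
    process: str   # image name of the owning process, e.g. chrome.exe
    title: str
    rect: Rect


def visible_fraction(win: Rect, region: Rect) -> float:
    """Fraction of the window's area that falls inside region (0.0 for an empty window)."""
    total = win.area()
    return win.intersect(region).area() / total if total else 0.0


def find_popunders(windows: Iterable[Window], work_area: Rect,
                   browsers=("chrome.exe", "firefox.exe", "msedge.exe"),
                   max_visible: float = 0.2) -> List[Tuple[Window, float]]:
    """Flag browser windows that are mostly outside the work area.

    The work area is the desktop minus the taskbar. A legitimate window lives
    almost entirely inside it (a maximised window may overhang by a border, hence
    a fractional threshold rather than exact containment). A window parked under
    the taskbar, or pushed entirely off-screen, scores near zero.
    """
    hits = []
    for w in windows:
        if w.process.lower() not in browsers or w.rect.area() == 0:
            continue
        inside = visible_fraction(w.rect, work_area)
        if inside <= max_visible:
            hits.append((w, round(inside, 2)))
    return hits


# Constructed sample: one 1920x1080 monitor with a 40-pixel taskbar along the bottom.
WORK_AREA = Rect(0, 0, 1920, 1040)

SAMPLE_WINDOWS = [
    Window(4120, "chrome.exe", "Inbox - Mail", Rect(0, 0, 1920, 1040)),      # normal, maximised
    Window(4120, "chrome.exe", "Tabs", Rect(1700, 1045, 1900, 1075)),        # tucked under the clock
    Window(5300, "chrome.exe", "Docs", Rect(1800, 100, 2200, 500)),          # dragged partly off the right edge
    Window(6600, "notepad.exe", "Untitled", Rect(1500, 1045, 1800, 1075)),   # same spot, not a browser
]


def sample_findings() -> List[Tuple[Window, float]]:
    return find_popunders(SAMPLE_WINDOWS, WORK_AREA)


if __name__ == "__main__":
    for win, frac in sample_findings():
        print(f"pid {win.pid} {win.process} '{win.title}' at {win.rect}: "
              f"{frac:.0%} of the window is inside the work area")
```

On a multi-monitor host the work area passed in has to be the union of every monitor's work area (EnumDisplayMonitors/GetMonitorInfo), otherwise a window on the second screen is reported as a pop-under. Once a hit is confirmed, the PID is what you kill and what you pull network connections for.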

Google Kicks Harmful Apps Out of Google Play and Offers 5 Steps Against Social Engineering

You're always better off getting apps from reputable stores like Google Play than you are from potentially dodgy, at best unknown, third-party sites. But even Google Play isn't immune from problems.

Mountain View periodically has to kick badly behaved apps out of its store, and last week saw one such eviction. A number of apps infected with the Tizi backdoor were booted out. Tizi was able to root devices via old, known vulnerabilities. Google published a reminder of five steps your users can take to protect themselves against social engineering by potentially harmful apps:
    • "Check permissions," and always be suspicious of apps that make unreasonable demands. There's no reason a flashlight, for example, should need to send SMS messages.
    • "Enable a secure lock screen," with some factor (password, PIN, gesture, whatever your device accommodates) that's easy for you to remember but hard for others to guess.
    • "Update your device." Patch. Note that Tizi took advantage of old bugs for which patches exist. If your system is up-to-date, it's a bit more secure.
    • "Google Play Protect." If you're an Android user, Google Play Protect will help keep you safe.

    • "Locate your device," that is, "practice finding" it. Losing your phone is the security misstep you're most likely to make.
More at:
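Google's first step, checking permissions against what the app plausibly needs, can also be done before an app is pushed to a fleet. The following is an added example (not Google's code and not from the Tizi write-up) that parses a decoded AndroidManifest.xml, lists the declared permissions that Android classifies as dangerous, and reports the ones not on an allow-list for the app's stated purpose. The manifest is a constructed sample of a flashlight app that asks for SMS and contacts rights; on a real APK you would first decode the binary manifest, for instance with `apktool d app.apk`, and the per-category allow-list is an assumption you would tune to your own app inventory.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"   # the android:name attribute, in Clark notation

# Permissions Android itself labels protectionLevel=dangerous (runtime-prompted since 6.0).
# Kept to the groups that matter most for socially engineered apps; extend as needed.
DANGEROUS: Set[str] = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Assumed allow-list per app category (an illustration, not an Android or Google list).
EXPECTED: Dict[str, Set[str]] = {
    "flashlight": {"android.permission.CAMERA"},   # older flash APIs drive the LED via the camera
    "messaging": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.READ_SMS", "android.permission.READ_CONTACTS"},
}


def declared_permissions(manifest_xml: str) -> List[str]:
    """Every <uses-permission android:name=...> in the manifest, sorted and de-duplicated."""
    root = ET.fromstring(manifest_xml)
    return sorted({el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)})


def unjustified_permissions(manifest_xml: str, category: str) -> List[str]:
    """Dangerous permissions the manifest declares that the category does not justify."""
    allowed = EXPECTED.get(category, set())
    return [p for p in declared_permissions(manifest_xml) if p in DANGEROUS and p not in allowed]


# Constructed sample manifest: a "flashlight" that also wants SMS and contacts.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.brightlight">
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Bright Light"/>
</manifest>
"""

if __name__ == "__main__":
    print("declared:", ", ".join(declared_permissions(SAMPLE_MANIFEST)))
    for perm in unjustified_permissions(SAMPLE_MANIFEST, "flashlight"):
        print("unjustified for a flashlight:", perm)
```

INTERNET and FLASHLIGHT are normal-level permissions and are deliberately not reported; a flashlight that talks to the network is worth a look, but it is the SMS and contacts rights that turn an app into a fraud tool, which is the distinction Google's advice is drawing.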

Interesting News Items This Week

We created a Safe Holiday Shopping PSA for your employees, friends and family. Don't lose those hard-earned dollars to cyber scammers:

Which technology trends will create the Year of Transition? Here are the top 7 technology trends for 2018 that will affect organizations and governments:

10 tips to optimize security during the holidays:

Holy Bitcoin Batman. 90 percent of top cryptocurrency apps carry security and privacy risks:

Blockstack Counterattacked a Phishing Attempt on Its ICO and turned the tables:

A security researcher has identified thousands of Serial-to-Ethernet devices connected online that leak Telnet passwords that could be used to attack the equipment that is placed behind them. The leaky devices are various Serial-to-Ethernet "device servers" manufactured by Lantronix:

Researcher discovers classified Army intel app, data on open public AWS bucket:

Cybercrime selling like hotcakes: Ransomware sales soar 2500% in one year (Security Brief) The way criminals ply their trade has changed dramatically since the rise of the digital era, and not for the better – at least for the victims:

Websites use your CPU to mine cryptocurrency even when you close your browser (Ars Technica) Resource-draining code hides in pop-under windows that can remain open indefinitely.

Former NRCC aides used their old passwords to break into a database of highly valuable information on contributors:
Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.