CyberheistNews Vol 7 #49 Which of Your Employees Are Most Likely to Expose Your Company to a Cyber Attack?

CyberheistNews Vol 7 #48
Which of Your Employees Are Most Likely to Expose Your Organization to a Cyber Attack?

Kon Leong at Harvard Business Review wrote an excellent article about the problem of employees exposing your organization to cyberthreats through human error. Here is a short quote:

"Today, cybersecurity has expanded far beyond its traditional domain of external threats, typified by external hackers attacking network vulnerabilities. It now includes insider threats, which are much more complex and difficult to manage, as evidenced by some very serious recent insider breaches, such as those involving Edward Snowden and Chelsea Manning. The nature of insider threats can be categorized into malicious, accidental, or negligent."

Now, which departments are causing the biggest cybersecurity problems at your office?

TechRepublic wrote: "People are always the weak link when it comes to enterprise cybersecurity—but some departments are more likely to get hit and fall victim to attacks than others.

"Everyone is susceptible to these attacks. Nobody is immune," said Wesley Simpson, COO of (ISC)2. "It doesn't matter what type of organization, how strong you think you are, how much money that you're investing into your hardware and software environment to have the latest and greatest technology. We're all vulnerable, and you can't do it alone."

Here are three departments that are often most likely to fall victim to cyberattacks:
    1. IT and development. They are not immune to mistakes or attacks that result in security breaches, as 2017 has proved, said Forrester analyst Jeff Pollard. For example, we saw that Amazon S3 storage buckets were a constant source of data exfiltration, often by security researchers and bug bounty hunters, but also by attackers.

    2. Finance. A large number of attacks in 2016 and 2017 targeted procurement and finance teams, Pollard said. These attacks attempted to get employees of the company to transfer large sums of money to the attackers, bypassing normal accounts payable procedures and controls. There's no reason to believe those attacks will drop in 2018, he added.

    3. The C-Suite. C-level executives—including the CEO—are the most at risk of being hacked when working outside the office, according to a recent report from iPass. These employees often work long hours, are rarely confined to the office, and have unrestricted access to the most sensitive company data, making them highly valuable and highly available targets, the report found."

The Harvard Business Review article suggests four areas where you can significantly mitigate this risk:
  1. Rethink employee training
  2. Identify high-risk users and intervene
  3. Shape the solution to the human user and not vice versa
  4. Constantly adapt to changing threats
They make a few excellent suggestions on how to make a program like this really effective, because recent research by the Ponemon Institute indicates that employee training is the third-most-effective method of decreasing the per capita cost of a breach, right after extensive use of encryption and assignment of an incident response team.

They recommend:
  • Consider frequent and interactive training sessions
  • It’s a case of train, retrain, and repeat
  • Use the tried and true method of simulation, sending out mock-phishing emails
However, 48% of respondents in a major recent survey say they do not have an employee security awareness training program.

A recent report by PricewaterhouseCoopers (PwC) called "Strengthening digital society against cyber shocks", covering key findings from the Global State of Information Security Survey 2018, showed that:
    • "Forty-four percent of the 9,500 executives in 122 countries surveyed by the 2018 say they do not have an overall information security strategy.

    • Forty-eight percent say they do not have an employee security awareness training program, and 54% say they do not have an incident response process."

“Many organizations need to evaluate their digital risk and focus on building resilience for the inevitable,” said Sean Joyce, PwC’s US Cybersecurity and Privacy Leader. A human firewall is a critical piece of that puzzle.

We can add to this the following from a ransomware report by AlienVault:
  • Security professionals rank user awareness training the most effective tactic to prevent and block ransomware (77%) followed by endpoint security solutions (73%), and patching of operating systems (72%) as preventive approaches to ransomware threats.
Harvard Business Review ends off with: "It’s true that to err is human, and humans will keep erring. But increasingly, technology and improved practices can help you identify those employees who are most at risk of exposing your company to a cyberattack — before it becomes a major problem."

Excellent ammo to add to a request for IT security budget for security awareness training. Here is a direct link to the article:

I strongly suggest you get a quote for new-school security awareness training.

And find out how affordable this is for your organization. You simply have got to start training and phishing your users ASAP, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised:

You can also find this post at the KnowBe4 blog with links to all the referenced reports and graphs:
Report: Email Attacks Increasing, But None As Much As Impersonation Phishing

Email filtration is getting good enough to catch most malware, but it's not anywhere near capable of stopping a well-targeted impersonation attack.

How email attacks stack up

The latest ESRA report from Mimecast sifted through nearly 56 million emails. More than 12 million of them were spam, 9,055 contained harmful files, 2,535 came with malware, and 18,971 were impersonation attacks—a 50% quarter-over-quarter increase.

Attacks of all kinds are bound to increase in quantity, but 50% is staggering, especially when harmful files and malware only increased by 15% over the same time frame. The top three takeaways:

  1. Impersonation attacks have experienced a 50% quarter-over-quarter increase, making them the fastest growing form of email-based cyber attack.
  2. Impersonation attacks are spear phishing emails that attempt to mimic an internal email, or something from another trusted source. Their goal is to trick a user into giving up financial information or confidential data.
  3. It's practically impossible for email filters to catch well-crafted impersonation attacks. Security teams need to be on top of user training and penetration testing to be sure an attack doesn't hit them.
Full article at TechRepublic:
Announcing a Brand-New Email Security Tool: Second Chance

Wouldn't it be great if your users had a way to "roll back time" when they forgot to "think before they clicked"?

What if they could have a second chance, to decide one more time if they *really* wanted to go to that link, or if it actually was too high a risk?

Now they can!

KnowBe4 is excited to announce Second Chance, a brand-new security tool for the Outlook email client that you can download and deploy at no cost.

As the name implies, Second Chance enables your user to make a smarter security decision by giving them a way to back out of that click in the email body or links in email attachments like Office Docs or PDFs.

Second Chance takes a smart look at the clicked URL, and asks your user if they are sure they want to do this, in case they clicked on a potentially unsafe or an unknown website. Second Chance even prompts your user when they click on a Punycode link!

You can set the message your user gets through the Second Chance console, and you also are able to set "No Prompt" domains. You can install it with the standard installer, from the command line, or via GPO.

You might ask: "What happens if my user continues or aborts their action?"

If they choose to abort their action, the prompt will be closed, and the URL will not be opened. If they choose to continue, their browser will navigate to the URL they clicked on. Either action taken will be recorded in the data and reports on your console.
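As an added illustration of the link check described above (example code written for this newsletter, not Second Chance's own implementation): a Python routine that flags Punycode (xn--) hosts and mixed-script host names, and otherwise only prompts for domains missing from a hypothetical no-prompt list. The sample links and the allow-list are constructed for the example.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed sample hosts for this example (not taken from the newsletter).
# HOMOGRAPH is five Cyrillic letters that render almost identically to "apple";
# its Punycode form is generated here rather than typed in by hand.
HOMOGRAPH = "\u0430\u0440\u0440\u04cf\u0435"
PUNYCODE_HOST = "www.xn--" + HOMOGRAPH.encode("punycode").decode("ascii") + ".com"
SAMPLE_LINKS = [
    "https://www.example.com/invoice.pdf",
    "https://" + PUNYCODE_HOST + "/login",
    "https://p\u0430ypal.example/login",  # second letter is Cyrillic U+0430, not Latin "a"
]

# Hypothetical allow-list, standing in for the "No Prompt" domains set in the console.
NO_PROMPT_DOMAINS = {"example.com", "knowbe4.com"}


def decode_label(label: str) -> str:
    """Return the Unicode form of an xn-- (Punycode) DNS label; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(text: str) -> set:
    """Collect the scripts (first word of each letter's Unicode name) used in text."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def is_no_prompt_domain(host: str) -> bool:
    """True when host is, or is a subdomain of, an allow-listed domain."""
    return any(host == d or host.endswith("." + d) for d in NO_PROMPT_DOMAINS)


def assess_link(url: str) -> dict:
    """Decide whether a clicked URL should trigger a confirmation prompt, and why."""
    host = (urlparse(url).hostname or "").rstrip(".")
    labels = host.split(".")
    decoded_host = ".".join(decode_label(label) for label in labels)
    reasons = []
    if any(label.lower().startswith("xn--") for label in labels):
        reasons.append("punycode host, displays as %r" % decoded_host)
    scripts = scripts_in(decoded_host)
    if len(scripts) > 1:
        reasons.append("mixed scripts in host name: " + ", ".join(sorted(scripts)))
    # Homograph indicators always prompt; otherwise only domains that are not
    # on the no-prompt list do.
    if not reasons and not is_no_prompt_domain(host):
        reasons.append("domain not on the no-prompt list")
    return {"host": host, "decoded_host": decoded_host,
            "prompt": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = assess_link(link)
        print(("PROMPT " if verdict["prompt"] else "open   ") + link)
        for reason in verdict["reasons"]:
            print("    - " + reason)
```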

Second Chance could one day be the difference between a ransomware infection and a free weekend. Give it a try!

Here is the form to download the install. Again, no charge:

Here is the Product Manual:
Live Webinar: Counter The Careless Click, Tools To Help You Train Your Users

Cybercriminals are successfully and consistently exploiting human nature to accomplish their goals. Employee training is tied as the third-most-effective method (higher than antivirus) of decreasing the cost of a data breach.*

Many IT pros know users are the weakest link in network security, but don’t exactly know where to start when it comes to creating a security awareness program that will work for their organization.

Join this 30-minute webinar “Counter the careless click, tools to help you train your users” where Erich Kron CISSP, Security Awareness Advocate of KnowBe4, will provide a practical session with tips and free tools you can implement now to help you create your “human firewall”.

Erich will cover:
  • Current threat landscape
  • Top 5 tips for security awareness
  • How to easily create your security awareness program
  • Outlining how and where tools are helpful
Date/Time: Thursday, December 14th at 2:00 pm EST for 30 minutes
Register Now:

* Based on recent research by the Ponemon Institute

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.

Quotes of the Week
"Whether one believes in a religion or not, and whether one believes in rebirth or not, there isn't anyone who doesn't appreciate kindness and compassion." - Dalai Lama (born 1935)

"A positive attitude causes a chain reaction of positive thoughts, events and outcomes. It is a catalyst and it sparks extraordinary results." - Wade Boggs - Athlete (born 1959)

Thanks for reading CyberheistNews
Security News
Phishing And Social Engineering Are The Big Problems (Malware Not So Much)

We hear a lot about malware, and the picture of the hacker in popular culture is of the hoodied wizard typing his attack code and saying "I'm in." Well, maybe.

But really, not usually. The typical hack is a con. It's social engineering, convincing some user to act against their own best interest. A lot of that social engineering arrives in your email in-box. The first step is acknowledging (and teaching your people to acknowledge) that this is a problem. More at CSO:
Visual Hacking (That is, Reading Someone's Screen Over Their Shoulder)

Not all hacking involves sophisticated coding skills. And social engineering isn't always as elaborate as running a con game. Sometimes the bad actors can get everything they want by looking over your shoulder. 3M offers a timely reminder that visual hacking hasn't gone away, and that as we increasingly move through crowds, wait in lines, and ride buses, trolleys, and subways with our eyes locked on our phones or tablets, it can be a very easy way of stealing information from the distracted and the unwary.

It can also be a problem in your office, and here some of the more elaborate forms of social engineering, like the crooks' wearing badges identifying them as temps, employees, or contractors, can come into play. In 2015 and 2016 the Global Visual Hacking Experiment looked at awareness of this threat in forty-six companies located variously in China, France, Germany, India, Japan, South Korea, the United Kingdom, and the United States. (The experiment was a white-hat exercise conducted with the knowledge and permission of the participating companies.)

The white hat posed as a temporary employee, security badge in order and properly displayed, and set out to accomplish three "overt tasks": see and log sensitive information from a screen, on a desk, or on a printer; pick up business documents labeled "confidential" from a desk and put them in a briefcase; and use a phone to take a picture of sensitive information on a screen.

The visual hackers were depressingly successful. 91% of the time they were able to get away with sensitive business information. More than half the hacks, 52%, were committed by looking at an employee's unprotected computer screen. The information stolen was, in some 275 of the trials, significant: credentials, financials, even privileged attorney-client communication.

And the information loss was fast, too: in almost half the attempts the testers got what they were after in less than fifteen minutes.

The morals of this story are the familiar lessons of sound operational security. Be aware of your surroundings. Keep your desk clean. Lock your screens when they're unattended. And above all, ask questions. Don't assume that the person you've never seen before must be legitimate, badge or no badge, and don't assume that someone who seems closer to you than they need to be just has a different sense of personal space.

Education and training are key, here, and there's a role for human resources, too: introducing the new employees to their co-workers is more than just a nice thing to do. It can also make a contribution to security. More here:
What’s On The Horizon For Security And Risk Management Leaders?

By 2022, cybersecurity ratings will become as important as credit ratings when assessing the risk of business relationships, Gartner analysts believe.

They also predict that, by 2020, 60% of organizations engaging in M&A (mergers and acquisitions) activity will consider cybersecurity posture as a critical factor in their due diligence process. Having a mature security awareness training program in place by then will count heavily, so better start now:
Left of Boom

Security too often exists in tension with usability. This is as true of organizations as it is of individuals. Policies, however well-intentioned and however much they might improve security, won't be followed if they make it difficult or impossible for people to do their jobs. Email is of course a very common attack vector, and if no one in an enterprise used it, that enterprise would become immediately more secure.

But that's impractical. Email remains an essential business tool in all sorts of ways. So the challenge is to devise training and policies that help people use it safely. So communicate, educate, test, and patch. See more here:
48 Servers Of North Carolina County Held Hostage by LockCrypt Ransomware

One of the more common payloads a phishing email can carry is ransomware, either real criminal extortion as seen with Locky, Scarab, and other currently common strains, or destructive pseudo-ransomware like NotPetya.

Organizations that depend upon the availability of their data are especially vulnerable to ransomware, which is why some of the earliest and still most common targets are healthcare providers.

Even TV showrunners now know this: a recent episode of Grey's Anatomy, for example, featured a storyline about how Grey Sloan Memorial Hospital lost access to its medical records in a ransomware attack. It's dramatized, but it might serve as a teaching tool to convince the skeptical that this is a real problem.

Local governments and their agencies, down to transit systems and public libraries, have also figured prominently among ransomware victims. One local government, Mecklenburg County, North Carolina, offers a good example of what to do both left and right of boom. The county, whose largest city is Charlotte, was hit by ransomware that demanded $23,000.00 to return access to affected systems. The county said "no," a good response, and they were able to do so because their preparations were sound: they had a solid plan in place to back up their data.

So what might have been a disaster became an inconvenience. See the New York Times piece here:

I do not have to tell you how this could have been prevented.
Cyberattack: It Can't Happen to Us (Until It Does)

Just because your small or medium-sized business doesn't have tens of millions of customers, or the name recognition of a Target or a Yahoo, doesn't mean you're immune to becoming a cybercrime victim. In fact, there's a good chance that your SMB has been victimized and you don't know it.

The Identity Theft Resource Center has tracked security breaches since 2005. They estimate that 1,055,228,349 unique records containing personal identifying information have been compromised in nearly 8,000 data breaches that have occurred between January 1, 2005, and November 22, 2017.

If those numbers don't grab your attention, consider that the average cost for each lost or stolen record containing sensitive and confidential information is $141.00, according to the Ponemon Institute's "2017 Cost of Data Breach Study."

That cost jumps for businesses in financial services ($245.00) and healthcare ($380.00). Those dollar amounts do not include the cost of notifying affected parties. They also don't account for damage to your reputation.

Are your company's pockets deep enough to weather that financial storm? Even if they are, wouldn't you rather spend that money on marketing your products and services, new R&D, or business expansion?

What can a small business or a startup do to lessen the chance it becomes a cybercrime victim? Here are three commonsense steps that any business can take:
  1. Train Your Team
  2. Assess Your Risk
  3. Ask For Help
Full article at DarkReading:
Ransomware Up Nearly 2,000% In Two Years As “Cyber Mafia” Hit Business

Cyber attacks on businesses in 2017 grew in frequency, sophistication and malice, a report on the new age of organized cyber crime reveals.

The new generation of cyber criminals increasingly resembles traditional mafia organizations, requiring a new approach to dealing with it, according to a report by security firm Malwarebytes.

Cyber criminals not only have the same professional organization as the mafia gangs of the 1930s, they also share their willingness to intimidate and paralyze victims, the report shows.

Malwarebytes’ analysis also shows that, in spite of acknowledging the severe reputational and financial risks of cyber crime, many business leaders greatly underestimate their vulnerability to such attacks.

“The new mafia, identified by our report, is characterized by the emergence of four distinct groups of cyber criminals: traditional gangs, state-sponsored attackers, ideological hackers and hackers-for-hire,” said Marcin Kleczynski, CEO of Malwarebytes. More:

And what’s behind the rising tide of ransomware? IBM explains:
KnowBe4 Introduces New Feature: Security Roles

KnowBe4 is proud to announce the introduction of a new feature, Security Roles. Security Roles can be used to assign granular access throughout the KnowBe4 console. Each Security Role is completely customizable to allow for the creation of the exact roles needed by your organization.

Because the roles are not simply a set of predefined permissions, it is possible to create the exact permission model that fits your needs. Below are some common scenarios where Security Roles allow the console administrator to give users access to only the portions of the KnowBe4 console they need to get their results:
  • Auditors that need to review training history
  • HR departments that want to see individual user results
  • Training groups that want to review training content prior to deployment
Here are a few examples of access controls that can be set:
  • Review (but don't touch!) results of phishing tests
  • Management of Users and Groups
  • Create new Phishing Security Campaigns
  • Review of training content available in the ModStore
Security Roles are available to all customers at Platinum and Diamond subscription levels. If you are not a KnowBe4 customer yet, request a demo now!

In other related news, we are extremely pleased to tell you that KnowBe4 has won a prestigious award. Frost & Sullivan, a global research and consulting firm, recently announced that we received their 2017 North American Cybersecurity Awareness and Training Platform Customer Value Leadership Award.

This is a pretty big deal. More here:
Interesting News Items This Week

Bitcoin uses about as much electrical power as the country of Denmark. This has led to belated concerns about the sustainability of the cryptocurrency, and perhaps other blockchain-based systems:

Here’s How Boards Should Measure Anti-Phishing Programs:

Customers are leaving a personal data trail behind in rental vehicles:

Krebs on Security — Phishers Are Upping Their Game. So Should You:

Security Awareness Training company, KnowBe4, has stepped up to the plate and started to talk about Artificial Intelligence Driven Agent or AIDA:

Security Think Tank: Employees are in the cyber attack firing line, so educate them well:

100,000-strong botnet built on router 0-day could strike at any time:

Russian hackers hold UK to ransom. Article in The Times (paywall):

Salted Hash Episode 10: Office 365 phishing examples, the bad and the ugly:

Social Engineer Shows How to Get Easy Cash at Black Hat Europe:

Despite Equifax Breach Causes, Social Engineering Still Biggest Threat to Data Security:

8 security breaches that got someone fired:
Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.
