CyberheistNews Vol 7 #50 The Top 5 Reasons Why You Need to Deploy New-School Security Awareness Training in 2018

2017 was a dumpster fire of privacy and security screw-ups.

To start 2018 with a simple, effective, IT security strategy is an excellent New Year's resolution and helps your CEO to keep their job. Better yet, thousands of your peers will tell you this was the best and most fun IT security budget they ever spent... hands-down.

This list is the high-power ammo you need to get budget and roll out new-school security awareness training, ideally right now.

Here are the Top 5 reasons...
  1. Social Engineering is the No. 1 go-to strategy for the bad guys. Unfortunately their time is money too. Why spend 2 months of research uncovering a 0-day when you (literally) can create an effective spear-phishing attack in 2 hours? They are going after the human—the weakest link in IT security—and your last line of defense.
  2. Ransomware is only going to get worse in 2018. Email is still their favorite attack vector, and their sophistication is increasing by the month. The downtime caused by ransomware can be massive.
  3. Compliance requirements for awareness training are being sharpened up. Thinking that today you can get away with a yearly one-time, old-school awareness training session is whistling past the graveyard. A good example is May 25, 2018 when enforcement actions for GDPR begin. We have compliance training for GDPR ready in 24 languages.
  4. Legally you are required to act "reasonably" and take "necessary" measures to cope with a threat. If you don't, you violate either compliance laws, regulations, or recent case law. Your organization must take into account today's social engineering risks and "scale security measures to reflect the threat". Don't trust me, confirm with your lawyer, and next insist on getting budget. Today, data breaches cause practically instant class action lawsuits. And don't even talk about all employees filing a class action against your own company because your W-2 forms were exfiltrated with CEO fraud.
  5. Board members' No. 1 focus today is cyber security. Some very pointed questions will be asked if they read in the Wall Street Journal that your customer database was hacked and the breach data is being sold on the dark web. Once it becomes clear that your organization did not deploy a simple, effective strategy that could have prevented this, a few (highly placed) heads will roll. Target's CEO and CISO are just an example. Help your CEO to keep their job.
So now that it's clear you just have to do this ASAP, why choose KnowBe4?

OK, let's list the 5 reasons why KnowBe4 is the complete no-brainer option—after casually mentioning we are the fastest growing vendor in this field and have 15,000+ customers, more than all our competitors combined:
  1. KnowBe4 was recognized by Gartner as a Leader in the Magic Quadrant
  2. Goldman Sachs recently invested a 30 Million Series B in KnowBe4 because they believe in our mission
  3. The KnowBe4 platform was built from the ground up for IT pros that have 16 other fires to put out
  4. The KnowBe4 ModStore has the world's largest choice in fresh awareness training content
  5. Pricing is surprisingly affordable, and gives you a 127% ROI with a one-month payback
  6. BONUS: It's actually a lot of fun to phish your users and get the conversation started!
I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP because your filters have an average 10.5% failure rate. Get a quote now and you will be pleasantly surprised.

Get a Quote Now:
https://info.knowbe4.com/kmsat_get_a_quote_now

PS: It would be awesome if you could forward this to any friends who might be helped with this! Here is a blog post with links: https://blog.knowbe4.com/the-top-5-reasons-why-you-need-to-deploy-new-school-security-awareness-training-in-2018
Former US CISO on Why Awareness Training Is Priority Number 1

In an information technology environment where personnel are on the cyber front line at work and also at the house, the key to ensuring security is still awareness training, says former U.S. CISO Gregory Touhill, who was the Air Force General responsible for Cyber Training before he became the first US CISO.

"A congressman asked me when I took my post as the first federal CISO: 'If I gave you an extra dollar, how would you spend it on cybersecurity?' And I told him I would spend it on better training my people. I find a very well-trained, well-informed workforce is better prepared to help an organization buy down their cyber risk," Touhill says in an interview with Information Security Media Group.

Training at All Levels

Touhill calls for daily security drills and exercises at all levels of an organization to help reinforce defensive strategies.

"Board and C-suite officers are increasingly large targets for whale phishing," Touhill says. "Everybody has a stake in cybersecurity and I would contend everyone is on cyber front lines. That training needs to be tailored and continuous for the entire workforce."

Touhill discusses:
  • The effectiveness of techniques such as gamification;
  • Why he believes one-and-done annual training fails;
  • Continuous phishing training;
  • His recommendations for improving training in 2018.
Touhill is now president of the Cyxtera Federal Group and teaches cybersecurity and risk management for the CISO certification program at Carnegie Mellon University's Heinz College.

To listen to this 8-minute interview, click on the player beneath the image. I recommend you forward this to any C-level exec who needs a quick update to approve new-school awareness training budget:
https://www.bankinfosecurity.com/interviews/former-us-ciso-on-awareness-training-priority-number-1-i-3815
Last Chance: Find Out if You Can be Spoofed For A Chance to Win

Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? Now they can launch a "CEO fraud" spear phishing attack on your organization.

KnowBe4 can help you find out if this is the case with our complimentary Domain Spoof Test and enter you to win an awesome First Order Stormtrooper Helmet Prop Replica at the same time. Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless-steel lock-pick business card!

To enter, just go here and fill out the form; it's quick, easy, and often a shocking discovery. Yep, it's that easy! Hurry, the deadline to enter is Dec. 31st...
https://info.knowbe4.com/dst-sweepstake-dec2017
InfoSec World 2018 Conference & Expo March 19-21, 2018 Orlando

InfoSec World is the “business of security” conference. To manage today’s threats, security practitioners must have the skills to be both a business partner and enabler, and have the technical expertise to prevent, detect and respond to security challenges. Head to Disney’s Contemporary Resort on March 19-21, 2018 and learn from the best. CyberheistNews readers receive 15% off the Main Conference or World Pass with discount code OS18-CHN at checkout! Disney’s Contemporary Resort | Lake Buena Vista, FL:
https://infosecworld.misti.com/
Scam of the Week: New Massive Data Breach Poses Major Threat

Here’s a fun question to pose to the family dinner table: Have you ever heard of Alteryx?

100 to 1 you've never heard of them, but chances are good that they have heard of you. Alteryx is a data analytics company that makes its money by repackaging data that it's collected from different sources. And it became the latest reminder of how much data little-known companies have collected on us – and how little oversight there is over the security of that data.

Companies You’ve Never Heard of Are Exposing Your Personal Data

Earlier this week, an analyst from the security firm Upguard shared that Alteryx had not properly protected detailed information it had collected on 123 million U.S. households. (All told, there are about 126 million American households, according to the Census Bureau.)

This data leak was discovered by a researcher, and not (we hope) by a criminal. But the leak affects about as many people as the massive hack Equifax reported in September, which affected 145.5 million Americans, or nearly every adult.

Another Leaky AWS Bucket

The data had been left unprotected in an Amazon Web Services storage bucket available to anyone with a free AWS account. After being informed of the data breach, Alteryx secured the information; however, it had been available to identity thieves and scammers for a considerable period of time.
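An added detection example for the exposure described above (not from the newsletter, UpGuard or Alteryx): classify an S3 bucket ACL the way a bucket audit would, flagging grants to the AllUsers group (public) and the AuthenticatedUsers group (readable by any AWS account holder, which is the case described). The two grantee URIs are real AWS identifiers; the sample ACL, its owner ID and the function names are constructed assumptions.

```python
# Grantee URIs AWS uses for its two "global" groups in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def bucket_exposure(acl: dict) -> dict:
    """Summarise who outside the owning account can act on the bucket.

    `acl` has the shape returned by S3's GetBucketAcl (boto3 get_bucket_acl):
    a "Grants" list of {"Grantee": {...}, "Permission": ...} entries.
    Returns the permissions granted to the public and to any AWS account.
    """
    exposure = {"public": set(), "any_aws_account": set()}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants are scoped to one named account
        uri = grantee.get("URI")
        permission = grant.get("Permission")
        if uri == ALL_USERS:
            exposure["public"].add(permission)
        elif uri == AUTHENTICATED_USERS:
            # "Authenticated" only means "has any AWS account": a free
            # sign-up is enough, so treat it as exposed.
            exposure["any_aws_account"].add(permission)
    return exposure


def is_exposed(acl: dict) -> bool:
    """True if any permission is granted beyond the owning account."""
    exposure = bucket_exposure(acl)
    return bool(exposure["public"] or exposure["any_aws_account"])


# Constructed sample ACL (not the real bucket's ACL): owner keeps full
# control, but READ is granted to every authenticated AWS user.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print(bucket_exposure(SAMPLE_ACL), "exposed:", is_exposed(SAMPLE_ACL))
```

ACLs are only one layer: a bucket policy can grant the same access, so an audit should also check the policy and the account's Block Public Access settings.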

Alteryx and credit reporting agency Experian—which was the source of the data—both downplayed the risk of identity theft because no names were included in the breached data. This response is just PR and disingenuous, as 248 data fields for every household were included in the breach, and those are easy to map to names.

This is just another example of the lack of important laws in the United States protecting people from data aggregators' negligence and requiring these companies to employ security measures to protect our personal data. Many other countries require such measures by law; the new European GDPR is an excellent example.

What to Do About It

I suggest you send the following to your employees, friends, and family. You're welcome to copy, paste, and/or edit:

"There is another major data breach, that pretty much covers every living adult in the United States. At this point you have to assume that cyber criminals have highly personal information that they can use to trick you. You need to watch out for the following things:
  • Phishing emails that claim to be from your financial institution where you can "check if your data was compromised"
  • Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information
  • Calls from scammers that claim they are from your bank or credit union
  • Fraudulent charges on any credit card because your identity was stolen
Here are 5 things you can do to prevent identity theft:
  1. First sign up for credit monitoring - dozens of companies do that.
  2. Next freeze your credit files at the three major credit bureaus Equifax, Experian and TransUnion. Remember that generally it is not possible to sign up for credit monitoring services after a freeze is in place. Advice for how to file a freeze is available here on a state-by-state basis:
    http://consumersunion.org/research/security-freeze/
  3. Check your credit reports via the free annualcreditreport.com
  4. Check your bank and credit card statements for any unauthorized activity
  5. If you believe you may have been the victim of identity theft, here is a site where you can learn more about how to protect yourself:
    www.idtheftcenter.org.
You can also call the center's toll-free number (888-400-5530) for advice on how to resolve identity-theft issues. All of the center's services are free.

And as always, Think Before You Click!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.

Quotes of the Week
"By three methods we may learn wisdom: First, by reflection, which is noblest; Second, by imitation, which is easiest; and third by experience, which is the bitterest." - Confucius

"Wisdom comes from experience. Experience is often a result of lack of wisdom." - Terry Pratchett

"Here is an example of a young man gaining wisdom by experience. LOL:"
http://mashable.com/2017/12/22/man-fails-slide-london-tube-escalator/#leLSSc2WJqqR



Thanks for reading CyberheistNews
Security News
Yuletide Phishing: Attacks and Clicks Are on the Rise

The holidays are no time for cheer for security specialists: They’re seeing a spike in the number of phishing emails, and in the people who are gullible enough to open them.

For example, Barracuda Networks detected a higher-than-usual number of people clicking on malicious links on Cyber Monday — around 53,000. Granted, the number of general clicks also rose — to 36 million, maybe a 50% increase over a normal Monday.

The actual threat volume was not that high in comparison with normal days. But it did spike in the days after Cyber Monday.

On Wednesday, November 29, for example, the phishing numbers alone rose to 27 million. These emails largely consisted of fake shipping notices and invoices attempting to take advantage of shoppers tracking their purchases.

On a typical Monday, Barracuda will see between 20 million and 27 million emails.

“The centers of phishing attacks are going to redouble their efforts if they see this seems to be working right now,” Weiss says. “If an email gets a good record of response, they’re going to send a lot more of them, just as a legitimate business does.”

Weiss notes that seasonal spam emails are designed to look like "the large volume of legitimate holiday marketing email. The idea is, you fill out a survey or get a free gift card." Instead of just being a marketing survey, however, they are gathering information for phishing.

The problem is worsened by the fact that some consumers will open almost anything in their holiday shopping frenzy.

One thing is to "personalize the emails to the greatest extent possible," Weiss says. "It makes it easier to establish that you have some knowledge of the person you're sending it to, as opposed to being a generic thing."

Barracuda tracks emails through its Link Protect tool, which "wraps a link on an email message and sends it to Barracuda's server and blocks it at that point or forwards it on," Weiss explains. More:
https://www.mediapost.com/publications/article/311964/yuletide-phishing-attacks-and-clicks-are-on-t
One in Five Britons Falls Victim to Phishing

Every fifth Briton has been a victim of a phishing attack, new reports from email provider GMX have shown. The company also issued a warning, saying the holiday season is usually when phishing attacks are on the rise, so consumers should be extra careful.

The increase in phishing attacks at the end of the year is due to the fact that the number of legitimate ecommerce and parcel service emails also goes up.

And consequently, cybercriminals adapt to the time of year. They can counterfeit parcel suppliers' emails to link to malware instead of tracking links. Paired with the fact that many consumers in the UK expect to get a parcel tracking email, it is easy to see why the holidays are a great time of year for criminals.

“During the festive period not only does the number of phishing scams increase, but also the quality. Cybercriminals are highly professional and manage to copy invoices or newsletters so well that they can hardly be differentiated from the original. Therefore, users should keep an eye on their mailbox with increased attention”, says Jan Oetjen, CEO of GMX. More:
https://www.itproportal.com/news/every-fifth-briton-a-victim-of-phishing/#

More UK phishing: Warning after parents are conned out of THOUSANDS by hackers who send fake school bills using a Google app:
http://www.dailymail.co.uk/sciencetech/article-5201669/Hackers-defraud-private-school-parents-THOUSANDS.html
WSJ: Where the Cybersecurity Threats Are

Here are two articles in the WSJ that your C-level execs may not have seen, both of which indicate the need for training employees.

Stephen Schmidt, CISO of Amazon Web Services, and Scott Smith of the FBI talk about what companies should be most concerned about.

Schmidt states at the very beginning of the article when explaining the top threats, "The biggest threat that most organizations are facing right now is a combination of excessive access for their employees and an increased focus by nation-state actors on access to sensitive information."

He later goes on to say "What we’re seeing more is a focus on exploiting the humans that we all have in our organizations, to find access to data that they’ve got authorized access to." Link:
https://www.wsj.com/articles/where-the-cybersecurity-threats-are-1513653001

In an article about the fight against Nation States, Michael Chertoff, former secretary of Homeland Security states:

"A nation-state may co-opt an insider either by corrupting him or her intentionally or simply by fooling him or her. An important part of this is to recognize that we tend to talk about this as if it is about the adversary having some fantastic tool. Sadly, often what gets by our defenses is someone inside who maliciously or even more often negligently or carelessly admits the attacker." Link:
https://www.wsj.com/article_email/the-fight-against-nation-state-cyberthreats-1513653060-lMyQjAxMTA3NzIyMDMyNTA2Wj/
For Crypto-Nerds: Exploiting ROBOT like Mr. Robot

It was late Friday afternoon when the email arrived saying he’d won a free cruise.

Philip quickly opened the email and clicked the link for more information, but there was nothing there.

What he didn’t know is that this cruise offer actually came from a hacker and not Cruise Giveaways of America. This was no ordinary link, either.

That link exploited Philip’s home router using cross-site request forgery. Whoever’s in control of the routers is also in control of the traffic, making the hacker the one in control.

All the way back in 1998, Bleichenbacher had demonstrated that by revealing specific decryption errors, SSLv3 was leaking information an attacker could exploit. An attacker in possession of some secret encrypted information (like SSL key material) could ask the server if it can decrypt a series of carefully chosen encrypted messages. Each time the decryption succeeds, the attacker is able to narrow down the range of possibilities for the unknown encrypted value.

In cryptography, this is known as a side-channel attack, and more specifically, it is an adaptive chosen-ciphertext attack leveraging a padding oracle. More of this tech story at TripWire:
https://www.tripwire.com/state-of-security/vert/exploiting-robot-like-mr-robot/
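The padding oracle the paragraphs above describe, as an added example that is not from the TripWire article or the ROBOT researchers: a textbook PKCS#1 v1.5 unpadder that reports a distinct error for each failure (the oracle), beside a hardened one that behaves the same for valid and invalid blocks, plus the interval that a single "conforming" answer already pins the plaintext to. The function names, the toy block size k and the sample messages are assumptions, and the blocks are handled as raw bytes with no RSA operation involved.

```python
import os

def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """PKCS#1 v1.5 type-2 block: 00 02 <nonzero PS, at least 8 bytes> 00 <msg>."""
    ps_len = k - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus size")
    return b"\x00\x02" + bytes(b or 1 for b in os.urandom(ps_len)) + b"\x00" + msg

def pkcs1_v15_unpad_leaky(em: bytes, k: int) -> bytes:
    """Textbook unpadding that says WHY it failed: each distinct error answers a chosen ciphertext."""
    if len(em) != k:
        raise ValueError("bad length")
    if em[0] != 0x00:
        raise ValueError("first byte not 0x00")
    if em[1] != 0x02:
        raise ValueError("block type not 0x02")
    sep = em.find(b"\x00", 2)
    if sep == -1:
        raise ValueError("no separator")
    if sep < 10:
        raise ValueError("padding string too short")
    return em[sep + 1:]

def pkcs1_v15_unpad_uniform(em: bytes, k: int, expected_len: int) -> bytes:
    """Hardened unpadding in the style of RFC 5246 section 7.4.7.1: run every
    check without early exit, then return the real secret or a random substitute
    of the same length, so the peer sees one behaviour. (Python cannot promise
    constant time; what is shown is the uniform result, which removes the
    error-message half of the oracle.)"""
    fallback = os.urandom(expected_len)
    if len(em) != k:
        return fallback
    bad = em[0] | (em[1] ^ 0x02)
    sep = -1
    for i in range(2, k):          # always scan the whole block
        if em[i] == 0 and sep < 0:
            sep = i
    bad |= int(sep < 10)           # covers "no separator" and a short PS
    secret = em[sep + 1:] if sep >= 0 else b""
    bad |= int(len(secret) != expected_len)
    return fallback if bad else secret

def malformed_probes(k: int, expected_len: int) -> list:
    """A few constructed malformed blocks derived from one valid block."""
    good = pkcs1_v15_pad(b"x" * expected_len, k)
    return [b"\x01" + good[1:],                # first byte wrong
            good[:1] + b"\x01" + good[2:],     # block type wrong
            good[:2] + b"\xff" * (k - 2),      # no separator at all
            good[:2] + b"\xff\x00" + good[4:], # separator too early
            good + b"\x00"]                    # wrong length

def distinguishable_errors(k: int, expected_len: int) -> int:
    """How many different failure reports the leaky unpadder gives away."""
    seen = set()
    for probe in malformed_probes(k, expected_len):
        try:
            pkcs1_v15_unpad_leaky(probe, k)
        except ValueError as e:
            seen.add(str(e))
    return len(seen)

def conforming_interval(k: int) -> tuple:
    """One 'conforming' answer alone tells the attacker 2B <= m < 3B, B = 2**(8*(k-2))."""
    B = 1 << (8 * (k - 2))
    return 2 * B, 3 * B
```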
Russia's Fancy Bear APT Group Gets More Dangerous

Fancy Bear, the Russian advanced persistent threat group associated with the infamous intrusion at the Democratic National Committee last year among numerous other break-ins, may have become just a little bit more dangerous.

The group — also referred to as Sednit, APT28, and Sofacy — appears to have recently refurbished its primary malware tool, Xagent, and added new functionality to make it decidedly stealthier and harder to stop, security vendor ESET said in an advisory Thursday.

The modular backdoor has been a central component of Fancy Bear's campaigns for several years. Initial versions of the tool were designed to break into Windows and Linux systems. But it has been updated in the past two years to include support for iOS, Android, and, since the beginning of this year, OS X:
https://www.darkreading.com/attacks-breaches/russias-fancy-bear-apt-group-gets-more-dangerous/d/d-id/1330702
Interesting News Items This Week

Top 8 Cybersecurity Skills IT Pros Need in 2018 - slideshow:
https://www.darkreading.com/careers-and-people/top-8-cybersecurity-skills-it-pros-need-in-2018/d/d-id/1330657

The rise of the Satori botnet and the fall of the Andromeda (Gamarue) botnet are the main two factors that have led to a 50% growth of the Spamhaus Exploits Block List (XBL) during the past month:
https://www.bleepingcomputer.com/news/security/xbl-ip-blacklist-grows-50-percent-because-of-andromeda-and-satori-botnets/

2017 Worst Passwords PDF:
https://13639-presscdn-0-80-pagely.netdna-ssl.com/wp-content/uploads/2017/12/Top-100-Worst-Passwords-of-2017a.pdf

Malware hit these 3 verticals the hardest in 2017:
https://www.techrepublic.com/article/malware-hit-these-3-verticals-the-hardest-in-2017/#ftag=RSS56d97e7

The path for SMEs and GDPR - IT SECURITY GURU:
http://www.itsecurityguru.org/2017/12/22/the-path-for-smes-and-gdpr/

How Employees Unknowingly Gamble with Your Data:
https://www.tripwire.com/state-of-security/featured/employees-unknowingly-gamble-data/

Snowden’s new app uses your smartphone to physically guard your laptop:
https://theintercept.com/2017/12/22/snowdens-new-app-uses-your-smartphone-to-physically-guard-your-laptop/

Yet another bucket spill - Nissan Finance Canada Suffers 1.13 Million Record Data Breach:
https://thehackernews.com/2017/12/nissan-finance-breach.html?m=1

Man Threatened Company with Cyber Attack to Fire Employee and Hire Him Instead. For Realz:
https://www.bleepingcomputer.com/news/security/man-threatened-company-with-cyber-attack-to-fire-employee-and-hire-him-instead/

Latest Hacker News and IT Security News - UK hounded 100 Hacking Groups:
http://www.ehackingnews.com/2017/12/uk-hounded-100-hacking-groups.html?m=1

A study conducted by Verizon finds that online criminals are turning to cyberespionage and ransomware more frequently, with phishing emails among their most common tactics:
https://www.studyfinds.org/cyberespionage-ransomware-phishing-study/
Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.