CyberheistNews Vol 7 #9 Survey: Most Hackers Break in Within Six Hours



CyberheistNews | KnowBe4

CyberheistNews Vol 7 #09
Survey: Most Hackers Break in Within Six Hours

A recent survey of 70 professional hackers and penetration testers found that 60% of them take a maximum of just six hours to compromise a target. The research titled The Black Report, was done at Black Hat USA and Defcon.

Penetration testers try to break into the network of the client organization and then provide advice on how they can secure those networks, one of the things KnowBe4's Chief Hacking Officer does through his (separate) company Mitnick Security with a 100% success rate.

When the 70 hackers were queried about how often they encountered systems they could not crack, 9% said this never happened. But 53% said "sometimes", 22% "rarely", and 16% "often" faced this issue.

40% said phishing was their favorite method to get into a system

Asked about the use of social engineering, 43% of the group said they used it "sometimes" to gain access and only 16% did not use it at all, and 40% said phishing was their favorite method to get into a system. No wonder, as hacking a human is by far the easiest way to get into a network.

Regarding using vulnerability scanners to detect potential entry methods, 40% said they used this method "sometimes", but 60% said they used open-source tools to hack and custom tools were used by just over 20%.

A third of the pen testers said their presence was never detected by the security team at the organization they were testing. Only 2% were detected more than half of the time, while another third were always detected.

After a compromise, exfiltration of data took 20% of them less than two hours, another 29% took anything from two to six hours to get the goods out, while about another 20% took more than 12 hours.

Only 2% of the hackers found anti-virus software an obstruction

Only 2% of the hackers found anti-virus software an obstruction to compromising systems. The biggest hurdle was endpoint security which 36% found to be an effective countermeasure to their plans; another 29% cited intrusion detection and prevention systems.

Advice for Company Boards: There Is a Return on Investment

When the survey asked what main message they had for the boards of companies that were penetrated, 25% of the hackers said the boards should realize that it was a matter of when, not if, a company was hacked, and about the same percentage stated that boards should realize that there was a return on investment for security and it was not a waste of time or money. To add to that, 10% said boards should be aware that the ability to detect an attack was much more important than being able to deflect one.

KnowBe4 recently commissioned Forrester to conduct a Total Economic Impact™ (TEI) study, examining the potential Return on Investment (ROI) enterprises might realize by implementing the KnowBe4 Security Awareness Training and Simulated Phishing Platform.

Whitepaper Download: Forrester Total Economic Impact Study

The research paper assesses the performance of the KnowBe4 Platform. How does 127% ROI with a one-month payback sound?

At the end of the study, you will have a framework to evaluate the ROI of the KnowBe4 Platform on your organization, and how you can leverage your end-users as your last line of defense using KnowBe4.

The value of KnowBe4 goes beyond ROI. Download the study here:
https://info.knowbe4.com/whitepaper-forrester-tei
January 2017 Data Breach Report

You may have heard of Piper Jaffray & Co. Since 1895, they have been active in the stock markets, based out of Minneapolis. They are a thoroughly modern company though, and two of their research analysts - Nowinsky and Boyce - are keeping track of data breaches. The picture has thunderclouds with some silver lining.

"We conducted our monthly analysis of breaches reported in the month of January. There were 92 breaches reported in the month of January, which was up 48% y/y. The month of January also had the highest number of breaches since May of 2016, when there were 106. The three largest breaches all occurred within the Medical/Healthcare sector.

"For the full year 2016, there were 1,011 total breaches, up 30.3% from 2015. There were 1.54B records exposed in 2016, up from just 163.5M in 2015. However, excluding the two Yahoo breaches, there would have only been 35.8M records exposed, which is down 78% from the 2015 level. While the total number of breaches in 2016 was up 30%, the total number records exposed (excluding Yahoo) was down 78%."

How Do Breaches Correlate With Sales of Security Companies?

They calculated a 61.8% correlation between breach activity and revenue growth within the security industry. Their correlation calculation assumes a one-quarter lag between breach activity and revenue growth, meaning revenue growth tends to trend higher following an increase in breach activity. They also noted an acceleration in breach growth to 35% in 4Q16, suggesting 1Q17 vendor revenue growth could be better than normal seasonality." Learn more at piperjaffray.com.
Security Awareness Training to Explode in Next 10 Years

Tara Seals at InfoSec Mag reported: "Security awareness training is the most underspent sector of the cybersecurity market, but it’s poised to become a multi-billion-dollar industry in 2017.

That’s according to a report from Cybersecurity Ventures, which also said that the market will top $10 billion by 2027.

According to Steve Morgan, founder and editor-in-chief at Cybersecurity Ventures, Fortune 500 and Global 2000 corporations will consider security awareness training as fundamental to their cyber-defense strategies by 2021, with small businesses following shortly thereafter.

Organizations of every size are starting to recognize that inside threats are as significant as outside threats, the research postulates, and users will be a crucial part of any organization’s information security program. So, training those users to recognize the overtures of malicious actors will be critical to hardening the “people layer,” also known as the last line of defense against cyberattacks.

Awareness training that combines interactive training in the browser with frequent simulated phishing attacks straight into the user’s email inbox has “proven to be very effective in creating a human firewall, a company’s last line of defense,” said Stu Sjouwerman, CEO of report sponsor KnowBe4.

“New-school security awareness training has by far the best ROI of any security layer. Users see phish-prone percentages go from an average of 15 to 20% down to 1% or 2% after a year.” Full article:
https://www.infosecurity-magazine.com/news/security-awareness-training-to/
Don’t Miss the March Live Demo: New-School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, March 8, 2017, at 2:00 p.m. (EST) for a 30-minute live product demonstration of KnowBe4's game-changing Security Awareness Training Platform to see the latest features and how easy it is to train and phish your users:
    • NEW Social Engineering Indicators patent-pending technology, turns every simulated phishing email into a tool IT can use to instantly train employees.
    • NEW Access to the world's largest library of awareness training content through our innovative Module Store.
    • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
    • Active Directory Integration allows you to easily upload and synch manage users, set-it-and-forget-it.

    • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 8,000+ organizations have mobilized their end-users as their last line of defense.

Register Now: https://attendee.gotowebinar.com/register/3367146988510458370

Warm Regards,
Stu Sjouwerman

Quotes of the Week
"Opportunities are usually disguised as hard work, so most people don't recognize them."
- Ann Landers (1918 - 2002)

"To succeed, jump as quickly at opportunities as you do at conclusions." - Benjamin Franklin



Thanks for reading CyberheistNews
Security News
KnowBe4's Chief Hacking Officer Kevin Mitnick Interviewed by WSJ

Kevin Mitnick, who spent time on the FBI's Most Wanted List for hacking 40 corporations in the 1990s, discusses his new book, "The Art of Invisibility," on Lunch Break with Tanya Rivero. He also explains why hackers breach data with relative ease, and why we should never link our devices:
http://www.wsj.com/video/former-convicted-hacker-on-how-to-protect-your-data/165951D3-CEDF-4752-BF16-A9B9D19F7E4C.html
Phishing Attack Uses Stuxnet Technology and Makes PCs Into Roombugs

Researchers have uncovered an advanced malware-based operation that siphoned more than 600 gigabytes from about 70 targets in a broad range of industries, including news media, and scientific research.

The operation uses malware to capture audio recordings of conversations, screen shots, documents, and passwords, according to a blog post published last week by security firm CyberX. Targets are initially infected using malicious Microsoft Word documents sent in phishing e-mails.

Once compromised, infected machines upload the pilfered audio and data to Dropbox, where it's retrieved by the attackers. The researchers have dubbed the campaign Operation BugDrop because of its use of PC microphones to bug targets and send the audio and other data to Dropbox.

To become infected, targets had to open the malicious Word document attached to the phishing e-mail and enable macros. To increase the chance targets would change this default setting, the Word document included a graphic that looked like an official Microsoft notification.

It read: "Attention! The file was created in a newer version of Microsoft Office programs. You must enable macros to correctly display the contents of a document."

CyberX researchers stopped short of identifying a specific country involved (Russia) but said Operation BugDrop was almost surely the work of a government with nearly limitless resources.

"Skilled hackers with substantial financial resources carried out Operation BugDrop," they wrote. "Given the amount of data analysis that needed to be done on [a] daily basis, we believe BugDrop was heavily staffed. Given the sophistication of the code and how well the operation was executed, we have concluded that those carrying it out have previous field experience."

Some examples of the way Operation BugDrop is very sophisticated include:
    • Dropbox for data exfiltration. Organizations typically don't prevent end users from accessing Dropbox and often don't monitor connections. That helped the surveillance operation to remain stealthy.
    • Reflective DLL Injection, a malware injection technique that was also employed by the BlackEnergy malware used in the Ukrainian power grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities. Reflective DLL Injection loads malicious code without calling the normal Windows API.
    • Encrypted DLLs that avoid detection by common anti-virus and sandboxing systems.

    • The use of legitimate free Web hosting sites for command-and-control infrastructure. The hosting sites required little or no registration information, making it hard for researchers to learn much about the attackers.
An employee stepped through new-school security awareness training would not have made an obvious error like that. Full story at Arstecnica:
https://arstechnica.com/security/2017/02/hackers-who-took-control-of-pc-microphones-siphon-600-gb-from-70-targets/
5 (No, 22) Ways to Spot a Phishing Email

Think you're clever enough to recognize a phishing attempt? Think again. Cybercriminals are getting smarter and their phishing skills are getting better, but we've put together this list of clues to help you avoid a costly error. Article at CSO, pointing to a bunch of things we have been saying here the last few years.
http://www.csoonline.com/article/3172711/security/5-ways-to-spot-a-phishing-email.html?

As a matter of fact, here is a unique job-aid: Social Engineering Red Flags™ with 22 things to watch out for. It's a free PDF and you can print it out for all employees to pin on their wall:
https://cdn2.hubspot.net/hubfs/241394/Knowbe4-May2015-PDF/SocialEngineeringRedFlags.pdf
iPhone Robbers Try to iPhish Victims

Brian Krebs warned: "In another strange tale from the kinetic-attack-meets-cyberattack department, earlier this week I heard from a loyal reader in Brazil whose wife was recently mugged by three robbers who nabbed her iPhone. Not long after the husband texted the stolen phone -- offering to buy back the locked device -- he soon began receiving text messages stating the phone had been found. All he had to do to begin the process of retrieving the device was click the texted link and log in to the phishing page mimicking Apple's site. More:
https://krebsonsecurity.com/2017/02/iphone-robbers-try-to-iphish-victims/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | Google | YouTube
Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews