CyberheistNews Vol 8 #17 New Large Email Security Gap Analysis Shows a Massive 15% Failure Rate

We thought it was bad when we saw Cyren's recent analysis that 10.5% of bad emails made it through the filters.

It could even be worse than that.

"Mimecast's latest ESRA (email security risk assessment) report found more than 14,277,163 pieces of spam, 9,992 emails containing dangerous file types, and 849 unknown emails with malware attachments -- all missed by the incumbent providers and delivered to users' inboxes.

Overall, the Mimecast security service determined that more than 14 million of the more than 95 million emails, or 15%, were in fact “bad” or “likely bad.”

In other words, the overall false negative rate in aggregate for the incumbent security systems that were tested was 15% of all emails inspected by Mimecast."

Ouch. Full story and link to report (PDF) at the KnowBe4 blog:

Why Human Vulnerabilities Are a Higher Cyber Security Risk Than Software Flaws

Jonathan Greig at TechRepublic wrote an article based on recent Proofpoint research:

Cybersecurity firms and analysts have been sounding the alarm on vulnerabilities in most web-based systems, pointing to loopholes and lapses in security. But a recent report from Proofpoint, a cybersecurity firm, said most cyberattacks are designed to take advantage of human error instead of flaws in hardware or software.

In their 2018 Human Factor Report, Proofpoint analyzed cyberattacks throughout 2017, looking into attempted attacks on nearly 6,000 organizations across the world. They found that almost every industry suffered from a growth in the number of attacks, ranging from phishing to ransomware and cloud application breaches.

Most fraudulent emails used brand names like Dropbox and DocuSign to get users to click on malicious links. Hacking attempts focused on human vulnerabilities in a system instead of lapses in software or hardware.

"Email remains the top attack vector...Attackers are adept at exploiting our natural curiosity, desire to be helpful, love of a good bargain, and even our time constraints to persuade us to click," the report said. Full story at the KnowBe4 blog:

Don’t Miss the May Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, May 2, 2018, at 2:00 PM (ET) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
  • NEW Industry Benchmarking feature enables you to compare your organization’s Phish-prone percentage™ with other companies in your industry.
  • Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting.
  • Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 17,000+ organizations have mobilized their end-users as their last line of defense.

Date/Time: Wednesday, May 2, 2018, 2:00 pm ET
Register Now:

Could Not Make It to RSA? Here Are the Social Engineering Highlights

First of all, here is a plus... your conference data was not stolen if you weren't there! RSA leaked all the attendees' personal details via unsecured public-facing APIs using hard-coded credentials in a mobile app. Epic Fail! More at Twitter:

Awards At RSA

SC Magazine published their 2018 Finalists and had the awards ceremony for around 30 categories. The selected products and services are actually quite useful as a start for your shortlist if you need to get a new product in place or replace an old one.

Note that in this award, the winners are not "voted for" by users of the products but awarded by a jury instead. This is not very common for awards like this but it prevents ballot box stuffing. Normally IT pros that use the product get to vote and the highest score wins, showing how many licenses are out there being used in real life.

In our space: "Best IT Security-related Training Program" the usual suspects and two others made it to the finalists: KnowBe4, Wombat and Cofense (formerly known as PhishMe). This year Wombat got the nod: congrats! Here is the full list, check it out:

Creating Human Firewalls

I was interviewed about battling social engineering attacks by BankInfo Security and the need to create 'Human Firewalls'. Video - 5:45m:

New-school Security Awareness Training Fully Legitimized

In the 2010-2011 timeframe, three pioneers started out this new category, and did a massive amount of evangelizing, building market awareness, and proved it was essential to create another security layer on top of all the existing (software) ones: your Human Firewall.

Fast forward 7-8 years and we have a mature segment with its own Gartner Magic Quadrant, the market consolidating with several of the existing players being acquired, and several smaller entrants that want to get a slice of the ever growing pie. Even Microsoft conceded this is essential and added a (very) limited "checkbox" phishing feature in Office 365.

Despite all this, at least 90% of the organizations out there are not yet sending frequent social engineering tests to their employees, waiting for the bad guys to do their "security audits" instead and potentially get into their network.

It's time to start phishing your own users to keep the bad guys out, and actually, it's quite fun as well—until you get caught yourself—which I was last week by my own team while I was at RSA! [redface] :-D

And to show some independent research on new ways to keep your network safe, CBInsights held a webinar about 2018 Cyber Defenders and highlighted KnowBe4 and Ironscales as the disruptors to watch in 2018 for Human-factor Security.

Here are links to the slide deck and the recording:

[LIVE Webinar] Levers of Human Deception: The Science and Methodology Behind Social Engineering

No matter how much security technology we purchase, we still face a fundamental security problem: people. This webinar will explore the different levers that social engineers and scam artists pull to make us more likely to do their bidding.

Join Stu Sjouwerman, CEO at KnowBe4, and Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4. Together, they’ll provide fun and engaging examples of mental manipulation in everyday life: from the tactics used by oily car dealers, to sophisticated social engineering and online scams.

Additionally, we'll look at how to ethically use the very same levers when educating our users.

Key Takeaways:
  • The Perception vs. Reality dilemma
  • Understanding the OODA (Observe, Orient, Decide, Act) Loop
  • How social engineers and scam artists achieve their goals by subverting its different components
  • How we can defend ourselves and our organizations
Seats are limited. Reserve your spot!

Date/Time: Wednesday, April 25, 2018, 2:00 pm ET
Register Now:

Poll: What Security Measures Are Most Effective in Fighting Ransomware?

The Spiceworks staff wrote: "Years after CryptoLocker raised its ugly head — setting off an unfortunate security trend — ransomware continues to be a rather painful thorn in the side of IT professionals and organizations around the world.

There isn't one magic bullet that can solve all IT security problems. Instead, companies must employ a layered strategy to reduce the risk of a ransomware infection. But are all security measures created equal?

Ideally, organizations would be able to follow all security best practices; in reality, however, organizations have to prioritize. Here's our question: If you landed in a brand new environment and had to choose, where would you start or focus your security efforts? That is, which security measures do you think are most important / are most effective when it comes to fighting ransomware?

Pick your favorites in our anonymous poll below (you can choose up to three options) and join the conversation in the comments!"

The poll asked: "What security measures are most effective in fighting ransomware?" and 2209 IT pros answered, including me (which you see as the bolded options). Here they are:

How Many of Your Users' Credentials Are Compromised?

Did you know that many of the email addresses and identities of your organization are exposed on the internet and easy for cybercriminals to find? With that email attack surface, they can launch social engineering, spear phishing and ransomware attacks on your organization.

KnowBe4’s Email Exposure Check Pro (EEC Pro) identifies the at-risk users in your organization by crawling business social media information and hundreds of breach databases. It does deep web searches to find any publicly available organizational data. Next, it finds any users that have had their account information exposed in any of several hundred breaches.

Your EEC Pro Report:

We will email you back a summary report PDF of the number of exposed emails, identities and risk levels found. You will also get a link to the full detailed report of actual users found, including breach name and if a password was exposed.

Getting your EEC Pro will only take a few minutes and is often an eye-opening discovery.

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"No such thing as spare time. No such thing as free time. No such thing as down time. All you got is life time. Go!" - Henry Rollins

"I've actually not read any books on time management" - Elon Musk

Thanks for reading CyberheistNews

Security News

The Human Dimension of GDPR

The European Union's General Data Protection Regulation (GDPR) will affect any organization that handles data about a European citizen. It takes effect this coming May 25th. GDPR involves three elements: People, Process, and Technology.

Compliance with GDPR looks daunting, but should be within reach. Start by recognizing that there's no simple technological fix for compliance.

It will also have some positive effects. It will drive organizations to become more aware of the data they hold and handle. Protecting individuals' data is the point of the regulation.

Compliance requires a culture that puts responsibility on the employees who handle the data. The individual employee is often called the weakest link. In this case there's an opportunity to turn that employee into the strongest safeguard.

Developing a culture where safe data use policies are understood and acted on is a long-term and ongoing process. The last month before full GDPR implementation is an excellent opportunity to raise awareness through interactive training and education.

Keeping people, process and technology in the forefront will ultimately serve both compliance and security. KnowBe4 has GDPR training modules in 20+ languages:

ComputerWeekly has the story:

Fact-Checking vs. Social Engineering

Fake news isn't the only thing that can be fought with fact-checking. Social engineering can also be thwarted with fact-checking. Unfortunately fact-checking takes more awareness and mindfulness than people tend to use when opening email or responding to texts. Cybercriminals are well aware of this.

Cognitive psychologists at Vanderbilt and Duke Universities describe some of the ways in which people fall short. One of them is "knowledge neglect," the tendency people have to ignore information that's right in front of their eyes.

You can test this with people who think the answer to the question, "How many animals did Moses put on the Ark?" is "Two." In fact it's none—Noah, not Moses, populated the Ark. Someone stumped by the old joke "Who's buried in Grant's Tomb?" is also exhibiting knowledge neglect.

We also suffer from "truth bias," the tendency to believe what we hear or read. There's also the "illusory truth effect," in which people come to take for granted as true what's been repeated to them many times. Cyber criminals are well aware of these cognitive dispositions to error, and they exploit them when they phish.

The researchers find that it's very tough to shake people out of their dispositions to error. One way that seems to show some success is to ask people to edit a passage and find its errors. But some well-crafted awareness training can help employees become more critical readers of phishing emails. Tech Republic has the story:

People Are Exploited, Not Flaws in Software

Most compromises continue to occur because of human error. The criminals' first target is usually the user, not the technology. People are naturally curious. They want to help, and they're always on the lookout for a bargain.

As long as human nature is part of the equation, cyber criminals will continue to take advantage of weaknesses in people instead of flaws in the software.

Email is the tried-and-true tool of social engineering. A recent study shows that 80% of organizations experiencing cyber attacks found that the incidents began in emails.

Social engineers choose their phishbait to make it attractive. Subject lines containing a reference to legal advice or best practices increased the effectiveness of phishing emails dramatically. 30% of clicks in malicious messages are made within the first 10 minutes of receipt.

50% of the responses occur in the first hour. Users are also often tricked into swallowing malicious messages that contain links to file-sharing services like Dropbox. Those services are useful, but they need to be used with care.

Intelligently designed, interactive training can help. The threat may not end with the click. Advanced Persistent Threats (APTs) are often carried by malicious email. Attackers use these to establish long-term presence in an organization's systems. No sector or organization is immune to APTs. Computing UK has the story:

Phishing in Alberta

Social media, email, and texting are replacing paper mail. What used to arrive by letter carrier now often arrives by smartphone. Their efficiencies are accompanied by new opportunities for fraud, especially phishing and smishing.

Alberta residents were recently the victims of a phishing scam. Clients of Energy Efficiency Alberta, a provincial agency that helps citizens to more intelligently consume energy, were recently phished by a legitimate looking text message.

The message directed the reader to click on a link to have their “energy efficient rebate” directly deposited into their bank account. The link actually took the unknowing victim to a website where they were instructed to enter their personal banking information. This in turn was harvested by the phishers.

This social engineering ploy compromised bank accounts. The director of Public Affairs and Communication for Energy Efficiency Alberta assured the public that they never use texting as a means of asking for personal information.

She encouraged anyone receiving such a text to contact the Energy Efficiency Alberta offices immediately. There's good news: apparently none of the recipients of the bad texts took the bait.

The incident highlights the importance of educating customers and stakeholders as well as employees. Organizations should make it clear that they won't solicit personal information in ways that lend themselves to social engineering. Global News has the story:

Business Email Compromise in the Shipping Industry

A new wave of business email compromise is hitting the maritime shipping industry and their customers. Secureworks is warning of a gang, apparently based in Nigeria, that attempts to steal an average of $6.7 million annually.

They call the threat group "Gold Galleon." In business email compromise, criminals pose as a senior executive in an organization. They send an email spoofing the executive's account to employees who are asked to transfer funds to accounts controlled by criminals.

Gold Galleon supports its efforts with keyloggers and password-stealers acquired in the black market. The shipping industry is an attractive target because it operates globally in many countries and across many time zones.

It routinely uses email as its basic communication tool. Gold Galleon isn't technically sophisticated. It relies on commodity tools for infection and obfuscation. It is, however, operationally sophisticated, adept at covering its tracks and making effective use of its resources.

Business email compromise can be fought with policies that prevent employees from taking certain actions, especially wire transfers of funds, on the strength of a single email. Those policies must of course be made a matter of training and emphasis.

Organizations that rely on email should consider realistic interactive training to make employees aware of the danger of business email compromise. SecurityWeek has the story:

Interesting News Items This Week

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.