CyberheistNews Vol 8 #42 [Heads-Up] U.S. Government: "Your Weak Cyber Security Violates Federal Law"


Reuters just made me aware of a very interesting U.S. Securities and Exchange Commission report. The SEC recently investigated nine companies that had been victims of CEO fraud and made their findings public. They specifically wanted to know if the victims had sufficient internal controls in place as required by law.

The report focused on what the FBI calls “business email compromise” and what in InfoSec circles is known as CEO fraud: cyber criminals pose as company executives to dupe staff into sending company funds to bank accounts controlled by the hackers. The FBI estimates such scams have led to a whopping 12 billion dollars in losses since 2013.

In some cases, attacks on these companies lasted months and were only discovered when law enforcement intervened. Each had securities listed on a national stock exchange and lost at least 1 million, though two lost more than 30 million and one lost more than 45 million.

Stephanie Avakian, Co-Director of the SEC Enforcement Division, said in a statement: "We did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations."

Regulators and lawmakers are increasingly focused on the risks cyber criminals pose to companies and their customers following a series of high-profile incidents.

Not Just Public Companies

And it's not just public companies that are required to have internal controls to protect against risks like this. There is a lot of recent case law that shows you need to have defenses against social engineering in place. Any organization needs to have what the courts view as "Reasonable Cybersecurity".

Here is the KnowBe4 blog post with links, and three free resources you can immediately download. There is a video, a whitepaper and a no-charge Phish Alert Button for your users, which now also works on Outlook Mobile:

Here Is Some New Powerful Ammo to Get InfoSec Budget Approval!

The team at Forbes Magazine's Tech Council asked me to write up the lessons we have learned over the last 8 years of helping you keep the bad guys out of your network. It took me a while, but the article was finally published. :-D

The editorial process was professional, and they asked me to provide links to pretty much every claim I made. Turned out to be a very interesting exercise, because it allowed me to summarize a lot of what I have said here in the last few years.

It was written for C-level executives, and has three business lessons that are powerful ammo to get InfoSec budget approval. This is a 3-minute read. I strongly recommend you read it yourself, and then forward the link to your C-level execs.

The Russia Problem: What Businesses Can Learn From Cyberwarfare

The story starts with: "As someone who has built IT security companies from the ground up and dealt with the growing issue of malware for well over 15 years now, the last thing I expected when I started my current company is that I would have to become somewhat of a Kremlinologist." Full story:

PS: While in Gmail, testing this link, I got a popup saying "malicious emails often link to this site" and asking whether I wanted to proceed to Forbes. Interesting, but this article is legit and the link is OK. Please forward this Forbes link to your friends; it may help them too.

Scam of the Week: Sextortion With a RATty Twist

Sextortion is a form of blackmail where the extortionist claims to have photos or video of the victim watching adult entertainment on their computer. The criminal threatens to send the compromising images out to the victim's email address book.

We've described this sort of crime before, and in the past, typically, that's as far as classic sextortion went. The extortionist almost never had pictures, video, screen captures, browser history, or anything else. It's typically been an empty threat.

The scammers are vague on the details of the sites the victims are said to have visited, and that's no accident. The extortionists usually have no access at all to their marks' devices and the attacks are "spray-and-pray".

This new sextortion version has a twist: the hacker claims to have placed a RAT (Remote Access Trojan) on your computer, making it possible to take control of the device. And that's the twist: the criminal threatens to send the embarrassing material from the victim's own device.

Perhaps the most convincing element of the scam is that the extortion email has been crafted to look as if it were sent from the victim's own email account, spoofing their email address. This can help convince someone that yes, they really have been infected by a RAT.

Victims are told they have one day to come up with the ransom, to be sent in Bitcoin of course. If they fail to pay, they'll be humiliated from their own email account. Analysis of the Bitcoin transactions associated with the sextortion emails found that victims had handed over seven Bitcoin in a short period of time, making it one of the more successful extortion emails seen.

RATs are real, and they've been spotted in all sorts of devices. But there's no RAT here: it's a pure hoax. The scammers are simply spoofing the victims' email address, which is easy enough to do, but which can be surprising and unsettling enough to spook a victim into paying. The extortionist's email seems real, and urgent, and all the more convincing.
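The self-spoofing trick above is exactly what a mail gateway's authentication results expose. As an added example (not code from this newsletter or from KnowBe4), here is a small triage routine that flags a message whose From address equals its own recipient when the gateway's SPF/DKIM/DMARC verdicts say that address was never verified; it assumes the receiving gateway stamps an Authentication-Results header (RFC 8601), and the two sample messages are constructed.

```python
"""Triage one message for the self-spoofed sextortion pattern.
Added example (not KnowBe4 code); assumes the gateway stamps an
Authentication-Results header (RFC 8601); sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: From equals To, gateway reports SPF/DMARC failure, RAT/BTC pitch.
SAMPLE_SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
From: Alice Example <alice@example.com>
To: alice@example.com
Subject: Your account has been hacked

I placed a RAT on your computer. Pay 0.3 BTC within 24 hours.
"""

# Constructed: a genuine note-to-self that passes authentication.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Alice Example <alice@example.com>
To: alice@example.com
Subject: Reminder

Renew the domain registration next week.
"""

# Phrases typical of the extortion pitch, matched on word boundaries.
KEYWORDS = ("rat", "remote access", "bitcoin", "btc", "hacked", "24 hours")


def auth_verdicts(msg):
    """Collect spf/dkim/dmarc results from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def triage(raw):
    """Return {'flagged', 'reasons', 'auth'} for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    verdicts = auth_verdicts(msg)
    payload = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + "\n" + payload.decode("utf-8", "replace")).lower()
    reasons = ["from-matches-to"] if sender and sender == recipient else []
    # DMARC fail, or SPF fail with no DKIM pass, means From was never proven.
    if verdicts.get("dmarc") == "fail" or (
            verdicts.get("spf") == "fail" and verdicts.get("dkim") != "pass"):
        reasons.append("auth-failed")
    elif not verdicts:
        reasons.append("auth-missing")  # no gateway verdict: cannot tell
    hits = [k for k in KEYWORDS if re.search(r"\b%s\b" % re.escape(k), text)]
    if hits:
        reasons.append("extortion-keywords:" + ",".join(hits))
    # The hoax only works when a self-addressed From went unverified.
    flagged = "from-matches-to" in reasons and any(r.startswith("auth-") for r in reasons)
    return {"flagged": flagged, "reasons": reasons, "auth": verdicts}
```

A genuine note-to-self passes because the gateway's verdicts vouch for the From address; the same check is what a DMARC reject policy on your own domain enforces at the gateway before the message reaches anyone.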

I suggest you send the following to your employees in accounting specifically. You're welcome to copy, paste, and/or edit:

The bad guys are getting very deceptive with sextortion scams. They now send you an email that looks like it is coming from yourself (spoofing your email address) and claim that they have infected your workstation with a backdoor which allows them to take control of your computer.

Next, they accuse you of watching adult entertainment and claim to have recorded it. And here comes the kicker: unless you pay them bitcoin, they threaten to use your own computer to send embarrassing content to all your contacts.

If you get emails like that, please follow our organization's email security policy, and Think Before You Click! [OPTIONAL] Click on the Phish Alert Button to delete it from your inbox and at the same time alert IT about this scam.
Let's stay safe out there.

Live Webinar: How to Make Your Cybersecurity Awareness Program Stick Year-Round

National Cybersecurity Awareness Month (NCSAM) is here and hopefully you've had some great events and success stories. But no matter how good it has been, a 'once-and-done' event will never create sustainable behavior change in your organization. Don't fall victim to the tendency to put all your energy, budget, and hopes into NCSAM.

In this webinar, KnowBe4's Chief Evangelist and Strategy Officer, Perry Carpenter, will share practical strategies for creating awareness programs that work year-round.

You will learn:
  • The benefits and limitations of NCSAM
  • Reasons why employees make secure or insecure decisions
  • Thoughts on how marketers, public relations departments, behavior scientists, and storytellers approach motivating behavior change in others
  • How to create an impactful and sustainable security awareness training program
Date/Time: Wednesday, October 24, 2018 at 1:00 PM (ET)
Save My Spot!

Find out If Hackers Can Spoof Your Domain

Are you aware that one of the first things hackers try is to see if they can spoof an email address of someone in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users have been thoroughly trained in security awareness.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test.

Find out now if your email server is configured correctly; many are not!

What Keeps You Up at Night

When it comes to security concerns, IT has a lot to deal with. Issues like ransomware, external attacks, data breaches and compliance mandates are all sources of major headaches and stress. Take this short survey for a chance to win a $500 Amazon gift card.

So, what aspects of IT security have you worried?

In this fast, 5-minute “2018 What Keeps You up at Night” online survey, we want to hear about what issues are of the greatest concern to you and your organization.

Hurry and take the survey now - be one of the first 500 to take the survey and have a chance to win one of several $500 Amazon gift cards!

Whitepaper: The Critical Need to Improve Your Compliance Processes

Compliance is time-consuming and fraught with risk. However, most organizations have not implemented the processes and tools necessary to manage the compliance process efficiently.

This new Osterman research report delivers insights you need to streamline and centralize audit and compliance processes across your entire organization.

The research discussed in this survey report found that most organizations like yours must comply with a large and growing number of compliance obligations.

However, compliance is time-consuming and takes your already limited staff time away from other tasks. It’s fraught with risk because of the potentially severe consequences associated with a failure to adequately satisfy these obligations.

In many situations, the current processes in place within your organization may not be adequate to meeting current compliance obligations, nor are they scalable to meet your future needs.

In this paper, you'll learn:
  • The growing role of compliance
  • The need to comply with multiple regulations and regulatory frameworks
  • Problems associated with complex and overlapping requirements
  • Ways to simplify the compliance process in your organization
Download Your Whitepaper Now

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
I'm reading "Measure What Matters" by John Doerr and wanted to share this quote from Intel's Andy Grove with you:

"You know, in our business we have to set ourselves uncomfortably tough objectives, and then we have to meet them. And then after ten milliseconds of celebration we have to set ourselves another set of highly difficult-to-reach objectives and we have to meet them. And the reward of having met one of these challenging goals is that you get to play again."

Thanks for reading CyberheistNews

Security News

Hackers Hit North Carolina Utility

Organizations under stress can be attractive targets for cybercriminals. In North Carolina the Onslow Water and Sewer Authority (ONWASA) was the victim of an attack that affected its internal systems even as it was recovering from Hurricane Michael damage. The attack was a multistage operation in which phishing emails delivered first the Ryuk ransomware, then the Emotet Trojan.

Jeffrey Hudson, the utility's CEO, noted that customers' personal data were not compromised in what is being called "a sophisticated ransomware attack." The FBI, Department of Homeland Security and the state of North Carolina have all been called in to investigate the breach.

Hudson stated the utility experienced attacks on October 4th, but that the attack was now believed to be under control. Local governments have not been immune to cyberattacks.

Sometimes preparation pays off. The city of Baltimore, Maryland, was also hit in March, when its 911 dispatch system was disrupted for seventeen hours. Baltimore rode out the attack more successfully. The city quickly moved to manual backups for 911 dispatch, and remediation was complete in less than a day.

As has often fortunately been the case in such attacks, business and not operational control systems were the ones affected. ONWASA was able to continue functioning, albeit with inconvenience, and its customers got their water.

But the timing of the attack is worth noting. Onslow County, like many other areas in the Carolinas, has been heavily hit this hurricane season. In fact, ONWASA only lifted a storm-induced "boil-water" advisory on September 22nd.

Hackers will often time their attacks to coincide with periods during which organizations are likely to be distracted and more prone to let their guard down. The aftermath of a natural disaster is one of those times.

So, preparation is important, and so is situational awareness about heightened vulnerability. Organizations can help their employees with both if they conduct tailored, interactive security awareness training. SecurityWeek has the story:

Tech Support Scams' Impact Down

Most of us have received an unsolicited phone call from a reputable sounding tech support organization informing us that a problem was detected with our computer. The old response, years ago, was to grab a credit card and ask how quickly the issue could be resolved. That was then, but now the educated individual knows how to spot a scam, and more people are educated. It shows in the numbers.

It's appropriate that the study should have been done by Microsoft, which is the usual false flag of convenience the scammers try to fly. After polling 16,000 Internet users in sixteen countries, Microsoft has determined that global exposure to tech scams along with the monetary losses associated with them are declining.

Microsoft’s findings showed 63% of consumers had been recently subjected to a tech support scam. This is down 5% from 2016. Those suffering financial loss as a result of the scams fell to 3%, and that’s down from 6%. Among the unwary who fell for the scam, 76% reported stress as a result of being the victim of fraud.

This is insult on top of the injury of monetary loss. 8% spent time and money repairing their computer as a result of an attack. The Microsoft report noted that exposure to scams dropped in proportion to lower exposure to pop-up ads.

But skepticism about unsolicited tech support calls also played a role in the decrease. Nearly one third of those contacted by scammers about an alleged issue declined the bogus help and chose to research it themselves.

Surprisingly, younger avid Internet users were more likely to fall prey to tech scams and were more likely to fork over cash to fix the problem. This vulnerability seems to come from the frequency with which younger users visit high-risk sites.

Looking at the issue globally, tech support scams are on the decline. The UK seems to be the exception here. In Great Britain 62% of those surveyed by Microsoft said they'd experienced a scam, and 6% reported losing money. That's an outlier, internationally: an increase in the UK from the 2% who lost money in 2016.

On balance this is a good news story, because public awareness about the hoary old help-desk scam is clearly up. It shows the value of awareness campaigns and training generally. Organizations investing in training their employees show a good return in terms of increased awareness of social engineering.

Training and education are helping shape a safer Internet experience, both at work and at home. InfoSecurity Magazine has the story:

Three Out of Ten People Would Fall for Impersonation Scams

Phony police calls in the US have been telling people they need to pay a fine for missing jury duty. In the UK the scams take a different form: the bogus police are asking for the victims' help, or are advising the victims on how to avoid being trapped by fraud.

30% of people in the UK would voluntarily transfer money out of their bank account at the request of someone posing as law enforcement, a survey by the Nationwide Building Society has found. Additionally, 29% of those surveyed said they would be willing to withdraw their own cash from their bank and give it to the Police or the National Crime Agency (NCA) to check for fingerprints.

The survey also shows that young people aged 16-24 are four times more likely to fall for such scams than people who are over 55 years old. Nearly half (48%) of the younger crowd would move their money into another account if they were told they were at risk of being a victim of fraud.

Nationwide stresses the fact that neither the Police nor the NCA would ever ask a member of the public to do these things.

“It might be surprising that many people believe it is credible that the Police would request them to use their own money to help with an investigation, but people do fall for this scam. It shows that the key to thwarting the scam artists and fraudsters is education.

We’d urge people to learn as much as they can about the tricks that scammers use,” said Stuart Skinner, Nationwide’s Director of Fraud. “Our branches are running fraud awareness events and anyone can go along for free to find out how to avoid becoming a victim and what they should look out for. The dates of the events vary from branch to branch, so call in to a local branch to find out more.”

These scams take advantage of victims' helpfulness and sense of civic duty to trick people into handing over their money. Education, as Mr. Skinner suggests, is the primary defense against these criminals. New-school, interactive awareness can give your employees a sense of vigilance that will help them recognize these scams in the real world. Action Fraud has the story:

What KnowBe4 Customers Say

"Hi Stu, Thanks for checking in – we’re very happy with the service so far, and startup is going well. I’d like to compliment your team on putting together an excellent onboarding/startup process, I love the ASAP tool and how it lays out a schedule for busy IT departments to do what needs doing each week, so there’s no excuse for the project to bog down or stall.

Also, Brandie Leffler has been outstanding, she knows what questions I’m getting ready to ask and how to answer them, and she’s been a great resource – the perfect balance of staying on top of things vs. bugging me too much. She’s a pleasure to work with.

Quite a few of our staff members have expressed thanks to our organization for offering this training, they’ve already gained useful skills and knowledge just in our first month or so." - M.J. IT Manager

"Hi Stu, Thank you for reaching out to me. I think you’ll be pleased to know that I am a happy customer. We are attaining very good results by teaming up with KnowBe4 as part of our security training program. I particularly value the responsive customer service, the rich content, and the easy-to-use management website.

I would also like to thank you for sending Roger Grimes's book. I enjoyed reading it and got a lot out of it. I shared excerpts with my staff and peers. It's a pleasure doing business with KnowBe4." Best regards, T.P., Chief Information Security Officer

PS: If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:

The 10 Interesting News Items This Week
    1. Forbes Tech Council Article By Yours Truly: "The Russia Problem: What Businesses Can Learn From Cyberwarfare":

    2. Most executives around the world see untrained staff as the greatest cyber risk:

    3. An A.I. Glossary in the NY Times for your C-level execs:

    4. Ransomware Report - "$20B in global damages by 2021. Attack every 11 seconds":

    5. Editor's Notes: A Dangerous New Class of Weapons Emerges:

    6. U.S. Charges Russian With Trying to Influence 2018 Midterms:

    7. Who gets spear phished, and why?

    8. Cybercrime-as-a-Service: No End in Sight:

    9. Artificial intelligence is automating attacks on political campaigns:

    10. How to Boost Remote Productivity While Remaining Secure:
Prepared in cooperation with the CyberWire research team.

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.