CyberheistNews Vol 8 #51 Dec 26th
Welcome to the CyberheistNews 2019 Crystal Ball Issue.

Every year in December, I spend a few days analyzing our space and predicting the coming year. The Crystal Ball issue takes the longest to write, but it's fun to do!

And as usual, I'm donning my asbestos undies, so you can safely flame my poor behind after reading the new 2019 predictions. And again, we go gazing in the crystal for the coming 12 months, but remember, the future ain't what it used to be. It's already here, but unevenly distributed.

I looked at my predictions for 2018, and unfortunately in most respects, 2019 won’t change much: untrained users will still fall for increasingly sophisticated social engineering tactics. IT will still have trouble with patching. The bad guys will still attack and bad news from data breaches will continue. Cyberattacks will become increasingly destructive and devolve into cold cyberwar. IT pros find themselves in the trenches of this war that they did not sign up for.

What matters most is whether your organization will be a victim or not. Of course you could do nothing and be lucky. But the only way to control your destiny is to make your organization a hard target based on a top-down, security-first culture.

To start off, also as usual, I'm repeating the tradition of my same New Year's wish as a newsletter editor since 1996: "A world without war, crime and insanity, where honest people can flourish, prosper and reach greater heights".

Warm Regards,
Stu Sjouwerman

2019 Crystal Ball

While we’re often busy staying focused on the present, it can be an interesting exercise to take a step back and see where you’re heading in the future. Let’s take a look into the crystal ball and highlight some of the cybersecurity trends that I predict 2019 has in store for us.
  1. Next year, AI-based attacks will increase attacker capabilities and scale. These types of attacks will become the new norm. We’ll see our first AI-driven phishing attack at scale (20 million+). This attack will consist of highly personalized laser phishing, with an all-time high click-through rate of more than 50 percent.

  2. The day when quantum computers outperform traditional binary computers will arrive in 2019. The incredible advancements being made in quantum computing on a routine basis are going to make 2019 the year of the ultimate digital crossing of the Rubicon. This may or may not also be coupled with enough quantum accuracy to leave anything that traditional public-key crypto (e.g., RSA, Diffie-Hellman, etc.) protects suddenly unprotected.

  3. Data exfiltration will become the hot new topic. There is value in data, and immense amounts of data are being collected by both the private and public sectors. Attackers will not only continue to ransom data for recovery, but will also find creative ways to exfiltrate data and then demand a ransom for its destruction, or for keeping silent about the fact that they exfiltrated the data in the first place.

  4. 2019 is the year that third-party antivirus products will be generally acknowledged as dead. Antivirus has been dying off over the years; however, 2019 will be the year that it’s truly considered a dead and useless technology. People will simply upgrade to Windows 10 and not bother with antivirus or third-party firewalls.

  5. When it comes to security awareness training, we’ll see for the first time legislation signed into law that requires yearly security awareness training to be expanded with frequent social engineering tests. This is a critical addition, as users are truly your last line of defense.

  6. The future of computer security and hacking is competing algorithms that simultaneously war against each other in a digital battle of good vs. evil. Taking advantage of the improvements in AI, humans will have less and less involvement in their security consoles. Basically, once set up, the algorithms take over and do a better job defending networks and computers than those with a more hands-on approach. The computer scientists who perfect these algorithms are the rock stars of 2019 and beyond.

Want more, and want to know the "Wild-Ass-Guesses" for 2019? Listen to the on-demand webinar “2019 Crystal Ball: What Security Experts Worry About for 2019” that Perry Carpenter and I conducted on December 13. You can also download the PDF slide deck:
https://blog.knowbe4.com/live-webinar-2019-crystal-ball-what-security-experts-worry-about-for-2019
Did You Know That 91% of Successful Data Breaches Started With a Spear Phishing Attack?

Find out what percentage of your employees are Phish-prone™ with your free phishing security test. Plus, see how you stack up against your peers with the new Phishing Industry Benchmarks!

IT pros have realized that simulated phishing tests are urgently needed as an additional security layer. Today, phishing your own users is just as important as having antivirus and a firewall was 20 years ago. It is a fun and effective cybersecurity best practice to patch your last line of defense: USERS.

Here's how it works:
  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Go Phishing:
https://info.knowbe4.com/phishing-security-test-chn
New Clickbait Warning: "Captain America Star Hayley Atwell Nude Photos Hacked"

And another one... will these stars ever learn? We suggest you send a simulated phishing attack to inoculate your users. There is a new template available in our Controversial/NSFW category. On our blog is a screen shot of the email, and a link to one of the many news articles. Keep your users on their toes with security top of mind!
https://blog.knowbe4.com/new-clickbait-warning-captain-america-star-hayley-atwell-nude-photos-hacked
Don't Miss the January Live Demo: Simulated Phishing and Awareness Training in Action

Old-school awareness training does not hack it anymore. Your email filters have an average 10.5-15% failure rate; you need a strong human firewall as your last line of defense.

Join us for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • NEW Identify and respond to email threats faster. Enhance your incident response efforts with the brand-new PhishER add-on!
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 23,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, January 9th at 2:00 pm (ET)
https://event.on24.com/wcc/r/1887533/EF5E7F1A7C5B577E6CC5013FF87FD673?partnerref=CHN
Report: The 2018 Phishing Industry Benchmarking

As a security leader, you’re faced with a tough choice.

Even as you increase your budget for sophisticated security software, your exposure to cybercrime keeps going up!

IT security seems to be a race between effective technology and clever attack methods. However, there’s an often-overlooked security layer that can significantly reduce your organization’s attack surface: New-school security awareness training.

This 2018 Phishing by Industry Benchmarking Report compiles results from a study by KnowBe4 and reveals at-risk users that are susceptible to phishing or social engineering attacks. Taking it a step further, the research reveals radical drops in careless clicking after 90 days and 12 months of security awareness training.

Do you know how your organization compares to your peers of similar size? Download the report:
https://info.knowbe4.com/2018-phishing-by-industry-benchmarking-report
[Heads-Up] Chinese Hackers Specifically Target IT Service Providers

If you are an IT pro working in any type of IT service provider, you have a target on your back. Adrian Nish, head of threat intelligence at BAE Systems PLC, said this about a group of hackers allegedly working on behalf of the Chinese government to break into U.S. companies and government agencies:

“This group has been one of the most prolific cyber threats we’ve investigated in recent years. Their targeting of Western businesses, whilst not exceptional from a technical perspective, was distinctive in that they compromised IT service providers, using their accesses to jump into victim environments.

“These indictments may not stop the attackers, but they should serve as a wake-up call to businesses around the continued threat from cyber intrusions.” U.S. prosecutors last week unsealed indictments charging two Chinese nationals with cybercrimes. The story was all over the news; here is the Washington Post's take:
https://www.washingtonpost.com/world/national-security/us-and-more-than-a-dozen-allies-to-condemn-china-for-economic-espionage/2018/12/20/cdfd0338-0455-11e9-b5df-5d3874f1ac36_story.html?

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: I'm super excited about the PhishER release.
It's a brand-new KnowBe4 product that helps your team prioritize and manage potentially malicious messages reported by your users. Identify and respond to email threats fast!
https://www.knowbe4.com/products/phisher
Quotes of the Week
"He who knows others is wise; he who knows himself is enlightened."
- Lao-Tzu, Philosopher (6th Century BC)

"If you can't explain it simply, you don't understand it well enough." - Albert Einstein, Physicist (1879 - 1955)

Thanks for reading CyberheistNews

Security News
How Wellcome Trust Executives Got Whaled by Oldest Trick in the Phishing Playbook

Forbes contributor Davey Winder wrote an excellent comment: "It hasn't been the greatest week for the non-profit sector with the revelation that two well-known charities have fallen victim to less than charitable cyber con-artists.

In the same week that the Save the Children Federation confirmed it had been scammed out of $1 million by email fraudsters, so the Wellcome Trust has revealed the email of four senior executives was compromised and sensitive information monitored for several months. Without wishing to be uncharitable, both of these cyber-attacks fall firmly into the 'oldest trick in the book' category.

Let me start by saying that I am not in the habit of victim shaming; the focus must be on the threat actor when it comes to attributing bad guy status. That said, as we fast approach 2019, I also think the time for pussy-footing around the lack of security awareness issue within many large organizations has long since passed.

The Wellcome Trust is most certainly a large organization any which way you look at it; in fact, with some £26 billion of assets, it is the biggest charity in Britain." Full story at the KnowBe4 blog:
https://blog.knowbe4.com/how-wellcome-trust-executives-got-whaled-by-oldest-trick-in-the-phishing-playbook
First Ever SANS Security Awareness Executive Report Provides Unique Insight to Help Awareness Programs Succeed

Our friends at SANS Security Awareness, a division of SANS Institute, released their first ever SANS Security Awareness Executive Report, which is designed to demonstrate to executives how they can become an essential figure in their program's overall success and maturity.

It outlines actionable steps drawn from the 2018 Security Awareness Report and focuses on providing leadership with the understanding of why managing human risk is imperative to a security awareness program's overall success.

"Managing human risk is one of the top growing concerns with CISO and executives around the world," says Lance Spitzner, Director of Community and Research at SANS Security Awareness. "The 2018 SANS Security Awareness Executive Report is one of the very few data-driven resources designed for leadership to not only better understand the problem, but to formulate the solution."

While the SANS Security Awareness Report enables security awareness professionals to make improvements in their awareness programs and benchmark their programs against others, key findings in this executive report show a clear correlation between support from executive leadership and program maturity. Ultimately, the more top-down support an awareness program has, the better its chances of effecting consistent culture change. Download here:
https://www.sans.org/security-awareness-training/reports/2018-sans-security-awareness-executive-report?
'Operation Gold Phish' Sting Results in 7 Arrests Over $2 Million in Scams

The U.S. Dept of Justice announced that a few bad guys were arrested. Good riddance!

Seven people in the Chicago area were arrested Tuesday for allegedly bilking Internet users of at least $2 million in online scams over the past two years.

Their arrests took place two weeks after each was charged with conspiracy to commit a wire fraud scheme, according to a statement from the U.S. Attorney for the Northern District of Illinois. If convicted, the defendants face a maximum 20 years in prison.

The seven in the Chicago area were: Daniel Samuel Eta, 35, of Skokie; Babatunde Ladehinde Labiyi, 20, of Chicago; Barnabas Oghenerukevwe Edjieh, 29, of Chicago; Sultan Omogbadebo Anifowoshe, 26, of Chicago; Babatunde Ibraheem Akarigidi, 39, of Chicago; Miracle Ayokunle Okunola, 21, of Chicago; Olurotimi Akitunde Idowu, 55, of Chicago. Another person was arrested in Texas, and the ninth was arrested in Nigeria.

For two years, each victim became an “unwitting money mule” for the defendants, according to an FBI affidavit. The defendants slowly built a connection with the victims, posing as their romantic partner or boss before requesting deposits into bank accounts they had opened under fake passports. Platforms used to seek out these victims included Facebook, Instagram, LinkedIn and Match.com. Link:
https://www.justice.gov/opa/pr/alleged-nigerian-ringleader-international-investment-scam-charged-fraud-money-laundering-and
What KnowBe4 Customers Say

"We are absolutely loving it. I have had several people reach out to me about the first training video I sent them and how scary and informative it was. HR is looking forward to taking advantage of your training videos next year. The support in getting us set up has also been excellent. I wish more companies were as competent. Thank you so much."
- W.R., IT

"I wanted to briefly reach out and state that Jackie Maines has been fantastic to deal with in our implementation of KnowBe4. I find superlatives are overused, but I can say truthfully, her customer support is the best I’ve experienced from a vendor. I don’t know who her manager is but would appreciate if you could drop this line over to her manager. In a world where 95% of calls are to complain, I’d like to throw in my share towards 5% the other way.

I suppose while thanking people, I’d like to thank you for being patient in the purchase process. We are a quick shifting company where our initiatives and priorities can change rapidly. You completed the sale with the right amount of persistence, patience, and helpfulness. I’m already happy with the product and we’ve barely scraped the surface a month in. Thank you!"

Regards, W.J.
- IT Infrastructure and Security Manager

P.S. If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:
https://www.gartner.com/reviews/market/security-awareness-computer-based-training
The 10 Interesting News Items This Week

    1. The Cybersecurity 202: The Supreme Court could decide how bad a hack must be for victims to sue:
      https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/12/17/the-cybersecurity-202-the-supreme-court-could-decide-how-bad-a-hack-must-be-for-victims-to-sue/5c166fb91b326b2d6629d4c2/?utm_term=.85bd428dc083

    2. How Instagram Became the Russian IRA's Go-To Social Network:
      https://www.wired.com/story/how-instagram-became-russian-iras-social-network/

    3. Artificial General Intelligence is nowhere close to being a reality:
      https://venturebeat.com/2018/12/17/geoffrey-hinton-and-demis-hassabis-agi-is-nowhere-close-to-being-a-reality/

    4. Disk-Wiping 'Shamoon' Malware Resurfaces With File-Erasing Malware in Tow:
      https://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow/d/d-id/1333509

    5. eWEEK - KnowBe4 Launches PhishER to Improve Email Security:
      http://www.eweek.com/security/knowbe4-launches-phisher-to-improve-email-security

    6. Most Trusted Top Cybersecurity Companies of 2019. Check out #12, just before IBM:
      https://indilens.com/515153-most-trusted-top-cybersecurity-companies-of-2019/

    7. Charming Kitten Iranian Espionage Campaign Thwarts 2FA:
      https://threatpost.com/charming-kitten-iranian-2fa/139979/

    8. How one hacked laptop led to an entire network being compromised:
      https://www.zdnet.com/google-amp/article/how-one-hacked-laptop-led-to-an-entire-network-being-compromised/

    9. Hackers Breach Dozens of Local Government Payment Portals to Steal Credit Card Data:
      http://fortune.com/2018/12/18/click2gov-local-government-portals-hackers-credit-card-breach/

    10. The scariest security horror stories of 2018:
      https://www.itpro.co.uk/security/32572/the-scariest-security-horror-stories-of-2018
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.