CyberheistNews Vol 9 #21 What's Wrong With the New Bill That Proposes Cyber Security Training for U.S. House Members?

A bill introduced last week requires all members, officers and employees of the U.S. House of Representatives to undergo cybersecurity training.

The Congressional Cybersecurity Training Resolution of 2019 is sponsored by Rep. Kathleen Rice and Rep. John Katko. It requires the U.S. House’s Chief Administrative Officer to carry out annual cybersecurity trainings to ensure that members and staff are aware of the threat of cyberattacks and they have the knowledge and skills needed to protect government systems.

This type of training is already required for House employees and officers, but the bill wants to make it mandatory for all members. The annual training would need to be completed every year by January 31. The bill orders new members to undergo cybersecurity training within 30 days after beginning service as part of their onboarding.

“If we want to effectively counter those threats, then we need to make sure Members of Congress are equipped with the tools and knowledge to play an active role in this fight. Our employees and House officers are already required to take mandatory information security training, and it is past time that Members are held to the same standard and bear the same responsibility,” Rep. Rice said.

Well, my take on this is that we want to make sure we avoid the mistakes of the past, using the old-school awareness training model --- herding newbies in the break room, keeping them awake with coffee and donuts and then stepping them through the death-by-PowerPoint that gave awareness training a bad rap in the first place:

“While it is encouraging to see that lawmakers are looking to improve cybersecurity training for House members, it is unfortunate to realize that they are a few years behind when it comes to best practices. In the past couple of years, the majority of companies that fell prey to cyber-attacks had an annual training in place which proved to be worthless when a real attack was launched,” Shlomi Gian, CEO at CybeReady, a provider of autonomous cyber security awareness solutions, told SecurityWeek.

Could not agree more! Congress needs to be protected with new-school security awareness training! More DC news at the KnowBe4 blog:

[LIVE WEBINAR] Empowering Your Human Firewall: The Art & Science of Secure Behavior

You know that "security awareness" is key to a comprehensive security strategy. But just because someone is aware doesn't mean they care. So how can you design programs that work with, rather than against, human nature? Here's the great news. Creating a security awareness strategy that not only educates, but reinforces good behaviors can be achieved and we'll show you how.

Join us, TOMORROW, May 22nd at 2:00 pm when Perry Carpenter, Chief Evangelist and Strategy Officer for KnowBe4 will unpack a number of key elements from his new book Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors.

Drawn from his experience as an awareness practitioner, CISO mentor, researcher, and author, Perry will dive into ideas like how to use "Trojan Horses for the Mind," how to leverage social dynamics to drive behavior and shape culture, and will unveil some exciting new behavior models that will help you stop the bad guys in their tracks.

This presentation will take a deep (and practical) dive into:
  • How to understand and design for behavioral segments
  • How to successfully debug bad behaviors
  • How to influence motivation in three different ways
  • And why it is important to live your awareness program through the eyes of your audience
Date/Time: TOMORROW, May 22nd at 2:00 pm (ET)

Chinese Cyberspies Breached TeamViewer in 2016

The Register had their usual funny, snarky comments about this PR debacle.

"Remote-desktop and web conferencing software maker TeamViewer confirmed on Friday it was hacked in autumn 2016, though said nothing about it at the time. Details of the break-in emerged this week in German mag Der Spiegel.

The biz kept quiet because no customer data nor computer systems were, it is believed, compromised, and it didn't want us to worry our pretty little heads about it all.

"Our systems detected the suspicious activities in time to prevent any major damage," TeamViewer's comms director Martina Dier claimed in an email to The Register.

"An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way.

"We came to the joint conclusion that informing our users was not necessary and would have been counterproductive to the effective prosecution of the attackers. Against this backdrop, we decided not to disclose the incident publicly in the interest of the global fight against cybercrime and thus also in the interest of our users."

How thoughtful. More:

[May Live Demo] Identify and Respond to Email Threats Faster with PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic... can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats — and just as importantly — effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a new product which allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us, Thursday, May 30 at 2:00 pm (ET), for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Thursday, May 30 at 2:00 pm (ET)

Save My Spot!

Global GozNym Takedown Shows the Anatomy of a Modern Cybercrime Supply Chain

A multi-national collaborative law enforcement effort has arrested individuals allegedly behind Nymaim and Gozi, also known as GozNym.

The global crime network is reportedly responsible for stealing an estimated $100 million from banks around the world.

It’s a nice story and some believe it should serve as a blueprint for future operations. Which is all well and good until you start looking through the details, squint a bit and tilt your head.

Something Phishy

The criminals infected the computers of over 40,000 victims via phishing emails. That’s right, it boils down to plain old simple phishing. Users would receive an email with a link; clicking the link redirected them to a website, from which the malware was downloaded.

Once victims' machines were compromised, the attackers would steal their banking credentials. While the impact of the criminal group was huge, a couple of measures taken by the financial institutions could have helped a great deal. More:

Get Your Ransomware Hostage Rescue Manual (Attack Prevention Included)

Sophos recently released its discovery of a scary new strain of very sophisticated ransomware called MegaCortex. It was purpose-built to target corporate networks, and once penetrated, the attackers infect your entire network by rolling out the ransomware to all servers and workstations, using your own Windows domain controllers.

Prevent ransomware attacks by planning ahead. Get the most informative and complete hostage rescue manual on ransomware. This 20-page manual is packed with actionable info that you need to prevent infections, and what to do when you are hit with malware. You also get a Ransomware Attack Response Checklist and Prevention Checklist. You will learn more about:
  • What is Ransomware?
  • Am I Infected?
  • I’m Infected, Now What?
  • Protecting Yourself in the Future
  • Resources
Don’t be taken hostage by ransomware. Download your rescue manual now!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: KnowBe4 was announced as one of Inc. Magazine’s Best Workplaces for 2019:

Quotes of the Week
"Humanity should question itself, once more, about the absurd and always unfair phenomenon of war, on whose stage of death and pain only remain standing the negotiating table that could and should have prevented it." - Pope John Paul II (1920 - 2005)

"War is the greatest plague that can afflict humanity, it destroys religion, it destroys states, it destroys families. Any scourge is preferable to it." - Martin Luther (1483 - 1546)

Thanks for reading CyberheistNews

Security News
Eventually Someone Opens a Malicious File. Then What?

Weaponized documents are so effective at compromising organizations that attackers of all skill levels use them, from state-sponsored hackers to criminal skids, according to Lisa O’Reilly from SlashNext.

Nearly every targeted cyberattack begins with social engineering, usually in the form of a phishing email. Phishing attacks work so well because they allow attackers to bypass technical defenses.

“These phishing exploits, like most of today’s phishing efforts, prey on the human element,” O’Reilly writes. “Emails continue to be the most common attack vector with an attachment or link that appears as if it were sent by a familiar co-worker, relative, or close business associate that the target trusts and communicates with on a regular basis.”

In response to improved security technologies, attackers simply turn to new techniques and exploits. O’Reilly notes that attackers are increasingly abusing legitimate tools to avoid detection by antivirus programs, and they’re constantly taking advantage of previously unknown vulnerabilities.

“Regardless of their motivation or target, security vendors are reporting that the use of weaponized documents by bad actors is on the rise,” she says. “Zero-day and zero-hour attacks are evolving and designed to elude traditional security techniques.”

All organizations are vulnerable to social engineering, since no human has perfect judgement all the time. O’Reilly says the difficulty of defending against these attacks increases with the sheer volume of emails that employees interact with on a day-to-day basis.

“Most businesses (and employees) exchange hundreds of emails and attached documents every day, never giving a recognized sender's email address a second thought, meaning it’s just a matter of time before a weaponized document gets downloaded and opened,” she writes.

Attackers have a significant starting advantage, since they can launch as many phishing attacks as they want against a target, while an employee only has to fall victim to one in order for an organization to be compromised. New-school security awareness training can even the odds by equipping your employees with the knowledge and skills to recognize and resist these attacks. Security Boulevard has the story:

Trends in Dangerous Attachments

The most popular file types used for malicious attachments this year are ZIPs, PDFs, and Microsoft Office files, with an increasing number of campaigns using ISO and IMG disc image files, Lindsey O’Donnell at Threatpost reports.

Researchers from F-Secure revealed these trends last week, and outlined several campaigns of particular interest.

First, the researchers observed major spam campaigns in February and March that were delivering the GandCrab ransomware via ZIP files. The files purported to be photos, but would execute a JavaScript downloader and then a PowerShell script to download GandCrab.

In March, F-Secure tracked phishing campaigns that took advantage of tax season by distributing phony tax documents to spread the Trickbot banking Trojan. These documents were Word (.doc or .docx) and Excel (.xlsm) files containing malicious macros. Once installed, Trickbot would steal “as much data as possible” from the victim’s computer.

Another phishing campaign in March used PDF files to deliver malicious links to American Express customers. The link in the document would take victims to a fake American Express login page to harvest their credentials.

PDFs were also used in a massive spam campaign purporting to come from Google, which claimed that recipients had won $1.4 million in an online sweepstakes. These files asked victims to send their personal and financial information to a Gmail address imitating that of Google CEO Sundar Pichai.

Finally, the researchers noted that use of ISO and IMG files to deliver malware has been slowly but steadily rising over the past year. Two of these campaigns are delivering the AgentTesla information stealer and the NanoCore remote access Trojan.

O’Donnell points out that using new file types can make people more likely to let their guard down. “Spam campaigns continue to adopt new tactics that make them harder to spot – and the usage of new types of attachments, such as the ISO image file described above – only makes it easier for attackers to deceive their victims,” she says.

New-school security awareness training can help your employees stay on top of these evolving trends so they can identify potentially malicious attachments. Threatpost has the story:
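The attachment trends above map directly onto a gateway or SOC triage rule: script files hiding behind a photo name inside a ZIP, macro-capable Office documents, PDFs that carry links, and ISO/IMG disc images. The routine below is an added example written for this newsletter, not F-Secure's or Threatpost's tooling; the extension lists, the three verdict levels (allow, review, block) and the policy of blocking disc images outright are assumptions, and the ZIP files it inspects are constructed in memory so it runs offline.

```python
"""Attachment triage keyed to the F-Secure attachment trends: ZIP-wrapped script
downloaders, macro-capable Office files, PDFs with links, ISO/IMG disc images.
Example code; extension lists and verdict levels are policy assumptions."""
import io
import os
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

# Extensions that execute when opened on Windows (assumed list, extend per environment).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".exe", ".scr",
               ".hta", ".lnk", ".cmd", ".bat"}
# Office formats that can carry macros, plus the .doc/.docx/.xlsm lures named in the article.
OFFICE_EXTS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".pptm"}
DISC_IMAGE_EXTS = {".iso", ".img"}          # rising use reported by F-Secure
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}  # "photo" disguises
LEVEL_RANK = {"allow": 0, "review": 1, "block": 2}


@dataclass
class Verdict:
    filename: str
    level: str = "allow"
    reasons: List[str] = field(default_factory=list)

    def raise_to(self, level: str, reason: str) -> None:
        """Escalate to a more severe level (never downgrade) and record why."""
        if LEVEL_RANK[level] > LEVEL_RANK[self.level]:
            self.level = level
        self.reasons.append(reason)


def _extensions(name: str) -> List[str]:
    """All extensions of a name, outermost last: 'IMG_2041.jpg.js' -> ['.jpg', '.js']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_name(name: str) -> Verdict:
    """Verdict from the file name alone (no content inspection)."""
    v = Verdict(name)
    exts = _extensions(name)
    last = exts[-1] if exts else ""
    if last in SCRIPT_EXTS:
        v.raise_to("block", f"script/executable extension {last}")
        if len(exts) > 1 and exts[-2] in DECOY_EXTS:
            v.raise_to("block", f"double extension: poses as a {exts[-2]} file")
    elif last in DISC_IMAGE_EXTS:
        v.raise_to("block", f"disc image {last} attachment (policy: block)")
    elif last in OFFICE_EXTS:
        v.raise_to("review", f"Office document {last}: check for macros")
    elif last == ".pdf":
        v.raise_to("review", "PDF: inspect embedded links")
    return v


def triage_attachment(name: str, data: Optional[bytes] = None) -> Verdict:
    """Verdict for an attachment; ZIP contents are inspected member by member."""
    v = triage_name(name)
    if _extensions(name)[-1:] == [".zip"] and data is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:          # encrypted member, cannot inspect
                        v.raise_to("review", f"encrypted member {info.filename}")
                        continue
                    if _extensions(info.filename)[-1:] == [".zip"]:
                        v.raise_to("review", f"nested archive {info.filename}")
                        continue
                    inner = triage_name(info.filename)
                    for reason in inner.reasons:
                        v.raise_to(inner.level, f"{info.filename}: {reason}")
        except zipfile.BadZipFile:
            v.raise_to("review", "unreadable ZIP: quarantine for manual inspection")
    return v


def _make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples: a GandCrab-style "photo" lure, a clean photo, a nested archive.
SAMPLE_LURE_ZIP = _make_zip({"IMG_2041.jpg.js": b"// stand-in for a JS downloader"})
SAMPLE_CLEAN_ZIP = _make_zip({"IMG_2041.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes"})
SAMPLE_NESTED_ZIP = _make_zip({"inner.zip": _make_zip({"readme.txt": b"hello"})})

if __name__ == "__main__":
    for name, data in [("photos.zip", SAMPLE_LURE_ZIP), ("photos.zip", SAMPLE_CLEAN_ZIP),
                       ("taxes.xlsm", None), ("statement.pdf", None), ("setup.iso", None)]:
        verdict = triage_attachment(name, data)
        print(f"{verdict.level:6} {name}: {'; '.join(verdict.reasons) or 'no findings'}")
```

The ZIP branch is where this earns its keep: a plain extension check passes photos.zip, but opening the archive exposes the .jpg.js member that the GandCrab campaign relied on, and the encrypted-member and nested-archive cases are sent to review rather than silently allowed because the content could not be inspected.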

InfraGard Recommends User Education

Education is crucial in defending against evolving social engineering attacks, according to Jack Plaxe, president of the Kentucky InfraGard Alliance. During a presentation last week, Plaxe pointed to a recent business email compromise scam that targeted schools in Scott County, Kentucky.

A scammer sent a fraudulent email posing as a vendor that the school district regularly does business with, and tricked employees into wiring payments to the wrong account. The criminal nearly made off with $3.7 million, but the bank was able to recover the money before it disappeared.

“These types of scams rely on the fallibility of humans, and since we are all human, we are fallible,” said Plaxe. “It relies on someone who is working and maybe trying to accomplish many tasks and may not identify the warning signs in an email.”

Plaxe emphasized that most cyberattacks require an employee within the organization to make a mistake, such as clicking on a link, opening an attachment, or falling for a spoofed email. These attacks can be prevented if employees know the potential dangers and the warning signs to watch out for.

“Defending critical infrastructures requires diligence and educating yourself on security and how attackers are adapting and changing their tactics,” he said. “An estimated 70% of cyber exploitation starts or is introduced with an email, not a hacker. They know that humans are the weak link and try to exploit that. Nobody is exempt from cyber crime and everyone needs to be prepared.”

While technical defenses can assist in blocking malicious emails and identifying known malware, the best way to thwart social engineering attacks is by teaching employees about the tactics used by attackers. The Georgetown News-Graphic has the story:

How to Always Send the Most Current Phishing Templates to Your Users

We had a fun idea come up after one of our customers asked a question at KB4-CON. The customer asked, with all the templates that we have available in Current Events, how can he be sure that his users always get the latest and greatest one?

Out of that, we came up with the Current Event of the Week and Current Event of the Month category. Each category will contain a single Current Events or Holiday template, hand-selected by the Tech Content team each week and month to ensure that end users will receive a high-quality, timely, and relevant template.

The Current Event of the Week category is updated on Mondays, while the Current Event of the Month category is updated on the first Monday of each month. Once a Current Event of the Week/Month campaign is set up, it will run automatically and will test users with a new Current Events or Holiday phishing template each time the campaign runs.

Here is a support KB article to help explain how to set up a campaign that works with these new categories:

What KnowBe4 Customers Say

"I just wanted to say thank you for an excellent conference. I had a great time, your staff did an awesome job, and I am looking forward to attending next year. I had the opportunity to walk and talk with you one morning on the way to breakfast. I needed that conference, the energy from that place charged me up, and I have brought that back with me.
Thank you." - C.C. - Systems Administrator

"Stu, I am a happy camper, thanks for checking! Also I received a book from you yesterday, thank you very much. I’m very impressed with your company. The way you can turn real world phishing emails into actionable data, and even take it one step further and use it to enhance training, is remarkable.

My project manager Brady has been a fantastic resource guiding me through all of this. I feel I wouldn’t be nearly as satisfied with your product without someone as confident and knowledgeable as Brady working with me throughout. Simply put, he has been of enormous value; please give him a pat on the back for me.

The way you have reached out to me and other customers is a testament to your commitment to us, your customers, and the confidence you have in your products and services.
Thank you." - H.A., Information Technology Specialist

"I wanted to drop you a quick note to say how much we are enjoying the KnowBe4 training videos and the phishing system. I just watched The Inside Man video and even though it didn’t really totally apply to our small Bank, the principles do and the video was absolutely awesome! I thought I was watching a good movie. I have to say that the money we pay KnowBe4 for training and phishing test is money very well spent!"
- W. G. SVP, CTO

The 10 Interesting News Items This Week
    1. Does Your Cybersecurity Insurance Cover Social Engineering? Better Read the Fine Print!:

    2. Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers:

    3. HSB Introduces Farm Cyber Insurance. Coverage Protects Farmers from Hackers and Malware, Seems A Natural Fit:

    4. Virtual kidnappings are rattling families across the US:

    5. Cybercrime Magazine interviews Kevin Mitnick at KnowBe4's KB4-CON 2019 Conference:

    6. Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs:

    7. House Homeland Gives Thumbs Up for Permanent DHS Cyber Response Team:

    8. Burned After Reading: Endless Mayfly’s Ephemeral Disinformation Campaign:

    9. The CyberWire podcast #HackingHumans went LIVE! They recorded this show last week live at KB4-CON. Check it out: Dave & Joe are joined by KnowBe4's Stu Sjouwerman & Kevin Mitnick. Listen to the podcast:

    10. Microsoft releases new version of Attack Surface Analyzer utility:
Prepared in cooperation with the CyberWire research team.

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
