CyberheistNews Vol 9 #40 Your New KnowBe4 2019 Security Threats Report and What to Watch out for Next Year




CyberheistNews Vol 9 #40
Your New KnowBe4 2019 Security Threats Report and What to Watch out for Next Year

We have just published our yearly, independent, 2019 Security Threats and Trends Survey. We polled 600 organizations worldwide mid-2019 on the major security issues they will face in the next 12 to 18 months.

A majority of them – 86% – have proactively amplified security initiatives over the last year to combat the increase in cybersecurity attacks. Nearly nine out of 10 organizations – 89% – say they’re currently better equipped to deal with security threats than they were in 2018.

However, organizations still face significant challenges when it comes to their security initiatives. Three quarters or 76% of organizations say the biggest and most persistent security threat comes from careless end users who regularly clicks on bad links, placing organizations at higher risk of falling victim to email phishing, ransomware, CEO fraud scams and various forms of malware.

And 58% of organizations cite budgetary constraints as an ongoing challenge in upgrading security. Of the 89% of respondents who say that their firms are more prepared to cope with security threats, 36% say they’re “much better equipped.” However, a 53% majority of those polled more cautiously characterize their companies as “somewhat more prepared,” than they were 12 to 18 months ago, and added the caveat that “we need to do more to secure our environment.”

Only a six percent minority believed that their firms were less prepared to deal with security issues in 2019 than they were the same time a year ago.

A near unanimous 96% of organizations say that email phishing scams pose the biggest security risk.

Here is the whole report, in both blog post and 15-page PDF format, great ammo to get budget, and no registration required:
https://blog.knowbe4.com/knowbe4-2019-security-threats-and-trends-report-october-2019
National Cybersecurity Awareness Month Is Here! [FREE RESOURCE KIT]

Not sure where to start? We've got you covered. Get this handy Cybersecurity Awareness Resource Kit that you can use throughout the month to help your users make smarter security decisions every day.

The Resource Kit includes:
  • A sample Cybersecurity Awareness Month training plan
  • A training module for your users: "Captain Awareness: Perils of Pretexting"
  • Resources to share with your users including infographics, awareness posters and a helpful cybersecurity awareness tip sheet
  • Printable assets that you can use to promote cybersecurity awareness in your organization throughout the month of October
Plus you’ll get free resources including our most popular security awareness on-demand webinar and whitepaper.

Get Your Resource Kit Now!
https://www.knowbe4.com/ncsam-resource-kit
A Short, Very Useful Guide to Social Engineering

Knowing how to identify indicators of social engineering can alert you when someone tries to manipulate you, according to Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist. In an article for CSO, Grimes laid out several common red flags that are often present in social engineering attacks.

The most common warning sign is any email, website, or phone call asking for your password. Always make sure you’re on the legitimate website before logging in, and use multifactor authentication wherever possible.

The second most common red flag is anything online that asks you to execute content. This can be a download from a website or a Microsoft Office document that needs you to “Enable Content.” The file you are executing is usually a simple dropper which will download more complex and damaging forms of malware.

A third sign is a suspicious URL. Employees need to know how URL structures work and how attackers can disguise domain names and links to appear legitimate. Another extremely important indicator to be wary of is unusual requests for money transfers or changes to payment account information, even if the requests come from a trusted email contact. Business email compromise scams have caused $26 billion in losses since June 2016.

CSO has the story with all the other ones:
https://www.csoonline.com/article/3439103/10-signs-youre-being-socially-engineered.html
See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us, Wednesday, October 9 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 28,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, October 9 @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/2062218/69F8478972B877C9D1F2CF88FF26FB94?partnerref=CHN1
Scam of the Week: Yahoo Massive Data Breach Settlement Phishing Attacks

Yahoo is close to reaching a $117.5 million settlement in a class-action lawsuit over a series of data breaches that affected users between 2012 and 2016 — and your employees are potentially eligible for a $100 check and/or free credit monitoring if they had an account during that period.

From 2012 through 2016, several hacks penetrated Yahoo systems and stole billions of records.

While the $117.5 million is not nearly as big as the $700 million settlement that credit agency Equifax agreed to for its 2017 data breach involving 147 million records, it's still enough of a phish bait to use social engineering and deceive people in disclosing their personal information. Bad guys are going to benefit from Yahoo Settlement phishing scams.

Here is a blog post with links, a ready-to-send blurb for your users, and the topics of templates you can use immediately to inoculate your users:
https://blog.knowbe4.com/scam-of-the-week-yahoo-massive-data-breach-settlement-phishing-attacks
What if the World's Largest Cyber Insurers Recommended Just *One* Security Awareness Training Platform as the Most Effective in Reducing Cyber Risk?

Well, that just happened. September 25th 2019, Marsh, the world’s leading insurance broker and risk adviser, announced the inaugural class of cybersecurity solutions receiving a Cyber Catalyst designation as part of a first-of-its-kind evaluation program designed to bring organizations greater clarity in the crowded cybersecurity marketplace.

Cyber Catalyst by Marsh launched earlier this year, convened leading cyber insurers Allianz; AXIS; AXA XL, a division of AXA; Beazley; CFC; Munich Re; Sompo International; and Zurich North America to identify products and services they consider effective in reducing cyber risk.

More than 150 cybersecurity offerings were submitted for evaluation, but ultimately only 17 were chosen, and KnowBe4 is one of them!

Cyber Catalyst participating insurers rated the KnowBe4 platform highest on the criteria of flexibility, performance, viability, and efficiency.

“Cyber Catalyst is a ground-breaking approach to help organizations make well-informed decisions in the complex $125 billion cybersecurity marketplace,” said Tom Reagan, US Cyber Practice Leader, Marsh. “This year’s class of 17 Cyber Catalyst designated solutions leverages the experience and insights of the insurance industry to broaden the discussion around best practices and drive improved cyber risk management outcomes.”

Now, Check This Out:

Marsh said: "Organizations that adopt Cyber Catalyst-designated solutions may be considered for enhanced terms and conditions on individually negotiated cyber insurance policies with participating insurers."

Marsh has worked with each participating insurer to establish endorsement wordings that reflect the coverage enhancements that those insurers might offer to Marsh clients that adopt one or more Cyber Catalyst-designated solution.

KnowBe4 has a special product page with the Cyber Catalyst Designation and a PDF Fact Sheet:
https://www.knowbe4.com/cyber-catalyst
See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk Management modules, transforming KCM into a full SaaS GRC platform!

Join us, Tuesday, October 8 @ 2:00 pm (ET), for a 30-minute live product demonstration of the KCM GRC platform from KnowBe4. See how you can simplify the challenges of managing your compliance requirements within your organization and across third-party vendors and ease your burden when it’s time for risk assessments and audits:
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with 80+ pre-built requirements templates for the most widely used regulations.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Tuesday, October 8 @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/2062216/811D59767C9058C33E092A3854946D99?partnerref=CHN1

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: End-users love the KnowBe4 training modules. IT pros get super positive notes from them like these:
https://community.spiceworks.com/topic/2234465-compliment-from-new-user-on-security-training?
Quotes of the Week
"How wonderful it is that nobody need wait a single moment before starting to improve the world."
- Anne Frank

"Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it's the only thing that ever has." - Margaret Mead



Thanks for reading CyberheistNews
Security News
Russian Secret Weapon Against U.S. 2020 Election Revealed in New Cyberwarfare Report

You may have sensed this, but you need to confront the fact the Planet Earth is an anarchy of nations. The UN is ineffective and thoroughly corrupt. A few good things have come out of it, but overall their results are more than negative. Zak Doffman at Forbes has a good story that illustrates the geopolitical risks we are running into because of this:

"The FBI has warned that “the threat” to U.S. election security “from nation-state actors remains a persistent concern,” that it is “working aggressively” to uncover and stop, and the U.S. Director of National Intelligence has appointed an election threats executive, explaining that election security is now “a top priority for the intelligence community, which must bring the strongest level of support to this critical issue.”

With this in mind, a new report from cybersecurity powerhouse Check Point makes for sobering reading. “It is unequivocally clear to us,” the firm warns, “that the Russians invested a significant amount of money and effort in the first half of this year to build large-scale espionage capabilities. Given the timing, the unique operational security design, and sheer volume of resource investment seen, Check Point believes we may see such an attack carried out near the 2020 U.S. Elections.”

None of which is new—it would be more surprising if there wasn’t an attack of some sort, to some level. What is new, though, is Check Point’s unveiling of the sheer scale of Russia’s cyberattack machine, the way it is organized, the staggering investment required.

And the most chilling finding is that Russia has built its ecosystem to ensure resilience, with cost no object. It has formed a fire-walled structure designed to attack in waves. Check Point believes this has been a decade or more in the making and now makes concerted Russian attacks on the U.S. “almost impossible” to defend against." Here is the full story at Forbes:
https://www.forbes.com/sites/zakdoffman/2019/09/24/new-cyberwarfare-report-unveils-russias-secret-weapon-against-us-2020-election/
Social Engineering via the US Mail

KrebsOnSecurity has come across a Nigerian prince scam sent via the US Postal Service. Krebs points out that while email is a much more common vector for these frauds, advance fee scams are nothing new, and were conveyed by snail mail long before email was invented. These scams take many forms, but at their core they consist of a scammer promising a victim a large amount of money if the victim sends a small payment in advance.

In this case, the scammer claims to be an account manager at a bank in London. He explains that one of the bank’s wealthy customers died ten years ago and didn’t name an heir to receive his fortune. The banker was unable to locate the customer’s next-of-kin, so he’s settled upon disbursing the funds to someone who has the same last name, which happens to be the recipient of the letter. The money will be split between the banker and the recipient, so each will receive $5.8 million. Full story and a picture of the letter here:
https://blog.knowbe4.com/social-engineering-via-the-us-mail
The Emotet Botnet Is Back in Business

The Emotet botnet is up and running again after four months of inactivity, according to Ars Technica. Multiple security firms have reported seeing phishing emails delivering the malware via malicious Word documents. The attackers are using improved social engineering techniques, with around a quarter of the emails being sent as replies to existing email threads.

Emotet is a banking Trojan that spreads itself by accessing the email services of infected computers. It uses this access to send phishing emails to the victim’s contacts by replying to previous email threads, and sometimes adds the target’s name to the subject line of the email. This is an effective social engineering tactic, since the target sees the email coming from a trusted contact. It also helps the emails bypass security filters.

These emails contain Word documents purporting to be a “printer friendly version” of a new message. When a user opens the document to read their message, they’ll see what appears to be an alert from Microsoft telling them to accept a license agreement by clicking the “Enable Content” button.

If someone clicks this button, their computer will be infected and incorporated into the botnet, and their own contact list will be targeted with phishing emails. The malware will also attempt to infect other devices on the network.

Emotet’s purpose isn’t just to infect other computers, however. The Trojan has become a malware-as-a-service platform that’s used by criminals to deliver additional malware to infected computers, and it’s often a precursor to ransomware attacks.

Emotet is one of the most dangerous threats facing organizations today, and its revival is noteworthy. Users should be particularly wary of the botnet’s tactic of replying to their email threads. New-school security awareness training can help your employees stay up-to-date on these types of threats so they know what to watch out for. Ars Technica has the story:
https://arstechnica.com/information-technology/2019/09/worlds-most-destructive-botnet-returns-with-stolen-passwords-and-email-in-tow/
What KnowBe4 Customers Say

"Stu, I love KnowBe4. I love it because you have technology that actually works well and you have a process in place to ensure our success. Our customer success manager is Chrystal Timmer. Chrystal is very good about following up to make sure we are using the product to meet our needs.

She knows the product inside and out and takes the time to walk me through every step to implement the product. It takes time and energy on our part to really get value from this tool and Chrystal helps push us along to maximize our value. I'm very happy with our experience so far. Thanks for asking."
- R.B., Director of Information Security



"Hi Stu, yes, life is good for us here. I am very happy with the platform and all that it has to offer. More importantly, I am impressed with the simplicity of its deployment and configuration. You and your team have done a nice job of making the process complementary to and improves our overall Security Awareness Program.

Lastly, your sales and support teams have been stellar. It's nice to know we have a partner in our pursuit of Security Education."
- H.T., Chief Information Officer
The 10 11 Interesting News Items This Week
    1. Quantum Supremacy Achieved and What it Means to Your Company:
      https://www.linkedin.com/pulse/quantum-supremacy-achieved-what-means-you-your-company-roger-grimes/

    2. Phishing Scammer jailed for £41.6m fraud:
      https://www.cps.gov.uk/london-south/news/bulgarian-scammer-jailed-ps416m-fraud

    3. This Map Shows the Code Connections Between Russia's Main Hacker Groups but they hardly share anything:
      https://betanews.com/2019/09/24/hooked-by-phishing-attacks/

    4. Why we get hooked by phishing attacks (Some of these stats are jaw dropping):
      https://betanews.com/2019/09/24/hooked-by-phishing-attacks/

    5. How to fight deepfakes and ransomware: Better security training:
      https://enterprisersproject.com/article/2019/9/security-training-how-fight-deepfakes-ransomware

    6. State Justice Department urges businesses to train employees in basic cyber security:
      https://www.wrn.com/2019/09/state-justice-department-urges-businesses-to-train-employees-in-basic-cyber-security/

    7. Russian national confesses to biggest bank hack in US history:
      https://arstechnica.com/tech-policy/2019/09/russian-national-confesses-to-biggest-bank-hack-in-us-history/

    8. Malicious RDP Behavior Detected in 90% of Organizations:
      https://www.infosecurity-magazine.com/news/malicious-rdp-behavior-detected/

    9. Chinese State Hackers Suspected Of Devious New Attack On U.S. Companies:
      https://www.forbes.com/sites/zakdoffman/2019/09/23/chinese-state-hackers-suspected-as-nasty-new-cyberattack-hits-us-utilities-report/#fd0054173e56

    10. Iranian Government Hackers Target US Veterans:
      https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897

    11. BONUS Former NSA Operator: "Almost Every Hack Starts With Hacking A Human"
      https://www.npr.org/2019/09/26/763545811/how-the-u-s-hacked-isis
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog


Domain Spoof Test Contest




Get the latest about social engineering

Subscribe to CyberheistNews