CyberheistNews Vol 9 #43 [Heads-Up] "I Can Phish Anyone". Would You Be Able to Say This, and Would You Be Right?

Roger A. Grimes, KnowBe4's highly popular Data-Driven Defense Evangelist, stated in a post this week:

"I’m a bit surprised by some aggressive corporate anti-phishing policies which say they will fire anyone for one accidental phishing offense. Send me the names and email addresses of the people who create those policies and I’ll successfully phish them. Anyone can be phished.

The goal of every anti-phishing policy should be to significantly decrease the likelihood that the organization and its members can be successfully phished. You want to promote a culture of healthy skepticism. KnowBe4 customers frequently go from 30% to 2% “phish prone” rates in a year.

I challenge you to find a decrease in cybersecurity risk that huge from any other single thing that you can do. But to demand perfection seems implausible, especially when they themselves can be successfully phished.

I’ve had many people over two decades tell me they couldn’t be phished as they chided others for falling prey to some phishing attack. I then ask them to give me two weeks to see if I can successfully phish them. I’ve never failed to be successful. Never. My email inbox is full of sour-faced apologies. Anyone can be tricked into clicking on a link. We are just human.

When I was a professional penetration tester, my favorite corporate phishing trick was to send all employees an email pretending to be from the CFO that claimed that the company was going to soon announce that they were merging with their second closest competitor (it takes me a few minutes to figure out who that is).

The memo is full of words and terms like synergy, mutual commitment, competitive pressures, market alignment, and empowerment. You know, like all those corporate memos full of blather. Then, I end the email with the following, “Please click on the attached spreadsheet to see if your department and position is still supported in the new combined organization.” Employees could not open the spreadsheet fast enough. It contained scripting which required the user to enable it. They always did. I oftentimes started to get my first backdoor trojans installed and passwords returned in under 60 seconds of sending it. My “conversion” rates were over 60%. It worked so often that I got bored of using it.

I get that leaders who rarely to never get phished want to super-motivate those “super clickers” who seem to click on everything. But firing someone for a first offense is a little harsh…at least for most industries and organizations.

At KnowBe4, we believe in more carrot and less stick. It’s OK to have negative consequences for frequent clickers, some people won’t change their behavior any other way. But we also know that you’ll move your company faster and have happier employees if you encourage better cybersecurity behaviors by using proactive motivations, like friendly competitions, corporate recognition, gift cards, and pizza parties.

If you know of someone who thinks they cannot be phished, let me know. I’ll send you back some ideas that I have successfully used to phish the biggest skeptics over my career. I can send you one idea that works against nearly everyone and is very easy to pull off. Just make sure you have their written permission first and do not use the successful phish to harm the “victim” in any way. To do so would be illegal and unethical."

Continued at the KnowBe4 blog:
https://blog.knowbe4.com/i-can-phish-anyone

[Live Demo] Identify and Respond to Email Threats Faster With PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase in this email traffic can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats, and just as importantly, effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product that allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, October 23 @ 2:00 pm (ET) for a live 30-minute demonstration of the new PhishER platform. With PhishER you can:
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s new machine-learning module
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, October 23 @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/2062219/E3C30B36C2C3A58E3056E249C3297467?partnerref=CHN2

Microsoft Recommends: "Top 6 Email Security Best Practices"... And One of Them Is Phishing Simulations

Girish Chander, Microsoft's Group Program Manager of Office 365 Security wrote an excellent post on their blog titled "Top 6 email security best practices to protect against phishing attacks and business email compromise".

He started out with: "Most cyberattacks start over email—a user is tricked into opening a malicious attachment, or into clicking a malicious link and divulging credentials, or into responding with confidential data.

"Attackers dupe victims by using carefully crafted emails to build a false sense of trust and/or urgency. And they use a variety of techniques to do this—spoofing trusted domains or brands, impersonating known users, using previously compromised contacts to launch campaigns and/or using compelling but malicious content in the email.

"In the context of an organization or business, every user is a target and, if compromised, a conduit for a potential breach that could prove very costly.

"Whether it’s sophisticated nation-state attacks, targeted phishing schemes, business email compromise or ransomware attacks, such attacks are on the rise at an alarming rate and are also increasing in their sophistication. It is therefore imperative that every organization’s security strategy include a robust email security solution."

I strongly recommend you read the whole post, but, since I'm partial, I'm highlighting one of them first:

"Your users are the target. You need a continuous model for improving user awareness and readiness. An informed and aware workforce can dramatically reduce the number of occurrences of compromise from email-based attacks. Any protection strategy is incomplete without a focus on improving the level of awareness of end users.

"A core component of this strategy is raising user awareness through Phish simulations, training them on things to look out for in suspicious emails to ensure they don’t fall prey to actual attacks. Another, often overlooked, but equally critical, component of this strategy, is ensuring that the everyday applications that end-users use are helping raise their awareness. Capabilities that offer users relevant cues, effortless ways to verify the validity of URLs and making it easy to report suspicious emails within the application — all without compromising productivity — are very important.

"Solutions that offer Phish simulation capabilities are key. Look for deep email-client-application integrations that allow users to view the original URL behind any link regardless of any protection being applied. This helps users make informed decisions. In addition, having the ability to offer hints or tips to raise specific user awareness on a given email or site is also important. And, effortless ways to report suspicious emails that in turn trigger automated response workflows are critical as well."

Could not have said it better myself. Glad to see that Redmond has seen the positive effects of simulated phishing attacks on employees to inoculate them against the real threat.

Here is the full KnowBe4 blog post with links to Microsoft's article and Girish's Twitter account, which I recommend you follow:
https://blog.knowbe4.com/microsoft-recommends-top-6-email-security-best-practices...-and-one-of-them-is-phishing-simulations

[NEW WEBINAR] A Former CIA Cyber Threat Analyst Shows You How to Make Your Organization a Hard Target

Having spent over a decade as part of the CIA’s Center for Cyber Intelligence and the Counterterrorism Mission Center, Rosa Smothers knows the ins and outs of leading cyber operations against terrorists and nation-state adversaries. She has seen first-hand how the bad guys operate, she knows the threat they pose, and she can tell you how to use that knowledge to make organizations like yours a “hard target”.

In this exclusive webinar, find out why Rosa, now KnowBe4’s SVP of Cyber Operations, encourages organizations like yours to maintain a healthy sense of paranoia as she and Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer, walk you through the murky underworld of threats and exploits that your organization can't afford to ignore.

Get the inside (spy-)scoop on:
  • Surprising data collection techniques – both physical and cyber
  • The two easiest ways to break into any existing network
  • Hidden threats of social media connections
  • And how to prepare your end users to defend against them all
Date/Time: Wednesday, October 30 @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/2107071/72FBF31CE83227F6428A3A3DC350B455?partnerref=CHN2

[LAST CHANCE] Does Your Domain Have an Evil Twin? Find out for a Chance to Win Two Pairs of Beats Headphones

Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it’s a top priority that you monitor for potentially harmful domains that can spoof your domain.

Our Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines the search, discovery, reporting, and risk indicators, so you can take action now. Better yet, with these results, you can now generate a real-world online assessment test to see what your users are able to recognize as “safe” domains for your organization.

Plus, if you’re in the US or Canada, you'll be entered for a chance to win two pairs of Beats Studio3 Wireless Headphones*, "one for you and one for your evil twin".

With Domain Doppelgänger, you can:
  • Search for existing and potential look-alike domains
  • Get a summary report that identifies the highest to lowest risk attack potentials
  • Generate a real-world “domain safety” quiz based on the results for your end users
This is a complimentary tool and will take only a few minutes. Hurry, the offer ends October 31, 2019.

Domain Doppelgänger helps you find the threat before it is used against you.

Find Your Look-Alike Domains!
https://info.knowbe4.com/domain-doppelganger-102019

*Terms and conditions apply.
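To make the monitoring idea above concrete, here is an added Python example (not KnowBe4's Domain Doppelgänger tool and not code from this newsletter) that generates look-alike candidates for a domain you own and checks inbound sender domains against that list. The domain `example.com` and the sender addresses are constructed placeholders, and the homoglyph and keyboard tables are deliberately small subsets of what a full tool would use.

```python
"""Generate look-alike ("evil twin") candidates for a domain you own and match
inbound sender domains against them. Added example, not KnowBe4's Domain
Doppelgänger tool; 'example.com' below is a constructed placeholder and the
substitution tables are small illustrative subsets."""

# Characters easily confused in an address bar or a From: header (subset).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}
# Neighbouring keys on a QWERTY keyboard, for fat-finger variants (subset).
ADJACENT = {
    "e": "wrd", "r": "etf", "t": "ryg", "o": "ipl", "a": "qsz",
    "n": "bm", "m": "n", "i": "uok", "l": "kop", "s": "awd",
}
# Words commonly bolted onto a brand to look like an internal service.
BOLT_ONS = ("login", "secure", "hr", "mail", "support")


def split_domain(domain):
    """Return (label, tld) for a simple second-level domain such as 'example.com'.
    Assumption: multi-part public suffixes like .co.uk are not handled here."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def homoglyph_variants(label):
    return {label[:i] + sub + label[i + 1:]
            for i, ch in enumerate(label) for sub in HOMOGLYPHS.get(ch, [])}


def omission_variants(label):
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transposition_variants(label):
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def insertion_variants(label):
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + ch + label[i:])              # doubled letter
        for nb in ADJACENT.get(ch, ""):                  # adjacent key slipped in
            out.add(label[:i + 1] + nb + label[i + 1:])
    return out


def hyphen_variants(label):
    out = {label[:i] + "-" + label[i:] for i in range(1, len(label))}
    out |= {f"{label}-{w}" for w in BOLT_ONS} | {f"{w}-{label}" for w in BOLT_ONS}
    return out


def lookalike_candidates(domain, extra_tlds=("net", "org", "co", "info")):
    """All candidate twins of `domain`: mutated labels under the same TLD, plus the
    genuine label under other TLDs. Feed this list to your WHOIS/DNS monitoring."""
    label, tld = split_domain(domain)
    variants = set()
    for gen in (homoglyph_variants, omission_variants, transposition_variants,
                insertion_variants, hyphen_variants):
        variants |= gen(label)
    variants.discard(label)
    candidates = {f"{v}.{tld}" for v in variants}
    candidates |= {f"{label}.{t}" for t in extra_tlds if t != tld}
    return sorted(candidates)


def flag_sender(sender, own_domain):
    """Mail-gateway style check: return the look-alike a sender's domain matches,
    or None if it is either the genuine domain or unrelated."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain == own_domain.lower():
        return None
    twins = set(lookalike_candidates(own_domain))
    return sender_domain if sender_domain in twins else None


if __name__ == "__main__":
    # Constructed sender addresses against the placeholder domain.
    for addr in ("hr@example.com", "hr@examp1e.com",
                 "it-help@example-login.com", "news@vendor.test"):
        print(addr, "->", flag_sender(addr, "example.com") or "ok")
```

The candidate list is intentionally over-inclusive: it is cheap to check a few hundred names against new registrations or inbound mail, and a false positive only costs an analyst a glance, whereas a missed twin costs a successful spoof.
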
A New Attack Category Is Born: You Now Need to Also Worry About "Evasive Spear Phishing"...

Researchers have combed through 25 million emails and found a new method of attack that blends two previously seen attack types into a single attack focusing on technology companies.

A cybercriminal needs to overcome two basic hurdles to infect a machine: First, they need to get past any security solutions that inspect attachments looking for signs of maliciousness. Second, they need to get users to click on said attachment. If you can do both of these things, you have yourself a pretty good chance of infection.

Thus far, we’ve only seen attacks that do one or the other well, or use two completely separate tactics to accomplish this. But, according to research from security vendors Glasswall and Forcepoint, a new attack method effectively combines these two tactics into a single attack. Dubbed evasive spear phishing, it involves both highly targeted spear phishing campaigns, using contextual details that indicate a fair amount of diligence, and sophisticated malware delivery mechanisms that leverage older Office file types.

Full blog post here:
https://blog.knowbe4.com/a-new-attack-category-is-born-you-now-need-to-also-worry-about-evasive-spear-phishing
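One defensive check that follows from the description above is to classify attachments by their real container format rather than by their file extension, so that legacy binary Office files and OOXML files carrying VBA can be held for analyst review before delivery. The following is an added Python example (not code from Glasswall, Forcepoint or KnowBe4); the sample files it builds are constructed stand-ins, not real documents or malware, and the magic bytes are the standard OLE2 compound-file and ZIP signatures.

```python
"""Classify an email attachment by what it actually is, not by its extension.
Added example (not Glasswall's, Forcepoint's or KnowBe4's code); the sample
files below are constructed stand-ins, not real documents or malware."""

import io
import zipfile

# Magic bytes of the containers Office documents ship in.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2/Compound File: legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.xlsx/.pptx) is a zip
RTF_MAGIC = b"{\\rtf"

LEGACY_EXT = {"doc", "dot", "xls", "xlt", "xla", "ppt", "pot", "pps"}
OOXML_EXT = {"docx", "docm", "dotm", "xlsx", "xlsm", "xltm", "pptx", "pptm"}


def container_type(data):
    """Identify the container from its leading bytes."""
    if data.startswith(CFB_MAGIC):
        return "cfb"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def ooxml_has_vba(data):
    """OOXML stores VBA code as a vbaProject.bin part; look for it in the zip directory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def assess_attachment(filename, data):
    """Return a list of findings for one attachment (empty list = nothing notable)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = container_type(data)
    findings = []
    if kind == "cfb":
        # The legacy binary format can carry VBA and is what "older Office
        # file types" refers to; always worth a second look from an analyst.
        findings.append("legacy-binary-office")
        if ext not in LEGACY_EXT:
            findings.append("extension-mismatch")   # e.g. OLE2 bytes named .docx
    elif kind == "ooxml":
        if ooxml_has_vba(data):
            findings.append("ooxml-macro")
        if ext not in OOXML_EXT:
            findings.append("extension-mismatch")
    elif kind == "rtf" and ext != "rtf":
        findings.append("extension-mismatch")
    return findings


def verdict(findings):
    """Simple policy: hold anything with a finding for analyst review."""
    return "hold-for-review" if findings else "deliver"


# --- constructed samples (not real documents) ---
def make_ooxml(with_vba):
    """Build a minimal OOXML-shaped zip, optionally with a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


SAMPLE_CFB = CFB_MAGIC + b"\x00" * 504   # header bytes only; enough for the magic check

if __name__ == "__main__":
    for name, blob in (("q3_forecast.xls", SAMPLE_CFB),
                       ("q3_forecast.docx", SAMPLE_CFB),
                       ("memo.docm", make_ooxml(True)),
                       ("memo.docx", make_ooxml(False))):
        found = assess_attachment(name, blob)
        print(f"{name:18} {verdict(found):16} {found}")
```

A gateway rule built on this does not need to decide whether a file is malicious; it only needs to route the formats that give attackers the most room (legacy OLE2 containers and macro-bearing OOXML) to a human or a sandbox instead of straight to the inbox.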

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: I'm looking for an email marketing manager; know anyone good? Send them my way!
https://www.knowbe4.com/job?gh_jid=4488799002

Quotes of the Week
"Whether one believes in a religion or not, and whether one believes in rebirth or not, there isn't anyone who doesn't appreciate kindness and compassion." - Dalai Lama (born 1935)

"Our human compassion binds us the one to the other - not in pity or patronizingly, but as human beings who have learnt how to turn our common suffering into hope for the future." - Nelson Mandela



Thanks for reading CyberheistNews

Security News
Scam of the Week: Bogus Performance Review as Phishbait

New phishing attacks are imitating performance appraisals in order to steal employees’ credentials, according to IBM SecurityIntelligence. The attackers are posing as HR employees and sending emails with links to a phishing site.

The phishing site appears to be a simple login portal that doesn’t attempt to imitate any well-known sites. Employees are asked to enter their username, password, and email address, in order to receive an email with additional instructions. If they enter their credentials, the attackers receive the information, and the attack concludes.

Performance Review Phishbait Is a New Angle of Attack

SecurityIntelligence notes that attackers often use corporate-focused phishing attacks to gain access to businesses. Similar attacks include spearphishing with fake invoices, malicious links contained in SharePoint files, and HTML attachments posing as voicemail notifications. Performance review phishbait is a little out-of-the-ordinary, although not unheard of, and the urgency of completing such reviews on time can rush the unwary into swallowing a hook they might otherwise spit.

Employees need to be extremely careful about where they enter their credentials, and they need to report potential phishing attacks even if they’ve already fallen for them. New-school security awareness training can ensure that your employees are watching out for these attacks.

I suggest you send the following to your employees, friends and family. Feel free to copy/paste/edit:

ALERT: Bad guys are sending phishing emails trying to get you worried about "your performance review". However, they are trying to steal your username and password. These low-lifes pose as HR and send you an email with a link to a bogus website where they try to trick you into filling out a login screen so that you can "receive the information" about your performance review. It's a nasty trick trying to get you to worry about your job. Don't fall for it and Think Before You Click.

Why Hack When You Can Con?

Most people would be shocked at how easily anyone might physically infiltrate an organization and gain access to sensitive data. In most cases, social engineering is a much more efficient choice than trying to hack into a company’s computer systems. The magazine Computing reports on a presentation by an ethical hacker at DTEXPO which illustrates this.

The hacker recounted a job in which he was tasked with breaking into a restricted site (with permission) and gaining enough access that he would have been able to blow up a vat of chemicals. He dressed the part by donning a high-visibility jacket and acted like he knew what he was talking about, which successfully tricked the employees into thinking he was supposed to be there.

He then made friends with an employee in the smoking area outside the restricted site, and tagged along when the employee went back inside. This granted him all the access he needed.

The hacker emphasized that tricking humans can be very easy, and you don’t really need any technical expertise to do it. If you have some social engineering talent, you can cause just as much damage as a sophisticated computer hack.

“This is not a James Bond industry. This is not a super-skilled role where only the most technically capable can infiltrate a company,” the hacker said. “Sometimes, it just takes a bit of effort to infiltrate. I genuinely don’t feel like I can rob a bank, even though I’ve been in three scenarios in my job with banks.

I know I could never hack a bank, but I know that if we narrowed down the actual people, we can hack the people once they've been segregated from the business. It's about separating the weak away from the pack.”

The threat isn’t insurmountable, however. The hacker stressed that if employees are prepared, they can identify and stop these attacks.

“It’s just a person, and we can defend against this person if we all work together,” he said. New-school security awareness training can build a security culture within your organization so your employees can cooperate with each other to defend against social engineering attacks. Computing has the story:
https://www.computing.co.uk/ctg/news/3082485/ethical-hacker-social-engineering

What KnowBe4 Customers Say

A potential customer asked the SpiceWorks community about KnowBe4 and there were several positive responses; here is one standout quote:

"100% YES! Been using them now for going on 3 years. We have a monthly training video that every employee must watch, and is a mandatory part of everyone's position with our company. We have a new employee training package of videos that every new employee automatically gets put in with AD sync. We have tidbit emails that go out to everyone with short snippets of reminders and info of the latest threats. AND, we have monthly fake training emails to keep them on their toes. I can't speak any more highly of this training program. I will never be without it again."

Here is the whole thread at Spiceworks:
https://community.spiceworks.com/topic/2237886-would-you-recommend-knowbe4-for-it-security-training-or-something-else?page=1#entry-8609827



Quarterly Product Update Video (Q3, 2019)

Every quarter, the KnowBe4 Technical Content team creates an update of all the new content and features that have been added to our products over the last three months. Here is the October 2019 issue, covering a ton of cool new stuff that was added to your platform.

Four members of the Technical Content team created this new short video that covers the following items and more!
  • 400+ new phishing templates, 25 new landing pages, and new landing page categories
  • 75+ new ModStore items
  • New addition to our knowledge base: A Whitelisting Wizard
  • New PhishER feature: Machine learning functionality called PhishML
  • New feature for the Phish Alert Button: Custom confirmation messages
  • Our brand-new free tool: Multi-factor Authentication Security Assessment (MASA)
  • KCM GRC now supports single sign-on and SAML 2.0
Here is the video - warmly recommended to quickly get up to speed!
https://support.knowbe4.com/hc/en-us/articles/360015575313-Video-Quarterly-Product-Update-October-2019

The 11 Interesting News Items This Week
    1. Exclusive: U.S. carried out secret cyber strike on Iran in wake of Saudi oil attack, officials say:
      https://www.reuters.com/article/us-usa-iran-military-cyber-exclusive/exclusive-u-s-carried-out-secret-cyber-strike-on-iran-in-wake-of-saudi-oil-attack-officials-say-idUSKBN1WV0EK

    2. Russia cyber aggression fuels tensions with west:
      https://www.ft.com/content/0aa7a6e0-ca52-11e9-af46-b09e8bfe60c0

    3. Now the cost of an (often killer) cyber-attack on a small business is 200,000 dollars:
      https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html

    4. Baltimore to purchase $20M in cyber insurance as it pays off contractors who helped city recover from ransomware:
      https://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-cyber-attack-insurance-20191016-4owu233bmfgnjmqu3yf2rzjxt4-story.html

    5. Texas Chief Information Officer Shares Lessons Learned from Ransomware Attack:
      https://www.nextgov.com/cybersecurity/2019/10/texas-chief-information-officer-shares-lessons-learned-ransomware-attack/160598/

    6. Microsoft Authenticator App To Get Real-Time Phishing Protections:
      https://redmondmag.com/articles/2019/10/11/microsoft-authenticator-app-phishing-protections.aspx?m=1

    7. What CISOs need to do to maximize Cybersecurity Awareness Month:
      https://www.zdnet.com/article/what-cisos-need-to-do-to-maximize-cybersecurity-awareness-month/

    8. Domain Typosquatters Target the 2020 Presidential Election:
      https://www.bleepingcomputer.com/news/security/domain-typosquatters-target-the-2020-presidential-election/

    9. Cryptojacking worm uses Docker to infect over 2,000 systems to secretly mine Monero:
      https://thenextweb.com/hardfork/2019/10/16/cryptojacking-worm-uses-docker-to-infect-over-2000-systems-to-secretly-mine-monero/

    10. New botnet nabs victims by sending 30,000 “sextortion” emails per hour:
      https://www.fastcompany.com/90417865/new-botnet-nabbed-victims-by-sending-30000-sextortion-emails-per-hour

    11. BONUS China: "We are a 'Huge Fan' of Your Work, and we are stealing it so we can build our own airplane":
      https://www.crowdstrike.com/resources/wp-content/brochures/reports/huge-fan-of-your-work-intelligence-report.pdf
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.