It is a mystery that bad guys have not jumped on this in higher volume. However, a major malware phishing campaign claiming ISIS attacks has been found in Australia.
What you may not know is that several cyber gangs use very modern techniques like Agile software development, beta testing and more. English speaking countries like Australia and the U.K. are used to test and fine-tune malware campaigns which are then unleashed on the U.S. of A.
So, thank you mister bad guy for the advance warning. We now have a heads-up about something that is going to happen in America in the very near future: malware campaigns claiming that ISIS will attack landmarks like the White House, Wall Street, or the new World Trade Center in New York. It's only a matter of time. So, let's inoculate our employees ahead of time! Send them this:
"Cyber criminals are using hoax "breaking news" events more and more to get people to click on links or open attachments. At the moment there is a scam email which claims that ISIS has warned Australian Police about new attacks in Sydney during 2015. The email tells recipients to open an attached Word document to read a detailed news story about the supposed attack threats.
"The claims in the email are bogus and the attached document is infected with malware. There are no credible news or police reports about such a warning from ISIS. You are very likely to get scam emails claiming ISIS attacks like this at the house or in the office. Do not open them, do not click links, do not open attachments and delete these emails. Remember: "When in doubt, throw it out!""
For KnowBe4 customers, we have a new template in Current Events, with the title: "Breaking News: ISIS Announces When and Where They Will Attack the US"
AV-Test: "There Are Now 12 Million New Malware Variants Per Month"
The AV-Test site reported that they found 143 Million new malware samples in 2014 and 12 million new variants per month.
The Independent IT security institute AV-Test regularly publishes a great statistic about the number of malware strains. Their new report reveals there are now a whopping 12 million new variants per month.
The AV-TEST Institute registers over 390,000 new malicious programs every day. These are examined using their proprietary analysis tools and classified according to their characteristics. Visualization programs then transform the results into diagrams that are updated regularly and produce current malware statistics.
Looking at the last year, the month with the greatest number of new threats was August, when over 18 million new samples were identified by AV-Test. No wonder that the average antivirus detection lag has expanded from 6 hours to 2 days. Antivirus is not dead but it cannot keep up anymore. See graph here:
The stats reported a total of 143 million new malicious software samples in 2014, an amazing amount that shows this is automated on a (criminal) industrial scale. The data shows an exponential growth in new cyber threats recorded over the years. Mobile malware is also up 75% for 2014 compared to the year before, largely due to the proliferation of new ransomware campaigns such as ScarePakage. The number of new malware strains in 2014 is significantly higher than in earlier years. Here are some graphs that illustrate all this at the KnowBe4 Blog. (By the way, you should subscribe to the blog and get these alerts in real time.)
These numbers show again that you need to work hard on your defense-in-depth. And to start out with, by far the best bang for your IT security budget is effective security awareness training. Find out how affordable this is for your organization now: https://info.knowbe4.com/kmsat_get_a_quote_now
Train Employees And Cut Cyber Risks Up To 70 Percent
It's a well-known fact that employees are the weakest link in IT security. There is good news though! New research from our friends at Wombat Security Technologies and the Aberdeen Group gives a solid foundation to the anecdotal evidence that end-user education cuts down on data breaches. When they are exposed to cyber risks like phishing, social media, and other attack vectors, security awareness training can reduce your organization's risk by as much as 70 percent.
The newly published report concludes that despite soft and hardware protection being in place, the vast majority of security incidents are caused by actions of untrained company employees. This new report clearly demonstrates that your relatively low investment in security awareness training helps you to significantly improve your level of defense-in-depth. It's a great tool to get budget allocated.
"It's important for security teams to communicate clearly about the risks that organizations are accepting when their employees' response to cyber threats is not addressed," says Derek Brink, VP and Research Fellow for Aberdeen Group, at Harte Hanks Company. "While the public disclosures of the past several months have provided some startling examples about what can happen when security awareness and training is ignored, Aberdeen and Wombat have developed this model to address the most basic and logical question that security teams so often struggle to address: How does an investment in changing end user behavior through innovative security education solutions actually reduce the organization's risk?"
The report concludes that creating budget for security awareness training is effective in changing employee behavior and measurably reduces security-related risks by between 45 and 70 percent. Well, I'm glad someone did the homework and came up with some hard numbers. You can get access to this report for FREE at the Aberdeen Group or Wombat, but you do need to register. https://www.aberdeen.com/research/9910/RR-Changing-User-Behaviors.aspx/content.aspx
Warm Regards, Stu Sjouwerman
Quotes Of The Week
"A lie has to be tended, watched and guarded. A truth you send out on its own." - Rick Reilly, American sportswriter.
"He who dares not offend cannot be honest." - Thomas Paine
Are Your Email Addresses On A Russian Phishing Site?
We are finding many U.S. commercial email addresses at a Russian phishing website. It is really a 'staging' area for emails to be posted by the criminal underground. Sadly, Google indexes this site and it makes for easy searching. Unfortunately there is nothing you can do to get emails taken down from this site, but you should be aware of what is out there.
The (free) KnowBe4 Email Exposure Check (EEC) helps to give you a better understanding of your security posture in regards to exposed email addresses on the Internet. Call it your 'email attack surface'. The emails on this Russian site are more commonly spear-phished. You can use the EEC report to flag these email addresses so that you can better tune your spam traps and to monitor for email based attacks. And obviously you specifically need to give effective security awareness training to the employees with those exposed email addresses.
Quick Reminder: InfoSec World Conference & Expo 2015
Put this in your calendar: March 23-25, 2015 - InfoSec World 2015, coming to Disney's Contemporary Resort this March, is now just 2 months away! Don't miss this 7-track event featuring a lineup of conference sessions, workshops and summits that address the most pressing matters in information security today. And, just for being a Cyberheist News subscriber, register with the special discount code OS15/CHN and you'll receive 10% off the conference registration fee. To register, simply call the Customer Service department, who can sign you up over the phone: 508-879-7999 ext. 501, and don't forget to mention your discount code - OS15/CHN! www.misti.com/infosecworld
SMBs Are Now The Preferred Cybercrime Target
I have a great article that you can send to C-level execs in your constant quest for more IT security budget. The main message is simple and communicates a clear and present danger:
"Small and midsized businesses are now the preferred targets for cybercriminals – not because they are lucrative prizes individually but because automation makes it easy to attack them by the thousands, and far too many of them are easy targets."
Taylor Armerding at CSO magazine nailed it: "Does the size of your enterprise really matter to cybercriminals? Well, yes and no.
"Most experts would agree with Jody Westby, CEO of Global Cyber Risk, when she says, 'it is the data that makes a business attractive, not the size – especially if it is delicious data, such as lots of customer contact info, credit card data, health data, or valuable intellectual property.'
President Obama on Monday outlined a proposal that would require companies to inform their customers of a data breach within 30 days of discovering their information has been hacked. But depending on what is put in and left out of any implementing legislation, the effort could well lead to more voluminous but less useful disclosure. Here are a few thoughts about how a federal breach law could produce fewer yet more meaningful notices that may actually help prevent future breaches. Article by the venerable Brian Krebs: https://krebsonsecurity.com/2015/01/toward-better-privacy-data-breach-laws/
This Week's Links We Like. Tips, Hints And Fun Stuff.