CyberheistNews Vol 5 #1 Jan 6, 2015
Kim Zetter did her homework for WIRED magazine: she looked at the current threats and extrapolated how they would unfold over the coming 12 months. She has cast a wider net than normal, now that nation-states are up to their elbows in cyber warfare. I will give a short excerpt of each of the six biggest threats, and I recommend you read the whole article at WIRED. Link at the end.
Nation-State Attacks
The NSA and the UK’s GCHQ hacked Belgium’s state-owned telecom Belgacom. New revelations about the Regin malware used in the hack, however, show how the attackers also sought to hijack entire telecom networks outside of Belgium. These and other efforts the NSA has employed to undermine encryption and install backdoors in systems remain the biggest security threat we face in general.
Extortion
Controversy still swirls around the Sony hack and the motivation for that breach, but hacker shakedowns are likely to occur again. The Sony hack wasn’t the first hacker extortion we’ve seen, but most of them until now have occurred on a small scale—using ransomware. The Sony hack is the first high-profile extortion breach that involved threats of data leaks and could become a bigger problem for prominent targets like Sony.
Data Destruction
The Sony hack announced another kind of threat we haven’t seen much in the U.S.: the data destruction threat. This could become more common in 2015. The attackers behind the breach of Sony Pictures Entertainment didn’t just steal data from the company; they also deleted it. It’s a tactic that had been used before in attacks against computers in South Korea, Saudi Arabia and Iran.
Bank Card Breaches Will Continue
In the last decade there have been numerous high-profile breaches involving the theft of data from millions of bank cards. Card issuers and retailers are slowly moving to adopt more secure EMV or chip-‘n’-PIN cards and readers, which use an embedded microchip that generates a one-time transaction code on in-store purchases and a customer-entered PIN that makes stolen data less useful. With the shift to EMV cards, hackers will simply shift their focus.
Third-Party Breaches
In recent years we’ve seen a disturbing trend in so-called third-party hacks, breaches that focus on one company or service solely for the purpose of obtaining data or access to a more important target. We saw this in the Target breach when hackers got into the retailer’s network through a heating and air-conditioning company that did business with Target and had access to its network. But this is low-level compared with more serious third-party breaches against certificate authorities and others that provide essential services. These kinds of breaches are significant because they undermine the basic trust that users have in the Internet’s infrastructure.
Critical Infrastructure
One sign that hackers are looking at industrial control systems in the U.S. is a breach that occurred in 2012 against Telvent, a maker of smart-grid control software used in portions of the U.S. electrical grid as well as in some oil and gas pipeline and water systems.
The hackers gained access to project files for the company’s SCADA system. Vendors like Telvent use project files to program the industrial control systems of customers and have full rights to modify anything in a customer’s system through these files. Hackers can use project files to infect customers or use the access that companies like Telvent have to customer networks to study the customer’s operations for vulnerabilities. Just like hackers used third-party systems to gain access to Target, it’s only a matter of time before they use companies like Telvent to gain access to critical industrial controls—if they haven’t already.
Here is the full (warmly recommended) article:
https://www.wired.com/2015/01/security-predictions-2015/
And if you have missed my 2015 Crystal Ball issue that has 10 security predictions for 2015, you can find it archived on our blog:
https://blog.knowbe4.com/2015-crystal-ball-/-three-scams-to-warn-your-users-about
Cybersecurity Is Now Top Risk Consideration In Board Room
An excellent article to forward to your C-Level execs.
The Wall Street Journal polled its readers and asked them to rate the top compliance issues of 2014. The answers were very interesting! They asked what the top compliance-related crisis from 2014 was, and readers chose a clear winner—the Target, Home Depot and Sony hacking incidents grabbed the attention of executives everywhere, bringing home the reality that cybersecurity has become a top risk consideration in the board room. Poll participants picked the breaches 54.3% of the time, more than double the second-place finisher, the scandal surrounding the London Interbank Offered Rate.
Given how strongly cyber breaches scored in that question, it probably comes as no surprise that cybercrime/data privacy emerged as the issue WSJ readers most expect to grow in importance in 2015. The final tally had 71.9% picking this answer, making it a runaway winner over the next pick, money laundering. Here is a link to the full article at the KnowBe4 blog.
PS: You should subscribe to the blog and get these posts sent to your inbox the moment they come out!
https://blog.knowbe4.com/cybersecurity-top-risk-consideration-in-board-room
Warm Regards,
Stu Sjouwerman
Quotes of the Week:
"At the center of your being you have the answer; you know who you are and you know what you want." - Lao Tzu, Philosopher (604 - 531 BC)
"An investment in knowledge pays the best interest." - Benjamin Franklin (1706 - 1790)
Updated Security Awareness Training Modules For 2015
- Kevin Mitnick Security Awareness Training was updated for 2015 with a new focus on ransomware and how employees can arm themselves against getting all the company files encrypted.
- PCI 3.0 Compliance Simplified has been released, which updates the earlier course and covers the changes related to 3.0. The intended learners are people who are responsible for keeping credit card information secure.
- The Mobile Device Security Module has been updated for 2015 with a new video that shows how easy it is to spoof a phone number or text, and how mobile devices are used for social engineering.
You can find all our training modules here:
https://www.knowbe4.com/knowbe4-training-modules-overview/
The Most Popular Blog Post In 2014
Viewed by many thousands of system administrators, the most viewed blog post in 2014 was the one where Symantec admitted that antivirus was dead:
"An article in the Wall Street Journal of May 5, 2014 summarized what I have been talking about these last few years. 25 years ago, Symantec was one of the first IT security companies to develop commercial antivirus software to protect computers from hackers. Now the company says that's no longer working. Antivirus "is dead," says Brian Dye, Symantec's senior vice president for information security. "We don't think of antivirus as a moneymaker in any way." Mr. Dye estimates antivirus now catches just 45% of cyberattacks.
"Antivirus products try to keep the bad guys out of a computer. But hackers often get in anyway, using 0-day threats, social engineering and other tactics. So Brian Dye is reinventing Symantec; instead of protecting against the bad guys, he is now focusing on detection and response, following FireEye which recently paid $1 billion for Mandiant who act like hackbusters after a data breach.
"Ted Schlein, who helped create Symantec's first antivirus product, describes such software as "necessary but insufficient." As a partner at venture-capital firm Kleiner Perkins Caufield & Byers, Mr. Schlein invests in new cybersecurity companies that compete with Symantec.
"It is clear that new strategies need to be deployed to make sure defense-in-depth is effective. Providing effective Kevin Mitnick Security Awareness Training is the starting point, but moving toward whitelisting as a measure to block unauthorized executables is another way to stop malware from taking hold on a computer."
Here is the original blog post with several links embedded.
https://blog.knowbe4.com/bid/384862/Shocker-Symantec-Admits-That-Antivirus-Is-Dead
Forcing Apple To Fix An iCloud Infrastructure Hole
Suppose you are a security researcher and you find a hole in Apple's iCloud authentication big enough to drive a truck through? And they drag their heels in fixing it? You release a hacking tool on Github so that everyone can download it and unleash it against iCloud.
That's what happened just now. Any employee with a weak password is now a risk until this vulnerability has been fixed by Apple. The tool, called iDict and released by a hacker who calls himself Pr0x13, makes use of an exploit in Apple's iCloud security infrastructure to bypass the restrictions and the two-factor authentication that are supposed to stop brute force attacks and keep attackers from gaining access to iCloud accounts.
As part of your ongoing security awareness program, tell any employees who use Apple devices that as a New Year's security measure, they need to make sure they have a STRONG password!
Schneier: Sony Hackers May Have Had Inside Help
Well-known IT Security guru Bruce Schneier commented on recent discoveries related to the Sony Hack. First of all, an analysis of the timestamps on some of the leaked documents shows that they were downloaded at USB 2.0 speeds -- which implies help from an insider who downloaded the file to a USB stick.
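The timestamp argument above is a simple forensic calculation: if files were copied one after another, each file's modification time records when its copy finished, so the gap between consecutive timestamps divided into the file size gives the sustained write rate. The following is an added illustration, not code from Schneier's post or from the Sony investigation; the file listing and the throughput bands are constructed assumptions for demonstration.

```python
"""Estimate the copy rate implied by file timestamps in an archive listing.

Assumptions: files were copied sequentially, the destination preserved
modification times, and there were no long pauses between files.
"""
from datetime import datetime

# Constructed sample listing (name, size in bytes, modification time).
# Values are invented for illustration, not taken from any real leak.
USB_LIKE_LISTING = [
    ("archive_01.zip", 250_000_000, datetime(2014, 11, 20, 10, 0, 0)),
    ("archive_02.zip", 250_000_000, datetime(2014, 11, 20, 10, 0, 10)),
    ("archive_03.zip", 100_000_000, datetime(2014, 11, 20, 10, 0, 14)),
    ("archive_04.zip", 150_000_000, datetime(2014, 11, 20, 10, 0, 20)),
]

# Rough sustained-throughput bands in MB/s (1 MB = 10^6 bytes). These are
# assumed heuristics for the example, not figures from the article.
RATE_BANDS = [
    (5.0, "WAN upload class (<5 MB/s)"),
    (15.0, "100 Mbit Ethernet class (5-15 MB/s)"),
    (40.0, "USB 2.0 class (15-40 MB/s)"),
    (130.0, "Gigabit Ethernet class (40-130 MB/s)"),
]

def per_file_rates(listing):
    """MB/s implied by each consecutive (timestamp gap, file size) pair.
    Files are ordered by mtime; the first file has no preceding gap."""
    ordered = sorted(listing, key=lambda f: f[2])
    rates = []
    for prev, cur in zip(ordered, ordered[1:]):
        seconds = (cur[2] - prev[2]).total_seconds()
        if seconds <= 0:  # identical timestamps carry no rate information
            continue
        rates.append(cur[1] / 1e6 / seconds)
    return rates

def aggregate_rate(listing):
    """Bytes of every file after the first, divided by total elapsed time."""
    ordered = sorted(listing, key=lambda f: f[2])
    if len(ordered) < 2:
        return None
    seconds = (ordered[-1][2] - ordered[0][2]).total_seconds()
    total = sum(f[1] for f in ordered[1:])
    return total / 1e6 / seconds if seconds > 0 else None

def classify_rate(mb_per_s):
    """Map a sustained rate to the transport class it most resembles."""
    for limit, label in RATE_BANDS:
        if mb_per_s < limit:
            return label
    return "USB 3.0 / local disk class (>130 MB/s)"
```

A rate that sits in the USB 2.0 band is consistent with a local copy to removable media, while Internet exfiltration from a typical office link would usually land in a far lower band.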
Other evidence implies insiders as well. Some investigators believe the disgruntled former employee or employees may have joined forces with pro-piracy hacktivists, who have long resented Sony's anti-piracy stance, to infiltrate the company's networks.
The FBI still blames North Korea, although it is now thinking that the North Koreans hired outside hackers.
Schneier also wrote that bluffing about this is a smart strategy for the US government: "...from a diplomatic perspective, it's a smart strategy for the US to be overconfident in assigning blame for the cyberattacks. Beyond the politics of this particular attack, the long-term US interest is to discourage other nations from engaging in similar behavior. If the North Korean government continues denying its involvement, no matter what the truth is, and the real attackers have gone underground, then the US decision to claim omnipotent powers of attribution serves as a warning to others that they will get caught if they try something like this."
Of course, this strategy completely backfires if the attackers can be definitely shown to be not from North Korea. Stay tuned for more.
When insiders become hackers and are able to walk out with hundreds of megabytes of data, it's obvious that the defense-in-depth of that organization has failed. The outer layer of your defense-in-depth strategy is Security Policy, Procedures and Awareness, with security awareness training being a crucial part of this.
I recommend you read his full blog post - Schneier is a great guy to follow as well, always excellent insights.
https://www.schneier.com/blog/archives/2014/12/more_data_on_at.html
Cyberheist 'FAVE' LINKS:
This Week's Links We Like. Tips, Hints And Fun Stuff.
Slide Show: 15 sci-fi technologies that are (almost) here:
https://www.infoworld.com/article/2606741/computer-hardware/146149-Science-vs.-fiction-15-sci-fi-technologies-that-are-almost-here.html
And last but not least, here are 20 videos we couldn't stop watching in 2014:
https://www.fastcodesign.com/3040111/20-videos-we-couldnt-stop-watching-in-2014