The Six Biggest Security Threats We’ll Face in 2015





 
 
 

CyberheistNews Vol 5 #1 Jan 6, 2015

Kim Zetter did her homework for WIRED magazine: she extrapolated the current threats and looked at how they would unfold in the coming 12 months. She has cast a wider net than normal, now that nation-states are up to their elbows in cyber warfare. I will give a short excerpt of each of the six biggest threats, and I recommend you read the whole article at WIRED. Link at the end.

Nation-State Attacks

The NSA and the UK’s GCHQ hacked Belgium’s state-owned telecom Belgacom.  New revelations about the Regin malware used in the hack, however, show  how the attackers also sought to hijack entire telecom networks outside  of Belgium. These and other efforts the NSA has employed to undermine  encryption and install backdoors in systems remain the biggest security  threat we face in general.

Extortion

Controversy still swirls around the Sony hack and the motivation for that breach, but hacker shakedowns are likely to occur again. The Sony hack wasn’t the first hacker extortion we’ve seen, but most of them until now have occurred on a small scale—using ransomware. The Sony hack is the first high-profile extortion breach that involved threats of data leaks and could become a bigger problem for prominent targets like Sony.

Data Destruction

The Sony hack announced another kind of threat we haven’t seen much in  the U.S.: the data destruction threat. This could become more common in 2015.  The attackers behind the breach of Sony Pictures Entertainment didn’t  just steal data from the company; they also deleted it. It’s a tactic  that had been used before in attacks against computers in South Korea,  Saudi Arabia and Iran. 

Bank Card Breaches Will Continue

In the last decade there have been numerous high-profile breaches involving  the theft of data from millions of bank cards. Card issuers and retailers  are slowly moving to adopt more secure EMV or chip-‘n’-PIN cards and readers,  which use an embedded microchip that generates a one-time transaction code  on in-store purchases and a customer-entered PIN that makes stolen data  less useful. With the shift to EMV cards, hackers will simply shift their  focus. 

Third-Party Breaches

In recent years we’ve seen a disturbing trend in so-called third-party hacks,  breaches that focus on one company or service solely for the purpose of  obtaining data or access to a more important target. We saw this in the  Target breach when hackers got into the retailer’s network through a  heating and air-conditioning company that did business with Target and  had access to its network. But this is low-level compared with more serious  third-party breaches against certificate authorities and others that provide  essential services. These kinds of breaches are significant because they  undermine the basic trust that users have in the Internet’s infrastructure.

Critical Infrastructure

One sign that hackers are looking at industrial control systems in the U.S.  is a breach that occurred in 2012 against Telvent, a maker of smart-grid  control software used in portions of the U.S. electrical grid as well as  in some oil and gas pipeline and water systems. 

The hackers gained access to project files for the company’s SCADA system.  Vendors like Telvent use project files to program the industrial control  systems of customers and have full rights to modify anything in a  customer’s system through these files. Hackers can use project files to  infect customers or use the access that companies like Telvent have to  customer networks to study the customer’s operations for vulnerabilities. Just like hackers used third-party systems to gain access to Target, it’s  only a matter of time before they use companies like Telvent to gain access  to critical industrial controls—if they haven’t already.

Here is the full (warmly recommended) article:
https://www.wired.com/2015/01/security-predictions-2015/

And if you have missed my 2015 Crystal Ball issue that has 10 security  predictions for 2015, you can find it archived on our blog:
https://blog.knowbe4.com/2015-crystal-ball-/-three-scams-to-warn-your-users-about

Cybersecurity Is Now Top Risk Consideration In Board Room

An excellent article to forward to your C-level execs.

The Wall Street Journal polled its readers and asked them to rate the top  compliance issues of 2014. The answers were very interesting! They asked  what the top compliance-related crisis from 2014 was, and readers chose a  clear winner—the Target, Home Depot and Sony hacking incidents grabbed  the attention of executives everywhere, bringing home the reality that  cybersecurity has become a top risk consideration in the board room.  Poll participants picked the breaches 54.3% of the time, more than double  the second-place finisher, the scandal surrounding the London Interbank  offered rate.   

Seeing the support for cyber breaches in that question, it probably  comes as no surprise that cybercrime/data privacy emerged as the issue  WSJ readers most expect to grow in importance in 2015. The final tally  had 71.9% picking this answer, making it a runaway winner over the next  pick, money laundering. Here is a link to the full article at the KnowBe4  blog. 

PS: You should subscribe to the blog and get these posts sent to your  inbox the moment they come out!
https://blog.knowbe4.com/cybersecurity-top-risk-consideration-in-board-room


Warm Regards,
Stu Sjouwerman



Quotes Of The Week

 


"At the center of your being you have the answer; you know who you  are and you know what you want."  Lao Tzu, Philosopher (604 - 531 BC)

"An investment in knowledge pays the best interest."  - Benjamin Franklin (1706 -1790)

Security News

 

Updated Security Awareness Training Modules For 2015

  1. Kevin Mitnick Security Awareness Training was updated for 2015 with a new focus on ransomware and how employees can arm themselves against getting all the company files encrypted.
  2. PCI 3.0 Compliance Simplified  has been released, which updates  the earlier course and covers the changes related to 3.0. The intended  learners are people who are responsible for keeping credit card  information secure.
  3. The Mobile Device Security Module has been updated for 2015  with a new video that shows how easy it is to spoof a phone number or text, and how mobile devices are used for social engineering.

You can find all our training modules here:
https://www.knowbe4.com/knowbe4-training-modules-overview/

The Most Popular Blog Post In 2014

Viewed by many thousands of system administrators, the most viewed blog post in 2014 was the one where Symantec admitted that antivirus was dead: 

"An article in the Wall Street Journal of May 5, 2014 summarized what I  have been talking about these last few years. 25 years ago, Symantec  was one of the first IT security companies to develop commercial  antivirus software to protect computers from hackers. Now the company  says that's no longer working. Antivirus "is dead," says Brian Dye,  Symantec's senior vice president for information security. "We don't  think of antivirus as a moneymaker in any way." Mr. Dye estimates  antivirus now catches just 45% of cyberattacks.

"Antivirus products try to keep the bad guys out of a computer. But  hackers often get in anyway, using 0-day threats, social engineering  and other tactics. So Brian Dye is reinventing Symantec; instead of  protecting against the bad guys, he is now focusing on detection and  response, following FireEye which recently paid $1 billion for Mandiant  who act like hackbusters after a data breach.

"Ted Schlein, who helped create Symantec's first antivirus product,  describes such software as "necessary but insufficient." As a partner  at venture-capital firm Kleiner Perkins Caufield & Byers, Mr. Schlein  invests in new cybersecurity companies that compete with Symantec. 

"It is clear that new strategies need to be deployed to make sure  defense-in-depth is effective. Providing effective Kevin Mitnick  Security Awareness Training is the starting point, but moving toward  whitelisting as a measure to block unauthorized executables is another  way to stop malware from taking hold on a computer.  

Here is the original blog post with several links embedded.
https://blog.knowbe4.com/bid/384862/Shocker-Symantec-Admits-That-Antivirus-Is-Dead

Forcing Apple To Fix An iCloud Infrastructure Hole

Suppose you are a security researcher and you find a hole in Apple's iCloud authentication big enough to drive a truck through? And they drag their heels in fixing it? You release a hacking tool on GitHub so that everyone can download it and unleash it against iCloud.

That's what happened just now. Any employee with a weak password is now a risk until this vulnerability has been fixed by Apple. The tool is called iDict and was released by a hacker who calls himself Pr0x13. It makes use of an exploit in Apple's iCloud security infrastructure to bypass the restrictions and two-factor authentication that prevent brute-force attacks and keep attackers from getting access to iCloud accounts.

As part of your ongoing security awareness program, tell any employees  who use Apple devices that as a New Year's security measure, they  need to make sure they have a STRONG password!

Schneier: Sony Hackers May Have Had Inside Help

Well-known IT Security guru Bruce Schneier commented on recent discoveries  related to the Sony Hack. First of all, an analysis of the timestamps on  some of the leaked documents shows that they were downloaded at USB 2.0  speeds -- which implies help from an insider who downloaded the file to  a USB stick.

Other evidence implies insiders as well. Some investigators believe a disgruntled former employee or employees may have joined forces with pro-piracy hacktivists, who have long resented Sony's anti-piracy stance, to infiltrate the company's networks.

The FBI still blames North Korea, although it is now thinking that the  North Koreans hired outside hackers. 

He also wrote that bluffing about this is a smart strategy for the US  government: "...from a diplomatic perspective, it's a smart strategy for  the US to be overconfident in assigning blame for the cyberattacks.  Beyond the politics of this particular attack, the long-term US interest  is to discourage other nations from engaging in similar behavior. If  the North Korean government continues denying its involvement, no matter  what the truth is, and the real attackers have gone underground, then  the US decision to claim omnipotent powers of attribution serves as a  warning to others that they will get caught if they try something like  this."

Of course, this strategy completely backfires if the attackers can be definitively shown not to be from North Korea. Stay tuned for more.

When insiders become hackers and are able to walk out with hundreds of  megabytes of data, it's obvious that the defense-in-depth of that  organization has failed. The outer layer of your defense-in-depth  strategy is Security Policy, Procedures and Awareness, with security  awareness training being a crucial part of this. 

I recommend you read his full blog post - Schneier is a great guy to  follow as well, always excellent insights.
https://www.schneier.com/blog/archives/2014/12/more_data_on_at.html

Slide Show: 15 sci-fi technologies that are (almost) here:

https://www.infoworld.com/article/2606741/computer-hardware/146149-Science-vs.-fiction-15-sci-fi-technologies-that-are-almost-here.html?

And last but not least, here are 20 videos we couldn't stop watching in 2014:
https://www.fastcodesign.com/3040111/20-videos-we-couldnt-stop-watching-in-2014?

                                           
 
                                           


