KnowBe4 Releases Email Exposure Check Pro
KnowBe4 Releases Email Exposure Check Pro to Help Organizations Identify At-Risk Users
KnowBe4, provider of the most popular security awareness training and simulated-phishing platform, today announced the release of the new version of its Email Exposure Check (EEC). The new version is called the EEC Pro, has powerful additional features and is still provided at no cost.
While employees give out their corporate email for various reasons, IT is hard-pressed to keep track and manage the risk. EEC Pro helps IT by identifying an organization’s at-risk users by crawling social media information and scouring hundreds of breach databases to identify risk associated with user emails and identities. The more at-risk email addresses a company has, the bigger its attack surface, and the higher its risk. EEC Pro only requires filling out a form, and works in two stages. The first stage performs deep web searches to find publicly available organization data provided on sites such as LinkedIn and Facebook. This allows the EEC Pro to show what organizational structure an attacker would be able to easily pull together and use to craft targeted attacks.
The second stage of EEC Pro utilizes the Have I Been Pwned data breach service to find users that have had their account information released in any of several hundred breaches. These users are particularly at-risk because an attacker knows more about them, potentially including their actual passwords. As the final step, EEC Pro provides a detailed summary report to the IT team, including an overview of the data found, a summary of organizational risk levels, and a link to a web report that contains a full list of all users found, the breaches the users were found in, and an overview of the data included in the breach. This allows IT managers to ensure exposed emails or exposed passwords are modified.
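The two stages described above, as an added example that is not KnowBe4's own EEC Pro code: stage one harvests addresses at the organisation's domain from constructed "crawled" text, and stage two joins them against a constructed breach catalogue standing in for a breach-notification lookup (the article names Have I Been Pwned) to produce the per-user and organisation-level summary the report contains. The domain, addresses and breach names are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample of text "crawled" from a public page (stage one);
# only addresses at the organisation's own domain are of interest.
CRAWLED_TEXT = """
Contact our sales lead Alice Adams <alice@example-corp.test> or
bob.brown@example-corp.test (Finance). Press: press@other-site.test
Carol Cho - carol@Example-Corp.test - Operations
"""

# Constructed breach catalogue: which data classes each breach exposed.
BREACHES = {
    "ForumDump2014": {"year": 2014, "data": {"email", "username"}},
    "ShopLeak2016": {"year": 2016, "data": {"email", "password"}},
    "HRPortal2017": {"year": 2017, "data": {"email", "password", "date_of_birth"}},
}

# Constructed breach membership, standing in for the answer a breach
# notification service would give for each address.
BREACH_INDEX = {
    "alice@example-corp.test": ["ForumDump2014"],
    "bob.brown@example-corp.test": ["ShopLeak2016", "HRPortal2017"],
    "carol@example-corp.test": ["HRPortal2017"],
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest_addresses(text, org_domain):
    """Stage one: pull the organisation's own addresses out of public text."""
    found = {m.lower() for m in EMAIL_RE.findall(text)}
    return sorted(a for a in found if a.endswith("@" + org_domain.lower()))


def user_exposure(email):
    """Stage two for one user: breaches, leaked data classes, risk level."""
    hits = BREACH_INDEX.get(email.lower(), [])
    leaked = set()
    for name in hits:
        leaked |= BREACHES[name]["data"]
    if "password" in leaked:
        risk = "high"      # a credential an attacker may try directly
    elif hits:
        risk = "medium"    # identity data that sharpens a targeted lure
    else:
        risk = "none"
    return {"email": email, "breaches": sorted(hits),
            "leaked": sorted(leaked), "risk": risk}


def exposure_report(users):
    """Organisation-level summary of the kind the article describes."""
    rows = [user_exposure(u) for u in users]
    by_level = defaultdict(int)
    for row in rows:
        by_level[row["risk"]] += 1
    return {
        "total": len(rows),
        "exposed": sum(1 for r in rows if r["breaches"]),
        "by_level": dict(by_level),
        # addresses whose passwords are public: force a reset first
        "reset_required": sorted(r["email"] for r in rows if r["risk"] == "high"),
        "users": rows,
    }


if __name__ == "__main__":
    users = harvest_addresses(CRAWLED_TEXT, "example-corp.test")
    report = exposure_report(users)
    print(f"{report['exposed']}/{report['total']} exposed; "
          f"password reset required: {report['reset_required']}")
```

The risk levels are deliberately simple: a leaked password outranks everything else because it is directly usable, while any other breach membership still matters since it gives an attacker material for a convincing lure.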
“Since 91% of data breaches start with a successful phishing attack, an organization must act reasonably or do what is necessary or appropriate to protect its data and take steps to identify weaknesses that expose their employees,” said Stu Sjouwerman, Founder and CEO of KnowBe4. “Employees are the last line of defense within an organization. We want to make it as easy as possible for IT professionals to reduce their attack surface and strengthen their weakest links. You need to create a ‘Human Firewall.’”
Exposed emails and passwords can lead to recent data breaches such as those experienced by security companies Mandiant and Enigma where compromised passwords were not changed.
For more information on KnowBe4 or the Email Exposure Check Pro, contact us via email or give us a call.
10 Cyber Security Threats to keep you awake at night
Businesses have cause to celebrate the benefits of technology – but fear it as well – as cyber-security journalist Tom Reeve explains.
From word processing, accounting packages and emails to process automation, just in time shipping and online sales and marketing, the hardware and software that drives modern businesses have enabled massive jumps in productivity while driving down costs.
However, the very internet service that enables your business – your entire IT infrastructure from the boardroom to the shop floor – may be hijacked by attackers to eat your organisation from within. This goes beyond losing control of your Twitter account or the front page of your website being defaced – it is a battle for your data and your money.
You may consider cyber-security as an IT issue or something that falls under the remit of the audit committee, but IT is everywhere and organisations ignore cyber-security at their peril – just ask TalkTalk, Tesco Bank and Camelot, to name just a few.
In a series of articles I will look at who these attackers are, what they are looking for and how you and your board of directors can fight back against the hackers.
But first, let’s take a quick tour through 10 of the biggest threats facing organisations, large and small.
1. Network infiltration is the basis for many high-profile attacks, and it involves exploiting weaknesses in software, systems, hardware or staff to gain privileged access to servers and workstations. There are many ways to hack your network and cyber-security experts will tell you that it’s not a matter of if you get hacked – but when.
Once the attacker has gained entry to a trusted device on your network, then he’s spoilt for choice: steal the data on the computer, spy on the user to glean further usernames and passwords to other devices, lock the user out (see ransomware) or exploit weaknesses in the corporate network to force his way into other machines. Or he could harness the machine as part of a botnet, using it to send spam or attack computers outside your network.
Last year, it was revealed that Australian government systems, including a branch of the Defence Department, had been infiltrated repeatedly in the past five years, leading to the loss of plans for a geostationary satellite system among other things.
2. Ransomware is pretty much what it says on the tin, a new wrinkle on an attack that’s about as old as humanity itself. Ransomware is notable for being the one cyber-attack that goes out of its way to advertise itself. While other malicious software conceals itself, ransomware only hides for as long as it takes to encrypt your files. Then it launches a big banner proclaiming your new status as its victim.
Ransomware creators are noted for their excellent “customer” service. Their business model relies on teaching the victim how to do something that they probably haven’t done before: purchase bitcoins. They often include tutorials and even videos detailing each step.
Angela Sasse, professor of human-centred security at UCL, has interviewed victims about their experience of being attacked, and she says they often rave about how helpful the ransomers have been. However, this is to miss the point: by paying them, you are supporting their criminal business model and the advice from law enforcement, at least officially, is not to pay.
3. Trojan horses are a class of attack in which the harmful payload is hidden inside another ‘beneficial’ program, the most insidious examples of this being programs that claim to rid your computer of viruses or fix common configuration problems. Once downloaded, they will often ask for administrator rights on your device, be it a desktop, tablet or mobile phone.
Having enslaved your machine, a Trojan will typically open a connection to the internet and attempt to connect to a command and control server. Sometimes it will lie dormant, making it harder to detect and investigate the source of the attack. But when he’s ready, the attacker can download his choice of malware including keyloggers for sniffing passwords, botnet controllers to turn your machine into a DDoS robot and network intrusion tools to gain access to other machines.
Some Trojans have even been known to eliminate the competition by installing antivirus software and cleaning out other malware it finds on its host. Trojans are an effective and popular way to control computers, and even intelligence agencies have been known to employ them.
In the past year we have seen Trojans which bypass security on the Chrome browser, target customers of online Russian banks and even one designed to manipulate currency rates.
4. Phishing is an attack on your staff aimed at luring them into giving away passwords and other sensitive information. Dressed up as an email from a trustworthy source, it can appear to come from someone the person knows such as a friend or colleague or a bank or government agency.
Through training and vigilance, the incidence of successful phishing attacks can be reduced, but even so, the most savvy of users can fall for this attack if they aren’t paying attention.
Phishing attacks are usually sent to thousands of users at a time, but a more refined version of the attack, called spear-phishing, targets individuals. After carefully researching their victim, often using sources such as social media and publicly available corporate records, the attacker will write an email that sounds as if the sender knows the recipient personally.
Phishing and spear-phishing were used to gain access to the email accounts of Democratic Party officials in the US ahead of the presidential election, and phishing is also the most common type of malicious email that most people receive. Learning to spot these messages is one of the most effective skills you can learn for online survival.
5. Whaling is considered a variation of phishing even though it doesn’t contain any malware. Instead, it seeks to deceive the recipient into believing that it was written by a trusted figure – such as the company boss or a supplier – with instructions for wiring money.
In one well-known case, Ubiquiti, a manufacturer of network devices, was scammed out of $46.7 million (£37 million) by “an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties,” according to an SEC filing.
And slightly closer to home, last year, two European manufacturers – Leoni AG and FACC – lost €40 million each in separate whaling attacks. In the case of FACC, the CEO and CFO were both sacked.
6. Supply chain attacks come from trusted suppliers who have privileged access to your corporate network. Organisations often trust their suppliers with sensitive information and access to their internal affairs while forgetting that suppliers don’t always have perfect control over their own IT networks.
To mitigate the risks of supply chain data leaks, it could be beneficial to use technology such as supply chain software that can restrict access to sensitive information while also tracking who is retrieving the data from the system. A little bit of carefulness and tech upgrades could help to reduce supply chain attacks while also making inventory management an easier task for the employees.
In one well-known case in 2013, Target Stores in America was compromised by an HVAC service provider which had access to the retailer’s internal networks through a purchase order management system. Attackers gained access to Target through the HVAC supplier and then waited several months, until the Black Friday shopping weekend, to launch a massive attack against thousands of point-of-sale terminals, stealing details on 110 million people.
7. Zero-day vulnerabilities are a class unto themselves. All software packages are thought to have vulnerabilities, and responsible developers patch them as quickly as they can once they become aware of them. Responsible disclosure is a process whereby security researchers inform companies of the problem and give them the opportunity to patch the problem before it is announced to the wider computing community.
However, malicious researchers, sometimes called black hats, don’t disclose vulnerabilities when they discover them because hidden vulnerabilities are valuable. Zero-days – so-called because developers have zero days to respond to them – are traded by criminal groups and even nation states for up to half a million dollars in some cases.
However, most organisations don’t need to worry about zero-days for the simple reason that they only retain their value for as long as they remain unknown. The more a zero-day is used, the more likely it is to be discovered. Organisations need only ask themselves, are we worth a zero-day attack? If not, move on – there are enough other things to worry about.
8. Vulnerable equipment and software is less about deliberate attacks and more about manufacturers’ sloppy security practices. In the rush to get a product to market, or keep costs as low as possible, security often takes a backseat.
When acquiring new hardware or software, ask yourself if you can trust the supplier. A little research on the internet can reveal whether the manufacturer has been cited in many security research reports.
Even brand names are not immune. It was recently revealed that Honeywell SCADA controllers – network-connected devices for controlling industrial processes – contained insecure password data and were also vulnerable to “path traversal” attacks. And CISCO regularly publishes security alerts alongside software updates, detailing vulnerabilities that it has discovered and fixed.
9. BYOD (bring your own device) covers the personal devices that staff use to connect to your network. Whether it’s a mobile phone or a tablet, every time you allow a member of staff to connect their device to your network, you are shaking hands with a computer of unspecified pedigree and unknown hygiene.
Consider why you are allowing these mobile devices to access your network, and if it is just to allow them to use the Wi-Fi, consider setting up an isolated network for this purpose.
10. Denial of service is an attack that can bring your website or cloud services grinding to a halt. A common attack method, known as distributed denial of service (DDoS), typically employs a botnet of thousands of compromised computers to flood a victim’s server with packets of useless information.
The target becomes bogged down in the sheer number of requests it is forced to handle in attacks lasting minutes or days, slowing and sometimes crashing the device.
In a new wrinkle on this tried and tested attack, attackers are using the Mirai malware to take over internet-connected CCTV cameras and digital video recorders and launching the biggest DDoS attacks ever seen. Last year, Twitter, Spotify, Netflix, Amazon and Reddit were among the many websites taken offline for several hours by an attack on the Dyn DNS service which appears to have been enabled, at least in part, by a Mirai botnet.
So there you have it – ten cyber-threats facing your organisation.
Cerber Ransomware Now Evades Machine Learning
From Dark Reading
New variant has been broken into separate harmless-looking components to fool ML-based detection systems, Trend Micro says.
Cybercriminals have repeatedly shown an ability to innovate past whatever security controls organizations and industry have been able to throw in their way. So it is little surprise that some have begun taking a crack at machine learning tools.
Researchers at security vendor Trend Micro recently discovered a new version of the Cerber ransomware sample that appears designed specifically to evade detection by machine learning algorithms.
“The Cerber changes are really interesting as they’re a direct response to changes in how some products are detecting malware,” says Mark Nunnikhoven, vice president of cloud research for Trend Micro.
The newest version separates the different stages of the malware into multiple files and dynamically injects them into a running process, he says. “This helps to conceal them from various detection methods.”
Like other ransomware threats, the new version of Cerber is also distributed via email. The email contains a link to a self-extracting archive stored in a Dropbox account controlled by the attackers. The archive contains three files: one containing a Visual Basic script, the second a DLL, and the third a binary file. The script is designed to load the DLL, which then reads the binary file and executes it. The binary file contains a new loader for Cerber and also the configuration settings for the malware.
The loader first checks to see if it is running in a sandbox or other protected environment. If it discerns that it’s not in a protected environment, it injects the entire Cerber binary into one of several running processes, Trend Micro said in an alert this week.
“In their current form, some static machine learning-tools can have a hard time seeing the various pieces of the new configuration of Cerber,” Nunnikhoven says. The malicious parts of it don’t get analyzed, so the malware doesn’t get flagged.
The reason is that static machine learning approaches look at the content of a file and evaluate the contents to see if they match malicious behaviors and attributes, he says.
But if the malicious content of the file is hidden for instance via encryption, or it is injected in real-time into a legitimate process, the content is not evaluated for suspicious behavior and attributes, he says.
“Say someone walks up to the door and they’ve got their hands behind their back. You look through the peephole and don’t see an immediate threat so you let them in,” he says. You don’t know until they are already in the house whether what they have in their hands is malicious or benign.
The latest innovations only make Cerber harder to detect via machine learning algorithms, he says. It can still be detected by other mechanisms. “The take-home message is that only using one technique to detect malware leaves you vulnerable if the criminals adapt to it.”
News of Cerber’s latest tricks comes even as a new report from Carbon Black shows that many organizations remain unconvinced about the benefits of applying artificial intelligence and machine learning techniques to detect and stop cyber threats.
Nearly 75% of 410 security researchers that Carbon Black surveyed for the report describe AI-driven cybersecurity tools as being flawed, while 70% are convinced cyberattackers are capable of bypassing machine learning-based systems.
Mike Viscuso, co-founder and CTO of Carbon Black, says many current machine learning-based anti-malware tools are designed to stop attacks based on an inspection of files rather than behavior. They therefore miss the growing number of attacks that involve no malware files at all, he says.
Static, analysis-based approaches relying exclusively on files have been useful in the past. AI and ML-based tools can be useful in augmenting human decision-making and in spotting non-obvious relationships in massive volumes of security data. But they are of somewhat limited use in detecting non-malware attacks, he says.
Rather than using ML tools to look at individual files, organizations should be monitoring application and service activity, communications among processes, unauthorized requests to run applications, and changes to permission and credential levels, Viscuso says.
“If security tools are looking for just malware, they are missing an entire class of attacks that rely on native operating system tools to carry out nefarious actions. Attacks are evolving. So should [be] our defenses.”
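An added example, not Trend Micro's or Carbon Black's code, illustrating both points made above: why a per-file static scorer can miss a payload split into a script, a DLL and an opaque blob, and how monitoring process behaviour (a script host spawned by a mail client, a DLL loaded from a temp directory, then a thread created in another process) catches the same chain. The classifier, feature sets, file names, process names and telemetry lines are all constructed; the telemetry format is a simplified stand-in for endpoint events, not any vendor's real log format.

```python
# ---------- Part 1: per-file static scoring vs. an archive-level rule ----------
# Constructed stand-in for a file-based classifier. Each dropped component
# scores low on its own because the suspicious traits are spread across files.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}


def static_score(features):
    score = 0.0
    if features.get("is_script"):
        score += 0.25
    if INJECTION_APIS & set(features.get("imports", [])):
        score += 0.40
    if features.get("entropy", 0) > 7.5:        # packed or encrypted payload
        score += 0.30
    return round(score, 2)


# Constructed feature sets for the three files the article describes.
ARCHIVE = {
    "confirm.vbs": {"is_script": True},
    "helper.dll": {"imports": ["LoadLibraryA", "WriteProcessMemory", "CreateRemoteThread"]},
    "data.bin": {"entropy": 7.9},
}


def per_file_verdicts(archive, threshold=0.7):
    """One verdict per file, the way a per-file static scorer sees them."""
    return {name: static_score(f) >= threshold for name, f in archive.items()}


def archive_verdict(archive, threshold=0.7):
    """Score the archive as a unit: the combination of traits is the signal."""
    total = sum(static_score(f) for f in archive.values())
    exts = {name.rsplit(".", 1)[-1].lower() for name in archive}
    has_script = bool({"vbs", "js", "wsf"} & exts)
    staged = has_script and "dll" in exts and bool({"bin", "dat"} & exts)
    return total >= threshold or staged


# ---------- Part 2: behaviour beats file inspection ----------
# Constructed endpoint telemetry, one event per line:
#   time|event|source_image|target|detail
SAMPLE_EVENTS = r"""
10:00:01|ProcessCreate|outlook.exe|wscript.exe|C:\Users\u\AppData\Local\Temp\confirm.vbs
10:00:02|ImageLoad|wscript.exe|helper.dll|C:\Users\u\AppData\Local\Temp\helper.dll
10:00:03|FileRead|wscript.exe|data.bin|C:\Users\u\AppData\Local\Temp\data.bin
10:00:04|RemoteThread|wscript.exe|explorer.exe|CreateRemoteThread
10:05:00|ProcessCreate|explorer.exe|notepad.exe|C:\Windows\System32\notepad.exe
10:06:00|ImageLoad|notepad.exe|kernel32.dll|C:\Windows\System32\kernel32.dll
"""
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, src, tgt, detail = line.split("|", 4)
        events.append({"ts": ts, "kind": kind, "src": src.lower(),
                       "tgt": tgt.lower(), "detail": detail})
    return events


def behavioural_alerts(events):
    """Alert when a script host spawned by a mail client loads a DLL from a
    user-writable temp path and then creates a thread in another process."""
    state = {}      # script host -> what we have seen it do so far
    alerts = []
    for e in events:
        if e["kind"] == "ProcessCreate" and e["src"] in MAIL_CLIENTS and e["tgt"] in SCRIPT_HOSTS:
            state[e["tgt"]] = {"parent": e["src"], "script": e["detail"], "temp_dll": None}
        elif e["kind"] == "ImageLoad" and e["src"] in state and "\\temp\\" in e["detail"].lower():
            state[e["src"]]["temp_dll"] = e["detail"]
        elif e["kind"] == "RemoteThread" and e["src"] in state and state[e["src"]]["temp_dll"]:
            alerts.append({"ts": e["ts"], "host": e["src"], "target": e["tgt"],
                           "chain": state[e["src"]]})
    return alerts


if __name__ == "__main__":
    print("per-file:", per_file_verdicts(ARCHIVE))
    print("archive :", archive_verdict(ARCHIVE))
    for a in behavioural_alerts(parse_events(SAMPLE_EVENTS)):
        print(f"{a['ts']} {a['host']} -> {a['target']} via {a['chain']['temp_dll']}")
```

The behavioural rule never looks at file contents at all, which is why the split-and-inject trick does not help against it: the sequence of actions is the same no matter how the bytes are packaged.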
Scam of the Week: The Evil Airline Phishing Attack
Our friends at Barracuda run their Email Threat Scanner over hundreds of thousands of customer mailboxes and discovered a highly effective phishing attack that tricks a whopping 90% of the victims. You need to tell your users about this right away.
The campaign targets companies that deal with frequent shipping of goods or employee travel, for instance logistics, shipping, or manufacturing, but almost any organization has people that frequently visit customers or business partners.
The phishing attack targets these employees, and the attackers do quite a bit of research before sending the phishing emails. The messages are constructed with subject lines and bodies that include destinations, airlines, and other details that are specific to each victim, helping them appear more authentic. Here is an example subject line:
Fwd: United Airlines: Confirmation – Flight to Tokyo – $3,543.30
“After getting the employee to open the email, the second tool employed by the attacker is an advanced persistent threat embedded in an email attachment. The attachment, usually a flight confirmation or receipt, is typically formatted as a PDF or DOCX document. In this attack, the malware will be executed upon the opening of the document,” Asaf Cidon, vice president of content security services at Barracuda, said in a post explaining the attacks.
To start with, send this to all employees, no matter if they travel or not. Feel free to copy/paste/edit:
There is a new spin on an existing phishing scam you need to be aware of. Bad guys are doing research on you personally using social media and find out where and when you (might) travel for business. Next, they craft an email especially for you with an airline reservation or receipt that looks just like the real thing, sent with a spoofed “From” email address that also looks legit.
Sometimes, they even have links in this email that go to a website that looks identical to the real airline, but is fake. They try to do two things: 1) try to steal your company username and password, and 2) try to trick you into opening the attachment which could be a PDF or DOCX. If you click on the link or open the attachment, your workstation will possibly get infected with malware that allows the bad guys to hack into our network.
Remember, if you want to check any airline reservations or flight status, open your browser and type the website name in the address bar or use a bookmark that you yourself set earlier. Do not click on links in emails to go to websites. And as always… Think before You Click!
What To Do About It
Barracuda recommends the following. (Here at KnowBe4 we call it defense-in-depth but it is the same concept):
“Companies should use a multi-layered security approach to block this type of attack.
- The first layer is sandboxing. Effective sandboxing and advanced persistent threat prevention should be able to block malware before it ever reaches the corporate mail server.
- The second layer is anti-phishing protection. Advanced phishing engines with Link Protection look for links to websites that contain malicious code. Links to these compromised websites are blocked, even if those links are buried within the contents of a document.
- The third layer is employee training and awareness. Regular training and testing of your employees will increase their awareness and help them catch targeted attacks without compromising your internal network.”
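The checks the employee notice and the second Barracuda layer describe (a spoofed "From" that borrows a brand name, links whose visible text and real destination differ, a document attachment that should be detonated rather than trusted), as an added mail-triage example that is neither Barracuda's nor KnowBe4's code. The two sample messages, the brand allowlist and the verdict thresholds are constructed; a real deployment would keep an allowlist of the airline, courier and supplier domains its staff actually deal with.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: brand keyword -> domains the brand really sends from.
BRAND_DOMAINS = {"united": {"united.com"}}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".rtf"}

ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
URLISH_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)

# Constructed lure modelled on the subject line quoted in the article.
SAMPLE_EMAIL = """\
From: "United Airlines" <reservations@united-airlines-confirm.test>
To: traveller@example-corp.test
Subject: Fwd: United Airlines: Confirmation - Flight to Tokyo - $3,543.30
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>Itinerary: <a href="http://united-airlines-confirm.test/login">https://www.united.com/confirm</a></body></html>
--b1
Content-Type: application/pdf; name="Confirmation.pdf"
Content-Disposition: attachment; filename="Confirmation.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed legitimate message for comparison.
BENIGN_EMAIL = """\
From: "United Airlines" <noreply@united.com>
To: traveller@example-corp.test
Subject: Your flight is on time
Content-Type: text/plain

Flight status: on time. Check details at https://www.united.com in your browser.
"""


def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the lookalikes shown here."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def brands_in(text):
    low = text.lower()
    return [b for b in BRAND_DOMAINS if b in low]


def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name claims a brand the sending domain does not belong to.
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""
    for brand in brands_in(name + " " + sender_domain):
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(("sender-lookalike", f"'{name}' <{addr}>"))

    for part in msg.walk():
        # 2. Links whose visible text points somewhere other than the href.
        if part.get_content_type() == "text/html":
            for href, inner in ANCHOR_RE.findall(part.get_content()):
                href_host = registrable(urlparse(href).hostname or "")
                text = TAG_RE.sub("", inner).strip()
                if URLISH_RE.match(text):
                    shown = urlparse(text if "://" in text else "http://" + text).hostname
                    if shown and registrable(shown) != href_host:
                        findings.append(("link-mismatch", f"{text} -> {href}"))
                for brand in brands_in(href_host):
                    if href_host not in BRAND_DOMAINS[brand]:
                        findings.append(("link-lookalike", href))
        # 3. Document attachments: sandbox before delivery rather than trust.
        if part.get_content_disposition() == "attachment":
            fname = part.get_filename() or ""
            ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
            if ext in DOCUMENT_EXTS:
                findings.append(("document-attachment", fname))

    kinds = {k for k, _ in findings}
    if {"sender-lookalike", "link-lookalike"} & kinds:
        verdict = "quarantine"
    elif findings:
        verdict = "sandbox"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for raw in (SAMPLE_EMAIL, BENIGN_EMAIL):
        print(triage(raw))
```

The `registrable` helper is deliberately naive (it treats the last two labels as the owner); production code would use a public-suffix list, but the lookalike pattern here, a brand name buried in an unrelated domain, is caught either way.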
We could not agree more.
If you want to spend less time putting out fires, get more time to be proactive, and get the things done you know need to be done, step your employees through effective security awareness training. It will help you prevent compromises like this or at least make it much harder for the bad guys to social engineer your users. More than 9,000 of your peers are using KnowBe4. Find out how affordable this is for your organization.
Contact us for more information.
Phishing Your Employees for Schooling & Security
Dark Reading – Corey Nachreiner, March 22, 2017
Your education program isn’t complete until you test your users with fake phishing emails.
Imagine this fictional scenario: A student, hoping to become a surgeon, attends hours of medical courses. She never misses a class, always listens, and takes copious notes. Finally, after receiving the years of training necessary, the student receives her medical degree having never taken a test. Would you let this surgeon operate on you?
I sure hope not! Testing is a crucial part of any form of education, for both teachers and students.
That’s why I believe your phishing education program isn’t complete until you phish your own company’s tank. By that, I mean sending fake (but realistic) phishing emails to all your users to see if they fall for them. There are plenty of tools and services that can do this for you. To me, this is the real test of your phishing and user awareness security training.
I’m assuming those of you reading this already have a security education program that includes a phishing curriculum. Some information security experts don’t believe user education works. I’m not one of them. There’s significant evidence that the right kind of education does work. In fact, for phishing specifically, the Ponemon Institute found that user education had a staggering 50x return on investment. If you aren’t already educating your users through training, that number alone should convince you to start. So, let’s talk about how you can improve your general security education program, and why phishing your users is such a valuable piece of the puzzle.
- Practical tests are the best measure of understanding. Most security awareness training I’ve seen ends with a basic multiple choice test. These tests are only a partial measurement of whether or not the pupil can put that knowledge to use in the real world. Take a driving test, for instance. Sure, there’s a written test, but you wouldn’t allow a teenager on the road until after he passed the practical one, too.
- Practical assessment can reveal training gaps. By sending fake phishing emails, you can learn which ones your users fell for most often. Was there a certain type of email that contained a certain “lure” that tricked your employees? Perhaps that might be a missing piece you can add to your next phishing training, or a concept you haven’t covered in enough detail.
- They help employees recognize their own level of understanding. Your fake phishing emails should immediately inform the user when they clicked on a bad link. The goal isn’t to shame the user — that’s detrimental to education. Rather, the goal is to let the user know they missed something, so they realize that they have a gap in their practical understanding, and don’t overestimate their preparedness.
- They provide another training opportunity. The best training involves repetition. Besides informing a student they’ve made a mistake, fake phishing emails allow you to immediately share training with the user that specifically addresses the mistake they just made. For instance, say a user clicked a link that obviously went to a domain having nothing to do with the email. After informing the user of their mistake, your phishing link could forward the user to a training page specifically telling them what to look for in URLs. In fact, these fake phishing exercises provide an easy way to regularly reintroduce training materials to your users (at least the ones making mistakes), without having to repeat a training course.
- Practical tests are more likely to change behaviors. The true measure of security education is if its recipients change their bad behaviors. One reason some security pundits complain that training is ineffective is because of a certain type of user that knows the right behavior but continues to do the wrong one when it’s easier. Failing these internal phishing tests regularly should eventually get even the most stubborn users to change their behavior, simply because they know their boss might be watching.
- They help you measure the actual value of your training. I believe that security training is effective, but not all training is equal. Phishing your own tank measures your training’s efficacy. Send out fake phishing emails before your trainings and record the results. Then send similar emails out after the training and compare the results. Give your organization at least two cycles of training to really understand the long-term trends. (Education takes some time!) However, if you aren’t seeing a change in behavior, then perhaps you should cancel that particular training course and identify one that works better. In any case, you’re not going to be able to calculate this risk vs. efficacy vs. cost equation unless you actually measure how well your users do against phishing emails — and the only way to do that is to phish your company’s tank.
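The measurement the last two points call for, as an added example that is not the author's or any vendor's code: click rates per cycle and per lure from a simulated campaign, a two-proportion z-test to check that the drop between the pre-training and post-training sends is more than noise, and the list of users who clicked in every cycle and should be routed to the follow-up training described above. The 40-user campaign data, lure names and 16-to-6 click counts are constructed.

```python
import math
from collections import defaultdict

LURES = ["invoice", "password-reset", "shipping-notice"]


def constructed_results():
    """Constructed campaign data: 40 users, one pre-training and one
    post-training send each; clicks fall from 16/40 to 6/40."""
    rows = []
    for i in range(40):
        user = f"user{i:02d}"
        lure = LURES[i % len(LURES)]
        rows.append({"cycle": "pre", "user": user, "lure": lure, "clicked": i < 16})
        rows.append({"cycle": "post", "user": user, "lure": lure, "clicked": i < 6})
    return rows


def click_rates(rows):
    """Click rate keyed by (cycle,) and by (cycle, lure)."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for r in rows:
        for key in ((r["cycle"],), (r["cycle"], r["lure"])):
            sent[key] += 1
            clicked[key] += int(r["clicked"])
    return {key: {"sent": sent[key], "clicked": clicked[key],
                  "rate": clicked[key] / sent[key]} for key in sent}


def two_proportion_test(c1, n1, c2, n2):
    """Pooled two-proportion z-test; returns (z, two-sided p-value)."""
    p1, p2 = c1 / n1, c2 / n2
    pooled = (c1 + c2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:                      # nobody or everybody clicked in both
        return 0.0, 1.0
    z = (p1 - p2) / se
    return z, math.erfc(abs(z) / math.sqrt(2))


def repeat_clickers(rows):
    """Users who clicked in every cycle: candidates for targeted retraining."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r["clicked"])
    return sorted(u for u, hits in by_user.items() if len(hits) > 1 and all(hits))


def campaign_summary(rows):
    rates = click_rates(rows)
    pre, post = rates[("pre",)], rates[("post",)]
    z, p = two_proportion_test(pre["clicked"], pre["sent"], post["clicked"], post["sent"])
    return {
        "pre_rate": pre["rate"],
        "post_rate": post["rate"],
        "z": z,
        "p_value": p,
        "significant": p < 0.05,
        # the lure that worked best before training is the gap to teach next
        "worst_lure_pre": max(LURES, key=lambda l: rates[("pre", l)]["rate"]),
        "repeat_clickers": repeat_clickers(rows),
    }


if __name__ == "__main__":
    s = campaign_summary(constructed_results())
    print(f"pre {s['pre_rate']:.0%} -> post {s['post_rate']:.0%}, "
          f"z={s['z']:.2f}, p={s['p_value']:.3f}, significant={s['significant']}")
    print("worst lure before training:", s["worst_lure_pre"])
    print("repeat clickers:", s["repeat_clickers"])
```

With 40 users a drop from 40% to 15% is significant at the 5% level, but a single cycle is still thin evidence; the author's advice to run at least two cycles is what lets the same test distinguish a real trend from a lucky send.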
Contact us for more information on security training.