Search This Blog

Wednesday, May 29, 2013

WindowSecurity.com - Monthly Newsletter - May 2013

WindowSecurity.com - Monthly Newsletter - May 2013

Hi Security World,

Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com

******* EDITOR'S CORNER

* Latest Attack Trend: 'Persistent Spear Phishing'

DarkReading had an article a few weeks ago: 'How Hackers Fool Your Employees'
that was very interesting to read. What caught my eye were two quotes from
thought leaders in our security training space: Lance Spitzner from SANS and
Rohyt Belani from PhishMe.

Lance Spitzner, training director for the Securing The Human Program at SANS
Institute said: "Computers store, process and transfer information, and people
store, process and transfer information," he says. "They're another endpoint.
But instead of buffer overflows, people suffer from insecure behaviors."

Rohyt Belani, CEO of security training firm PhishMe observed something
interesting. He said: "Conversational phishing is the latest attack trend.
The victim gets multiple emails that make it look like there's a human on
the other end and that it's part of an email thread,". The attacker knows
enough about the victim and his interests to convince him that, say, they
had met at a busy convention such as RSA.

"From there, the attacker tells the victim about a blog post that he'd surely
be interested in and attaches an infected version. The attacker even sends a
follow-up message asking the user if he had a chance to look at the blog.
"Now you're subconsciously convinced that it's a real human being so you
open that document," Belani says. "The bad guys have been doing that for
at least the last six months."

That's why I call it 'PSP' for Persistent Spear Phishing but the concept is
clear. It's ultimately a human attacking a human via the Internet, either
through a single email or a logical sequence of emails that can easily be
automated. Here is the whole article, which ends with two VERY interesting
graphs you should definitely check out!
http://www.darkreading.com/end-user/how-hackers-fool-your-employees/240152770?

I also created a page at Wikipedia for this new term, and you are welcome to go there and improve upon my first attempt to describe it:
http://en.wikipedia.org/wiki/Persistent_Spear_Phishing
--------------------------

* Why Bring Your Own Device (BYOD) Needs Your Attention

We are in the middle of the biggest computer revolution since the PC; the
explosive number of devices is descending on corporates. In some cases the
personal devices can outnumber the corporate devices. This article will
cover strategies that should be considered when securing your company:
http://www.windowsecurity.com/articles-tutorials/Mobile_Device_Security/why-bring-your-own-device-byod-needs-your-attention.html
---------------------------

* Quotes Of The Month:

"Success is not final, failure is not fatal: it is the courage to continue
that counts." - Winston Churchill

"Things which matter most must never be at the mercy of things which matter
least." - Johann Wolfgang von Goethe

"97% of the statistics found on the Internet are untrue" - Abraham Lincoln

Warm regards,

Stu Sjouwerman
Editor, WindowSecurity News
Email me at feedback@windowsecurity.com
==================================================================

**** SECURITY DETAIL

* Verizon 2013 Data Breach Investigations Report

This is some pretty well researched data and you should check it out.
It clearly shows the increasing prevalence of phishing attacks (due to
increased espionage attacks primarily) which you could definitely use
as ammo to get budget. There are lot of other nuggets, like the fact
that 66% of breaches aren't discovered for months. Just tons of data.
There is the full report plus a nice exec summary. Here is the PDF:
http://www.verizonenterprise.com/resources/reports/es_data-breach-investigations-report-2013_en_xg.pdf
---------------------

* Four Ways To Defeat APT

Advanced Persistent Threats (APT) are essentially industrial espionage
by nation-states. Several of these APT's are supported by their military
(like China and Iran) and go after both civilian and military targets.
APT really is a team of skilled hackers that have been given a target
like AIRBUS and work day and night to penetrate that account.

Obviously cyber-espionage can be used for two things: 1) Exfiltrate
intellectual property for competitive purposes, 2) Discover weak spots
in a nation's critical infrastructure and use these for cyberwar (disruption).

This is the 30,000 feet perspective of what needs to be done. First
you need to filter ingress, but also filter egress at the same time,
then you analyze your network for hacker intrusions, and last but not
least, you need to step your users through security awareness training.
The filtering can be done with existing software layers. The analysis
is a job for died-in-the-wool security researchers that dig into all
your log files, the registry and other data. You know where to go for
the training.
----------------------------

* FAQ: Phishing Tactics And How Attackers Get Away With It

Network World reported: "Phishing attacks on enterprises can be
calamitous in terms of compromised networks or damaged brand names,
and the Anti-Phishing Working Group (APWG), which aggregates and
analyzes phishing trends data worldwide, offers some of the best
insight from industry into what's occurring globally in terms of
this cybercrime. The following list of frequently asked questions
about phishing is derived from the APWG's April report that covers
the period July-December 2012 worldwide:
http://www.networkworld.com/news/2013/042913-apwg-269219.html?

======================================================================

***** SECURETOOL BOX

Free Service: Email Exposure Check. Find out which addresses of your
organization are exposed on the Internet and are a phish-attack target:
http://www.knowbe4.com/eec/

Frustrated with gullible end-users causing malware infections? Find out
who the culprits are in 10 minutes. Do this Free Phishing Security Test
on your users:
http://www.knowbe4.com/phishing-security-test/

======================================================================

****** VIEWPOINT â€" YOUR TAKE

Write me! This is the spot for your take on things. Let me know what you think
about Security, tools, and things that need to be improved.
Email me at feedback@windowsecurity.com

======================================================================

****** SECOPS: WHAT YOU NEED TO KNOW

* Do This Phishing IQ Test!

Did you know that SonicWall has an interesting Phishing IQ test on their
website? It's a few years old but actually fun and interesting to do. You
get a series of 10 emails and you need to indicate if it is a phishing
attack or if it's legit. Go ahead and test if you get them all correct.
At the end they have an explanation for each why it's either a scam or
legit. Here you go and have fun!:
http://www.sonicwall.com/furl/phishing/
---------------------

* Fraud-as-a-service Goes Mainstream

Researchers at RSA stumbled upon a Facebook page that had been up for
several months, and was marketing the Zeus banking Trojan. This is something
new as up to now, this type of marketing was limited to the 'darknet'
criminal underground. The Facebook page has been taken down but Trojans
being sold out in the open with 'hints and tips' on how to steal credit
cards shows that cybercrime is going mainstream. RSA's Limor Kessem said:
"Social networks are such a great place for malware infections and phishing,
why not just market the botnet directly from there?" Full article over at
BankInfoSecurity:
http://www.bankinfosecurity.com/facebook-used-to-market-banking-trojans-a-5714?
-------------------------

* Why We Need Security Awareness Training Programs

I found a great article by Kai Roer, Senior Partner at the Roer Group
in Norway.

"Lately, some of the smartest people in Infosec decided that security
awareness trainings are a waste of time. Last out is Bruce Schneier,
who decided to speak up against awareness training.

"The claim that security awareness trainings are not working is, in
my opinion, a claim based on wrong assumptions. It also shows a clear
lack of understanding of the inner workings of the human mind, and a
total lack of respect for your co-workers.

"If all you focus on is technology, code and cryptology, and you have
very little real interaction with people, I can understand where you
are coming from. It takes more than code to decrypt the subtleness
of human interaction." He continues with a clear cut case for training
that I think you will enjoy:
http://www.net-security.org/article.php?id=1833&p=1

======================================================================

****** HACKERS’ HAVEN

* 10 Classic Hacking, Phishing And Social Engineering Lies

Whether it is on the phone, online or in person, here are ten lies hackers,
phishers and social engineers will tell you to get what they want. It
might be an idea to send this link to your employees and let them step
through these reminders as they are still used every day:
http://www.csoonline.com/slideshow/detail/91543/9-classic-hacking--phishing-and-social-engineering-lies?
---------------------

* Yahoo Warns: "Your Small Business May Have Already Been Hacked"

Veteran IT reporter Dan Tynan has a very popular Yahoo SMB column. He
interviewed me and I was quoted in his April 25 article about hacking.
There is a lot of good ammo in there if you need (to increase) IT
security budget: "While attacks on large enterprises have declined
slightly over the last year, threats to SMBs have risen sharply. Cyber
attacks targeting businesses with 250 employees or less doubled in
the first six months of last year, according to Symantec. The average
loss per attack: more than $188,000."

"One of the biggest fallacies about small-to-medium businesses is that
they're too small to be noticed by hackers,� he says. “That's simply
not the case.� In fact, for SMBs the opposite is true. Here is the article:
http://smallbusiness.yahoo.com/advisor/warning--your-small-business-may-have-already-been-hacked-183345805.html
---------------------

* Watch Out For Waterhole Attacks -- Hackers' Latest Stealth Weapon

It's time to learn about waterhole attacks, where sites with tailored
malware await visits by certain companies' employees. The bane of the
computer security world is how long it takes to recognize and respond
to new attack paradigms. Name a major threat -- the boot virus, macro
virus, email attachment, or Web JavaScript redirect -- and it seems to
take years to respond adequately. So here's an early warning: Waterholes
should be on your radar!
http://www.infoworld.com/d/security/watch-out-waterhole-attacks-hackers-latest-stealth-weapon-218716?

======================================================================

***** FAVE LINKS & COOL SITES

---
* This Week's Links We Like. Tips, Hints And Fun Stuff.

In a battle of speed and wits Leonard Nimoy takes on newbie Zachary Quinto and his all-new Audi S7:
http://www.flixxy.com/spock-vs-spock-audi-s7-clip-with-zachary-quinto-and-leonard-nimoy.htm

What do you know about Holland? Picturesque canals? Windmills? Master paintings from the Golden Age? Holland has it all! But there is more that's really cool about Holland .... here is how you market a whole -country-, fun too:
http://www.flixxy.com/whats-really-cool-about-holland.htm

Find out why the all-electric Tesla Model S outscores every other car in Consumer Reports ratings:
http://www.flixxy.com/best-performing-car-ever-consumer-reports-tesla-model-s.htm

The devious art of cell tower camouflage. When is a tree not really a tree? When it's a wireless tower:
http://www.networkworld.com/slideshow/101594/the-devious-art-of-cell-tower-camouflage.html?

Consumer Federation of America has a cool public service announcement regarding online fraud. Fun to watch, send it to your users!:
http://youtu.be/VFsu1cWj4BM

It's no longer sci-fi. Killer energy beams are now reality. ADAM High Energy Laser Destroys Qassam-like Rocket Target:
http://youtu.be/kgUnDeED9MM

Terrafugia Already Planning Second Flying Car. I want one:
http://www.motorauthority.com/news/1084006_terrafugia-already-planning-second-flying-car?fbfanpage

We hired 3 more people here at KnowBe4, the office is getting full!:
http://blog.knowbe4.com/bid/279785/We-hired-3-more-people-the-office-is-getting-full



WindowSecurity.com Sections
-----------------------------------------------------------------
- Articles & Tutorials (http://www.windowsecurity.com/articles-tutorials/)
- Products (http://www.windowsecurity.com/software/)
- Reviews (http://www.windowsecurity.com/articles-tutorials/Product_Reviews/)
- Free Tools (http://www.windowsecurity.com/software/Free-Tools/)
- Blogs (http://www.windowsecurity.com/blogs/)
- Forums (http://forums.windowsecurity.com/)
- White Papers (http://www.windowsecurity.com/white-papers/)
- Contact Us (http://www.windowsecurity.com/pages/contact-us.html)



Techgenix Sites
-----------------------------------------------------------------
- MSExchange.org (http://www.msexchange.org/)
- WindowsNetworking.com (http://www.windowsnetworking.com/)
- VirtualizationAdmin.com (http://www.virtualizationadmin.com/)
- ISAserver.org (http://www.isaserver.org/)
- MSPanswers.com (http://www.mspanswers.com/)
- WServerNews.com (http://www.wservernews.com/)


--
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
WindowSecurity.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@WindowSecurity.com
Copyright WindowSecurity.com 2013. All rights reserved.

No comments: