Do You Evaluate Your Security Controls?

Tony Mason | Breach & Attack Simulation, Enterprise Security

How Secure Is Your Security Posture?

With many now working from home and businesses changing, are you sure your security controls are robust enough? When checking your security posture, be sure to ask the right questions.

The only way you can really see if your security controls are working effectively is to test them.  There are many tools available to do this.  However, you need to decide what you specifically want to know and how the findings are relevant to you at the moment. After that, you can choose the best tool for the job.

Typically, security teams use various testing tools to evaluate their infrastructure. According to SANS, 69.9% of security teams use vendor-provided testing tools, 60.2% use pen-testing tools, and 59.7% use homegrown tools and scripts.

Pen Testing

Vendor-provided tools test a specific security solution, whereas pen testing is often used to check that controls meet compliance requirements, e.g. PCI DSS regulations. Automated pen tests are good at showing you whether an attacker can get in, highlighting the vulnerable pathways. However, they don’t always cover the entire kill chain.

They can imitate many threat actor techniques and even different payloads.  However, they typically don’t copy and fully automate the full Tactics, Techniques, and Procedures (TTPs) of a real threat actor.

Also, it is difficult to get consistent data from automated pen tests.  This is because they rely on skilled human pen testers, who typically have varying levels of expertise. 

Added to this, the sheer variety of pen-testing tools and different approaches can really complicate testing. An example of this can be seen with different attack vectors requiring different testing tools. These tools also tend to be weak at recognising vulnerabilities in business logic, which can skew results.

Pen testing is costly and requires a significant amount of advance planning. This means testing can often be restricted to only annually or half yearly. In addition, organisations can still be slow to respond accurately to immediate threats even with automated pen tests.  This is because pen-testing takes time to scope, conduct, and analyse. 

The SANS poll found that most respondents test their controls quarterly at best.

However, as we know, the real-world threat landscape is evolving every day. This means cyber criminals have lots of time to exploit any gaps or weaknesses in between each pen test.

Security Questions To Ask

According to Cymulate, if you want visibility into the effectiveness of security controls – right here, right now – you’ll have additional questions that pen testing cannot easily answer:

  • Are your controls working as they are supposed to work, and as you expect?
  • Are interdependent controls correctly generating and delivering the right data? For example, are your web gateway, firewall, and behaviour-based tools correctly alerting the SIEM when they detect suspicious activity?
  • Have configurations drifted over time or been set incorrectly? For instance, are controls actively detecting threats, or were they left in monitoring mode?
  • If you have rolled out new technology or settings, how have they affected your security posture?
  • Are controls able to defend against the newest threats and variants?
  • Does your security defend against the latest stealth techniques, such as living off the land (LOTL) fileless attacks by sophisticated attackers?
  • Do you have visibility into security outcomes that require both human processes and technology?
  • Is your blue team able to identify and respond effectively to alerts?

Breach and Attack Simulation (BAS) Tools

Automated Breach and Attack Simulation (BAS) tools enable you to answer these questions.

BAS complements point-in-time testing to continually challenge, measure, and optimise the effectiveness of security controls. BAS is automated, allowing you to test as needed, and the best solutions assess controls based on the latest malware strains and threat actor TTPs—without having to assemble teams of security experts.

Organisations are using BAS to:

  • Simulate attacks without jeopardising production environments
  • Simulate attacks across the full kill chain against all threats, including the latest attacker TTPs
  • Test continuously with the flexibility to target specific vectors, infrastructure, and internal teams for awareness against the latest threats
  • Automate simulations for repeatability and consistency
  • Conduct testing at any time interval—hourly, daily, weekly, or ad hoc with results in minutes
  • Identify gaps and evaluate controls against the MITRE ATT&CK framework
  • Remediate security posture and the company’s exposure using actionable insights

As the threat landscape changes daily and the attackers continue to up their game, you and your executive team need assurance that controls across the kill chain are indeed delivering the protection you need – every day, every hour, or every moment.

Cymulate, Breach & Attack Simulation (BAS)

For a growing number of organisations, BAS is delivering the continuous security control and cyber risk assessment data needed to achieve that goal.

Cymulate is a Breach and Attack Simulation (BAS) platform that lets you protect your organisation at the click of a button. Operating thousands of attack strategies, Cymulate shows you exactly where you’re exposed, and how to fix it.

During the Coronavirus pandemic, our security controls are more vulnerable: much of our workforce is working from home, over home VPNs, and with more distractions.

To help, Cymulate are currently offering 60 days Free use of their license, no strings attached.  Please get in touch to take advantage of this offer and test your security now.  It may bring up some surprises, but better earlier rather than later.

Tel: 01628 362 784  Email: sales@s3-uk.com

Should you phish test during the COVID-19 pandemic?

Tony Mason | Security Awareness & Phishing

Phishing Templates

Perry Carpenter, KnowBe4 Chief Evangelist and Strategy Officer discusses the phishing dilemma, ‘Should you phish test users or not during the Covid-19 pandemic?’. 

There’s no question, these are challenging times. Employees and organisations around the world are doing their best to keep everyone safe. Plus we are settling in to a new normal for accomplishing work from home. Tensions are high. Fear and uncertainty abound. No one wants to add more stress to an already stressful situation.

Over the past week or so, I’ve seen a few social media postings and had a few discussions with people who believe that organisations should not phish test users during this time. They feel that the best way to practice “socially responsible awareness training” is to provide simple information-based awareness training and abstain from phish testing. Thoughts like this may be well-intended; but I believe that they are wrong. Here’s why:

Cybercriminals are ramping-up their real attacks right now. This brand-new graph shows the exponential growth of new COVID-19 malicious phishing templates:

The Growth & Development of COVID19 Phishing Templates

So, it is super-important to keep our end-users on their toes. In fact, because cybercriminals are in a COVID-19 feeding frenzy, I’ll be bold enough to say that *not* conducting phishing training during this time amounts to negligence. Cybercriminals prey on stress, distraction, urgency, curiosity, and fear. Not only that, they are also bringing that full force against your end-users and your organisation.

That being said, I totally understand where people are coming from when they feel hesitant to phish test users during this COVID-19 pandemic. Organisations don’t want to add additional stress to their people. They are afraid that they may make employees feel confused or alienated. Totally understandable… and totally addressable. The key factors: your tone and your process.

Tone

I’ll address tone first because I believe it is the single most important piece to getting this right. I’ve outlined the critical importance of tone before on webinars, in conference sessions, and in my book. But, because tone is so much easier to feel than to describe, I’ll use a video example.

This is from a COVID-19 awareness project that I kicked-off with.  It is designed specifically to help security awareness leaders conduct critical phish testing in a way that feels caring and compassionate. Have a look and hopefully you’ll get a feel for what I mean. This is a pre-campaign message for customers to send to their end-users:

There are a few key aspects that resonate through the videos in this series. In essence, those come down to:

  • Open with compassion and understanding: Things are new and different. We get it.
  • Explain the situation: The COVID-19 situation opens-up new work from home risks and cybercriminals are taking advantage of it.
  • Outline our responsibility: As a result, we all need to be more vigilant.
  • Say what we are doing: One of the ways we plan to do that is to send out simulated phishing tests.
  • Describe the intended outcome: The intent isn’t to trick anyone, shame anyone, or so on. It is to help us build secure reflexes.
  • Provide advice and direction: Cybercriminals are relying on distraction, stress, and panic. So, anytime you see anything related to COVID-19 in your inbox, always evaluate it with a sense of scepticism. Report suspected phish.
  • Close with a sense of community: “Keep Calm and Don’t Click. We’re all in this together.”

Process

The other key factor that you need to think about is process. Because we’ve entered a ‘new normal,’ you should send out a fresh message to your users letting them know that cybercriminals are having a heyday with COVID-19. And because of this, you are going to help prepare your people for what’s coming.

In essence,  your process should be the following:

  • Warn your people about the scams: Provide timely information about how cybercriminals are using this stressful time to their advantage.
  • Tell them that you are going to help prepare them by sending COVID-19 and other simulations. If you are a KnowBe4 customer, you can use the pre-campaign video from the series I described above. If not, you can create your own message based on the formula that I outlined. Remember: tone is key!
  • Ramp up testing to increase vigilance
  • Consider using a failure landing page with a video that explains how cybercriminals are using COVID-19 right now to capitalise on the situation. This needs to be encouraging. If you are a KnowBe4 customer, you can use the post-click video from the series I described above. If not, you can create your own message based on the formula I outlined. A key message here is something like, “Oops, you clicked… Don’t worry, this wasn’t a real phishing email. You’re safe and our organisation is safe. But beware, cybercriminals are using all of the news, panic, and disorientation around COVID-19 as a way to trick people into clicking on malicious links, opening sketchy attachments, accidentally giving away login/password info, and more. Your job is to be super-sceptical of any email that evokes strong emotion (fear, urgency, and so on)… especially if the email is related to COVID-19.”
  • Reinforce vigilance with consistent encouraging messaging. (e.g. “Keep Calm and Don’t Click. We’re all in this together.”)

Conclusion

I hope this was helpful for you when deciding whether to phish test your users during this COVID-19 pandemic. To summarise, when you engage your employees with the right message and tone, there is nothing to fear. In fact, they will feel a sense of pride in helping protect the organisation. That’s all for now. “Keep Calm and Don’t Click. We’re all in this together.”

Finally, for KnowBe4 customers, we have a full campaign ready for you. It consists of a video for the KnowBe4 Platform Admin, one video to announce the campaign to your users, and a video that lives on the landing page after they clicked on your COVID simulated phishing test.

Call us on 01628 362 784 if you have any questions on how to set up this campaign and we will get you going.

Additionally, we also have coronavirus phishing and security awareness resources to help keep your network secure while users are working from home.

If you are not yet a KnowBe4 customer check out more information here or if you would like to preview the KnowBe4 Modstore click here.

Examples of COVID-19 Phishing Emails

Tony Mason | Security Awareness & Phishing

Coronavirus Phishing Emails

The Epidemic of COVID-19 Phishing Emails Rages On. KnowBe4 customers using their Phish Alert Button (PAB) continue to share an ever-growing variety of emails from bad actors looking to capitalise on the crisis.

There are some rather unusual social engineering schemes. KnowBe4 are offering up a selection of those emails. IT administrators and users can then see for themselves what these scams look like.

The Tried & True

Spoofs of authoritative sources of information continue to be the most common malicious virus-themed emails. The top three spoofed organisations remain:

The CDC (Centers for Disease Control)…

[Image: coronavirus_phish-7a]

The WHO (World Health Organisation)…

[Image: coronavirus_phish-13a]

HR:

[Image: coronavirus_phish-8a]

As with the earlier spoofs KnowBe4 reported, all three of these more recent emails lead to credentials phishes. The third (from HR) does take a bit of a novel approach. It instructs recipients to download an attachment billed as an informational poster/flyer for the walls. In reality, the alleged poster/flyer is just a standard credentials phish.

[Image: coronavirus_phish-8b]

It’s also worth pointing out that the second email above (the WHO spoof) spoofs not only the World Health Organisation but also Docusign (a frequent target of malicious spoofs). It is also delivered through Sendgrid, a well-known email service provider widely used by many companies.

Sadly, this isn’t the first time we’ve seen a malicious email campaign coming via what is almost certainly a compromised Sendgrid account. We also regularly encounter malicious emails phishing for Sendgrid account credentials. Indeed, malicious emails coming through Sendgrid are becoming more and more common. This is becoming a worrisome trend. Given that Sendgrid is likely whitelisted within many organisations, it’s worrying that emails are coming via that service to sail right through firewalls and email filtering straight into users’ inboxes.

The New & Novel

As we repeatedly advise, the bad guys are always innovating. They are always trying new approaches and experimenting with new social engineering schemes. Recently we’ve seen some rather striking and even unusual attempts to trick users into clicking through to malicious content. As we might expect, some of these newer social engineering schemes seem to work better than others.

As is currently being widely reported, malicious actors are now using a Coronavirus/COVID-19 dashboard, complete with a live map similar to the real thing built by folks at Johns Hopkins University, to lure users to sites that install malware of one sort or another.

This particular email spoofs HHS (the U.S. Department of Health & Human Services). It dangles a link to that malicious map application in front of users desperate for the latest information on the spread of the virus.

[Image: coronavirus_hhs_map-1]

Although governmental agencies and organisations are the preferred targets for spoofing in virus-themed phishing emails, private companies are targets as well.

In this malicious email the bad guys spoof the well-known health insurance giant Cigna. They hit users with a fake bill for “Coronavirus (COVID-19) insurance coverage.”

[Image: coronavirus_insurance-1]

One might well wonder whether this is a viable approach. We don’t know at this point. Despite the fact that many users will recognise the improbability of Cigna signing them up for insurance coverage against a pandemic without even bothering to ask, there could well be plenty of freaked-out users who will immediately click that Big Blue Button to find out just what the heck is going on. Some may even find such (fake) news welcome and comforting.

The Utterly Bizarre

And then there is this spoof of Air Canada, which…well, maybe you’d just better take a look for yourself.

[Image: coronavirus_aircanada-1a]

Well now. We’ve certainly seen Coronavirus survey emails before, both real and malicious (see KnowBe4’s second blog post from last week). This one, however, is off the charts. The malicious actors behind this spoof either: a) have an unusually warped and evil sense of humour; b) have it in for PR/Marketing at Air Canada (maybe the bad guys lost some frequent flyer points and weren’t too happy about it?); or c) are just completely clueless and tone deaf.

Whatever the case, we wouldn’t expect many users to fall for this last phish. Then again, there’s one in every crowd.

Conclusion

Good information and education remain the best disinfectants for malicious online schemes trailing in the wake of the Coronavirus itself. Unlike toilet paper, hand sanitisers, and medical masks, good information is not in short supply and not subject to panic buying at your local grocery store.

Our hope is that by letting concerned users actually see the COVID-19-themed phishing emails that the media is widely reporting they can make better, more informed choices about how to navigate the flood of information landing in their inboxes at this stressful moment.

While your users are working from home, they are more likely to be phish-prone. Try this Free Phishing Test to see how vulnerable your business is.

KnowBe4 Security Awareness Training & Simulated Phishing is well worth considering in the current climate, as home workers are more susceptible to phishing emails.

The Impact Of Coronavirus & How Security Testing Comes Into Play.

Tony Mason | Breach & Attack Simulation, Enterprise Security

Coronavirus Impact

The Coronavirus outbreak has caused a global panic. It has taken its toll on a number of major industries. Gily Netzer from Cymulate examines the impact it has left on the travel industry, supply chain and manufacturing, and on the world economy. She then advises how security testing comes into play. We need to make sure our security is ready.

Coronavirus Creating Worldwide Panic and Business Opportunities for Hackers

Amid the recent Coronavirus epidemic creating pandemonium worldwide, hackers have been exploiting the deadly outbreak to their advantage. They are disguising malicious emails as information about the virus, in a campaign aimed at Japan courtesy of the notorious Emotet gang.

The new campaign distributes Emotet payloads through emails that warn of the Coronavirus infection. Once the attachment is opened, the unsuspecting victim will then be directed to the familiar Office 365 document.  As a result, this will then allow the malware to install and infect the devices.

Another malicious email attack borrows the World Health Organisation as a “trusted source”.  They are trying to dupe victims into installing the AgentTesla Keylogger via a document attachment.  This is in an attempt to steal both personal and financial information.

Along with new phishing techniques comes other Coronavirus-related scams that have risen in the last couple of days amid the Coronavirus outbreak. One such scam recently circulating in the news was an online masks scam.   Sadly this tricked 3,000 people in Hong Kong to purchase the masks but they never received them or heard back from the seller.

Unfortunately, the demand for masks has far exceeded production, causing a frenzy among concerned people in China and all across the continent. Since February 2020, there have been a reported 7,500 coronavirus-related fraud cases in China totalling over 192 million Yuan or $28 million.

Coronavirus Impact on the Global Supply Chain

Global supply chains have been feeling the impact of the outbreak. Supplies and raw materials are becoming scarce as workers go into quarantine. As a result international businesses are having to rethink their supply chain strategy.

Furthermore, Chinese manufacturers are suffering immense financial setbacks as their PMI dropped to 35.7 in February from 50 in January.  This is the lowest it has been since 2004. In addition, production has also come to a halt as more workers remain in quarantine.  

Health guidelines and travel restrictions have caused manufacturers and international retailers to shift their methods of transportation.  Consequently, they are having  to consider alternative routes to move materials and reach customers abroad, potentially costing millions in the process.

Some of the biggest names in the industry have been hit hard too. Titans such as Apple, Starbucks, Nike, Home Depot, and Microsoft have all begun cutting down on services and staff in China until the Coronavirus epidemic subsides.

The Financial Impact of the Coronavirus

Wall Street has felt the impact of the Coronavirus with substantial losses unseen in over a decade. Many investors have even speculated a global recession.  This could potentially be larger than the 2008 financial crisis which cost the U.S. economy trillions of dollars.

Fears of a widespread epidemic have left major market indexes such as NASDAQ, the S&P 500, FTSE, and the Dow Jones plunging by over 200 points a week ago and hitting new lows not seen since the 2008 recession.

The financial toll may rise even further as investors continue to panic and manufacturers cease production, at least for the foreseeable future.  

Coronavirus Impact on Travel

Not since 9/11 and the 2003 SARS outbreak has the travel industry been hit so hard. Cancelled flights and low tourism demand due to the Coronavirus outbreak could cost airlines over $30 billion as companies continue to limit business-related travel.  

Companies such as Google and Salesforce have taken safety precautions by suspending non-essential travel.  Others have been limiting on-site job interviews and asking employees not to bring any guests until things clear up.

Breach and Attack Simulation Runs Anywhere, 24/7

Quarantined? Don’t stop optimising your security posture. 

At a time when human interaction exposes us to infection and the world faces a global epidemic and slows down, hackers don’t.

They don’t need to be at the office to do their job. At a time like this, it’s good to know that continuous security testing can be performed remotely.

SaaS-based Breach and Attack Simulation can be done independently without the need to set up physical meetings or leave your house, if you are concerned about travelling. Even from the safety of your home, you can test and optimise your company’s network.

With just a few clicks, Cymulate challenges your security controls by initiating thousands of attack simulations, showing you exactly where you’re exposed and how to fix it, 24/7 and regardless of where you are, whether you’re working from the comfort of your living room, at a local café, or even while relaxing on the beach.

Test it for yourself today with a 14-day free trial. Give us a call to hear about this new Breach & Attack Simulation from Cymulate and check how secure your security really is. Contact us here.

Modern Cloud SIEM Solutions from Rapid7

Tony Mason | SIEM, Vulnerability Management & SIEM

As everything is moving to the cloud, Rapid7 explain why modern SIEM is in the cloud and what benefits you can expect from a cloud SIEM.

Modern cloud SIEM solutions enable three new use cases

In the past, SIEM has been most valuable around:

  • Correlation: Give me context, and help me investigate alarms triggered by my stack
  • Compliance: Help me prove that all access is logged, events are being tracked, and file integrity monitoring is in place

These use cases are foundationally valuable. However, getting to a successful deployment with traditional SIEMs requires a huge amount of up-front configuration, tuning, and ongoing maintenance. Historically, security teams had to spend more time tuning detection rules and filtering through the noise than acting on the outputs and progressing their security posture.

Cloud SIEM tools, like Rapid7 InsightIDR, are quickly gaining market share today. Security teams can now shed infrastructure and data management hats to focus on three key use cases:

Use case No. 1: Unify data (all of it!) with your cloud SIEM

Our networks now have important log and event data sprawled across hundreds of log sources, endpoints, cloud services and hosting platforms. As a supporting visual, here’s Rapid7’s data architecture diagram:

[Figure: Rapid7 Data Architecture Diagram]

Combined with alerts from your monitoring tools and prevention systems, all of this information should be able to flow into your SIEM for reporting and data visualisation. This is where many on-premises SIEM deployments ran into challenges, because hardware management, data parsing, and scaling require continuous grooming and feeding to perform effectively.

Therefore, if you’re considering cloud SIEM, ensure that it has support for your critical data sources such as cloud hosting. Also check that it will actually relieve you of management and maintenance burdens as your business scales. You should be able to start sending data for analytics within minutes of starting a trial or POC. You shouldn’t be waiting for an appliance shipment or professional services.

Be wary of cloud SIEMs that still require on-premises tuning and maintenance.

What’s next?

More native ingestion support for cloud hosting providers (e.g., Azure, AWS, and Google Cloud). Greater support for telemetry gathering from the endpoint. This enables more nuanced detections, investigations, and threat hunting. Endpoint data such as parent/child processes is essential to our MDR SOCs. These data collection and hunt capabilities will become more accessible to security teams of all sizes.

Use case No. 2: Proactive threat detection with your cloud SIEM solutions

Year after year, the Verizon Data Breach Investigations Report shows that the same attack vectors — phishing, malware, and stolen credentials — are being used successfully. Let’s say you need to detect malware. To identify modern threats, you need visibility into endpoint telemetry, such as PowerShell logs, which you may be able to access from your SIEM.

However, to investigate root cause and identify lateral movement, that information alone isn’t enough. Authentication tracking and user behaviour data is also needed to catch account takeover and the use of stolen credentials.

Modern cloud-based SIEMs should not only give you access to this information. They should also apply security analytics to this data to proactively flag compromise. Accurate threat detection is a bold promise.  However, as SIEM is the only technology with access to this disparate data, ensure the product has the analytics to expose the behaviours you want to see.

MITRE ATT&CK has gained massive traction as a quantitative framework to map out detection capabilities. A suggested approach is to identify gaps in your detection, then understand the data sources that would reveal malicious activity. Thereafter ensure your cloud SIEM either has appropriate out-of-the-box detections or the ability to build custom content.
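The gap-identification approach described above can be run over a rule inventory, as in this added example (not Rapid7's code or part of the original post). It checks each technique for a detection rule, whether that rule is enabled, and whether the data source it reads is actually ingested. The technique IDs are real ATT&CK identifiers; the data-source labels, rule names and inventory are constructed for illustration.

```python
"""Detection-gap check against MITRE ATT&CK (added example, constructed data)."""
from dataclasses import dataclass

# ATT&CK techniques matching the vectors named in the text (phishing,
# PowerShell-based malware, stolen credentials, brute forcing, lateral movement).
# The data-source labels are simplified names invented for this example.
TECHNIQUES = {
    "T1566": ("Phishing", {"email_gateway"}),
    "T1059.001": ("PowerShell", {"powershell_logs"}),
    "T1078": ("Valid Accounts", {"authentication_logs"}),
    "T1110": ("Brute Force", {"authentication_logs"}),
    "T1021": ("Remote Services", {"authentication_logs", "process_telemetry"}),
}


@dataclass(frozen=True)
class Rule:
    """One SIEM detection rule from a (constructed) rule inventory."""
    name: str
    technique: str        # ATT&CK technique ID the rule claims to detect
    needs: frozenset      # data sources the rule's logic reads
    enabled: bool = True  # False: the rule exists but does not alert


def assess(techniques, ingested, rules):
    """Return {technique_id: (status, detail)} for every technique.

    covered       - an enabled rule exists and all its data is ingested
    rule_blind    - enabled rules exist, but a source they read is not ingested
    rule_disabled - rules exist, none of them enabled
    no_rule       - nothing mapped; detail lists sources still to onboard
    """
    report = {}
    for tid, (_, sources) in techniques.items():
        mapped = [r for r in rules if r.technique == tid]
        active = [r for r in mapped if r.enabled]
        usable = [r for r in active if r.needs <= ingested]
        if usable:
            report[tid] = ("covered", [r.name for r in usable])
        elif active:
            absent = set().union(*(r.needs for r in active)) - ingested
            report[tid] = ("rule_blind", sorted(absent))
        elif mapped:
            report[tid] = ("rule_disabled", [r.name for r in mapped])
        else:
            report[tid] = ("no_rule", sorted(sources - ingested))
    return report


def gaps(report):
    """Technique IDs that would not raise an alert today."""
    return sorted(t for t, (status, _) in report.items() if status != "covered")


# Constructed inventory: what the SIEM ingests and which rules are deployed.
INGESTED = {"email_gateway", "authentication_logs"}
RULES = [
    Rule("Link to newly registered domain", "T1566", frozenset({"email_gateway"})),
    Rule("Encoded PowerShell command", "T1059.001", frozenset({"powershell_logs"})),
    Rule("Login from new country", "T1078",
         frozenset({"authentication_logs"}), enabled=False),
    Rule("Many failed logins for one account", "T1110",
         frozenset({"authentication_logs"})),
]

if __name__ == "__main__":
    result = assess(TECHNIQUES, INGESTED, RULES)
    for tid in sorted(result):
        status, detail = result[tid]
        print(f"{tid:<10} {TECHNIQUES[tid][0]:<16} {status:<14} {', '.join(detail)}")
    print("Gaps:", ", ".join(gaps(result)))
```

A `rule_blind` result is the case a rule count alone hides: the detection exists and is switched on, but the log source it depends on never reaches the SIEM.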

What’s next?

While many SIEM providers claim user behaviour analytics to detect anomalous behaviour, few have out-of-the-box content for known-bad attacker behaviours. Put them to the test by performing attack simulation or POCing around penetration tests.

Use case No. 3: Automate and respond with your cloud SIEM solutions

SIEM exists to give you the information and context you need in order to respond to and contain threats. This may involve booting an asset off the network, killing a process, or disabling a user account. User behaviour analytics (UBA) can reveal the relationships between IP address → asset → user accounts. Consequently, this allows you to make stronger decisions without hours of laborious investigation.

Cloud SIEM allows you to take investigation findings, such as machine-readable threat intelligence, and with security orchestration, automation and response (SOAR), apply that to your prevention and detection defences. By automating mundane and repetitive tasks, you can focus on high-value work such as threat hunting and attack simulation.  As a result, you can make proactive changes to strengthen your network based on investigation findings.

What’s next?

Automated workflows will become commonplace. Teams with high alert volumes today are using SOAR for phishing triage, alert enrichment, and to automate communications (e.g., to ticketing systems and ChatOps). This will allow threats that target users, such as phishing or Office 365 brute forcing, to be better defeated at scale.

Rapid7’s approach to SIEM has been cloud-native since its inception as a user behaviour analytics tool in 2013. Part of the Rapid7 Insight Cloud, InsightIDR Cloud SIEM can help you unify, detect, and respond to threats across your environment within hours, not months.

For more, check out here, or contact us to start your full-featured 30-day trial today.

sales@s3-uk.com

01628 362 784

Top 10 Fraud Alert Tips for Black Friday & Cyber Monday

Tony Mason | Data Protection, Security Awareness & Phishing


Black Friday attracts crowds, crowds attract scammers, and that means you need to take extra care when shopping online over the Black Friday and Cyber Monday weekend. Check out these Fraud Alert Tips to stay safe online throughout the festive season.

Top 10 Fraud Alert Tips for Black Friday from KnowBe4.

  1. Never click on links in emails. If you want to shop at a site, enter that site address in your browser. There are thousands of fake sites that look almost identical to the real thing. Don’t fall for evil-twin shopping sites.
  2. Don’t open attachments with special offers. It’s a classic scam. The offer should be in the email and you should be able to see it right away. 
  3. Watch for malicious ads and popups. Do not click on ads that sound too good to be true, and ignore popups that might propose the “best deal ever”. 
  4. Beware of e-skimmers. This is a new one. Do you know that bad guys sometimes skim your credit card at petrol stations or ATMs? Well, there is a new flavour of that: the shopping website you order from might be infected with an “e-skimmer” that steals your card data when you check out. You can prevent that by using PayPal or Amazon.
  5. Use a credit card to buy stuff online if possible. NEVER use a debit card to make online purchases but use that debit card to take out cash only.  
  6. Do not shop over a public Wi-Fi. You simply do not know if it’s secure and who is listening. Only shop using a secure, trusted network. If you have no other way to shop, use a VPN which encrypts your traffic.
  7. Be very careful when you see a free offer during the festive season. There is an explosion of all kinds of survey fraud and gift card scams. 
  8. Do not re-use any of your passwords. Instead, use a password manager to create hard-to-break passwords. Re-using any password is literally an invitation to get hacked. 
  9. Keep a close eye on your credit card and bank accounts. During this season, unexpected and strange charges might appear which could very well be the first sign your card or even your whole identity has been stolen. If you think you might have been scammed, stay calm and call your credit card company, cancel that card and get a new one.
  10. Be especially suspicious of gift card scams. They can be a perfect Christmas gift, but gift card scams are skyrocketing. Only buy gift cards from trusted sources.

Check out the insights that KnowBe4’s security awareness advocate, Javvad Malik, gave to Forbes.

So, especially at this time of year, do not let the bad guys exploit your festive spirit and use it against you.

Remember to stay alert when you shop online! Think Before You Click!

The Forrester Wave™: Vulnerability Risk Management, Q4 2019

Tony Mason
Vulnerability Management & SIEM

Rapid7 is named a leader, receiving the highest score possible in nine criteria for InsightVM, its vulnerability risk management tool.

Forrester Wave Vulnerability Risk Management

Forrester cites 14 key areas buyers should consider when evaluating VRM solutions. Rapid7’s own customers tell us that the following 5 capabilities are especially critical…

5 Capabilities Your Vulnerability Risk Management Solution Needs:

1 Visibility of your complete IT environment

Identify all of your externally facing, internet-connected assets, including those that may be undiscoverable with other tools. This helps you get a complete view of your risk. InsightVM received the highest possible scores for this capability in the Digital Footprinting criteria.

2 Extensibility & integration

Your VRM solution must enable integration, orchestration, and automation of the tools and processes across your stack. InsightVM also received the highest possible scores for its extensibility and Partner Ecosystem.

3 Reporting for the progress that matters most

Tracking the goals and metrics most relevant and impactful to your team is critical. It is just as important to communicate those milestones to peers and leadership. InsightVM is designed to track your progress and drive alignment across the organisation.

4 Simple pricing

Pricing and budgeting should be simple. InsightVM makes this easier with a price per asset model – no fine print needed.

5 Prioritisation for your business

Identify and prioritise risk with complete coverage of your environment and the addition of business criticality to assets. InsightVM also received the highest possible score in the criteria of Vulnerability Enumeration and Risk-Based Prioritisation.

What Else Should You Expect from Your VRM Vendor?

In addition to the key areas covered by the Forrester Wave, we’ve rounded up some additional considerations for vendor selection. Here are some we’ve heard from Rapid7 customers:

A unified security platform

As well as offering our full vulnerability risk management feature set for all InsightVM users, the Rapid7 Insight Cloud supports you across the entire security life cycle. In other words, it covers everything from prevention to detection and response.

Visibility across the organisation

Identifying and prioritising risk is table stakes, but proving the effectiveness of your program is key. Your solution should help you work in tandem with IT operations. It should also help you communicate, both within your team and to leadership, how you’ve tangibly reduced risk for your organisation.

Commitment to service and success

Rapid7 guarantees 99.95% uptime. On the off-chance that system availability drops, only Rapid7 offers up to a 100% service credit of the prorated monthly fee paid. Other vendors cap service credits at a mere 10% or less.

Demonstrable ROI

In an exclusive case study from Forrester, Rapid7 customers offer visibility into the ROI of their programs, including a significant decrease in incidents and spend when switching to Rapid7 from another VRM vendor.

See the full report here.

Rapid7 InsightVM

Vulnerability Management & Cloud Security

Tony Mason
Data Protection, Enterprise Security, Vulnerability Management & SIEM

Cloud Security for IaaS, SaaS and PaaS.
Cloud Security

Cloud Security is becoming a top priority. Infrastructure as a Service (IaaS) is now the fastest growing area of the cloud. This is due to the speed, cost and reliability with which organisations can create and deploy applications, according to McAfee’s latest report, ‘Cloud Native – Infrastructure as a Service Adoption & Risk Report’.

Unfortunately, the results of their survey show that 99% of IaaS misconfigurations go unnoticed. They also show that awareness around the most common entry point to new “Cloud-Native Breaches” (CNB) is extremely low.

Securing Data In The Cloud

The surge in adoption of cloud-based technologies and IaaS means many companies are overlooking the need for shared responsibility for the cloud. They are assuming that security is taken care of completely by the cloud provider. Above all, companies need to remember that the security of what they put in the cloud is their responsibility.

Rapid cloud adoption can put businesses and their sensitive data at risk. The speed of adoption means companies don’t yet have the correct tools in place nor the required visibility. Therefore, they need to add security tools that are cloud-native and purpose-built for cloud security. This will ensure they secure themselves against new Cloud-Native Breaches. Too often, security operations take a legacy approach to data security, one that predates the cloud and often the web. As a result, it is inadequate for securing your critical cloud data. We need to work on a more modern approach to security, designed from the ground up to protect cloud environments from the start.

Cloud-First Security Strategies

Fortunately, a recent survey by Enterprise Strategy Group (ESG) reveals that ‘cloud-first’ strategies are becoming more common, and they will need to become more so. 58% of respondents say they will have more than 40% of their data stored in the cloud within the next 2 years, and 45% said that will include their sensitive data.

According to McAfee, IaaS-based data loss incidents triggered by data loss prevention (DLP) rules have increased by 248 percent year-over-year.

However, despite this, 81% of respondents still said their on-premises data security practices are more mature than those they use to secure their data in the cloud. Worryingly, 50% said their company had already lost data that they store in the cloud.

Misconfigurations

On the other hand, if only 1% of misconfigurations are being reported, this means that it is likely that many organisations worldwide are leaking data but are unaware of it. In total, 90% of McAfee’s respondents said they had come across security issues with IaaS.  Unfortunately, only 26% said they were equipped to deal with misconfiguration audits. As a result, this lack of visibility into their cloud usage may be contributing to an increased data breach risk.  90% of respondents to the ESG report said they were worried about not having visibility into misconfigured cloud services, server workloads, network security or privileged accounts.

Even in the case of the 1%, it can take longer than 24 hours to correct reported misconfigurations. In some serious cases, it can take over a month to fix them.

IaaS Breaches

IaaS breaches don’t look like a normal malware attack. They use native features of the cloud infrastructure to land an attack. Next, they expand to other cloud instances and obtain your sensitive data. The majority of the time they manage to succeed by exploiting configuration errors in the way the cloud environment was initially set up.

Overall, security has now become more complicated with the various platforms. 43% of those surveyed by ESG reported that maintaining consistency across the different infrastructures of a hybrid, multi-cloud environment where cloud-native apps are deployed is the greatest challenge. 43% said that DevSecOps automation is the highest priority for cloud security. This could help address many of these concerns.

Full Visibility of the Risks

In summary, these research results show the need for security tools that help us keep up with IaaS-native issues, especially the ability to continuously audit IaaS deployments for initial misconfiguration and configuration drift over time.

Monthly scanning is no longer enough when modern networks change every minute. Rapid7 InsightVM is a tool that can help you with this process.  It is built for your move into cloud, virtual, and containerised environments.

Rapid7 InsightVM gives you live visibility into your cloud, containerised, virtual, and remote infrastructure, so you can confidently understand the risk of your entire ecosystem.

As we’ve seen, containers, cloud services, and virtual devices are often spun up and down without direct involvement from the security team. To avoid creating unseen gaps in your defences, InsightVM integrates directly with dynamic infrastructure to give full visibility into the risks posed by these assets. 

Its Liveboards are live dashboards that update as soon as InsightVM gets data, letting you track your network and risk as it changes. The result? (It’s a pretty important one.) You can be confident in keeping your network secure as it expands into the cloud and beyond.

See here for more details.

The 2018 Forrester Wave for VRM says Rapid7 “has already implemented what vulnerability management will look like in the future.”…

KnowBe4 – Security Threats & Trends Report – October 2019

Tony Mason
Security Awareness & Phishing

Executive Summary

The yearly, independent KnowBe4 2019 Security Threats and Trends Survey polled 600 organisations worldwide in mid-2019. It asked questions on the major security issues they will face in the next 12 to 18 months.

A majority of corporations – 86% – have proactively amplified security initiatives over the last year to combat the increase in cyber security attacks. Nearly 9 out of 10 businesses – 89% – say they’re currently better equipped to deal with security threats than they were in 2018.

However, organisations still face significant challenges when it comes to their security initiatives. Three quarters or 76% of organisations say the biggest and most persistent security threat comes from “the enemy from within” – careless end users. These end users regularly click on bad links, placing organisations at higher risk of falling victim to email phishing, ransomware, CEO fraud scams and various forms of malware. And 58% of organisations cite budgetary constraints as an ongoing challenge in upgrading security.

Of the 89% of respondents who say that their firms are more prepared to cope with security threats, 36% say they’re “much better equipped.” However, a 53% majority of those polled more cautiously characterise their companies as “somewhat more prepared,” than they were 12 to 18 months ago. They added the caveat that “we need to do more to secure our environment.” Only a 6% minority believed that their firms were less prepared to deal with security issues in 2019 than they were the same time a year ago.

Cyber Security Threats

KnowBe4’s latest survey results find that enterprises are well aware of the need to fortify security and safeguard data assets and intellectual property in light of various cyber security threats. These include but are not limited to: viruses and malware; sophisticated email phishing and CEO fraud scams (aka Business Email Compromise); social engineering; password attacks; denial of service attacks; data leaks; open ports on servers and routers; targeted attacks by hackers; corporate espionage; attacks at the network edge; lost and stolen devices; and lack of security on employer and employee-owned bring your own devices (BYOD).

A near unanimous 96% of organisations say that email phishing scams pose the biggest security risk. This is followed by 76% who identify end user carelessness and 70% of respondents who cite social engineering as the biggest security threats facing their firms over the next 12 months (See Exhibit 1). And in a nod to the growing sophistication of the organised hacking community, nearly half or 46% of respondents fear their organisations may fall victim to a targeted attack. This is an increase of 11 percentage points from the 35% of organisations that perceived targeted hacks as a danger in KnowBe4’s 2014 Security Threats and Trends Survey.

Among the other survey highlights:

  • Despite the well-documented increase in cyber threats, 43% of KnowBe4 survey participants still don’t allocate a significant portion of their IT budgets towards security expenditures (See Exhibit 3). One-third or 30% of respondents don’t have a separate security budget and another 13% say the organisation’s security budget is less than $25,000 annually.
  • Only 14% of organisations say they’re concerned about insider attacks from internal employees.
  • Half – 50% – of participating companies report their security and IT staff are overworked. 40% say their organisations will face a shortage of skilled security professionals within the next 12 months.
  • An 82% majority of respondents say proactive security maintenance (e.g., installing upgrades and patches) is a top priority over the next 12 months. That was followed by 61% of organisations that cite the need to keep pace with the latest security threats. Plus, 61% say updating and enforcing computer security policies is a major concern for their organisation.
  • Some 27% of respondents identify their organisations’ inability to identify, quickly respond to and shut down hacks over the next 12 months as a top challenge and source of concern.
  • Only 18% of organisations calculate the hourly cost of downtime related to security hacks.
  • A 53% majority allow employees to access the corporate network and data using BYOD. However, only 39% of organisations currently have a plan to respond if a BYOD such as a laptop, tablet or smart phone is hacked, stolen or lost.

The KnowBe4 survey responses also underscore the importance of upgrading security and training internal security and IT administrators as well as end users. Hackers are continually upping their game. As Exhibit 1 below illustrates, organisations must contend with and defend their devices and networks against a wide array of security threats.

Exhibit 1. Organisations say phishing scams, end user carelessness and social engineering are top security threats

KnowBe4 Security Threats & Trends Report Oct 19

Source: KnowBe4 2019

This KnowBe4 2019 Security Threats and Trends Survey presents a comprehensive picture of organisations’ most pressing security issues and challenges over the next 12 to 18 months. It also offers actionable insights, via anecdotal essay comments and first-person interviews with C-level executives as well as IT and security administrators as to how organisations intend to proactively defend their data assets from hackers going forward.

Data and Analysis

The Survey results indicate that the overwhelming majority of organisations and their security and IT departments recognise the increasing danger posed by the growing number of cyber threats. And they are aggressively taking countermeasures to mitigate those threats.

The top three threats that respondents say pose the most danger are: email-based scams (e.g., phishing, ransomware and CEO fraud); end user carelessness; and social engineering. This is not surprising because these three issues – along with BYOD and mobility – are inextricably intertwined by the common thread of the “human element.”

The KnowBe4 study delved into organisations’ most pressing security issues and challenges via essay comments and first-person interviews with C-level executives as well as IT and security administrators. Those conversations revealed that organisations of all sizes across a wide range of vertical markets are extremely concerned about budgetary constraints and the dearth of skilled IT administrators and resources necessary to secure their environments at a time when hacks are more targeted and pernicious.

The anecdotal data also suggests that IT and security administrators continue to find themselves caught in the crossfire between C-suite executives and end users. Security and IT departments must convince upper management to allocate the monies and resources to purchase security packages and security awareness training to safeguard their environments. At the same time, IT and security managers must police the organisation’s end users and instil a sense of urgency regarding the importance of being vigilant regarding security practices in the face of everyday threats such as phishing scams, malware, ransomware, sextortion emails and rogue code.

Careless End Users, Lax Security Policies and Tight Budgets Fuel Cyber Crime Success Rates

The increasing frequency and high success rate of email-based cyber attacks have organisations understandably on edge. This trend has been evident in all of KnowBe4’s surveys since 2013. KnowBe4 survey respondents directly attribute the high degree of successful email cyber attacks on their organisations to the willingness of end users – including management – to click on bad links without thinking. Other culprits include weak computer security policies, lax enforcement and a lack of IT budget dedicated to purchasing security devices and software, hiring security professionals and getting security awareness training.

As Exhibit 2 illustrates, the results of KnowBe4’s 2019 Security Threats and Trends Survey show that email-based hacks are among the most prevalent and dreaded of cybercrimes. They are also among the most successful.

Exhibit 2. Email Phishing, CEO Fraud Scams Top Companies’ List of Security Threats

KnowBe4 Security Threats & Trends Reports - Concerns

Source: KnowBe4 2019

KnowBe4 survey respondents accept the reality that cyber threats are a fact of computing life in the digital age. They are nonetheless rightfully concerned that they have little knowledge about when and where the next threat will present itself. Most concede that it’s a matter of “when not if” their organisations will get hit.

The network administrator at a mid-sized law firm near Washington, D.C., that has nearly 100 servers, summed up the sentiments of many IT professionals.

“The whens and wheres of cyber attacks are unknowns, and I’m particularly worried about the next attack vector we don’t know about yet,” he says.

KnowBe4 survey participants gave extremely detailed and insightful responses regarding their security safeguards and preparedness. During interviews with KnowBe4 analysts, many security and IT administrators described how they’ve adopted a multi-layered approach that pays particular attention to what they typically regard as the weakest link in the network ecosystem: end users.

An IT staff member at a federal government agency in California that spends $1 million to $4.9 million annually on security says his organisation has developed a thorough security framework with “limited resources, but an unlimited procurement policy.”

Defence in Depth

“We’ve achieved this level of security with an approach that boils down to one overarching principle: Defence-in-Depth, from the network to the endpoint. We have firewalls, both external and internal. In addition, we have SIEMs, including Alienvault, Splunk and Qradar. We’ve deployed multiple anti-malware solutions, including ESET, MalwareBytes, and Cylance, on a number of our servers and endpoints. Plus we use real-time traffic monitoring tools that help us manage the infrastructure, and other tools to monitor data as it travels through the network.

We have spotted ransomware and stopped it in its tracks. In addition, we have MAC-level, 802.1x authentication on switches and APs. Plus, we run virtual environments on thin clients throughout 99% of our agency. Any compromised image gets eliminated from the virtual server and replaced with a fresh image. Each of those endpoints, in turn, runs various levels of software-based endpoint protection; you can’t even plug a USB without us knowing about it. Policy-wise, we require two-factor authentication to use internal resources.

We restrict access to social media and personal emails during work hours on our domain, but they have access on a separate external network, not connected to the main domain, that they’re free to use at their own risk. But all of this begins with the end user; arguably the most challenging part of securing an environment. Running KnowBe4 campaigns as part of our security framework has given us the ability to assess the risks associated with email attacks and act accordingly. Staff [members] who repeatedly click on emails undergo security awareness training. Thanks to this product [KnowBe4], our last campaign reported the lowest click rate since the start of our campaigns, nipping a notoriously weak link in the bud.”

Budgets

As Exhibit 3 illustrates below, security budgets remain tight for many organisations. Nearly one-third or 30% of respondents say that their organisations do not have a security budget that is separate from their annual IT capital expenditure budget. Some 13% indicate they allocate less than $25,000 on security spending and 12% spend $25,000 to $50,000 annually on security.

Fifty percent of the organisations polled dedicate less than or up to $50,000 a year to purchase security products, software or security awareness training despite the well-documented rise in all types of cyber attacks and cyber crimes.

Still, this marks an improvement in security spending over KnowBe4’s 2018 Security Awareness Training Deployment Trends Survey, which polled 1,100 organisations. That survey found that 34% of respondents did not have a separate security budget; 16% spent less than $25,000 on security and 13% of respondents allocated $25,000 to $50,000 on annual security spending.

Although 50% of organisations spend less than or up to $50,000 annually on security products and training, that’s still an improvement over the KnowBe4 2018 survey results, which found 64% of organisations spent $50,000 or less every year on security.

Exhibit 3. Security Budgets Tight: 50% of Firms Spend Less than $50K Annually

KnowBe4 Security Threats & Trends Report - Security Budget

Source: KnowBe4 2019

Dedicated security spending or budgets are crucial, as users detailed in their anecdotal essay comments and first-person interviews, because they often make the difference between the IT department’s ability to be proactive versus reactive.

That is the situation for a systems administrator at an SMB financial services firm in the Southeastern U.S., who says his company has no separate security budget.

“Being a small company, sadly most everything we do here is reactive. We have virtually no IT budget. So no, I don’t think we have a good approach to security, other than running manual scans and patching what we can.”

An IT manager at a mid-sized retailer in California who spends less than $25,000 on security says his business is challenged by a lack of security funds.

“Security for our organisation continues to be challenging. A lack of specific skills and training in IT security requires us to rely on partnerships with vendors. We continue to hope they are keeping up their responsibility for keeping the organisation safe. We often think about a more formal relationship with an MSSP.”

Limited Resources

The IT manager at an Auckland, New Zealand government enterprise organisation that also has no separate security budget expressed his concerns. He notes that the lack of funds contributes to his IT staff being overworked, his inability to hire skilled security personnel, and inadequate funding for security awareness training.

“We run a three-year cycle of investment to uplift security technologies and have added another staff member to the team in the last nine months. We are in the process of motivating [upper management] to add a third member to the security team. Plus, we understand that we need technology, trained and skilled people, processes and awareness training to ensure that our organisation’s security improves over the next few years. It is a marathon not a sprint; as long as we focus our efforts on the most critical threats first.”

Most survey respondents, though, fell in the middle of the spectrum. That is, although they weren’t awash in security funds, they were nonetheless very proactive and believed that their organisations had made progress in the last 12 to 18 months.

Such is the case of a network architect at a K-12 school district in Iowa, who says he’s adopted a straightforward approach to security.

“We are a public school system and have very limited resources and a limited technical staff, so a simple plan works best. We train our users with KnowBe4. This has significantly cut down on users clicking on scam emails. We keep all hardware/software up to date no matter how difficult it becomes. Patching firmware and software is a security requirement, period. The last thing is monitoring using NGFW’s and rule-based monitoring of end user behaviour. This is our simple, easy to follow security process. Like the old saying goes, ‘keep it simple stupid.’”

Users’ Top Priorities: Daily Security and IT Vigilance

The KnowBe4 study results also reinforced the fact that vigilance in daily IT and security operations is crucial, particularly with respect to keeping pace with routine operational management and security tasks.

As Exhibit 4 indicates, security professionals and IT administrators are extremely concerned with the pragmatic issues that most directly impact their end users’ daily computing life and routine. Organisations’ top security priorities in the next 12 months are: performing proactive security upgrades and patches, cited by 83% of respondents; keeping pace with the latest security threats; and updating and enforcing security policies, both of which were cited by 60% of survey participants.

Exhibit 4. Upgrades, Enforcement and Training are Top Security Priorities

KnowBe4 Security Threats & Trends Report - Security Priorities

Source: KnowBe4 2019

Additionally, over half – 52% – of organisations say implementing security awareness training for IT departments and end users is high on their list of priorities.

4-in-10 organisations say that upgrading intrusion detection and authentication mechanisms is a top priority, followed closely by 37% of respondents who cite vulnerability testing as a key part of their security strategy in the next 12 months. 36% of organisations say that keeping up with technology hacks involving IoT, migrating to the cloud and upgrading security devices like firewalls are priorities.

Another 31% say correctly provisioning devices and applications is a priority and 26% referenced strengthening encryption/encrypting data. All-in-all, these types of tasks comprise much of a security and IT professional’s daily and weekly activities. And like everything security-related, these professionals must stay up to date to keep pace with the ever-evolving threat landscape.

Security Awareness Training

This explains why security awareness training initiatives have assumed a much more prominent and pivotal role in organisations’ security strategies in recent years, with 52% of survey participants saying it’s a priority for them. This is up from the 41% of respondents in KnowBe4’s 2013 survey who cited security awareness training education as crucial for their security operations.

Security awareness training makes sense on many levels. First and foremost, users are and likely will continue to be the weakest links in corporate security defences. Security awareness training also yields tangible results. The return on investment (ROI) is immediate according to the anecdotal data KnowBe4 received in essay comments and first-person customer interviews. Security and IT professionals were unanimous in stating that security awareness training greatly reduced the number of successful email-based cyber attacks like phishing, BEC, CEO fraud and ransomware hacks against their organisations.

The chief information security officer at a large government agency in Mississippi with 100-250 servers that spends $250,000 to $499,999 annually on security, just assumed her role in the last six months. She found that the organisation’s security was reactive and set about changing that by using a multi-faceted strategy.

From Reactive to Proactive

“I’m currently on a fast track to learn the security solutions we have and I’ve also been working on policies and compliance. In addition, I’m implementing an incident response plan and two-factor authentication. I want to take the organisation from reactive to proactive/prevention mode. We use the KnowBe4 security awareness training and it has helped us reduce our threats by 50% in the first year.”

The security administrator at a mid-sized healthcare organisation in the Midwest also takes a proactive approach to security to adhere to regulatory compliance laws and says that security awareness training plays a pivotal role in their security initiatives.

“We’re taking a much more proactive role in security now that our staff has grown, and we have more time to do so. We are subject to HIPAA for some of the data that we house so have always taken security very seriously. Now, we have confidence in our hardware and software regarding security and view employees as the weakest part of our security. We therefore employ KnowBe4 to train them and also send emails regarding current events in the security world. Our policies are ever-changing and evolving as the environment around them changes. Another challenge not listed above is keeping our office culture the same while improving security.”

Toughest Security Challenges: Reining in End Users; Getting More Budget and Hiring Skilled IT and Security Staff

The category of top security challenges in many ways mirrored the biggest security threats facing organisations and their security and IT departments over the next 12 months. Once again, the responses were similar. As Exhibit 5 illustrates below, the top three most challenging security issues in order are: end user carelessness (66%); cost/budget constraints (58%) and overworked security/IT staff (50%).

Interestingly, respondents were not as concerned about less pressing topics such as potential losses or litigation arising from security litigation or data theft (15%); too many entry points into the network (12%); failure to adhere to compliance regulations (11%); weak network edge (5%); and weak physical infrastructure security (5%).

Exhibit 5. Toughest Security Challenges: Careless Users, Tight Budgets and Overworked Security/IT Staff

KnowBe4 Security Threats & Trends Report 19 - Top Security Challenges

Source: KnowBe4 2019

The IT manager at a New Jersey-based mid-sized law firm that has no separate security budget says the paucity of funds places his company at higher risk of attack. He’s particularly worried about the threats posed by email, phishing scams and end user carelessness. The IT manager is also concerned by the potential for the corporate network to get infected when the law firm’s attorneys insert clients’ USB devices into the company’s computers. It took a brush with disaster to get management to loosen the purse strings.

“For years, I’ve been trying to educate management as to the need for user training in the way of cyber security. Money has never been made available and I had been reduced to developing ineffective in-house brochures and emails to address this need. However, that all changed when a user decided to use a third-party application in order to virtually install a program on his laptop to use.

Both the third-party app and the program were not approved by our organisation. Even though the user only had basic rights on his laptop, the application managed to launch a rogue program that corrupted over 60% of his system files. If it weren’t for our malware detection hardware from Carbon Black, our network could have been compromised. As it was, the infection was catalogued before he [the user] reconnected the laptop to the network.

Thus, we were able to isolate the laptop before any further damage was done. The laptop, however, required a complete rebuild. I used this opportunity to once again drive home to management the need to invest in a security awareness program to educate our users. Within 30 days, we purchased KnowBe4 and it is already yielding great results.”

Conclusions and Recommendations

In today’s interconnected digital age, it is imperative that proactive security measures be an integral part of the daily operations. No organisation can completely eliminate security threats and escape the attention of hackers – especially targeted hacks. However, the vigilance and knowledge gained by deploying security awareness training programs can thwart, identify and quickly isolate myriad security issues from social engineering hacks. The latest BEC and CEO frauds, phishing, ransomware and sextortion scams are increasingly sophisticated. They manage to dupe intelligent, experienced users and even government agencies into taking the bait and clicking.

To reiterate, there is no such thing as 100% foolproof security. But multi-layer security defences, bolstered by security awareness training, can lessen the number of successful security penetrations and mitigate risk to an acceptable level.

Frequent security training also helps employees to recognise scams and “think before they click,” and potentially avoid an attack. In those instances where malicious/rogue code or other social engineering security threats do manage to gain entry into the network or devices, SAT can assist in early detection and quick removal before the cyber attack can cause serious damage.

The KnowBe4 2019 Security Threats and Trends Survey findings, anecdotal essay responses and first-person customer interviews underscore the fact that organisations, security professionals and IT administrators recognise the value of SAT programs and actively deploy them. In particular, they deploy them as the first line of defence against the email phishing scams, CEO and BEC frauds and ransomware attacks that end users routinely and thoughtlessly click on every day.

Methodology

The KnowBe4 2019 Security Threats and Trends Survey polled 600 organisations mid-year 2019.

The independent web-based survey included multiple-choice questions and essay responses. To supplement the survey data, KnowBe4 conducted over one dozen first-person phone and email interviews with security professionals, IT managers and C-level executives. The anecdotal data obtained from these customer interviews validates the survey responses and provides deeper insight around the security and the real-world business issues facing organisations. The subjects covered include topics like budgets and cost constraints, keeping pace with the latest security threats, finding the right products and tools for the business, educating end users and the challenges associated with finding skilled IT and security professionals to staff IT departments.

KnowBe4 did not accept any vendor sponsorship money for the online poll or the subsequent first-person interviews conducted in connection with this project. We also employed authentication and tracking mechanisms during the survey data collection to prevent tampering and to prohibit multiple responses by the same party.

Respondents were culled from 40 vertical market segments. The top five vertical market sectors in order were:

  • Financial
  • Manufacturing
  • Healthcare
  • IT/Services Provider
  • Non-Profit

Organisations of all sizes were represented. Some 44% of the participants were from SMB organisations with fewer than 200 employees; 26% came from midsize and smaller organisations with 201 to 500 end users and 30% of survey participants were from large enterprises with 500 to over 10,000 workers. Some 78% of respondents hailed from North America compared with 22% of international respondents. The countries represented by global respondents include: Australia, Belgium, Brazil, Canada, China, Denmark, Egypt, Germany, India, Ireland, Italy, Japan, Mexico, New Zealand, Netherlands, Poland, Spain and South Africa.

BEC Scams On The Increase

Tony Mason | Office 365 Security, Security Awareness & Phishing

BEC Scams & CEO Fraud

During the Gartner Security & Risk Management Summit this week it was reported that 2019 projects should include Incident Response, BEC Scams and Container Security.

This was swiftly followed by the news that a European subsidiary of Toyota lost more than £30 million following a business email compromise (BEC) scam. 

BEC or CEO Fraud is a scam in which cyber criminals spoof company email accounts and impersonate executives. They try to fool an employee in accounting or HR into sending money or giving out confidential tax information. With Toyota, it's almost inconceivable that so much money could have been taken from one company. Sadly, BEC fraud is worth billions and has now overtaken ransomware and data breaches in EMEA cyber insurance claims.

The size of the Toyota scam is alarming in itself. However, the consequences will be huge. Others will see how lucrative this type of scam can be. Cyber criminals will be increasing their BEC campaigns and new actors will be attracted into this lucrative field.

Staff Training & Processes

As a result, it’s becoming ever more important that organisations apply security measures to their business practices. They must train staff to ensure they get third party approval for any financial transactions. In addition, new payment procedures must be introduced into the company where several people sign off on a financial transaction.

Unfortunately, junior staff are in a position where they trust their managers and do as they are instructed. Processes must be put in place under which staff can, and in fact must, question requests from colleagues, managers or even suppliers.

Despite a multi-layered cyber security system, IT security tools are not infallible against human behaviour. Staff must be trained to be aware of the potential attacks. These can come in various forms: phone, email, or even social media. Attackers will find the weakness in any business.

Javvad Malik, security awareness advocate at KnowBe4, advises that BEC is fundamentally based on socially engineering the victim into making the money transfer.

“The first step should be raising awareness amongst staff of these attacks. In particular focus on those who work in finance or have the ability to set up new payments or amend existing ones.”

“Secondly, and perhaps more importantly, procedures need to be in place which prevent one user from being able to authorise or create a new payment. Rather, segregation of duties should be put in place whereby more than one user approval is needed to initiate payment. In addition, established and trusted mechanisms are required through which any requests can be queried.”

AI & DMARC

Other measures can also be put in place. Barracuda, who offer Sentinel, advise taking advantage of artificial intelligence. Look for AI technology that doesn't simply rely on looking for malicious links or attachments, as attackers are increasingly getting around these checks. They also recommend implementing DMARC authentication and reporting in your organisation. This can help stop domain spoofing and brand hijacking. They also suggest utilising multi-factor authentication in your organisation, as passwords alone are no longer enough to keep cyber-attackers out.

Defensive measures against BEC scams

IC3 provides the following guidelines for employees containing both reactive measures and preventative strategies:

  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII in response to any emails.
  • Monitor their personal financial accounts on a regular basis for irregularities, such as missing deposits.
  • Keep all software patches on and all systems updated.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's email address appears to match who it is coming from.
  • Ensure the settings on the employees' computer are enabled to allow full email extensions to be viewed.
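Several of these checks, together with the DMARC result mentioned earlier, can be automated at the mail gateway or in a triage script. The following Python sketch is an added example, not code from IC3, KnowBe4 or Barracuda; the trusted-domain list, executive names, flag names and both sample messages are assumptions constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}   # assumption: the organisation's own domains
EXECUTIVES = {"jane doe"}           # assumption: names likely to be impersonated
# Constructed sample messages (not real mail).
SPOOFED = ('From: "Jane Doe" <jane.doe@examp1e.com>\n'
           "Reply-To: payments@mail-relay.test\n"
           "Authentication-Results: mx.example.com; dmarc=fail\n"
           "Subject: Urgent transfer\n\nPlease process today.\n")
GENUINE = ("From: Jane Doe <jane.doe@example.com>\n"
           "Authentication-Results: mx.example.com; dmarc=pass\n"
           "Subject: Minutes\n\nAttached.\n")

def edit_distance(a, b):
    """Levenshtein distance, to spot near-miss spellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_red_flags(raw_message):
    """Return the red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    flags = []
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    from_domain, reply_domain = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if from_domain not in TRUSTED_DOMAINS:
        if any(edit_distance(from_domain, d) <= 2 for d in TRUSTED_DOMAINS):
            flags.append("lookalike-domain")
        if display_name in EXECUTIVES:
            flags.append("executive-name-on-external-address")
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-differs-from-sender")
    # Authentication-Results is stamped by the receiving server; trust only your own.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdict = re.search(r"\bdmarc=(\w+)", auth)
    if verdict is None or verdict.group(1).lower() != "pass":
        flags.append("dmarc-not-pass")
    return flags

if __name__ == "__main__":
    print(bec_red_flags(SPOOFED), bec_red_flags(GENUINE))
```

A message that raises any of these flags and also asks for a payment or a change of account details is a candidate for the secondary-channel verification in the first guideline.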

BEC Fraud is on the increase because these highly lucrative attacks are succeeding and they will continue to attract more groups willing to attempt their methods. 

To add to this, KnowBe4 report that your email filters have a 10% failure rate.

Therefore you need a strong human firewall as your last line of defence.

KnowBe4 Recommend Eight Prevention Steps

Many steps must dovetail closely together as part of an effective prevention program:

  • Identify your high-risk users
  • Institute technical controls
  • Set a security policy
  • Develop standard procedures
  • Cyber-risk planning
  • Training for all users
  • Continuous simulated phishing
  • Stay aware of red flags

For more information see KnowBe4 Security Awareness Training