- Monthly Newsletter - May 2013

Welcome to the newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to:

Editor's Corner

Latest Attack Trend: 'Persistent Spear Phishing'

DarkReading had an article a few weeks ago: 'How Hackers Fool Your Employees' that was very interesting to read. What caught my eye were two quotes from thought leaders in our security training space: Lance Spitzner from SANS and Rohyt Belani from PhishMe.

Lance Spitzner, training director for the Securing The Human Program at SANS Institute said: "Computers store, process and transfer information, and people store, process and transfer information," he says. "They're another endpoint. But instead of buffer overflows, people suffer from insecure behaviors."

Rohyt Belani, CEO of security training firm PhishMe observed something interesting. He said: "Conversational phishing is the latest attack trend. The victim gets multiple emails that make it look like there's a human on the other end and that it's part of an email thread,". The attacker knows enough about the victim and his interests to convince him that, say, they had met at a busy convention such as RSA.

"From there, the attacker tells the victim about a blog post that he'd surely be interested in and attaches an infected version. The attacker even sends a follow-up message asking the user if he had a chance to look at the blog. "Now you're subconsciously convinced that it's a real human being so you open that document," Belani says. "The bad guys have been doing that for at least the last six months."

That's why I call it 'PSP' for Persistent Spear Phishing but the concept is clear. It's ultimately a human attacking a human via the Internet, either through a single email or a logical sequence of emails that can easily be automated. Here is the whole article, which ends with two VERY interesting graphs you should definitely check out!

I also created a page at Wikipedia for this new term, and you are welcome to go there and improve upon my first attempt to describe it.

Why Bring Your Own Device (BYOD) Needs Your Attention

We are in the middle of the biggest computer revolution since the PC; the explosive number of devices is descending on corporates. In some cases the personal devices can outnumber the corporate devices. This article will cover strategies that should be considered when securing your company.

Quotes Of The Month

"Success is not final, failure is not fatal: it is the courage to continue that counts." - Winston Churchill

"Things which matter most must never be at the mercy of things which matter least." - Johann Wolfgang von Goethe

"97% of the statistics found on the Internet are untrue" - Abraham Lincoln

Warm regards,

Stu Sjouwerman

Editor, Newsletter
Email me at

Released: Kevin Mitnick Security Awareness Training

Traditional once-a-year Security Awareness Training doesn't hack it anymore. Today, employees are frequently exposed to sophisticated phishing attacks, and your users are now the weak link in your network security. They need to be trained by an expert, and after the training stay on their toes, keeping security top of mind. Click on the orange "Get A Quote" button and find out how affordable this is! More info here.

Busy? Just take 90 seconds and watch this brand new video about the new Kevin Mitnick Security Awareness Training . You'll be glad you did.

Security Detail

Verizon 2013 Data Breach Investigations Report

This is some pretty well researched data and you should check it out. It clearly shows the increasing prevalence of phishing attacks (due to increased espionage attacks primarily) which you could definitely use as ammo to get budget. There are lot of other nuggets, like the fact that 66% of breaches aren't discovered for months. Just tons of data. There is the full report plus a nice exec summary. Here is the PDF.

Four Ways To Defeat APT

Advanced Persistent Threats (APT) are essentially industrial espionage by nation-states. Several of these APT's are supported by their military (like China and Iran) and go after both civilian and military targets. APT really is a team of skilled hackers that have been given a target like AIRBUS and work day and night to penetrate that account.

Obviously cyber-espionage can be used for two things: 1) Exfiltrate intellectual property for competitive purposes, 2) Discover weak spots in a nation's critical infrastructure and use these for cyberwar (disruption).

This is the 30,000 feet perspective of what needs to be done. First you need to filter ingress, but also filter egress at the same time, then you analyze your network for hacker intrusions, and last but not least, you need to step your users through security awareness training. The filtering can be done with existing software layers. The analysis is a job for dyed-in-the-wool security researchers that dig into all your log files, the registry and other data. You know where to go for the training.

FAQ: Phishing Tactics And How Attackers Get Away With It

Network World reported: "Phishing attacks on enterprises can be calamitous in terms of compromised networks or damaged brand names, and the Anti-Phishing Working Group (APWG), which aggregates and analyzes phishing trends data worldwide, offers some of the best insight from industry into what's occurring globally in terms of this cybercrime. The following list of frequently asked questions about phishing is derived from the APWG's April report that covers the period July-December 2012 worldwide.


ViewPoint - Your Take

Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at 

SecOps: What You Need To Know

Do This Phishing IQ Test!

Did you know that SonicWall has an interesting Phishing IQ test on their website? It's a few years old but actually fun and interesting to do. You get a series of 10 emails and you need to indicate if it is a phishing attack or if it's legit. Go ahead and test if you get them all correct. At the end they have an explanation for each why it's either a scam or legit. Here you go and have fun!

Fraud-as-a-service Goes Mainstream

Researchers at RSA stumbled upon a Facebook page that had been up for several months, and was marketing the Zeus banking Trojan. This is something new as up to now, this type of marketing was limited to the 'darknet' criminal underground. The Facebook page has been taken down but Trojans being sold out in the open with 'hints and tips' on how to steal credit cards shows that cybercrime is going mainstream. RSA's Limor Kessem said: "Social networks are such a great place for malware infections and phishing, why not just market the botnet directly from there?" Full article over at BankInfoSecurity.

Why We Need Security Awareness Training Programs

I found a great article by Kai Roer, Senior Partner at the Roer Groupin Norway.

"Lately, some of the smartest people in Infosec decided that security awareness trainings are a waste of time. Last out is Bruce Schneier, who decided to speak up against awareness training.

"The claim that security awareness trainings are not working is, in my opinion, a claim based on wrong assumptions. It also shows a clear lack of understanding of the inner workings of the human mind, and a total lack of respect for your co-workers.

"If all you focus on is technology, code and cryptology, and you have very little real interaction with people, I can understand where you are coming from. It takes more than code to decrypt the subtleness of human interaction." He continues with a clear cut case for training that I think you will enjoy.

Hackers’ Haven

10 Classic Hacking, Phishing And Social Engineering Lies

Whether it is on the phone, online or in person, here are ten lies hackers, phishers and social engineers will tell you to get what they want. It might be an idea to send this link to your employees and let them step through these reminders as they are still used every day.

Yahoo Warns: "Your Small Business May Have Already Been Hacked"

Veteran IT reporter Dan Tynan has a very popular Yahoo SMB column. He interviewed me and I was quoted in his April 25 article about hacking. There is a lot of good ammo in there if you need (to increase) IT security budget: "While attacks on large enterprises have declined slightly over the last year, threats to SMBs have risen sharply. Cyber attacks targeting businesses with 250 employees or less doubled in the first six months of last year, according to Symantec. The average loss per attack: more than $188,000."

"One of the biggest fallacies about small-to-medium businesses is that they're too small to be noticed by hackers,” he says. “That's simply not the case.” In fact, for SMBs the opposite is true. Here is the article.

Watch Out For Waterhole Attacks -- Hackers' Latest Stealth Weapon

It's time to learn about waterhole attacks, where sites with tailored malware await visits by certain companies' employees. The bane of the computer security world is how long it takes to recognize and respond to new attack paradigms. Name a major threat -- the boot virus, macro virus, email attachment, or Web JavaScript redirect -- and it seems to take years to respond adequately. So here's an early warning: Waterholes should be on your radar!

Fave links & Cool Sites