Newsletter - February 2013 Sponsored by: NetWrix

Welcome to the newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to:

Change Auditing for Critical IT Systems

NetWrix Change Reporter Suite, a simple IT infrastructure auditing tool that tracks changes made to all critical IT systems and shows exactly Who changed What, When and Where.

Download Free Trial

Editor's Corner

Which Antivirus Has The Best Phishing Protection? Surprise!

I ran across some very interesting research done by NSS Labs. They compared twelve of the most popular antivirus engines (they call them endpoint protection products) and tested these tools specifically for blocking phishing attacks. The results are surprising, as Trend Micro wins this battle with 92%, closely followed by Kaspersky with 85% and the rest do not score above an abysmal 64%.

Now, do not get too worried right away. They also said that the browser is actually a better frontline against phishing attacks, and they also tested four popular browsers, which add protection against new phishing sites twice as fast: five hours instead of an average of 10 hours for the endpoint products.

I strongly suggest you read the whole report for yourself. One thing to note is that there were twelve products tested, one of which is Microsoft Security Essentials, but that product is mysteriously missing from all the graphs. You wonder if that's just an error, or if there are more sinister reasons for that.

Here are some of the key findings and recommendations:

  • Nearly 90% of consumers are inadequately protected against phishing by endpoint protection products (EPP). The effectiveness of AV products claiming to offer phishing protection ranges from 3% to 92%.
  • End users should use current web browsers as a first line of protection against phishing attacks. Invest time in understanding phishing attacks and modify behavior to avoid becoming a victim. Assign a higher priority to exploit prevention, socially engineered malware blocking, and general detection capabilities over phishing detection when selecting EPP products.
Here is the report with a link to the downloadable PDF.

Quotes Of The Month

"Freedom is the sure possession of those alone who have the courage to defend it." - Pericles

"May we think of freedom, not as the right to do as we please, but as the opportunity to do what is right." - Peter Marshall

Warm regards,

Stu Sjouwerman

Editor, Newsletter
Email me at

Released: Kevin Mitnick Security Awareness Training

Traditional once-a-year Security Awareness Training doesn't hack it anymore. Today, employees are frequently exposed to sophisticated phishing attacks, and your users are now the weak link in your network security. They need to be trained by an expert, and after the training stay on their toes, keeping security top of mind. Click on the orange "Get A Quote" button and find out how affordable this is! More info here.

Busy? Just take 90 seconds and watch this brand new video about the new Kevin Mitnick Security Awareness Training. You'll be glad you did.

Security Detail

IT Security Equals Job Security

Did you ever expect that our IT networks would be a worldwide battleground for highly sophisticated cyber warfare? IT security certainly will provide job security for the next decade or until we rebuild the Internet from scratch.

The New York Times reported a few days ago that “A secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad, according to officials involved in the review.”

In short, the legal beagles have concluded that the U.S. President has the broad power to order cyberattacks on any country preparing to launch a major digital attack against the U.S. There is an ongoing campaign by the Administration to create new ground rules for any U.S. engagement in cyberspace. We soon expect more approvals for rules on how the military can defend or retaliate against cyberattacks launched by unfriendly nation states.

These new rules will also clarify the depth that U.S. intelligence agencies are allowed to go when they look for and try to stop imminent threats against U.S. assets in cyberspace. Attacks in cyberspace are often on civilian targets as we have seen recently during the DDoS attacks on U.S. Banks. We all need to be aware that our own network is potentially vulnerable.

The price of freedom is constant alertness and willingness to fight back. Implementing a mandatory security awareness training for all employees is no longer optional. Here is the article.

DMARC Anti-Phishing Technology Gains Acceptance

John Mello at CSO wrote: "A technology aimed at blunting phishing attacks on organizations appears to be finally gaining steam a year after its introduction. Domain-based Message Authentication, Reporting and Conformance (DMARC) is a security framework that offers a way to identify phishing messages by standardizing how email receivers perform email authentication.

Although only a year old, the technology is already protecting 60% of the email boxes in the world -- and 80% of email boxes in the United States, according to Agari, an email security company. Agari was one of the founding companies behind DMARC, along with Google, Microsoft, Facebook, Bank of America and JP Morgan Chase.

As with any new technology, particularly something that affects email, acceptance can be a hurdle. But it's one that DMARC is poised to leap over, according to Agari founder and CEO Patrick Peterson. "We are at escape velocity," he said in an interview. "When we started, people said they thought it was an interesting idea, but wondered if it was going to be one of these things you hear about and nothing ever comes of it. That's not going to happen."

When DMARC was introduced, it was seen as a bridge between two competing email authentication schemes -- Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)." This is an interesting article to check out.
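The SPF/DKIM "bridge" the quote describes is the receiver-side evaluation: a message passes DMARC only if SPF or DKIM passes *and* the authenticated domain aligns with the visible From: domain, otherwise the domain owner's published policy decides the disposition. The following is an added example, not code from the article or from Agari; the DMARC record, domains and authentication results are constructed, and the organizational-domain helper is a deliberate simplification (real receivers consult the Public Suffix List).

```python
# Constructed DMARC record for a hypothetical domain; no DNS lookup is performed.
SAMPLE_DMARC_TXT = "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, filling in RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption; real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate_dmarc(record_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition) for one message.

    spf_domain is the envelope-sender domain SPF checked; dkim_domain is the d= of a
    verified signature. The record is assumed to be published at org_domain(from_domain).
    """
    tags = parse_dmarc(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # Neither mechanism both passed and aligned: apply p=, or sp= for a subdomain From: address.
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return False, policy


if __name__ == "__main__":
    # Legitimate mail from the org's own relay versus a look-alike phish with attacker-owned SPF/DKIM.
    print(evaluate_dmarc(SAMPLE_DMARC_TXT, "example.com", "pass", "mail.example.com", "fail", ""))
    print(evaluate_dmarc(SAMPLE_DMARC_TXT, "example.com", "pass", "attacker.net", "pass", "attacker.net"))
```

The second case is the phishing scenario DMARC was designed to close: SPF and DKIM both technically pass for the attacker's own domain, but neither aligns with the From: domain, so the record's policy applies.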

Keeping Your Company, Personal Info Safe from Social Engineering Hacks

It was all over the news: the New York Times, the Washington Post and the Wall Street Journal were all hacked. What was not so clear is how. Well, this PBS article puts the finger on the likely sore spot: social engineering. This article has great ammo you can send to C-level management to make the case for (more) security awareness training.


ViewPoint - Your Take

Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at 

SecOps: What You Need To Know

Serious Data Breaches Take Months To Spot, Analysis Finds

John Dunn at TechWorld reported: "More than six out of ten organizations hit by data breaches take longer than three months to notice what has happened with a few not uncovering attacks for years, a comprehensive analysis of global incidents by security firm Trustwave has found.

During 2012, this meant that the average time to discover a data breach for the 450 attacks looked at was 210 days, 35 more than for 2011, the company reported in its 2013 Global Security Report (publicly released on 20 February).

Incredibly, 14 percent of attacks aren't detected for up to two years, with one in twenty taking even longer than that. Almost half - 45 percent - of breaches happened in retailers with cardholder data being the main target. The food and beverage sector accounted for another 24 percent, hospitality 9 percent, and financial services 7 percent.

Questions arise from this: how are attackers getting into organizations so easily, and why do IT staff not notice until long after the event?" This is a good article to check out:

5 Myths About Awareness

Lance Spitzner of the SANS Securing the Human program outlines five common misconceptions about security awareness programs. This is an interesting and quite instructive read.

How Do I Shift To An IT Security Career From A Network Admin?

Familiar with Quora? People ask questions and others answer them, often with detailed, highly informative and concise briefings that are meant to be a braindump, making the site more or less a global knowledge management repository. The question was asked: "How do I shift to an IT security career from a network admin?" and a few people answered. Most of these answers were better than mine! Here they are; this is plain good advice:


Hackers’ Haven

Feb SANS Monthly Awareness Video

You may be familiar with our friends at SANS. For their ‘Securing The Human’ team, every month is security awareness month, same as here at KnowBe4. On the first of every month they post a new security awareness video. Ultimately, their goal is to help people change behavior so they can use technology more safely and effectively. This month’s video is on the Advanced Persistent Threat (APT). You can learn what an APT is, how it actively targets organizations and individuals, and what you can do to protect yourself.

I especially like this APT video, but remember it will disappear by the end of Feb 2013. Send the link to your C-level executives; this is important. And then use KnowBe4's cloud infrastructure to send regular simulated phishing attacks to keep all your employees on their toes! Here is the link.

Want To Read Something REALLY Interesting?

Brian Krebs wrote a blog post that has become very popular with security pros. The title is: "Security firm Bit9 was hacked, and was used to spread malware". He continues with: "Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered an electronic compromise that cuts to the core of its business: helping clients distinguish known “safe” files from computer viruses and other malicious software.

Waltham, Massachusetts-based Bit9 is a leading provider of “application whitelisting” services, a security technology that turns the traditional approach to fighting malware on its head."

What is assumed is that state-sponsored hackers broke into Bit9's network and used Bit9's own code-signing keys to digitally sign their malware. Obviously Bit9 was a means to an end: the attackers needed to break into a U.S. organization and went through Bit9 to get there. Bit9, though, failed to keep their own IT security up to snuff.

Ouch, *facepalm*. But what is far more interesting is the discussion that ensued in the comments. Very instructive:

Cute: Keep Essential Information Hidden in Plain Sight with a UV Pen

Considering the number of passwords, PINs, and other vital pieces of information, such as Social Security numbers, that we have to keep handy, it's not surprising that many people write this kind of information down and keep it on a sticky note or the back of a business card. If you want to keep essential information readily available and yet hard to decipher, consider picking up a UV pen and LED flashlight so you can write down your passwords on any paper source. Here is the lifehacker blog post.
