Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
7 Shortcuts To Get Your Network Hacked
Yes, that headline was on purpose! In October we asked system administrators: "In your opinion, what are the most gruesome errors a system admin can make which will result in getting their network hacked?" Now we have the final results, with about 100 replies. Here is the final tally of shortcuts that -will- get your network hacked. The Top 7 are:
- No or Poor Patching
- Poor end-user and admin password management
- Using default passwords
- No or badly configured firewall
- End-users with local admin rights
- No security awareness training
- BYOD without good Mobile Device Management
So there you have it. Keep these seven points under control and it gets a lot harder to hack into your network! How's that for some 2013 New Year's Resolutions?
It Only Took One Click
NBC News just reported that "a single malicious email sent to workers at the South Carolina Department of Revenue last August enabled an international hacker to crack into state computers and gain access to 3.8 million tax returns, including Social Security numbers and bank account information, in what experts say is the biggest cyber-attack ever against a state government, according to details in a report released Tuesday." And think for a moment what could have been done to prevent that... Here is the article.
Quotes Of The Month
“Never, never be afraid to do what's right, especially if the well-being of a person or animal is at stake. Society's punishments are small compared to the wounds we inflict on our soul when we look the other way.” -- Martin Luther King Jr.
“Trust starts with truth and ends with truth.” -- Santosh Kalwar
Editor, WindowSecurity.com Newsletter
Email me at email@example.com
Released: Kevin Mitnick Security Awareness Training
Traditional once-a-year Security Awareness Training doesn't hack it anymore. Today, employees are frequently exposed to sophisticated phishing attacks, and your users are now the weak link in your network security. They need to be trained by an expert, and after the training stay on their toes, keeping security top of mind. Click on the orange "Get A Quote" button and find out how affordable this is! More info here.
Busy? Just take 90 seconds and watch this brand new video about the new Kevin Mitnick Security Awareness Training. You'll be glad you did.
Critical Vulnerabilities Found In Sophos Enterprise Protection
Deb Shinder posted on her blog: "If your company uses Sophos enterprise protection software, you’ll want to be aware of this: a Google security researcher recently announced the discovery of critical security flaws in all platform versions of the antivirus, which can be easily exploited by a hacker to send malicious PDF or VB files, but Sophos says most of the vulnerabilities have already been patched." Read more here.
WinITPro 2012 Best Product Awards
You all need tools to get your job done. Once a year, Windows IT Pro magazine does a major awards program that allows you to save an incredible amount of time. These are all the popular tools, with both the Editor's Choice and the Community Choice, so you have a great shortlist of the best tools in the most common categories. Worth checking out the security tools, there are some surprises!
ViewPoint - Your Take
Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at firstname.lastname@example.org
SecOps: What You Need To Know
"Passwords Are Not Dead, They Just Smell Funny."
Over at the Quora site I was asked to answer: "Has the age of the password come to an end?" My response was the following: "To paraphrase Frank Zappa: "Passwords are not dead, they just smell funny." But really, they have dramatically failed to be a reliable authentication process. Combinations of biometrics and/or 2-factor are the only thing that will be used for authentication; however, 2-factor can also be spoofed in some cases, so biometrics is the safest. Fingerprint technology is pretty mature now, and Apple has recently acquired a well-known biometrics company, which shows that this will be integrated in their next platforms. Personally I have been using fingerprint technology for years; this is mature and does not cause any problems."
However, there is trouble in biometrics paradise. You cannot replace a finger or a retina, so if the file describing your unique identifier is stolen somehow, you really are out of luck. Wired's Mat Honan was recently completely pwned. Hackers erased all his i-devices and deleted 8 years of Gmail traffic. He has written a great essay about passwords, which was on the front cover of the December Wired Magazine. This is one good read, with a few very good Do's and Don'ts. He even writes about a social engineering exploit of my business partner Kevin Mitnick. Warmly recommended for the holidays!
Venture Capital Validates Security Awareness Training
I am very encouraged to see our friends at PhishMe getting 2.5 Million in Venture money to expand their business. With this new investment, Christopher Steed, Vice President at Paladin Capital, is joining PhishMe’s Board of Directors. This means our increasingly important part of IT Security has been validated by smart money, which obviously sees that there is an incredible growth opportunity in this segment. It also shows that phishing training is growing up to be a mature industry, and that competition will increase. That is good for everyone. It improves overall IT security and keeps the players on their toes. Good news all around!
Alarming Number Of Merchants Unaware Of PCI DSS
Help Net Security had the story: The last four years have been marked by continued growth in small business data compromise, yet small business owners are still missing the point of the PCI DSS, a ControlScan report reveals.
The report uncovers a stubborn, multi-year trend of minimal growth in data security awareness and overall indifference in small merchants’ perceived risk of breach. For brick-and-mortar merchants the trend is even more disturbing, because their levels of awareness and concern fall well below those of the survey’s ecommerce merchant respondents.
“Just under half of this year’s respondents indicated they are unaware of the PCI DSS,” said Joan Herbig, CEO of ControlScan. “That finding, combined with the fact that 79% of respondents think their business has little-to-no risk of breach, indicates a serious disconnect between Level 4 merchants and the ISOs and acquiring banks serving them.” This is hair-raising. More.
The 2012 Top 10 Holiday Scams
We recommend you send this to your employees as the bad guys are coming out in full force this holiday season and will try to trick and scam users both at the office and at their house.
10) 'The Charity Tricksters'. The holidays are traditionally the time for giving. It's also the time that cyber criminals try to pry money out of people that mean well. But making donations to the wrong site could mean you are funding cybercrime or even terrorism. So, watch out for any communications from charities that ask for your contribution (phone, email, text, tweets, snail mail and even people ringing your door bell) and make sure they are legit and show their ID. It is safest to only donate to charities you already know, and refuse all the rest.
9) 'The Grinch E-Card Greetings'. Happy Holidays! Your email has an attachment that looks like an e-greeting card, pretty pictures and all. You think that this must be from a friend. Nope, not so. Malicious e-cards are sent by the millions, and especially at the office, never open these things as they might infect your workstation.
8) 'The Fake Gift Card Trick'. Internet crooks promote a fake gift card through social media but what they really are after is your information, which they then sell to other cyber criminals who use it for identity theft. Here is an example: A recent Facebook scam offered a “free $1,000 Best Buy gift card” to the first 20,000 people who signed up for a Best Buy fan page, which was a malicious copy of the original.
7) 'The Copied Site'. Bad guys build complete copies of well-known sites, send you emails promoting great deals, sell products, take the credit card, but never deliver the goods. These sites live only a few days and the money usually goes abroad. Your credit card company will refund the purchase, but apart from not getting your gift(s), your card number is now compromised and will be sold and used by cyber criminals. Always check for the https:// rather than just http://.
6) 'The DM-Scam'. You tweet about a holiday gift you are trying to find, and you get a direct message (DM) from another Twitter user offering to sell you one. Stop - Look - Think, because this could very well be a sophisticated scam. If you do not know that person, be -very- careful before you continue and never pay up front.
5) 'The Extra Holiday-money Fraud'. You always need some extra money during this season, so cyber fraudsters are offering work-from-home scams. The most innocent of these make you fill out a form where you give out confidential information like your Social Security number which will get your identity stolen. The worst of them offer you work where you launder money from a cyberheist which can get you into major trouble.
4) 'The Fake Recession Relief'. Internet swindlers target people that are vulnerable due to the recession with pay-in-advance scams and credit offers. Spam emails advertise "prequalified, super low-interest" credit cards and loans if you pay a processing fee, which goes straight into the scammer’s pocket.
3) 'The Search Term Trap'. Bad guys do their research and find out what people want. They then build a site that professes to have the item. They push that site high onto the search engines and you might click on that link. But the site contains malware and will infect your PC. Make sure that your web browser is fully updated, so it will warn you if it sees that the site is unsafe.
2) 'The Evil Wi-Fi Twin'. You bring your laptop and go to the mall to scout for gifts. Then you check if you get it cheaper somewhere online. But the bad guys are there too, shopping for your credit card number! They put out a Wi-Fi signal that looks just like a free one you always use. Choose the wrong Wi-Fi and the hacker now sits in the middle and steals your credit card data while you buy online. When you use a Wi-Fi connection in a public place, it is better not to use your credit card.
1) 'The Black Friday Racket'. Black Friday is the start of great holiday shopping deals, unless they are too good to be true and you get tricked into buying an iPad for a 90% discount. Be extra careful with online buying this holiday season. Happy and Safe holidays! This Top 10 is also available as a post at the KnowBe4 Blog.
Tenable Nessus: WindowSecurity.com Readers' Choice Award Winner
If you want to be ahead of the hackers getting into your network, start hacking your own network! And Nessus is just the tool to start with. We use it here for our customers too.
Tenable Nessus was selected the winner in the Security Scanner Software category of the WindowSecurity.com Readers' Choice Awards. Acunetix Web Vulnerability Scanner and ManageEngine Security Manager Plus were runner-up and second runner-up respectively. More.
SPF, DKIM, and DMARC Explained
In the beginning, there was no email threat. Senders were confident that messages weren't tampered with and receivers were confident that email was from a trusted source - until... Check out this infographic which will make SPF, DKIM, and DMARC a lot clearer.
Fave links & Cool Sites
In a tribute to 007, Top Gear attempts to turn a Lotus Excel into a submarine car. This is a classic Top Gear moment: http://www.flixxy.com/james-bond-style-submarine-lotus-drives-underwater.htm