|Excerpted from CyberheistNews Vol 7 #50
2017 was a dumpster fire of privacy and security screw-ups.
To start 2018 with a simple, effective, IT security strategy is an excellent New Year’s resolution and helps your CEO to keep their job. Better yet, thousands of your peers will tell you this was the best and most fun IT security budget they ever spent… hands-down.
This list is the high-power ammo you need to get budget and roll out new-school security awareness training, ideally right now.
Here are the Top 5 reasons…
- Social Engineering is the No. 1 go-to strategy for the bad guys. Unfortunately, their time is money too. Why spend 2 months of research uncovering a 0-day when you (literally) can create an effective spear-phishing attack in 2 hours? They are going after the human—the weakest link in IT security—and your last line of defense.
- Ransomware is only going to get worse in 2018. Email is still their favorite attack vector, and their sophistication is increasing by the month. The downtime caused by ransomware can be massive.
- Compliance requirements for awareness training are being sharpened up. Thinking that today you can get away with a yearly one-time, old-school awareness training session is whistling past the graveyard. A good example is May 25, 2018 when enforcement actions for GDPR begin. We have compliance training for GDPR ready in 24 languages.
- Legally you are required to act “reasonably” and take “necessary” measures to cope with a threat. If you don’t, you violate either compliance laws, regulations, or recent case law. Your organization must take into account today’s social engineering risks and “scale security measures to reflect the threat”. Don’t trust me, confirm with your lawyer, and next insist on getting budget. Today, data breaches cause practically instant class action lawsuits. And don’t even talk about all employees filing a class action against your own company because your W-2 forms were exfiltrated with CEO fraud.
- Board members’ No. 1 focus today is cyber security. Some very pointed questions will be asked if they read in the Wall Street Journal that your customer database was hacked and the breach data is being sold on the dark web. Once it becomes clear that your organization did not deploy a simple, effective strategy that could have prevented this, a few (highly placed) heads will roll. Target’s CEO and CISO are just an example. Help your CEO to keep their job.
Former US CISO on Why Awareness Training Is Priority Number 1:
In an information technology environment where personnel are on the cyber front line at work and also at the house, the key to ensuring security is still awareness training, says former U.S. CISO Gregory Touhill, who was the Air Force General responsible for Cyber Training before he became the first US CISO.
“A congressman asked me when I took my post as the first federal CISO: ‘If I gave you an extra dollar, how would you spend it on cybersecurity?’ And I told him I would spend it on better training my people. I find a very well-trained, well-informed workforce is better prepared to help an organization buy down their cyber risk,” Touhill says in an interview with Information Security Media Group.
Training at All Levels
Touhill calls for daily security drills and exercises at all levels of an organization to help reinforce defensive strategies.
“Board and C-suite officers are increasingly large targets for whale phishing,” Touhill says. “Everybody has a stake in cybersecurity and I would contend everyone is on cyber front lines. That training needs to be tailored and continuous for the entire workforce.”
- The effectiveness of techniques such as gamification;
- Why he believes one-and-done annual training fails;
- Continuous phishing training;
- His recommendations for improving training in 2018.
Touhill is now president of the Cyxtera Federal Group and teaches cybersecurity and risk management for the CISO certification program at Carnegie Mellon University’s Heinz College.
Scam of the Week: New Massive Data Breach Poses Major Threat
Here’s a fun question to pose to the family dinner table: Have you ever heard of Alteryx?
100 to 1 you never heard of them, but chances are good that they have heard of you. Alteryx is a data analytics company that makes its money by repackaging data that it’s collected from different sources. And it became the latest reminder of how much data little-known companies have collected on us – and how little oversight there is over the security of that data.
Companies You’ve Never Heard of Are Exposing Your Personal Data
Earlier this week, an analyst from the security firm Upguard shared that Alteryx had not properly protected detailed information it had collected on 123 million U.S. households (All told, there are about 126 million American households, according to the Census Bureau.)
This data leak was discovered by a researcher, and not (we hope) by a criminal. But the leak affects about as many people as the massive hack Equifax reported in September, which affected 145.5 million Americans, or nearly every adult.
Another Leaky AWS Bucket
The data had been left unprotected in an Amazon Web Services storage bucket available to anyone with a free AWS account. After being informed of the data breach, Alteryx secured the information, however, it had been available to identity thieves and scammers for a considerable period of time.
Alteryx and credit reporting agency Experian—which was the source of the data—both downplayed the risk of identity theft because no names were included in the data included in the data breach. This response is just PR and disingenuous as 248 data fields for every household were included in the data breach which are easy to map to the names.
This is just another example of the lack of important laws in the United States protecting people from data aggregators’ negligence and requiring these companies to employ security measures to protect our personal data. Many other countries require such measures by law, the new European GDPR is an excellent example.
What to Do About It
I suggest you send the following to your employees, friends, and family. You’re welcome to copy, paste, and/or edit:
“There is another major data breach, that pretty much covers every living adult in the United States. At this point you have to assume that cyber criminals have highly personal information that they can use to trick you. You need to watch out for the following things:
- Phishing emails that claim to be from your financial institution where you can “check if your data was compromised”
- Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information
- Calls from scammers that claim they are from your bank or credit union
- Fraudulent charges on any credit card because your identity was stolen
Here are 5 things you can do to prevent identity theft:
- First sign up for credit monitoring – dozens of companies do that.
- Next freeze your credit files at the three major credit bureaus Equifax, Experian and TransUnion. Remember that generally it is not possible to sign up for credit monitoring services after a freeze is in place. Advice for how to file a freeze is available here on a state-by-state basis:
- Check your credit reports via the free annualcreditreport.com
- Check your bank and credit card statements for any unauthorized activity
- If you believe you may have been the victim of identity theft, here is a site where you can learn more about how to protect yourself:
Quotes of the Week
“By three methods we may learn wisdom: First, by reflection, which is noblest; Second, by imitation, which is easiest; and third by experience, which is the bitterest.” – Confucius
“Wisdom comes from experience. Experience is often a result of lack of wisdom.” – Terry Pratchett
“Here is an example of a young man gaining wisdom by experience. LOL:”