KnowBe4

Home » KnowBe4

by Carissa Carissa No Comments

Simple, Sneaky Ways Cybercriminals Access A Small Business’s Network

Sneaky Ways Cybercriminals Access Small Business Networks

Hackers prefer the little guy. The high-profile data breaches you read about in the news — your Facebooks and Equifaxes and T-Mobiles — are only the tip of the iceberg when it comes to the digital crimes being perpetrated day after day, especially against small businesses. Today, according to a report by the National Cyber Security Alliance, 70 percent of hackers specifically target small businesses. Attracted by the prospect of easy money, they search for those organizations who underspend on protection, who have employees untrained to spot security risks, and who subscribe to woefully out-of-date practices to protect their data. As a result, more than 50 percent of small businesses have been hacked, while 60 percent of companies breached are forced to close their doors within six months.

Most business owners have no idea the danger they are putting their livelihood in by leaving cyber security up to chance. According to a survey conducted by Paychex, 68 percent of small-business owners are not concerned about their current cyber security standards, despite the fact that around 70 percent of them aren’t adequately protected. In the face of an imminent, global threat to the very existence of small businesses everywhere, most CEOs offer up a collective shrug.

The tactics and software available to hackers become more sophisticated by the day, but with so many unwitting victims, most criminals do not even need to work that hard to net a six-figure income. By sticking to three tried-and-tested tools of the trade — phishing, ransomware and the subtle art of guessing users’ passwords — they leech comfortably off the earnest efforts of small businesses all over the world.

So, what has to be done? Well, first things first: You need to educate yourself and your team. Protect your organization against phishing by fostering a healthy skepticism of any email that enters your inbox. Make it a habit of hovering over hyperlinks to check their actual destination before you click. If an email is coming from someone you know, but the email address is different, verify it with the other party. And never, ever send passwords or personal details to anyone over the internet if you can avoid it.

Speaking of passwords, you probably need to upgrade yours. The majority of folks use the same password for everything from their Facebook account to their business email. The fact that this includes your employees should make you shudder. It may not seem like a big deal — who is going to take the time to guess SoCcErMoM666? — but aside from the fact that simple software enables hackers to guess even complicated passwords in minutes, that’s not even usually necessary. Instead, they can just look at the data dumps from a recent more high-profile breach — think the Equifax fiasco — pull your old website from there and type it into whatever profile they want to access. If you keep all your passwords the same across sites, it will not take them long to dig into your most precious assets. To avoid this, implement a strict set of password regulations for your business, preferably incorporating two-factor authentication and mandatory password changes every few weeks.

While educating yourself and training your team on the latest hacking techniques is a great line of defense, it is still always possible for a data breach to occur. Cybercrime is constantly evolving, and staying abreast of its breakneck pace takes a dedicated awareness of the latest protective tools and measures. That is why your single best weapon to defend you against the hackers at your door is to find a trusted technology partner with a background in defending against digital threats. With a proper backup and disaster recovery plan in place, if a crisis strikes, they will be able to help get your network back up in minutes rather than days.

In today’s digital world, leaving your cyber security up to a subpar antivirus and some wishful thinking is more than irresponsible — it’s an existential threat to your company. However, with a little savvy, a bit of investment and a second opinion on the circumstances of your company’s security, you can rest easy knowing that no matter what comes, you’re protected.

by Carissa Carissa No Comments

Top 4 Ways Hackers Will Attack Your Network

Know Before Think Before You ClickMost small and midsize business (SMB) owners exist in a bubble of blissful ignorance. They focus on the day-to-day operations of their organization, driving growth, facilitating hiring and guiding marketing, without a single thought given to the security of the computer networks these processes depend on. After all, they’re just the little guy – why would hackers go to the trouble of penetrating their systems for the minuscule amount of data they store? And eventually, often after years of smooth sailing through calm seas, they get hacked, fork out thousands of dollars to malicious hackers and collapse beneath the weight of their own shortsightedness.

The facts don’t lie. According to Verizon’s annual Data Breach Investigations Report, a full 71% of cyber-attacks are aimed squarely at SMBs. And while it’s unclear exactly how many of these attacks are actually successful, with the sad state of most small businesses’ security protocols, it’s a safe bet that a good chunk of the attacks make it through. But why? As Tina Manzer writes for Educational Dealer, “Size becomes less of an issue than the security network … While larger enterprises typically have more data to steal, small businesses have less secure networks.” As a result, hackers can hook up automated strikes to lift data from thousands of small businesses at a time – the hit rate is that high.

Today, trusting the security of your company to your son-in-law, who assures you he “knows about computers,” isn’t enough. It takes constant vigilance, professional attention and, most of all, knowledge. Start here with the four most common ways hackers infiltrate hapless small businesses.

PHISHING E-MAILS

An employee receives an e-mail directly from your company’s billing company, urging them to fill out some “required” information before their paycheck can be finalized. Included in the very professional-looking e-mail is a link your employee needs to click to complete the process. But when they click the link, they aren’t redirected anywhere. Instead, a host of vicious malware floods their system, spreading to the entirety of your business network within seconds, and locks everyone out of their most precious data. In return, the hackers want thousands of dollars or they’ll delete everything.

It’s one of the oldest tricks in the hacker toolbox, but today it’s easier than ever for an attacker to gather key information and make a phishing e-mail look exactly like every other run-of-the-mill e-mail you receive each day. Train your employees to recognize these sneaky tactics, and put in safeguards in case someone messes up and clicks the malicious link.

BAD PASSWORDS

According to Inc.com contributing editor John Brandon, “With a $300 graphics card, a hacker can run 420 billion simple, lowercase, eight-character password combinations a minute.” What’s more, he says, “80% of cyber-attacks involve weak passwords,” yet despite this fact, “55% of people use one password for all logins.”

As a manager, you should be bothered by these statistics. There’s simply no excuse for using an easy-to-crack password, for you or your team. Instead, it’s a good idea to make a password out of four random common words, splicing in a few special characters for good measure. To check the strength of your password, type it into HowSecureIsMyPassword.net before you make it official.

MALWARE

As described above, malware is often delivered through a shady phishing e-mail, but it’s not the only way it can wreak havoc on your system. An infected website (such as those you visit when you misspell sites like Facebook.com, a technique called “typosquatting”), a USB drive loaded with viruses or even an application can bring vicious software into your world without you even realizing it. In the past, an antivirus software was all that you needed. These days, it’s likely that you need a combination of software systems to combat these threats. These tools are not typically very expensive to put in place, especially considering the security holes they plug in your network.

SOCIAL ENGINEERING

As fallible as computers may be, they’ve got nothing on people. Sometimes hackers don’t need to touch a keyboard at all to break through your defenses: they can simply masquerade as you to a support team in order to get the team to activate a password reset. It’s easier than you think, and requires carefully watching what information you put on the Internet – don’t put the answers to your security questions out there for all to see.

We’ve outlined some of the simplest ways to defend yourself against these shady techniques, but honestly, the best way is to bring on a company that constantly keeps your system updated with the most cutting-edge security, is ready at a moment’s notice to protect you in a crisis, and can train your end-users. Hackers are going to come for you, but if you’ve done everything you can to prepare, your business will be safe. To discuss how Keller Schroeder can help you develop a comprehensive strategy to protect your business, contact your Keller Schroeder Account Manager today.

by Carissa Carissa No Comments

It’s OK to Ignore the CEO, When it is NOT the CEO!

ImagineBrad Mathis  – [Senior Consultant – Information Security]

Imagine the following scenario.

You are going through your daily routine and you receive an urgent email from the CEO.  The email is urgent, appears to be time sensitive, and is requiring you to act immediately.  You are aware the CEO is currently out on vacation or away on business, and is therefore unreachable.  However, the email is direct and to the point.  “Get this Done!”  The email is asking for you, a member of the financial team, to process a payment or monetary transfer.  It may even inform you someone from another company will be reaching out to you with further instructions, such as account numbers and routing information. An abbreviated example of such an email may look something like this:

CEO Email
What if you also received an email ahead of this one from someone in finance saying “Keep an eye out for an email from the CEO asking about a funds transfer”, followed by an email from the alleged company the CEO mentioned in their original email?  Transferring large sums of money from one account to another is a normal part of your job.  Although this chain of events is a bit out of the ordinary, it also seems perfectly legitimate.  Would you process the transfer?  Would a co-worker?

Sadly, far too many organizations are falling victim to these type of crimes known as CEO Fraud and Business Email Compromise (BEC).  Some of the email senders’ email accounts are spoofed, meaning the criminal sender is making the recipient think the email is from the actual sender.  Even more concerning is when the actual senders’ email account credentials are compromised and the criminal is able to send emails directly from the account of a CEO, CFO, Attorney, and so on.  This may sound complicated, but it isn’t.  With the advancement of malware laced email attachments and infected links, it is far too easy to install malicious software on a victim’s workstation, thereby allowing the criminal to capture every keystroke the legitimate user types.  Even more concerning, cameras and microphones can be controlled by the criminals.

The FBI estimates the organizational amount lost to Business Email Compromise between October 2013 and February 2016 to be $2.3 Billion.  Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss! Keep in mind, this is only the amount of loss actually reported.  Many businesses remain quiet and never report their losses for fear of public reputation damage.

Know Be 4Luckily, the risk of becoming a victim to this type of crime, as well as other email and web based threats can be reduced.  A modern and evolving layered security infrastructure is extremely important.  It cannot and should not be overlooked.  However, the most effective and most overlooked method to reduce your risk of becoming a cybercrime victim is effective and measurable End User Security Awareness Education.

While we constantly stress the importance of Vulnerability and Patch Management, this does not just apply to your technology.  User vulnerability levels need to be assessed in order to gauge their likelihood of falling prey to a Phishing email and other criminal scams.  This activity is most effective when supplemented with required security awareness training.  This is where it sometimes gets tricky.  The simulated phishing campaigns and security awareness training requirements must apply to ALL employees, up to and including the President and CEO.

Identifying your employee vulnerability baseline is an important and effective step toward lowering your overall risk profile, as well as empowering your workforce to always be on the lookout for malicious and criminal activity that can threaten your business.

So, Yes… It is OK to ignore the CEO’s request when it cannot be verified it is truly the request of the CEO.  When the business is on the line, they will thank you for your due diligence.

How vulnerable are your users?  How likely are they to fall prey to becoming a victim?  How have you taken steps to get data to support your answers to those questions?  When performing these employee vulnerability baseline assessments, we have already seen as high as a 75% failure rate for the initial Phishing test.  Launching an effective awareness solution that allows you to measure risk and track improvements is a critical first step in lowering your employee vulnerability risk, making your organization less likely to become a victim of cybercrimes such as CEO Fraud, Business Email Compromise, and Ransomware.

Contact Keller Schroeder today to find out how we can help you implement solutions that effectively reduce your employee vulnerability risk through ongoing security awareness training and testing.

by Carissa Carissa No Comments

Phish or Be Phished? The Choice is Yours

PhishingBrad Mathis, Senior Consultant, Information Security

It is mid-2015.  By now, we have all seen incoming emails claiming we have been bequeathed a huge sum of money from a Nigerian Prince, or we have won a foreign lottery we never entered.  Most employees have seen these scam emails long enough to know they are not real.

However,

  • What about the seemingly benign email coming in from a recognizable sender?
  • What if this legitimate looking email has an attached PDF or Word document?
  • What if it contains a seemingly real link to a web site?
  • How many of your employees would open the attachment or click on the link?
  • How many employees will assume it is safe since it made it unscathed through all of your layers of security, including email and web content filters?
  • Do your users understand the ramifications of introducing undetected malware into your environment? Do they know this malware can capture their keystrokes, turn on their web camera and microphone, and capture screen shots or data from their system and transmit this data to cyber-criminals completely undetected?

If you can answer these questions with a high degree of certainty, you are either a one-user environment, you are sitting at each user’s desk approving their every keystroke, OR, you have already identified and implemented the requirement for measurable security awareness training and the importance of recurring testing of your staff to see how Phish prone they are.

This would be a good time to stress the importance of continuing to maintain an effective defense-in-depth strategy.  What does this mean?  Defense-in-depth all comes down to remembering not one single defense mechanism will protect your environment.  It takes several layers to lower risk.  Examples of necessary defense-in-depth layers are:

  • Continuous Vulnerability Management
  • Continuous Patch Management of Applications and Operating Systems
  • System Hardening and Configuration Standards
  • Effective Next Generation Firewall Strategy
  • Intrusion Detection and Prevention
  • Malware Defenses and Content Filtering
  • Secure Perimeter and Network Security Architecture
  • Complete elimination of obsolete operating systems and applications, as well as the elimination of technologies no longer supported or considered best practice, such as RIP and WINS
  • Strengthened Controls such as Password Requirements and Rights Management
  • Policies, Procedures, and Standards

Data SecurityWon’t a strong defense-in-depth strategy prevent the introduction of cyberattacks into my network? Unfortunately, no amount of technical defenses can completely prevent the actions of a user lacking security awareness from clicking or opening something they should not.  The danger point is the window of opportunity the cyber-criminal are all too familiar with.  Cyber-criminals know there is a time lag between the time vulnerabilities are discovered and the time organizations get around to correcting the vulnerability.  The criminals know to attack swiftly while defenses are down and the chance of detection is low.

According to a recent information security study, it takes organizations an average of 176 days to remediate known vulnerabilities.  However, it only takes cyber criminals an average of 7 days to exploit known vulnerabilities.  During the 169-day delta between vulnerability remediation and cyber-criminal exploitation, your defense in depth layers may be at the mercy of your end user’s level of security awareness education.  On top of this, we have been seeing a window of several days before anti-malware providers can detect the newest malware strains.

Of the 150+ Million phishing emails being sent every single day, over 10% are making it through SPAM filters.  Of those, over 8 million are opened, and over 800,000 users are clicking on phishing links.  An average of 80,000 users a day are actually providing sensitive information to cyber-criminals because they believe the email or web link to be legitimate.  Every Day!  Are your users among the 80,000 daily victims?

Know Be 4If you haven’t figured it by now, Security Awareness Training and Effectiveness Testing is now a required layer to an effective Defense-In-Depth strategy.  Knowing this is critical, Keller Schroeder has partnered with KnowBe4 to offer effective and measurable Information Security Awareness Training, as well as perform ‘safe’ simulated phishing attacks to help determine what your current Phish-Prone percentage is and how to lower it.  For years, law enforcement learned their best crime prevention techniques from Criminals.  KnowBe4 has taken this approach, as well, with Security Awareness Training.  The training was co-developed with reformed cyber-criminal Kevin Mitnick, the Most Wanted Hacker in the World during the mid-nineties.

For more information about how Keller Schroeder and KnowBe4 solutions can help you determine and lower your Security Awareness Risk, please contact your Keller Schroeder Account Manager.

Top