Wednesday, February 27, 2013

WindowSecurity.com Newsletter - February 2013

-------------------------------------------------------
Sponsored by: NetWrix
<http://url2open.com/oG>

-------------------------------------------------------

Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com


1. Editor's Corner
-------------------------------------------------------

* Which Antivirus Has The Best Phishing Protection? Surprise!

I ran across some very interesting research done by NSS Labs. They compared
twelve of the most popular antivirus engines (they call them endpoint
protection products) and tested these tools specifically for blocking phishing
attacks. The results are surprising, as Trend Micro wins this battle with
92%, closely followed by Kaspersky with 85% and the rest do not score above
an abysmal 64%.

Now, do not get too worried right away. They also said that the browser is
actually a better frontline against phishing attacks, and they also tested
four popular browsers, which add protection against new phishing sites twice as fast: five hours
instead of an average of 10 hours for the endpoint products.

I strongly suggest you read the whole report for yourself. One thing to note
is that there were twelve products tested, one of which is Microsoft Security
Essentials, but that product is mysteriously missing from all the graphs. You
wonder if that's just an error, or if there are more sinister reasons for that.

Here are some of the key findings and recommendations:

- Nearly 90% of consumers are inadequately protected against phishing by
endpoint protection products (EPP). The effectiveness of AV products claiming
to offer phishing protection ranges from 3% to 92%.

- End users should use current web browsers as a first line of protection
against phishing attacks. Invest time in understanding phishing attacks
and modify behavior to avoid becoming a victim. Assign a higher priority
to exploit prevention, socially engineered malware blocking, and general
detection capabilities over phishing detection when selecting EPP products.

Here is the report with a link to the downloadable PDF:
https://www.nsslabs.com/reports/consumer-avepp-comparative-analysis-phishing-protection
------------------------

* Quotes Of The Month:

"Freedom is the sure possession of those alone who have the courage to
defend it." - Pericles

"May we think of freedom, not as the right to do as we please, but as
the opportunity to do what is right." - Peter Marshall

Warm regards,

Stu Sjouwerman
Editor, WindowSecurity News
Email me at feedback@windowsecurity.com


2. Prevent Email Phishing
-------------------------------------------
Want to stop Phishing Security Breaches? Did you know that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch spear-phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly "security awareness" trained.

IT Security specialists call it your phishing attack surface. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. Find out now which of your email addresses are exposed with the free Email Exposure Check (EEC). An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.

Sign Up For Your Free Email Exposure Check Now http://www.knowbe4.com/email-exposure-check/



3. Security Detail
----------------------------------------

* IT Security Equals Job Security

Did you ever expect that our IT networks would be a worldwide battleground
for highly sophisticated cyber warfare? IT security certainly will provide
job security for the next decade or until we rebuild the Internet from scratch.

The New York Times reported a few days ago that "A secret legal review on
the use of America's growing arsenal of cyberweapons has concluded that
President Obama has the broad power to order a pre-emptive strike if the
United States detects credible evidence of a major digital attack looming
from abroad, according to officials involved in the review."

In short, the legal beagles have concluded that the U.S. President has the
broad power to order cyberattacks on any country preparing to launch a
major digital attack against the U.S. There is an ongoing campaign by
the Administration to create new ground rules for any U.S. engagement in
cyberspace. We soon expect more approvals for rules on how the military can
defend or retaliate against cyberattacks launched by unfriendly nation states.

These new rules will also clarify the depth that U.S. intelligence agencies
are allowed to go when they look for and try to stop imminent threats
against U.S. assets in cyberspace. Attacks in cyberspace are often on
civilian targets as we have seen recently during the DDoS attacks on U.S.
Banks. We all need to be aware that our own network is potentially vulnerable.
The price of freedom is constant alertness and willingness to fight back.
Implementing a mandatory security awareness training for all employees is
no longer optional. Here is the article:
http://www.nytimes.com/2013/02/04/us/broad-powers-seen-for-obama-in-cyberstrikes.html
-------------------------

* DMARC Anti-Phishing Technology Gains Acceptance

John Mello at CSO wrote: "A technology aimed at blunting phishing attacks
on organizations appears to be finally gaining steam a year after its
introduction. Domain-based Message Authentication, Reporting and Conformance
(DMARC) is a security framework that offers a way to identify phishing
messages by standardizing how email receivers perform email authentication.

Although only a year old, the technology is already protecting 60% of the
email boxes in the world -- and 80% of email boxes in the United States,
according to Agari, an email security company. Agari was one of the founding
companies behind DMARC, along with Google, Microsoft, Facebook, Bank of
America and JP Morgan Chase.

As with any new technology, particularly something that affects email,
acceptance can be a hurdle. But it's one that DMARC is poised to leap over,
according to Agari founder and CEO Patrick Peterson. "We are at escape
velocity," he said in an interview. "When we started, people said they
thought it was an interesting idea, but wondered if it was going to be
one of these things you hear about and nothing ever comes of it. That's
not going to happen."

When DMARC was introduced, it was seen as a bridge between two competing
email authentication schemes -- Sender Policy Framework (SPF) and DomainKeys
Identified Mail (DKIM)." This is an interesting article to check out:
http://www.csoonline.com/article/728386/dmarc-anti-phishing-technology-gains-acceptance
----------------------

* Keeping Your Company, Personal Info Safe from Social Engineering Hacks

It was all over the news: the New York Times, Washington Post and the Wall
Street Journal were all hacked. What was not so clear is how. Well, this
PBS article puts the finger on the likely sore spot: social engineering.
This article has great ammo you can send to C-level management and make
the case for (more) security awareness training:
http://www.pbs.org/newshour/rundown/2013/02/keeping-your-company-personal-info-safe-from-social-engineering-hacks.html


4. SecureToolBox
-----------------------------------------------

* Free Service: Email Exposure Check. Find out which addresses of your
organization are exposed on the Internet and are a phish-attack target:
http://www.knowbe4.com/eec/

* Frustrated with gullible end-users causing malware infections? Find out
who the culprits are in 10 minutes. Do this Free Phishing Security Test
on your users:
http://www.knowbe4.com/phishing-security-test/


5. ViewPoint – Your Take
-------------------------------------------

Write me! This is the spot for your take on things. Let me know what you think
about Security, tools, and things that need to be improved.
Email me at feedback@windowsecurity.com


6. SecOps: What You Need To Know
--------------------------

* Serious Data Breaches Take Months To Spot, Analysis Finds

John Dunn at TechWorld reported: "More than six out of ten organizations hit
by data breaches take longer than three months to notice what has happened
with a few not uncovering attacks for years, a comprehensive analysis of
global incidents by security firm Trustwave has found.

During 2012, this meant that the average time to discover a data breach for
the 450 attacks looked at was 210 days, 35 more than for 2011, the company
reported in its 2013 Global Security Report (publicly released on 20 February).

Incredibly, 14 percent of attacks aren't detected for up to two years, with one
in twenty taking even longer than that. Almost half - 45 percent - of breaches
happened in retailers with cardholder data being the main target. The food and
beverage sector accounted for another 24 percent, hospitality 9 percent,
and financial services 7 percent.

Questions arise from this; how are attackers getting into organizations so
easily and why do IT staff not notice until long after the event?"
This is a good article to check out:
http://www.networkworld.com/news/2013/021313-serious-data-breaches-take-months-266681.html
-----------------------

* 5 Myths About Awareness

Lance Spitzner of the SANS Securing the Human program outlines five common
misconceptions about security awareness programs. This is an interesting
and quite instructive read:
http://www.networkworld.com/news/2013/021113-5-myths-about-266605.html
------------------------

* How Do I Shift To An IT Security Career From A Network Admin?

Familiar with Quora? People ask questions and others answer them, often
detailed, highly informative and concise briefings that are meant to
be a braindump and more or less a global knowledge management repository.
The question was asked: "How do I shift to an IT security career from
a network admin?" and a few people answered. Most of these answers
were better than mine! Here they are - this is plain good advice:
http://www.quora.com/Computer-Security/How-do-I-shift-to-an-IT-security-career-from-a-network-admin


7. Hackers' Haven
--------------------------

* Feb SANS Monthly Awareness Video

You may be familiar with our friends at SANS. For their 'Securing The Human'
team, every month is security awareness month, same as here at KnowBe4.

On the first of every month they post a new security awareness video.
Ultimately, their goal is to help people to change behavior so they can
leverage technology more safely and effectively. Now, this month's video
is on the Advanced Persistent Threat (APT). You can learn what APT is, how
it actively targets organizations and individuals, and what you can do to
protect yourself.

I especially like this APT video, but remember it will disappear by the end
of Feb 2013. Send the link to your C-level executives; this is important.
And then use KnowBe4's cloud infrastructure to send regular simulated
phishing attacks to keep all your employees on their toes! Here is the link:
http://www.securingthehuman.org/resources/ncsam
-----------------------------

* Want To Read Something REALLY Interesting?

Brian Krebs wrote a blog post that has become very popular with security
pros. The title is: "Security firm Bit9 was hacked, and was used to spread
malware". He continues with: "Bit9, a company that provides software and
network security services to the U.S. government and at least 30 Fortune
100 firms, has suffered an electronic compromise that cuts to the core of
its business: helping clients distinguish known "safe" files from computer
viruses and other malicious software.

Waltham, Massachusetts-based Bit9 is a leading provider of "application
whitelisting" services, a security technology that turns the traditional
approach to fighting malware on its head."

What is assumed is that state-sponsored hackers broke
into their network and used Bit9's own encryption keys to digitally sign
their malware. Obviously Bit9 was a means to an end: the attackers needed to
break into a U.S. organization and went through Bit9 to get there. Bit9,
though, failed to keep its own IT security up to snuff.

Ouch, *facepalm*. But what is far more interesting is the discussion that
ensued in the comments. Very instructive:
http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/
------------------------

* Cute: Keep Essential Information Hidden in Plain Sight with a UV Pen

Considering the number of passwords, PINs, and other vital information,
such as Social Security numbers, that we have to keep handy, it's not
surprising that many people write down information like this and keep it
on a sticky note or the back of a business card. If you want to keep
essential information readily available and yet hard to decipher, consider
picking up a UV pen and LED flashlight so you can write down your passwords
on any paper source. Here is the lifehacker blog post:
http://lifehacker.com/5981146/


8. Fave links & Cool Sites
--------------------------

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Motorcycle Ridge Riding. This video will give you a physical reaction!:
http://screen.yahoo.com/motorcycle-ridge-riding-084000429.html
---
Master speed-painter D. Westry shows off his creative skills during the
"Anderson's Viewers Got Talent" competition. Surprising End!:
http://www.flixxy.com/speed-painter-has-talent.htm
---
A scary demo of software capable of tracking people's movements and
predicting future behavior by mining data from social networking websites:
http://www.flixxy.com/be-aware-of-what-you-share-online.htm
---
Kaiser the Bengal cat performs amazing tricks:
http://www.flixxy.com/amazing-cat-tricks-by-kaiser-the-bengal.htm
---
A Detroit musician living in poverty didn't know that in South Africa, he
was more popular than the Beatles:
http://www.flixxy.com/the-rock-star-who-didnt-know-he-was-one.htm
---
Girl meets boy in the office and they find a new way of expressing their
affection in this endearing short film. CUTE:
http://www.flixxy.com/post-it-love-short-film.htm?utm_source=4
---
The million dollar 650 horsepower Ferrari Enzo is not usually driven as a
rally car ...
http://www.flixxy.com/ferrari-enzo-rally-car.htm
---
A 9-ton meteorite streaked across the sky over the Ural mountains in Russia
and exploded at 25 miles above the ground:
http://www.flixxy.com/meteorite-over-russia.htm


WindowSecurity.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@windowsecurity.com

Copyright © WindowSecurity.com 2012. All rights reserved.
