Security News

Survey: Average Successful Hack Nets Less Than 15,000 Dollars

Finally, some real numbers about hackers and how much (or little) money they make.



CSO said: "The majority of cyber attackers are motivated by money, but make less than 15,000 dollars per successful attack, according to a survey of hackers in the U.S., U.K. and Germany released yesterday by the Ponemon Institute.



The hackers, who were promised anonymity, netted, on average, less than 29,000 dollars a year. "In the more established countries, that is not a lot of money," said Scott Simkin, senior threat intelligence manager at Palo Alto Networks, which sponsored the study. "They're making a quarter of what a cybersecurity professional makes."



Hollywood may be promising them big payouts, he added, but the easy bucks just aren't there." More:

http://www.csoonline.com/article/3028787/cyber-attacks-espionage/survey-average-successful-hack-nets-less-than-15-000.html

Hospitals Coming Under Increasing Hack Attacks

Read why Joseph Goedert says that hospitals are coming under increasing hacking attacks on Health Data Management: "Phishing created big news in healthcare last year – the really bad kind.



This approach for gaining nefarious access to network credentials was reported to be the cause of two of the biggest attacks reported in the healthcare industry last year – the hack of 78.8 million identities from Anthem, and an additional 11 million identities hacked in a breach at Premera." Read his full article here.

http://www.healthdatamanagement.com/news/hospitals-coming-under-increasing-hack-attacks

Seven Security Cultures That Can Help Or Hurt Your Organization

This is a great article by Lance Hayden, who asks if you know where your security culture is, because some cultures make the job easier than others.



He wrote: "It hasn't been that long since my book People-Centric Security hit the shelves, but I'm already hearing "the question" pop up in my conversations. "What's the best security culture?"



There's no one answer. "Good" culture depends on what an organization hopes to achieve. But since most security programs follow a first principle of preventing breaches, I can offer some example cultures that are more or less suited ("good" or "bad" approaches) to meeting that goal.



These lists are not ranked, nor are cultures mutually exclusive. No organization has a single culture, and good ones may coexist with bad ones. What is clear is that some cultures are going to make security program success easier, and some not so much.



Good ones:

Culture of Reporting
Awareness Culture
Evidence-based (Security) Management

Bad ones:

FUD-driven
Cult(ure) of Technology
Checkbox Culture
Culture of Arrogance"

Read it here:

http://www.csoonline.com/article/3027691/leadership-management/seven-security-cultures-that-can-help-or-hurt-your-organization.html

What KnowBe4 Customers Say...



We asked a law firm if they were happy campers and they answered with this. It contains some very good best practices for dealing with malicious emails, so I am sharing it with you:



"Yes, we have been using it and are running campaigns this week. It is keeping our staff on their toes. We had a representative come by from our Professional Liability Insurance Carrier to discuss Cyber Security. He was amazed and very pleased that we were as up to date as we are. His stories scared the "c..p" out of the staff.



"Since we are a law firm, we are constantly sending and receiving attachments and links. Our staff has been trained to question everything. We currently have a policy that any attachments coming in via e-mail or CD or memory stick must first be opened on a non-network computer. We have various wireless machines around the office for this purpose. We would rather risk a standalone system than a production machine when opening things that might be legitimate.



"Anything that is received with a link or attachment in our office is forwarded to an e-mail account which is available on non-production network stand-alone computers using our wireless system. They can open legitimate e-mails there to reduce the chance of damage by clicking on a real "bad guy". Web browsing on our production network system has come to a halt and is only allowed on the wireless system devices.



"We use a court filing system called Eflex which is maintained by the court. We spoofed an email using the court's Eflex information and logo to request that they change their passwords with an embedded (Click Here) link, due to a recent cyber attack on their Eflex system. No one clicked on this attack, and most sent it to suspect@ourdomain.



"At first the staff resented the fact that a trusted IT person, "ME", had spoofed them by sending an IT password change request with KnowBe4 links; 25+% clicked on it. We later had a serious meeting to discuss the threats, which the entire staff are now taking a lot more seriously after seeing the training videos. Now they seem to enjoy catching "bad guys".



"They have caught various real attacks using their new skills! We also know of more than one law firm in our area that has been attacked with Ransomware and lost data, time and credibility. With your software, we have used spear phishing attacks using our current cases. The attacks are generated solely from information that is readily available on the web.



"We will continue random phishing to keep everyone aware of the threats."

- LM, IT Support

Man Turns Tables On Scammers [FUN]



Seth was weary of the calls from bogus Windows support technicians, and decided to, if not get even, at least give them a taste of their own medicine.



"I was really tired [of the calls], and I really hate computer scammers," said Seth, whose last name Computerworld withheld for privacy reasons. "I got fed up."



Like millions of others, Seth had been on the receiving end of phone calls from scammers who claimed to be with "Microsoft support" or "Windows support," then proceeded to claim that they had detected malware on his machine.



He grabbed an old box, installed Vista, poisoned it with malware and waited for the next call. This is a fun story. I also smell a business idea!

http://www.networkworld.com/article/3030210/computers/fed-up-with-bogus-computer-support-calls-man-turns-tables-on-scammers.html