Take a Deep Dive Against the Wave of New Threats and Compliance Risks

by Gary S. Miliefsky, Publisher, Cyber Defense Magazine

KnowBe4’s second annual user conference was held at the World Center Marriott in Orlando, Florida and is open to KnowBe4 customers.  This was the ideal location and conference for CISOs, security awareness training administrators and other InfoSec professionals who want to get one step ahead of the next threat.

I enjoyed, like most attendees, the new information shared on upcoming social engineering methods and tactics, some of which were very scary, such as DeepFake, which I’ll tell you more about shortly. They also covered some great topics such as how to create a security culture and get the budget you deserve for your InfoSec initiatives. There was an incredible lineup of speakers, and I had time to catch up with my friend and favorite InfoSec genius Winn Schwartau.

I always promote Winn’s 1999 invention of Time-based Security, which goes simply like this:

Et = Dt + Rt

Exposure time = Detection time + Response time.

The formula is simple, yet most CISOs have never written it down or considered a deeper understanding of it until suffering a breach and wondering, ‘what could I have done to defeat the hackers or cybercriminals?’ Could I have gone faster? Would new technologies like deception-based security solutions ‘slow down’ the breach or the threat actors? Could better training of my team have helped us be more responsive? Within this simple formula we see a better way forward: a better understanding of Time and its impact upon a breach is crucial.

Simply put, the faster you can detect and respond to a threat, the lower the Exposure time. The closer Et gets to zero, the stronger your comprehensive InfoSec platform and the lower your risk of data loss during a breach, which at this pace is surely going to happen to everyone. Winn was kind enough to give me a copy of another GAME CHANGER – his new book Analogue Network Security.

Once again, he plays the genius, like the Tesla or Einstein of cybersecurity, in creating new ways to easily make InfoSec measurable. I hope, and am suggesting to Winn and the FAIR team, that he will be a keynote one day at https://www.fairinstitute.org, where they are also working toward the same conclusion, except that, as always, Winn is about two decades ahead of all of us.

This one-of-a-kind conference included social engineering methods and tactics from industry experts, compliance and security insights, how-to’s and platform knowledge, how to create a security culture and get budget for IT, a product roadmap with upcoming features, and thought-provoking best-practice discussions with your peers.

There was an entire breakout area dedicated to showcasing the latest products and services updates from KnowBe4 and I must say it was incredibly impressive.

Back to some of the amazing speakers and a peek into the new threat vectors they shared with us.

KB4-Con Predictions on DeepFake

According to Dr. Lydia Kostopoulos, one of the amazing keynote speakers, DeepFake is loosely defined as fabricated “fake” media created through the use of Artificial Intelligence and/or deep learning methods. She went on to explain that “with each day deepfakes become more convincing, accessible and easier to create and distribute. In parallel to this, other emerging technologies are developing such as augmented reality and virtual reality.” Her talk highlighted some of the cognitive challenges we will face with sophisticated deepfakes as we attempt to navigate changing times and make sense of the world around us. She talked about and even demonstrated how we will be impacted by social engineering in new ways – cyber criminals will have a plethora of new tools and techniques as part of DeepFake. For example, just try this out: https://thispersondoesnotexist.com and keep refreshing the page – every image you will see is of a non-existent person, dynamically generated by a computer. Fake photos, however, are just the tip of the iceberg. How about fake voices: people you know having their voices reproduced perfectly by a computer, such that a cyber criminal or even an enemy nation state can make it sound like that person said something they did not?

Beyond that, she demonstrated even more notorious and potentially damaging DeepFake technology – requiring new forms of countermeasures – voice and facial alteration and fabrication: getting someone to appear to be in a live video chat or on television, saying something they never said, and making you believe it is really them. What if it were your CEO over Skype saying ‘yes, it’s me, now wire the funds immediately out to the following bank account?’ or ‘email all the company/employee records to this email address of a new Board member I’m meeting with right now’? Future attacks will be even harder to predict, given where DeepFake is headed. Watch this as an example: https://www.youtube.com/watch?v=9Yq67CjDqvw and then remember that we need to have awareness in understanding what our ‘real’ reality is. Cybersecurity awareness should expand to DeepFake awareness. Start learning about it and researching this subject now, so you are prepared for the future.

Also, try a thought-provoking game online at https://www.sapien2-0.com/ by Dr. Lydia Kostopoulos.  She’s a very impressive educator in the field of disruptive technologies and national security, a designer of functional suits for women under the label Empowering Workwear, a maker of art about artificial intelligence – #ArtAboutAI, a creator of experiences, a researcher of new tech, a persistent wellness advocate, and a promoter of women’s ability to pursue their lives without barriers.  She is a foodie who admires architecture, is fascinated by urban design, enjoys traveling, learning languages, enjoys baking cupcakes, and she hopes you will enjoy Sapien 2.0.

You can find Dr. Lydia Kostopoulos online at https://www.Lkcyber.com, follow her on Twitter @LKCYBER and join her on LinkedIn here: http://www.linkedin.com/in/lydiak. If what she shared about our future with DeepFake is impressive, you really need to come to KB4-Con next year to meet even more amazing speakers like her. Bookmark this URL: https://www.knowbe4.com/kb4-con

In addition to hearing from great speakers, I could not keep up with the plethora of tools I discovered that are freely available from KnowBe4, from a Mail Server Security Assessment to a Phishing Security Assessment. Go to their website at https://www.knowbe4.com and click on the topmost FREE TOOLS menu and you’ll see the list. It’s extensive.

By the way, did you know that 91% of successful data breaches started with a spear phishing attack?  Why not find out what percentage of your employees are Phish-prone™ with your free phishing security test. Plus, see how you stack up against your peers with the new phishing Industry Benchmarks! https://www.knowbe4.com/phishing-security-test-offer

During lunch I overheard so many attendees talking about how much they love KnowBe4.  They said ‘this management team is so accessible’ and ‘love their products’ and ‘blown away by the speakers and live hacking demonstration by Kevin Mitnick’ and on and on.  KnowBe4 is run by an impressive management team, by the way.

Stu Sjouwerman (pronounced “shower-man”, seen above in the center of the photo) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. A serial entrepreneur and data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help organizations manage the problem of cybercrime social engineering tactics through new-school security awareness training, and founded KnowBe4.

Stu brilliantly brought Kevin Mitnick into the fold and the rest is history. The company has a phenomenal track record of success and growth: over 23,000 organizations in a variety of industries, including highly regulated fields such as healthcare, finance, energy, government and insurance, have mobilized their end users as a first line of defense using KnowBe4.

What I learned at KB4-Con is that KnowBe4 is passionate about building a very high-I.Q. team of subject matter experts in cybersecurity who are also highly accessible. For example, below you can see Perry Carpenter, Chief Evangelist and Strategy Officer for KnowBe4, discussing some of his ideas with the attendees.

Perry recently authored a fantastic book, with a foreword by Kevin Mitnick, called “Transformational Security Awareness – What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Security Behaviors”. Like Winn’s book, I highly recommend you pick up a copy and read it more than once.

According to Perry Carpenter, from his live presentation at KB4-Con, “Security Awareness and Secure Behavior are NOT the Same Thing; Traditional awareness programs fail to account for the knowledge-intention-behavior gap…” He went on to add, “We need to model and design secure behaviors to help shape good security hygiene and find ways to actually debug behavior (i.e., making security measurable, from the ‘human firewall’ perspective)”.

One excellent idea he shared is to ‘nudge’ your employees to do the right thing. From his presentation: “a nudge, as we will use the term, is any aspect of the choice architecture that alters people’s behavior in a predictable way without forbidding any options or significantly changing their economic incentives.

To count as a mere nudge, the intervention must be easy and cheap to avoid. Nudges are not mandates. Putting fruit at eye level counts as a nudge. Banning junk food does not.” For example, from the picture above (taken from his slides), your password change portal is a great place to insert a nudge, offering, for example:

  • Strength Meters
  • Videos on how to create & remember strong passwords
  • Elective LMS modules

What I learned at KB4-Con is that KnowBe4 is way more than just an ‘anti-phishing company’ – they are loading up with brilliant ‘grey matter’ (brainpower) for security awareness training, education and compliance, well beyond phishing testing tools. In fact, if you face challenging compliance requirements, too little time to get audits done, and the burden of keeping up with risk assessments, they have developed the KCM GRC platform for you.

The KCM GRC (governance, risk management and compliance) platform helps you get audits done in half the time, is easy to use, and is surprisingly affordable. In fact, it’s rare that I see a vendor like this put their pricing and full feature list online: https://www.knowbe4.com/kcm-price-list – talk about making it transparent and easy. Kudos to the leadership for sharing their pricing.

So, I polled one of the thousand folks attending this event, just randomly: ‘what do you think of KnowBe4 and their offerings?’ Here’s the answer from a security executive of a mid-market company, Radian at https://www.radian.com, which offers a full spectrum of mortgage and real estate solutions…

“Like many companies in regulated industries, Radian navigates a complex set of controls that ensure good governance and regulatory compliance. Companies often struggle with the overlap between efforts, such as SOX ITGCs, SOC 2 criteria, PCI DSS, NY CRR 500, NIST 800-53 and mapping to other related frameworks. To tackle this problem, Radian unified its control descriptions, which eliminated duplicative controls and streamlined the language. To help with this effort, Radian deployed KCM. KCM allowed us to create different templates for each regulation or requirement and then map our unified controls to the individual requirements. We are also able to reach out to control owners, a single time, through an automated process to request control evidence. Requesting evidence once through a self-service model allows us to capture the evidence we need but avoid control owner burnout. With the evidence safely stored in KCM, we can then allow our auditors access. That separation of collection and processing allows both parties more flexible scheduling.”

Lucas Burke, VP, Security Compliance & Assurance, Radian

There’s so much more to share from KB4-Con

Because of the richness of the content crammed into only a few days, it’s hard to decompress all this information and OSINT into a single article. I plan to write more on what I learned at KB4-Con, and I’m asking KnowBe4 to send content and articles our way to keep you informed on some of the cutting-edge ideas and best practices in security awareness and regulatory compliance, so keep an eye out for these #CDM exclusives on our home page.

I was incredibly impressed with the conference and the management team of KnowBe4, one of our recent InfoSec Awards winners, which has also been named a Leader by Gartner in its Magic Quadrant for Security Awareness Computer-Based Training. If you are not yet a KnowBe4 customer, check them out and consider their offerings at https://www.knowbe4.com, and I hope to see you there next year, once again in Orlando. I’m hearing the conference is growing so large, so quickly, that they have just hit an inflection point in number of attendees and may have to move to an even larger conference space nearby – so stay tuned and bookmark this URL:

https://www.knowbe4.com/kb4-con

 

by Gary S. Miliefsky, CISSP
Publisher, Cyber Defense Magazine

CEO Cyber Defense Media Group

www.cyberdefensemediagroup.com