Tuesday, October 22, 2024

10 Critical Updates to Your Hiring Process


Cyberheist News


CyberheistNews Vol 14 #43  |   October 22nd, 2024


North Korean IT Worker Threat: 10 Critical Updates to Your Hiring Process
Stu Sjouwerman SACP

KnowBe4 was asked what changes were made in the hiring process after the North Korean (DPRK) fake IT worker discovery. Here is the summary, and we strongly recommend you discuss this with your own HR department and make these same changes or similar process updates.

Question: What remediations were put in place from this incident?

Answer: Please note that our cybersecurity controls in this matter were effective at quickly detecting, stopping and remediating the incident in a very timely manner (under 30 minutes). There are, however, many companies out there who are unaware that a DPRK IT worker has been in their environment for months.

Question: We would like to know more detail about changes in the recruitment process itself. For instance, are you interviewing in person now?

Answer: We are not requiring in-person interviews for all hiring, as this is a process that will not scale and we do not have all employees in-office. This is also not a requirement of many other tech companies that hire remote workers, one of which reached out to me after reading our article on the subject to discuss their challenges and what they implemented on their side as well to prevent the threat.

Question: What has KnowBe4 changed in their hiring process?

Answer: We have made the following 10 immediate changes to our hiring and recruitment process. Some of these changes include recommendations provided by threat intelligence partners and other security companies facing the same issues:

[CONTINUED ON THE KNOWBE4 BLOG (too long for the newsletter)]
https://blog.knowbe4.com/north-korean-it-worker-threat-10-critical-updates-to-your-hiring-process

Lights, Camera, Hacktion! The Inside Scoop on Creating ‘The Inside Man’

Over the last 5 years, KnowBe4’s binge-worthy series “The Inside Man” has been revolutionizing the way organizations think about security awareness training. Now, we invite you behind the scenes to learn from the creators, and find out what makes “The Inside Man” such a success in organizations around the world.

Join us for this can’t-miss webinar where we’re spilling all the tea with the masterminds behind “The Inside Man.” You will hear from Jim Shields, Director of “The Inside Man,” Rich Leverton, Director of Content at Twist & Shout, and Perry Carpenter, Executive Producer and Chief Human Risk Management Strategist at KnowBe4 as they share:

  • Insights on how the concept came to be, and behind-the-scenes antics from the cast and crew
  • The secret sauce that makes “The Inside Man” even more addictive than your favorite Netflix show
  • Why storytelling is your new superpower in the fight against cybercriminals and in making your security culture stick

We’ll also be dropping some juicy teasers about the upcoming season that’ll leave you on the edge of your seat. Whether you are a die-hard fan or new to “The Inside Man” party, you will not want to miss this!

Date/Time: Wednesday, October 30 @ 2:00 PM (ET)

Can’t attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/inside-man-webinar?partnerref=CHN

What Spending 3 Hours in IKEA Taught Me About Cybersecurity Awareness

By Javvad Malik

It was a Saturday morning, and I had grand plans. By “grand plans,” I mean sitting on the couch, watching reruns of “The IT Crowd,” and pretending I did not hear the lawn mower calling my name.

But my wife had other ideas. “We’re going to IKEA,” she announced, with our kids excitedly agreeing in the background. I groaned internally. The Swedish furniture labyrinth was the last place I wanted to be.

Little did I know, I was about to stumble into a masterclass on user experience and awareness that would open my eyes. Who knew that between the MALM dressers and POÄNG chairs, I would discover the techniques that can be used to make any security awareness program more engaging.

As we entered the blue and yellow kingdom, it was hard to miss the clear path laid out before us. It was like following the yellow brick road, but instead of Oz, it led to affordable furniture and meatballs. “Create a clear path,” I muttered to myself, thinking about our most convoluted security policies.

If IKEA could guide thousands of customers daily without confusion, surely I could create a clearer path for our employees to follow security best practices. Then came the assembly instructions. As I stared at a diagram for the BILLY bookcase, it hit me: the simple and wordless instructions visually showed how to assemble the furniture.

No language barriers, no room for misinterpretation. Like those well-designed infographics which share volumes of research in one easy-to-understand image.

As we meandered through the store, my wife and kids tested every chair, opened every cabinet, and lay on every mattress. I realized IKEA was offering hands-on experience with their products. I began to envision a “cybersecurity playground” where employees could safely interact with phishing simulations and security tools.

An Allen key is pretty much the only thing you need to assemble most IKEA furniture. But I did see a small box sold with a screwdriver, nails, screws and a few other fixing items. Basically a few essential tools that were simple to use and could assemble any item within the store. Which got me thinking about equipping employees with the right security software and resources.

Finally, as we loaded our car with far more than the one bookshelf we came for, I marveled at IKEA’s self-service model. They provided the showroom inspiration, the tools, and the support staff, but ultimately, customers assembled their purchases themselves. “Self-service with support,” I said out loud, causing my wife to ask if I was feeling okay.

As we drove home, our car packed tighter than a SMÅSTAD storage combination, I could not help but smile. I had entered IKEA dreading the experience but left with a trunk full of furniture and a mind full of ideas.

The 5 steps to user-centric security design that can help foster and create a stronger security culture can be summed up as follows:

  • Create a Clear Path: Just as IKEA designs a clear path through its stores, create a clear, intuitive path for cybersecurity practices. Guide users through security processes as smoothly as IKEA guides you from sofas to kitchenware.
  • Use Visual Instructions: Replace text-heavy security policies with visual guides. Think IKEA’s wordless assembly instructions — simple, universal and effective.
  • Offer Hands-On Experience: Set up “cybersecurity showrooms” where employees can interact with security tools and practices in a safe, sandbox environment. It is like IKEA’s room setups, but for digital safety.
  • Provide Essential Tools: Equip users with the right “tools” for cybersecurity, just as IKEA provides that essential Allen key. This could be password managers, ways to securely back up data or two-factor authentication apps.
  • Encourage Self-Service with Support: Foster a culture where users can “assemble” their own secure environment, with expert help readily available — like IKEA’s helpful staff scattered throughout the store.

Blog post with links:
https://blog.knowbe4.com/-spending-3-hours-ikea-taught-about-cybersecurity-awareness

Identify Weak User Passwords In Your Organization With the Newly Enhanced Weak Password Test

Cybercriminals never stop looking for ways to hack into your network, but if your users’ passwords can be guessed, they have made the bad actors’ jobs that much easier.

Verizon’s Data Breach Investigations Report showed that 81% of hacking-related breaches use either stolen or weak passwords.

The Weak Password Test (WPT) is a free tool to help IT administrators know which users have passwords that are easily guessed or susceptible to brute force attacks, allowing them to take action toward protecting their org.

Weak Password Test checks Active Directory for several types of weak password-related threats and generates a report of users with weak passwords.

Here is how Weak Password Test works:

  • Connects to Active Directory to retrieve the password table
  • Tests against 10 types of weak password-related threats
  • Displays which users failed and why
  • Does not display or store the actual passwords
  • Just download, install and run. Results in a few minutes!

Do not let weak passwords be the downfall of your network security. Take advantage of KnowBe4’s Weak Password Test and gain invaluable insights into the strength of your password protocols.

Download Now:
https://info.knowbe4.com/weak-password-test-chn

North Korean Hackers Continue to Target Job Seekers

A North Korean threat actor is launching social engineering attacks against job seekers in the tech industry, according to researchers at Palo Alto Networks’ Unit 42.

The hackers are impersonating job recruiters and attempting to trick job seekers into installing malware as part of the phony interview process.

“In this campaign, the attackers targeted job-seeking individuals on LinkedIn, luring them to download and execute malware that masquerades as a legitimate video call application,” the researchers write. “This campaign is a continuation of activity we initially reported in November 2023.”

The threat actors set up convincing online personas impersonating technical recruiters and reach out to software developers with enticing employment offers. The hackers convince the job seeker to install a malicious version of a legitimate video-conferencing application in order to conduct an online interview.

Unit 42 notes that North Korean state-sponsored threat actors often conduct both cyber espionage and financial theft during their operations. In this case, the malware was designed to steal cryptocurrency, as well as potentially giving the hackers access to sensitive corporate information.

“North Korean threat actors are known to conduct financial crimes for funds to support the DPRK regime,” the researchers write. “This campaign may be financially motivated, since the BeaverTail malware has the capability of stealing 13 different cryptocurrency wallets….Another significant risk that this campaign poses is potential infiltration of the companies who employ the targeted job seekers.

“A successful infection on a company-owned endpoint could result in collection and exfiltration of sensitive information. It is essential for individuals and organizations to be aware of such advanced social engineering campaigns.”

Human risk management gives your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/north-korean-hackers-continue-to-target-job-seekers

Registration is Open for KB4-CON 2025!

Exciting news — registration for KB4-CON 2025 is now open! Join us April 7-9, 2025, at the beautiful Gaylord Palms Resort in sunny Orlando, Florida.

KB4-CON is the premier annual conference for KnowBe4 customers, partners and the broader cybersecurity community, bringing together thousands of attendees from across the industry. For 3 days, you will explore the world of human risk management, AI and effective security strategies. In addition, get exclusive insights into KnowBe4’s product roadmap and upcoming features.

We are designing an engaging experience that will transform your approach to managing human risk in the ever-changing cybersecurity landscape.

The best part? You can now secure your spot for KB4-CON 2025 with a limited-time special in honor of Cybersecurity Awareness Month for $199 through October 31! Note that the regular price is $399, so register now! If you need help with approval to attend, download our travel justification letter here.

Save your spot at the cybersecurity event of the year!

Save My Spot:
https://knowbe4.cventevents.com/00nVrz?RefId=emregoppros

Chinese Threat Actor Targets OpenAI With Spear Phishing Attacks

OpenAI has disclosed that its employees were targeted by spear phishing attacks launched by a suspected Chinese state-sponsored threat actor. The phishing attempts were unsuccessful. Notably, the threat actor also abused OpenAI’s own products to assist in the campaign.

“We identified and banned accounts, which based on an assessment from a credible source likely belonged to a suspected China-based adversary, that were attempting to use our models to support their offensive cyber operations while simultaneously conducting spear phishing attacks against our employees and governments around the world,” OpenAI says.

“Publicly tracked as SweetSpecter, this adversary emerged in 2023. We understand this is the first time their targeting has publicly been identified to include a U.S.-based AI company, with their previous activity reported as having focused on political entities in the Middle East, Africa, and Asia.”

The threat actor sent phishing emails to corporate and personal email addresses of OpenAI employees, asking for help with ChatGPT errors. The emails contained attachments designed to install malware.

“In these emails, SweetSpecter posed as a ChatGPT user asking for help from the targeted employees,” the company says. “The emails included a malicious attachment called ‘some problems.zip’, containing an LNK file. This file contained code that would, if opened, present a DOCX file to the user that listed various apparent error and fix messages from ChatGPT.

“In the background, however, Windows malware known as SugarGh0st RAT would be decrypted and executed. The malware is designed to give SweetSpecter control over the compromised machine and allow them to do things like execute arbitrary commands, take screenshots, and exfiltrate data.”

Blog post with links:
https://blog.knowbe4.com/chinese-threat-actor-targets-openai-with-spear-phishing-attacks
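The lure described above is a ZIP carrying a Windows shortcut (LNK) that opens a decoy document. As an added example (not OpenAI’s, KnowBe4’s or the original article’s code), the script below checks every entry of an attachment ZIP for the Shell Link header, so a shortcut renamed to look like a .docx is caught as well as one with a .lnk extension; the sample archive and its entries are constructed in memory and are not a real sample.

```python
"""Flag Windows shortcut (LNK) files inside a ZIP mail attachment.

Added example, standard library only. The archive built in build_sample_zip()
is constructed here to mirror the shape of the reported lure; it contains no
real shortcut data, only the 20-byte LNK header followed by zero padding.
"""
import io
import zipfile

# Shell Link header: HeaderSize 0x0000004C (little-endian) followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk GUID byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000" "000000000046")


def is_lnk(data: bytes) -> bool:
    """True if the payload starts with the Shell Link header."""
    return data[:20] == LNK_MAGIC


def scan_zip(blob: bytes) -> list[dict]:
    """Return one finding per ZIP entry that is an LNK by content or by name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(20)          # only the header is needed
            by_magic = is_lnk(head)
            by_name = info.filename.lower().endswith(".lnk")
            if by_magic or by_name:
                findings.append({
                    "name": info.filename,
                    "lnk_header": by_magic,
                    "lnk_extension": by_name,
                    # A genuine LNK header under a document-style name is a
                    # disguise and deserves the highest priority in triage.
                    "disguised": by_magic and not by_name,
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment modelled on the reported lure (not a real sample)."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56      # header only; nothing executable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("some problems/ChatGPT errors.lnk", fake_lnk)   # plain LNK
        zf.writestr("some problems/ChatGPT errors.docx", fake_lnk)  # LNK renamed
        zf.writestr("some problems/notes.txt", b"plain text, not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

Extending the same check to nested archives and to Office documents that embed OLE objects is straightforward, but the header test alone already separates a renamed shortcut from the document it pretends to be.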

Let’s stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [IMPORTANT BLOG POST] Meet SmartRisk Agent™: Unlock Your New Human Risk Management:
https://blog.knowbe4.com/meet-smartrisk-agent-unlock-your-new-human-risk-management

Quotes of the Week

“Those who cannot remember the past are condemned to repeat it.”
– George Santayana – Philosopher (1863 – 1952)


“Life shrinks or expands in proportion to one’s courage.”
– Anais Nin – Writer (1903 – 1977)


Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-43-north-korean-it-worker-threat-ten-critical-updates-to-your-hiring-process

Security News

Cybercriminals Exploit Interest in the U.S. Presidential Election

Criminal threat actors are targeting users in the United States with social engineering attacks that impersonate U.S. presidential candidates and their campaigns, according to a new report from Fortinet.

Crooks are peddling phishing kits designed to easily spin up phishing pages targeting both Trump and Harris supporters. “In one recent post, we observed an interesting project featuring phishing pages designed to impersonate political leaders Donald Trump and Kamala Harris,” the researchers write.

“The [threat actor] is offering two separate phishing kits for $1,260 each—one targeting Donald Trump supporters and the other targeting Kamala Harris supporters. These kits are designed to harvest personal information, including names, addresses, and credit card (donation) details.

“The implications of these phishing threats are significant, as they can lead to the widespread theft of personal information, including names, addresses, and credit card details. This puts individuals at risk of financial fraud and undermines trust in the political process.”

The researchers have also observed over a thousand domains that may be used in election-themed phishing attacks.

“More than 1,000 new potentially malicious domains have been registered since the beginning of 2024 that follow specific patterns and incorporate election-related content and candidates, suggesting that threat actors are leveraging the heightened interest surrounding the election to lure unsuspecting targets and potentially conduct malicious activities,” Fortinet says.

Fortinet recommends employee training as a layer of defense against social engineering attacks. “Conduct regular training sessions for election officials, political campaign staff, and volunteers to educate them about the risks of phishing attacks,” the researchers write.

“Raise awareness about common phishing tactics, such as deceptive emails and fake websites, and teach employees how to identify and report suspicious emails.”

KnowBe4 enables your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Fortinet has the story:
https://www.fortinet.com/corporate/about-us/newsroom/press-releases/2024/fortinet-fortiguard-labs-observes-darknet-activity-targeting-the-2024-united-states-presidential-election

FBI Warns Scammers Are Targeting Law Firms for Phony Debt Collections

The U.S. FBI warns that scammers are attempting to trick law firms into transferring money as part of a phony debt collection scheme.

The scam “may involve any type of representation where a lawyer is hired to assist in the transfer or collection of money, e.g. real estate, collection matters, collaborative law agreements in family matters, etc.”

The schemes typically take the following steps:

  • A law firm is contacted regarding representation in an alleged debt collection matter by what appears to be a legitimate potential client (“the Creditor”)
  • The law firm agrees to help and sends a demand letter to the alleged debtor (“Debtor”)
  • The Debtor immediately agrees to pay the debt and sends what appears to be a valid cashier’s check to the law firm
  • The law firm deposits the check into their client trust account and transfers the value to the Creditor via wire, less any legal fees agreed upon
  • The law firm’s bank then discovers that the check is actually fraudulent and the trust account is charged back the value of the check
  • Because the wire has already been sent to the Creditor, the law firm is left to suffer the financial loss

The FBI outlines some recommendations to help organizations avoid falling for these scams:

  • “Be suspicious of requests or pressure to take action quickly. A number of potential victims were able to successfully identify the fraudulent check by adhering to policies which required a delay or hold on the funds until confirmation that the debtor’s check had indeed cleared into their client trust accounts.
  • Consider additional financial security procedures, such as two-step verification or telephone calls (subjects tend to prefer written correspondence), to verify transaction details and identity information, prior to wiring funds.
  • Contact your financial institution immediately and request that they contact the financial institution where any wire transfer was sent to determine if it is able to be recalled or the funds frozen in the deposit account.”

New-school security awareness training gives your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day.

Blog post with links:
https://blog.knowbe4.com/scammers-targeting-law-firms-for-phony-debt-collections

What KnowBe4 Customers Say

“Hey Stu, good to hear from you! Is this a kind of phishing test?

Actually I have just positive comments about the platform, since it’s exactly what we were looking for, that is a fully autonomous training platform with all kinds of helping features inside including reports for our HR.

Rare to find this kind of completeness in products, if not developed or led by people who experienced the same needs, in the field.

Thanks and best regards, Grazie e buon lavoro (Thanks and keep up the good work).”

– V.E., IT Infrastructure Manager

The 10 Interesting News Items This Week

Cyberheist ‘Fave’ Links

This Week’s Links We Like, Tips, Hints and Fun Stuff
