Blog
Insights for Reasonable Cyber Security and Compliance
What’s happening in the world of cybersecurity? How do you define 'reasonable' security controls? Which cyber threats can be prevented? What steps should you take to make your systems safer? Read our blog posts to gain new insights into cybersecurity news, security awareness, the latest threats and risks, penetration testing, compliance, regulations and so much more.
Why the Meltdown/Spectre Vulnerabilities are Important to You
Two distinct vulnerabilities dubbed Meltdown and Spectre potentially affect almost every system. In a world already saturated with cyberattacks and vulnerabilities, it is easy to succumb to cyber threat fatigue when two new outbreaks are announced. Even though there have been no confirmed reports of attacks that have taken advantage of these newly exposed vulnerabilities, they are highly concerning, because they involve the CPU, the fundamental building block of the internet, corporate networks and PCs.
NEW BOTNET DISCOVERED CALLED JENX
Another day, another cyber threat discovered. Last week the world was introduced to yet another cyber menace referred to as Jen-X. No, not Generation-X: JenX, a new botnet that offers DDoS attacks for hire. Dubbed JenX, the new botnet is recruiting IoT devices and is marketing its wares over the Internet, openly offering attacks of up to 300Gbps for as little as $20. Attacks of the advertised size are capable of disrupting organizations that lack the tools to combat DDoS attacks. The front of the operation is a gaming server rental business that operates under the domain name sancalvicie.com. Behind the scenes of this seemingly innocent gaming site is the command and control server, located at skids.sancalvicie.com, that manages the devices within the botnet. The DDoS service is listed as a rental offering on the website under the name Corriente Divina.
8 Things to Help Make This Year’s Penetration Testing a Success
8 Things to Help Make This Year’s Penetration Testing a Success – From a macro point of view, 2017 was a rough year for cyber security. As spring turned into summer last year, we watched the WannaCry and NotPetya malware spread across the globe, causing lost productivity that hurt both quarterly earnings and stock prices and cost some companies billions.
VULNERABILITY N+1
VULNERABILITY N+1. AUTHOR: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR
As Americans, we love lists. That fact is self-evident when browsing our favorite blog sites, as many blog posts start out with catchy headlines like “The Top 5 ______ (fill in the blank).” The love of lists is rooted deeply in our culture. For generations we loved the Top 40 countdown of the hottest songs on the radio. Every New Year’s Eve we anticipate the unveiling of the Top X of all types of erroneous information concerning the past year. David Letterman made a living with a nightly “Top 10 Reasons” segment on his show. Lists are concise, abbreviated, and fun. It’s no wonder that this adoration for lists carries over into how we approach cyber security. Every three years or so, we look for the unveiling of the OWASP Top 10 Most Critical Application Security Risks because it compiles all those nasty potential risks and vulnerabilities into one simple list.
THE PASSWORD BY ITSELF IS NOW EXTINCT
Multi-Factor Authentication (MFA) is the New Standard
The use of a password alone for authentication is technically referred to as single-factor authentication. The fact is that anything beyond a game site or online news source should be protected by more than single-factor authentication. In the hyper-connected world in which we live today, it seems imprudent, at the very least, to protect our most confidential information with merely 8 to 14 characters on average, sometimes even fewer. Yet that single password is a single line of defense against hackers trying to access finances or hooligans trying to tarnish social media profiles.
Cleverly Disguised Ransomware Infecting Chrome Users
Cleverly Disguised Ransomware Infecting Chrome Users. A new variant of ransomware is spreading via poorly secured websites and the Chrome web browser. Users are fooled into downloading what they think is a missing font pack in order to resolve a displayed error. This attack technique is not uncommon; it has recently been reported delivering click-fraud malware and now ransomware. Click-fraud malware is a less destructive form of malicious code that generates revenue for attackers by browsing to predetermined websites and “clicking” on ads.
Evolution of Phishing Attacks and the Billions it is Now Costing Corporations
AUTHOR: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR
It was 23 years ago that the first Nigerian phishing attacks appeared in the inboxes of users across the world. Known today as the Nigerian 419 scams, these emails of deceit were cleverly crafted around the premise of a Nigerian prince whose financial accounts were being frozen. As a result, his family was seeking “your” help to get his fortune out of the country. All that was required was an advance fee to cut through the red tape and get the ball rolling. The “advance fee scam” scheme can actually be traced back to 1898 and the Spanish-American War. Known as the Spanish Prisoner Con, the ploy was based on the same proposition, in which a Spanish prisoner was attempting to escape with his fortune and would share a nice percentage with anyone willing to help pay an advance fee.
Simple Ways to Prevent Multi-Million Dollar Losses from BEC
AUTHOR: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR
In February of 2016, Fischer Advanced Composite Components (FACC), an Austrian aerospace parts maker servicing customers such as Airbus and Boeing, fired its CEO of 17 years. The driving factor in the dismissal was the company’s reported loss of 23.4 million euros during the fiscal year. By comparison, the company had reported a loss of 4.5 million euros the year prior. The spike in financial losses was not attributable to reduced revenues, profit margins or poor management. The overriding factor in the disappointing earnings was a cyber fraud that cost the company 42 million euros ($47 million) in a phishing scam known as Business Email Compromise (BEC) or CEO fraud. One single email brought down a CEO as well as the profitability of a major company.
Clarifying the new PCI DSS 3.2 Requirements for Service Providers
By Viviana Wesley, PCI QSA, ISO 27001 Auditor
The process of securing cardholder data is a shared responsibility amongst the multiple parties that play a role in the card transaction process. They include merchants, processors, acquirers, backup tape storage facilities, issuers and service providers, just to name a few. All of these entities play a part in the far-reaching responsibility of protecting consumer data. The Payment Card Industry Data Security Standard, or PCI DSS, is the roadmap they can turn to in order to prevent the compromise of primary account numbers (PAN) and other sensitive consumer credit card information.
BEC Phishing is a Bigger Threat than Ransomware
BEC Phishing is a Bigger Threat than Ransomware. AUTHOR: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR
Ransomware stole a lot of headlines in 2016 as organizations across the world fell victim to it. From hospitals to city transit systems, the infectious malware invaded enterprises, encrypting files and generally wreaking havoc. For most of those afflicted, ransomware translated into lost productivity and gallant efforts by IT departments to restore data silos. For some, it meant coughing up a payoff of several thousand dollars’ worth of bitcoin.