(ISC)2 Austin Chapter September Meeting: Software Defined Secured Networks

Join us on Monday, September 12th at 7PM at Indeed.com’s Austin campus, 6433 Grand Champion Way, Building 1, Austin TX 78750, for the (ISC)2 Austin Chapter September Meeting. Oliver Schureman, Senior Systems Engineering Director at Juniper Networks, will discuss Software Defined Secured Networks (SDSNs) and how this technology is changing the way firewalls, routers and other edge devices are deployed to protect assets at the perimeter, in the core, or in the cloud.

Food and drink will be served. CPEs will be submitted automatically for chapter members. Please RSVP at the link below and get a ticket which is now required for entrance. Free tickets are available as well as donation tickets which go towards chapter operations.

We hope you can make it!

https://www.eventbrite.com/e/isc2-austin-chapter-septembermeeting-software-defined-secured-networks-tickets-27395951027

Posted in Events

Is Cloud Security a Pie-In-The-Sky?

Many companies are moving to the “cloud” these days. The term is amorphous; in practice it means using a shared network, usually the Internet, to reach computing services that someone else operates, in order to save costs and increase efficiency. It often makes sense financially: rather than operating your own data centers or owning servers, why not rent those of a company that specializes in that area and focus on your core business? But with the recent breach involving Microsoft Office 365, in which the service was used to send ransomware-laden emails to a large portion of its user base, does it make sense for you from a security standpoint? There have been many other, less publicized breaches, and given the increasing popularity of this technology, let’s take a moment to evaluate the “cloud” from a security standpoint.

There are several security challenges for cloud services. First, they generally have a larger attack surface exposed to the Internet than private servers hosted behind a corporate firewall. By their nature, cloud services must be reachable from just about anywhere on the public Internet, and cloud application servers often sit directly on the Internet with little in front of them to restrict access. Walling off your applications in a DMZ, while possible, is more difficult in the cloud than on a private network, where a separate physical segment can be created with a single firewall interface in or out.

Second, because the services are usually at least partially shared, they have a large user base and more generic security rules than a service run just for your company. These rules are often “dumbed down” for general use. An example is password self-service: most cloud services let users reset their password with a single click that sends them an email containing a reset link. That means if your email account is compromised, it is easy for the attacker to take over every cloud service you subscribe to; if you are the administrator of an Office 365 domain for your company, that is a huge breach. Authentication is problematic too. When you control your computing environment, you can use physical location as an additional authenticator (by not allowing remote logins), and you can apply more stringent controls such as two-factor authentication to certain sensitive services or areas. Your cloud provider may not give you these options or this flexibility. Kudos to Amazon Web Services, which offers token-based two-factor authentication for its accounts and management console, but it is by no means mandatory or universal across its entire service platform yet.

Finally, the latest high-profile incident illustrates a further danger of services in the cloud. When malware sits on cloud servers accessed through a web browser, traditional antivirus and anti-spyware tools on your own machines help far less: the files and links sit on a remote server that you don’t control and your local protections can’t scan. You must rely on the cloud vendor to provide that scanning. Many do, but if their coverage is incomplete or out of date, lapses happen. Either way, you have lost control. The Microsoft incident is just one example.

So, bottom line, can you depend on the security of cloud services? The answer, frustratingly, is that it depends on how you use them, on your applications and on your specific vendor. First, what are you using the cloud for: just email, or your entire data center operations? Do you use a public cloud or a private cloud? What security protections does the vendor offer? Don’t take the vendor’s salesperson’s word for it; talk to the technical staff and get detailed answers. If you aren’t comfortable with the vendor’s answers, reconsider your cloud strategy or find a vendor who can answer your questions. In conclusion, it is possible to be secure in the cloud. Just don’t let your head get stuck in the clouds: ask the right questions and get answers that satisfy you before deploying.

Posted in News

August 8th, 8PM – (ISC)2 Austin Chapter: New Approaches to Threat Modeling

The Austin Chapter of (ISC)2 will meet on Monday, August 8th at 7PM at the Indeed.com campus in Austin as Brian Engle, Executive Director of R-CISC, presents “New Approaches for the Lost Art of the Threat Model”. The presentation will walk through a practical and simple methodology for threat modeling real-world incidents, with a new twist on evaluating how threat modeling can put a spotlight on attack vectors in the converged space of cybersecurity and fraud.

Food and drink will be served. CPEs will be submitted automatically for chapter members. Please RSVP and get a ticket, which is now required for entrance.

https://www.eventbrite.com/e/isc2-austin-chapter-august-2016-meeting-new-approaches-in-the-lost-art-of-threat-modeling-tickets-26472151919

Posted in Events

June 27, 3:00PM – IT Security Awareness: Ransomware and Defense in Depth

In this seminar, Michael Villarreal, Vice President of the PCI Compliance Division for Network Security Services, will discuss the different types of ransomware, their impact, and how to reduce the threat by implementing defense in depth. This session is recommended for executives, financial and operations managers and technical staff; it is designed for the average user rather than the security expert. He will also provide an update on the latest cyber threats. Tickets are required for this event and can be purchased at the link below.

This workshop also fulfills PCI DSS requirement 12.6.1.b: “Verify that personnel attend security awareness training upon hire and at least annually” and may qualify for continuing education credit for some professional certifications.

“Let’s Talk More” Mixer will be held from 4:30 PM to 6:30 PM at a location that will be announced at the meeting. Appetizers will be provided by a sponsor. RSVP requested for mixer.

Speaker Bio: Michael Villarreal has been actively involved in the security and technology fields for over thirty years. He has previously been conducting Security Awareness Workshops and providing security advice through his company Game Face Solutions, Inc. Now with NSS, he helps companies down the road to PCI Compliance. Mr. Villarreal is a certified Project Management Professional (PMP), Certified Information System Auditor (CISA) and a Certified Information System Security Professional (CISSP). He is also President of the (ISC)² Alamo Chapter.

When: Monday, June 27, 2016 from 3:00 PM to 4:00 PM (CDT)
Where: 10100 Reunion Place #250, San Antonio, TX 78216
Tickets: https://www.eventbrite.com/e/it-security-awareness-workshop-ransomware-vs-defense-in-depth-tickets-26052342257
Cost: $49.97

Posted in Events

June 27, 1:30PM – PCI Compliance 12 Requirements Workshop

In this free seminar, Michael Villarreal, Vice President of the PCI Compliance Division for Network Security Services, will discuss the twelve PCI Data Security Standard (PCI DSS) requirements. Previously mentioned in the “Overview” workshop, the specific requirements are discussed here in further detail. Complimentary refreshments will be served. Prerequisite: PCI Compliance Overview Workshop. Please RSVP at the link below for a free ticket, which is required for admittance.

“Let’s Talk More” Mixer will be held from 4:30 PM to 6:30 PM at a location that will be announced at the meeting. Appetizers will be provided by a sponsor.

Speaker Bio: Michael Villarreal has been actively involved in the security and technology fields for over thirty years. He has previously been conducting Security Awareness Workshops and providing security advice through his company Game Face Solutions, Inc. Now with NSS, he helps companies down the road to PCI Compliance. Mr. Villarreal is a certified Project Management Professional (PMP), Certified Information System Auditor (CISA) and a Certified Information System Security Professional (CISSP). He is also President of the (ISC)² Alamo Chapter.

When: Monday, June 27, 2016 from 1:30 PM to 2:30 PM (CDT)
Where: Silotech Group – 10100 Reunion Place #250, San Antonio, TX 78216
Tickets: https://www.eventbrite.com/e/pci-compliance-twelve-requirements-workshop-tickets-26052281074

Posted in Events

June 27, 12:00PM – PCI Compliance and Credit Card Security Overview Workshop

In this free seminar, Michael Villarreal, Vice President of the PCI Compliance Division for Network Security Services will discuss the Payment Card Industry Data Security Standard or PCI DSS, the cybersecurity standard that all companies accepting credit and debit cards must comply with. He will review the new requirements of PCI DSS 3.2 as well as the shift in legal liability from bank to merchant that was instituted in 2015. Strategies on how to achieve PCI compliance and better digital security for your business will be revealed. This session is recommended for executives, financial and operations managers and technical staff. A complimentary lunch and refreshments will be served. Please RSVP at the link at the bottom for a free ticket, required for admittance.

“Let’s Talk More” Mixer will be held from 4:30 PM to 6:30 PM at a location that will be announced at the meeting. Appetizers will be provided by a sponsor.

Speaker Bio: Michael Villarreal has been actively involved in the security and technology fields for over thirty years. He has previously been conducting Security Awareness Workshops and providing security advice through his company Game Face Solutions, Inc. Now with NSS, he helps companies down the road to PCI Compliance. Mr. Villarreal is a certified Project Management Professional (PMP), Certified Information System Auditor (CISA) and a Certified Information System Security Professional (CISSP). He is also President of the (ISC)² Alamo Chapter.

When: Monday, June 27, 2016 from 12:00 PM to 1:00 PM (CDT)
Where: Silotech Group – 10100 Reunion Place #250, San Antonio, TX 78216
Tickets: https://www.eventbrite.com/e/pci-compliance-and-credit-card-security-overview-tickets-26052230924

Posted in Events

NSS Info-Security Newsletter May 2016

IT SECURITY NEWSLETTER

IN THIS ISSUE:

• WE MOVED!
• WHAT IS PCI DSS?
• RANSOMWARE AND HOW TO AVOID IT
• INFOSECURITY SEMINARS AND WORKSHOPS

NSS HAS A NEW ADDRESS

In major news for our Houston office staff, we moved our offices shortly after the first of the year to 118 Vintage Park Blvd., Suite W117, Houston TX 77070. Our new office is right across the freeway from our old one, in a hip, new shopping center and office complex complete with an Alamo Drafthouse (handy for ending the day in style!). It was fortunate we moved when we did, as our old office parking lot was inundated during the recent floods in Houston and was closed for a whole week. Please note the new address for your accounting department and other correspondence.

What is PCI DSS?
You may have heard this term and you may even know it has something to do with credit cards. But do you know that it is the mandatory security standard that every merchant accepting credit cards, and every bank processing them, must comply with? And are you aware of the dramatic shift in liability for card fraud that took place last October? PCI DSS stands for Payment Card Industry Data Security Standard. It represents the efforts of all the major card brands to institute and enforce a uniform level of security among the merchants who accept their cards and the banks that process the transactions. Compliance is not a law; it is a contractual requirement of the card brands, enforced through merchant agreements and acquiring banks, but it is mandatory nonetheless. Separately, since October 1st of last year, under the card brands’ EMV liability shift, the party that has not adopted chip card technology bears the loss from counterfeit card fraud at the point of sale, and a merchant that suffers a breach while out of compliance with PCI DSS faces the fines and assessments its merchant agreement allows. This represents a huge shift in liability for card-accepting merchants that many may not fully be aware of. NSS now offers PCI compliance services to help companies improve their data security and comply with the PCI standard. We are also offering free seminars on PCI DSS as part of our IT Security Seminar Series. Visit the link below to find out if there is a seminar in your area.
www.netsecuritysvcs.com/events

Ransomware: The New Cyber-threat for Businesses

They go by names like CryptoLocker or CryptoWall, but they are all part of a breed of malicious software that encrypts your servers and valuable data and then ransoms it back to you for a payment. These viruses usually get loaded when someone opens a malicious attachment or visits a compromised website. Once a machine is infected, the malware encrypts the data files on its hard drive and searches for network shares it can reach and encrypt as well. It then displays a message demanding a specific ransom to decrypt the data, payable by wire transfer or in Bitcoin, a digital currency that is difficult to trace. Many businesses feel they have no choice but to pay, given the damage that the loss of that data would do to their business. In some cases it has posed a direct threat to public health, when hospital systems have been infected and disabled. Law enforcement, local and national, offers little recourse, since the perpetrators and their bank accounts usually sit overseas in countries without extradition treaties with the US. However, if you take the right steps beforehand, you can stop ransomware before it infects your network, or at least limit the damage if it does. Here are three steps that will not only inoculate your company against ransomware but also make it more secure against all manner of cyber-threats:

1. Make sure you regularly back up your data and test the backups. Back up your data at least daily, or more often if losing part of a day’s work would be traumatic to your business. But just backing up isn’t enough: test the backups on a regular basis by actually restoring from them, so you know they work before you need them most.
2. Enforce least privilege. This data security concept means that each employee has access only to what they need to do their job. Generic logins whose password everyone knows, or share drives that are open to everyone, let ransomware spread to multiple systems and do the most damage. Give every user a separate login and only the rights to the systems, drives and parts of the network that their job duties require. This also limits the spread of other malware and keeps entry-level employees out of places they shouldn’t be.
3. Train your employees on IT security awareness and test them. Most ransomware infections happen because an employee clicked on something they shouldn’t have. Training them on the dangers makes it much less likely they will click on that bad attachment or link. You should also test them with an exercise known as a social engineering test: sending simulated phishing emails that look like the ones that carry the real malware. This “live fire” test is the best way to teach your employees about the very real dangers of ransomware, viruses and other malware. Through training and testing, you greatly reduce the chance of ever having to deal with a ransomware infection.
NSS offers both IT Awareness Training and Social Engineering Testing to help secure your company from Ransomware and other cyber-threats. See below for a list of scheduled classes or call us for a quote for on-site training customized for your environment.

Posted in News

June 23rd – Houston – PCI Compliance and Credit Card Security Workshop

In this seminar, Michael Villarreal, Vice President of Network Security Services will discuss the Payment Card Industry Data Security Standard or PCI DSS, the cybersecurity standard that all companies accepting credit and debit cards must comply with. He will review the requirements of PCI DSS 3.1 as well as the shift in legal liability from bank to merchant that was instituted in 2015. Strategies on how to achieve PCI compliance and better digital security for your business will be revealed. This session is recommended for executives, financial and operations managers and technical staff. A complimentary lunch and refreshments will be served. Please RSVP at the link below to get a free ticket:
https://www.eventbrite.com/e/pci-compliance-and-credit-card-security-workshop-houston-tickets-25746871586

Posted in Events

June 13, 7PM – (ISC)2 Austin Chapter Meeting: Mobile Payments Security

Join the Austin Chapter of (ISC)2 on Monday, June 13th at 7PM for “Mobile Payments: Provisioning Payments to your Pocket” presented by Dr. Branden R. Williams, Vice-President and Head of Strategy for Security and Fraud Solutions at First Data. Dr. Williams will review Apple Pay, Samsung Pay, and other e-Wallet technologies to discuss how they work, how they can break, and how people can game them.
Cost: FREE (requires a free ticket with the link below)
Ticket info: https://www.eventbrite.com/e/isc2-austin-chapter-june-2016-meeting-mobile-payments-security-tickets-24546686801

Posted in Events

Top 10 Cyberattacks of 2015

Here at the end of the year, I normally produce a top ten list of information security breaches, or “oops” moments of companies that got hacked during the year. But so many companies are having cybersecurity issues, and there are so many big breaches, that that type of list has become obsolete. So instead I will call out the top ten cyberattacks being perpetrated on banks and small and medium-sized businesses. So without further ado, here they are.

1. Wire Transfer Fraud
This area has long been a target for fraudsters but they are getting more and more sophisticated. They are targeting firms that tend to transfer large amounts to overseas companies. To avoid wire fraud on your account, be sure that if you don’t use these services, they are specifically turned off in the online banking system. And if you do use them, insist on a call back verification and dual factor authentication devices such as a security token to approve transfers.

2. ACH Fraud
Automated Clearing House or ACH is the system used to execute most transfers from your bank account to pay recurring bills and other electronic payments. With the tighter controls over wire transfer and the spread of ACH transfers of all kinds, this fraud is growing fast as many banks now offer online banking access to ACH transfers. Many banks are implementing cybersecurity controls such as tokens required for large ACH transactions. And as before, a call back verification for large amounts tends to stop fraudsters in their tracks.

3. CATO
CATO, or Corporate Account Takeover, is one of the fastest growing areas of online banking fraud. Since the banks are tightening their standards and policies, the bad guys often go after the company’s online banking accounts instead. By infecting a senior officer’s PC with malware, criminals can then take over their online banking and initiate ACH or wire transfers. Good company security and training are key to avoiding being “CATO’d”. Also, unless you frequently execute transfers from the road, tell your bank not to allow it; if you do, deputize a company employee to approve them in your absence. Criminals often take advantage of traveling executives to execute fraudulent transactions.

4. Point of Sale (POS) Hijacking
If you are a business that accepts credit cards in any form, you could be the victim of POS hijacking. From gas pumps to retailers’ credit card terminals, the bad guys are designing software and hardware attachments to steal card data directly from the point of sale. Good internal network security (firewalls, antivirus and intrusion prevention systems), as well as frequent inspection of credit card terminals, can help prevent your company from becoming a victim of this crime.

5. RansomWare
Exemplified by CryptoLocker, this malware is particularly insidious in that it targets companies of all sizes, down to a sole proprietorship. It encrypts the victim’s hard drive and then demands a ransom to unlock the data. The ransom is usually a relatively small sum (a couple of hundred dollars to a few thousand), paid in Bitcoin to make it hard to trace. A small company that is hit often just pays the ransom to get back into production rather than bear the cost of a forensic firm that might not be able to recover the data. The problem is that sometimes the extortionists will not unlock the data after the first payment and instead demand more. The best countermeasure is keeping good backups with a history feature. Mirrored hard drives or servers are NOT sufficient, because the mirror faithfully copies the encrypted files over the good ones, so both copies end up locked.

6. BillPay Fraud
Many people and companies take advantage of these online services to easily pay bills and automate payments. Unfortunately, if cyber-thieves get access to your BillPay account (often accessed via your online banking), they can use it to empty your account. They typically initiate one-time payments to new vendors that are just fronts for their operations. Corporate BillPay accounts are particularly sought after as the amounts can be large. To avoid this fraud, keep a close eye on your BillPay account and if possible don’t allow payments to one-time vendors.

7. Accounts Receivable Fraud
Companies that receive payments from customers via wire or ACH transfer should be aware of this newer type of fraud. Hackers get hold of your customer list and send emails in the guise of a company official asking to change the routing number and bank account for their payments. They will often have set up domain names that mimic the company domain and know the correct names of company officers. If you transact business this way, tell your customers that they will never receive such a change by email, only by a direct phone call from a specific officer they know.

8. Accounts Payable Fraud
In this scheme, cybercriminals will contact vendors for a company and send them a credit app to establish an account. They will usually have the information needed for an application such as references, banks used, etc. If the account is set up, they will then order small parts or electronics that can easily be fenced to be shipped to shared warehouse facilities. There, they can easily pick up the shipments anonymously and resell them. The issue with both this and A/R fraud is that it requires little or no direct access to a company’s systems. A/R and A/P information can often be “socially engineered” out of accounting staff with phone calls or emails. The best defense for this kind of fraud is a strict process for applying for credit, and good training for staff so they do not respond to inquiries without proper verification or give out this kind of information.

9. Payroll or HR fraud
This fraud involves tapping into the company’s HR or payroll systems. It is often done by gaining access to the CFO or the financial clerk who enters the company’s payroll information. Since most payrolls are paid out electronically these days, a cybercriminal who gains access to this system can redirect employees’ paychecks into their own accounts. Many companies outsource payroll to large providers such as ADP or Paychex, so the security of the payroll then depends on how well the administrator accounts at the provider are protected. A good countermeasure is to insist on strong controls on payroll and HR admin accounts, ideally a token or another two-factor authentication method. Additional training for HR and financial employees is also highly recommended so they can catch the red flags of this kind of activity.

10. Mortgage Fraud
This new fraud vector involves the stealing of entire houses! It sounds incredible, but savvy hacker groups are able to doctor up false deed and title information for houses using online public records. They then sell the house through normal realtor listings. They typically target empty rental properties or investor properties that are not occupied. They use imposter realtors or title lawyers, or sometimes they are able to fool legitimate professionals into representing and closing the sale. Once the payment is transferred from the bank, they are long gone, leaving the new owners holding an invalid title. If you own property, make sure you or someone else is checking on it and that the neighbors know how to reach you if something suspicious is going on. For banks and other professionals in the transaction chain, use your intuition and double-check IDs, titles and other documents if something seems fishy.
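The backup advice in item 5 above (a backup with history, not a mirror) and the “back up and test the backups” step in the May newsletter’s ransomware article earlier on this page can be shown concretely. The following Python script is an added example, not code from NSS or from the original posts. It builds a small constructed file share in a temporary directory, takes both a mirror and a dated snapshot, runs a stand-in for ransomware (a random-byte overwrite plus a .locked extension, not real malware), lets the nightly jobs run again, and then verifies each backup against a hash manifest taken before the infection. The directory names, file contents and snapshot labels are all assumptions for the demo.

```python
"""Added example (not from the original posts): why a mirror is not a backup
against ransomware, and what "testing the backup" means in practice.

Everything here is constructed for the demo: the 'fileserver' tree, its
contents and the snapshot labels. The ransomware stand-in only overwrites
files with random bytes and renames them; it is not real malware.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def mirror_sync(src: Path, dst: Path) -> None:
    """A mirror: make dst identical to src, encrypted files included."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def versioned_backup(src: Path, repo: Path, label: str) -> Path:
    """A backup with history: each run gets its own snapshot directory."""
    dest = repo / label
    shutil.copytree(src, dest)  # refuses to overwrite an existing label
    return dest


def simulate_ransomware(victim: Path) -> None:
    """Stand-in for the malware: clobber every file, append '.locked'."""
    for p in [q for q in victim.rglob("*") if q.is_file()]:
        p.write_bytes(os.urandom(len(p.read_bytes()) + 16))
        p.rename(p.with_name(p.name + ".locked"))


def verify_restore(backup: Path, expected: dict[str, str]) -> bool:
    """The 'test your backups' step: every file present, every hash matching."""
    return manifest(backup) == expected


def run_demo() -> dict[str, bool]:
    work = Path(tempfile.mkdtemp(prefix="ransomware-demo-"))
    try:
        victim = work / "fileserver"
        (victim / "finance").mkdir(parents=True)
        # Constructed sample data standing in for a small company's share drive.
        (victim / "finance" / "invoices.csv").write_text("inv,amount\n1001,250.00\n")
        (victim / "customers.txt").write_text("ACME Widgets\nBig Bank\n")
        known_good = manifest(victim)

        mirror, repo = work / "mirror", work / "history"
        repo.mkdir()
        mirror_sync(victim, mirror)
        versioned_backup(victim, repo, "2016-05-01")

        simulate_ransomware(victim)

        # The nightly jobs run again after the infection.
        mirror_sync(victim, mirror)
        versioned_backup(victim, repo, "2016-05-02")

        return {
            "mirror_ok": verify_restore(mirror, known_good),
            "history_ok": verify_restore(repo / "2016-05-01", known_good),
            "latest_snapshot_ok": verify_restore(repo / "2016-05-02", known_good),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'restorable' if ok else 'NOT restorable'}")
```

Only the pre-infection snapshot verifies; the mirror and the post-infection snapshot both contain nothing but .locked files. The same hash-manifest check is what a scheduled restore test should run against real backups, since a job that reports success but copies encrypted data is worse than no job at all.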
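For the Accounts Receivable and Accounts Payable fraud items above, where the attacker registers a domain that mimics yours and signs as a real officer, an accounting team or mail gateway can screen the sender before anyone acts on a bank-detail change. The following Python script is an added example, not NSS code or anything from the original post. The trusted domain acme-corp.com, the officer name and the From: headers are constructed for the demo, and the registrable domain is taken as the last two DNS labels, so real use with ccTLDs such as .co.uk would need a public suffix list.

```python
"""Added example (not from the original post): screening the sender of a
"please update our bank account" email for lookalike domains and officer
impersonation, the two tricks described in the A/R and A/P fraud items.

TRUSTED_DOMAIN, OFFICERS and SAMPLE_HEADERS are constructed for the demo.
The registrable domain is taken as the last two DNS labels; real use with
ccTLDs such as .co.uk would need a public suffix list.
"""
from __future__ import annotations

TRUSTED_DOMAIN = "acme-corp.com"
OFFICERS = ["Robert Jones"]          # names a fraudster would copy into From:

# Substitutions that look alike in common fonts; digraphs first so that
# "rn" becomes "m" before the single characters are handled.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]

SAMPLE_HEADERS = [                    # constructed From: headers
    "Accounts Receivable <ar@acme-corp.com>",
    "Accounts Receivable <ar@mail.acme-corp.com>",
    "Jane Smith <jsmith@acme-c0rp.com>",
    "Accounting <payments@acme-corp.co>",
    "AR Dept <ar@acmecorp.com>",
    "billing@acme-corp-payments.com",
    "Robert Jones, CFO <rjones.cfo@gmail.com>",
    "Statements <no-reply@bigbank.com>",
]


def normalize(label: str) -> str:
    """Lower-case a DNS label and undo the common homoglyph substitutions."""
    out = label.lower()
    for fake, real in HOMOGLYPHS:
        out = out.replace(fake, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch a one- or two-character typo of the real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_header(from_header: str) -> tuple[str, str, str]:
    """Return (display name, second-level label, top-level label)."""
    if "<" in from_header:
        name, addr = from_header.split("<", 1)
        addr = addr.strip().rstrip(">")
    else:
        name, addr = "", from_header
    domain = addr.strip().rpartition("@")[2].lower()
    labels = domain.split(".")
    sld, tld = (labels[-2], labels[-1]) if len(labels) >= 2 else (domain, "")
    return name.strip().strip('"'), sld, tld


def classify_sender(from_header: str, trusted: str = TRUSTED_DOMAIN,
                    officers: list[str] = OFFICERS, max_distance: int = 2) -> str:
    """Label a sender: 'trusted', one of four impersonation patterns, or 'unrelated'."""
    name, sld, tld = split_header(from_header)
    t_sld, _, t_tld = trusted.lower().rpartition(".")
    if (sld, tld) == (t_sld, t_tld):
        return "trusted"
    if normalize(sld) == normalize(t_sld):
        return "tld-swap" if tld != t_tld else "homoglyph"
    if levenshtein(normalize(sld), normalize(t_sld)) <= max_distance:
        return "near-miss"
    if normalize(t_sld) in normalize(sld):
        return "embedded"
    if any(o.lower() in name.lower() for o in officers):
        return "officer-impersonation"
    return "unrelated"


def screen(headers: list[str] = SAMPLE_HEADERS) -> list[tuple[str, str]]:
    """Verdict per header; anything other than 'trusted' gets a call-back first."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in screen():
        print(f"{verdict:<22} {header}")
```

The verdict is a reason to pick up the phone, not a decision by itself: an “unrelated” domain can still be a legitimate new vendor, and a “trusted” domain can be a compromised mailbox, which is why the post’s advice to confirm bank changes by a call to a known officer applies in every case.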

These methods are just some of the top ways hackers are using to steal money from companies and banks. There are many more, and new ones are being invented every day. To be sure your bank or company does not fall victim to them, make sure you are using the latest information security technologies and train your staff frequently in the proper policies and procedures to avoid cyber-fraud. NSS is available to provide training on these methods and their countermeasures to bank employees or key customers. We are also available to perform FFIEC-recommended cybersecurity assessments to make sure you are properly protected. Please contact us at 281-378-1551 or email info@netsecuritysvcs.com. You can also follow us on Facebook at:
https://www.facebook.com/Network-Security-Services-Inc-249473925219134/
or Twitter @fearlessecurity for the latest and up to date security bulletins.

Posted in News