security news

Dexphot malware uses fileless techniques to install cryptominer

Security Awareness - Phishing Responses

Stay on top with IT Security.org

Any organisation comprises three essential elements: people, process and technology. In recent times most cyber-attacks have materialised because of weaknesses in people. Humans are blamed for being the weakest part of information security, yet they are given few controls to protect them from cyber-crime. Security awareness training is emphasised as the only effective control, but it is not implemented with the same zeal and vigour as firewalls or antivirus solutions.

Any security control is implemented to achieve its control objectives. However, security awareness is often limited to annual sessions, posters and weekly security news emails. The results of security awareness are not collected or analysed to verify whether the control objectives are met. Like any other control that is tested and evaluated, an awareness programme must be tested by measuring awareness levels and comparing them with business objectives.

Tools that verify the security awareness programme provide insights and effective performance indicators. Organisations can evaluate the results to identify their weak and strong areas. This allows risk mitigation in the weaker areas by utilising resources in a cost-effective manner. You can seek our services regarding phishing responses. We can assist you in developing your weakest link into your strongest.


Catching the phish

There are various tools to evaluate the readiness of users for phishing attacks. Users are tested with phishing emails and phone calls to check their awareness level.

A security aware workforce will:


Awareness is key

Phishing is one of the major causes of massive breaches. Phishing exploits human trust to obtain unauthorised information, install malware, bypass authentication mechanisms and steal sensitive data. Phishing uses emails or phone calls. Emails carrying malicious attachments or links to fake websites, or spoofed to look legitimate, are sent to the recipients. If users are not properly trained to identify phishing emails, they fall prey to attackers. One unaware employee can cause damage to the entire organisation by providing a door for the attacker.

Any business. Every solution.

If you’d like to work with us to help establish or improve your phishing awareness, please get in touch with us today. Or, whilst you’re here, why not have a look at our other services in this category?

About

IT Security.org is based in the UK, offering a range of IT security solutions from compliance and risk management to testing, training and much more.

Follow Us

Contact Us

© Copyright ITSecurity.Org Ltd 2015-2019 All Rights Reserved. Company Registration Number: 11208508. Registered office address: 27 Old Gloucester Street, Holborn, London, United Kingdom, WC1N 3AX. VAT Reg. 299747227

Black Friday, Cyber Monday scams are on the loose, businesses need to prepare

Consumers stumbling to the couch in a turkey-induced coma with their laptop or phone in hand ready to hit the cyber-holiday sales are not alone in being targeted by cybercriminals.

Retailers and businesses also may be affected by the dramatic increase in malicious threats that target shoppers looking for buys on Black Friday and Cyber Monday. This can include being hit with ransomware and having to make the decision whether or not to pay up or risk losing sales during the busiest shopping period of the year.

For retailers much of the damage done may be to their reputation as malicious actors generate hundreds of brand and website-specific email scams and fake websites designed to confuse and entice anxious shoppers.

A study by Zerofox’s Alpha Team has already identified 61,305 potential scams spread across 26 brands. Brick and mortar retailers are the primary focus with 92 percent of the campaigns spotted using a store brand in some manner.

“Scammers likely target brick and mortar retailers in such high quantities because these kinds of scams will be attractive to a larger pool of consumers and thereby potential victims. Fewer consumers are in the market for luxury goods and high-end jewelry than are shopping at large brick and mortar stores that appeal to multiple price points. Brick and mortar stores also carry a wide range of goods, from electronics to jewelry, versus stores that only sell one kind of good,” the report stated.

The threats are generally centered on email campaigns that use the one lure every shopper is interested in, something for nothing. This is usually in the form of a gift card or coupon, but to obtain these items the shopper/victim is required to enter some level of information, at the very least an email or physical address.

The permanent members of Santa’s naughty list also use social media to attract victims. This is done by creating fake accounts and then loading posts with hashtags designed to catch a shopper’s eye, such as #blackfriday or #cybermonday.

Some of the more technical threats involve typosquatting, or creating domains based on popular shopping sites like Amazon, Apple and Target.

“ZeroFOX Alpha Team found 124,000 domains that contain the brand name out of the list of 26 selected for this report. The team filtered the 124,000 domains by Certificate Issuer for legitimate domains,” the security company said.

Source: Zerofox

The massive uptick in internet traffic also presents an opportunity for attackers and a danger to corporate entities whose workers may use either company equipment or its network to make purchases. Tim Erlin, vice president of product management and strategy at Tripwire, cited a recent Tripwire Twitter survey that found 84 percent of security professionals are concerned there is not enough security awareness for consumers to keep them safe online during the holiday shopping season.

“For businesses, there are two ways to look at cyber risks around Black Friday. The first is that, simply because it’s a busier time and more money is flowing through their systems, attackers will be more likely to target them, hoping for the busyness to serve as a diversion. The second way to look at it is from an employee perspective: staff may be shopping online from business-owned assets, thus potentially opening them up to Black Friday scams. For this reason, it would be worth it for business to focus on education and training on how to recognize scams and phishing attempts,” Erlin said.

Then there are the direct threats to business. A retailer, delivery company or distributor’s worst fear is not being able to operate during this time.

“Ransomware and other types of malware are also a concern for businesses around this time of the year. Those that are targeting the business itself ultimately just want the organization to pay the ransom, which can be avoided by having good incident response measures in place and secure, up-to-date backups,” Erlin said.

In addition to being shut down, another huge potential headache is discovering credit card skimming malware like Magecart residing in a chain’s POS system, noted a Sucuri study. It could also mean a retailer could be held liable for any fraudulent charges made on a customer’s card in cases where the card was not present for the purchase.

“New consumer habits, such as buy online, pick up in store (BOPIS), now allow customers to pick up products at physical locations after purchasing them on the retailer’s website – so these transactions become classified as card-not-present. Unfortunately, there are still retail merchants that have little to no authentication process for in-person pickups, making them likely targets for abuse due to a lack of security controls,” Sucuri said.

There are steps e-commerce sites and retailers with an online presence can take to protect themselves not only during the holiday season, but all year long, said Kaspersky.

  • Use a reputable payment service and keep your online trading and payment platform software up to date. Every new update may contain critical patches to make the system less vulnerable to cybercriminals.
  • Use a tailored IT and cybersecurity solution to protect your business and customers.
  • Pay attention to the personal information used by customers who buy from you. Use a fraud prevention solution that you can adjust to your company profile and the profile of your customers.

The post Black Friday, Cyber Monday scams are on the loose, businesses need to prepare appeared first on SC Media.

Fin7 behind DiBella’s data breach affecting 305,000 cards

Fifteen months after DiBella’s Old Fashioned Submarines was notified by the FBI and credit card companies of a data breach, the sandwich shop chain has issued a notice informing its customers of the incident.

The company reported its stores in Connecticut, Indiana, Michigan, Ohio, New York and Pennsylvania may have had the information on as many as 305,000 payment cards compromised. DiBella’s said it was informed by the FBI and its credit card firms on August 27, 2018 of the data breach and that Fin7 were the likely actors behind the attack gaining access to the company’s payment card data and computer system.

The majority of the locations were victimized between March 22, 2018 and December 28, 2018, with its Cranberry, Penn. store possibly being hit as early as September 2017. The customer data involved included individual names, payment card numbers, expiration dates, and CVV numbers, DiBella’s stated.

DiBella’s has not yet returned an SC Media inquiry into why the company waited until now to disclose the issue.

The company does not know which individuals were impacted and said it has not received any customer complaints about their payment cards being misused. But it is warning anyone who visited the locations in question to

The leaders behind FIN7, aka the Carbanak gang, were caught by law enforcement starting in January and June of 2018. In August 2018 the U.S. Department of Justice made public arrests of the three Ukrainian men who allegedly were key players in the cyber gang. However, the arrests did not stop other members of the gang from continuing their activities.

The security notice said the malware found on the company’s system ties the attack to Fin7.

The post Fin7 behind DiBella’s data breach affecting 305,000 cards appeared first on SC Media.

Facebook, Twitter ban malicious SDK that removed member info

Policies and Standards Documentation


Documentation plays a pivotal role in establishing any effective management system. It formalises objectives, strategies and processes. Documentation often acts as the adhesive for the three components of an organisation, i.e. people, process and technology. In information security the importance of documentation is increasing with each passing day. New regulations and frameworks demand detailed and comprehensive documentation to effectively implement an information security programme.

Policies form the backbone of any programme. In simple words, policies depict the intent and direction of senior management. They determine the entire strategy and course of action. Policies are top-level documents approved by senior management to guide the organisation in achieving its strategic goals. Information security policies (such as a data privacy policy, security policy, access control policy or encryption policy) show senior management commitment and set out rules for the entire organisation. It’s pivotal that security policies are written by experienced individuals with an in-depth understanding of organisational objectives and senior management intent.



Finland agency launches smart device infosec certification program

The National Cyber Security Centre Finland (NCSC-FI) within Finnish regulatory agency Traficom today kicked off a smart device certification program designed to inform consumers if certain products meet basic information security standards.

Devices that meet the certification criteria, which are based on consumer Internet of Things standards from the European Telecommunications Standards Institute (ETSI), will receive an official label designating them as NCSC-FI-approved. In a press release, Traficom claims the program makes Finland the first European country to issue certificates for safe smart devices.

“The security level of devices in the market varies, and until now there has been no easy way for consumers to know which products are safe and which are not,” said Jarkko Saarimaki, director of the National Cyber Security Centre Finland (NCSC-FI) at Traficom, in the release. “The Cybersecurity label launched today is a tool that makes purchase decisions easier by helping consumers identify devices that are sufficiently secure.”

The NCSC-FI commenced development of its Cybersecurity label in late 2018 in a pilot project involving smart device manufacturers Cozify Oy, DNA Plc and Polar Electro Oy. A label was granted to Cozify’s Hub for smart homes, DNA’s Wattinen smart heating system and Polar Ignite’s fitness smartwatch, the release states.

The post Finland agency launches smart device infosec certification program appeared first on SC Media.

Stantinko botnet’s monetization strategy shifts to cryptomining

IT Security Consulting


A solution for every business need

We offer a wide range of services within this category. Please contact us today to further explore the areas in which you can improve your IAM systems.


Sen. Kennedy reverses course, says Russia, not Ukraine hacked DNC

Sen. John Kennedy, R-La., Monday walked back claims he made during an on-air interview that Ukrainians could have been behind the hack of the Democratic National Committee (DNC) and Clinton campaign during the 2016 presidential election cycle.

“I was wrong. The only evidence I have and I think it overwhelming is that it was Russia who tried to hack the DNC computer,” the senator told CNN’s Chris Cuomo regarding remarks he had made Sunday to Fox News host Chris Wallace.

After Wallace asked him who he thought was responsible for hacking the DNC and Clinton campaign and pilfering emails, Kennedy replied, “I don’t know. Nor do you. Nor do any of us.” When the news host pointed out that the whole intelligence community agreed the culprit was Russia, Kennedy said, “Right. But it could also be Ukraine. I’m not saying I know one way or the other.”

On Monday, though, Kennedy said he misheard Wallace, believing he was speaking about election interference. On the more narrow issue of the DNC and Clinton campaign hacks, the senator said, “I’ve seen no indication that Ukraine tried to do it.”

Kennedy’s initial remarks came after Fiona Hill, the former senior White House adviser on Russia, asked lawmakers during an impeachment hearing to stop spreading “a fictional narrative” about Ukraine meddling in the 2016 U.S. presidential election, and a report revealed that senators and their aides recently were told by U.S. intelligence officials that the tale was part of a multiyear Russian disinformation campaign.

“The Russians have a particular vested interest in putting Ukraine, Ukrainian leaders in a very bad light,” Hill said. “Based on questions and statements I have heard, some of you on this committee appear to believe that Russia and its security services did not conduct a campaign against our country — and that perhaps, somehow, for some reason, Ukraine did. This is a fictional narrative that has been perpetrated and propagated by the Russian security services themselves.”

But that warning has not stopped many GOP lawmakers from repeating the narrative in defense of President Trump’s pressure on Ukraine to investigate political foe former Vice President Joe Biden and his son Hunter, who sat on the board of a Ukrainian energy company.

The post Sen. Kennedy reverses course, says Russia, not Ukraine hacked DNC appeared first on SC Media.

Catch NYC, Catch Steak hit with payment card skimming malware

Our Services

A solution for every security need

Solutions for every need

Whether you’re a global company or a local business, you have one thing in common: important information that’s at risk of a security breach. IT Security.org services help you overcome challenges specific to your business—whether that’s making you compliant with the latest regulations or designing your security framework. Take a look at our services to see how we can help you today.

compliance

Assess your organization against UK, EU and US legislation and regulations: GDPR, PCI-DSS, ISO27001, Money Laundering, Sarbanes-Oxley.

GDPR Compliance
ISO27001 Compliance
PCI-DSS Compliance
ISO22301 Business Continuity Compliance
ISO29100 - Privacy Compliance

Data protection

Assess your Data Protection environment against recent regulatory and legislative requirements including GDPR.

Virtual Data Protection Officer
Data Security Services

IDENTITY & ACCESS

Ensure that the right individuals access the right resources at the right times and for the right reasons.

IAM Design
IAM Policies, Standards, Procedures And Guidelines

Incident Management

Provision of Incident Management Services to your organisation, including personnel, policies, standards, procedures and guidelines in line with international standards and best practice.

Emergency Incident Response
Forensic Support
Incident Response

INFORMATION SECURITY

Our Consultants are able to lead and deliver any aspect of Information Security.

Emergency Incident Response
Forensic Support
Incident Response

IT Risk Management

ITSecurity.Org can deliver to you a complete risk management framework in line with ISO27005 through to identifying areas of potential risk and designing a customized, complete security solution.

Risk Management Framework
Auditing
Risk Acceptances And Waivers

IT Security Consulting

Whatever your IT Security requirements, ITSecurity.Org can lead and deliver with our experienced IT Security Consultants.

IT Security Governance Services
IT Security Policies And Standards

additional security

ITSecurity.Org have consultants that have extensive experience and expertise in providing the following security services.

Risk Management Framework
Auditing
Risk Acceptances And Waivers

physical security

Physical Security is the first line of defence. ITSecurity.Org is proud to be able to offer the following Physical Security Services.

IT Security Governance Services
IT Security Policies And Standards

policies & standards

ITSecurity.Org provide a wide range of services covering policies and standards throughout their lifecycle including: Framework, Initial risk assessment, creation and authoring, review, compliance and gaps assessments, checklists, evangelising, training and publishing.

IT Security Governance Services
IT Security Policies And Standards

Programme & Project

ITSecurity.Org have consultants that have extensive experience and expertise in leading, delivering and supporting all sizes of Security Initiatives including International and Enterprise-wide Security Initiatives.

Risk Management Framework
Auditing
Risk Acceptances And Waivers

risk management

ITSecurity.Org can lead and deliver risk management for you in line with the international standard ISO27005. Or do you have a more internal focus? Do you need a risk management tool such as Abriska set up, or a risk framework created?

IT Security Governance Services
IT Security Policies And Standards

security awareness

Ensure that you instil a security culture within your organisation. We offer bespoke security awareness courses and training, and guarantee the best fit with your particular organisation.

IT Security Governance Services
IT Security Policies And Standards

security design

ITSecurity.Org can provide all security design and architecture services.

Risk Management Framework
Auditing
Risk Acceptances And Waivers

security metrics

ITSecurity.Org can deliver the Security Metrics that your business needs in line with ISO27004. From specific individual KPIs and KRIs through to full security metrics frameworks with dashboard reporting.

IT Security Governance Services
IT Security Policies And Standards

Technical Security Assessment

Securing online assets and supporting regulatory compliance by exposing the vulnerabilities on the network.

IT Security Governance Services
IT Security Policies And Standards

Third-Party And Supplier Assurance

Many organisations are not conducting third-party assurance as efficiently as they could. Let us show you how we can help.

Risk Management Framework
Auditing
Risk Acceptances And Waivers
