AN EYE-OPENING LOOK INSIDE A NOT-FOR-PROFIT CYBERATTACK


In the first quarter of 2018, we’re already seeing reports of a dangerous ransomware campaign in full swing. Ransomware continues to be a popular cybercriminal approach because of the sheer number of targets that can be infected. Everyone from individual users to large enterprises has been attacked, and infections, small and expansive alike, won’t stop anytime soon.

One of the many aspects of a not-for-profit organization that appears enticing to cybercriminals is the information it holds on the individuals it serves. Not-for-profits can collect health information and act as an intermediary in requesting aid for their constituents through State and Federal Assistance Programs. Even though not-for-profits are targets like any other business and generally have exposure to other types of data, you are all the more attractive to hackers because of the protected health information (PHI) you hold.

Ransomware is big business. As organizations increasingly depend on electronic data and computer networks to conduct their daily operations, growing pools of personal and financial information are being transferred and stored online, a.k.a. “the cloud.”

By now, most organizations of all sizes, as well as individuals, are well aware of the deceptive nature of ransomware. As its name implies, ransomware is malicious software that holds electronic files hostage pending the payment of a ransom, typically with untraceable bitcoin as the currency of choice. The main problem is that the ransomware encrypts a series of files or, worse, the entire hard drive, preventing access to those files. Absent the victim’s ability to restore a backup, the attacker (a.k.a. “hacker”) may withhold the encryption keys required to access the files until the ransom demand is met, or may offer them only for a limited number of hours.

“Unfortunately, ransomware threats continue to emerge as they prove successful for cybercriminals, and more high-profile business targets fall victim to this kind of infection nearly every day. There’s no doubt that ransomware will maintain its reputation as a formidable threat in the cybersecurity industry,” says Rob Kleeger, Managing Director of Digital4nx Group, Ltd.

Organizations must treat mitigating the risks associated with ransomware — data loss, interruption of business operations, and more—as a strategic imperative by implementing a layered security approach that maps to and thus thwarts ransomware attack campaigns.


INCREASINGLY SOPHISTICATED VARIANTS ARE EMERGING

Ransomware is evolving using increasingly sophisticated tactics, techniques, and procedures to execute attacks. 

Ransom amounts are typically measured in the tens of thousands of dollars or less, which is indicative of a business model predicated on a large number of quick and small transactions across a broad set of targets.  While attack methods vary across types of vulnerabilities, the most commonly exploited is human vulnerability via spear phishing.  Traditionally, most infections are launched with a spam email that includes a malicious link or attachment, providing hackers entry into the system and enabling them to deliver the ransomware and lock down the system. 

“Drive-by downloading” is another frequently tapped vector to deliver ransomware payload. The hackers inject malicious code into legitimate webpages, or redirect traffic to spoofed sites, which has proven successful as well. 

The majority of ransomware variants are known as either crypto-based or data-locker based. These variants use sophisticated encryption algorithms to lock down the infected device’s operating system, meaning that all files and data, as well as applications and other system platforms, are rendered unavailable, and system files and associated data are inaccessible to the victim. CryptoLocker is one of the most well-known variants of this kind. The recent Petya attacks fall into this category as well.

The world has seen its fair share of ransomware attacks — the WannaCry and NotPetya attacks were in the past year alone. These attacks were ransom worms tied to information warfare between countries; they managed to affect large entities and forced organizations to rebuild their Active Directory environments.

Dharma is a ransomware-type infection that seeks to encrypt the most valuable information on the victimized computer. Dharma ransomware is a variant of CrySiS ransomware that has been increasingly tied to brute force Remote Desktop Protocol (RDP) attacks. Dharma made its first appearance in November 2016, shortly after the master decryption keys for CrySiS ransomware were publicly posted to the BleepingComputer.com forum.

In addition to bearing technical similarities to CrySiS, Dharma has also been observed infecting victims in similar ways. Both have been tied to a recent spike in brute force attacks on victims with open RDP ports. 

RDP was developed by Microsoft as a remote management tool. It’s commonly exposed on internal networks for administration and support, but when exposed to the wider Internet it can be a dangerous beacon for attackers. Remote Desktop Protocol (RDP) attacks sometimes begin with the infection of one machine, then spread to all other connected computers, and then hold the victim hostage for ransom.

WE DO NOT EXPECT RANSOMWARE TO GO AWAY ANYTIME SOON. On the contrary, it can only be anticipated to make further rounds in 2018, even as other types of digital extortion become more prevalent. Cybercriminals have been resorting to using compelling data as a weapon for coercing victims into paying up. With ransomware-as-a-service (RaaS) still being offered in underground forums, along with bitcoin as a secure method to collect ransom, cybercriminals are being all the more drawn to the business model, according to Trend Micro.

In a recent case for a Digital4nx Group, Ltd. not-for-profit client, we responded to a ransomware attack and learned that one ransomware variant (Dharma) had only locked up files on the local user’s computer. A week later, there was an attack over an RDP connection from a user account which affected the entire user directory on one server, then worked its way across to the domain controller and email server, effectively encrypting the entire operation.

During the investigation, it was learned that the backups maintained by a third-party provider were actually stored on the encrypted server, and that the redundant backup was an external USB hard drive, which was also connected to the server. Unfortunately, the only off-premises backup was months old, so the organization is beginning the process of re-creating its records by re-entering data from paper files and emails. The organization’s insurance coverage is woefully inadequate to cover the incident investigation and notification process. The potential regulatory fines have not yet been determined. Could this ransomware event raise a going-concern question for the organization? Time will tell.

Ransomware isn’t spread indiscriminately. Instead, attackers typically gain access to target servers via weak or stolen credentials, often identifying prospective victims by scanning the Internet for computers with exposed RDP connections.

By using port scanning tools like masscan, attackers can easily hone in on systems with open ports (port 3389 is standard for RDP). Once found, the standard drill is to try to gain access by conducting brute force attacks designed to guess weak or default passwords.

SamSam is one of a growing list of ransomware families that primarily infects victims via exposed RDP ports. SamSam has resurfaced, this time targeting organizations with RDP connections exposed to the Internet.
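Here is the detection side of the RDP brute-force pattern described above, as an added example that is not part of the original post: it walks Windows Security logon events, flags a source that fails RDP authentication repeatedly within a short window, and records a subsequent success from the same source as a likely compromised account. Event IDs 4624/4625 and LogonType 10 are real Windows values; the records, hosts, accounts and addresses are constructed.

```python
"""Flag RDP password-guessing bursts, and the moment a guessed password works,
from Windows Security event records.

Added example, not from the original post. The records below are constructed
in the shape of fields a log collector extracts from Event ID 4625 (failed
logon) and 4624 (successful logon); the event IDs, LogonType 10
(RemoteInteractive, i.e. RDP) and the field names are real Windows values,
while the hosts, users, addresses and timestamps are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10          # RemoteInteractive: Terminal Services / RDP
BRUTE_FORCE_THRESHOLD = 20   # failures from one source inside the window
WINDOW = timedelta(minutes=5)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def analyze_rdp_events(events, threshold=BRUTE_FORCE_THRESHOLD, window=WINDOW):
    """Return findings keyed by source IP for sources that exceeded the
    failure threshold inside the sliding window. A later RDP success from
    the same source within the window is recorded as a compromised account."""
    rdp = sorted(
        (e for e in events if e["LogonType"] == RDP_LOGON_TYPE),
        key=lambda e: datetime.strptime(e["Time"], TIME_FMT),
    )
    recent = defaultdict(list)   # ip -> failure timestamps still in the window
    totals = defaultdict(int)    # ip -> every failure seen from that source
    users = defaultdict(set)     # ip -> account names guessed
    findings = {}
    for e in rdp:
        ip, user = e["IpAddress"], e["TargetUserName"]
        t = datetime.strptime(e["Time"], TIME_FMT)
        if e["EventID"] == FAILED_LOGON:
            totals[ip] += 1
            users[ip].add(user)
            hist = recent[ip]
            hist.append(t)
            while t - hist[0] > window:      # expire failures older than the window
                hist.pop(0)
            if len(hist) >= threshold and ip not in findings:
                findings[ip] = {"compromised_account": None}
        elif e["EventID"] == SUCCESS_LOGON and ip in findings:
            # Success from a source already flagged, shortly after its guesses:
            # treat the account as compromised rather than as a normal logon.
            if recent[ip] and t - recent[ip][-1] <= window:
                findings[ip]["compromised_account"] = (user, e["Time"])
    for ip, f in findings.items():
        f["failed_attempts"] = totals[ip]
        f["usernames_tried"] = sorted(users[ip])
    return findings


def _event(event_id, when, user, ip, logon_type=RDP_LOGON_TYPE):
    return {"EventID": event_id, "Time": when.strftime(TIME_FMT),
            "LogonType": logon_type, "TargetUserName": user, "IpAddress": ip}


def constructed_events():
    """Constructed sample: normal LAN activity plus one Internet-sourced
    guessing burst that ends in a successful logon to a weak account."""
    t0 = datetime(2018, 2, 11, 3, 10, 0)
    events = [
        _event(SUCCESS_LOGON, t0, "jsmith", "192.168.10.20"),            # normal RDP logon
        _event(FAILED_LOGON, t0 + timedelta(seconds=98), "jsmith",
               "192.168.10.21"),                                        # one typo, not an attack
        _event(FAILED_LOGON, t0 + timedelta(minutes=2), "svc_backup",
               "127.0.0.1", logon_type=2),                               # console logon, not RDP
    ]
    guesses = ["administrator", "admin", "backup", "scanner", "helpdesk"]
    burst = t0 + timedelta(minutes=4)
    for i in range(25):                                                  # one guess per second
        events.append(_event(FAILED_LOGON, burst + timedelta(seconds=i),
                             guesses[i % len(guesses)], "203.0.113.45"))
    events.append(_event(SUCCESS_LOGON, burst + timedelta(seconds=31),
                         "backup", "203.0.113.45"))                      # the guess that worked
    return events


SAMPLE_EVENTS = constructed_events()

if __name__ == "__main__":
    for ip, f in analyze_rdp_events(SAMPLE_EVENTS).items():
        print(f"{ip}: {f['failed_attempts']} RDP failures, tried {f['usernames_tried']}, "
              f"compromised: {f['compromised_account']}")
```

The single mistyped password from the LAN and the console failure never reach the threshold, so only the Internet source is reported, together with the account that was finally opened.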

SECURING RDP IS THEREFORE KEY

Ransomware is also exploiting application vulnerabilities, as is the case with SamSam, which takes advantage of vulnerabilities in certain web application stacks, and others that exploit vulnerabilities in Adobe Flash.  Trend Micro has reported the most consistent target of those attacks has been healthcare providers in the United States. One Dharma victim, ABCD Children’s Pediatrics in San Antonio, was forced to notify 55,447 patients that their personal data had been encrypted and therefore potentially exposed to hackers.

We know that some not-for-profit organizations collect health information and act as an intermediary in requesting aid for their constituents through State and Federal Assistance Programs. Even though not-for-profits are targets and generally have exposure for other data (see the following use cases), we want to emphasize your added attractiveness to hackers because of protected health information (PHI) and the related ransomware example.
 

DIGITAL4NX GROUP, LTD. HAS BEEN RESPONDING TO OTHER CYBER BREACHES COVERING SPEARPHISHING FOR WIRE TRANSFERS, PURCHASE OF GIFT CARDS, W2 TAX AND PAYROLL INFORMATION, AND VARIOUS CRIMINAL ACTIVITIES, WHERE WE SEE A PATTERN CONNECTED TO THIRD-PARTY IT PROVIDERS WHOSE SECURITY PERFORMANCE LEVELS ARE SUBPAR.
 

Because hackers have an array of variants and infection techniques to choose from, ransomware infections do not all look or operate the same way. While one infection may begin with an email and result in all data being encrypted, another may come from a malicious website and end with the entire operating system being locked down. This variation makes it difficult for users to guard against threats — but protection is not impossible.

Everyone with sensitive or important data should make backups, preferably on external disks or some combination of cloud servers and external disks that one has physical access to.

Part of the problem is a disparity in perception of risk between those on the ground — the IT teams that see the vulnerabilities and understand the threats — and those higher up. Board members don’t see the risk if everything is status quo. CFOs are focused on spending time and money on efforts that will result in profit and gains, not the far less glamorous idea of protecting their data. Business leaders need to ensure they’re doing everything they can to prevent successful infections in the first place. Ask yourself if it’s pragmatic to restore from your backups if you become a ransomware victim.

Ransomware victims should avoid paying ransoms to their cyber attackers: sometimes an attacker won’t decrypt files even when a ransom is paid, and every payment made to ransomware attackers makes ransomware profitable for criminals and encourages those actions to continue.

Best Practice Tips:

DO THE BASICS AND PLAN:
Security really doesn’t have to be difficult, or even expensive. Strong passwords, two-factor authentication, security patches, continuous end-user training, isolated backups and hardened systems and networks can make all the difference.

SECURE RDP:
Remote Desktop has become one of the most popular tools for attackers to abuse. Make sure you secure it by doing the following:

  • Restrict access behind firewalls and by using an RDP Gateway or VPN
  • Use strong passwords and two-factor authentication
  • Limit users who can log in using remote desktop

Test your backup systems:

To ensure that you survive a ransomware attack, the often-missed fundamental best practices, such as automating full and differential backups and keeping backups offline, are required; together they provide a defense-in-depth approach to combating ransomware.

Patching is fundamental.

What won’t help is throwing money at the problem and investing in software costing thousands or hundreds of thousands of dollars if employees are neglecting basic system updates. Attackers are opportunists looking for an easy way in, and they look where they think you’ll have your guard down.

Cyber Insurance:

Make sure you have a standalone cyber insurance policy and not a rider with minimum coverage of $25,000 or $50,000. Such limits are inadequate given publicly documented incident costs, and this risk continues to grow as a result of high-profile data breaches and growing awareness of the almost endless range of exposures businesses face.

Whether it’s credit card fraud, identity theft, email hacking, ransomware, account stealing or any other number of activities — you’re in the midst of an online war and you may not even know it.

Employee Awareness Training:

The goal is to ensure that employees at all levels are aware of how to identify, control, and mitigate loss of confidential data in a secure technical environment that meets acceptable security standards. Protecting an organization from cyber-threats, such as malicious hackers, requires everyone’s participation.

We find the weakest link in many organizations is an untrained employee who does not understand the value of the information that they control. They are often susceptible to social engineering and other human-based attacks. 

Billions of dollars are spent each year combating cybercrime and yet the number, intensity and severity of attacks keeps increasing.
 

Why doesn't data security get the respect it deserves?

Data breach “horror” stories have become a new staple in today’s business environment.  The frequency of attacks which threaten (or compromise) the security of business networks and information systems continually increases.

Wells Fargo accidentally leaked thousands of sensitive documents, but not in the sophisticated way often portrayed in the media. The bank wasn't hacked, and its computers weren't encrypted by ransomware.

A lawyer representing Wells Fargo in a lawsuit now has to explain how she inadvertently turned over confidential information about thousands of bank clients. She inadvertently sent 1.4 gigabytes of files to a former financial adviser who had subpoenaed the company as part of a lawsuit against one of its current employees. The data set includes at least 50,000 customers' names, Social Security numbers and sensitive financial information, according to The New York Times, which confirmed the contents of the documents; the affected clients are some of Wells Fargo's wealthiest, with investment portfolios worth tens of billions of dollars.

Will the NJ-based law firm have potential liability exposure to its lawyers?

Only time will tell. 

Judges in New York and New Jersey have issued orders barring further release of the documents, requiring the plaintiff to delete any document copies, and requiring the plaintiff to give the digital file to the court for safekeeping.

For nearly two decades, I have been assisting businesses of all sizes dealing with ESI (Electronically Stored Information) being misappropriated, lost, stolen, or spoliated. Over 50% of the cases deal with theft of trade secrets, restrictive covenants and non-competes, spoliation and, within the past decade, data breaches.

Seventy-four percent of organizations felt vulnerable to insider threats, while almost half of surveyed security professionals said that insider risks had increased in the past year, resulting in greater rates of stolen data and security breaches. (Source: a recent industry study by Delta Risk.)

The business sector continues to have the highest percentage of total breaches reported — 54.7 percent at the six-month mark.

NOTE: I SAID REPORTED! 

MUCH OF THE MEDIA AND WHAT IS KNOWN IS ONLY A SMALL PERCENTAGE OF CASES REPORTED.

Although data security and breach response are constantly in the headlines, studies demonstrate that organizations remain unprepared to effectively respond to a data breach.

Is your organization ready? 

Business leaders need to take a different approach and peel the bandages off from the past and identify what and where their "crown jewels" are.  Information security has, by necessity, changed a lot from a strategic perspective.   Back in the day, tall walls and clever architecture were all we needed to keep criminals out… Castles emerged in Europe in the Medieval period during the 10th century, built to provide protection from enemies. Later, castles became status-symbol residences for monarchs and royalty (the crown jewels).   The weakest part of the castle’s defenses was the entrance. To secure access to the castle, drawbridges, ditches and moats provided physical barriers to entry. 

It's no longer good enough to ensure end-to-end protection within the walls of your enterprise.

In the case of Wells Fargo and their outside law firm, this should serve as a wake-up call about third parties, any one of whom could cause real financial and reputational damage if compromised.

So why are firms not spending more time focusing on understanding what and where the sensitive data is?

Throwing Money at Cyber Security is NOT the Answer. 

Before spending a penny, or a dollar, more on any technology, one must ask:

Have we got the basics right?

It’s often the basic hygiene, the basic controls, that are overlooked in the search for the panacea that does not exist. Most security breaches can be prevented by having layered cyber security controls throughout the enterprise. Most organizations, however, are spending a large amount of money protecting their perimeter from the hacker hooligans; while that is necessary, a determined attacker is often unstoppable. Meaning, if your firm is targeted by a hacker or a hacking organization, no matter how secure your perimeter is, most security experts will confirm that there is nothing you can do to prevent it from happening.

For years, I’ve been saying “People are the weakest link.” Conversely, they are also the best front line of defense to prevent or detect a possible cyber incident.

Unfortunately, Cyber ignorance or "cyber fatigue" has set in. 

As stated earlier, most organizations are building defenses around the castle but don’t have good controls around the data in their business, which is what is most vulnerable.

Please feel free to contact me for a fixed fee "Ethical Hacking" assessment or if I can be of any assistance to you.

Digital4nx Group, Ltd. provides Digital Forensic Investigations, Electronic Discovery Consulting and Advisory Service, Incident Response to Data Breaches and Cyber Security services such as “Ethical Hacking”. 

The official NY DFS Cyber Security Regulations are in...

The New York State Department of Financial Services (NYDFS) has launched a significant initiative to impose detailed cyber security requirements on covered financial institutions. The Final Rules, published here, go into effect on 1 March 2017.

The New York Department of Financial Services (NYDFS) has proposed regulations that require all financial services businesses operating in New York to develop and maintain a comprehensive cybersecurity program.  The regulations impose significant, yet minimum cybersecurity requirements, and mandate board of director involvement and accountability. 

Where does this have an impact?

The NYDFS proposed regulations apply to every business operating in New York that is required to have a “license, registration, charter, certificate, permit, accreditation or similar authorization” under New York’s banking, insurance or financial services law.

Who are the Institutions regulated by DFS?

While this includes banks and insurers, it also includes related businesses. Brokers, including mortgage and insurance brokers, as well as bail bond agents, check cashers, non-profit credit counselors and budget planners, licensed lenders, premium finance agencies, and others, are potentially subject to the regulations. You can see the other NYDFS supervised businesses discussed here.

What Do You Need to Know?

As a first step, determine whether your organization is covered. Note: the scope of the regulations is broad, but there are exemptions.

Step 1 - Is my company exempt? If so, a certificate of exemption must be filed with NYDFS within 30 days of that determination. **

**Exemptions: 

1- “fewer than 10 employees, including any independent contractors of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity.” (Section 500.19(a)(1)).

2-  Covered Entities with less than US$5M in gross revenue from its New York business operations (or its affiliates’ operations). Note - Some larger financial institutions with a smaller New York “footprint” may qualify for either (or both) of these new limited exemptions. 

3- Certain captive insurance companies that do not control, use, or possess Nonpublic Information beyond that information relating to its parent and affiliate companies.

Step 2 - Retention: a Chief Information Security Officer (CISO) must be designated no later than 28 August 2017.

Step 3 - Organizations need to understand and/or update their risk profile.

NOTE- The types of entities listed above receive only limited exemptions under the regulations. 

How does this impact my business?

The cybersecurity program must serve six core functions:

  1. IDENTIFY INTERNAL AND EXTERNAL CYBER RISKS;

  2. USE DEFENSIVE INFRASTRUCTURE;

  3. DETECT CYBERSECURITY EVENTS;

  4. RESPOND TO AND MITIGATE IDENTIFIED OR DETECTED CYBERSECURITY EVENTS;

  5. RECOVER FROM CYBERSECURITY EVENTS AND RESTORE NORMAL OPERATIONS; AND,

  6. MEET REGULATORY REPORTING OBLIGATIONS.

In addition, the cybersecurity programs must include regular employee training on cybersecurity, and contain controls sufficient to monitor user activity and detect unauthorized user access.

When does this compliance go into effect?

The requirement dates for the Final Rules are as follows:  

* September 1, 2018 is a Saturday. New York law provides that when a compliance date falls on a weekend or holiday, the due date is the next business day – in this case, Tuesday, September 4, 2018 (as Monday the 3rd is Labor Day).

Questions:

For several years, Digital4nx Group has been providing "Ethical hacking" Security assessments, which we define as, a service where we attack your network and computer systems using real-world tools and techniques in order to find security weaknesses. Having an independent team of experts audit your security is a valuable tool that is guaranteed to uncover vulnerabilities and greatly increase your level of security.  

For many organizations, and especially organizations regulated by DFS, Digital4nx Group will be providing a solution called Cyber Vigilance™. This annual service is a set of proactive services designed to simulate a real-world attack on your network, without the end goal of causing harm, in order to identify, prioritize and remediate information security issues and potential exposures which could cause various risks for the organization.

For more information, please give us a call or learn more about the program here and return the attached questionnaire for a fixed fee price.

Always seek experienced legal advice.

Is Cyber Fatigue putting everyone in danger?

I am sure that most people today are simply tired of the constant news about hacking of the election, a financial services firm that has been compromised, or, worse, your PII (Personally Identifiable Information) and PHI (Protected Health Information) being sold on the Dark Web.

A majority of computer users suffer from “security fatigue” — a weariness of or reluctance to engage with cybersecurity — that leads them into risky behavior online, according to a new study by scientists from NIST (the National Institute of Standards and Technology). In short, they found that users’ weariness led to feelings of “resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue.” In turn, that made them prone to “avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules” both at work and in their personal online activities, including banking and shopping.

The report’s authors write, “Users are tired of being overwhelmed by the need to be constantly on alert, tired of all the measures they are asked to adopt to keep themselves safe, and tired of trying to understand the ins and outs of online security. All of this leads to security fatigue, which causes a sense of resignation and a loss of control.”

These findings have direct implications for businesses that are legally required to protect personal and financial data, including retailers, financial and healthcare businesses, law and other professional services firms. 

Cybercrime activities like phishing, spear phishing, business email compromise and social engineering all rely on innocent but unwary employees being led to do the cyber criminal’s dirty work. 

If the US Government, Fortune 500 companies, High Tech firms, Financial Institutions, Health Care Organizations and Universities with all of their resources were unable to stop the attacks... 

What possible chance can a small/medium business have?

The answer is: more than you would think.  

Digital4nx Group, Ltd. recognizes that the greatest vulnerability in most organizations comes from their own people.  

We have been providing fixed fee "ethical hacking" Security assessments, which we define as, a service where we attack your network and computer systems using real-world tools and techniques in order to find security weaknesses.  The goal of an ethical hack security exercise is not to reveal deficiencies in the performance of your IT team, but rather to support them. We often find that IT teams are pressured to make things easy-to-use and functional, maintain software updates and patches, and keep the users up and running.  

Our ethical hacking assessment aids the IT team, giving them a road-map for making their networks much more secure, identifying the sensitive information which the organization maintains, and improving the reasonable security measures appropriate for that organization.

Having an independent team of experts audit your security is a valuable tool that is guaranteed to uncover vulnerabilities and greatly increase your level of security. 

Even small businesses can interrupt this chain of events at several points, making it much more difficult for cyber criminals to gain a foothold.

We commonly find that we gain some of our initial access to a company’s systems by tricking users into providing their passwords. Once we have those passwords, we can leverage them to gain additional access to other systems.

The below techniques are simple and inexpensive:

  • Make sure everyone in your company understands phishing schemes and how to recognize them.  A phishing scam is an attempt to trick someone into providing username and password information to a hacker.  Spearphishing is a phishing attack customized to a particular individual.
  • Do not allow people to have administrative privileges on their computers.  This prevents them (or viruses acting under their credentials) from installing hacking tools on a computer.
  • Change passwords regularly and use different passwords for different accounts.  In other words, the password to your work computer should be different from the one you use on, say, your Yahoo account.  Password manager software (such as LastPass, KeePass, Dashlane,...) makes it easy to track and change passwords.
  • Ensure your computers install security updates from Microsoft, Apple, and Adobe automatically.
  • Install antivirus software on your computers.
  • Install a firewall if you don’t have one, and review your firewall to tighten it up as much as possible.  A firewall is a device that stands between your network and the rest of the world, blocking unauthorized access.
  • Configure spam filters to be as restrictive as possible and use Sender Policy Framework (SPF) records to reduce the likelihood of phishing messages.
  • Confirm backups run regularly and periodically test those backups.
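The SPF item in the list above, as an added example that is not part of the original post: it evaluates a domain's SPF record against the connecting IP the way a receiving mail server would, and contrasts a record ending in -all with one ending in ?all, which lets spoofed mail through as neutral. The records, domain and addresses are constructed, and DNS-dependent mechanisms such as include are reported as unresolved rather than looked up.

```python
"""Evaluate a domain's SPF record against the IP a message arrived from.

Added example, not from the original post. Records, domains and addresses
are constructed. The syntax handled (v=spf1, ip4/ip6 mechanisms, the
qualifiers + - ~ ?, and the 'all' mechanism) follows RFC 7208; mechanisms
that need DNS lookups (include, a, mx, ptr, exists, redirect) are reported
as unresolved instead of being looked up, so the example runs offline.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split a record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if "=" in name:                 # modifier form, e.g. redirect=... or exp=...
            name, _, arg = name.partition("=")
        parsed.append((qual, name.lower(), arg))
    return parsed


def check_sender(record, sender_ip):
    """Return (result, unresolved): the SPF result of the first matching
    mechanism, or 'undetermined' when a DNS-dependent mechanism was skipped
    before that match and could have changed the outcome."""
    ip = ipaddress.ip_address(sender_ip)
    unresolved = []
    for qual, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return ("permerror", unresolved)
            if ip.version == net.version and ip in net:
                break
        elif name == "all":
            break
        elif name in NEEDS_DNS:
            unresolved.append(name)
        elif name != "exp":             # exp is an explanation modifier, safe to ignore
            return ("permerror", unresolved)
    else:
        return ("neutral", unresolved)  # nothing matched and no 'all' term
    if unresolved:
        return ("undetermined", unresolved)
    return (QUALIFIERS[qual], unresolved)


def assess_record(record):
    """How much a record restrains spoofing, judged by its 'all' qualifier."""
    for qual, name, _ in parse_spf(record):
        if name == "all":
            return {"-": "strict", "~": "soft", "?": "no protection", "+": "open"}[qual]
    return "no all term"


# Constructed records for a hypothetical domain whose real mail servers sit
# in 203.0.113.0/24 and 2001:db8::/32 (documentation address ranges).
STRICT_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
WEAK_RECORD = "v=spf1 ip4:203.0.113.0/24 ?all"
DELEGATED_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"

if __name__ == "__main__":
    spoofer = "198.51.100.7"   # constructed: a host the domain never authorized
    for label, rec in (("strict", STRICT_RECORD), ("weak", WEAK_RECORD)):
        print(f"{label} record ({assess_record(rec)}): spoofed sender ->",
              check_sender(rec, spoofer)[0])
```

A receiving server that enforces the strict record rejects the spoofed message, while the ?all record yields only neutral, which most receivers treat the same as having no SPF at all.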

 

Questions?  Concerns?  Want some help conducting a cyber security risk assessment?  Give us a call, we’re happy to help.

PS- For those who are not cyber fatigued and interested in reading about the Department of Homeland Security report detailing Russian civilian and military efforts to hack organizations, companies, and educational institutions in the United States, you can read it here.


What is the right type of security assessment for your firm?

The most common question when evaluating which solution is the best fit for your organization is:

" What's the difference between a vulnerability assessment and penetration assessment? "

 

The two are often incorrectly used interchangeably due to marketing hype and other influences which has often created much confusion.  

With that in mind, I’d like to try to clarify the distinctions between vulnerability assessments and pen tests and hopefully eliminate some of the confusion.

From our perspective, a Vulnerability Assessment deploys an automated tool which scans the IT infrastructure and reports the results. The tool's job is to identify all systems and the associated applications and services they are running. Based on this information, the tool attempts to identify issues such as missing patches, default passwords, and known exploits. All the problems the tool has identified are then presented in a vulnerability assessment report.

It’s important to keep in mind that these scanners use a list of known vulnerabilities, meaning ones already known to the security community, to hackers and to the software vendors. Vulnerabilities that are unknown to the public at large will not be found by these scanners.

"Vulnerability assessments are most often confused with penetration tests and often used interchangeably, but they are worlds apart."

A Penetration Assessment simulates a real-world attacker who takes actions against the external and/or internal systems with the aim of breaching the organization's information security. Using many tools and techniques, the penetration tester, aka "ethical hacker", attempts to exploit critical systems and gain access to, and/or administrative control over, sensitive data.

This assessment typically uses vulnerability scanning as well as other manual and proprietary methods and tools to efficiently get a picture of a company's fundamental security and to identify attack vectors into the organization.

Unlike vulnerability assessments, ethical hacking takes into account mitigating controls and the potential impact of a vulnerability. It brings in the human factor, aka "social engineering", and often pieces together the identified vulnerabilities in order to understand their combined impact and to dive deeper into the environment, well past the first layer of your systems' security.

Many factors are considered when performing a risk analysis. A risk analysis doesn't require any scanning tools or applications; it is a discipline that analyzes a specific vulnerability (such as a line item from a penetration test) and attempts to ascertain the risk to the company, including financial, reputational, business continuity, regulatory and other risks, if the vulnerability were to be exploited.

When a risk analysis is completed, it yields a final risk rating together with mitigating controls that can further reduce the risk. Business decision makers can then take the risk analysis and the suggested mitigating controls and decide whether or not to implement them.

In summary, a technician runs a vulnerability scan while a hacker performs a penetration test. The tools used for a penetration test are varied and dynamic, but it is not the tool that performs the test; it is the tester.

Vulnerability Assessments are often automated; they look for known vulnerabilities in your systems and report potential exposures. A vulnerability assessment answers the question: “What are our weaknesses and how do we fix them?”

Penetration Assessments are designed to actually exploit weaknesses in the architecture of your systems. A penetration assessment answers the question: “Can someone break in, and what can they attain?”

Ideally, you will want to run a penetration test once a year. Vulnerability scans should be run continuously.

NOTE: Penetration tests should be run by an outside consultancy so that you gain the benefit of independence.

Together, penetration testing and vulnerability scanning are powerful tools used to monitor and improve information security programs.

Misunderstanding can put your company at risk – and cost you a lot of money!

Still have more questions on where to get started, or need assistance conducting an evaluation of your organization’s security posture?

Contact Digital4nx Group, Ltd. to find your organization's information security weaknesses and the valuable assets an advanced threat could obtain.

Digital4nx Group, Ltd. provides Digital Forensic Investigations, Electronic Discovery Consulting and Advisory Service, Incident Response to Data Breaches and Cyber Security services such as “Ethical Hacking”. 

Don't be harpooned...

Business Email Compromise, or BEC, attacks have been observed targeting top executives in companies large and small. The fraudsters who specialize in this fraud have a new trick up their sleeves.

In a recent case, a firm hired a new CFO in January. Within weeks of his arrival, he received spoofed emails from the organization’s CEO, asking human resources and the accounting department for employee W-2 information.

Fraudsters go for W-2 information because it contains virtually all of the data they would need to fraudulently file someone’s taxes and request a large refund in their name.

These scams are quite sophisticated and have been very successful. What's different about them is that the thieves are not taking the money directly; they are persuading employees in trusted positions to unknowingly send it to them.

They often attempt to find out when the executive might be travelling, and often compromise other employees’ inboxes beforehand via a phishing attack to gain access and scan the content for keywords that show whether the company regularly sends wire transfers. Once access has been gained, they tailor the emails with wording that makes it appear as though the executive is in urgent need and out of the office, adding “sent from my mobile device” as the signature.
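As an added illustration for the mailbox defenders in HR and accounting (this is not code from the original post or from Digital4nx), the tells described above can be turned into a simple triage heuristic: an executive's display name on an address outside the company domain, a request for W-2 or payment data, urgency wording, and the "sent from my mobile device" signature. The organisation domain, executive names and sample messages below are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Hypothetical organisation data; a real deployment would read these from a directory.
ORG_DOMAIN = "example.org"
EXECUTIVE_NAMES = {"jane doe", "john roe"}

# Tells from the post: W-2 / payment requests, urgency, and a mobile-device signature
# used to excuse the missing corporate signature block.
SENSITIVE_REQUEST = re.compile(r"\b(w-?2s?|wire transfer|bank details|payroll data)\b", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|asap|immediately|right away|today)\b", re.I)
MOBILE_SIGNATURE = re.compile(r"sent from my (mobile device|iphone|ipad|android)", re.I)


def bec_indicators(msg):
    """Return the list of BEC indicators in a message dict with 'from', 'subject', 'body'."""
    reasons = []
    name, addr = parseaddr(msg.get("from", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Executive display name on an address outside our domain: a spoofed identity
    if name.strip().lower() in EXECUTIVE_NAMES and domain != ORG_DOMAIN:
        reasons.append("executive display name on external address %s" % addr)
    text = "%s\n%s" % (msg.get("subject", ""), msg.get("body", ""))
    if SENSITIVE_REQUEST.search(text):
        reasons.append("requests W-2 / payment data")
    if URGENCY.search(text):
        reasons.append("urgency wording")
    if MOBILE_SIGNATURE.search(text):
        reasons.append("mobile-device signature")
    return reasons


def flag_messages(messages, threshold=3):
    """Return ids of messages carrying at least `threshold` indicators, for human review."""
    return [m["id"] for m in messages if len(bec_indicators(m)) >= threshold]


# Constructed sample mailbox: one spoof modelled on the case above, two benign messages.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "from": "Jane Doe <jane.doe.ceo@example-mail.test>",
     "subject": "Urgent: W-2s for all employees",
     "body": "Please send me the W-2 forms for all staff today.\n\nSent from my mobile device"},
    {"id": "msg-2", "from": "Jane Doe <jane.doe@example.org>",
     "subject": "Lunch on Friday", "body": "Are you free for lunch on Friday?"},
    {"id": "msg-3", "from": "HR Team <hr@example.org>",
     "subject": "W-2 forms available",
     "body": "Your W-2 is now available in the payroll portal."},
]
```

Only msg-1 crosses the review threshold; the genuine HR notice mentions W-2s but carries none of the other tells, which is why a single keyword should never be the whole rule.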

Be Wary!

What exactly is Spoliation?

What is spoliation? Spoliation is simply the destruction of evidence. In its simplest form, spoliation is the destruction of, or failure to preserve, evidence that is necessary for use in contemplated or pending litigation. It may be willful, negligent or, in some situations, accidental, and the term has even been applied to destroyed evidence that would have been helpful in litigation not yet contemplated.
