Financial Services & BEC – Phishing tales!

financial services phishing

Recently, Brent – MSI’s CEO – put together a Business Email Compromise checklist to help our clients combat phishing attempts, and prepare to discover and remediate successful attempts. The checklist:

  • Enumerates attack vectors
  • Briefly reviews impacts
  • Lists control suggestions mapped back to the NIST framework model

But, what does that mean for you? Our team put together an educational series based on the checklist, to help security programs at all levels. The next thing we’d like to share are a few war stories – tales from the field in various industries. These are drawn from our security and incident response work in these industries, and call out specific attack vectors and points to consider for these entities.

Continue reading

BEC #6 – Recovery

A few weeks ago, we published the Business Email Compromise (BEC) Checklist. The question arose – what if you’re new to security, or your security program isn’t very mature?

Since the checklist is based on the NIST model, there’s a lot of information here to help your security program mature, as well as to help you mature as a security practitioner. MSI’s engineers have discussed a few ways to leverage the checklist as a growth mechanism.

Part 1 and Part 2 covered the first checkpoint in the list – Discover. Part 3 covered the next checkpoint – Protect. Part 4 continued the series – Detect. Part 5 addressed how to Respond.

Continue reading

How to Respond – BEC Series #5

A few weeks ago, we published the Business Email Compromise (BEC) Checklist. The question arose – what if you’re new to security, or your security program isn’t very mature?

Since the checklist is based on the NIST model, there’s a lot of information here to help your security program mature, as well as to help you mature as a security practitioner. MSI’s engineers have discussed a few ways to leverage the checklist as a growth mechanism.

Part 1 and Part 2 covered the first checkpoint in the list – Identify. Part 3 covered the next checkpoint – Protect. Part 4 continued the series – Detect.

Now we’ll move along to one of the most important parts of the checklist – Respond.

Continue reading

Micro Podcast – Business E-mail Compromise – “Identify”

In this episode of the MSI podcast, we begin our series on the business email compromise checklist. While BEC is a significant issue and a common form of compromise leading to fraud, there are several things you can do to combat this form of attack. The first step is to “Identify” the threat at hand.

https://s3.amazonaws.com/MSIMedia/MSIMicro_004_Identify.mp3

If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.

About the Ohio Data Protection Act

The Ohio Data Protection Act differs from others in the country in that it offers the “carrot” without threat of the “stick.” Although companies are rewarded for implementing a cyber-security program that meets any of a variety of security standards, having a non-compliant program carries no penalty under this act.

The theory is that Ohio companies will be more willing to put resources into their information security programs proactively if a tangible return on their investment is available; like investing in insurance to hedge risk. Alternatively, if there is no threat of penalty for non-compliance, why wouldn’t a business simply adopt a wait and see attitude? After all, most companies do not have big data breaches, and developing and documenting a compliant information security program is expensive.

Continue reading

Incident Response: Practice a Must!

Whether you are trying to comply with HIPAA/HITECH, NAIC Model Laws, SOX, PCI DSS, ISO or the NIST Cybersecurity Framework, you must address incident response and management. In the time I have been involved in risk management, I have seen an ever-growing emphasis being placed on these functions.

I think that one of the reasons for this is that most of us have come to the realization that there is no such thing as perfect information security. Not only are data breaches and other security incidents inevitable, we are seeing that there are more and more of them occurring each year; a trend I don’t expect to change anytime soon. In addition, people are becoming increasingly concerned with their privacy and protecting their proprietary information. In response, regulators are becoming tougher on the subject too.

Continue reading

Get your magnifying glass – time to detect! BEC Series #4

A few weeks ago, we published the Business Email Compromise (BEC) Checklist. The question arose – what if you’re new to security, or your security program isn’t very mature?

Since the checklist is based on the NIST model, there’s a lot of information here to help your security program mature, as well as to help you mature as a security practitioner. MSI’s engineers have discussed a few ways to leverage the checklist as a growth mechanism.

Part 1 and Part 2 covered the first checkpoint in the list – Discover. Part 3 covered the next checkpoint – Protect. Now we’re going to move on to the next point – Detect.

Continue reading

Complex Does Not Equal Strong

Another year, and again, another annual report (this one from SplashData) lists the easy and bad passwords have remained relatively unchanged.

As a domain network administrator, you may not be terribly concerned. You think you have a robust password policy as well as an account lockout policy to prevent brute force attacks. Your users cannot use any of those simple passwords on that list. No simple guessing a password is going to let an attacker into your network. Think again.

Most corporate domain password policies require complex passwords with a minimum password length. Many implement a minimum password length of 7 through 10, and with most password complexity rules, passwords should contain characters from 3 of 4 categories: uppercase, lowercase, numerals and special characters. Often times, the password is also restricted from containing the account name as well.
Continue reading

The mathematician as extortionist: ransomware “smart” contracts

The mathematician as extortionist: ransomware “smart” contracts

Source: https://en.wikipedia.org/wiki/Brazen_head


A few weeks ago I wrote about the “proof of work” concept inherent in the implementation of the blockchain used to support bitcoin.  I have continued down the blockchain path and have been exploring another child of the blockchain revolution:  Ethereum.

Continue reading