What are the four questions every CEO should ask after a breach? According to an article on inc.com they are:

1. What information was impacted?

Not all information is created or valued equally. In general, Personally Identifiable Information (PII) is valued more highly by both cybercriminals and regulators. This means that the ramifications for losing this type of information are greater than for losing other, more generic types of information.

2. How many customers were impacted?

Of course, the more customers, the worse the breach in general and the more likely you are to find yourself in the press. But beyond that, the size of the breach determines how you will notify the victims and whether or not you may find yourself in a class action lawsuit.

3. What geographies were impacted?

Breaches are handled differently in different parts of the world. Who you must report to, how quickly you must report and what is considered personal information all varies depending upon who has jurisdiction.

4. Do we have logs?

Logs are the history of what actions took place on a database or server. Logs are crucial! They hold the entire history of the event and the more accurate and detailed the better. Without good logs your technical team is at a huge disadvantage when attempting to piece together how the breach occurred and what actions were taken in response.

Your Quick-Start Road Map

In summary, knowing what information was compromised, how many individuals were impacted, where they were impacted and how well your team and security measures responded to the breach provides you and your C-Team the information you need in a capsule summary format.

You will quickly know what types of ramifications to expect and what other resources you will need. Of course, as the event continues to unfold you will need additional, more granular information but the answers to these four simple questions will serve you well as a “quick-start road map” to your journey ahead.

The Case for Managed Security Services

If an ounce of prevention is worth a pound of cure, then Konsultek’s managed security services may be the best way to keep your organization out of the headlines and focused on your core competencies. To learn more about the advantages of managed security services, please give us a call.


It’s hard to imagine but the FBI’s IC3 turns 17 this year and in the spirit of National Cyber Security Month we thought we’d take a moment to highlight this valuable resource.

The Internet Crime Complaint Center (IC3) was established in May 2000 as a partnership between the National White Collar Crime Center (NW3C) and the Federal Bureau of Investigation. The organization gives victims of cybercrime a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations. IC3 provides law enforcement and regulatory agencies at all levels a central referral system for complaints involving Internet-related crimes.

Here’s How the Process Works Today

Filing a Complaint with the IC3

The IC3 accepts online Internet crime complaints from either the actual victim or from a third party to the complainant. You can file yourself, or someone can file for you (for example, your security provider). The IC3 works best when they receive complete and accurate information so before you click the big red button we suggest you follow their recommendations regarding what information to have at the ready.

Here is that list:

  • Victim’s name, address, telephone, and email
  • Financial transaction information (e.g., account information, transaction date and amount, who received the money)
  • Subject’s name, address, telephone, email, website, and IP address
  • Specific details on how you were victimized
  • Email header(s)
  • Any other relevant information you believe is necessary to support your complaint

Konsultek and the FBI

In the past Konsultek has had the pleasure of having members of the FBI's cyber crime team join us for lunch-n-learn opportunities. We have an upcoming event in the works, so be sure to check our events page frequently, because the FBI appearances are always extremely popular and seating goes fast.


While the alarming news about the massive Equifax breach is just days old, Joshua Browder, the entrepreneur behind the robo-lawyer DoNotPay.UK has already taken action on it.

Head over to the DoNotPay website and you’ll be greeted by this splash screen:


Browder and his team have built upon their “chatbot” technology which has reportedly already helped nearly 400,000 people successfully fight traffic tickets in New York.

The national aspect of the Equifax breach introduced complexities beyond the relatively simple types of legal matters, say parking tickets in Chicago, which the bot has been helping with so far.

According to reports, his biggest challenge was determining who to sue in each state and the various idiosyncrasies of each state's system.

You can learn more details at WashingtonPost.com and get a different perspective on this approach to suing Equifax over at dailydot.com.

Security Experts, Not Lawyers

Whether using a chatbot to sue Equifax in small claims court is a good decision or not is not our area of expertise. Keeping breaches from happening is! At Konsultek we develop customized, holistic security solutions for organizations of all shapes and sizes.

When you’re ready to learn how we can make a difference in your organization’s security, just give us a call and talk to one of our real experts, not a chat bot!


Today is the last day to file your federal income taxes. And the looming 12:00 a.m. deadline has thousands, if not millions, of citizens stressing out and more susceptible to phishing scams than usual.

Every good cybercriminal knows this, and they are working overtime churning out fake emails from the IRS and other taxing authorities in the hopes of snagging victims, stealing valuable information and, ultimately, making some money.

IRS Phishing PSA

For those of you who stumble across this blog post hoping to find a quick answer to the question “How do I know if this email from the IRS is real?” here is the quick answer.
The IRS will NEVER ask you to send along personally identifiable information such as your social security number or bank account details. So, if you are looking at an email that purports to be from the IRS and it is asking for this information it is a fake, phishing email and you should discard it ASAP!

IRS Issues Scam Warning

The prevalence of phishing scams this tax season prompted the IRS to issue a warning on March 17, 2017.
In the warning the IRS urged both tax professionals and taxpayers to be on guard against suspicious activity. Two scams were highlighted in the warning.

In the first, which targets tax preparers, a fake email is sent to the preparer (ostensibly from the client) asking the preparer to change the refund destination, often to a pre-paid debit card.

The second scam targets users of tax preparation software or similar services. Users receive emails from these entities asking them to update their online accounts.

Of course, those nostalgic for the good old days should be happy to know that telephone scams are still plentiful, with the "IRS" robo-calling with urgent messages that require immediate action.

From Phishing to Malware

The purpose of these phishing emails is often not to collect account information directly but rather to install malware that can then access all the information stored on the infected device and even hijack its camera. That is according to www.zscaler.com, which writes:

The Zscaler ThreatLabZ team has detected a rise in Java-based remote access Trojan variants — jRATs — which give attackers a backdoor into a victim’s system and can be capable of remotely taking control of the system once it’s infected. Malware authors are using numerous tactics to entice unsuspecting users to open infected attachments, which arrive as malicious JAR files. Most recently, we’ve seen filenames such as “IRS Updates.jar” and “Important_PDF.jar,” claiming to contain important tax deadline information from the IRS.

Security is a 24X7X365 Job

Today it’s tax filing, tomorrow the scam will focus on something else. It appears that cybercriminals never sleep and never take a day off. Somewhere in the world there is always someone or some bot attempting to fleece unsuspecting individuals and organizations. I think we have finally “progressed” as a society to the point when we can confidently say that the only things certain in life are death, taxes and cybercrime!


This week McAfee became an independent security company for the first time since it was acquired by Intel in 2010.

The newly independent McAfee has an enterprise value of $4.2 billion, down from the $7.62 billion price tag that Intel paid.

Intel will retain a 49% ownership in McAfee with the remaining 51% being owned by private equity firm TPG Capital.

McAfee, arguably the world's oldest and one of the largest pure security firms on the planet, has over 7,500 employees worldwide and a substantial war chest of security IP, including over 1,200 security-related patents.

The newly independent McAfee should be better positioned to help its private and enterprise level clients deal with the rapidly evolving cyber-threat landscape.

In an interview with VentureBeat, McAfee’s Chief Technology Officer, Steve Grobman said “he believes both Intel and McAfee will be able to focus on their businesses better as separate companies. He said that cybersecurity is changing fast, and the company needs to think about challenges such as ransomware, the weaponization of data, and political leaks of digital information.”

In his letter to the public dated 4/3/17, McAfee CEO, Christopher Young states “Today, a new McAfee is born. One that promises customers cybersecurity outcomes, not fragmented products. One that vows to move this industry forward by working with competitors, not just partners. And, one that offers employees a calling, not simply a career.”

Konsultek Welcomes McAfee Back

At Konsultek we are always looking to bring our customers the best solutions on the planet. We look forward to seeing what the newly independent McAfee can bring to the market in the way of innovative and world class solutions.


Yet, Consumers Implicitly Trust Them According to a CapGemini Report

According to the CapGemini report, while banks and financial institutions enjoy an extraordinary 83% positive level of trust in the cybersecurity of their systems, just 1 in 5 banking executives surveyed are “highly confident in their ability to detect a breach, let alone defend against it.”

For comparison, e-commerce firms enjoy just a 28% positive level of trust while telecom companies and retailers score a paltry 13%.

The full CapGemini report can be downloaded here.

Trust is a HUGE Factor In Consumer Choice

According to the report authors, trust in an institution’s ability to protect private data and provide a secure environment is a significant factor for 65% of consumers when choosing which bank to do business with.

And yet, while approximately 25% of all financial institutions have reported being a victim of some level of hack only 3% of consumers believe that their own financial institution has ever been breached. It would seem that indeed there is a “trust halo” being enjoyed by banks that the numbers suggest they do not deserve.

If this halo were to become tarnished banks could be in trouble. According to the report 74% of consumers would switch their bank or insurer if they became aware of a breach.

GDPR Regulations Will Likely Drive Transparency

The GDPR regulations set to be introduced next year should drive more transparency and quicker reporting of breaches, and this may result in some tarnished halos.

“When GDPR is introduced and all breaches are likely to be made public soon after they occur, many people will be in for a surprise,” said Zhiwei Jiang, Global Head of Financial Services, Insights & Data at Capgemini. “The introduction of GDPR legislation next year is a prime opportunity for business transformation for banks and insurers to become the digital fortresses consumers believe them to be.”

Konsultek Knows Security

From financial institutions to university and healthcare organizations, Konsultek builds customized security solutions that protect networks and the data they house. If you are interested in learning exactly how your network may be vulnerable just give us a call and we’ll discuss how we can find your vulnerabilities before they are found by cybercriminals and hackers.


A recent survey conducted by the Pew Research Center found that roughly half of Americans are not confident that the companies and organizations they do business with on a daily basis are keeping their personal information secure.

Interestingly enough, social media sites and the federal government came in dead last when it came to cyberprotection confidence! Perhaps those surveyed never had a Yahoo mail account?

The comprehensive report also highlights these rather disturbing figures:

  • 41% of Americans have encountered fraudulent charges on their credit cards.
  • 35% have received notices that some type of sensitive information (like an account number) had been compromised.
  • 16% say that someone has taken over their email accounts, and 13% say someone has taken over one of their social media accounts.
  • 15% have received notices that their Social Security number had been compromised.
  • 14% say that someone has attempted to take out loans or lines of credit in their name.
  • 6% say that someone has impersonated them in order to file fraudulent tax returns.

And beyond these specific experiences, roughly half of Americans (49%) feel that their personal information is less secure than it was five years ago.

Think about these figures as you enjoy the Super Bowl this Sunday with friends and family. Statistically speaking, if you are enjoying your Super Bowl viewing experience with 9 other adults the Pew findings mean that roughly:

  • 4 of your fellow game watchers experienced fraudulent credit card charges
  • At least 3 of your fellow game watchers have been notified that some sensitive personal information has been leaked
  • Probably 1 perhaps 2 have had their Social Security numbers compromised!

Protecting Networks 24X7, Even on Game Day

At Konsultek we build custom security solutions for organizations of all sizes across virtually every area of interest. When you are ready to take your security to the next level, or to outsource it to someone who has the experience and resources you need, please pick up the phone and give us a call.


Woke up today to find this gem in the mailbox. Who knew that the FBI and the Central Bank of Nigeria would be looking for me!

This email is entertaining for a couple of reasons (at least!) beyond the alleged working relationship between Mr. Comey and the Central Bank of Nigeria.

Take a look at the portions highlighted with blue text! First a warning that “you should ignore any message that does not come from the above email address and phone number for security reasons.”

Next, look at Mr. Comey's email address. I would have thought that after all the email scandals in Washington that Mr. Comey would not be using an AOL email address for such important and sensitive business!

Re: Urgent January Notice…….

From: James B. Comey, Jr., <fbidirector@openmailbox.org> 

Jan 18 at 12:37 PM

OFFICE OF THE EXECUTIVE DIRECTOR,

MR. JAMES B. COMEY, JR,

FEDERAL BUREAUOF INVESTIGATION,

935 Pennsylvania Avenue, NW

Washington, D.C. 20535-0001. USA.

Attention: Beneficiary,After proper investigations, we, the Federal Bureau of investigation (FBI) discovered that your impending (over-due contract) payment with Central Bank of Nigeria is 100% legal and has been approved for release to you.

We recently had a meeting with the Executive Governor of the Central Bank of Nigeria, in the person of Mr Godwin Emefiele and other top officials of the concerned Ministries regarding your case and we were made to understand that your files have been held in abeyance pending on when you personally apply for the claim.

Investigations also revealed that a lady, by name Mrs. Joan B Melvin from New York has already contacted Central Bank of Nigeria with a power of attorney and some documents, which stipulated that you have mandated her to claim your fund of US$25,000,000.00 (Twenty Five Million United States Dollars) on your behalf due to your ill health.

In view of this, we have been urged to warn US citizens who have received information pertaining to their outstanding contract payment to be very careful and not to be a victim of ugly circumstance. In case you are already dealing with anybody or office of the Central Bank of Nigeria, you are strictly advised to STOP further communication with them in your best interest and thereby contact the real office of the Central Bank of Nigeria via the below information:


NAME: MR. GODWIN EMEFIELE

OFFICE ADDRESS: Central Bank of Nigeria,Central Business District,

Cadastral Zone, Abuja, Federal.

Capital Territory, Nigeria.

Email: central.bnk0015@aol.com

NOTE: In your best interest, you should ignore any message that does not come from the above email address and phone number for security reasons. And to enable the Central Bank of Nigeria to process and release the fund to you, you are required to re-confirm your full details such as

FULL NAMES: __________________________________

CITY: _________________________

STATE: __________________________________

ZIP: ______________COUNTRY: _______________________

SEX: _______________AGE: __________________

TELEPHONE NUMBER: _____________________

Ensure that you follow the Central Bank of Nigeria due process as enshrined in the International Banking Secrecy Act to avoid any form of discrepancy, which may hinder your fund transfer.Thanks for your understanding and cooperation as we earnestly await your urgent response.

Best Regards,

James B. Comey, Jr.,

Federal Bureau of Investigation

J. Edgar Hoover Building,

935 Pennsylvania Avenue,

NW Washington, D.C

E-mail: jjbcomeyjr@aol.com
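The two scams quoted on this page share indicators a mail filter can check mechanically: a message that invokes the IRS, the FBI or a central bank but arrives from a consumer mail domain, a body that directs replies to addresses other than the sender's, a request for Social Security or bank details, and a tax-themed attachment that is really a JAR. The following Python is an added example, not code from Konsultek or from any of the sources quoted above; the sender domain list and the IRS-themed message are constructed, and the 419 sample reuses only the addresses and phrases visible in the email above.

```python
# Added example: header, body and attachment heuristics for the two phishing
# patterns described on this page. Domain list and sample messages are constructed.
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Consumer or throwaway mail domains that a government agency or central bank
# would not use for official business (constructed list, not exhaustive).
FREEMAIL_DOMAINS = {"aol.com", "openmailbox.org", "gmail.com", "yahoo.com", "hotmail.com"}

# Organisations impersonated in the posts above.
CLAIMED_ORGS = {
    "IRS": re.compile(r"\b(?:IRS|Internal Revenue Service)\b", re.I),
    "FBI": re.compile(r"\b(?:FBI|Federal Bureau of Investigation)\b", re.I),
    "CBN": re.compile(r"Central Bank of Nigeria", re.I),
}

# Data the IRS says it never requests by email, plus the 419 "re-confirm" form.
PII_REQUEST = re.compile(
    r"social security|bank account|re-?confirm your full details|telephone number", re.I)

# Executable attachment types; keyed on the last extension so that a double
# extension such as Important_PDF.jar is still caught.
RISKY_EXT = re.compile(r"\.(?:jar|exe|js|vbs|scr)$", re.I)
EMAIL_RX = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def build_message(from_addr, subject, body, attachment=None):
    """Construct a sample message; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


def triage(msg):
    """Return (code, detail) findings; an empty list means no heuristic fired."""
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.rpartition("@")[2]
    body_part = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body_part.get_content() if body_part is not None else "")

    claimed = [org for org, rx in CLAIMED_ORGS.items() if rx.search(text)]
    if claimed and sender_domain in FREEMAIL_DOMAINS:
        findings.append(("freemail_sender", f"claims {'/'.join(claimed)} but sent from {sender_domain}"))

    # The 419 email tells the reader to write to addresses that differ from the From header.
    for addr in sorted({a.lower() for a in EMAIL_RX.findall(text)}):
        if addr != sender:
            findings.append(("reply_address_mismatch", addr))

    if claimed and PII_REQUEST.search(text):
        findings.append(("pii_request", PII_REQUEST.search(text).group(0)))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_content()
        if RISKY_EXT.search(name):
            findings.append(("risky_attachment", name))
        # A JAR is a ZIP archive: check the container, not just the name.
        if isinstance(data, bytes) and data[:4] == b"PK\x03\x04" and b"META-INF/" in data:
            findings.append(("jar_container", name))
    return findings


# Sample 1 (constructed): tax-season lure carrying a JAR named after the Zscaler example.
IRS_PHISH = build_message(
    "IRS Refund Department <irs.refunds@aol.com>",
    "IRS Updates: action required before the filing deadline",
    "The IRS needs you to re-confirm your social security number and bank account "
    "details to release your refund. Open the attached IRS Updates.jar for instructions.",
    ("IRS Updates.jar", b"PK\x03\x04" + b"\x00" * 26 + b"META-INF/MANIFEST.MF"),
)

# Sample 2: the 419 message quoted above, reduced to the lines the checks use.
FBI_419 = build_message(
    '"James B. Comey, Jr." <fbidirector@openmailbox.org>',
    "Re: Urgent January Notice",
    "Attention: Beneficiary, we, the Federal Bureau of Investigation (FBI) discovered that "
    "your payment with Central Bank of Nigeria is 100% legal.\n"
    "Email: central.bnk0015@aol.com\n"
    "You are required to re-confirm your full details such as telephone number.\n"
    "E-mail: jjbcomeyjr@aol.com",
)

# Sample 3 (constructed): ordinary mail; no heuristic should fire.
BENIGN = build_message("Alice <alice@example.invalid>", "Lunch on Friday?", "Same place at noon?")

if __name__ == "__main__":
    for label, m in (("IRS_PHISH", IRS_PHISH), ("FBI_419", FBI_419), ("BENIGN", BENIGN)):
        print(label, triage(m))
```

Each finding is a tag plus the evidence that triggered it, so the output can feed a quarantine rule or a user-facing banner. The container check matters more than the extension check: a JAR renamed to .pdf still begins with the ZIP signature and carries a META-INF directory.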


An Interview with a Hacker

On January 17th, 2017, posted in: Hackers, Information Security by konweb

TechRepublic.com published an interesting interview last week with the hacker Kapustkiy, part of the hacking group New World Hackers.

It’s a quick and interesting interview that covers his life from the early days of hacking as a teen to where he stands today, a member of New World Hacking (NWH) which he considers to be the most elite hacking group at the moment.


Here are some of the highlights:

He Makes Money as a Pen Tester, Not as a Hacker

Kapustkiy refers to himself as a "penetration tester". "I wanted to make money [with my skills], so I do bug bounties."

“I’ll try to find vulnerabilities (most of the time XSS) in websites of my country and I help the administrators to fix them or I’ll report the vulnerable so they could do it on their own. PS: I only spend time on finding vulns in big websites like banks or universities.”

Pen Tester or Hacker? Which is it?

“A lot people are asking me these kind of questions and the reason that I describe myself as a Security Pentester instead of a hacker is, because I like to help websites to improve their security so they are secured. I have always put my focus on Web/Network Security instead of other stuff. A ”hacker” is in my opinion someone who has knowledge with everything.”

Database Bug Exploitation is His Specialty

He considers what he does "not hard at all" and "easy to learn." His inspiration came during his teen years when he read an article about LulzSec (one of his favorite hacking teams) and how they used simple attacks such as SQL injection.

Impressed by NWH Talent

After claiming to be behind the hacking of some high-profile embassies, he reached out to NWH hoping to apply to their team. As he puts it, "Other groups are good, but not as skilled as [New World Hackers]." NWH claimed responsibility for the crippling botnet attack that utilized IoT devices to bring down a swath of East Coast Internet providers late last year.

Is What He Does Legal?

“In my opinion, it is legal when you only leak a little bit database to make them aware of it. Also report the vulnerable always and let them know that you try to help them.”

Happy Customers

Kapustkiy offered up screenshots of ostensibly happy clients to TechRepublic who conducted the interview via encrypted applications that allowed the hacker to remain anonymous.

"The thing that motivates me a lot is that administrators appreciate that I try to improve their security better. I got a "thank you" of the Indian Embassy and the Italian Government and I was very proud of myself that they have fixed the vulnerable."

Hacker or Pen Tester, Konsultek Has You Covered

By identifying weaknesses in your network security before they are discovered by external actors, Konsultek can build a custom security solution to close the gaps and prevent future breaches. If your organization is unclear as to how best to protect your valuable information assets, please give us a call. We're here to help.


2016 DARPA Grand Cyber Challenge

On January 4th, 2017, posted in: Information Security by konweb

One of the most interesting and also underreported Cyber activities of 2016 had to be DARPA’s Grand Cyber Challenge.

Beginning with a call for competitors all the way back in 2013, the challenge held on August 4th, 2016, was the world’s first all-computer Capture the Flag tournament. Out of all the entrants, just seven prototype systems made the final cut and competed in the ultimate information security showdown.


Machine Security Experts vs. Human Security Experts

The big benefit of machine security “experts” is that they are incredibly fast and almost instantaneously scalable. Their downfall of course is that they lack inherent expertise. The primary benefit of human security experts is that they have inherent expertise but are slow (as compared to machines) and lack scalability.

The goal of the DARPA challenge was to move the world of infosec towards a world where machines would have both inherent expertise as well as speed and scalability.

Set in Vegas complete with a cool looking stage, color commentary and enough power to run a city block, the DARPA challenge looked more like a pro-gaming event than a Department of Defense research project.

Ultimately though, the hype and sizzle of the show did not disappoint as all 7 machine contenders demonstrated “skills” normally found only in experienced human security engineers.

The Future is Machine AND Human Security Experts

The future of information security will rely upon both humans and machines, and you can bet that Konsultek will be there. As early adopters of the most cutting-edge security technologies, Konsultek's team of engineers has been and will continue to be at the forefront of security. We look forward to serving you in 2017 and beyond!
