The Middle East is changing, and we live in times where ego is pitted against action. In the cyber security universe, this is a quandary that makes it harder for companies to ask for, or even obtain, help when it is needed. Why? Because what many may not know is that more than half of the cyber incidents experienced by companies are NOT reported to the public. Case in point: did you know a bank here in the Middle East is currently experiencing a Code-Napping incident? This is going on right now.
Let’s consider the recent climate of RansomWare, or Code-napping: a relatively new phenomenon whereby hackers leverage the methods of intrusion listed below, but instead of stealing the information hosted on your website, online bank, or retail store, they seize your data. By leveraging highly sophisticated techniques, your entire server, website, or database becomes encrypted, with a countdown timer. If the ransom is not paid within the specified time frame, your data is lost forever. This is very nasty and very real. See below.
For small to medium-sized businesses (SMBs) with an electronic retail (e-tail) store, you may be grappling with the looming question: how do I protect my e-tail business from becoming another statistic with little to no budget for hiring a consultant or CISO strategist?
8 Guarantees on How to “Ensure” Your Company becomes the next Hack Statistic.
1. Do Not use a secure connection for online checkout and credit card processing.
Not only will this imply you aren’t hip to PCI-DSS (Payment Card Industry Data Security Standard) compliance, it will open the doors for hackers to sniff and obtain your clients’ personal and credit card information.
SSL/TLS certificates are a must for online transactions. Furthermore, they provide a level of coverage for your insurance and compliance objectives. (Heard of Data-At-Rest encryption?)
2. Store sensitive data. Please Do!!!
Again, deviating from the PCI-DSS requirements is a sure-fire way to incur the fiscal penalties that PCI, the FTC, and other federal bodies impose. As an “E-Tail” vendor, there is absolutely no reason to store thousands of records on your customers, especially credit card numbers, expiration dates, and CVV2 [card verification value] codes.
While it’s strictly forbidden by the PCI standards, it’s also a way to paint a larger-than-life Target (no pun intended) on the digital walls of your organization. If you’re thinking about marketing campaigns and you absolutely must store such data elements, ensure they are encrypted in accordance with the data security requirements the data falls under. But we do not suggest this at all. If there is a will, there’s a way, and the penalties you will assume for doing so just don’t weigh out.
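To make item 2 concrete, here is an added example (my own code, not from the article or from bits & digits) showing the storage anti-pattern beside a minimised record: the insecure function persists the whole checkout payload, while the hardened one never writes the CVV2, keeps only the last four digits of the card number, and drops the expiry date. The field names (`pan`, `expiry`, `cvv2`, `auth_code`) and the sample payload are constructed for this example.

```python
# Added example: minimise what an e-tail checkout keeps after authorisation.
# "store_insecure" is the anti-pattern from item 2; "store_minimal" keeps only
# what a receipt or refund lookup needs. All field names are assumptions.
import re

# Constructed sample payload, as a checkout form might post it (test PAN only).
SAMPLE_PAYMENT = {
    "customer_id": "c-1001",
    "pan": "4111 1111 1111 1111",   # constructed test card number
    "expiry": "12/27",
    "cvv2": "123",
    "auth_code": "A1B2C3",          # processor's authorisation reference
    "amount": "49.90",
}

# Fields that must never sit in an e-tail database at rest.
FORBIDDEN_AT_REST = {"pan", "cvv2", "cvv", "expiry", "track_data"}


def store_insecure(payment: dict) -> dict:
    """The anti-pattern: persist everything the form sent, CVV2 included."""
    return dict(payment)


def store_minimal(payment: dict) -> dict:
    """Keep only post-authorisation data.

    - CVV2 is never written anywhere.
    - The PAN is truncated to its last four digits (enough for a receipt).
    - Expiry is dropped; the processor's auth_code is the reference we keep.
    """
    pan_digits = re.sub(r"\D", "", payment["pan"])
    if not 13 <= len(pan_digits) <= 19:
        raise ValueError("PAN has unexpected length")
    return {
        "customer_id": payment["customer_id"],
        "pan_last4": pan_digits[-4:],
        "auth_code": payment["auth_code"],
        "amount": payment["amount"],
    }


def audit_record(record: dict) -> list:
    """Return the forbidden fields a stored record still contains (empty is good)."""
    return sorted(FORBIDDEN_AT_REST & set(record))


if __name__ == "__main__":
    print("insecure record leaks:", audit_record(store_insecure(SAMPLE_PAYMENT)))
    print("minimal record leaks:", audit_record(store_minimal(SAMPLE_PAYMENT)))
```

The `audit_record` check is the kind of test worth running against whatever your order table actually holds: if it ever reports a non-empty list, you are storing exactly the data elements item 2 warns about.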
3. “Do not” leverage an address and card verification system.
Insure much? Go ahead and omit this safeguard and see what your legal and cyber insurance company says.
Enabling an address verification system (AVS) and requiring the card verification value (CVV) on credit card transactions gives your company the “Defense in Depth” coverage needed to thwart fraudulent charges. Who wants to pay back those charges? We sure wouldn’t want to.
4. “Do not” require complex passwords, or even a password history, for your user-base.
If you haven’t gotten this by now, here it is, very much to the point: longer, more complex passwords will make it harder for criminals to breach your site from the front end. “Nuff said.”
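As an added example for item 4 (my own code, not from the article), here is a small password policy for a user base that enforces length and character mix and keeps a history of previous salted hashes, so a user cannot cycle back to an old password. `MIN_LENGTH`, `HISTORY_DEPTH` and the PBKDF2 round count are assumed values chosen for the example.

```python
# Added example: a minimal password policy with history for an e-tail user base.
# Only salted PBKDF2 hashes are ever kept; the password itself is never stored.
import hashlib
import hmac
import os

MIN_LENGTH = 12        # assumption: length matters more than clever rules
HISTORY_DEPTH = 5      # assumption: remember the last five passwords
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def complexity_problems(password: str) -> list:
    """List the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs three of four character classes")
    return problems


class PasswordHistory:
    """Rolling list of (salt, hash) pairs for one user, newest last."""

    def __init__(self):
        self.entries = []

    def was_used(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        del self.entries[:-HISTORY_DEPTH]   # keep only the newest HISTORY_DEPTH


def change_password(history: PasswordHistory, new_password: str) -> list:
    """Apply the complexity policy, then the history check; record on success."""
    problems = complexity_problems(new_password)
    if not problems and history.was_used(new_password):
        problems.append("reused from history")
    if not problems:
        history.record(new_password)
    return problems


if __name__ == "__main__":
    h = PasswordHistory()
    for candidate in ("short1!", "Correct-Horse-Battery-9", "Correct-Horse-Battery-9"):
        print(candidate, "->", change_password(h, candidate) or "accepted")
```

The history check is deliberately done only after the complexity rules pass, so a rejected candidate never costs a round of hashing, and the per-entry salt means the stored history cannot be compared across users.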
5. “Do not” configure and implement system alerts for suspicious activity.
By not setting an alert for multiple, suspicious transactions coming through from the same IP address, or from machines leveraging masquerading techniques, you leave the door wide open for fraudsters to have a field day with your site.
Many triggers should be implemented to ensure your site does not become the next breeding ground for fraudsters armed with IP maskers and virtual machine black boxes. Feel like you need help on this one? Contact bits & digits. We can show you how we’ve secured 10 Fortune 500 companies with basic detection schemes.
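The simplest trigger of the kind item 5 describes is a velocity check: count what a single source IP does inside a short window and alert when it exceeds a threshold. The following is an added example of my own (not the article’s or bits & digits’ detection scheme) run over constructed transaction log lines; the log format, the window and the thresholds are assumptions for the example.

```python
# Added example: velocity alerts over an e-tail transaction log.
# Two rules per source IP within a sliding window: too many transactions,
# and too many distinct cards. Log format and thresholds are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Columns:
# ISO timestamp, client IP, order id, card last four, amount
SAMPLE_LOG = """\
2015-12-01T10:00:01Z 203.0.113.7 o-1 4242 19.99
2015-12-01T10:00:09Z 203.0.113.7 o-2 1881 19.99
2015-12-01T10:00:15Z 203.0.113.7 o-3 0005 19.99
2015-12-01T10:00:20Z 203.0.113.7 o-4 9424 19.99
2015-12-01T10:01:00Z 198.51.100.4 o-5 1111 45.00
2015-12-01T10:30:00Z 198.51.100.4 o-6 1111 12.50
2015-12-01T11:00:00Z 203.0.113.7 o-7 4242 19.99
"""

WINDOW = timedelta(minutes=5)   # assumption: look back five minutes
MAX_TXNS_PER_WINDOW = 3         # assumption: more than three is suspicious
MAX_CARDS_PER_WINDOW = 2        # assumption: more than two cards is suspicious


def parse_line(line: str):
    """Split one log line into (timestamp, ip, order_id, last4, amount)."""
    ts, ip, order, last4, amount = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, order, last4, float(amount)


def detect_velocity(log_text: str) -> list:
    """Return alerts as (order_id, ip, reason) tuples, one per rule that fires."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, last4) inside WINDOW
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, order, last4, _amount = parse_line(line)
        window = recent[ip]
        # Drop entries that have aged out of the window before evaluating.
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        window.append((ts, last4))
        if len(window) > MAX_TXNS_PER_WINDOW:
            alerts.append((order, ip, "too many transactions in window"))
        if len({card for _, card in window}) > MAX_CARDS_PER_WINDOW:
            alerts.append((order, ip, "too many distinct cards in window"))
    return alerts


if __name__ == "__main__":
    for alert in detect_velocity(SAMPLE_LOG):
        print(*alert)
```

In the sample, the burst from 203.0.113.7 trips the distinct-cards rule on the third order and both rules on the fourth, while the same IP an hour later is clean because its earlier entries have aged out; the legitimate repeat customer on 198.51.100.4 never alerts. In production the log lines would come from the checkout application and the alert would feed whatever your team actually watches.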
6. “Do not” layer your security. Defense In Depth – I shouldn’t need to say more.
Begin with firewalls, Intrusion Detection Systems, and secure coding procedures. All are essential to stopping attackers before they can breach your network and gain access to your critical information. Also add extra layers of security to the website and to application entry points such as contact forms, login boxes, and search queries.
Having a third party review your security boundary is the real way to see where you stand. This is also a requirement for PCI-DSS. Vulnerability Assessments are your friend, not just an expenditure you dread.
7. “Do not” train your workforce or provide security training for them.
Just as you need to understand the threats and security trends, your employee base needs to know them as well. From numerous spam and social engineering campaigns we have conducted, I assure you employees need to know what is and isn’t “cool” with regard to information security practices. Or, as we called it in my former life, “Practices Dangerous to Security.”
Employees should be educated on the laws and policies affecting customer data and be trained on the actions required to keep it safe. Use strict written protocols and policies to reinforce and encourage employees to adhere to mandated security practices. This is paramount to maintaining your regulatory compliance and keeping your company safe.
8. “Do not” Patch your systems.
This is my personal favorite. To this day, I have not walked into a client site that has had a breach or security incident and also had a mature patch management program. You as the CISO/CEO/COO/CIO should encourage your IT staff to patch everything immediately, literally the day a new version is released. This includes the Web server itself, as well as other third-party code like Java, Python, Perl, WordPress, and Joomla, which are favorite targets for attackers.
“Breached sites are constantly found running a three-year-old version of PHP or ColdFusion from 2000 to present.” It’s critical you install patches on all software. Your Web apps, X-Cart, osCommerce, Zen Cart, and any of the others all need to be patched regularly.
We hope these 8 Recipes for Cyber Disaster from Bits & Digits prove useful in helping your company further its information security objectives. The Middle East has become a breeding ground for cyber criminals because of the lack of information security awareness. Please remain vigilant and know what your weaknesses are.
Edited January 2020.
Original Exclusive article by J. Tate, Chief Intelligence Officer of bits&digits in BizBahrain Magazine December 2015, pg. 94 – 95.