Can my IT staff perform a vulnerability assessment?

Yes, of course your IT staff are able to do these assessments.

However, it depends on the certifications, skills, and focus of your staff. The most common pitfall is that in-house IT staff are too “complacent, and not outsiders,” so they are bound to overlook their own errors.

Thus, it is better to let UFI, as an impartial “third party,” do the vulnerability assessment.

What is the difference between a vulnerability assessment and a penetration test?

The easiest way to distinguish these two tests is by looking at the reports.

In general, a penetration test is more focused, more direct, and more detailed. A vulnerability assessment is designed to enumerate the threats to your internal critical resources; penetration testing, alternatively, is designed to exploit vulnerabilities as a proof-of-concept.

Penetration tests are intended for organizations that have developed strong information security practices over time and are ready to put their efforts to the test.

Vulnerability assessments are intended for organizations of all sizes and maturity levels and tend to be utilized more often.

What will be delivered to me after the assessment is completed?

We provide you with a complete report on your systems and actionable suggestions. We make sure that this report is acceptable not only to IT people but also to the C-suite. This way, the executives are able to decide whether what they spend on IT security is cost-effective.

Welcoming 2015: New Year, New Security Threats


In December 2014, Sony was attacked, according to the FBI, by North Korea and possibly an “insider.” The cyber attackers demanded that Sony not release a movie and that it pay a ransom, or else the hackers would post damaging private Sony data.

This incident showed that, no matter how secure we may think we are, cyber security is not an option; it is an enterprise attitude, and failing to implement it can be devastating. It is estimated that 100TB of Sony data was exfiltrated, including sensitive medical files on employees, their families and children.

Sony, whose reported 2014 results showed an approximately $1.26 billion net loss and a $1.21 loss per share, had only 11 people working in cyber security.

This should be a wake-up call for all!

Moreover, the many attack vectors available for cyber-attacks may put a company’s reputation in danger and, worst of all, cost it credibility and loyalty and tarnish its brand.

The news about the Sony breach closed 2014 and left many with a higher awareness that we need to give more attention and devote more resources to cyber security. The predictions are that this massive breach, and subsequent breaches, will only worsen in 2015.

Some experts predict that in 2015, there will be more attacks on online payment systems, among other potential targets.

“We expect to see cyber criminals focus more on new payment systems as they are adopted and the potential for criminal financial gain thus increases. This will be in the shape of attacks against banks/virtual currency operators, the end users and their devices, and everything in-between. In fact, we already have some examples of malware stealing virtual wallets from users’ devices, and very high-profile incidents of banks themselves being infiltrated,” said Patrick Nielsen, a senior security researcher at Kaspersky Lab.

Another trend is that malware is spreading at alarming rates; it is predicted that malware will become harder to detect and remediate.

It’s time we stopped thinking about malware as a nuisance that has to be kept out of our systems and networks, and recognized what it actually is – big business.

Just as most businesses want to grow stronger and increase their earnings, malware developers will continue to create products that are sneakier, far stealthier, harder to detect, and one step ahead of law enforcement, for their financial gain.

Businesses, large and small, need to know where their critical information is at all times and who is accessing it.

Flagging content and communication before it leaves the office is a good start, but it is not enough. Given the tactics used in recent cyber-attacks, it is crucial to build a strong infrastructure to protect company data.



Financial Services Are Still The Most Targeted Victim


Are you sure that a bank is a secure place to keep your money? Think twice! Our money in the bank is converted to numbers that are written on paper. Technically, it is digitally printed rather than physical money. The bad news is that when digital criminals screw up the numbers, then boom! We lose our money.

What is even worse, according to the IBM report index, finance and insurance are still the number one industry potentially being attacked by hackers. As expected, the favorite target is still stolen credit card identities, with the United States as the number one market for this type of crime. The probable reason is that Americans use credit cards a lot for daily transactions.

Knowing this fact, it is important for every bank to check its systems on a regular basis. Financial institutions must meet regulatory requirements, and this is frequently the driver for contracting a penetration test. Penetration testing should identify vulnerabilities that arise from improper configuration and patch management processes. This is not an indictment that corporations cannot manage their infrastructure, but a testament to the reality that attackers only need to be right one time to exploit a vulnerability, whereas the IT organization needs to be right 100 percent of the time when managing vulnerabilities. Penetration testing is a tool in the vulnerability management arsenal that helps bridge the gap between human fallibility and the need to be right 100 percent of the time.

Banks have to take care of both their web-based applications and their internal banking applications. Web-based applications should be coded using secure coding practices and should be tested using automated code scanners that can identify vulnerabilities. There are a number of vendors that provide automated web-application testing suites, as characterized by the growing maturity and functionality of tools in this space. Also, to complement the efficiency of automated scanners, manual code review of high-risk web-based banking applications is a necessity. Automated scanners should be used to test code in the development phase. Internal banking applications can be compromised in the same fashion as web-based banking applications. Secure coding practices, application testing and the use of strong authentication mechanisms are methods to minimize the risk of running internal banking applications. In this case we also have to consider enforcing segregation of duties as a vital control necessary to protect the financial institution.

Testing is costly, so companies may perform a thorough penetration test once a year and then rotate between other firms for the remaining quarters of the year. This allows the hiring financial institution to compare results between vendors, and to confirm previous results by doing a retest to ensure that new faults have not been introduced or uncovered as a result of changes to the environment. All penetration testing artifacts should be stored securely and encrypted, including hard copies, which should be shredded after a period of time. Hard copies are helpful for making comparisons from quarter to quarter when regression testing is done.

Home Isn’t Safe Anymore


A house that knows what to do to serve us, gets dinner ready by the time we arrive home, or turns on the lights when it is too dark, known as a smart house, has long been a dream for many people. With the current development of IoT (Internet of Things), it is no longer impossible to have all of our devices connected and to monitor our house from a distance. There are already smart devices available on the market, such as smart washing machines, smart TVs, smart LEDs, or a garden sprinkler control.

Like everything else in the world, these sophisticated devices come with some holes, namely privacy and security concerns. Since their development, many security firms, experts, and researchers have studied the privacy and security effects of these devices.

As reported by HP's experiment and research, one of the biggest concerns was that most devices did not require consumers to use hard-to-hack log-ins. Usually, the passwords used are standard combinations, such as pass123. Moreover, a lack of encryption – the digital scrambling of data to make it unreadable without a special key – was also flagged as a worry. As these personal devices require a log-in, they also store our personal data, such as name, date of birth, health details, email, phone, and even financial information. The concern is even greater when this data is stored in the cloud. Once hackers have access to these devices, all our information will leak. In addition, with many devices transmitting this information unencrypted on the home network, users are one network misconfiguration away from exposing this data to the world via wireless networks.

Some time ago, the BBC conducted a smart house experiment involving seven computer security experts to find out how easy it is to hack a smart house. The answer was not surprising: it was easy for all of them. The vulnerabilities in the device emerged from the very basic web server software it used to post images online. That insecure software is currently being used by more than five million gadgets that are also already online.

The work that Microsoft and other PC software vendors were doing to improve security was already making dedicated cyber criminals look elsewhere for targets. This explained the rise in ransomware, technical support scams and attacks on computers at checkout points in shops.

The “ridiculously easy” way it was possible to subvert many smart gadgets was likely to make them a candidate for attack in the near future. There had already been examples of attackers looking to subvert domestic hardware in a bid to grab online banking data.

So, the question is: when it comes to the smart house, are you sure that your home is safe and secure? It looks like home is not a secure place anymore!