Pentesting every 3 months for entities with more than 20k transactions; annually for fewer than 20k transactions.
Why do you need to pentest?
Because things happen, and it is good to review your security profile.
Have some Philotimo - do the right thing - defend your site by scanning. http://oversitesentry.com/solutions/
Today's Fixvirus Security Video:
Also discussing the Oversitesentry blog post about the QWERTY keylogger: http://oversitesentry.com/?p=1351
We explain a little more about pentesting and the service that we have (Sigma Scan) in the Tip of the Day.
In the News of the Day we discuss #OpFrance, where political hackers are trying to attack various French websites, including France24:
Here is a tweet from "Anonymous Saudi hacker" off Twitter
SigmaScan info on Oversitesentry: http://oversitesentry.com/solutions/sigma/
What will be your solution to potential attacks on your machines? Will it be to trust that your provider is doing everything they can? Or will you be proactive and do some testing (like the Sigma Scan)?
Contact us, as we can help you test your website to reduce the likelihood of hacker penetration and exploits.
Created an SVAPE & C-only video as well:
"Do the right thing" = Philotimo
PCI compliance best practices (from page 13 of the PCI DSS 3.0 document):
- Monitoring of security controls—such as firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), file-integrity monitoring (FIM), anti-virus, access controls, etc.—to ensure they are operating effectively and as intended.
- Ensure all failures in security controls, such as firewalls and IDS/IPS, file integrity monitoring, anti-virus.
- Review changes to environment
- Determine impact to PCI DSS scope
- Identify PCI DSS requirements applicable to item affected by the change
- Update PCI DSS scope and implement security controls as appropriate
- Changes to organizational structure (adding offices, mergers, etc.)
- Periodic reviews and communications
- Review HW and SW at least annually to confirm that it is still supported by the vendor.
The Fixvirus.com Alpha scan helps you review your systems:
- We need a permission document.
- Then we nmap scan your systems.
- If you have certain ports open, I may perform a vulnerability scan using tools.
- I write a report if problems exist.
- Your IT department fixes the problem.
- I run another scan to see if the problem was fixed.
- I will write another report and discuss it with you.
$500 per IP address for external IPs; for internal IPs (requires an onsite visit) an onsite fee is assessed.
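The scan, fix, rescan loop above is only as useful as the comparison between the two scans. The following is an added example, not Fixvirus code: it parses two nmap grepable-format (`-oG`) outputs, a baseline and a rescan, and reports per host which open ports were closed by the fix, which are still open, and which appeared since. The scan text and the 203.0.113.0/24 addresses are constructed sample data, not real hosts.

```python
import re

# Constructed sample: nmap -oG output for the same two external IPs, taken
# before (baseline) and after (rescan) the IT department applied fixes.
# 203.0.113.0/24 is a documentation range; these are not real hosts.
BASELINE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 21/open/tcp//ftp///\tIgnored State: filtered (998)
# Nmap done (constructed sample)
"""

RESCAN = """\
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 21/open/tcp//ftp///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (997)
"""

# One entry of the "Ports:" field looks like 22/open/tcp//ssh///; we only keep open ports.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def parse_grepable(text):
    """Return {ip: {(port, proto, service), ...}} for open ports in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and Status-only lines carry no port data
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        open_ports = hosts.setdefault(ip, set())
        for port, proto, service in PORT_RE.findall(ports_field):
            open_ports.add((int(port), proto, service))
    return hosts


def diff_scans(baseline, rescan):
    """Per host: ports closed since the baseline, still open, and newly opened."""
    before, after = parse_grepable(baseline), parse_grepable(rescan)
    report = {}
    for ip in sorted(set(before) | set(after)):
        b, a = before.get(ip, set()), after.get(ip, set())
        report[ip] = {
            "closed": sorted(b - a),      # fixed since the first report
            "still_open": sorted(b & a),  # unchanged; confirm each is intended
            "new": sorted(a - b),         # regressions or new services to review
        }
    return report


def format_report(report):
    """Plain-text summary suitable for the follow-up report to the customer."""
    lines = []
    for ip, r in report.items():
        lines.append(f"{ip}:")
        for label in ("closed", "still_open", "new"):
            ports = ", ".join(f"{p}/{proto} ({svc})" for p, proto, svc in r[label]) or "none"
            lines.append(f"  {label:<10} {ports}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_scans(BASELINE_SCAN, RESCAN)))
```

In the sample the RDP port (3389) on the first host is gone after the fix, while the second host has a new 8080 listener that was not there at baseline, which is exactly the kind of change the second report should call out.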
http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/ CNN story of 4.5 million records stolen from Community Health Systems - why would hackers want these records?
Because the records have social security numbers, names and addresses.
"But this time, the hackers stole patient data instead. Hackers did not manage to steal information related to patients' medical histories, clinical operations or credit cards."
The patient data is supposedly protected by HIPAA, but that protection is only as good as the hospital's network overseers.
And if the people in charge do not do the right things, like testing:
We test your systems to reduce your security risks with our 4 service products (listed below: A, Σ, Ω, and Ψ)
Then it does not matter... One has to have a security policy with stringent controls, physical and electronic: wireless and wired, Internet and corporate network, cloud and office. It must all work towards the goal of protecting your data.
Here is one of the latest on the Nork (North Korea) story: http://fortune.com/2014/12/20/sony-pictures-entertainment-essay/
My Fixvirus Dec 23 show video:
Some of the posts I discussed on the show:
http://oversitesentry.com/cyberattack-lessons/ Here is what happened in the Home Depot hack (56 million emails harvested as well as 53 million credit card numbers).
http://oversitesentry.com/digital-security-in-risk-assessment/ Here is where the current environment is assessed, including the 25 billion new Internet of Things devices to come online in the next year.
Do you really think the world will get less dangerous?
You must do something about this threat 🙂
http://oversitesentry.com/spoe-second-pair-of-eyes/ What you should be doing is testing your systems, making sure that your computers are not vulnerable (or at least as little as possible).
Oh yes - Merry Christmas!
Is risk management philosophy as we know it good enough?
What do we know about the current risk management philosophy? Categorize all systems and assign each a risk number. Then assign each an "important data" ranking number.
Following is an example using a scale from 1 (low) to 5 (highest):
SystemA: risk number 5, important data 5
SystemB: risk number 2, important data 2
SystemC: risk number 4, important data 4
Risk management philosophy/strategy says that in a limited-resources environment we have to do what we can and focus on SystemA, since it is valued higher.
The problem is that in the 2014 risk environment SystemB will get hacked, then eventually SystemC will get hacked, and once the criminals are in the network SystemA will get hacked as well.
So what has risk management bought us? It has ensured that we got hacked, since we deliberately did not spend the time and resources on defending the whole network.
So from now on, defend it all and up your game, or just save all your money and get ready for the lawsuits.
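The argument above can be made concrete by adding one thing the per-system ranking ignores: which systems can reach which. The following is an added example, not code from the post: it takes the three systems and their 1 to 5 numbers from the post, adds a constructed (assumed) reachability map for a flat network, and computes each system's effective value as the highest "important data" number an intruder who lands on it can reach. Under that measure SystemB is worth as much as SystemA, and defending only the top-ranked system leaves open paths into it.

```python
from collections import deque

# The post's three systems on its 1 (low) to 5 (highest) scale:
# name -> (risk number, important-data number).
SYSTEMS = {"SystemA": (5, 5), "SystemB": (2, 2), "SystemC": (4, 4)}

# Constructed, assumed reachability: which systems can open connections to
# which. A flat network where the "low value" box can reach the crown jewels
# is the situation the post describes.
REACH = {"SystemB": {"SystemC", "SystemA"}, "SystemC": {"SystemA"}, "SystemA": set()}


def reachable_from(start, reach):
    """All systems an intruder on `start` can get to (breadth-first search)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in reach.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def effective_value(systems, reach):
    """Highest important-data number reachable via each system, itself included."""
    return {
        name: max(systems[n][1] for n in reachable_from(name, reach) | {name})
        for name in systems
    }


def prioritised(systems, budget):
    """The usual strategy: defend only the `budget` systems with the highest risk number."""
    ranked = sorted(systems, key=lambda n: systems[n][0], reverse=True)
    return set(ranked[:budget])


def undefended_paths(systems, reach, defended):
    """Undefended systems from which a defended system can still be reached."""
    paths = {}
    for name in systems:
        if name in defended:
            continue
        hits = reachable_from(name, reach) & defended
        if hits:
            paths[name] = sorted(hits)
    return paths


if __name__ == "__main__":
    print("effective value:", effective_value(SYSTEMS, REACH))
    top = prioritised(SYSTEMS, budget=1)
    print("defended:", top, "paths into them:", undefended_paths(SYSTEMS, REACH, top))
    print("defend it all:", undefended_paths(SYSTEMS, REACH, set(SYSTEMS)))
```

The same functions work for a real inventory if the reachability map is filled from firewall rules or a scan of what each segment can actually talk to; the ranking alone, without that map, is what produced the blind spot the post complains about.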
Oversitesentry Blog post discussing a new security environment
Contact us to discuss the security of your network in the new 2014 security risk environment (in a few days it will be the 2015 security risk environment).
Today's show discusses the News of the Day in the Threatpost blog about CoolReaper:
A backdoor is when software runs a piece of code that you are not aware of; CoolReaper phones seem to have malware built into the phone, which installs apps on its own without the owner knowing.
The Tip of the Day has a segment on the Red team versus Blue team concept, as well as what scanning consists of in the OSI layer representation of the network stream.
We perform Alpha scans and Sigma scans, and we discuss where each sits in the OSI layers.
Contact us for help scanning your computers and network.
Threatpost blog post: http://threatpost.com/microsoft-recalls-patch-tuesday-exchange-update/109844 about the Exchange server patch rollback (uninstall).
The Tip of the Day is about PCI compliance - a security policy must be created.
Some parts of the PCI DSS 3.0 standard are not very specific (since there are many different types of environments).
Hacker process explained:
Don't get SVAPE&C'd.
Criminal hackers use this method:
Scan -> Vulnerability Assessment -> Penetrate and Exploit -> Control = SVAPE&C
You should do the SVA: Scan -> Vulnerability Assessment -> Mitigate the vulnerability or fix the problem.
We can help you with SVA. Contact us.
2nd show: Fixvirus Security Show
POODLE (Padding Oracle On Downgraded Legacy Encryption) resurfaces -
i.e. not just the original issue, https://www.openssl.org/~bodo/ssl-poodle.pdf -
but the new one: https://www.imperialviolet.org/2014/12/08/poodleagain.html
F5 has issued a list of products needing patches.
You can scan your website (to see if it is vulnerable) with the free Qualys SSL Server Test: https://www.ssllabs.com/ssltest/
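Both POODLE variants come down to how a CBC record's padding is checked: SSLv3 only checks the final length byte and ignores the padding bytes themselves, and the "poodle again" finding was that some TLS implementations (hence the F5 patch list) did the same even though TLS requires every padding byte to be checked. The following is an added example, not code from Fixvirus, OpenSSL or F5: a toy record padder plus two unpad routines, one with the SSLv3-style check and one with the TLS-style check, and a helper showing that only the lax one accepts a record whose padding bytes are wrong. The record contents are constructed; no encryption or MAC is modelled, so this is a demonstration of the check itself, not of a full TLS record layer.

```python
BLOCK = 16  # AES block size; TLS CBC records are padded to a multiple of it


def tls_pad(data):
    """TLS 1.0+ CBC padding: pad_len bytes each equal to pad_len, then the pad_len byte."""
    pad_len = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([pad_len]) * (pad_len + 1)


def unpad_sslv3_style(record):
    """SSLv3 rule: only the final (length) byte is checked; padding bytes are ignored.
    This is the property the original POODLE attack relies on."""
    if not record:
        return None
    pad_len = record[-1]
    if pad_len + 1 > len(record):
        return None
    return record[:-(pad_len + 1)]


def unpad_tls_strict(record):
    """TLS rule: every padding byte must equal pad_len. The loop accumulates
    mismatches instead of returning early so the check itself does not leak
    which byte was wrong (a real implementation must also run MAC handling in
    constant time, which this toy does not model)."""
    if not record:
        return None
    pad_len = record[-1]
    if pad_len + 1 > len(record):
        return None
    bad = 0
    for b in record[-(pad_len + 1):-1]:
        bad |= b ^ pad_len
    return None if bad else record[:-(pad_len + 1)]


def corrupt_padding_byte(record):
    """Constructed test input: flip the first padding byte, leave the length byte intact."""
    pad_len = record[-1]
    if pad_len == 0:
        raise ValueError("record has no padding bytes to corrupt")
    idx = len(record) - (pad_len + 1)
    return record[:idx] + bytes([record[idx] ^ 0xFF]) + record[idx + 1:]


def accepts_bad_padding(unpad):
    """True if `unpad` returns plaintext for a record whose padding bytes are wrong."""
    padded = tls_pad(b"GET / HTTP/1.1")  # 14 bytes -> one padding byte plus the length byte
    return unpad(corrupt_padding_byte(padded)) is not None


if __name__ == "__main__":
    for name, fn in (("SSLv3-style", unpad_sslv3_style), ("TLS strict", unpad_tls_strict)):
        print(f"{name}: accepts corrupted padding = {accepts_bad_padding(fn)}")
```

An implementation that answers `True` here is the kind the ssllabs test flags; the fix on the server side is to disable SSLv3 and to apply the vendor patches that make the TLS record check strict.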
Here is the screenshot of a Raspberry Pi+ with wifi, the hack of the day: what if one of these devices is in your network (dropped off by a hacker to steal your network information)?
It is a good idea to audit your network to uncover any devices that you may not be aware of. All IP addresses need to be accounted for.
We would help your IT department in the audit process, or audit using open-source security (hacker) tools, then inform you and your IT department.
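Accounting for every address means comparing what is actually on the wire against what IT has on record. The following is an added example, not Fixvirus code: it parses constructed arp-scan style output (IP, MAC, vendor per line) and checks it against a constructed inventory, flagging devices with unknown MACs, known devices answering from an unexpected address, and inventory entries that did not show up. The b8:27:eb prefix is the Raspberry Pi Foundation's registered OUI; everything else (the 192.0.2.0/24 addresses, the other MACs, the vendor strings) is made up for the example.

```python
import re

# Constructed inventory: every MAC the IT department has accounted for and the
# address it is supposed to use. 192.0.2.0/24 is a documentation range.
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("192.0.2.1", "core switch"),
    "00:1a:2b:3c:4d:10": ("192.0.2.10", "file server"),
    "00:1a:2b:3c:4d:20": ("192.0.2.20", "reception PC"),
    "00:1a:2b:3c:4d:30": ("192.0.2.30", "printer"),
}

# Constructed arp-scan style output (IP, MAC, vendor) from a walk of the LAN.
SCAN_OUTPUT = """\
192.0.2.1\t00:1a:2b:3c:4d:01\tExample Networks
192.0.2.10\t00:1a:2b:3c:4d:10\tExample Server Co
192.0.2.20\t00:1a:2b:3c:4d:20\tExample PC Co
192.0.2.77\tb8:27:eb:aa:bb:cc\tRaspberry Pi Foundation
192.0.2.45\t00:1a:2b:3c:4d:30\tExample Printers
"""

# OUI prefixes worth a louder alarm; b8:27:eb is the Raspberry Pi Foundation's.
FLAGGED_OUIS = {"b8:27:eb": "Raspberry Pi Foundation"}

LINE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\t([0-9a-f:]{17})\t(.*)$", re.I)


def parse_scan(text):
    """Return {mac: (ip, vendor)} for every well-formed scan line."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, mac, vendor = m.groups()
            seen[mac.lower()] = (ip, vendor)
    return seen


def audit(inventory, scan_text):
    """Compare the scan against the inventory; return sorted (kind, ip, mac, note) findings."""
    seen = parse_scan(scan_text)
    findings = []
    for mac, (ip, vendor) in seen.items():
        if mac not in inventory:
            # Unknown hardware on the LAN: the rogue-device case from the post.
            note = FLAGGED_OUIS.get(mac[:8], vendor)
            findings.append(("UNKNOWN_DEVICE", ip, mac, note))
        elif inventory[mac][0] != ip:
            exp_ip, desc = inventory[mac]
            findings.append(("IP_MISMATCH", ip, mac, f"expected {exp_ip} ({desc})"))
    for mac, (ip, desc) in inventory.items():
        if mac not in seen:
            # Powered off, or the record is stale; either way the address is unaccounted for.
            findings.append(("NOT_SEEN", ip, mac, desc))
    return sorted(findings)


if __name__ == "__main__":
    for kind, ip, mac, note in audit(INVENTORY, SCAN_OUTPUT):
        print(f"{kind:<15} {ip:<14} {mac}  {note}")
```

Matching on MAC rather than IP is deliberate: a dropped-off device will happily take a DHCP lease, so the IP alone says nothing, while a MAC (or its OUI) at least tells you what kind of hardware answered. A MAC can be spoofed too, so a hit here is a reason to go and look at the port, not the whole investigation.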