PCI Compliance Small Biz Simplified

PCI DSS has 12 requirements. Let’s list them and work out which ones apply to a small business, and where attention can be minimized.

First of all, although it is not a headline item in the standard, building an inventory of devices is essential to becoming PCI compliant (the standard does call for an inventory of the system components that are in scope). Compliance is easier with a proper inventory of all applicable hardware and software, and the inventory is good general security practice even for systems that never touch payment card data. Basically, for PCI compliance, anything that touches payment card data gets extra scrutiny.

So, guess what: you need documentation and procedures to make sure only the right people access the data and that they do not abuse it. For example, never send payment card data unencrypted over the Internet, and never send customer card data by fax, email or chat sessions.

If you have that documentation, and signed statements from employees that they have read it, PCI compliance becomes easier.


Let’s work our way up from the bottom of the list: you must have a written security policy (documentation); you must test the network and all systems; you must have a firewall; you must run antivirus or anti-malware software; you must change default passwords; you should avoid developing your own payment software (that pulls the secure-development requirements fully into scope and is much harder to get right); you must authenticate access to systems and restrict access to payment card data, including physical access. Not storing cardholder data at all simplifies your compliance the most.

Encrypt the actual transaction from the cardholder to the financial institution (merchant to acquirer). The terminal that does this should be one approved by your financial institution. Running the payment function on one of your general-purpose computers complicates matters, because that computer is then in scope; it is easier with a dedicated machine used only for swiping or inserting cards.

If you avoid developing your own software, use only an approved, PCI-compliant payment terminal, and have documentation your employees have read, that goes a long way toward PCI compliance. If you can segment the network (most payment terminals now need Internet access), segmentation cuts down the number of machines the auditor has to test.

Monitoring the logs is simply prudent, as is making sure that access to systems is properly authenticated. Many of these steps are common-sense computer security (changing default passwords, for example).


The 12 requirements, grouped under the headings used in the PCI DSS document:

Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy

  12. Maintain a policy that addresses information security for all personnel


We will test your network and give you a specific, easy-to-follow list of steps to complete PCI compliance. Contact us to discuss.


Phishing #1 Attack – Includes Email Scams

Have you received an email, in broken English, saying your password has been stolen?

Subject: "Security Notice. Someone have access to you system"

As you may have noticed, I sent you an email from your account.

This means that I have full access to your acc: On moment of crack (youremail@youremaildomain.com)  password: jfwqu6qoizxahofj0qkw

You say: this is my, but old password!
Or: I will change my password at any time!
Of course! You will be right,
but the fact is that when you change the password, my malicious code every time saved a new one!
I've been watching you for a few months now.
But the fact is that you were infected with malware through an adult site that you visited.
If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.
I also have access to all your contacts and all your correspondence from e-mail and messangers.
Why your antivirus did not detect my malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.
I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use.
If you want to prevent this, transfer the amount of $770 to my bitcoin address (if you do not know how to do this, write to Google: "Buy Bitcoin").
My bitcoin address (BTC Wallet) is: 1MrUDSrZiqD3ijxsBUPt2SukoFy534orP2
After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.

Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.

—————————————————–

This trickster extortionist actually makes several mistakes (besides the spelling errors).

First, the email says ”As you may have noticed, I sent you an email from your account.” There is a basic problem with this statement: the From: field of any email can be ‘spoofed’, which is exactly what spam does. Spoofed means the text in the ‘From:’ field proves nothing; the sender can set it to whatever they want it to look like. (You can change your own From: field as an experiment.) Whether a message really came from your domain is recorded not in From: but in the Authentication-Results header your receiving mail server adds, which shows the SPF, DKIM and DMARC results; if your domain publishes those records, a message spoofing your own address will fail them.

So if your email is “youremail@emaildomain.com”, the spammer can make the message look as if it came from that address.


The other problem the sextortionist has is that they must assume there is a video camera on the computer.

If there is no camera on the computer, how can the video sextortion work?

So the scammer assumes that you:

  1. don’t know about From: spoofing
  2. will ignore the misspellings and bad grammar
  3. visited porn sites
  4. have a working webcam on the computer
  5. at one time used the password included in the email
  6. know enough about Bitcoin, or can learn enough, to transfer money to a Bitcoin address

Those are a lot of assumptions, and on top of that the scammer leaves an electronic trail in Bitcoin: every payment to that address is recorded on the public blockchain, and the way the scammer eventually moves and cashes out the coins can be followed by experienced investigators (we will not go into the details here). The password in the email, incidentally, is usually lifted from an old data breach, which is why it is often an old one. This is why you should go to the Bitcoin Abuse website and file a report (link below).
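As an added example (not part of the original post), here is a small Python triage script that applies the two checks discussed above: it reads the Authentication-Results header the receiving server added (SPF/DKIM/DMARC), compares the visible From: with the envelope Return-Path, and pulls out any Bitcoin address so it can be reported to Bitcoin Abuse. The scam body is the one quoted in this post; the headers, the sender domain mail.example.net, the address 203.0.113.10 and the “legitimate” comparison message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the scam text quoted in the post, wrapped in headers
# made up for illustration. youremaildomain.com is the victim's domain from
# the post; mail.example.net and 203.0.113.10 are placeholder sender values.
SCAM_RAW = """\
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net ([203.0.113.10]) by mx.youremaildomain.com
Authentication-Results: mx.youremaildomain.com; spf=fail smtp.mailfrom=mail.example.net; dkim=none; dmarc=fail header.from=youremaildomain.com
From: <youremail@youremaildomain.com>
To: <youremail@youremaildomain.com>
Subject: Security Notice. Someone have access to you system

As you may have noticed, I sent you an email from your account.
If you want to prevent this, transfer the amount of $770 to my bitcoin address.
My bitcoin address (BTC Wallet) is: 1MrUDSrZiqD3ijxsBUPt2SukoFy534orP2
I give you 48 hours to pay.
"""

# Constructed legitimate counterpart: a genuine note-to-self from the same
# domain, where the receiving server's own checks all pass.
LEGIT_RAW = """\
Return-Path: <youremail@youremaildomain.com>
Authentication-Results: mx.youremaildomain.com; spf=pass smtp.mailfrom=youremaildomain.com; dkim=pass header.d=youremaildomain.com; dmarc=pass header.from=youremaildomain.com
From: <youremail@youremaildomain.com>
To: <youremail@youremaildomain.com>
Subject: Reminder

Pick up the terminal receipts on Friday.
"""

# Legacy (1.../3...) and bech32 (bc1...) address shapes. This is a format
# check only; it does not verify the address checksum.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"
)
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


def auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from Authentication-Results.

    Only the header added by your own receiving server is trustworthy; a copy
    inside a forwarded body could have been written by the sender."""
    header = msg.get("Authentication-Results", "")
    return {k: v for k, v in AUTH_RESULT_RE.findall(header)}


def address_domain(msg, field):
    """Lowercased domain part of an address header (From, To, Return-Path)."""
    _, addr = parseaddr(msg.get(field, ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def find_btc_addresses(text):
    return BTC_ADDRESS_RE.findall(text)


def triage(raw):
    """Classify one raw message and return a dict the caller can log or act on."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    indicators = []

    from_dom = address_domain(msg, "From")
    rp_dom = address_domain(msg, "Return-Path")
    # SPF is evaluated against the envelope sender (Return-Path); a visible
    # From: that does not match it is the classic sign of a forged From.
    if rp_dom and rp_dom != from_dom:
        indicators.append("return_path_mismatch")
    if auth.get("dmarc") == "fail":
        indicators.append("dmarc_fail")
    if auth.get("spf") == "fail" and auth.get("dkim") != "pass":
        indicators.append("spf_fail_no_dkim")
    # "I sent you an email from your account": From: equals To:.
    if parseaddr(msg.get("From", ""))[1].lower() == parseaddr(msg.get("To", ""))[1].lower():
        indicators.append("from_equals_to")

    body = msg.get_payload(decode=True) or b""
    body_text = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(body)
    btc = find_btc_addresses(body_text)
    if btc:
        indicators.append("bitcoin_address")

    spoofed = any(i in indicators for i in ("dmarc_fail", "spf_fail_no_dkim", "return_path_mismatch"))
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "auth": auth,
        "btc_addresses": btc,
        "indicators": indicators,
        "spoofed": spoofed,
        # A spoofed "from yourself" message plus a payment address is the sextortion pattern.
        "sextortion_spam": spoofed and bool(btc),
    }


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_RAW), ("legit", LEGIT_RAW)):
        print(label, triage(raw))
```

Run it against the raw source of a suspicious message (most mail clients have a “show original” or “view source” option) and feed any address it finds to the Bitcoin Abuse report form. The Authentication-Results check only means something when your own domain publishes SPF, DKIM and DMARC records; if it does not, the Return-Path mismatch is still a useful tell.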

One thing people should do is see how many others have received the same message and decide what to do from there. The Internet Storm Center also wrote up one of these (i.e. search Google or startpage.com for a portion of the email and see what comes up).


What did I do, you may ask? Of course you NEVER pay the extortionist. But one can also help fellow Internet denizens reduce this type of email: go to the Bitcoin Abuse website.

Go to the website and file a report with the Bitcoin address included in the email, so that law enforcement and others who track these spammers can start doing something about it.

Or you can view the reports for that Bitcoin address to see how many others have received the same email. Check the FAQ on bitcoinabuse.com.

Above image is from Bitcoinabuse FAQ

We at oversitesentry and fixvirus.com help others with a variety  of Internet Security issues.

Update 02/02/2019 (Groundhog Day): Sextortion Follow the money part 3 – The Cashout begins!

The short story is that the scammers have accumulated a lot of money across 434 Bitcoin addresses and have slowly started moving it into a few addresses, as much as $21.5 million plus $18.5 million. From there the coins will be “mixed” through bestmixer.io so that experts like those in the link above can no longer tell where the money goes (anonymity).

So again please do not pay these scammers if you receive an email like the one included in this blog.

Back To Basics in 2019 – Must Have Cybersecurity Issues

What was different about 2018 that will confound us in 2019?  Is there anything new in 2019 that will cause problems for us?

By ‘us’ I mean businesses trying to keep going with their business lives. I.e. run your business, try to make profits, grow product lines or services.

None of us are in tune with new technologies that can upend the world we live in until it is too late and we have to play catch-up. In 2007, how many people actually bought a smartphone before it was obvious everyone was going to get one?

This next picture is of an IBM Quantum computer as written about in Wired UK among others:

In case you have not heard, your computers and phones are built on an old architecture (from the 50s and 60s). The quantum computer is a new architecture, and for certain classes of problems (factoring, searching, simulation) it can be vastly faster than current binary machines; it is not a general speed-up for everything.

What can possibly be created with a quantum computer?

  1. New cryptography: a large quantum computer running Shor’s algorithm would break today’s RSA and elliptic-curve encryption, which is why post-quantum algorithms are being standardized now (the “unbreakable encryption” often advertised is quantum key distribution, a separate technology)
  2. Artificial Intelligence and Machine learning (similar yet different)
  3. Molecular Modeling and other sophisticated modeling
  4. Optimization programs
  5. Financial Modeling
  6. Sophisticated new attacks on hardened targets

My point is not that a new Armageddon is coming (it may be), but that new days bring new challenges and you have to be ready to take them on.

Most important you must take a little time to review new technologies and techniques to see if these methods can create security headaches for your organization.

Practically, though, the place where we will all get hit is regulation. As more high-profile cyber attacks make inroads into organizations, regulations will make life more difficult (more paperwork).

More paperwork means risk based analysis and scanning / audits of networks and computers.

End result is we need more vigilance even if our computers are in “the cloud”.

The AWS YouTube video above offers some common sense:

The first thing any auditor will want to see is your documentation. What is your documentation? Do you have a security policy? Do your employees read it and sign off on it? I.e. is cybersecurity at least a little bit important to you?

We are in the business of computer cyber audits, to help your business be more secure and thus handle the coming challenges in 2019, wherever they come from (technological or regulatory).

Contact Us to discuss


Is Compliance Enough for Your Company?

If you accept credit cards, you need PCI compliance.

If you handle health data, you need HIPAA compliance.

A financial company has many compliance obligations, depending on the types of financial instruments it sells, and you may need other types of compliance as well.

Unfortunately PCI compliance does not require a backup of your critical business data, so if you have critical data it is up to you to set up processes that ensure it can be recovered if it is corrupted or encrypted by ransomware.

The inability to recover corrupted data is the single most likely reason small businesses fail within six months of a major cybersecurity event.

In 2019 your company could be doing business as usual in January, then in February the right attack could cause problems for your company…  if you are not ready for it, six months later you could be out of business.

Which is why we want to highlight it and make sure you understand how inattention here can cause disaster.

We are here to go over your processes to make sure that this type of disaster does not happen. You can make it go away for a few dollars and attention. That is all it takes.

Contact Us to discuss – Three-One-Four-five -zero-four, three,nine, seven, four.  Leave me a message and I will get back to you.

TonyZ


Unknown Risks – Are you ready for 2019?

Are you ready for new year surprises?

Why is it that 60% of small businesses fail after a major cyber attack? First, the ways attacks arrive:

  1. Spam Email – most attacks come in through well-crafted emails (spear phishing)
  2. Social Engineering – an attacker can use 1 and 4 to call you and craft a sneaky way onto your network.
  3. Darkweb – all information gathered from 1, 2, 4 and 5 ends up here, for sale to other hackers. I.e. a cyber attacker does not need to be an expert at everything, only at 1, and can buy the rest.
  4. Facebook Hacks – or other social media. Hackers use social media to profile you and then use 1 and 2 to attack you.
  5. IoT (Internet of Things) in the House – vulnerabilities go unpatched and attacks come in through IoT devices.
  6. Unknown Zero-Day – a sophisticated attack using a vulnerability nobody has a patch for yet, so it cannot be stopped by patching; only segmentation, least privilege and detection limit the damage.

The 60% figure is per Smallbiztrends.com: 60% of small companies go out of business within six months of a cyber attack.

I want to discuss why that is.

Let’s assume our small business is like most small businesses: living “paycheck-to-paycheck” in a small-biz manner. I.e. there is enough business to make payroll and to do a few things for the business, small changes for new technological improvements (a new computer, new phones, website improvements). But is there enough time and money to overhaul IT cyberdefense? Why overhaul when you can make adjustments, since with adjustments we stay alive and survive another year?

What if an unforeseen attack occurs that we are not ready for, and we have to reconstruct our IT information “from scratch”, i.e. from non-electronic sources? A lot can go wrong, and if expenses run too high or reconstruction takes too long, it is easy to see how the owner might find it easier to close the business than to take on a huge debt. That is why 60% of small businesses go out of business after a successful cyber attack.

The attacks coming into your business are no longer from lone hackers or the neighborhood geek with too much time on his hands. The attackers are sophisticated and operate at scale, and they arrive daily, because it is easy to set up thousands or millions of attacks using databases of information stolen in past breaches and bought on the Darkweb. The hacker uses his computer knowledge and that information to craft sneaky spear phishing attacks. Once on the network, it could be months before you find out what is happening, since he will sell his access to your network to others who are experts at extracting money from you.

So the hacker’s goal is to employ a number of experts over time to infiltrate and eventually extract money through ransomware extortion schemes… FBI news and tips for dealing with ransomware.

New IoT attack examples from Anson McCade’s Twitter feed:


So in the future a crafty, sneaky attacker could control more than your business servers: your fitness devices and more. I.e. pay the hacker $1000 or else…


Contact us to update and overhaul your cyberdefense methods.