10 Tips for Securing Responsive Cyber Coverage

SAN DIEGO—With hacking incidents becoming all too common, risk managers are under increasing pressure to help protect their companies from the inevitable breach. Insurance is an option, but policy forms are still developing. In a session at RIMS 2016, Joshua Gold, a shareholder with Anderson Kill, and Debbie Gramer, director of global risk management at Arrow Electronics, Inc., offered the following 10 tips to risk managers looking to secure the best possible coverage for their organizations.

  1. Be careful with insurance applications.
    Use precise language to convey your exposures to underwriters. Never answer “yes” or “no” to a question that doesn’t really have a yes or no answer.

  2. Retro dates. Hackers can be in systems for days, months or even years, so it is important to push retro dates back as far as possible.
  3. Look for clear policy coverage. Forms and terms change over time as the risks shift. Having clear language can remove ambiguity.
  4. Symmetry with other insurance (e.g., CGL, property). Review existing policies to determine where there may or may not be coverage gaps.
  5. Get endorsements of special coverage needs. If you have exposures from cloud providers and third-party vendors, for example, you will need to specifically address these. Exclusions matter.
  6. If you accept payment cards, be aware of PCI issues and card brand fines and penalties.
  7. Address sub-limit concerns. Losses can be expensive. Make sure sub-limits are adequate.
  8. Beware of breach of contract exclusions.
  9. Beware of conditions on “reasonable” cybersecurity measures. “Reasonable” is a subjective term. Specifically define security measures to remove any grey areas that could lead to a coverage dispute.

  10. Business interruption and reputational damage insurance may be vague but they are becoming more relevant. Business disruption is quickly becoming the most important operational consequence of a hacking incident.
    Make sure you are protected.

Cyber, Regulation Seen as Top Emerging Risks, Report Finds

SAN DIEGO—Forecasting risk is not expected to get easier in the next three years, with cyberattacks and regulation topping the list of emerging risks, according to a new report published jointly by Marsh and RIMS.

The 13th annual Excellence in Risk Management report found that while risk professionals are increasingly relied upon to identify and assess emerging risks, there are still organizational and other barriers to identifying those risks. In fact, nearly half of survey respondents—48%—predicted that forecasting critical business risks will be more difficult three years from now, while just over one-quarter said it would be the same.

“Whether emerging risks are on your doorstep, around the corner, or on the far horizon, they have the potential to catch organizations unaware,” said Brian Elowe, Marsh’s U.S. client executive leader and co-author of the report. “It’s important for risk professionals to maintain awareness of global risk trends, and to make the connection to their organizations’ business strategy.”

Where do risk professionals turn when trying to understand the impacts of emerging risks on their organization? According to the report:
One of the goals of this year’s Excellence survey was to better understand how organizations view the emerging risks facing them, what tools they use and the barriers they face in assessing, modeling, and understanding the risks. According to the findings, a majority of respondents—61%—cited cyber-attacks as the likely source of their organization’s next critical risk. This was followed by regulation, cited by 58% of the respondents, and talent availability, cited by 40% of the respondents.

Based on survey responses and insights from numerous focus group discussions, it became clear that risk professionals generally agree on the importance of identifying emerging risks, and also that there is no clearly established framework for doing so. More can be done to better identify, assess, and manage the impact emerging risks may have on organizations.

For example, a majority—60%—of the risk management respondents said they use claims-based reviews as one of the primary means to assess emerging risks, compared to 38% who said they use predictive analytics.

“The widespread use of claims-based reviews means that a majority of organizations are relying on studying past incidents to predict how emerging risks will behave rather than using predictive analytic techniques like stochastic modeling and game theory to help inform their decision making,” Elowe said.

Survey respondents also cited several barriers to understanding the impact of emerging risks on their business strategy.

Decisions with lack of cross-organization collaboration ranked first among risk professional respondents.

“Lack of collaboration across the organization is still an issue for many risk professionals. On the other hand, breaking down silos has become less of a concern for executives,” said Carol Fox, vice president of strategic initiatives for RIMS and co-author of the report. “Tackling emerging risks often requires creative yet pragmatic approaches. It has to encompass internal cross-functional conversations — formal and informal — around the intersection of risk and strategy, senior-leadership engagement, and tapping into external information sources. Risk professionals are encouraged to broaden the scope and collaboration around emerging risk issues within their organizations.”

According to the report:

As the risk environment becomes increasingly complex and more entwined with financial decisions, risk strategy is increasingly a boardroom issue. As we have seen in past Excellence surveys, senior leaders’ expectations of the risk management department have increased in everything from leading enterprise risk management to providing better risk quantification and analysis.

However, while more is being asked of risk professionals, investment is not necessarily keeping pace. For example, the percentage that say they expect to hire more staff dropped to 25% this year from 37% when we asked in 2015. “We’ve all experienced this elevation of risk management at our institutions, but…as we are battling for budget, it becomes pretty easy for risk management to get pushed over to the side,” said the assistant vice president of risk management at a major university.

The survey is based on more than 700 responses to an online survey and a series of focus groups with risk executives in January and February 2016.

Phishing: Understanding Your Cyber Adversaries

Nearly two years ago, an infamous incident occurred where stolen pictures of celebrities flooded the internet. Originally, it was thought that this was due to an iCloud vulnerability that allowed a brute force attack. But it now turns out it was because of a simple social engineering phishing hack.

Phishing usually involves sending mass emails that masquerade as legitimate communications, coming from a trustworthy source like a big bank or credit card company. The phisher seeks to trick the recipient into clicking on a link or opening an attachment that downloads malware onto the victim’s computer. The malware can then be used for criminal activity including theft of sensitive data or money. While phishers may send thousands of emails, all they need are a few or even one individual to fall for their trick to get into the IT system. It’s easy to forget that security threats aren’t always the work of sophisticated technology geniuses with malevolent intent. As in the case of the celebrity photos, the method was relatively simple. However, it still caused reputational damage.

Cyber attacks don’t appear out of nowhere.

At the beginning and right through development and attack, humans are involved. Recently, we profiled half a dozen types of attackers. We call them the “Unusual Suspects.” An attack might start with the Professional working in the digital shadows seeking to make the most money possible from the damage they cause. Then you’ve got the Mules and Getaways who are on the front line, and will be the first to get caught when the law comes knocking. There are also Activists and Nation State Actors who are looking to change the world or steal information on behalf of their country’s government. And then there’s the Insider leaking sensitive information accidentally or on purpose with malicious intent.

These are just some of the personas BAE Systems recently identified as key threats to businesses, and without them, cybercrime can’t exist.

Wising up to phishing attacks

In the IT space, one of the most common ways cyber criminals target employees of a company is through phishing. In the aforementioned celebrity photos case, court documents said Ryan Collins, 36, of Pennsylvania, hacked more than 100 people. According to reports in the press he used email names like ‘e-mail.protection318@icloud.com’ and asked for password details.

With these credentials, the hacker was able to go through email accounts looking for photos and videos, managing to get into around 50 iCloud accounts and 72 Gmail accounts mostly belonging to celebrities. It’s quite easy to imagine the damage hackers could cause if they got hold of corporate emails – think of the damage the 2014 Sony hack inflicted.

You can’t patch a human

Employees will always be a weak spot, and clever social engineering is leading to more examples of how this weakness can be exploited. The effects can be devastating. For example: a company that collects credit card data from its customers is at risk of a major data breach from a single employee clicking on an email leading to a website laced with malware. The financial and/or reputational damage and the related fines or compensation claims that result could be significant.

At its core, combating social engineering is a human problem that requires human solutions. In certain cases victims may violate policies, but it may often be the case that the rules or training were not clear enough for the employee to know they were doing something that could have serious consequences. And because humans are behind social engineering attacks, they are capable of evolving, matching the way the business world is using technology.

To mitigate against social engineering attacks, there needs to be security awareness and culture from top to bottom. This might mean ongoing training for employees to understand the threats, as well as the right policies and procedures in place. This helps employees understand the risk from social engineering and what role they have in preventing it. Remember, this all has to be done in tandem with putting the right technology in place.

Defeating the Unusual Suspects

Defending against cyber threats is all well and good, but what about catching these Unusual Suspects? This is difficult, because they use sophisticated tactics to escape detection–they are located all over the world, and use secure software to escape detection and remain anonymous, often routing communications through multiple countries to avoid being caught.

Fortunately, this is a case where human fallibility is a good thing–criminals will make mistakes and leave digital fingerprints that sophisticated analytics and forensic analysis can pick up. Finally, don’t underestimate the power of human ingenuity–thanks to the efforts of security professionals, we’re finally getting to a point where the investigation of online crime is being slowly demystified and defenses put in place to mitigate the threat.

Dip, Don’t Swipe: How the EMV Liability Shift Impacts Merchants

More than 575 million chip-cards have been issued by financial institutions to consumers, and you’ve probably been walking around with one in your pocket since June of last year. Since October 2015, merchants may have requested you begin to ‘dip’ rather than ‘swipe’ your card. Why? Although the transition to chip-card technology may be confusing at first, it’s ultimately a benefit to privacy and security.

For merchants, however, the transition to accepting chip-card technology is essential to avoiding what the industry is calling the EMV ‘liability shift.’

What is EMV?

EMV is a global standard for secure credit card transactions utilizing microchip technology embedded in debit and credit cards. The name derives from EuroPay, MasterCard and Visa (EMV), the companies that originally developed the technology.

Although Europe adopted the practice long ago, the United States was late in transitioning to the EMV technology standard.

By the end of 2015, 70% of U.S. credit cards were issued as EMV cards, but only 59% of retail locations were expected to be EMV-compliant.

What is the EMV “liability shift”?

As of Oct. 1, 2015 (2017 for fuel-pump stations), many card brands have instituted a “liability shift” policy to incentivize both merchants and card issuers (banks and credit unions) to transition to EMV technology, which has been shown to increase card security and reduce counterfeit fraud. The liability shift means that between merchants and card issuers, liability for counterfeit card-present transactions resides with the party using the least secure EMV-related technology.

In other words, prior to Oct. 1, 2015, the liability for fraudulent transactions largely fell upon the card issuer. Now, non-EMV compliant merchants could be liable for the costs associated with any chargebacks.

What does EMV mean for merchants?

Consumers were provided their new chip-cards by card issuers, but what are the next steps for merchants? Although 78,000 merchants have already installed EMV chip-activated technology, tens of thousands are still risking exorbitant costs due to fraudulent charges and the ‘liability shift.’

The average cost of an EMV-compliant point-of-sale terminal is around $500. Chip-reading mobile devices such as Square can be purchased for $29-$39. While the initial costs of EMV technology may appear large for some merchants, ultimately merchants will pay far less than the potential fines, penalties and assessments levied by major card brands against non-compliant merchants.

Under Visa’s Global Compromised Account Recovery process (GCAR), for example, Visa can levy an assessment against a non-PCI compliant merchant that suffers a breach, that includes fraud recovery (an amount to reimburse issuing banks for fraud perpetrated on cards subject to a data breach) and operating expense recovery amounts (such as an amount to reimburse issuing banks for the costs to reissue payment cards subject to a data breach). The contractual clauses governing this exposure are generally found in the Merchant Services Agreement (MSA). This portion of a merchant’s exposure is insurable, but not all cyber liability policies respond the same way. It is important to note any breach of contract exclusions or sub-limits pertaining to both PCI Fines/Penalties and PCI Assessments.

Mitigate the risk

The first step to mitigating the risk is to become EMV compliant. While each card brand’s EMV-compliance certification program may vary, in general, merchants must apply for and receive certification through their acquiring bank to become EMV-compliant, which entails three phases:

  • Hardware Certification: installing EMV-enabled terminals that are certified by EMVCo to process payments.
  • Software Certification: implementing payment application software.
  • End-to-end Certification: holistic testing and approval of point-of-sale configuration, where the card brands check and confirm the integrity of the payment chain as a whole.

The certification process and level of involvement will vary across merchants, depending largely upon the size and complexity of the merchant’s business; the timeframe to completion can take anywhere from a few weeks to several months.