Plan Now for the Political and Risk Landscape Ahead

With a new president in office in 2017, there are sure to be changes ahead for businesses in the United States. Yet of risk professionals surveyed, fewer than half are actively preparing. Organizations are expected to see impact in areas including regulation and enforcement strategies, a new national trade policy, and a potential rollback of Affordable Care Act (ACA) provisions, according to Marsh.

Speakers on Marsh’s webcast, The New Reality of Risk, noted that the new administration appears to favor deregulation across several industries including financial services, although a complete repeal of the Dodd-Frank Wall Street Reform and Consumer Protection Act is unlikely, said Arthur Long, a partner at Gibson, Dunn & Crutcher LLP. The Trump administration is also expected to reduce regulation in the energy industry and others.

Areas to watch, according to the webcast:

  • Regulation and Taxes
    Less regulation and lower taxes are the most significant changes that are expected next year, both of which are expected to benefit businesses, said Michael Poulos, president of Marsh Risk Consulting. A stronger dollar could also help larger companies with extensive operations overseas, while others could benefit from changes in credit and monetary policies.
  • Trade Policy
    Changes in trade policy — including a move away from free-trade agreements — could alter the trade credit market, said Michael Kornblau, Marsh’s US Trade Credit Practice leader. These changes could lead to balance-sheet pressures — including reductions in sales and working capital — on companies with more than half of their revenues outside of the US.
  • Health Care
    Meanwhile, the future of the ACA (commonly referred to as Obamacare) remains uncertain for health care organizations and employers, said Mark Karlson, Marsh’s US HealthCare Practice leader, as transition officials have made sometimes conflicting statements about whether they will pursue repeal, replacement, or amendment of the existing law. If any changes are made to the law, it may be some time before they take effect.
  • Cyber Risk
    The election also highlighted cyber risks for businesses, including the potential threat of hackers and the need to encrypt corporate emails, said Tom Fuhrman, Cybersecurity Consulting and Advisory Services Practice leader at Marsh Risk Consulting. Generally, cyber regulations are expected to focus more on ensuring effective risk management for businesses rather than the existence of specific controls.

Although uncertainty remains about many specific policy changes to be made under the new administration, businesses should be thinking about the potential effects of new policies on their operations. Among other steps, businesses should:

  • Stay up-to-date on policy and regulatory proposals from transition and administration officials and develop a post-election game plan that includes actions and strategies that can be taken in preparation for regulatory changes.
  • Assess how reliant they are on global economic models that could become further strained.
  • Plan to reassess their risk more frequently than they have in recent years, according to Marsh.

Fed Program Initiates Life-Saving Training for Shootings, Terror Attacks

The length of time victims wounded in school shootings and terror attacks must wait for help from an EMT could be minutes or hours—during which time they could bleed to death.

This has happened in a number of cases, including a shooting at an Orlando nightclub in June, when a woman bled to death while waiting for help to arrive.

These incidents have prompted the Department of Homeland Security’s Stop the Bleed campaign, a nationwide initiative to empower individuals to act quickly and save lives in emergency situations. Bystanders are asked to take simple steps to keep an injured person alive until medical care is available.

Security guards, custodians, teachers and administrators are being trained at schools and other places to administer first aid until help arrives.

Stony Brook University Hospital’s trauma center is spearheading training for school districts and colleges across the country. According to the Associated Press:

At a recent training session, paramedics and doctors brought in fake body parts—blood spurting from the wounds—to show staffers of a Long Island school district how to tie tourniquets and pack open wounds with whatever they have.

“Seconds matter. It really can be minutes when you can lose your life,” said Dr. James Vosswinkel, the chief of trauma and emergency surgery at Stony Brook University Hospital, who led the training.

Doctors emphasized that in the critical seconds after an attack it’s important for teachers and other school staff to stay calm and begin assessing injuries. Teachers learned to apply tourniquets in case a student is shot in the arms or legs—using T-shirts or belts, if necessary—and to stick anything they can to pack wounds in the torso.

Stony Brook doctors have reached out to local schools to offer the training, but are looking to expand the program as part of a federal Department of Homeland Security initiative to other schools, colleges and police departments across the country.

“Nobody should die from preventable hemorrhage,” Vosswinkel said.

Retail Data Security: Preparing for the Top Threat for Holiday Breaches

Here’s the question of the season: What is the true cause of the retail breaches we read about year after year? While malware or ransomware may get most of the scary security press, they aren’t in fact the main culprit. The primary cause of most retail breaches is, by far, stolen credentials. These are the usernames and passwords of employees, contractors or partners of a retail firm. Victim firms such as Target Corp., Home Depot, eBay and others have fallen prey to similar attacks in recent years: a trusted insider’s credentials were stolen and hackers used those to access the network. In some cases, the credentialed access led to the installation of malware on card reader systems, while in others, hackers took different paths.

The point is clear, however: the access credentials of trusted insiders are in fact the biggest risk factor for a breach in the retail sector. Verizon’s annual data breach survey, released earlier this year, confirms this, identifying credential attacks as the top source of data breaches: 63% occurred via weak or stolen credentials.

This isn’t a particularly new insight. The Target and Home Depot breaches, both via stolen vendor credentials, happened more than two years ago.

And yet, as the Verizon report indicates, large firms are still quite vulnerable to credential attacks. Why is a credential-based attack so hard to detect? The point of the attack is to impersonate a valid user (an employee, contractor or some other insider) going about his or her daily job. When a financial analyst logs into a financial system using her regular ID and password, for example, we do not expect an alarm to sound.

The retail environment has some unique factors that make detection more difficult.

For example, retailers employ large numbers of seasonal workers, so knowing whether a particular person should be allowed near a secure server in the back room of a store may be difficult. The general buzz and chaos in retail stores may weaken security checks, and the sheer volume of transactions, returns, special orders, and the like can distract employees and open up security gaps.

There are, however, concrete steps that can be taken.

The first is simple: most if not all retailers have two networks, one corporate and one retail (in-store). Human resources, research and development, accounting, and other corporate functions operate on the corporate network. Point of sale systems, cashiers, and store managers operate on the retail network. In theory, these networks are completely walled off from each other, using two-factor authentication and other security systems. A temporary sales clerk should not be able to access the payroll system at corporate headquarters and download employee social security numbers, just as an HR specialist at headquarters should not be able to access the credit card database within a store point-of-sale (POS) server. This is especially sensitive since many retailers haven’t yet rolled out chip-and-pin readers. If a card number is stolen from a POS system, it’s usable in many places.

A basic check would be to ensure that the two-factor authentication system between the corporate and retail networks is working correctly, is updated with patches, and is applied as broadly as possible. However, this is not always the case, and there have been instances where hackers have been able to steal a corporate user’s credentials (using a keylogger or other type of malware) and then bypass the authentication system to connect to hundreds of in-store POS systems. Perhaps the system configuration has “drifted” over time and needs re-certification. This is an easy check on network security risk.

Another step relates to context—in other words, understanding what is normal. As mentioned above, a retailer during the holiday season manages chaos on a daily basis. It is too easy for attacks to slip by without notice during the noise and commotion. Recall the advice given to New Yorkers after 9/11: “If you see something, say something.” While relying on employees to notice unusual behavior is fine, a better approach is to augment humans with smart technology that understands normal behavior and can raise an alarm when behavior is suddenly not normal.

For example, a specialist in IT is accessing hundreds of POS systems in multiple stores via the corporate network. Is that okay? It is hard to say. Perhaps he is doing it as part of a backup process or maybe he is helping restore systems after a failure. Without knowing what is normal for this person, as well as for his peers, it is very difficult to judge the riskiness of his actions. Behavioral analytics systems are built for this problem. They analyze past behavior and build baselines, just as VISA and MasterCard do for every credit card owner. When an employee suddenly starts logging into store POS systems but has never done so before, behavioral baselines can provide the context needed to alert that this user might in fact be a hacker.
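The baseline comparison described above, as an added example that is not part of the original article. The event tuples, user names, peer groups and the 3x ratio are constructed assumptions; days on which a user touched no POS system are simply absent from that user's history.

```python
from collections import defaultdict
from statistics import median

def hosts(first, last):
    return [f"pos-{n:03d}" for n in range(first, last + 1)]

# Constructed sample data (not real logs): (day, user, peer_group, pos_host)
HISTORY = [(d, "dana", "it-backup", h) for d in (1, 2, 3) for h in hosts(1, 6)]
HISTORY += [(d, "eli", "it-backup", h) for d in (1, 2, 3) for h in hosts(1, 5)]
HISTORY += [(1, "fay", "it-helpdesk", "pos-002"), (3, "fay", "it-helpdesk", "pos-002"),
            (2, "gus", "it-helpdesk", "pos-003")]
TODAY = [(4, "dana", "it-backup", h) for h in hosts(1, 6)]      # routine backup run
TODAY += [(4, "hal", "it-backup", h) for h in hosts(1, 5)]      # new team member
TODAY += [(4, "fay", "it-helpdesk", h) for h in hosts(10, 29)]  # 20 unfamiliar hosts

def build_baseline(history):
    """Return (hosts ever seen per user, daily distinct-host counts per user, user -> group)."""
    seen, per_day, group_of = defaultdict(set), defaultdict(lambda: defaultdict(set)), {}
    for day, user, group, host in history:
        seen[user].add(host)
        per_day[user][day].add(host)
        group_of[user] = group
    counts = {u: [len(h) for h in days.values()] for u, days in per_day.items()}
    return seen, counts, group_of

def classify(history, today, ratio=3.0):
    """Label each user active today as 'normal', 'review' or 'alert'."""
    seen, counts, group_of = build_baseline(history)
    todays_hosts, todays_group = defaultdict(set), {}
    for _, user, group, host in today:
        todays_hosts[user].add(host)
        todays_group[user] = group
    verdicts = {}
    for user, accessed in todays_hosts.items():
        new_hosts = accessed - seen.get(user, set())
        own = median(counts[user]) if user in counts else 0
        peer_counts = [c for u, cs in counts.items()
                       if u != user and group_of[u] == todays_group[user] for c in cs]
        peer = median(peer_counts) if peer_counts else 0
        if not new_hosts:
            verdicts[user] = "normal"   # same systems this user always touches
        elif len(accessed) <= ratio * max(own, peer):
            verdicts[user] = "review"   # new systems, but volume is ordinary for user or peers
        else:
            verdicts[user] = "alert"    # new systems at a volume neither user nor peers show
    return verdicts

if __name__ == "__main__":
    for user, verdict in sorted(classify(HISTORY, TODAY).items()):
        print(user, verdict)
```

The backup administrator who touches the same POS hosts every day stays quiet, while the helpdesk account that suddenly reaches twenty unfamiliar hosts is the one that surfaces.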

Retailers are getting better about security every year, improving risk management processes and rolling out new security technologies. Credential attacks remain the top threat for retail breaches, however, and retail firms must both verify their processes and also look to new solutions, such as behavioral analytics, to close the risk gap.

Best Practices for Protecting Against Fraud

In 1987, during arms control negotiations between the United States and the USSR, President Ronald Reagan popularized the phrase “trust but verify.” The maxim is pithy and oft-quoted, but for companies looking to mitigate risk and financial fraud, it should be reworded slightly to “Verify and monitor continuously.”

Fraud is often hard to detect—the Association of Certified Fraud Examiners (ACFE) estimates that the average fraud goes undetected for years. Some of the largest and most damaging frauds, including Bernie Madoff and Allen Stanford, spanned a decade or more. Fraud is also costly; it is estimated that U.S. businesses lose 7% of annual revenues to fraud, and it is responsible for one out of three business failures. The financial implications of fraud are bad enough, but reputational damage can be equally harmful.

Fraud is a potential danger for companies in all industries. In a survey my firm conducted in 2012, nearly 40% of private equity firms said they had experienced fraud. The statistics are sobering, but there is much that companies can do to protect themselves.

The biggest trend we are seeing is that corporate boards are implementing a tip line, which is a great way for employees and others to anonymously report wrongdoing. ACFE studies show 42% of frauds are uncovered through hotlines. You want employees to come forward and tell you what is wrong to give CEOs a chance to fix it. The average EEOC complaint costs between $50,000 and $100,000 in legal fees to settle, not to mention the potential damage to morale and reputation—wouldn’t you want a heads up to fix it before it gets to that?

Instituting rigorous hiring practices, including screening temps and contract workers, is another important tool in preventing fraud. It is not realistic to have the same level of scrutiny for an entry-level employee as you would for a senior executive, but the best way to avoid fraud is by carefully culling the bad apples before they are hired.

Look for criminal or regulatory issues, limited references, job-hopping, trouble making eye contact and a pattern of lawsuits. A number of our clients have begun to ask us to vet their information technology hires. The IT department has access to the most sensitive files and so it is imperative to investigate potential hires in that department.

Every firm should also have a code of conduct, which describes the culture of a company and what is expected of each employee in terms of actions and conduct. Each company is different, but some rules are universal: sexual harassment cannot be tolerated; discrimination against anyone based on color or religion is strictly forbidden; the workplace should be free of illicit drugs and alcohol; and employees cannot accept gifts from customers or vendors. Consequences for violating any of these codes should be clearly spelled out.

A system of basic financial checks and balances is another way to protect against fraud. Even in smaller firms, the same person should not be in charge of both accounts payable and accounts receivable. Larger payments from the company should be signed by two executives. Regular meetings should be arranged with IT officials to ensure that cyber-crime is being monitored at all times.

Also, consider installing security cameras to serve as a deterrent for rogue employees.

In the wake of the Madoff scandal, the role of compliance officers has taken on greater importance. Compliance officers often have a seat at the C-level table and are valuable in helping companies to stay on the right side of regulations. As discussed, however, the best way to prevent fraud is by having several layers of protection.

Preventing fraud is an ongoing endeavor that requires a commitment to maintaining vigilance each day. Some red flags are easier to spot than others. Some of the most common “tells” of disgruntled or risky employees who may commit fraud include:

  • Living beyond their means
  • Financial difficulties
  • Too-close relationships with customers or vendors
  • Secretiveness
  • Drug or alcohol problems
  • Major stressors, like family problems, including divorce and bankruptcies

In the event that fraud is suspected, every company needs to have a playbook to help guide their actions. This should include having a process to address a tip or complaint, leveraging the expertise of investigators and attorneys and following a plan that keeps the company operating with minimum disruption.

The vast majority of companies prefer to keep things quiet and resolve matters in a private setting. No company wants to have one of its employees be the subject of a “perp walk,” where the alleged offender is shown by the media in handcuffs accompanied by police on their way to being charged.

The surge in cyber-crime is proof that fraud never truly disappears; it just changes shape and form. Therefore, it is up to each company to become a hardened target and make fraudsters want to look for an easier mark.