<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="0.91">
<channel>
<title>Security Management Partners News</title>
<description>Security Management Partners News Feeds</description>
<link>http://www.smpone.com/</link>
<item>
<title>Key Internet Operator VeriSign Hit by Hackers</title>
<description>(Reuters) - VeriSign Inc, the company in charge of delivering people safely to more than half the world's websites, has been hacked repeatedly by outsiders who stole undisclosed information from the leading Internet infrastructure company.</description>
<link>http://www.smpone.com/News-more-93.html</link>
</item>
<item>
<title>Hacked Companies Still Not Telling Investors</title>
<description>(Reuters) - At least a half-dozen major U.S. companies whose computers have been infiltrated by cyber criminals or international spies have not admitted to the incidents despite new guidance from securities regulators urging such disclosures.</description>
<link>http://www.smpone.com/News-more-92.html</link>
</item>
<item>
<title>Experts Predict Rise in Smartphone Hacking in 2012</title>
<description>Security experts predict 2012 will be a breakthrough year for cyber-attacks on smartphones.</description>
<link>http://www.smpone.com/News-more-91.html</link>
</item>
<item>
<title>FBI Denver Cyber Squad Advises Citizens to be Aware of a New Phishing Campaign </title>
<description>With the holiday shopping season upon us, the FBI Denver Cyber Squad would like to advise citizens of a new spear phishing campaign involving personal and business bank accounts, financial institutions, money mules, and jewelry stores.</description>
<link>http://www.smpone.com/News-more-90.html</link>
</item>
<item>
<title>December 2011 IT Security Newsletter - Social Engineering</title>
<description>Welcome to Security Management Partners' inaugural newsletter! Once per quarter, SMP will publish a newsletter on timely IT security topics--this month the subject is Social Engineering.</description>
<link>http://www.smpone.com/News-more-89.html</link>
</item>
<item>
<title>12/13/11 *Free* Luncheon Seminar-Cambridge, MA:  Social Engineering Risks in the Biopharma &amp; Life Sciences Industries </title>
<description>Please join us for a *free* educational luncheon seminar on security risks to your organization's IT assets resulting from cybercriminals' Social Engineering tactics, featuring Peter Bamber, VP of Information Consulting Services for Security Management Partners, New England's leading IT auditor for the biopharmaceutical and life sciences industries. The presentation will be followed by a roundtable discussion led by Rick McMorrow, Director of IT for PerkinElmer.

What: Complimentary luncheon seminar on social engineering &amp; IT security
Guest Speaker: Rick McMorrow, Director of IT for PerkinElmer
For Who: Biopharma &amp; life sciences IT professionals
Date: December 13, 2011 from 11:30 am - 1:30 pm
Where: ArtBar at the Royal Sonesta Hotel Boston, 40 Edwin Land Boulevard, Cambridge, MA 02142; (617) 806-4122
RSVP: to Michael Kanarellis by Friday, December 9, 2011

Agenda: Social engineering attacks are on the rise... are you certain that your organization's IT assets are as secure as they should be? Are you familiar with the latest social engineering threats and ways to mitigate them? Do you know what your IT peers are doing to protect their data from cybercriminals and social engineering attacks? Do you have a clear incident response program in place and regular training for your employees? If you answered 'no' to one or more of these questions, we encourage you to attend this event! Space is limited to 20 attendees. Please call or email me today.

Michael Kanarellis
Director of Sales, Security Management Partners
M: (978) 239.4441</description>
<link>http://www.smpone.com/News-more-88.html</link>
</item>
<item>
<title>Protecting Your IT Assets from Social Engineering Attacks by Peter Bamber, VP of Information Security Consulting Services    </title>
<description>The Wall Street Journal recently reported "What's a Company's Biggest Security Risk? You." (WSJ, September 26, 2011) More than ever, people are an organization's weakest security link, not technology. Security awareness is paramount to protecting the IT assets of every company and employees must understand the importance of their role in your security program. So, what is Social Engineering and what can you do to prevent financial and information loss?

Social Engineering - Then and Now

Social Engineering uses non-technical or low technology means of exploitation, such as lies, impersonation, tricks and invented scenarios to achieve unauthorized access, potentially breaching a valued system and the information that resides on that system. It used to be that cybercriminals would hack into a targeted company to disrupt services, cause public embarrassment to the company, to get their name in the news, or call attention to a cause. While those threats may still exist, cyberthieves are not just hacking networks, they're now hacking US.

Take, for example, the 2010 security breach at RSA, The Security Division of EMC Corporation. A hacker simply sent 'Phishing' emails to two small groups of employees that looked innocent enough, including a spreadsheet titled "2011 Recruitment Plan". Some of the employees opened the attachment and, by doing so, introduced a virus inside of RSA's network that eventually gave the cyberintruders access to sensitive company data and enabled later attacks against RSA's customers.

While email SPAM filters can help prevent such messages from entering your organization's network, these programs only work once an email domain address has been identified as coming from a potential hacker. Cybercriminals are infinitely faster when it comes to websites and email servers!

What Are Employees Doing Wrong?

Cybercriminals are targeting US, the employee, because we have more opportunities than ever to compromise our companies' information. Not only do workers click on emails from hackers that download viruses and malware that bypass firewalls, but many employees also compromise network security by going to external personal websites, including social media, web mail, and other consumer web-based services by clicking on virus infected links disguised as advertisements. Once the malware is downloaded on the network it collects information, watching for activities such as login to financial institution secure transaction web sites. Malware logs your user id and passwords. It also sees how often you perform certain activities such as balance transfers between banking accounts. In one common scenario, the thieves change the "Transfer To" account so that when an employee conducts a transaction from the organization's main account to a payroll account, the funds are actually transferred into one of the hacker accounts overseas or to one of many money mules. Typically, companies don't discover this breach until several days after the transaction has occurred, and by then the money is long gone.

What Can You Do?

Prevention 101. Social engineering assessments, training and education lead to employee vigilance. Partnering with independent IT audit security consultants, such as Security Management Partners (SMP) is a first step. Companies like SMP offer Social Engineering Assessments. The goal of testing is NOT to confirm the level of the IT auditors' trickery, but to examine and validate your organization's current training and security posture by testing employee comprehension and compliance with existing policies, controls and procedures.

Types of Social Engineering Assessments

There are three main types of social engineering assessments offered by an IT security consultancy:

1) Physical - Physical security is a combination of people, processes, procedures, and equipment to protect resources. IT security consultants work with clients to create a physical social engineering testing plan that makes sense. The testing can be passive such as looking for passwords out in the open and observing physical controls, or more active where the auditor attempts to breach physical security, gain physical access to the premises, obtain records, realize network access, remove equipment, and more.

2) Phone Calls - IT security consultants phone designated personnel in a series of calls, attempting to manipulate employees into performing actions or divulging confidential data such as passwords, usernames, and other useful information that would allow an intruder access to a system and acquire protected information.

3) Phishing Emails - The IT security organization crafts a phishing-style e-mail intended to trick recipients into clicking on a link within a bogus e-mail, either by spoofing the organization's email address (i.e. from sender@smpone.net instead of smpone.com) or by creating an external phishing message (i.e. 'You have received a greeting card'). Emails are sent to multiple individuals in a number of corporate locations identified by the Client.

Moving Forward

There are many steps a company can take in preventing social engineering attacks. Most importantly, an organization must implement improved policies and procedures to protect IT assets. Begin with the basics and be prepared. To name a few suggestions: Put policies and procedures within physical reach of all employees. Identify the correct information required from a caller in order to divulge sensitive company data. Lock your workstation when stepping away. Report someone who doesn't belong. Create policies for use of company computers for personal use. If it's not a business-related email, don't open it! Finally, be sure to conduct annual reviews on and training in company security policies.</description>
<link>http://www.smpone.com/News-more-87.html</link>
</item>
<item>
<title>10/17/11 Luncheon Roundtable-Quincy, MA:  Protecting Your IT Assets from Social Engineering Attacks:  Featuring Guest Speaker Carol Fano, Manager of Network Engineering for the VNA of Cape Cod</title>
<description>IT Executives: You're Invited to a Luncheon Roundtable

On September 26, 2011, The Wall Street Journal wrote: &quot;What's a Company's Biggest Security Risk? You. Employees don't mean to be the primary entry point for hackers. But they are.&quot;

We invite you to join Carol Fano, Manager of Network Engineering from the VNA of Cape Cod, and Peter Bamber, VP of Information Security for Security Management Partners, as we discuss security risks to your organization's IT assets resulting from cybercriminals' Social Engineering tactics.

Date: Wednesday, October 19, 2011
Time: 11:30 am - 1:30 pm
Place: The Tavern at Quarry Hills, Granite Hills Country Club
Address: 100 Quarry Hills Drive, Quincy, MA 02169
RSVP by: Monday, October 17, 2011

Seating is limited, so please call or email Doug Gerth today.

Doug Gerth, Account Executive
Security Management Partners
dgerth@smpone.com
339-222-0382

Agenda
-Examine how non-technical or low technology means of exploitation, such as lies, impersonation, and tricks allow hackers to achieve unauthorized access to your company's critical information assets.
-Learn about the social engineering tests that are available to validate the strength of your policies, the comprehension and compliance of staff, and the viability of technical controls.
-Roundtable discussion of attending organizations' experiences with social engineering.
-Question and answer period with our special guest speaker and VP of Information Security Consulting.</description>
<link>http://www.smpone.com/News-more-86.html</link>
</item>
<item>
<title>10/5/11 Luncheon Roundtable- Stamford, CT:  Protecting Your Information Assets from Social Engineering Attacks</title>
<description>Take a lunch break and learn about security risks to your organization's IT assets resulting from cybercriminals' Social Engineering tactics. We welcome you to join Peter Bamber, Director of Information Security for Security Management Partners, and our special guest speaker, Abigail Smith, member of SMP's Security Council and Director IT Security &amp; Collaboration Services for Purdue Pharma, LLP, as they discuss how non-technical or low technology means of exploitation, such as lies, impersonation, and tricks allow hackers to achieve unauthorized access to your company's critical information assets.

You will learn the social engineering tests that are available to validate the strength of your policies, the comprehension and compliance of staff, and the viability of technical controls.

Seating is limited, so please call or email today.

Date: Wednesday, October 5, 2011
Time: 11:30 am - 1:30 pm
Place: Mitchell's Fish Market Seafood Restaurant &amp; Bar
Address: 230 Tresser Blvd. Stamford, CT 06901, 203.323.3474
RSVP by: Tuesday, September 28, 2011 to:

Bill Lodovico, Account Executive
Security Management Partners
blodovico@smpone.com
860-582-8080 - Office
860-977-5736 - Cell</description>
<link>http://www.smpone.com/News-more-85.html</link>
</item>
<item>
<title>7/29/11 - ACH Fraud:  Comerica Pays Settlement</title>
<description>Despite previously announced plans to appeal last month's ruling in the ACH fraud lawsuit filed by Experi-Metal Inc., Comerica Bank now says it has resolved to pay the $560,000 in damages and close the case. Read the full article here: http://www.bankinfosecurity.com/articles.php?art_id=3905&amp;search_keyword=comerica&amp;search_method=exact</description>
<link>http://www.smpone.com/News-more-84.html</link>
</item>
</channel>
</rss>
