Daily Archives: May 3, 2019

German police shut down one of world’s biggest dark web sites

Arrests in Germany, Brazil and US relate to sale of drugs, stolen data and malicious software

German police have shut down one of the world’s largest illegal online markets in the so-called dark web and arrested the three men allegedly running it, prosecutors said on Friday.

The “Wall Street Market” (WSM) site enabled trade in cocaine, heroin, cannabis and amphetamines as well as stolen data, fake documents and malicious software.


Google CTF 2019 is here



June has become the month where we’re inviting thousands of security aficionados to put their skills to the test...

In 2018, 23,563 people submitted at least one flag on their hunt for the secret cake recipe in the Beginner’s Quest. While 330 teams competed for a place in the CTF Finals, the lucky 10 winning teams got a trip to London to play with fancy tools, solve mysterious videos and dine in Churchill’s old chambers.

This June, we will be hosting our fourth-annual Capture the Flag event. Teams of security researchers will again come together from all over the globe for one weekend to eat, sleep and breathe security puzzles and challenges - some of them working together around the clock to solve some of the toughest security challenges on the planet.

Up for grabs this year is $31,337.00 in prize money and the title of Google CTF Champion.

Ready? Here are the details:


  1. The qualification round will take place online Sat/Sun June 22 and 23 2019
  2. The top 10 teams will qualify for the onsite final (location and details coming soon)
  3. Players from the Beginner's Quest can enter the draw for 10 tickets to witness the Google CTF finals

Whether you’re a seasoned CTF player or just curious about cyber security and ethical hacking, we want you to join us. If you’re just starting out, the “Beginner's Quest” is perfect for you. Sign up to learn skills, meet new friends in the security community and even watch the pros in action. See you there! For the latest announcements, see g.co/ctf, subscribe to our mailing list or follow us on @GoogleVRP.


Threat Roundup for April 26 to May 3

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 26 and May 03. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


The post Threat Roundup for April 26 to May 3 appeared first on Cisco Blog.

Feds Bust Up Dark Web Hub Wall Street Market

Federal investigators in the United States, Germany and the Netherlands announced today the arrest and charging of three German nationals and a Brazilian man as the alleged masterminds behind the Wall Street Market (WSM), one of the world’s largest dark web bazaars that allowed vendors to sell illegal drugs, counterfeit goods and malware. Now, at least one former WSM administrator is reportedly trying to extort money from WSM vendors and buyers (supposedly including Yours Truly) — in exchange for not publishing details of the transactions.

The now-defunct Wall Street Market (WSM). Image: Dark Web Reviews.

A complaint filed Wednesday in Los Angeles alleges that the three defendants, who currently are in custody in Germany, were the administrators of WSM, a sophisticated online marketplace available in six languages that allowed approximately 5,400 vendors to sell illegal goods to about 1.15 million customers around the world.

“Like other dark web marketplaces previously shut down by authorities – Silk Road and AlphaBay, for example – WSM functioned like a conventional e-commerce website, but it was a hidden service located beyond the reach of traditional internet browsers, accessible only through the use of networks designed to conceal user identities, such as the Tor network,” reads a Justice Department release issued Friday morning.

The complaint alleges that for nearly three years, WSM was operated on the dark web by three men who engineered an “exit scam” last month, absconding with all of the virtual currency held in marketplace escrow and user accounts. Prosecutors say they believe approximately $11 million worth of virtual currencies was then diverted into the three men’s own accounts.

The defendants charged in the United States and arrested in Germany on April 23 and 24 include a 23-year-old resident of Kleve, Germany; a 31-year-old resident of Wurzburg, Germany; and a 29-year-old resident of Stuttgart, Germany. The complaint charges the men with two felony counts – conspiracy to launder monetary instruments, and distribution and conspiracy to distribute controlled substances. All three also face charges in Germany.

Signs of the dark market seizure first appeared Thursday when WSM’s site was replaced by a banner saying it had been seized by the German Federal Criminal Police Office (BKA).

The seizure message that replaced the homepage of the Wall Street Market on May 2.

Writing for ZDNet’s Zero Day blog, Catalin Cimpanu noted that “in the midst of all of this, one of the site’s moderators – named Med3l1n – began blackmailing WSM vendors and buyers, asking for 0.05 Bitcoin (~$280), and threatening to disclose to law enforcement the details of WSM vendors and buyers who made the mistake of sharing various details in support requests in an unencrypted form.”

In a direct message sent to my Twitter account this morning, a Twitter user named @FerucciFrances who claimed to be part of the exit scam demanded 0.05 bitcoin (~$286) to keep quiet about a transaction or transactions allegedly made in my name on the dark web market.

“Make it public and things gonna be worse,” the message warned. “Investigations goes further once the whole site was crawled and saved and if you pay, include the order id on the dispute message so you can be removed. You know what I am talking about krebs.”

A direct message from someone trying to extort money from me.

I did have at least one user account on WSM, although I don’t recall ever communicating on the forum with any other users, and I certainly never purchased or sold anything there. Like most other accounts on dark web shops and forums, it was created merely for lurking. I asked @FerucciFrances to supply more evidence of my alleged wrongdoing, but he has not yet responded.

The Justice Department said the MED3LIN moniker belongs to a fourth defendant linked to Wall Street Market — Marcos Paulo De Oliveira-Annibale, 29, of Sao Paulo, Brazil — who was charged Thursday in a criminal complaint filed in the U.S. District Court in Sacramento, California.

Oliveira-Annibale also faces federal drug distribution and money laundering charges for allegedly acting as a moderator on WSM. According to the charges, he mediated disputes between vendors and their customers and acted as a public relations representative for WSM by promoting it on various sites.

Prosecutors say they connected MED3LIN to his offline identity thanks to photos and other clues he left behind online years ago, suggesting once again that many alleged cybercriminals are not terribly good at airgapping their online and offline selves.

“We are on the hunt for even the tiniest of breadcrumbs to identify criminals on the dark web,” said McGregor W. Scott, United States Attorney for the Eastern District of California. “The prosecution of these defendants shows that even the smallest mistake will allow us to figure out a cybercriminal’s true identity. As with defendant Marcos Annibale, forum posts and pictures of him online from years ago allowed us to connect the dots between him and his online persona ‘Med3l1n.’ No matter where they live, we will investigate and prosecute criminals who create, maintain, and promote dark web marketplaces to sell illegal drugs and other contraband.”

A copy of the Justice Department’s criminal complaint in the case is here (PDF).

Cyber News Rundown: FBI Phishing Scam


“FBI Director” Phishing Campaign

A new email phishing campaign has been making its way around the web that claims to be from “FBI Director Christopher Wray,” who would love to assist with a massive wire transfer to the victim’s bank account. Unfortunately for anyone hoping for a quick payday, the $10 million check from Bank of America won’t be arriving anytime soon, unless they are willing to enter more personal information and send it to a Special FBI agent using a Yahoo email address. While most phishing campaigns use scare tactics to scam victims, taking the opposite approach of offering a large payout seems less likely to get results.

Magecart Skimming Script Works on Dozens of Sites

Following the many Magecart attacks of recent years, a new payment skimming script has been found that allows attackers to compromise almost any online checkout page without the need to customize it for the specific site. The script currently works on 57 unique payment card gateways from around the world and begins injecting both the loader and the exfiltration script when the keyword “checkout” is searched for in the address bar.

Scammers Target Google Search Ads

Scammers are now turning to Google Ads to post fake phone numbers, posing as customer support for popular websites such as eBay and Amazon. These phone scammers will often tell those who call that there is something wrong with their account and ask for a Google Play gift card code before they can help. The ads look legitimate, which misleads those who call the phony numbers listed.

Citycomp Data Dumped After Blackmail Attempt

Shortly after discovering that their systems had been breached, Citycomp announced they would not be paying a ransom for a large chunk of stolen client data. Unfortunately for Citycomp, the hackers decided to make the data publicly available after not receiving their requested $5,000. Amongst the stolen data is financial and personal information for dozens of companies for which Citycomp provides infrastructure services, though it may only be an initial dump and not the entire collection.

Email Scam Robs Catholic Church of Over $1.7 Million

The Saint Ambrose Catholic Parish in Ohio recently fell victim to email scammers who took nearly $2 million from the church, which is currently undergoing a major renovation. The scammers targeted the monthly payments made by the church to its construction company by providing “updated” bank information for the payments and sending plausible confirmations for each transfer. The church only became aware of the breach after the construction company called to inquire about two months of missing payments.

The post Cyber News Rundown: FBI Phishing Scam appeared first on Webroot Blog.

What is Phishing? Find Out with Gary Davis on the Latest Episode of Tech Nation

Gary Davis is now a regular contributor on the Tech Nation podcast! In this episode, Gary Davis explains that phishing is more than just an innocent-looking email in your inbox and shares tips to avoid getting hooked.

Moira Gunn:   00:00   I’m Moira Gunn, you’re listening to Tech Nation.

Moira Gunn:   00:06   I was surprised to learn that on the internet nearly three quarters of all cyber attacks start with what’s called a phishing email, or should we say, a fishy email. I was able to speak with regular Tech Nation contributor Gary Davis, the Chief Consumer Security Evangelist at McAfee.

Moira Gunn:   00:26   Now we always hear about phishing.

Gary Davis:     00:27   Yeah.

Moira Gunn:   00:28   It’s P-H-I-S-H-I-N-G.

Gary Davis:     00:31   Yes.

Moira Gunn:   00:32   Phishing.

Gary Davis:     00:33   Phishing with a “p”

Moira Gunn:   00:34   Not like “gone fishing”.

Gary Davis:     00:35   It’s not like gone fishing, but it’s very similar. If you think about how we fish, we put the … The concept is, let’s put a lot of lines in the water and see if we can snag a fish, right?

Moira Gunn:   00:45   Yeah.

Gary Davis:     00:45   So, it’s conceptually fishing, but it’s a different type of fishing.

Moira Gunn:   00:49   It’s phishing for you.

Gary Davis:     00:50   Yes. It’s phishing for the bad guys.

Moira Gunn:   00:52   71% of all cyber attacks start with a phishing email?

Gary Davis:     00:56   Yeah. Yeah. You know, phishing preys on, uh, our nature to, to act on email, right? We get an email, um, and, and quite honestly for, for your listeners, the, where phishing is usually most effective, targeting organizations in particular, is sending something to HR. HR is expecting to get resumes for candidates who are applying for jobs, right? More often than not, those include some sorta malicious payload which will allow them to get behind your firewall, then do something malicious in your company.

Gary Davis:     01:32   So, that’s one of the more popular techniques for, for accessing and trying to get inside a company, but yeah it just, phishing, 71% because, they know what works. They know that, that, that if they write it well enough and it looks like it’s from somebody you know and trust, that you’re gonna do the action they’re looking for, which is gonna la- enable them to get access to the information they’re trying to get access to.

Moira Gunn:   01:56   And, the initial thing they may have asked you for may not seem all that big, like, “Give us all your money,” or-

Gary Davis:     02:03   Yeah.

Moira Gunn:   02:03   “Give us all your passwords,” or, “Give us all your account,” or, “Just click here and we can resolve a fairly benign situation.”

Gary Davis:     02:11   Yeah.

Moira Gunn:   02:11   “Like we need to update the, the month and data on your credit card,” ’cause that frequently happens.

Gary Davis:     02:17   Yeah, yeah.

Moira Gunn:   02:18   You know, that your, your, your, you get a new credit card after a few years, it’s the same everything, it’s just the month and date ab- I was like, “Oh yeah. I guess so, I guess we need to … ”

Gary Davis:     02:26   Yeah.

Moira Gunn:   02:28   And it’s accounting, it’s accounting, from this global firm.

Gary Davis:     02:29   Yeah.

Moira Gunn:   02:31   You know, emailing me and saying you need to update it.

Gary Davis:     02:32   It happened to me a couple of weeks ago. I w- I was in Greece, and I was, went to the, I was staying in the Hilton there, and, you know, the, even though I’d paid using points, they said, “Well, we need a credit card for incidentals.” And they had my credit card on file. Well, typically I’m using a different credit card for, ’cause it’s usually company related, and since I was using points, I was putting it on my personal card. And, and after a little while, they call me, “Hey, look your credit card’s not working.” What do you mean it’s not working?

Gary Davis:     02:59   And, come to find out after I called my bank, it, it’d been such a long time since I accessed the application. You’re right, I got a new credit card, new, uh, expiration date, and I hadn’t updated it. But you’re right, it would be very benign to get, “Oh yeah, I do use that service, um, I should go and change it.” But that’s where d- you, this is where we, we need to change our behaviors, because instead of clicking on that email and just blindly following wherever it leads me, if I was to think, “Well geez, I need to go change my, um, my, my expiration date for Hilton.” I went to my Hilton app, opened that up and changed it in there, instead of trying to follow a link.

Moira Gunn:   03:37   So, they come at you and it’s valid, you have, what you do is you go around the other way-

Gary Davis:     03:43   Exactly.

Moira Gunn:   03:43   Have your own access, in the old days you’d say, “I’m gonna go and see the lady at the bank.”

Gary Davis:     03:46   (laughs)

Moira Gunn:   03:48   “Or the gentleman at the bank.” And now it’s like, no no, don’t go through what informs you-

Gary Davis:     03:53   Exactly.

Moira Gunn:   03:54   Whatever you do.

Gary Davis:     03:55   You think about it, e- every month we get a statement from our bank, right? And I get one from my bank, and, and I am 99.9% sure that that’s a good email. But I have trained myself not to click on that email. Instead I’ll go to my, I’ll login into my bank account, and I’ll look at my account there, because I just, I’ve conditioned myself not to click on links and email. Even if you think it’s from a known good source, because you just never know, that the bad guys are getting so good, it’s what’s called “spoofing”, where you think it’s coming from an organization but they, they’ve changed something ever so slightly that you’re going to someplace you shouldn’t be going.

Gary Davis:     04:33   So, if, if you can just teach yourself or train yourself, when you, when you get an email and you think it’s legitimate and you’re expecting it, and it’s from somebody you’d expect to get a notification from, instead of acting on the email, go directly to the source and interact that way. It’s gonna save you potentially a lot of heartache.

Moira Gunn:   04:51   And to make matters even worse, there’s different kinds of phishing.

Gary Davis:     04:54   Yeah.

Moira Gunn:   04:55   Spear phishing, whale phishing, all have-

Gary Davis:     04:58   Smishing.

Moira Gunn:   04:58   Shmishing.

Gary Davis:     04:58   (laughs)

Moira Gunn:   05:00   Oh my goodness. Okay, let’s go down through them in any order you would like.

Gary Davis:     05:03   Right. Well, well smishing is probably the most, well regular phishing is, is, is simple as sending a bunch of emails out en masse, hoping that somebody’s gonna, you know, take your bait. Um, smishing is actually when they’ll send it to your phone via an SMS or text message. So, imagine getting some sort of account information to your phone, which is not that unlikely. I, almost every place I go now-

Moira Gunn:   05:25   Your, your bill is due.

Gary Davis:     05:26   Yeah, yeah. You click here to pay. “Oh okay, I’m gonna click on it ’cause I, I’m expecting it.” So, getting it on your phone, that’s called smishing. Uh, spear phishing is where you actually do what’s called social engineering, or you try to collect information about a particular group of people, and then use it to target that group.

Gary Davis:     05:44   You know, a good example is, a couple of years ago the, um, I think it was, uh, one of the NBA teams, they had gotten an email from the owner saying, “Oh, send me your user name and password because we got this special thing we wanna do for you.” Well, so they, “Of course, it’s from our owner, it’s got our logo on it.” And we go ahead and send my user name, password, which of course opened up the, the-

Moira Gunn:   06:06   (laughs)

Gary Davis:     06:06   Door, having everybody going doing whatever they want so, but they used a combination of, you know, you know, techniques that use the imagery and the tone and the social engineer- socially engineered information about the players and organization, to go do something like that.

Gary Davis:     06:24   Another, a subset of spear phishing, it’s called whale phishing, and that’s where you, you tend to focus on a high net worth individual, let’s say the CEO or some high level executive in a company using other techniques. So you, let’s say that, you know, that, that they know that the CEO is on vacation, so they, they send an email, spoof the CFO to somebody else in the organization saying, “Well the CEO told me to do this.” So all these mechanics work using high net worth individuals to go do malicious deeds.

Gary Davis:     06:57   Then there’s other types of, of phishing. There’s search engine phishing, where you would basically put up a, a, a fake search site, in order to direct people to your own search results which would in turn take you to fraudulent pages. So there, there are a variety of different techniques around phishing, all of which has the intent of trying to extract information from you, do something that you wouldn’t otherwise do, and/or in a lot of cases they’re trying to install malware on your device of, of some type.

Moira Gunn:   07:30   Now, in all those cases, I guess you could say what we might call the bleeding heart phishing, that’s out there.

Gary Davis:     07:36   It, it happens more than you might know. Whenever there is a, a major event, let’s say there’s a natural disaster, a, um, you know, we saw a lot of traffic around the Boeing Max Eight, when you had those two crashes and there was a lot of pouring out to help those in need, then they would create these fake sites and to lure people and to give them money. Um, that’s another great example.

Gary Davis:     07:59   Big sporting events, the Super Bowl, the World Cup, all these big sporting events see, um, NCAA tournament, all these events, you know, po- everybody knows, or the, the bad guys know that there’s gonna be a lot of attention given to these, so they’re gonna try to leverage those in order to try to get you to do something you wouldn’t wise- you wouldn’t otherwise do.

Gary Davis:     08:20   But that’s a great point, that you almost always try to tie it to something that’s gonna be on your mind, some sort of pop culture reference, that wouldn’t, that wouldn’t, that would motivate you to go do something. And, it’s just, it’s too bad because, you know, people typically are, are engaging with these because they feel like they genuinely wanna help. And then to know that you’re taking of that, our, our good will, I just, uh, it’s just-

Moira Gunn:   08:46   And it’s perfect because you don’t expect anything back.

Gary Davis:     08:48   Yeah. Yeah.

Moira Gunn:   08:48   It’s not like I bought something, where is it? It’s like-

Gary Davis:     08:52   Exactly. Well, in some cases for example, you may have thought, “Well I’m gonna buy tickets to the game,” or the, whatever, where, when you don’t get the tickets that would be, an, a case where that wasn’t true, but you’re right. When it comes to good will, natural disasters, you know, just relief for things that have gone on in the world, you’re right, you’re not expecting anything in return except the, the, the knowledge that you did something good, and that just, it breaks my heart when I hear about things like that.

Moira Gunn:   09:16   You know, this result pre internet, people have been doing this for a long, long, long time.

Gary Davis:     09:21   Yeah. Yeah. Although, the internet has made it very automatic now. I guess the point is the, the barrier to entry to do this has been dramatically reduced, because it’s, it’s, it doesn’t take that much effort to dupe somebody into giving you money that, that, sh- you sh- shouldn’t otherwise be getting.

Moira Gunn:   09:40   And phishing per se isn’t illegal. It’s when you take money for fraudulent ends, that’s when we get into what’s legal and illegal, right?

Gary Davis:     09:48   Well, but by nature phishing it, you’re, you’re trying to access information that you shouldn’t have access to. So I think it’s, it’s, it’s probably out, call it legally gray, but right, and it’s not until you actually give your credit card to a fraudster and something bad happens that, that you-

Moira Gunn:   10:04   When the bad happens-

Gary Davis:     10:05   Yeah.

Moira Gunn:   10:06   They’ve crossed the line.

Gary Davis:     10:07   Yeah. Then they’ll act on it. I, I remember when my identity was stolen way back in the day, um, I remember the, the, the guy who did it lived up in Pennsylvania someplace. And the way it worked back then is, they would, they got a $20,000 credit card, ringing up $18,000 over the course of two days-

Moira Gunn:   10:26   Wow.

Gary Davis:     10:26   And then the bank decided, “Well, we should go check to make sure that this guy is legit.” And, and what they’d used to do, is they would go to electronic goods stores like Best Buy, and they would buy $18,000 worth of electronic goods, then take it to a different Best Buy for cash back. So that’s how they would cash out the, the value of the credit card, knowing that it had a limited life.

Gary Davis:     10:45   And, I remember I, I got a call once, it was from the, the police department in Pennsylvania saying, “We caught the guy, you know, trying to return your goods.” Or, “The goods he bought with your credit card at a Best Buy.”

Moira Gunn:   10:58   (laughs)

Gary Davis:     10:58   And, and, they, and I said, you know, to go, go get the guy. It’s not, it’s just too much work. So, there, there, it’s really hard to motivate law enforcement, ’cause they got other things they gotta focus on. They’ve got, you know, all these other, y- you know, bad criminals doing, you know, physical harm to, to whomever. That, that they…

Moira Gunn:   11:16   And, and much higher ticket items too.

Gary Davis:     11:18   Yeah.

Moira Gunn:   11:19   You know, when they were looking at it, they might have only been looking at five or $600.

Gary Davis:     11:22   Yeah.

Moira Gunn:   11:22   Because they had to go to a lot of Best Buy’s, buy a lot of stuff-

Gary Davis:     11:26   Yeah.

Moira Gunn:   11:26   Return a lot of stuff, going back and forth, it all is pretty small-

Gary Davis:     11:30   Yeah. Exactly.

Moira Gunn:   11:30   In comparison.

Gary Davis:     11:31   Yeah. It’s, ’cause it, the, the identity thief knew not to try to in- to, to return all to one Best Buy, ’cause then that would be a, even a bigger red flag. But you’re right, if I’m a, if I’m loca- local law enforcement, “Eh, it’s just a couple hundred dollars, well I got, you know, drug dealers I gotta go break up, and bad, other bad things. So I’m gonna go focus on that, and really not focus,” so it’s just, it but, you, that doesn’t make you feel like you’re less of a victim.

Gary Davis:     11:55   Nobody wants to be a victim of scam or identity theft. Nobody ever wants to be a victim. We, we, we empathize with victims, ’cause we can put ourselves in their shoes, and it, and that’s unfortunately one of the challenges in our space is, I think a lot of the reasons why people aren’t better about things like password hygiene and, you know, checking their credit history and stuff like that, is because, well they don’t think it’s gonna happen to them, they think it’s gonna happen to somebody else. And because of that, that can be a little bit more relaxing in what I do.

Moira Gunn:   12:24   And it’s not just, uh, your hygiene, you may not be able to prevent it. I was, I stopped off an interstate and bought a couple of things, uh, ah, and gassed up at a little place, but it wasn’t the, one of the really big ones. Just happened to go in there, it was convenient there.

Gary Davis:     12:41   Yeah.

Moira Gunn:   12:41   And we were kind of in the middle of nowhere. And, for some reason, it didn’t take, put this, put this in again. So I put it in again. So, I thought, “Oh they’re probably gonna double charge me.”

Gary Davis:     12:51   Yeah.

Moira Gunn:   12:52   They didn’t double charge me, they took the card and then here I was in Northern California, and within just a few hours, someone in a, in another gas station in San Antonio, Texas, bought $115 worth of towels, shop towels, (laughs) just-

Gary Davis:     13:13   (laughs)

Moira Gunn:   13:13   Windshield wiper stuff, I mean there was just like, “doo doo doo doo doo… [counting up]

Gary Davis:     13:15   Yeah.

Moira Gunn:   13:16   So, $115 worth of that. I don’t know how I could have stopped that.

Gary Davis:     13:21   Uh, you, you can’t. That’s just it. That they’re, part of this is, y- y- we, we can do all we can do to not be a victim online, but I think a big part of the, the educational process is knowing what to do. You know, in that case, knowing to reach out to our credit card immediately and, and stopping any other transactions and, and going through the process. You’re right. There are things like that, that was probably a skimmer, that probably when they scanned it twice, they probably scanned it once for the gas that you actually bought, and there where, you know, you didn’t see it probably going through a different, um, reader.

Moira Gunn:   13:49   And I actually put it in myself.

Gary Davis:     13:50   Oh really? Okay.

Moira Gunn:   13:52   Put it in, take it out, put it in, take it out.

Gary Davis:     13:53   Hmm.

Moira Gunn:   13:53   Yeah.

Gary Davis:     13:56   You’re right.

Moira Gunn:   13:58   They’re always one step ahead.

Gary Davis:     13:59   Well, the, you know, it, it’s, they’re in it to make money, right? It’s a for profit business for lack of a better word. So, they’re always gonna be trying to figure out more effective ways to dupe people into, to, either dupe people or just take advantage of people without their knowledge, and, and do it for as long as they can.

Gary Davis:     14:15   Imagine if you didn’t quickly catch the fact that you were getting charged for stuff in San Antonio, and it went on for a week or so.

Moira Gunn:   14:21   Yeah.

Gary Davis:     14:21   They would just keep on charging, charging, charging, until, you know, either-

Moira Gunn:   14:25   It said no. (laughs)

Gary Davis:     14:26   Yeah. Well, or, or hopefully your bank would it, would realize, “Well hold on, you just used your card in Northern California,” which you would expect, and now that same card is being used to buy something in San Antonio, that, that would, you would think that your, your bank will-

Moira Gunn:   14:39   She travels fast.

Gary Davis:     14:42   (laughs)

Gary Davis:     14:42   Oh yeah.

Moira Gunn:   14:43   But not that fast.

Gary Davis:     14:43   That’s, that’s-

Moira Gunn:   14:43   There you go.

Gary Davis:     14:43   The hypersonic speed for sure.

Moira Gunn:   14:45   Hypersonic. Gary, always a pleasure. Please come back. See you soon.

Gary Davis:     14:49   I’ll do that. Thanks for having me.

Moira Gunn:   14:50   Tech Nation regular contributor Gary Davis is the Chief Consumer Security Evangelist at McAfee, the website where you can check if your email plus password has been compromised is, have I, that’s the letter I, beenpwned.com. With pawned spelled without an A. That’s P-W-N-E-D. So, it’s haveibeenpwned.com, with pawned spelled P-W-N-E-D. And that link will be on the Tech Nation website also.

Moira Gunn:   15:26   Of course when Gary said it during our conversation, he said, “haveibeenpwned.com.” And yes that’s true. Gary is from Texas, and that’s part of his charm.

Moira Gunn:   15:39   For Tech Nation, I’m Moira Gunn.

The post What is Phishing? Find Out with Gary Davis on the Latest Episode of Tech Nation appeared first on McAfee Blogs.

Are Your Passwords Secure Enough?

Today, we'll take a deep dive into passwords, including what vulnerabilities weak passwords can open up and how to improve authentication security.

Online passwords are sensitive data. When they end up in the wrong hands, your private information is at risk. Since cybercriminals are always searching out new ways to break into those online accounts, you need to watch over the passwords to your accounts as if they were your children.

Since we typically access our accounts on a daily basis, using browsers and online apps for our banking and shopping, we need to periodically take some time to manage them, to ensure the security and strength of our passwords.

Here are a few tips to help you do that:

  • Create a unique, strong password of adequate length for each of your online accounts, and change any password promptly if you suspect it has been exposed (NIST SP 800-63B no longer recommends forced periodic rotation), particularly for the accounts you use for transactions.
  • Use a combination of letters, numbers, and symbols to add complexity, but remember that length does more for a password’s strength than any single symbol does.
  • Whenever you can, enable two-factor authentication on your accounts for an added layer of protection.
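To make the tips above concrete, here is an added example (not code from the Trend Micro post or its products) that generates a password with Python’s `secrets` module, estimates its strength from length and character classes, and checks it against breached-password hashes in the k-anonymity “range” style, where only the first five hex characters of the SHA-1 hash leave the client. The breached list is a small constructed stand-in, not real breach data, and the 80-bit threshold is an assumption.

```python
"""Added example (not Trend Micro's code): generate a password, estimate its strength
from length and character classes, and check it against breached-password hashes
without revealing the full hash, the way a k-anonymity 'range' lookup works."""
import hashlib
import math
import secrets
import string

# Constructed stand-in for a breached-password corpus, stored as SHA-1 hex digests.
BREACHED_SAMPLE = ["password", "123456", "qwerty", "letmein", "password123", "Summer2019!"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in BREACHED_SAMPLE}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix5: str) -> set:
    """Stand-in for a k-anonymity range query: the caller sends only the first five
    hex characters of its hash and receives every stored suffix with that prefix,
    so the lookup service never learns which password was checked."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(password: str) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def entropy_bits(password: str) -> float:
    """Upper-bound entropy: length times log2 of the pool of character classes used.
    Only meaningful for randomly generated passwords; see the usage note."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length: int = 20) -> str:
    """Random password from the secrets module; retries until every class appears."""
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def assess(password: str, min_bits: float = 80.0) -> dict:
    """Combine both checks; the threshold is an assumption, not a standard."""
    bits = entropy_bits(password)
    breached = is_breached(password)
    return {"entropy_bits": round(bits, 1), "breached": breached,
            "acceptable": bits >= min_bits and not breached}


if __name__ == "__main__":
    for pw in ("Summer2019!", generate_password()):
        print(pw, assess(pw))
```

Note what the two checks say about “Summer2019!”: it uses all four character classes and scores about 72 bits on the class-count estimate, yet it sits in the breached list, because the entropy estimate only holds for passwords drawn at random. Human-chosen patterns are what attackers try first, which is why the breach check matters more than ticking off character classes.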

To further strengthen your online accounts, you should also use a password manager. Trend Micro Password Manager helps you manage all your online passwords and makes it easy to change them on a regular basis. It syncs your passwords across all your devices, whether they’re PCs, Macs, Android, or iOS devices, generates strong random passwords, and safeguards the vault with AES 256-bit encryption to protect it from attackers.

Used in conjunction with Trend Micro Pay Guard, which is enabled with every installation of Trend Micro Security (Trend Micro Maximum Security subscriptions also bundle Trend Micro Password Manager), you’ll be doing your part to protect yourself from password theft, particularly on financial and banking websites.

The post Are Your Passwords Secure Enough? appeared first on .

Is Pornhub Safe? How to Browse Adult Websites Securely

This is a question we get asked a lot and one which is floating all over the internet too, especially on discussion forums where people can stay anonymous if they want: Is Pornhub safe? Is it a safe site to enter? We decided to address it here since we’d rather let people get their facts straight on cybersecurity directly from the industry instead of scraping for half-truths around the web.

So, is Pornhub safe to browse? What should you do and not do when browsing Pornhub? What are the cybersecurity risks associated with browsing Pornhub? Can you get viruses into your computer? How about malware? What about other adult websites, how safe are those?

What can you do to protect your computer when accessing Pornhub or other adult content websites? How about your privacy, who can see what sites you are browsing and how can you hide your activity?

We’ll answer all these questions and more, right below. Keep scrolling and learn how to stay safe when browsing Pornhub and other adult websites.

Is Pornhub safe to browse for your cybersecurity?

The short answer is no: Pornhub is not completely safe to browse whenever and however you like without taking some necessary precautions. That doesn’t mean that Pornhub is a malware or cybercriminal hub bent on harming its users on purpose, quite the contrary. However, there are risks associated with browsing Pornhub which go beyond the website’s control.

Given that its popularity is so high (there were over 33.5 billion visits to Pornhub last year, according to the website’s official data) and that in many cases its visitors are not necessarily tech-savvy, it’s no wonder that Pornhub can attract cybercriminals bent on using this opportunity.

As we said, Pornhub in itself is safe and strives to stay that way, as a huge business employing lots of tech people tasked with keeping the site secure. But you can still become a target for cybercriminal groups while visiting Pornhub and other adult-themed websites (especially less popular ones, with less developed security policies). This is mostly due to the ads displayed on the site, which come from third-party ad networks the website has little control over.

Unfortunately, the prevalence of malware on porn websites is very high. According to security researcher Conrad Longmore, there’s a 53% chance of encountering malware while browsing Pornhub. Of course, security staff at Pornhub and similar websites do their best to keep the site safe for users and pull malicious ads as fast as possible. But the truth remains that porn sites are still one of the most popular destinations for hackers and uploaders of malicious code.

What Are the Main Cybersecurity Risks of Pornhub?

What can these cybercriminals targeting the visitors of porn sites be after? What are the main risks you are exposed to while browsing?

#1. Trojans

Well, for one, to infect your computer with malware. The most common type delivered through ads on porn websites is the Trojan: a program disguised as something legitimate (a video player, a codec, an update). The initial payload may do little that you notice beyond slowing your system, but that is not the same as harmless: a Trojan typically serves as a gateway, opening a backdoor or downloading more dangerous stuff later.

So even a Trojan that seems to do nothing creates new vulnerabilities in your system, which can then be exploited to bring in more dangerous malware.

#2. Adware

Another kind of unwanted software you can get from the ads displayed on Pornhub or similar websites is adware. Once it takes root on your computer, it will cause more ads and spammy content to be displayed to you even when you’re no longer browsing Pornhub.

This is not just annoying, and not just a drag on your system’s performance; it can also be privacy-infringing, since the ads can be adult-content related. If you share your computer with other family members, you probably don’t want indecent ads popping up when other people are using the device.

#3. Malware or Spyware

Other types of malware which you can contract from clicking ads on Pornhub or similar sites are more dangerous. The cybercriminals behind them can be after your data, and considering the nature of the content you are browsing, this can be very sensitive data related to the type of adult content you are interested in, your online behavior and so on.

Sextortion scams are very common. This is when you get an email from someone claiming to have installed spyware on your computer and filmed you through your webcam while you were browsing adult websites, recording everything you watched. They tell you that unless you send them money (usually in cryptocurrency), they will send this material to your employer, family, friends and so on.

For the most part, these claims are bogus: the senders have no footage and are fishing for users gullible or scared enough to pay. A common trick is to quote an old password of yours, taken from a public data breach, to make the claim look credible. But in some cases, spyware may really be present. Don’t take that chance; make sure you stay safe, first and foremost by having your device protected by a reliable anti-malware solution.

How Safe Are Other Adult Content Websites?

What about other adult websites, besides Pornhub? Are their security risks the same?

Well, for the most part, we should stress again that Pornhub is still overall safe-ish. It’s the content from third parties (ads) that you need to be wary of. The same risks from ads are also true for every other adult-themed site out there, especially those who allow publishers to stream their own content (the ‘tube’ type of porn websites).

This is because such websites make money from allowing advertisers to run embedded ads from traffic networks. In some cases, this embedded content has malicious code included in it. While the host website (the porn website running these ads) removes ads found to contain malicious scripts, it can take a while for these risky ads to get detected.

In the case of lesser-known websites, with fewer employees and fewer security resources in place, the risks may actually be greater than with Pornhub. If another website you’d like to browse is also a huge one, well-known and with millions of users, the risks are probably about the same.

If we’re talking about obscure porn websites, then not only are they more likely to serve malware from third parties (advertisers), but they may be a front for cybercrime themselves.

How to Protect Your Privacy when Browsing Pornhub?

The issue of safety has two aspects: protecting yourself from viruses, extortion, hackers, and so on, rounded up under the umbrella term ‘cybersecurity’ and the second issue of protecting your privacy from everyone around you.

Let’s start by addressing privacy first.

You may be tempted to browse Pornhub incognito to make sure no one but you knows about it. While this can be a partial solution (not to store search history, cookies and so on), incognito browsing is not really private.

Major browsers like Google Chrome and Mozilla Firefox are very upfront about this whenever you open a new incognito or private window.

[Image: browser incognito message]

If your main concern is to prevent the people you live with or share a computer with from finding traces of your online activity, then incognito browsing is ok. But your internet service provider or your employer (if you ever get the bright idea of accessing such websites from your workplace’s network) can still see the list of domains your computer connected to: HTTPS encrypts the pages you load, but the domain name is still visible in your DNS lookups and in the TLS handshake. Anyone with access to your home network who is a bit tech-savvy (the router’s DNS logs, for instance) can figure it out too.

Also, as mentioned above, ads are one of the main sources of malicious code on porn websites. While an ad-blocking browser extension can keep some of the risk at bay, you should know that Chrome disables extensions, ad blockers included, in incognito windows by default. You can turn on “Allow in Incognito” for the extension on the chrome://extensions page so that it keeps working in incognito tabs, but you need to do that yourself.

What else should you remember about your privacy when browsing Pornhub or other porn websites?

Even while browsing incognito, the website you are browsing will still set cookies and collect some data about you for the duration of the session (incognito discards them when you close the window, it does not stop them being sent). This is entirely normal and, in theory, protects your anonymity (they store usage statistics without personally identifiable information). But if the site ever gets hacked, or if you install malicious software by clicking on ads while browsing, this data could be misused or used to identify you.

The tool that does the most for your privacy while browsing Pornhub and other adult websites is a VPN service: it hides the domains you visit from your ISP and from anyone on your local network. It is not complete anonymity, though. The VPN provider now sees that traffic instead, and the website still sets cookies and knows who you are if you log in. Lots of users opt for one in order to stay more anonymous online.

As for the issue of cybersecurity on adult websites as a whole, beyond privacy, here’s how you can make Pornhub browsing safe.

How to Access Pornhub Safely: 5 Tips

First and foremost, learn more about the dangers of the internet and about strengthening your online safety as a whole. It’s never too late to start educating yourself in cybersecurity for laymen. Just being here and reading this guide to Pornhub safety is a great start.

But beyond being simply aware of online risks, here’s what else you can do to stay safe while browsing Pornhub or other adult websites.

#1. Up your protection with a good anti-malware solution

This should be obvious, but to stay safe from malware you need to have active, up-to-date next-generation anti-virus software. A product like our Thor Vigilance is built to block the latest threats and protect your privacy as well.

#2. Go for a traffic filter-based security product (it’s a must!)

Next, and more importantly, traffic filtering is the advanced type of protection you most definitely need. This is especially true if you sometimes browse potentially risky websites like adult-themed ones.


In today’s cybersecurity age, when the methods of hackers are getting more and more sophisticated, traditional anti-virus is not enough anymore. An anti-virus, no matter how good it is, reacts to known threats once they already reach your system. If you’re dealing with an APT (advanced persistent threat) this may be too late.

But a traffic filtering solution, like our Thor Foresight, inspects the traffic itself and can detect threats before they reach your system. Such protective software scans incoming traffic and blocks connections to known malicious domains and malicious code before it gets a chance to target you. This way, even if you accidentally click on a malicious ad while browsing Pornhub, you have an extra layer of protection.

#3. Don’t click on ads while browsing Pornhub

Speaking of ads on Pornhub or other adult websites, don’t click them. While some may be harmless, this is where the dangers associated with porn websites are usually hidden. If you really wish to support your favorite porn website, you can find other ways to do that (like signing up for a premium subscription, for example).

#4. Don’t download anything from adult websites or related pop-ups

If the ads displayed on Pornhub and porn websites, in general, are truly malicious, they will probably try to convince you to download something. They will promise you some more HD content completely free of charge or something similar, on condition that you install some no-name video player, etc. Don’t fall for this trap!

The software such ads are asking you to install is most likely spyware or malware. Don’t install anything and close all browser windows immediately if you are prompted to start a download.

#5. Don’t buy anything (or enter credit card info) from 3rd parties

Under no circumstances should you enter your credit card info while browsing less-known, shady porn websites. You can buy a subscription from the major adult website you are browsing (like Pornhub and similar sites) if you want, this is safe.

But if you start browsing the independent websites of publishers or other websites you reached starting from your initial browsing, be mindful not to enter any sensitive information like credit card data. You may be tempted by a special access offer (either for a major discount or completely free, but only if you create a member account, which also asks for credit card info). Don’t fall for it!

The post Is Pornhub Safe? How to Browse Adult Websites Securely appeared first on Heimdal Security Blog.

Credit Union Sues Fintech Giant Fiserv Over Security Claims

A Pennsylvania credit union is suing financial industry technology giant Fiserv, alleging that “baffling” security vulnerabilities in the company’s software are “wreaking havoc” on its customers. The credit union said the investigation that fueled the lawsuit was prompted by a 2018 KrebsOnSecurity report about glaring security weaknesses in a Fiserv platform that exposed personal and financial details of customers across hundreds of bank Web sites.

Brookfield, Wisc.-based Fiserv [NASDAQ:FISV] is a Fortune 500 company with 24,000 employees and $5.8 billion in earnings last year. Its account and transaction processing systems power the Web sites for hundreds of financial institutions — mostly small community banks and credit unions.

In August 2018, in response to inquiries by KrebsOnSecurity, Fiserv fixed a pervasive security and privacy hole in its online banking platform. The authentication weakness allowed bank customers to view account data for other customers, including account number, balance, phone numbers and email addresses.

In late April 2019, Fiserv was sued by Bessemer System Federal Credit Union, a comparatively tiny financial institution with just $38 million in assets. Bessemer said it was moved by that story to launch its own investigation into Fiserv’s systems, and it found a startlingly simple flaw: Fiserv’s platform would let anyone reset the online banking password for a customer just by knowing their account number and the last four digits of their Social Security number.

Bessemer claims Fiserv’s systems let anyone reset a customer’s online banking password just by knowing their SSN and account number.

Recall that in my Aug 2018 report, Fiserv’s own systems were exposing online banking account numbers for its customers. Thus, an attacker would only need to know the last four digits of a target’s SSN to reset that customer’s password, according to Bessemer. And that information is for sale in multiple places online and in the cybercrime underground for a few bucks per person.

Bessemer further alleges Fiserv’s systems had no checks in place to prevent automated attacks that might let thieves rapidly guess the last four digits of the customer’s SSN, such as limiting the number of times a user can submit a reset request, or imposing a waiting period after a certain number of failed attempts. With only 10,000 possible four-digit values, an unthrottled reset endpoint can be exhausted by a script in minutes.
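To show why the missing throttling matters, here is an added example, not Fiserv’s code and not based on any real endpoint: a toy password-reset handler that, like the flow Bessemer describes, accepts an account number plus the last four digits of the SSN. The same 10,000-guess attack is run against it twice, once with no throttling and once with a lockout after five failures. The sample account and its values are constructed.

```python
"""Added example (not Fiserv's code): a simulated password-reset endpoint keyed on
account number + last four SSN digits, attacked with and without throttling."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample: the account number is the kind of value the 2018 exposure
# made public, so only the four-digit suffix is secret in this flow.
SAMPLE_ACCOUNTS = {"100200300": "4321"}   # account number -> SSN last four


@dataclass
class ResetEndpoint:
    accounts: Dict[str, str]
    max_failures: Optional[int] = None          # None means no throttling at all
    failures: Dict[str, int] = field(default_factory=dict)

    def reset_password(self, account_number: str, ssn_last4: str) -> str:
        """Returns 'reset', 'rejected', 'locked' or 'unknown'."""
        secret = self.accounts.get(account_number)
        if secret is None:
            return "unknown"
        if (self.max_failures is not None
                and self.failures.get(account_number, 0) >= self.max_failures):
            return "locked"                      # the control the lawsuit says was absent
        if hmac.compare_digest(secret, ssn_last4):
            self.failures[account_number] = 0
            return "reset"
        self.failures[account_number] = self.failures.get(account_number, 0) + 1
        return "rejected"


def brute_force_last4(endpoint: ResetEndpoint,
                      account_number: str) -> Tuple[Optional[str], int]:
    """Walk all 10,000 four-digit suffixes against one account.
    Returns (recovered suffix or None, number of requests sent)."""
    for n in range(10_000):
        guess = f"{n:04d}"
        outcome = endpoint.reset_password(account_number, guess)
        if outcome == "reset":
            return guess, n + 1
        if outcome == "locked":
            return None, n + 1
    return None, 10_000


def compare() -> dict:
    """Run the identical attack against an unthrottled and a throttled endpoint."""
    open_endpoint = ResetEndpoint(dict(SAMPLE_ACCOUNTS))
    throttled_endpoint = ResetEndpoint(dict(SAMPLE_ACCOUNTS), max_failures=5)
    return {
        "unthrottled": brute_force_last4(open_endpoint, "100200300"),
        "throttled": brute_force_last4(throttled_endpoint, "100200300"),
    }


if __name__ == "__main__":
    print(compare())
```

Against the unthrottled endpoint the attack recovers the suffix after at most 10,000 requests (4,322 here); against the throttled one it is stopped at the sixth request. Two caveats a practitioner would add: a per-account lockout only helps if every server enforces it (Bessemer’s complaint about the house-number check is exactly that some did not), and it must be paired with per-source rate limiting, because an attacker holding a list of account numbers can still spend five guesses on each of them.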

The lawsuit says the fix Fiserv scrambled to put in place after Bessemer complained was “pitifully deficient and ineffective:”

“Fiserv attempted to fortify Bessemer’s online banking website by requiring users registering for an account to supply a member’s house number. This was ineffective because residential street addresses can be readily found on the internet and through other public sources. Moreover, this information can be guessed through a trial-and-error process. Most alarmingly, this security control was purely illusory. Because some servers were not enforcing this security check, it could be readily bypassed.”

Bessemer says instead of fixing these security problems and providing the requested assurances that information was being adequately safeguarded, Fiserv issued it a “notice of claims,” alleging the credit union’s security review of its own online banking system gave rise to civil and criminal claims.

The credit union says Fiserv demanded it not disclose information relating to the security review to any third parties, “including Fiserv’s other clients (who presumably were affected with the same security problems at their financial institutions) as well as media sources.”

Fiserv did not immediately respond to requests for comment. But Fiserv spokesperson Ann Cave was quoted in several publications saying, “We believe the allegations have no merit and will respond to the claims as part of the legal process.”

Charles Nerko, the attorney representing Bessemer in the lawsuit, said to protect the credit union’s members, the credit union is replacing its core processing vendor, although Nerko would not specify where the credit union might be taking its business.

According to FedFis.com, Fiserv is by far the top bank core processor, with more than 37 percent market share. And it’s poised to soon get much bigger.

In January 2019, Fiserv announced it was acquiring payment processing giant First Data in a $22 billion all-stock deal. The deal is expected to close in the second half of 2019, pending an antitrust review by the U.S. Justice Department.

That merger, should it go through, may not bode well for Fiserv’s customers, argues Paul Schaus of American Banker.

“Banks should take this trend as a warning sign,” Schaus wrote. “Rather than delivering new innovations that banks and their customers crave, legacy vendors are looking to remain relevant by acquiring existing products and services that expand their portfolios into new areas of financial services. As emerging technologies grow more critical to everyday business, these legacy vendors, which banks have deep longstanding relationships with, likely won’t be on the leading edge in every product or channel. Instead, financial institutions will need to seek out newer vendors that have deeper commitments and focus in cutting-edge technologies that will drive industry change.”

This Week in Security News: BEC Attacks and Botnet Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the prevalence and impact of BEC attacks. Also, find out how botnet malware can perform remote code execution, DDoS attacks and cryptocurrency mining.

Read on:

Tech Support Scam Employs New Trick by Using Iframe to Freeze Browsers

Trend Micro discovered a new technical support scam (TSS) campaign that uses an iframe in combination with basic pop-up authentication to freeze a user’s browser.

Cybersecurity Pros Could Work for Multiple Agencies Under Bill Passed by Senate

Skilled federal cybersecurity workers could be rotated among civilian agencies under bipartisan legislation the Senate passed to help fill specific gaps in the workforce. 

New Cybersecurity Report Warns CIOs — ‘If You’re Breached Or Hacked, It’s Your Own Fault’

A new cybersecurity survey conducted by endpoint management specialists 1E and technology market researchers Vanson Bourne questioned 600 IT operations and IT security decision-makers across the U.S. and U.K., and found that 60% of the organizations had been breached in the last two years and 31% had been breached more than once.

AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks, and Cryptocurrency Mining

Trend Micro’s honeypot sensors detected an AESDDoS botnet malware variant exploiting a server-side template injection vulnerability in a collaboration software program used by DevOps professionals. 

U.K. Prime Minister Theresa May Fires Defense Secretary Gavin Williamson Over Huawei Leak

British Prime Minister Theresa May fired Defense Secretary Gavin Williamson, saying he leaked sensitive information surrounding a review into the use of equipment from China’s Huawei Technologies Co. in the U.K.’s telecoms network. 

This Hacker Is Selling Dangerous Windows 0-Day Hacks For Past 3 Years

A report by ZDNet has revealed that a mysterious hacker has been selling Windows zero-day exploits to the world’s most notorious cybercrime groups for the past three years. At least three cyber-espionage groups, also known as Advanced Persistent Threats (APTs), are regular customers of this hacker.

Docker Hub Repository Suffers Data Breach, 190,000 Users Potentially Affected

In an email sent to their customers on April 26, Docker reported that the online repository of their popular container platform suffered a data breach that affected 190,000 users. 

IC3: BEC Cost Organizations US$1.2 Billion in 2018

In the recently published 2018 Internet Crime Report by the FBI’s Internet Crime Complaint Center (IC3), the agency states that in 2018 alone, it received 20,373 BEC/email account compromise (EAC) complaints that racked up a total of over US$1.2 billion in adjusted losses. 

Trend Forward Capital’s First Startup Pitch Competition in Dallas

Trend Forward Capital, in a partnership with Veem, is bringing its Forward Thinker Award and pitch competition to Dallas on May 20. 

BEC Scammers Steal US$1.75 Million From an Ohio Church

The Saint Ambrose Catholic Parish in Brunswick, Ohio was the victim of a BEC attack when cybercriminals gained access to employee email accounts and used them to trick other members of the organization into wiring the payments into a fraudulent bank account. 

Cybersecurity Experts Share Tips And Insights For World Password Day

May 2 is World Password Day. It falls on the first Thursday in May each year and is intended to raise awareness of password best practices and the need for strong passwords.

Confluence Vulnerability Opens Door to GandCrab

A vulnerability in a popular devops tool could leave companies with a dose of ransomware to go with their organizational agility, according to researchers at Trend Micro and Alert Logic.

Were you surprised by the amount of business email compromise complaints the FBI received in 2018? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: BEC Attacks and Botnet Malware appeared first on .

Episode 485 – Tools, Tips and Tricks – DuckDuckGo Privacy Essentials

This week’s tools, tips and tricks episode is about an extension from DuckDuckGo. I have talked about DuckDuckGo in previous episodes. This episode talks about the browser extension and how it will make your browsing activity more secure and private. DuckDuckGo App Be aware, be safe. *** Support the podcast with a cup of coffee […]

The post Episode 485 – Tools, Tips and Tricks – DuckDuckGo Privacy Essentials appeared first on Security In Five.

President Trump Signs EO to Bolster Federal Digital Security Workforce

President Trump has signed an executive order (EO) that seeks to bolster the U.S. federal government’s digital security workforce. On 2 May, President Trump authorized the “Executive Order on America’s Cybersecurity Workforce.” This directive sets out various actions designed to strengthen the federal digital security workforce. For instance, it requires the Secretary of Homeland Security […]

The post President Trump Signs EO to Bolster Federal Digital Security Workforce appeared first on The State of Security.

How to create an ISO 27001-compliant risk treatment plan

An RTP (risk treatment plan) is an essential part of an organisation’s ISO 27001 implementation process, as it documents the way your organisation will respond to identified threats.

It’s one of the mandatory documents you must complete as part of your ISO 27001 implementation project, and forms the final stage of the risk assessment process.

What are your risk treatment options?

Once you’ve completed your risk assessment and defined your risk appetite, you’ll be left with a list of ‘unacceptable’ threats that need to be addressed.

ISO 27001 recommends that organisations take one of four actions:

  • Modify the risk by implementing a control to reduce the likelihood of it occurring. For example, you might address the risk of a work-issued laptop being stolen by creating a policy that instructs employees to keep devices with them and to store them safely.
  • Avoid the risk by ceasing any activity that creates it. This response is appropriate if the risk is too big to manage with a security control. For example, if you’re not willing to take any chances of a laptop being stolen, you might choose to ban employees from using them outside the premises. This option will make things less convenient for your employees but will drastically improve your security posture.
  • Share the risk with a third party. There are two ways you can do this: by outsourcing the security efforts to another organisation or by purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster. Neither option is ideal, because you are ultimately responsible for your organisation’s security, but they might be the best solutions if you lack the resources to tackle the risk.
  • Retain the risk. This option means that your organisation accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.

Selecting appropriate controls

The most common risk treatment option is to modify the risk, because it typically offers the best combination of security and cost.

Organisations can determine the best way to modify a risk by looking at the controls listed in Annex A of ISO 27001. It lists 114 controls, which are split into 14 sections (or ‘control sets’), each one tailored to a specific aspect of information security:

  • Information security policies: how policies are written and reviewed.
  • Organisation of information security: the assignment of responsibilities for specific tasks.
  • Human resource security: ensuring that employees understand their responsibilities prior to employment and once they’ve left or changed roles.
  • Asset management: identifying information assets and defining appropriate protection responsibilities.
  • Access control: ensuring that employees can only view information that’s relevant to their job role.
  • Cryptography: the encryption and key management of sensitive information.
  • Physical and environmental security: securing the organisation’s premises and equipment.
  • Operations security: ensuring that information processing facilities are secure.
  • Communications security: how to protect information in networks.
  • System acquisition, development and maintenance: ensuring that information security is a central part of the organisation’s systems.
  • Supplier relationships: the agreements to include in contracts with third parties, and how to measure whether those agreements are being kept.
  • Information security incident management: how to report disruptions and breaches, and who is responsible for certain activities.
  • Information security aspects of business continuity management: how to address business disruptions.
  • Compliance: how to identify the laws and regulations that apply to your organisation.

Deciding which control to use is relatively straightforward. The ISO 27001 implementation team should meet with a senior employee from the relevant department to agree on the appropriate control.

For example, communications security issues should be discussed with IT, staff awareness issues with HR, and supplier relations with whichever department the third party is working with.

As with all major security decisions, you should run your decisions past senior management.

Once you’ve finalised which controls you should use, you should refer to ISO 27002 to learn more about implementing them.

Before you begin

It’s worth remembering that your RTP must be appropriate to your organisation. Implementing controls takes time, effort and money, so you need to pick your battles carefully.

You almost certainly won’t have the resources to apply controls to every risk, even if they are small controls, such as a new process or policy.

Even a new policy requires a team of people to write and approve it, generate awareness among employees and ensure that the rules are being followed and working as intended.

That’s not to say you should abandon a control if you think that it will be expensive to implement and maintain. However, you should constantly assess whether there’s a less expensive control that could generate similar results.

Help with creating your risk treatment plan

Below is an example of what a risk-based RTP might look like, extracted from our bestselling ISO 27001 ISMS Documentation Toolkit. The toolkit also contains an asset-based RTP template.

[Image: Risk Treatment Plan (RTP) example template, as included in the ISO 27001 ISMS Documentation Toolkit]

Developed by expert ISO 27001 practitioners and used by more than 2,000 clients worldwide, the toolkit includes:

  • A complete set of mandatory and supporting documentation templates that are easy to use, customisable and fully ISO 27001-compliant;
  • Helpful gap analysis and project tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.


The post How to create an ISO 27001-compliant risk treatment plan appeared first on IT Governance Blog.