

Equifax CISO touts company’s transparency as it seeks breach redemption

Source: National Cyber Security – Produced By Gregory Evans

Fresh off a financial settlement over its 2017 data breach that affected roughly half the U.S. population, Equifax is forging ahead with a $1 billion-plus investment in a new security plan — and CISO Jamil Farshchi was eager to tout the credit reporting agency’s progress so far in a session this week at the RSA Conference in San Francisco.

Farshchi, who was hired as CISO in February 2018 after previously helping Home Depot clean up its security practices following its own breach, said that moving forward, the company is focusing on three key pillars: assurance in its data and controls, automation, and generating security awareness among senior leadership as well as lower-level employees, who will be scored on their security practices.

Farshchi asserted that Equifax has already succeeded in improving its corporate culture, controls and compliance, while also partnering with customers and industry organizations to share lessons learned. Indeed, he was particularly effusive about the company’s openness about its recovery efforts so far.

“[I]t is extraordinarily rare for an organization to be transparent about what they’re doing and the initiatives that are underway to be able to transform after that breach,” said Farshchi. “Most organizations, you put your head down, you grind it out and that’s that. The problem with that approach, in my opinion, is that it doesn’t afford the opportunity for everyone else to learn from the things that you’ve gleaned through that crisis event.”

Since the breach, the company has hired more than 1,000 employees in IT and cybersecurity, despite a shortage of talent in this field. The company also had to regain its compliance certifications after losing them as a result of the incident.

“[I]t is infinitely more difficult to be able to regain a certification once you’ve lost it than it is to get it in the first place and certainly to renew it on an annual basis. So we went through a huge effort to do that,” noted Farshchi, who had undergone the experience previously with Home Depot.

Farshchi spent the bulk of his presentation further detailing plans and objectives for improving assurance, automation and awareness.

The assurance component involves maintaining focus on basic fundamentals and regularly testing data controls and the entire security stack to make sure the company is not making false assumptions about its security profile. In essence, Farshchi wants multiple data points that offer a multi-layered view of the network environment, rather than relying on a single source of truth that might be unreliable.

Farshchi cited the company’s migration to the cloud using the Google Cloud Platform, noting the company has instituted assurance on top of its controls there. “So as of today, we can measure around 120 of our controls in that space — and the beauty of it is, unlike an on-prem environment, everything is standardized, so I can know real time, all the time, the effectiveness of every single one of those controls across the entire estate, which is really, really powerful…”

Meanwhile, Equifax’s effort to increase automation — in areas such as risk-scoring and remediation of network weaknesses, for example — is intended to streamline activities and get controls in place faster by relieving IT employees of burdensome, time-consuming manual processes. Farshchi asserted that the company is not trying to displace employees or downsize, but rather optimally leverage its employees.

Finally, to improve awareness, Farshchi’s team is instituting measures to better communicate with Equifax’s board of directors and the general workforce.

For the former, the team has developed a framework designed to plainly communicate current security goals and posture to senior leadership. The framework includes a control map that details what controls the company has already implemented, as well as the predominant threat vectors Equifax must watch out for. This allows the directors to see where the company is best protected, where risk still exists and how the security team intends to reduce that risk. Equifax plans to open source this framework for other organizations to use.

To address the general workforce, the company is instituting a system to score employees on their security practices, much as it rates consumers’ credit scores. For example, if employees click through on a simulated phishing email, that will adversely affect the scorecards they receive on a monthly basis, and hopefully influence more responsible behavior in the future.

“We’re doing this because our DNA in Equifax is obviously credit scoring and so we know how to do analytics… on this and we’re just applying that same skill set to this problem,” said Farshchi.


Local company’s system hacked; employee info stolen


Green Bay Police say they are investigating the hacking of a local corporation’s computer network, resulting in the theft of “significant amounts of money” from victims in the organization.

Police did not immediately identify the company that was attacked. Action 2 News will work to find that out.

Officers say the hackers stole human resources information.

“In this case, it appeared the cyber actors utilized a known vulnerability to access the company’s computer systems and human resources software to steal personal identifying information from employees,” reads a statement from Capt. Jeremy Muraski.

Police say the vulnerability was a known issue for which a security patch was available but had not been installed.

“This incident demonstrates how vital it is to maintain public facing computer systems with the latest security patches from the server companies as cyber actors will attempt to use exploits as long as they are finding vulnerable systems,” reads the statement from Capt. Muraski.



These days, everyone is on social media, and customers expect you to be too. No matter what industry you’re in, if you don’t have a social media presence, you may not be visible or accessible to a large proportion of …

Hackers intercept NZ taxidermy company’s invoices, trick clients


A South Canterbury business has been hit by hackers who intercepted its invoices and prompted clients to deposit money into foreign bank accounts.

Kerry O’Rourke, a part-owner in Pleasant Point’s O’Rourke Brothers Taxidermy, said so far only one of O’Rourke’s clients has been sucked into the scam, losing “probably about €2000 ($3583) into an account”.

“We first realised something was amiss with our emails when we got rung up by an English client who we were sending some mounts to. He had paid his money into an English Building Society account supposedly that we’d sent him, which we hadn’t sent him.

“It probably wouldn’t be legal to do what I want to do to them. It’s a thing you can’t do anything about until it’s happened.”

O’Rourke said his reaction was to immediately alert the rest of his overseas clients.

“We got in contact with all our other foreign clients who we had invoices out to by email. Some of them have been approached (by the hackers). Our emails have been intercepted and reconstructed giving them Russian bank accounts.

“So it’s a network that’s fairly global thievery,” O’Rourke said.

O’Rourke said he was still to hear from some offshore clients who have […]
