Mar 27 2021

The importance of the Statement of Applicability in ISO 27001 – with template

Category: ISO 27k | DISC @ 11:32 am

Chloe Biscoe, 23rd March 2021

Documentation is a crucial part of any ISO 27001 implementation project, and one of the most important documents you need to complete is the SoA (Statement of Applicability).

In this blog, we explain what an SoA is, why it’s important and how to produce one.

What is a Statement of Applicability?

An SoA summarises your organisation’s position on each of the 114 information security controls outlined in Annex A of ISO 27001.

Clause 6.1.3 of the Standard states an SoA must:

  • Identify which controls an organisation has selected to tackle identified risks;
  • Explain why these have been selected;
  • State whether or not the organisation has implemented the controls; and
  • Explain why any controls have been omitted.

Every control should have its own entry, and in cases where the control has been selected, the SoA should link to relevant documentation about its implementation.

Which controls do you need to implement?

Organisations are only required to implement controls that are appropriate to the risks they face. They should determine which controls apply to them by conducting an ISO 27001 gap analysis and risk assessment.

These processes help organisations identify the risks they face, which they can match to the relevant control.

Annex A provides a useful outline of each control. Still, you’ll probably need something more in-depth when it comes to the implementation process. That’s where ISO 27002 comes in. It’s a supplementary standard in the ISO 27000 series, providing a detailed overview of information security controls.

ISO 27002 provides detailed information on each control, explaining how each one works and providing advice on how to implement it.

You’ll therefore benefit from having copies of both standards when creating your SoA.

Why is the Statement of Applicability important?

The SoA is a useful document for everyday operational use because it provides comprehensive coverage of your organisation’s information security measures.

You can refer to it to understand how and why your organisation is tackling certain risks and accepting others.

This is especially important when ensuring continual improvement within your organisation. You can assess whether the controls you’ve implemented are working as intended and assess whether other controls might be more suitable.

Likewise, you can review why you chose to accept risks and determine whether the threat landscape has increased significantly enough to warrant a change.

An SoA also has significant regulatory consequences. If you are investigated for a data breach, you can use the document to demonstrate that your defences were the result of an ISO 27001-compliant risk assessment.


Completing the Statement of Applicability

Completing the SoA can seem like a daunting task, but there are a few things you can do to simplify the process.

For a start, you should consider delegating each part of the process to the relevant person. You can ask someone in the HR department to provide information regarding the way they process personal data, and do the same for IT, marketing and so on.

Breaking it down this way saves time – as you aren’t relying on one person or a small team to understand every part of your organisation. It also makes it easier to understand specific issues that your business faces.

Another way to simplify the SoA is by consulting ISO 27002. This is a supplementary standard that focuses on the information security controls that organisations might choose to implement.

These controls are listed in Annex A of ISO 27001, but whereas that document simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.

Finally, you should consider pooling together the documents you’ve created as part of your ISO 27001 implementation project – namely, the inventory of information assets, the risk assessment and the risk treatment plan.

Each of these documents provides a partial picture of your information security practices, but when you consider them together, you get a much clearer picture, which you can use to inform your SoA.

Save time writing your Statement of Applicability

Those looking for help creating their SoA should take a look at our ISO 27001 Toolkit.

The toolkit includes:

  • A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
  • Simple dashboards and gap analysis tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.

Tags: Statement of Applicability in ISO 27001


Mar 26 2021

Hacking Weapons Systems

Category: Cyber Attack, Cyber War, Cyberweapons, Hacking | DISC @ 1:33 pm

The Cyberweapons Arms Race

Tags: cyberattack, cyberweapons, Hacking, infrastructure, military, national security policy, weapons


Mar 26 2021

70% of organizations recognize the importance of secure coding practices

Category: App Security | DISC @ 10:03 am

A research from Secure Code Warrior has revealed an attitudinal shift in the software development industry, with organizations bucking traditional practices for DevOps and Secure DevOps.


The global survey of professional developers and their managers found 70% of organizations recognize the importance of secure coding practices, with results indicating an industry-wide shift from reaction to prevention is underway.

Dr. Matias Madou, CTO at Secure Code Warrior, said, “We are seeing a fundamental shift in mindsets across the world, as the industry slowly moves from reactive, band-aid solutions rolled out after a breach, to the proactive and human-led practice of writing quality software that is intrinsically free from vulnerabilities right from the very first keystroke.”

“This research shows that ‘secure code’ is becoming synonymous with ‘quality code’ within software development, and security is becoming the responsibility of development teams and leaders—not just AppSec professionals,” he said.

Secure coding practices

Reactive practices like using tools on deployed applications and manually reviewing code for vulnerabilities were the top two practices respondents associated with coding securely.

However, a proactive shift in mindset was evidenced across the globe, with 55% of the developers surveyed also recognising secure coding as the active, ongoing practice of writing software protected from vulnerabilities.

More on: 70% of organizations recognize the importance of secure coding practices

Secure by Design teaches developers how to use design to drive security in software development. 

Tags: DevOps, SecDevOps, Secure Code


Mar 26 2021

Alan Turing’s £50 banknote officially unveiled

Category: cyber security, Information Security | DISC @ 9:25 am

Regular Naked Security readers will know we’re huge fans of Alan Turing OBE FRS.

He was chosen in 2019 to be the scientist featured on the next issue of the Bank of England’s biggest publicly available banknote, the bullseye, more properly Fifty Pounds Sterling.

(It’s called a bullseye because that’s the tiny, innermost circle on a dartboard, also known as double-25, that’s worth 2×25 = 50 points if you hit it.)

Turing beat out an impressive list of competitors, including STEM visionaries and pioneers such as Mary Anning (first to unravel the paleontological mysteries of what is now known as Dorset’s Jurassic Coast), Rosalind Franklin (who unlocked the structure of DNA before dying young and largely unrecognised), and the nineteenth-century computer hacking duo of Ada Lovelace and Charles Babbage.

The Universal Computing Machine

Turing was the groundbreaking computer scientist who first codified the concept of a “universal computing machine”, way back in 1936.

At that time, and indeed for many years afterwards, all computing devices then in existence could typically solve only one specific variant of one specific problem.

They would need rebuilding, not merely “reinstructing” or “reprogramming”, to take on other problems.

Turing showed, if you will pardon our sweeping simplification, that if you could build a computing device (what we now call a Turing machine) that could perform a certain specific but simple set of fundamental operations, then you could, in theory, program that device to do any sort of computation you wanted.

The device would remain the same; only the input to the device, which Turing called the “tape”, which started off with what we’d now call a “program” encoded onto it, would need to be changed.

So you could program the same device to be an adding machine, a subtracting machine, or a multiplying machine.

You could compute numerical sequences such as mathematical tables to any desired precision or length.

You could even, given enough time, enough space, enough tape and a suitably agreed system of encoding, produce all possible alphabetic sequences of any length…

…and therefore ultimately, like the proverbially infinite number of monkeys working at an infinite number of typewriters, reproduce the complete works of William Shakespeare.
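The point made above, that the device stays the same and only the tape and its program change, as an added example that is not code from the Naked Security article: a minimal Turing-machine interpreter that becomes an adding machine or a doubling machine depending solely on the transition table it is given. Both tables, the unary number encoding and the step limit are constructed for this example.

```python
"""Added example, not code from the Naked Security article above: a minimal
Turing-machine interpreter.  The interpreter is the fixed "device"; each
transition table is a different "program".  Loading a different table with
the tape turns the same interpreter into an adding machine or a doubling
machine.  Both machines below are constructed here; numbers are unary."""

BLANK = "_"          # symbol of an unwritten tape cell
HALT = "halt"

def run(program, tape, start="q0", max_steps=10_000):
    """Execute `program` on `tape` and return the final tape contents.

    program maps (state, symbol) -> (symbol_to_write, move, next_state),
    where move is "L", "R" or "N" (stay put).  The head starts on the
    leftmost cell.  The step limit turns a non-halting program into a
    RuntimeError instead of an endless loop: the interpreter cannot decide
    in general whether a program halts, it can only give up.
    """
    cells = dict(enumerate(tape))
    head, state, steps = 0, start, 0
    while state != HALT:
        if steps >= max_steps:
            raise RuntimeError("step limit exceeded; program may not halt")
        symbol = cells.get(head, BLANK)
        if (state, symbol) not in program:
            raise RuntimeError(f"no rule for state {state!r} reading {symbol!r}")
        write, move, state = program[(state, symbol)]
        cells[head] = write
        head += {"L": -1, "R": 1, "N": 0}[move]
        steps += 1
    if not cells:
        return ""
    lo, hi = min(cells), max(cells)
    return "".join(cells.get(i, BLANK) for i in range(lo, hi + 1)).strip(BLANK)

# Program 1: unary addition.  "111+11" -> "11111".  Turn the "+" into a
# "1" (joining the two blocks), walk to the right end and erase one "1".
ADD = {
    ("q0", "1"): ("1", "R", "q0"),      # skip the first operand
    ("q0", "+"): ("1", "R", "q1"),      # join the two blocks
    ("q1", "1"): ("1", "R", "q1"),      # skip the second operand
    ("q1", BLANK): (BLANK, "L", "q2"),  # step back onto the last "1"
    ("q2", "1"): (BLANK, "N", HALT),    # erase it: one too many after the join
}

# Program 2: unary doubling.  "11" -> "1111".  Each "1" is marked "X" and
# a "Y" is appended at the right end; finally every X and Y becomes "1".
DOUBLE = {
    ("q0", "1"): ("X", "R", "q1"),      # mark the next unprocessed 1
    ("q0", "Y"): ("Y", "L", "q3"),      # no 1s left: start clean-up
    ("q0", BLANK): (BLANK, "L", "q3"),  # empty input
    ("q1", "1"): ("1", "R", "q1"),
    ("q1", "Y"): ("Y", "R", "q1"),
    ("q1", BLANK): ("Y", "L", "q2"),    # append one Y for the marked 1
    ("q2", "Y"): ("Y", "L", "q2"),
    ("q2", "1"): ("1", "L", "q2"),
    ("q2", "X"): ("X", "R", "q0"),      # back at the marker, continue
    ("q3", "X"): ("1", "L", "q3"),      # X -> 1, sweeping left
    ("q3", BLANK): (BLANK, "R", "q4"),
    ("q4", "1"): ("1", "R", "q4"),
    ("q4", "Y"): ("1", "R", "q4"),      # Y -> 1, sweeping right
    ("q4", BLANK): (BLANK, "N", HALT),
}

def unary(n):
    return "1" * n

def add(a, b):
    """Same interpreter, ADD program: a + b computed on the tape."""
    return run(ADD, unary(a) + "+" + unary(b)).count("1")

def double(n):
    """Same interpreter, DOUBLE program: 2 * n computed on the tape."""
    return run(DOUBLE, unary(n)).count("1")

if __name__ == "__main__":
    print(run(ADD, "111+11"), add(3, 2))     # 11111 5
    print(run(DOUBLE, "111"), double(3))     # 111111 6
```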

More on: You can extend the halting problem result in important ways for cybersecurity

Tags: Alan Turing


Mar 25 2021

OpenSSL Project released 1.1.1k version to fix two High-severity flaws

Category: Access Control, Cryptography | DISC @ 10:46 pm

Tags: High-severity flaws, OpenSSL


Mar 25 2021

Chrome to Enforce HTTPS Web Protocol (Like It or Not)

Category: Information Security, Web Security | DISC @ 1:58 pm

If you type in securityboulevard.com, Chrome version 90 will send you directly to the secure version of the site. Surprisingly, that’s not what it currently does—instead, Google’s web browser relies on the insecure site to silently redirect you.

That’s slow. And it’s a privacy problem, potentially. This seemingly unimportant change could have a big—if unseen—impact.

So long, cleartext web. In today’s SB Blogwatch, we hardly knew ye.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Making breakfast.

What a Difference an ‘s’ Makes

What’s the craic? Thomas Claburn reports—“Chrome 90 goes HTTPS by default”:

 Lack of security is currently the norm in Chrome. … The same is true in other browsers. … This made sense in the past when most websites had not implemented support for HTTPS.

But these days, most of the web pages loaded rely on secure transport. … Among the top 100 websites, 97 of them currently default to HTTPS. [So] when version 90 of Google’s Chrome browser arrives in mid-April, initial website visits will default to a secure HTTPS connection.

Chrome to Enforce HTTPS Web Protocol (Like It or Not)

Tags: HTTPS Web Protocol


Mar 25 2021

Using memory encryption in web applications to help reduce the risk of Spectre attacks

Category: App Security | DISC @ 10:08 am

The Spectre vulnerability, which stems from vulnerabilities at the CPU design level, has been known for over 3 years now. What’s so interesting about this PoC is that its feasibility for leaking the end-user’s data has now been proven for web applications, meaning that it’s no longer just theoretical.

The vulnerability in affected CPUs has to do with speculative execution, which in certain situations can leave behind observable side-effects and result in data leakage to the attacker. All the attacker needs is a way to execute exploit code in the same executing context as other JavaScript handling sensitive data.

The attacker could use the web supply chain, for instance, presenting itself as a useful library so that victims voluntarily add it to their webpages, or deliberately compromise a third-party library as a way to attack websites that use it. Another vehicle would be to find an injection vulnerability on the website and combine that with the Spectre exploit.

Regardless of the method, the list of victims would be long, as Spectre exploits the JavaScript engines of browsers across several different operating systems, processor architectures, and hardware generations.

Searching for better solutions

Tags: Spectre attacks


Mar 24 2021

Microsoft says China-backed hackers are exploiting Exchange zero-days

Category: Email Security, Zero day | DISC @ 9:58 pm

Tags: Exchange zero-days


Mar 24 2021

Billions of FBS Records Exposed in Online Trading Broker Data Leak

Category: Data Breach, data security, pci dss | DISC @ 4:34 pm

Ata Hakcil led the team of white hat hackers from WizCase in identifying a major data leak on online trading broker FBS’ websites.

The data from FBS.com and FBS.eu comprised millions of confidential records including names, passwords, email addresses, passport numbers, national IDs, credit cards, financial transactions and more.

Were such detailed personally identifiable information (PII) to fall into the wrong hands, it could have been used in the execution of a wide range of cyber threats. The data leak was unearthed as part of WizCase’s ongoing research project that randomly scans for unsecured servers and seeks to establish who owns these servers. We notified FBS of the breach so they could take appropriate action to secure the data. They got back to us a few days later and secured the server within 30 minutes.

What’s Going On

Forex, a portmanteau of foreign currency and exchange, is the process of converting one currency into another for a wide range of reasons including finance, commerce, trading and tourism. The forex trading market averages more than US$5 trillion in daily trading volume. Forex trading may be dominated by banks and global financial services but, thanks to the Internet, the average person can today dabble directly in forex, securities and commodities trading.

In the rush toward online trading though, users have entrusted terabytes of confidential data to online forex trading platforms. With financial transactions being at the core of forex trading, the nature of user data held in these trading databases is highly sensitive. This has made online trading sites a lucrative target for cybercriminals.

FBS, a major online forex trading site, left an unsecured Elasticsearch server containing almost 20TB of data and over 16 billion records. Despite containing very sensitive financial data, the server was left open without any password protection or encryption. The WizCase team found that the FBS information was accessible to anyone. The breach is a danger to both FBS and its customers. User information on online trading platforms should be well secured to prevent similar data leaks.

Billions of FBS Records Exposed in Online Trading Broker Data Leak

Tags: FBS Records Exposed


Mar 24 2021

BlackKingdom ransomware still exploiting insecure Exchange servers

Category: Ransomware | DISC @ 11:50 am

It’s three weeks since the word HAFNIUM hit the news.

The word Hafnium refers to a cybergang who are said to focus on stealing data from pretty much anyone and everyone they can infiltrate, across an eclectic range of industry sectors, and this time they hit a sort-of cybercrime jackpot.

The Hafnium crew, it turned out, not only knew about four zero-day vulnerabilities in Microsoft Exchange, but also knew how to exploit these bugs reliably in order to walk into unprotected networks almost at will.

The Exchange bugs didn’t include a remote code execution (RCE) hole to give the crooks direct and immediate access to a compromised server, but the bugs did allow the crooks to rig up RCE using a trick known as a webshell.

Greatly simplified, the attack goes like this:

  • Exploit the Exchange bugs to write a booby-trapped web file called a webshell onto a vulnerable server.
  • Trigger the booby-trapped web page hosting the webshell to run a PowerShell (or similar) command to download further malware, such as a fully-featured backdoor toolkit.
  • Enter at will and, very loosely speaking, commit whatever cybercrimes are on today’s “to do” list.

BlackKingdom ransomware still exploiting insecure Exchange servers

Tags: BlackKingdom ransomware


Mar 24 2021

What businesses need to know to evaluate partner cyber resilience

Category: Cyber resilience, Vendor Assessment | DISC @ 9:32 am

Many recent high-profile breaches have underscored two important cybersecurity lessons: the need for increased scrutiny in evaluating access and controls of partners handling valuable customer data, and the imperativeness of assessing a third party’s (hopefully multi-layered) approach to cyber resilience.

Given the average number of tech tools, platforms and partnerships today, having a clear and consistent partner evaluation process is critical for the protection of customer data and in limiting overall risk of exposure to cyber attacks. It is not an area where a business can “cut corners” to save time or dollars if the partnership cost seems too good to pass up – the long-term risk is simply not worth the short-term gain.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) included security ratings or scorings as part of its cyber risk reduction initiative. This is significant as it showcases there’s a need for consistent industry measurement to give businesses an objective, quantifiable way of determining an entity’s cyber risk and the level of trust they may incorrectly give to their partners who handle their data. While several agencies and government stakeholders are starting to use security ratings, this idea of a uniform scoring system is still a pretty novel concept that will continue to evolve.

In the meantime, here are four questions businesses should ask when determining a partner’s cyber resilience to reduce the possible risks that come with giving external parties access to sensitive data.

What are your current standards for protecting customer data?

IT Vendor Risk Management A Complete Guide - 2021 Edition by [Gerardus Blokdyk]

Tags: evaluate partner cyber resilience


Mar 23 2021

Accellion Supply Chain Hack

Category: App Security, File Security, Vendor Assessment | DISC @ 11:37 pm

Tags: Hacking, patching, supply chain, vulnerabilities



Mar 23 2021

MITRE ATT&CK® Framework

Category: Attack Matrix | DISC @ 10:56 am

What Is MITRE ATT&CK and How Is It Useful? | From Anomali

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.


Mar 23 2021

Tackling cross-site request forgery (CSRF) on company websites

Category: Web Security | DISC @ 9:42 am

CSRF arises because of a problem with how browsers treat cross-origin requests. Take the following example: a user logs into site1.com and the application sets a cookie called ‘auth_cookie’. The user then visits site2.com. If site2.com makes a request to site1.com, the browser sends the auth_cookie along with it.

Normally this doesn’t matter: if it’s a GET request, the page is served and the same-origin policy stops any funny business. But what if site2.com makes a POST request instead? That request came from the same computer as the valid session and uses the correct authentication cookie. There’s no way to tell the difference, and any state-changing operation can be performed.

During the course of a recent penetration test I noticed that, on the application I was assessing, admins had the ability to add web pages: a pretty reasonable action for the site in question. Unfortunately, the action of adding a page was vulnerable to CSRF. My pen test attack not only created a new page, but also stole administrative credentials from the site, using some unorthodox HTML.

Now, the start of any CSRF attack is always the payload. The first thing to note here is that when an iframe loads, it sends a GET request to whatever is specified in the ‘src’ attribute. Normally this is a standard page, and the content is displayed. But what if you framed a ‘log-off’ page which invalidated your authentication cookie and then redirected you back to ‘index.html’?

Well, turns out it does exactly what it says on the tin, but, importantly, it doesn’t redirect the entire page, only the contents of the iframe. The following code logs a user out without causing a redirect, so any malicious JavaScript injected will still execute.
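The server-side counterpart to the cross-site POST described above, as an added example that is not code from the article: the browser will attach ‘auth_cookie’ to a request that site2.com triggers against site1.com, so the server must not accept the cookie alone as proof of intent. The snippet pairs a per-session anti-CSRF token with an Origin/Referer check; the signing key, session id and the two sample requests are constructed for the example.

```python
"""Added example, not code from the article quoted above: server-side checks
for the cross-site POST the text describes.  The browser attaches
`auth_cookie` to any request aimed at site1.com, including one that
site2.com triggers, so the cookie alone cannot prove the user meant to act.
Two independent checks are shown: a per-session anti-CSRF token and an
Origin/Referer check.  Key, session id and requests are constructed here."""
import hashlib
import hmac
from urllib.parse import urlsplit

CSRF_KEY = b"constructed-demo-key"      # real deployments load this from a secret store
SITE_ORIGIN = "https://site1.com"       # the site from the article's example
SESSION = "s-8f3a"                      # constructed session id held in auth_cookie
SESSIONS = {SESSION: "admin"}           # constructed server-side session table

def csrf_token(session_id):
    """HMAC of the session id: unforgeable without the key, and a token
    copied from another session does not validate for this one."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def token_is_valid(session_id, presented):
    if not presented:
        return False
    # Constant-time compare so the check itself does not leak the token.
    return hmac.compare_digest(csrf_token(session_id), presented)

def origin_is_trusted(headers):
    """Origin (Referer as fallback) must be our own origin.  Browsers set
    these headers themselves; page script on site2.com cannot override them."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False                    # strict policy: no header, no state change
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN

def authorize_state_change(request, sessions=SESSIONS):
    """Decide whether a request may perform a state-changing action such as
    the article's 'add a page'.  Returns (allowed, reason)."""
    if request["method"] not in ("POST", "PUT", "PATCH", "DELETE"):
        return False, "state changes must not be reachable via GET"
    session_id = request["cookies"].get("auth_cookie")
    if session_id not in sessions:
        return False, "no valid session"
    if not origin_is_trusted(request["headers"]):
        return False, "cross-site origin"
    if not token_is_valid(session_id, request["form"].get("csrf_token")):
        return False, "missing or bad csrf token"
    return True, "ok"

def session_cookie_header(session_id):
    """Set-Cookie value.  SameSite=Lax makes the browser withhold the cookie
    on cross-site POSTs in the first place; keep the token check as well."""
    return f"auth_cookie={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"

# Constructed requests, as the server would see them after parsing.
def legit_request():
    """The admin submits site1.com's own 'add page' form."""
    return {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
            "cookies": {"auth_cookie": SESSION},
            "form": {"title": "New page", "csrf_token": csrf_token(SESSION)}}

def forged_request():
    """A form at site1.com submitted from a page on site2.com: the cookie
    rides along, but Origin names site2.com and there is no token."""
    return {"method": "POST", "headers": {"Origin": "https://site2.com"},
            "cookies": {"auth_cookie": SESSION},
            "form": {"title": "evil page"}}

if __name__ == "__main__":
    print(authorize_state_change(legit_request()))    # (True, 'ok')
    print(authorize_state_change(forged_request()))   # (False, 'cross-site origin')
```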

CSRF

Source: Tackling cross-site request forgery (CSRF) on company websites

Rethinking Cross-Site Request Forgery in Light of Big Data

Emerging Trends in ICT Security: Chapter 20. CSRF and Big Data: Rethinking Cross-Site Request Forgery in Light of Big Data (Emerging Trends in Computer Science and Applied Computing) by [Maria Angel Marquez-Andrade, Hamzeh Roumani, Natalija Vlajic]

Tags: cross-site request forgery, CSRF


Mar 23 2021

Taking a Security-First Approach to Cloud Migration

Category: Cloud computing | DISC @ 9:22 am

The pandemic and lockdowns hit their first anniversary mark, and many companies continue to have their employees work from home for the foreseeable future. Over the past year, organizations have seen how important cloud computing is to business operations.

In fact, according to a MariaDB survey, 40% of respondents said that COVID-19 accelerated their migration to cloud, and IDC found that while cloud spending increased slightly during the early months of the pandemic, other IT-related spending decreased.

If nothing else, 2020 showed organizations the advantages of cloud services. Of course, with more cloud use, there is more cloud risk. With almost all cloud teams working remotely, there has been an uptick in security vulnerabilities and a concern that there are ongoing cloud security issues that have yet to be discovered. Organizations are migrating so quickly to the cloud that security is an afterthought, and that has consequences.

Instead, a new Deloitte study recommended, this move to the cloud should work with cybersecurity as a differentiator to gain consumer trust. “An integrated cloud cyber strategy enables organizations to use security in their transformation in a way that promotes greater consumer trust, especially in today’s digital age,” the report stated. Any migration to the cloud should take a security-first approach.

Why Security First?

With an integrated, security-by-design cloud cybersecurity strategy, organizations can use security in digital transformation as a driver rather than as an afterthought, said Bhavin Barot, a Deloitte risk and financial advisory principal in the cyber and strategic risk practice, in an email interview. Leveraging secure design principles during a digital transformation or cloud migration helps organizations in the following ways, Barot added:

  • Incorporating leading-edge, innovative approaches such as intelligent threat detection;
  • Reducing risks related to technology, insider threats and the supply chain;
  • Elevating the DevSecOps posture for developers and engineers; and
  • Establishing a cyber-forward approach that reinforces business objectives, enabling security principles such as zero trust.

Taking a Security-First Approach to Cloud Migration

Tags: cloud computing risks, Cloud Migration, cloud security


Mar 22 2021

Details of a Computer Banking Scam

Category: Cybercrime | DISC @ 11:09 pm

Types Of Online & Banking Frauds And How To Be Safe ?: Online Banking Scams and tips to be safe by [Sayed Mahboob Hasan Hashmi]

Tags: Computer Banking Scam


Mar 22 2021

The MITRE Att&CK Framework

Category: Attack Matrix, Information Security | DISC @ 3:55 pm

A recent article from Gartner states that, “Audit Chiefs Identify IT Governance as Top Risk for 2021.” I agree that IT governance is important, but I question how much the IT governance board understands about the day-to-day tactical risks, such as the current threats and vulnerabilities against a company’s attack surface. How is the tactical risk data being reported up to the board? Does the board understand the current state of threats and vulnerabilities, or is this critical information being filtered on the way up?

If the concept of a hierarchy of needs were extended to cyber security, it may help business owners and risk management teams assess how to approach implementing a risk management approach for the business.

There are three key questions to ask:

  1. How confident are you in your organization’s ability to inventory and monitor IT assets? 
  2. How confident are you in your organization’s ability to “detect unauthorized activity”? 
  3. How confident are you in your organization’s ability to identify and respond to true positive incidents within a reasonable time to respond? 
Source: medium

Layers 1-2 – Inventory and Telemetry – The first two layers are related to asset inventory which is part of the CIS Controls 1-2. How can you defend the vulnerable Windows 2003 server that is still connected to your network at a remote site?

Layers 3-4 – Detection and Triage – These layers are related to a SOC/SIEM/SOAR program which will allow the cyber security team to begin to detect threats through logging and monitoring.

Layers 5-10 – Threats, Behaviors, Hunt, Track, Act – The final layers are threat hunting, tracking and incident response and this is where the MITRE framework is very helpful to identify threats, understand the data sources, build use cases and prepare the incident response playbooks based on real world threat intelligence.

To learn more about what the MITRE Att&CK Framework is, see the source: The MITRE Att&CK Framework

Tags: MITRE Att&CK Framework


Mar 22 2021

FCC Boots Chinese Telecom Companies, Citing Security

The Federal Communications Commission’s (FCC) Public Safety and Homeland Security Bureau on March 12 identified five Chinese companies they said posed a threat to U.S. national security. These companies are: Huawei Technologies Co., ZTE Corp., Hytera Communications Corp., Hangzhou Hikvision Digital Technology Co. and Dahua Technology Co.

The declaration, according to the FCC, is in accordance with the requirements of the Secure and Trusted Communications Networks Act of 2019, which requires the FCC to “publish and maintain a list of communications equipment and services that pose an unacceptable risk to national security or the security and safety of U.S. persons.”

In June 2020, the FCC designated both ZTE and Huawei as national security threats. “… [B]ased on the overwhelming weight of evidence, the Bureau has designated Huawei and ZTE as national security risks to America’s communications networks—and to our 5G future,” said then-FCC chairman Ajit Pai. Pai continued, “Both companies have close ties to the Chinese Communist Party and China’s military apparatus, and both companies are broadly subject to Chinese law obligating them to cooperate with the country’s intelligence services.  The Bureau also took into account the findings and actions of congress, the executive branch, the intelligence community, our allies, and communications service providers in other countries. We cannot and will not allow the Chinese Communist Party to exploit network vulnerabilities and compromise our critical communications infrastructure. Today’s action will also protect the FCC’s Universal Service Fund—money that comes from fees paid by American consumers and businesses on their phone bills—from being used to underwrite these suppliers, which threaten our national security.”

ZTE’s petition for reconsideration in November 2020 was immediately rejected. Huawei also petitioned for reconsideration, and their appeal was rejected in December 2020, after a few weeks of deliberation.

FCC Boots Chinese Telecom Companies, Citing Security

Tags: Chinese Telecom


Mar 22 2021

How to stay ahead of the rise of synthetic fraud

Category: Cyber Attack, Cyber Threats, Cybercrime | DISC @ 9:30 am

There are a number of reasons why synthetic fraud is on the rise, but there are also actions banks and other financial institutions can take to prevent this growing trend from doing damage.

Synthetic fraud on the rise

Banks around the world have faced difficulty in recognizing this type of complex fraud. Synthetic identity fraudsters are expert cybercriminals. They make use of the dark web to acquire legitimate personal information which they then blend with falsified information. They will then use this newly formed identity to establish a positive credit report and spend or borrow until they’ve maxed out their spending abilities.

They will often have multiple synthetic identities in play simultaneously to maximize the impact of their efforts. And it is hard to detect because these synthetic identities even have genuine profiles with the credit bureaus which the fraudsters creatively engineer.

An economic environment primed for fraud

Due to the economic toll the coronavirus pandemic has taken on the world, global GDP growth is expected to be negative this year. As a result, there has been and will continue to be an increase in the size of the banks’ loan portfolios, as businesses that are struggling to manage working capital requirements in a challenging commercial climate seek new lines of credit. The same demand for additional credit is similarly anticipated for retail customers.

As such, it will be easier to hide fraud within an environment where there is more lending activity, a larger portfolio to monitor and more losses to recover. This environment allows criminals to hide inside the noise of economic turmoil, while financial institutions struggle to cope with the sheer volume of applications, overwhelmed with the amount of identity checking they have to undertake.

It will also become harder to differentiate between delinquencies and defaults from genuine customers in distress and deliberate attacks from fraudsters as these loans come due for repayment.

Further, more individuals may be tempted to turn to fraud to maintain their lifestyles in an environment where they’ve lost jobs, financial security and are dealing with other economic difficulties.

How to stay ahead of the rise of synthetic fraud

Tags: synthetic fraud

