What is the difference between Penetration Testing and Vulnerability Assessment?

For pentester VSEC - BLOG

Among the many forms of security assessment, Penetration Testing and Vulnerability Assessment are the two most familiar and most widely used. Although their functions, methods and implementation techniques differ, both aim at the same final result: evaluating the security strength of a system.

To make it easier for businesses to choose the form of security assessment that suits them, we list some basic differences below.

The difference between Penetration Testing and Vulnerability Assessment (Source: VSEC)

What is Vulnerability Assessment (or ​​VA)?

True to its name, a VA is a form of security assessment through which a business can find as many vulnerabilities as possible. With a VA, the organization prepares for cyber-attacks on its system by identifying, classifying and resolving security risks, with guidance on minimizing those risks in the best way.

Recommendation: the unit in charge of the VA may not have specialized personnel, and the managed system may not be equipped with many security tools, but it should have a clear goal of checking the system for vulnerabilities so that appropriate recommendations can be made.

The basic form of VA that these units perform usually focuses on security assessment of websites, applications and the rest of the business's information technology infrastructure.

Why is a Vulnerability Assessment needed?

Information security experts recommend that businesses carry out a VA as soon as possible, because the core systems of the business need to be secured to the maximum extent before they are expanded or upgraded in step with business growth. Here are four basic reasons:

Firstly, a VA helps identify threats and weaknesses in IT system security early.

Secondly, after a VA, the IT department can take corrective actions to close vulnerabilities and protect sensitive information systems.

Thirdly, a VA helps businesses implement and meet compliance requirements and applicable cybersecurity regulations such as HIPAA and PCI DSS.

Fourthly, a VA helps protect against data breaches and unauthorized access.

Should a business perform Penetration Testing only if it has a dedicated security or information management team?

Not entirely. Assessment and testing by security experts goes quite deep into the business's IT system in order to detect potential weaknesses and assess the security level of the system. There are many models and methods of security assessment for a business to choose from to minimize the risk of its security structure being broken, such as Pentest as a Service, Network Pentest, Web Application Pentest, Mobile Application Pentest, API Pentest, etc.

In most cases, businesses that need to test their team's defenses will choose Penetration Testing or even a Red Team exercise to test the system's capabilities and the professional qualifications of their own staff.

However, whichever form is selected, businesses need to set clear goals, principles and limits for the form of attack, so that risk is managed throughout the security assessment.

Cyber security & frequently asked questions

Security for Newbie

Cyber security is one of the important issues for units operating on digital platforms. In this article, VSEC will provide you with frequently asked questions when you are new to the field of Information Security.

1. What is cyber security?

– Cyber security is the practice of protecting computers, servers, mobile devices, electronic systems, networks, and data from malicious threats. It is also referred to as information security or electronic information security. The term applies in many contexts and can be divided into several common categories, as below:
– Application security: focuses on keeping software and devices free from threats. A compromised application may provide unauthorized access to the data it is designed to protect. Security should be built in from the design phase, before a program or device is deployed.
– Information security: protects the integrity and privacy of data, both in storage and in transit.
– Operational security: includes the processes and rules for handling and protecting data assets. The permissions users have when accessing the network, and the procedures that determine how and where data may be stored or shared, fall within the scope of this protection.
– Incident recovery and business continuity: determine how an organization responds to a cybersecurity incident or any other event that causes loss of operations or data. Incident recovery policies dictate how an organization restores its operations and information to the same state of functioning as before the incident. Business continuity is the plan the organization falls back on when it has to operate without certain resources.
– End-user education: addresses the most unpredictable cyber security factor: people. Anyone can accidentally introduce a virus into an otherwise secure system by not following good security practices. Teaching users to delete suspicious email attachments, not to plug in unidentified USB drives, and other important lessons is crucial for any organization's security.

2. Who or which organization can be attacked?

The reality is that in today's world, every organization is at risk of cyber attack. The digital revolution is driving innovation in business, but it also brings new threats that organizations must face. Exciting new technologies such as virtualization, AI and cloud help organizations integrate more and reduce costs, but they also come with risks and the potential for exploitation. The more avenues there are to explore, the more cyber attacks organizations must confront.

However, for many businesses, the concept of cyber security remains quite vague and complex. Although it may be part of a strategic program, what does it truly mean? And what can organizations do to strengthen their defense systems and protect themselves from cyber threats? A common misconception is that cyber attacks only happen to certain types of organizations, such as well-known technology companies or financial institutions. However, the truth is that every organization has valuable assets at stake.

The losses from cyber attacks are significant. Tangible costs include stolen money, damaged systems, legal expenses, and financial compensation for affected parties. However, what can be even more damaging are the intangible costs—such as loss of competitive advantage due to stolen intellectual property, loss of trust from customers or business partners, loss of integrity because of breached digital assets, and overall damage to the organization’s reputation and brand—all of which can have a profound impact and, in extreme cases, even lead to a company ceasing operations.

3. What is Ransomware?

Ransomware is malicious software that uses encryption to hold the victim's information hostage, most commonly for ransom money. The critical data of users or organizations is encrypted so that they cannot access their files, databases or applications, and payment is demanded in return for restoring access.
Ransomware is often designed to spread across networks and target databases and file servers, so it can quickly cripple an entire organization. Ransomware threats are increasing, causing damages amounting to billions of dollars paid to cybercriminals by businesses and government organizations all over the world.

4. Black hat and White hat?
A hacker is an individual or organization who uses their skills to breach cyber security defenses. In the world of cyber security, hackers are often classified by "hat". This convention may have originated in old cowboy movies, where the good characters typically wore white hats and the bad characters wore black hats.
There are three main "hats" in cyberspace:

– White Hat: a white hat is like Marvel's Captain America. They stand up to protect the truth, people and organizations in general by actively identifying and reporting vulnerabilities in systems before bad actors find them. They often work for organizations in roles such as cyber security engineer, penetration tester, security analyst, CISO (Chief Information Security Officer) and other security positions.

– Grey Hat: DC's Dark Knight and grey-hat hackers have a lot in common. Both aim to protect the truth but employ their own methods to do so.
Grey-hat hackers sit between white-hat and black-hat hackers. Unlike white hats, they do not ask permission before attacking systems, but they also do not carry out illegal activities as black-hat hackers do. Grey hats have a controversial history, and some have even gone to prison for their actions.

– Black Hat: the Joker is the closest comparison to black-hat hackers. They engage in illegal activities for financial gain, for the challenge, or simply for entertainment. They seek out vulnerable systems, exploit them, and use them to gain whatever advantage they can.
They use both technical and non-technical means, as long as they achieve their ultimate objectives.

5. Why do hackers hack?

Hackers are individuals or organizations who gain unauthorized access to information technology systems with a specific objective, such as gaining prestige by shutting down computer systems, stealing money, or causing network disruption. The experience gained from these attacks and the satisfaction derived from successful attacks can become an addiction. Common reasons for launching attacks include reputation, curiosity, revenge, boredom, challenge, theft for financial gain, sabotage, corporate espionage, extortion, etc. Hackers frequently cite these reasons to explain their actions. Furthermore, a very common scenario is hackers stealing data in order to assume identities and then using that data for other purposes, such as borrowing money, transferring money, etc. Such incidents have increased with the popularity of mobile banking and internet banking services.

6. How to secure your private data?

Below are some tips to ensure your personal information does not fall into the hands of wrongdoers.

a. Create strong passwords

When creating passwords, think beyond easily guessable words or numbers that cybercriminals might easily figure out, such as your date of birth. Choose a combination of lowercase and uppercase letters, numbers, and symbols and change them regularly. You should also use a unique password instead of using the same one across multiple websites. If you are worried about remembering too many passwords, a password manager tool can help you keep track.

b. Avoid oversharing on social media

We all have a friend who posts too many details about their life online. This is not only annoying but can also put personal information at risk. Check your privacy settings to know who can see your posts, and be cautious when sharing your location, hometown, date of birth, or other personal information.

c. Be cautious with free Wi-Fi

Most public Wi-Fi networks are not well-secured, which means others using the same network can easily access your activities.

d. Beware of links and attachments

Cybercriminals operate stealthily and often design their deceptive messages to look like legitimate communications from banks, utility companies or other businesses. Pay attention to errors such as spelling mistakes, unusual numbers or characters, wrong brand names, or email addresses that differ from the usual senders; these can be indicators of a trap.
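Two of the warning signs just listed (a sender address that does not match the brand it claims to be, and unusual characters in the sender's domain) can be turned into a mechanical check. The following is an added example, not code from the original article: the brand allowlist, the `KNOWN_SENDERS` domains and the sample `From:` headers are all constructed for illustration.

```python
"""Added example, not from the original article: turning two of the warning
signs listed above (a sender address that does not match the brand it
claims to be, and unusual characters in the sender's domain) into a check
that a mail gateway or a careful reader could apply. The brand allowlist
and the sample From: headers are constructed for illustration."""
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed allowlist: domains each brand is known to send from.
KNOWN_SENDERS: Dict[str, set] = {
    "examplebank": {"examplebank.example", "mail.examplebank.example"},
    "powerco": {"powerco.example"},
}

# Constructed sample headers: two legitimate, two imitations, one unrelated.
SAMPLE_HEADERS: List[str] = [
    "ExampleBank Alerts <alerts@examplebank.example>",
    "ExampleBank Security <security@examp1ebank-login.example>",
    "PowerCo Billing <billing@powerco.example>",
    "PowerCo Billing <billing@p\u043ewerco.example>",  # Cyrillic 'o' in the domain
    "Bob <bob@mail.example>",
]


def sender_domain(from_header: str) -> str:
    """Domain part of the real address, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def claimed_brand(from_header: str) -> Optional[str]:
    """Which known brand, if any, the display name claims to be."""
    name, _ = parseaddr(from_header)
    lowered = name.lower()
    for brand in KNOWN_SENDERS:
        if brand in lowered:
            return brand
    return None


def domain_has_odd_characters(domain: str) -> bool:
    """Coarse heuristic for 'unusual numbers or characters': any non-ASCII
    character (a possible look-alike letter) or a digit mixed into a label
    that otherwise consists of letters, as in 'examp1ebank'."""
    if any(ord(ch) > 127 for ch in domain):
        return True
    for label in domain.split("."):
        if any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label):
            return True
    return False


def assess_sender(from_header: str) -> dict:
    """Collect findings for one From: header; suspicious if any finding."""
    domain = sender_domain(from_header)
    brand = claimed_brand(from_header)
    findings = []
    if brand is not None and domain not in KNOWN_SENDERS[brand]:
        findings.append(f"display name claims {brand} but address is @{domain}")
    if domain_has_odd_characters(domain):
        findings.append(f"unusual characters in sender domain {domain}")
    return {"from": from_header, "brand": brand, "domain": domain,
            "findings": findings, "suspicious": bool(findings)}


def assess_all(headers: List[str] = SAMPLE_HEADERS) -> List[dict]:
    """Assess a batch of headers; used by the demo below."""
    return [assess_sender(h) for h in headers]


if __name__ == "__main__":
    for result in assess_all():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['from']}")
        for finding in result["findings"]:
            print(f"           - {finding}")
```

The digit heuristic is deliberately coarse (a legitimate host such as `mail2` would also be flagged), so in practice it is a scoring input rather than a block decision; the brand-versus-domain mismatch is the stronger signal, and it only works as well as the allowlist you maintain for each brand.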

e. Check if a website is secure

Before entering personal information on a website, check your browser's address bar. A padlock icon and a URL beginning with "https" mean the connection to the website is encrypted. There are other ways to judge whether a website is trustworthy, such as checking its privacy policy, contact information, or "verified security" seal.

f. Consider additional protection

Installing antivirus software, anti-spyware software and a firewall is not foolproof, but these are essential self-defense against low-level threats in the "flat world" era.


Above are some frequently asked questions for those new to Information Security/Cybersecurity. If you have a question not listed above, please contact us using the information here.

15 critical security flaws in the well-known US healthcare website were found by VSEC.

Case study VSEC - BLOG

VSEC's Pentest service was applied to a well-known American healthcare website, resulting in the discovery of 4 critical vulnerabilities, 3 serious breaches and 8 possible flaws. VSEC experts addressed all of these issues within the following two weeks, allowing the business to move forward without worry. Last June, VSEC was contacted from the city of Washington, USA: a company asked us to investigate the safety of their website (their primary point of contact with customers) to ensure the complete safety of all data and to assess any potential threats. After evaluating the website, VSEC promptly began work on the client's system.

About customers

Our client is a professional in the medical industry who delivers cutting-edge, practical and patient-centered healthcare solutions. The customer has shown, from a new angle, that the health care industry must consider not just external health issues and hazardous substances, but also internal elements and potential. This has left a lasting impression on many people and has contributed to the rapid expansion of our client's business. The customer's annual sales have surpassed $17 million, and they have earned numerous honors for their success, including being named one of Inc. magazine's Top 500 Outstanding Development Enterprises in 2016 and one of Seattle Business Magazine's Top 100 Best Businesses to Work for in 2014–2016.

Challenge

After ten years in business, the client has amassed a vast quantity of data on its servers. When a company relies heavily on technological resources, that data is its most valuable asset. The publicly available website serves as the main entry point to the data warehouse, so the security measures the customer takes to protect the website determine whether their data remains secure. To come up with each plan, program and suitable form of health care, the client needs to research the organization, the needs and goals of many people, and the specific area of health care they need help with. While this is great for customers, it also means that cybercriminals have more opportunities to steal sensitive information. To prevent misuse of the customer's resources and exposure of sensitive information, the website's security had to be verified. The customer is a small to medium-sized business, so it has few available employees and no IT security experts. The client saw the value of VSEC's Pentest penetration testing service and contacted the company after searching for it online. Many strict regulations, such as BASEL and PCI DSS (Payment Card Industry Data Security Standard), have been enacted by the host country's state bank to protect information security. Each member of the technical team carries numerous tasks, so information security evaluation and testing is typically beyond their capacity given the sheer diversity and volume of work involved. Banks need to ensure they comply with the ever-changing set of regulations that govern their industry.

Solution

VSEC tested access to the primary website account login page, the user management center login page and the support partner website login page. To evaluate the security of the customer's system from the outside without any prior knowledge of it, VSEC used the Black Box method of Pentest through these three portals. Specifically, VSEC professionals took on the role of attackers, mimicking real attack methods in an effort to locate vulnerabilities in the websites. After two weeks of testing, the specialists had identified fifteen separate flaws. Once the service was complete, VSEC delivered a report to the client, together with suggested corrective and preventive measures, and handed off implementation.

Benefits of the service

Pentest is known to have many benefits. One is rapid rollout with little information required from the customer. It also helps reduce the overall cost of security and the time needed to patch vulnerabilities in data systems. These factors motivated the customer to learn more about VSEC and its services. After experiencing the benefits firsthand, the customer was delighted, praising Pentest for cutting investment costs in the system, protecting against most vulnerabilities, lessening the severity of any damage that does occur, and creating a more streamlined workflow.

Conducting a penetration test on the system of a TOP 1000 world bank

Case study VSEC - BLOG

Our client operates in the banking sector. In line with the trend, they are actively developing online software utilities to provide more convenient services for current clients and to expand their client network. Such utilities often come with security risks. VSEC's VCHECK penetration testing service demonstrated a significant risk in an online banking application: a valid user could proactively access the full bank account information of other clients.

About clients

Our client is a joint-stock commercial bank in the Top 1000 largest banks in the world, with total assets of nearly USD 6 billion and more than one million regularly active accounts. After nearly 25 years of operation, this bank has frequently received awards from prestigious international organizations such as EuroMoney, Asian Banker and The Banker.

Challenge

To enhance transaction convenience, the bank has developed a Mobile Banking application for mobile phones. Through this software, clients can make queries and conduct basic transactions similar to those at a teller counter. At the time of assessment, over 1.06 million bank accounts had been activated and were in regular use. This service development has posed challenges for information security assurance. Bank account numbers are considered non-confidential information: when conducting online transactions, many users provide them on websites for transferring money to buy and sell goods and services. However, certain account-related financial details must always be protected at the highest level: account balance, transaction information, etc. Securing this information is the responsibility of the bank that provides the technological infrastructure. In the home country, the state bank has also issued many strict regulations that bind banks to comply with and ensure information security, such as BASEL, PCI DSS and so on. Handling multiple tasks with a heavy workload, technical personnel often lack the resources, time and skills to carry out information security assessments and testing. As regulations become increasingly specific, banks are required to ensure proper compliance and consistently maintain control checks.

Solution

One of the bank's biggest concerns was whether the Mobile Banking application provided to clients is safe, and how well user data is protected. The bank therefore needed an information security penetration testing service to obtain objective, multidimensional information. VCHECK is VSEC's overall information security service, which includes penetration testing. The service imitates, as realistically as possible, the way external attackers take advantage of vulnerabilities to illegally collect the client's data.

To begin the penetration test, the Bank provides VSEC with the name of the Mobile Banking application on Google Play (Android version) or the Apple App Store (iOS version). VSEC technicians act as attackers and imitate real-life techniques to identify software vulnerabilities. Skilled engineers, using various specialized tools, learn how the Mobile Banking application works and how the server interacts with it, detect weaknesses, reproduce the security errors and finally report.

After 10 days, a VSEC engineer registered a bank account as a customer of the bank. The key technique of routing the application's traffic through a proxy allowed the engineer to fully understand how the application works and how it interacts with the Bank's server. Among the application's many components, the VSEC engineer noticed a serious issue: it allowed him to view the details of any other account. This security error occurred because the programmers had not closely followed user account management and secure programming standards. VSEC transferred the entire implementation process to the Client and recommended remedying the flaw by modifying the application so that the server verifies whether each submitted query is valid and whether the information requested belongs to the client currently logged in.
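The flaw and the fix described above, as an added example that is not part of the original case study or the bank's code: a simplified account-lookup handler that trusts the client-supplied account number, beside a hardened version that checks ownership against the server-side session and writes an audit line for every denial. The customers, account numbers, `Session` model and function names are all assumptions constructed for illustration.

```python
"""Added example (not VSEC's or the bank's code): the cross-account lookup
flaw described above, as a vulnerable handler beside its hardened form.
Customers, account numbers and the session model are all constructed for
illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: two customers, each owning one account.
ACCOUNTS = {
    "1001": {"owner": "cust-a", "balance": 2500.00, "last_tx": "card payment"},
    "1002": {"owner": "cust-b", "balance": 98000.00, "last_tx": "wire transfer"},
}


@dataclass(frozen=True)
class Session:
    """Identity the server established at login; the client cannot edit it."""
    customer_id: str


def get_account_vulnerable(session: Session, account_no: str) -> Optional[dict]:
    """Flawed handler: it trusts the client-supplied account number and never
    checks that the account belongs to the logged-in customer, so any valid
    user can read any other customer's balance (the case study's finding)."""
    return ACCOUNTS.get(account_no)


def get_account_hardened(session: Session, account_no: str) -> Optional[dict]:
    """Hardened handler: the ownership decision is made server-side from the
    session identity, not from anything in the request. 'Unknown account'
    and 'someone else's account' get the same answer (None) so the endpoint
    cannot be used to discover which account numbers exist."""
    account = ACCOUNTS.get(account_no)
    if account is None or account["owner"] != session.customer_id:
        return None
    return account


def audit_line(session: Session, account_no: str, allowed: bool) -> str:
    """One log line per lookup. Repeated DENY lines from a single session are
    the detection signal for someone probing other customers' accounts."""
    return (f"account_lookup customer={session.customer_id} "
            f"account={account_no} result={'ALLOW' if allowed else 'DENY'}")


def lookup(session: Session, account_no: str) -> Tuple[Optional[dict], str]:
    """Hardened lookup plus its audit line, as the corrected endpoint would do."""
    account = get_account_hardened(session, account_no)
    return account, audit_line(session, account_no, account is not None)


if __name__ == "__main__":
    alice = Session("cust-a")
    # Vulnerable: cust-a reads cust-b's balance just by changing the number.
    print(get_account_vulnerable(alice, "1002"))
    # Hardened: the same request is refused and leaves an audit trail.
    print(lookup(alice, "1002"))
    print(lookup(alice, "1001"))
```

The point of the hardened handler is that the authorization input (who is asking) comes from the session the server created at login, while the request only says which account is wanted; the two are joined on the server, never trusted from the client. The audit line is what a SOC would alert on: many DENY results from one session in a short window.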

Benefits of VCHECK security testing service

Deployment is quick and Clients do not need to provide much information.

Penetration testing project for government agencies

Case study VSEC - BLOG

This time, our customer is the state management agency in charge of information security, responsible for establishing regulations and policies of information security. This is also the unit in charge of assisting government agencies and businesses with information security. 

Although it is a State agency, its team of information security specialists is relatively small, so it is challenging to meet the demands of completing multiple tasks at once.

Furthermore, the unit lacked objective evaluation from external partners to rule out omissions due to subjective factors among internal employees.

Drawing on our experience, we provided evaluation and penetration testing services for the unit's systems and applications. From there, we could determine the best suggestions and solutions for the unit. VSEC collaborated with the unit to deploy solutions that reduce information security risk, such as Pentest testing of the entire system, applications, etc.

Following our working procedure, we quickly identified a large number of risks and vulnerabilities in the unit's systems and applications. Addressing them reduces the risk of the unit's systems and applications being attacked and exploited, and thereby contributes to protecting the image of the State management agency for information security and social security.

Monitoring information security for the state’s provincial unit information management agency

Case study VSEC - BLOG

The client is an agency in charge of managing the website system representing the voice of the state, informing and orienting information across the entire province. They own a system of more than 150 websites that operate continuously 24/7.

The number of websites requiring monitoring is substantial, the business operations are diverse, the connectivity system is extensive, and there is a high volume of access traffic. The displayed information must ensure absolute accuracy and integrity.

VSEC provides 24/7 security monitoring for the critical website systems, installs 24/7 downtime monitoring for the entire website estate, periodically reviews vulnerabilities, offers recommendations and collaborates on remediation, coordinating with on-site personnel to address identified vulnerabilities.

The client enhances its capability to manage and monitor information security for critical website systems. This reduces personnel costs and investment in the IT security team while the whole system is still monitored 24/7. It also decreases incident response time.

Information security monitoring for a pioneering corporation in green cities

Case study VSEC - BLOG

The customer is an FDI enterprise, a branch of a multinational corporation in the field of motorcycle and automobile assembly and manufacturing, with a market share among the top motorcycle and automobile businesses in the Vietnam market.

The customer is subject to the parent group's general regulations on information security. It had been using monitoring services for external threats (data leaks, web phishing, etc.) and reputation monitoring from international providers at great cost. Building a team in charge of local information security created a need for strong support from partners.

VSEC provides monitoring services for external threats (data leaks, web phishing, etc.) and reputation monitoring, coordinating and discussing with the customer to continuously optimize the monitoring process.

VSEC SOC detects and promptly informs the customer about fake websites and about leaked customer data published and sold on the dark web and underground forums. The service is provided at reasonable cost and with quality at the level of international suppliers, supporting the local team in ensuring information security for the business.

Webinar: Hack hackers with “multi-dimensional” defense tactics

Event VSEC - BLOG

On July 11, 2023, the webinar "Hack hackers with "multi-dimensional" defense tactics", organized by The Vietnamese Security Network (VSEC) in collaboration with the Vietnam Internet Association (VIA), took place successfully and left a good impression on the IT community and on small and medium enterprises in Vietnam. With useful sharing from experienced speakers in the industry, the webinar attracted more than 150 attendees.

Security is no longer a story only for large businesses: any business of any scale, as long as it generates or owns large sources of data or liquidity, is a target for cybercriminals seeking profit.

Monitoring information security in the enterprise
SOC is one of the security trends of the past 5 years. Large enterprises have equipped themselves, but only a few small and medium enterprises pay attention to this issue. In his presentation, Mr. Vu The Hai – Head of VSEC Information Security Monitoring and Operation Center – affirmed: "Information security solutions cannot prevent 100% of incidents. No solution provider commits that their solution can prevent all attack incidents." Therefore, when system solutions, technologies and machines cannot solve the problem, we need a plan to detect and handle such attacks and incidents by human means: people. At VSEC, the SOC always ensures compliance with the British CREST standard and other standards such as Azure.

Time to start SOC
Enterprises need to build a SOC as soon as possible, ideally immediately after basic security solutions are in place. At that stage the number of personnel, the amount of information and the processes need only be simple and moderate, suited to the working environment.
A centralized SIEM system to collect and analyze logs is not strictly necessary at the start; you can use the portals of those solutions directly.

What do I need to prepare to work at SOC?
The webinar was not only for small and medium enterprises but also attracted many students interested in working in a SOC. To work at an Information Security Monitoring Center, students need to master the basics: programming skills, system skills, application management and usage skills. Then they should strengthen more specialized SOC skills such as malware, web, common attacks, and writing rules to detect malicious code.

Realistically react to Hackers using the Red Team method
The concept of Red Team (deep penetration assessment) is very familiar in the international market. However, in Vietnam today this concept is still not widely or deeply understood, so businesses remain hesitant to use Red Team.

Drawing on his experience in Red Team assessments for many domestic and foreign organizations, including financial and banking units, Mr. Be Khanh Duy – Head of VSEC's Southern Regional Expert Service team – said that with the current development of network security, Red Team has become a trend in Vietnam, bringing many benefits to organizations and businesses. Before deploying a Red Team, businesses need to plan and prepare thoroughly to ensure the process is efficient and brings the desired results. Here are some key steps businesses should take before implementing a Red Team:

Identify goals: clearly outline the Red Team's goals and objectives. Identify specifically which part of your organization's security infrastructure, processes or people you want to evaluate and improve. It is also necessary to set the Red Team's attack target, for example the Internet Banking system or customer information.
Scope and rules of engagement: clearly define the Red Team's scope, including which systems, networks and applications are in scope and which are out of scope or limited, e.g. the core banking system, no phishing of leadership. Establish rules of engagement to ensure the Red Team operates within legal and ethical boundaries.
Get stakeholder consent: ensure approval and support from key stakeholders, including upper management, the IT team, the legal department and any other stakeholders. They should be aware of the goals, benefits and potential risks associated with Red Team exercises.

“Currently the cyber environment is no longer safe. For organizations that always put information technology security first, it is even more important to protect their company’s data assets. Therefore, using Red Team can increase the responsiveness of the organization and improve the defensive knowledge of your Blue Team.” Mr. Be Khanh Duy affirmed.

Digital social management and implementing instruction for Decree 53

Cyber world trending VSEC - BLOG

Digital Society Management and Decree 53, which guide the implementation of a number of Cybersecurity Law articles

Decree 53/2022/ND-CP, guiding the implementation of a number of articles of the Law on Cybersecurity, takes effect on October 1. With the development of technology, especially the connection technology infrastructure of a globalized world, these regulations are necessary; VSEC experts share their view below from the perspective of a provider of network security services.

Interview with Mr. Truong Duc Luong – Chairman of VSEC

Question: We have recently received contact from a number of foreign newspapers and members of the community who are keenly interested in Article 26 regarding regulations for foreign enterprises providing cross-border services. As a network security expert, could you provide your perspective on this matter?

Mr. Truong Duc Luong: Within the framework of the law, I think it is necessary to have regulations like this. The development of technology, especially technology infrastructure, has made connecting easier than ever. Technological applications have also created a society parallel to the real society in which we live every day. We can call it a digital society. Digital society shares many features with real society and also has many unique features. The most basic features are borderlessness and identity. Digital society, besides its positives, also comes with many negatives, like real society, and the development of the digital society needs to be accompanied by management measures to help the population be less affected by negative impacts such as intimidation, fraud, fake information, etc.


Many technological tools, like the Internet and social media platforms, originate from the West and bring with them Western philosophies and cultures. The digital society can therefore be said to have been built mostly from the West. In the course of its development, conflict between the real society and the digital society is understandable, since the digital society's borderless nature differs from the nature of the real society. These contrasts are evident in areas like perceptions of freedom, business practices, and views on tax.

Mr. Truong Duc Luong – Chairman of VSEC. 

This brings us to the content of Article 26 of the Decree, which defines the types of enterprises that will be governed by the law. These are companies in the fields of communication (social networks), finance (payment gateways), and commerce (e-commerce marketplaces). In managing the real society and the digital society, in my opinion, the real society must be prioritized, because incidents in the digital society can cause significant damage in the real society. Numerous examples in the media have demonstrated this. A digital society can emerge from anywhere in the world because of its borderless nature. Therefore, managing the digital society will be difficult to do effectively without a real link between the regulator and the entity that creates the digital society.

Currently, Article 26 provides for measures including storing identity data in Vietnam and setting up offices or branches in Vietnam. In the future there may be other measures, but for now I think these two tools are enough to start with, for the following reasons. Firstly, electronic transactions and the inherent nature of identity technology are often weak, so detailed requirements for the information to be stored will make it feasible to enforce management when issues occur. Secondly, the law was introduced in 2018, and now, four years later, businesses in Vietnam have grown enough to meet the technical requirements of modern storage. Thirdly, legitimacy is important in management. In addition, when there are people with the authority to work and be present in Vietnam, coordination, information management and the handling of issues become more efficient. Therefore, having offices or branches of “virtual society” companies in Vietnam has great benefits for regulators.

A new law often takes time to put into practice and adjust accordingly. I hope the law will be a good tool for making the virtual society healthier and more positive, bringing good value to the real society.

Thank you, Mr. Truong Duc Luong.

 

Learn more about Decree 53/2022/ND-CP here

Source: VSEC

Online scam tactics to be cautious about

Cyber world trending VSEC - BLOG

In the final months of the year, consumers in Vietnam and around the world tend to shop more, as the commodity market shows signs of stabilizing and Christmas and the Lunar New Year approach. This golden time for shopping is also the period in which hackers and scammers step up their online fraud.

According to the Ministry of Industry and Trade, total retail sales of consumer goods and services in the third quarter of 2022 were estimated at VND 1,450.4 trillion, up 3.8% from the previous quarter and 41.7% from the same period of the previous year. For the first nine months of 2022, total retail sales of consumer goods and services were estimated to have increased by 21% over the same period last year, with the first quarter up 5%, the second quarter up 20.1%, and the third quarter up 41.7%.

Crime increases in the final months of the year

E-commerce and shopping applications are considered an essential factor in promoting year-end consumption, particularly as consumers have come to prefer online shopping after the disruptions of the Covid-19 epidemic. This is also the time of year when consumers and sellers are most at risk of attack if they are not vigilant while shopping online. Here are a few types of attack that consumers should pay special attention to.

  1. Impersonating employees of companies/brands giving gifts

Scammers obtain shoppers’ contact information and then impersonate post office workers or customer service agents of well-known companies, announcing warranty upgrades, promotions or gifts. A gullible consumer supplies personal information, or pays a “fee” or “tax”, in order to receive the freebie.

In addition, many scammers impersonate bank employees and money-lending companies in order to obtain personal information from users, such as ID numbers, certificates of land use rights, etc.

  2. Stealing personal information on social networking sites

Many scammers commit fraud by stealing personal information from social networking sites and chat applications and then using it to ask the victim’s acquaintances for loans, preying on their trust. Experts recommend that consumers “slow down” to verify the information they receive and contact the acquaintance through an alternative communication channel before sending any money.

  3. Creating fake social media accounts

Because social networks and chat applications make it simple to open an account, many con artists create fake social media accounts. Their targets are online merchants on e-commerce platforms. When placing an order, the scammer asks the seller for a bank account number registered for internet banking, the account holder’s name, a phone number, etc., in order to gather the information needed to take over the seller’s bank account.

Under the pretext of paying, the scammer then sends a message claiming that the money has been transferred and asks the seller to open a link and enter their full login details and OTP code in order to “receive” it.

  4. Impersonating a bank employee, police officer, procuracy official, etc.

The scammer pretends to be a bank employee or a police officer and informs you that your bank account has a problem, an error, or is involved in a case. A worried recipient may be pressured into supplying a PIN, card details or a phone number, or into opening a link and entering their login and account information.

  5. Creating fake sales and investment pages

A more sophisticated fraud is the fake sales website. Scammers clone the websites or names of reputable sellers, run cheap “sales” pages that induce customers to log in to their shopping accounts so that credit card details can be stolen, or set up websites for financial or cryptocurrency investments promising extremely high interest rates. After customers have invested for a period of time, the scammers take the fake website down and disappear with the customers’ funds.

Experts advise consumers to be wary of any request for personal information or bank account details, however plausible the sender appears. Users should also enable multi-factor authentication on their accounts, and remember that an OTP is only ever entered in the bank’s or platform’s own app or website: it is never sent to another person or typed into a link received in a message, because that is exactly how the scams above turn a single code into a drained account.
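As an added example, not code from the VSEC post, the following Python script shows one mechanical check behind that advice: pull the links out of a chat or SMS message and flag host names that imitate a trusted brand, as the fake gift, payment and sales pages above do. It catches a brand name used as a subdomain or bolted onto another domain, digit-for-letter homoglyphs, and typosquats within two edits of a real domain. The trusted-domain list, the tiny public-suffix list and the sample messages are all constructed for illustration and are not real data.

```python
"""Flag links whose host name imitates a trusted brand (added example).

Everything below is constructed for illustration: the brand allow-list,
the public-suffix approximation and the sample messages are assumptions,
not data from VSEC or from any real scam campaign.
"""
import re
from urllib.parse import urlparse

# Assumed allow-list of legitimate registrable domains. A real deployment
# would load the brands' published domains instead of hard-coding them.
TRUSTED_DOMAINS = {"shopee.vn", "lazada.vn", "tiki.vn", "vietcombank.com.vn"}

# Minimal stand-in for the Public Suffix List; enough for the sample data.
TWO_LEVEL_SUFFIXES = {"com.vn", "net.vn", "org.vn", "co.uk", "com.au"}

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

# Digits scammers swap for visually similar letters (sh0pee, v1etcombank).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """login.shopee.vn -> shopee.vn; pay.vietcombank.com.vn -> vietcombank.com.vn."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between two domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a link's host name."""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    # Undo homoglyphs before comparing; "rn" -> "m" handles vietcornbank.
    host_norm = host.lower().translate(HOMOGLYPHS).replace("rn", "m")
    reg_norm = reg.translate(HOMOGLYPHS).replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand used as a subdomain (shopee.vn.secure-gift.xyz) or embedded
        # in another registrable domain (shopee-voucher.com).
        if brand in host_norm:
            return "lookalike"
        # Typosquat: the registrable domain is within two edits of a real one.
        if levenshtein(reg_norm, trusted) <= 2:
            return "lookalike"
    return "unknown"


def scan_message(text: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every http(s) link found in a message."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host)))
    return results


# Constructed sample messages in the style of the scams described above.
SAMPLE_MESSAGES = [
    "Your Shopee order has shipped: https://shopee.vn/order/12345",
    "You won a gift! Confirm at https://shopee.vn.secure-gift.xyz/claim and enter your OTP",
    "Account locked, verify now: http://vietcornbank.com.vn/login",
    "New voucher for you: https://sh0pee-voucher.com/free",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, verdict in scan_message(msg):
            print(f"{verdict:9s} {url}")
```

The brand-substring rule is deliberately aggressive, so short or generic brand names would produce false positives against unrelated domains; in practice the registrable-domain split should come from the real Public Suffix List (for example the `tldextract` package) rather than the five-entry stand-in here, and a "lookalike" verdict is a reason to open the bank's own app instead of the link, not proof of fraud on its own.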

Source: compiled from various sources

65% of business leaders will increase security budgets for 2023

Cyber world trending VSEC - BLOG

In most cases, the true cost of a data breach exceeds the company’s direct financial losses.

Most businesses are worried about cybercrime (65%), mobile fraud (41%), email (40%), cloud data leakage (38%) and other similar threats. (Illustration).

PwC’s latest Global Digital Trust Insights survey (2022) polled over 3,500 business and technology executives from 65 countries. According to the survey, 27% of businesses around the world lost between $1 million and $20 million or more to data breaches in the last three years.

Despite having sustained millions of dollars in losses from cyberattacks, fewer than 40% of the executives surveyed reported having fully mitigated cybersecurity risk in several areas, including remote and hybrid work (38%), accelerated cloud adoption (35%), increased use of the Internet of Things (IoT) (34%), increased digitization of the supply chain (32%), and back-office operations (31%).

Moreover, senior executives voiced concern that their companies lack the resources to counter the growing threats effectively. Cybercrime (65%), mobile fraud (41%), email (40%), cloud data leaks (38%), business email compromise and account hijacking (33%), and ransomware (32%) top the list of cyber risks expected in 2023. Supply chain security is becoming a major concern for operations executives.

Although transparency about cyber incidents is desired, only 56% of CEOs believe their company can provide information about a critical incident within a set time frame, and 70% of CEOs worry that greater openness and transparency could cost them their competitive edge.

INCREASE NETWORK SECURITY BUDGET

Sixty-nine percent (69%) of the business leaders polled said their companies are allocating more money to security this year, and 65% said they intend to invest more in 2023.

“Companies should establish a clear and consistent reporting system; have a contingency plan to respond quickly and ensure the system’s continuity; and prioritize building a network security risk management strategy,” said Mrs. Nguyen Phi Lan, Deputy General Director of PwC Vietnam.

The majority of CEOs (52%) said they will take greater action on cybersecurity in the coming years and will push for substantial initiatives to strengthen it.

Some CFOs are also planning to prioritize cybersecurity, which includes investing in technological solutions (39%), prioritizing strategy and coordinating it with engineering/operation (37%), and working to enhance their cybersecurity expertise and hire qualified staff (36%).

According to the marketing leaders surveyed, the true cost of a data leak far exceeds the hard numbers. Loss of customers (27%), loss of customer data (25%), and damage to reputation and brand (23%) are just some of the ways in which businesses have been harmed by data leaks or personal data incidents over the previous three years.

The Deputy General Director and Head of Risk Management at PwC Vietnam, Mrs. Nguyen Phi Lan, advises businesses to develop a strategy for managing network security risks, prepare for potential disruptions to the system and implement clear and consistent reporting procedures.

Source: Vneconomy

MSI becomes the victim of a ransomware attack, following Acer

Cyber world trending VSEC - BLOG

Taiwanese PC company MSI (short for Micro-Star International) has officially confirmed that its systems were hit by a cyber attack.

After detecting “network anomalies”, the company says it “immediately” initiated incident response measures and notified law enforcement. However, MSI did not disclose when the attack occurred or whether proprietary information, such as source code, was leaked.

“Currently, the affected systems are progressively returning to normal operation, with no significant impact on financial operations,” according to a brief statement from the company.

According to a regulatory filing with the Taiwan Stock Exchange, enhanced controls over the network and infrastructure have been implemented to ensure data security. MSI urges users to obtain firmware/BIOS updates only from its official website and not from any other source; after an intrusion of this kind, an attacker with access to the vendor’s files is exactly the party who could circulate a tampered update under the vendor’s name.

Money Message, a new ransomware group, has added the company to its list of victims. Zscaler first reported the group late last month.

In an analysis published by Cyble, the researchers noted: “This group uses a double extortion technique against its victims, exfiltrating the victim’s data before encrypting it. Unless the ransom is paid, they upload the data to their leak site.”

The development comes one month after Acer disclosed a breach in which 160GB of confidential data was stolen. That data was advertised for sale on March 6, 2023 on BreachForums, which has since been shut down.

Source: The Hacker News