QPC Security - Breakfast Bytes
Fraud/Scams
Sunday Apr 07, 2024
Join us in this insightful episode of Breakfast Bytes with Felicia King, along with our guest Kyle Wentworth of the Wentworth Group. We delve into a balanced exploration of business needs vs IT security needs, demonstrating the magnitude of this issue with a case study of a massive spam operation hijacking over 8000 trusted brand domains.
https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html
In this detailed conversation, our experts elucidate steps towards prevention and emphasize the significance of effective domain ownership and control. Kyle highlights the central role of Technology Management departments in mitigating IT risks and stresses the importance of a comprehensive understanding of orderly processes for DNS management, timely publishing of DNS records, and the related cost implications.
This episode underscores the need for operational maturity in businesses, and how maintaining domain infrastructures and adhering to robust protocols can protect your business from digital threats. Listen to gain invaluable insights into how businesses of all sizes can level up their understanding of the intersections of business and IT security systems.
The episode also draws attention to the potential vulnerabilities of newly registered domain names and the common pitfalls relating to outsourcing these functions. We underscore the necessity to take caution or face serious losses and discuss the ramifications of transferring control of key business aspects to external vendors.
With a candid look at the dangers of ill-considered network security and the hazards of transferring all risks to an external IT service provider, we make a strong case for integral security measures. Listen in to gain an understanding of the importance of viewing technology as a business partner rather than an expense and to learn how focusing on strengthening your network security can pave the way for business success.
Monday Mar 25, 2024
In today's episode of Breakfast Bytes, we are delighted to have Joe Brunsman from Brunsman Advisory Group as our special guest. Known for his extensive knowledge on the intersecting worlds of insurance and cybersecurity, Joe offers beneficial insights on the evolving sphere of insurance exclusions and how businesses can navigate these changes amidst the increasing threats of cyber warfare. Tune in as we explore the importance of adopting risk mitigation strategies with tangible security investment returns rather than relying solely on insurance coverage.
Join our profound discussion on the role of senior management in establishing a secure digital environment, starting from understanding IT risks and challenges, creating actionable plans, and sticking to a consistent policy. We also delve deeper into topics like legacy technical debt, the role of a Chief Information Security Officer (CISO), gaps in current insurance policies, and breaches of customer contracts owing to the lack of managerial insight in the IT sector.
In this knowledge-packed episode of Breakfast Bytes, we help you understand the intricate relationship between insurance and cybersecurity, and how enhancing comprehension in these two areas can secure your business in this fast-paced digital age. Listen as we unwrap various complexities surrounding cyber insurance and the emergence of warranties as an alternative, exploring their potential pitfalls and inconsistencies.
From diving deep into the history of insurance to shedding light on the impending exclusions in the upcoming insurance policies, we've got it all covered. Moreover, we highlight the need for skepticism and caution while dealing with Cyber Insurance, emphasizing comprehension over rushing headlong into the risky space of cyber warranties. Also, discover the correlation between proactive security measures and reduced insurance coverage needs, and understand why more insurance doesn't guarantee better safety.
Lastly, our guest Joe Brunsman sheds light on the seldom-discussed intersection of cyber insurance and data security. Learn how states regulate insurance companies that hold sensitive data, and how shockingly minimal the regulations surrounding warranty companies are. Get enlightened about the real-world realities of cybersecurity and how, despite utilizing SaaS platforms, corporations are not as secure as they think.
This episode guarantees both enlightenment and critical thinking around cyber insurance and data security. Tune in to gain a wealth of knowledge on this important but often unexplored domain!
Wednesday Jan 11, 2023
Kathy Durfee – CEO & Founder of Tech House joined Felicia to discuss dark web breach monitoring
Scenario: FUD report from a competitor
Perceived: Multiple users in their environment were breached. The perceived proof was a report listing the users and their passwords, plus additional columns of data that the customer could not identify.
Good: Customer told their current IT service provider about the report.
FUD – Fear, Uncertainty, and Doubt – is, in the wrong hands, a powerful tool to drive snap decisions within a company. However, it is not a viable or valid sales tactic: for all it could potentially do well, causing unnecessary stress and suffering is what it does best. Speaking with Kathy Durfee, CEO and Founder of TechHouse, a managed services and solutions provider based in Florida, we walk through a recent case of FUD with a customer of hers that received a worrisome report from a potential competitor. During our chat, we covered:
The key aspects of FUD (and how it does not work)
What the Dark Web is, and the logistics of monitoring and combating it
Leadership training and best practices for helping a team best meet their security and regulation requirements
Identifying the key differences between commodified and relational partnerships, especially in the technological sphere
Shared responsibility between MSPs, their customers, and those customers’ clients
Where does dark web monitoring and dark web data risk reside on the continuum of risk? How best to mitigate?
What really is the risk and the mitigation?
Put the efforts into prevention.
Put the individual in the driver’s seat of managing the risk that is best managed by them by putting the right tools in their hands.
Resources
https://haveibeenpwned.com/
Perception of the proper allocation of the budget
Businesses must make time for training.
The ITSP must spell out in its service catalog what services the client is actually getting.
What do we need to do? Cross reference on tools that accomplish outcomes and cover risk mitigation and ensure that the client understands what those are.
Training is how you squeeze the juice out of the orange. Without it you may not get all the juice out of the orange or get any juice out of it at all.
Common business objections to allocating time for training
Payroll costs, but avoiding training is not legally defensible anymore.
Policies
The IT Service provider CANNOT alone write policies for you, and they CANNOT approve and enforce your organizational policies.
Four pillars
Policies
Technical controls implemented
Automation of technical controls
Reported to the business – it's YOUR report, your organization. Shared responsibility – some months the CFO reviews it, some months the CEO does. Set a schedule and stick to it: three weeks of repetition forms any habit, and a trainer or partner helps keep you accountable.
Do you look at your P&L and balance sheet every month? You should be understanding the reports from IT.
An interesting lawyer opinion on the topic:
https://abovethelaw.com/2023/01/dark-web-monitoring-for-law-firms-is-it-worthwhile/
Thursday Sep 29, 2022
Ken Dwight is "The Virus Doctor" – a business consultant and advisor to IT service providers and to the internal IT staff at many businesses who have come to him for his training; he also has his own direct clients. Ken conducts a monthly community meeting for alumni. He provides a list of curated items of current interest for discussion and resources, and has a featured topic which often includes another speaker to provide breadth of perspective. He has been doing this community service for 83 months!
I asked Ken to cover with me some topics that from his perspective don’t get talked about enough.
Business Email Compromise
Also known as CEO fraud: impersonating a CEO for the purpose of wire fraud. We tend to focus on technological solutions, but there is no technological solution that eliminates BEC.
CEOs must be part of the solution.
Example: Subcontractor to Airbus. Used to dealing with multi-million-dollar wire transfers.
BEC is a large Fortune 500 issue, but it scales all the way down to one-user environments.
Title companies are a big target.
Retention policies and standards for WHERE to store each kind of data, so that email does not become a file server and thereby increase the amount of data exposed when a mailbox is compromised as part of BEC.
This is a perfect example of the starting point for an incident response plan or a tabletop exercise. Orgs must define the cost of compromise. That plan needs to be in place long before an incident; it makes recovery so much more straightforward.
Attackers analyze their victims in tiers. A typical potential victim is an organization with $10 - $50mm in revenue: large enough to suffer reputational damage, but not big enough to have an adequate cybersecurity budget.
ShadowIT is a problem, which is why you must address it with a CFO-enforced procurement policy.
Proactive management of M365 tenant security configuration is critical.
The security of your tenant is not included in the fee for Business Premium or the overall licensing.
Consider how much activity there is: changes, products, services, vendors. Define the ideal stack, its layers, and the point solutions within it, and revisit that design on a fixed period, such as once a year.
This is a nice resource for M365 security and BEC.
https://www.blumira.com/office-365-security-issues
Direct advice from Ken
One topic I believe falls directly into this category is the issue of Business Email Compromise, as opposed to actual malware / hacking / ransomware attacks. As you know, the losses to BEC still represent a greater dollar value than ransomware, according to the FBI statistics. But BEC isn't even a technology problem; it's pure social engineering – and no additional layers of hardware or software "solutions" will prevent it or reduce the cost to its victims. In my opinion, that's why you hear so little on the subject from the cybersecurity vendors.
Another topic I find interesting, but haven’t really heard any vendors or industry pundits talk about, is the whole new ecosystem and infrastructure produced by modern threat actors. The whole business model of these sophisticated criminals has created occupations, titles, and job descriptions that didn’t exist a few years ago. Some of these are a result of the specialization, compartmentalization, and outsourcing by these organizations; here are a few that come to mind:
Breach attorney
Ransomware Negotiator
Initial Access Broker
Cloud Access Security Broker
Multiple “As-a-Service” offerings:
Ransomware as a Service
Phishing as a Service
C2 as a Service
Another area that is mentioned fairly frequently, but typically fueled by more heat than light – and raised as a point of frustration by MSPs and IT Solution Providers in general – is the users who still believe they don’t have to worry about cybersecurity, hackers, malware, or ransomware, because they “don’t have anything the criminals would want,” or words to that effect. I believe those users need to comprehend how real and serious the threats are to their business.
By defining the multiple tiers of threat actors, the threat vectors they may employ, their potential victims, the assets owned and managed by those victims, and the attacker’s strategy for monetizing those assets, I believe it becomes obvious that every organization and every individual is the intended target of some subset of those threat actors.
Visit this resource for help making the argument. Ken is working on additional materials for end-user cybersecurity awareness training.
https://qpcsecurity.podbean.com/e/the-real-reason-you-cannot-afford-to-have-a-cybersecurity-incident/
Saturday Sep 25, 2021
How to avoid cybersecurity insurance fraud. If this happens to you, your claim will be denied and you will likely be uninsurable in the future, including by other insurance providers.
You have to be working with an extremely operationally mature ITSP with ISOs on staff, or you probably will not be able to navigate this complexity.
A great article showing a claims denial and the accompanying lawsuit for a perceived insurance fraud incident:
https://www.insurancejournal.com/news/national/2022/07/12/675516.htm