
Team Blog
Beware of Social Engineering Attacks: The Silent Threat
By: Stephen Haley – January 2025
COO ToriiGate Security Consulting, LLC
In our digital age, while technology advances at breakneck speed, so do the tactics of cybercriminals. Among their most insidious tools is social engineering, a form of deception that preys on human psychology rather than technical vulnerabilities. Here's why you should be wary and how to protect yourself.
What is Social Engineering?
Social engineering attacks exploit our natural inclination to trust and help others. Rather than breaking into systems with brute force or sophisticated malware, attackers manipulate individuals into providing sensitive information or performing actions that compromise security. This can include phishing emails, pretexting calls, baiting with infected USB drives, or even in-person deception.
Common Types of Social Engineering Attacks
Phishing: Attackers send emails or messages pretending to be from reputable sources, tricking recipients into revealing personal information like passwords or credit card numbers.
Pretexting: An attacker creates a fabricated scenario to steal personal information. For example, they might pretend to be from a bank's fraud department asking for account details to verify suspicious activity.
Baiting: The promise of a reward (like free music downloads or software) lures victims into downloading malware or clicking malicious links.
Tailgating: Someone without proper authorization physically follows an authorized person into a restricted area, exploiting human courtesy.
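The checks a mail administrator or help desk would apply to a suspected phishing message (sender impersonation, mismatched Reply-To, failed SPF/DKIM/DMARC, lookalike domains in the sender and in links, urgency language) can be scripted. The following is an added example written for this post, not code from the original article; the trusted domain list, the brand words and both sample messages are constructed for illustration.

```python
"""Header and link triage for a suspected phishing email.

Added example, not code from the original post. The known-domain list, the
brand words and the two sample messages are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

KNOWN_DOMAINS = {"example-bank.com"}                    # assumed: domains we trust
BRAND_WORDS = {"example bank": "example-bank.com"}      # display-name text -> real domain
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
URGENCY = ("immediately", "within 24 hours", "suspended", "verify your account", "urgent")


def fold(domain):
    """Replace common look-alike characters so 'examp1e-bank.com' folds to the real name."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def lookalike(domain):
    """Return the known domain that `domain` imitates, or None for exact matches and unrelated names."""
    domain = domain.lower()
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if domain.startswith(known + "."):               # example-bank.com.evil.net
            return known
        if fold(domain) == known:                        # examp1e-bank.com
            return known
        if domain.split(".")[0] == known.split(".")[0]:  # example-bank.co (other TLD)
            return known
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return a list of (finding_code, detail) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)

    for brand, real in BRAND_WORDS.items():              # brand in display name, other domain
        if brand in name.lower() and from_dom != real:
            findings.append(("display_name_impersonation", f"{name!r} sent from {from_dom}"))
    imitated = lookalike(from_dom)
    if imitated:
        findings.append(("lookalike_sender", f"{from_dom} imitates {imitated}"))

    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:           # replies silently go elsewhere
        findings.append(("reply_to_mismatch", f"replies go to {domain_of(reply)}"))

    auth = str(msg.get("Authentication-Results", ""))    # as written by our own inbound MX
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1).lower() != "pass":
            findings.append((f"{mech}_not_pass", m.group(1) if m else "absent"))

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in sorted(set(re.findall(r"https?://([\w.-]+)", text))):
        imitated = lookalike(host)
        if imitated:
            findings.append(("lookalike_link", f"{host} imitates {imitated}"))

    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [w for w in URGENCY if w in haystack]
    if hits:
        findings.append(("urgency_language", ", ".join(hits)))
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: verify@mail-secure-login.net
To: jane@torii-gate.example
Subject: Urgent: your account will be suspended
Authentication-Results: mx.torii-gate.example; spf=fail smtp.mailfrom=examp1e-bank.com; dkim=none; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Unusual activity was detected. Verify your account within 24 hours at
https://example-bank.com.account-check.net/login or it will be suspended.
"""

LEGIT = """\
From: "Example Bank" <alerts@example-bank.com>
To: jane@torii-gate.example
Subject: Your monthly statement is ready
Authentication-Results: mx.torii-gate.example; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Your statement for last month is available at https://example-bank.com/statements.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw) or "no findings")
```

None of these checks is proof on its own; a legitimate bulk-mail vendor can fail SPF and a targeted attacker can pass all three authentication checks from a freshly registered lookalike domain. The value is in the combination, and in the fact that the Authentication-Results header is trusted only because your own mail server wrote it.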
How to Protect Yourself
Be Skeptical: Always question unexpected communications, especially those that request sensitive information or immediate action. Verify the identity of the person or organization directly through official channels, using a phone number or web address you already have rather than one supplied in the message.
Educate and Train: Continuous education about the latest social engineering tactics can help you recognize potential threats. Regular training sessions and simulations can keep you and your organization vigilant.
Use Multi-Factor Authentication (MFA): A second factor can stop unauthorized access even if your password has been phished. Prefer phishing-resistant methods such as FIDO2 security keys or passkeys where they are offered; one-time codes and push approvals can still be captured by a real-time relay site or worn down by repeated prompts.
Monitor and Report: Stay vigilant for signs of social engineering attempts and report suspicious activities to your IT department or relevant authorities immediately.
Secure Physical Spaces: Ensure that your work environment is secure and that access control measures are in place to prevent unauthorized entry.
Conclusion
Social engineering attacks highlight the importance of the human factor in cybersecurity. While firewalls and encryption are essential, the weakest link often lies in human behavior. By staying informed, skeptical, and proactive, you can defend against these silent threats and safeguard your digital life.
Stay vigilant and stay safe!
The Importance of Cyber Health Checks for Your Business
By: David Gatewood – December 2024
CEO ToriiGate Security Consulting, LLC
As 2024 draws to a close, I find myself recovering from my first bout with COVID-19. For years, I thought I had evaded it, but it finally caught up with me. This experience got me thinking about how many businesses, from small to large, might feel secure, believing they are not targets for cybercrime.
Just as my health was unexpectedly interrupted by COVID-19, any business can fall victim to cybercrime. If your business is connected to the Internet, engages with third parties online, operates a Point of Sale (POS) system, or collects customer information, you could be a target for cybercriminals.
When was the last time your business underwent a cyber health check? If you can't remember, it might be time to assess your security measures. A cyber health check can identify vulnerabilities and help you enhance your defenses.
Need a cyber health check? Contact us at ToriiGate Security Consulting, LLC. We're here to help ensure your business stays secure.
Understanding Information Security Services: Security Assessment, Vulnerability Scan, and Penetration Test
This article aims to demystify three crucial security services: Security Assessment, Vulnerability Scan, and Penetration Test. These terms are often misunderstood and incorrectly used interchangeably.
By: David Gatewood – November 2024
CEO ToriiGate Security Consulting, LLC
New cyber incidents are reported almost daily across media outlets worldwide. Many more go unnoticed or unreported for various reasons.
According to research from IBM in 2022 (http://www.IBM.com/reports/Data-breach), the average cost of a data breach in healthcare is $10.1M, with the possibility of additional General Data Protection Regulation (GDPR) fines of up to 4% of the company's worldwide revenue from the previous year. GDPR is a regulation in EU law on data protection and privacy.
According to the FBI's Internet Crime Complaint Center (IC3) statistics for 2022, released in 2023 (https://www.fbi.gov/contact-us/field-offices/springfield/news/internet-crime-complaint-center-releases-2022-statistics):
800,944 complaints were reported to IC3, with losses exceeding $10.3 billion.
Phishing schemes were the most reported crime type, with 300,497 complaints.
Investment fraud produced the highest financial loss at $3.3 billion, a 127% increase from 2021.
Cryptocurrency investment fraud rose from $907 million in 2021 to $2.57 billion in 2022.
The IC3 Internet Crime Report 2023, released in 2024 (https://www.aha.org/cybersecurity-government-intelligence-reports/2024-03-11-federal-bureau-investigation-internet-crime-report-2023), shows:
880,418 complaints registered with IC3, with potential losses exceeding $12.5 billion.
Investment fraud losses increased to $4.57 billion, a 38% increase from 2022.
Business email compromise (BEC) scams resulted in $2.9 billion in reported losses.
Ransomware complaints increased by 18% from 2022, with reported losses rising from $34.4 million to $59.6 million.
According to PURPLESEC (https://purplesec.us/resources/cyber-security-statistics/):
Small and medium-sized businesses (SMBs) are targeted in over 50% of all cyber attacks.
The average cost of a data breach for small businesses ranges from $120,000 to $1.24 million.
It is estimated that, worldwide, cybercrimes will cost $10.5 trillion annually by 2025.
Enterprises experienced 130 security breaches per year, per organization, on average.
Introduction
In today's digital landscape, robust information and cybersecurity measures are more critical than ever, and the first step is knowing what you are buying. The sections below define each of the three services and explain where each one fits.
Misconceptions and Realities
Having spent over twenty-five years in the information security industry, I've noticed persistent misconceptions, especially among non-security professionals. A prevalent myth is that a penetration test involves merely pressing a button and waiting for an automated report. That describes an automated scan, not a penetration test. Often, what clients truly need is neither: it is a security assessment, a high-level review of system settings within a planned deployment environment.
The Triad of Security Services
Security Assessment
A Security Assessment is a high-level review of the available security settings for the elements of a planned deployment: networks, servers, cloud environments, printers, applications, and IoT devices. It is conducted by a security team or architect, who compares those settings against the company's security policies. Where company policy is silent, the reviewer may fall back on published guidance; in the United States this commonly means, among others, the National Institute of Standards and Technology (NIST, nist.gov), the Open Worldwide Application Security Project (OWASP, owasp.org, formerly the Open Web Application Security Project), and the Cybersecurity and Infrastructure Security Agency (CISA, cisa.gov). This assessment is best performed during the design phase, prior to deployment, and should not be confused with a vulnerability assessment.
Vulnerability Scan
A Vulnerability Scan is typically run with automated tools that look for known weaknesses in production or production-ready systems and applications: missing patches, outdated software versions, weak configurations, exposed services. The tools' check databases must be updated regularly or they will miss newly disclosed issues. Scanners generate false positives because they know nothing about mitigating controls or layered defenses around a host; they also produce false negatives, since an unauthenticated scan sees only open ports and banners and cannot confirm whether a patch is installed or a setting is enforced. The analogy of shining a flashlight into a dark area to spot a padlock, without checking whether it is actually locked, describes this limitation well. Scans deliver the most value when integrated into regular monitoring: run on a schedule and compared against the previous results, so that an alert fires promptly when a configuration changes or a new system appears with missing settings or patches.
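What "integrating scans into regular monitoring" looks like in practice is a diff between the latest scan and the last accepted baseline, with a register of documented mitigating controls so known false positives do not page anyone. The following is an added example written for this article, not code from the original or from any scanner product; the two result sets and the exception register are constructed sample data shaped like the host/port/check/severity records most scanners export.

```python
"""Continuous vulnerability-scan monitoring.

Added example, not code from the original article or from any scanner product.
BASELINE, CURRENT and EXCEPTIONS are constructed sample data.
"""
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

BASELINE = [  # last accepted scan (constructed)
    {"host": "10.0.1.10", "port": 443, "check": "tls-1.0-enabled", "severity": "medium"},
    {"host": "10.0.1.10", "port": 22, "check": "ssh-weak-mac", "severity": "low"},
    {"host": "10.0.1.11", "port": 445, "check": "smbv1-enabled", "severity": "high"},
]
CURRENT = [  # scan that just completed (constructed)
    {"host": "10.0.1.10", "port": 443, "check": "tls-1.0-enabled", "severity": "medium"},
    {"host": "10.0.1.11", "port": 445, "check": "smbv1-enabled", "severity": "high"},
    {"host": "10.0.1.11", "port": 3389, "check": "rdp-nla-disabled", "severity": "high"},
    {"host": "10.0.1.50", "port": 8080, "check": "missing-security-patches", "severity": "critical"},
]
EXCEPTIONS = [  # mitigating controls the scanner cannot see; every one expires (constructed)
    {"host": "10.0.1.11", "check": "smbv1-enabled",
     "control": "legacy VLAN, no route from user networks", "expires": date(2025, 6, 30)},
    {"host": "10.0.1.10", "check": "tls-1.0-enabled",
     "control": "TLS terminated on load balancer", "expires": date(2024, 12, 31)},
]


def key(f):
    """Identity of a finding across scans: the same check on the same host and port."""
    return (f["host"], f["port"], f["check"])


def exception_for(finding, exceptions):
    for e in exceptions:
        if e["host"] == finding["host"] and e["check"] == finding["check"]:
            return e
    return None


def compare(baseline, current, exceptions, today):
    """Return alerts as (kind, key, detail); open alerts first, most severe first."""
    base_keys = {key(f) for f in baseline}
    base_hosts = {f["host"] for f in baseline}
    cur_keys = {key(f) for f in current}
    alerts = []
    for f in current:
        exc = exception_for(f, exceptions)
        if exc and exc["expires"] >= today:
            continue  # documented, still-valid mitigating control: a scanner false positive for us
        if f["host"] not in base_hosts:
            alerts.append(("new_host", key(f), f"{f['severity']}: host never scanned before"))
        elif key(f) not in base_keys:
            alerts.append(("new_finding", key(f), f"{f['severity']}: configuration or patch regression"))
        elif exc:
            alerts.append(("exception_expired", key(f), f"{f['severity']}: exception lapsed {exc['expires']}"))
    for f in baseline:
        if key(f) not in cur_keys:
            alerts.append(("resolved", key(f), "no longer detected"))
    alerts.sort(key=lambda a: (a[0] == "resolved", SEVERITY_RANK.get(a[2].split(":")[0], 9)))
    return alerts


if __name__ == "__main__":
    for kind, k, detail in compare(BASELINE, CURRENT, EXCEPTIONS, date(2025, 1, 15)):
        print(f"{kind:18} {k[0]}:{k[1]} {k[2]:28} {detail}")
```

The exception register is the piece most teams skip: it records the layered control the scanner cannot see (the locked padlock, in the analogy above) and, because each entry expires, it forces the control to be re-verified instead of becoming a permanent blind spot.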
Penetration Test
A Penetration Test goes beyond identifying vulnerabilities: skilled testers simulate real-world attack scenarios to validate findings and exploit them, demonstrating what an attacker could actually reach (in the flashlight analogy, whether the padlock was locked). These professionals continually update their knowledge and techniques to mimic the tactics of real adversaries. Unlike automated tools, they tailor their methods to the specific environment, work within an agreed scope and time window, and provide evidence for each successful exploitation along with detailed recommendations to mitigate the identified risks.
Challenges and Considerations
Despite growing awareness of cybersecurity, security services often remain an afterthought, engaged out of necessity rather than planned proactively. This reactive approach can delay project timelines and diminish the perceived value of security. Additionally, any testing, whether a vulnerability scan or a penetration test, must have explicit written authorization from the entity responsible for the target, covering scope and time window, to avoid legal repercussions under the Computer Fraud and Abuse Act in the United States.
Conclusion
Understanding the distinct purposes and processes of Security Assessments, Vulnerability Scans, and Penetration Tests is crucial for effectively safeguarding your business. Each service plays a unique role in a comprehensive security strategy, contributing to layered defenses that adapt to evolving threats. Clear communication and precise scoping of these services ensure that businesses receive the most value from their security investments.
Enhancing Security in Large Enterprise Deployments: A Case Study
As the client demographic grows, so do the security concerns.
By: David Gatewood
In a recent review of our team metrics spanning the past two decades, we conservatively estimated that we have evaluated and consulted on the security of between 5,000 and 10,000 vendor applications, solution systems, and hardware devices. This extensive experience has highlighted recurring security concerns, particularly when products require modifications to enterprise firewalls.
A frequent issue arises when vendors request that ports be opened in the enterprise firewall. From the vendor's perspective, opening a few ports may seem trivial. For a large enterprise, however, a single request to open up to 20 ports represents a significant security risk. This issue was recently underscored in a discussion with a vendor whose application, designed to meet a clinical need, was better suited to a small physician clinic than to a large enterprise. The vendor was adamant about not supporting a business-to-business (B2B) connection (typically a dedicated site-to-site VPN tunnel between the two organizations), which compounded the security concerns.
From the enterprise security standpoint, firewall rules must be configured across multiple firewalls, not just one. Each hole in a firewall potentially serves as an entry point for threat actors. With thousands of vendors on the network, each with unique requirements, the cumulative effect can quickly transform firewalls into Swiss cheese, leaving the company vulnerable.
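The review position described above can be written down as rules and applied to every vendor request the same way, which also makes the cumulative "Swiss cheese" exposure visible as a number rather than a feeling. The following is an added example written for this article, not code from the original; the three change requests, the RFC 1918 internal ranges, the risky-port table and the five-port policy limit are assumptions for illustration.

```python
"""Review of vendor firewall change requests.

Added example, not code from the original article. REQUESTS, INTERNAL,
RISKY_PORTS and MAX_PORTS are assumed values for illustration.
"""
import ipaddress

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RISKY_PORTS = {21: "FTP (cleartext)", 23: "Telnet (cleartext)", 80: "HTTP (cleartext)",
               445: "SMB", 1433: "MSSQL", 3389: "RDP"}
MAX_PORTS = 5  # assumed policy limit per request

REQUESTS = [  # constructed change requests; all are inbound to the enterprise
    {"vendor": "ClinicApp", "src": "any", "dst": "10.20.5.10/32", "proto": "tcp",
     "ports": "10000-10020", "path": ["edge", "dmz", "clinical-core"]},
    {"vendor": "ImagingCo", "src": "203.0.113.25/32", "dst": "10.20.5.11/32", "proto": "tcp",
     "ports": "443,3389", "path": ["edge", "dmz", "clinical-core"]},
    {"vendor": "PartnerLab", "src": "10.200.0.0/24", "dst": "10.20.5.12/32", "proto": "tcp",
     "ports": "443", "path": ["dmz", "clinical-core"]},  # arrives over an existing B2B tunnel
]


def parse_ports(spec):
    """'443,10000-10002' -> {443, 10000, 10001, 10002}"""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def source_net(src):
    return ipaddress.ip_network("0.0.0.0/0" if src.lower() == "any" else src, strict=False)


def is_internal(net):
    """Internal means inside our RFC 1918 space, which is also where B2B tunnels land."""
    return any(net.subnet_of(i) for i in INTERNAL)


def review(req):
    """Return (code, message) issues for one request, in the order a reviewer would raise them."""
    net = source_net(req["src"])
    ports = parse_ports(req["ports"])
    issues = []
    if net.prefixlen == 0:
        issues.append(("unrestricted_source", "open to the whole Internet; require a named peer"))
    elif not is_internal(net):
        if net.num_addresses > 1:
            issues.append(("broad_external_source", f"{net} spans {net.num_addresses} addresses"))
        issues.append(("needs_b2b", f"external peer {net} reaches application ports directly; "
                                    "terminate a B2B tunnel and source the rule from it"))
    if len(ports) > MAX_PORTS:
        issues.append(("wide_port_range", f"{len(ports)} ports requested, policy limit is {MAX_PORTS}"))
    for p in sorted(ports & RISKY_PORTS.keys()):
        issues.append(("risky_service", f"port {p}: {RISKY_PORTS[p]} should not be exposed"))
    return issues


def external_exposure(requests):
    """Distinct (dst, proto, port) tuples reachable from outside INTERNAL: the 'Swiss cheese' total."""
    exposed = set()
    for r in requests:
        if is_internal(source_net(r["src"])):
            continue
        exposed.update((r["dst"], r["proto"], p) for p in parse_ports(r["ports"]))
    return exposed


def rules_to_deploy(requests):
    """Each request becomes one rule on every firewall in its path, not a single change."""
    return sum(len(r["path"]) for r in requests)


if __name__ == "__main__":
    for r in REQUESTS:
        print(r["vendor"], review(r) or "approve")
    print("externally reachable (dst, proto, port) tuples:", len(external_exposure(REQUESTS)))
    print("firewall rules to deploy:", rules_to_deploy(REQUESTS))
```

Run on the three sample requests, only PartnerLab passes review, because its traffic arrives from inside the address space of an existing B2B tunnel; the other two together add 23 externally reachable service endpoints and eight rule deployments across the firewall path, which is the figure that matters when thousands of vendors are on the network.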
After several weeks of negotiations, the division requiring the vendor’s product arranged a conference call. During this call, I was able to articulate the security concerns from both perspectives. I emphasized that by enhancing their services as requested, the vendor would not only meet our security standards but also position themselves to offer a more secure product to other clients. The vendor ultimately agreed that it was in both companies’ best interests to implement the enhancements and establish a B2B connection.
This case underscores an important lesson: as the client demographic grows, so do the security concerns. Vendors must consider the target environments and not just the system or application developed in a controlled environment. By doing so, they can ensure their products are secure and suitable for deployment in large enterprises.
Why We at ToriiGate Security Consulting Do What We Do
In the ever-evolving landscape of cybersecurity, the team at ToriiGate Security Consulting stands united by a common purpose: to serve and protect. Our journey is driven by a profound sense of duty and a commitment to leveraging our collective expertise for the greater good.
By - David Gatewood
A Call to Serve
While I cannot speak for everyone in the cybersecurity field, I can confidently share the ethos that binds our team. We are driven by a calling to serve, a mission that transcends the boundaries of a typical business. In a world where vast amounts of data (Big Data) have become fertile ground for cyber threats, our combined experience becomes a beacon of hope and security for our clients.
Diverse Backgrounds, Unified Purpose
Many of our team members have proudly served in the armed forces, bringing with them a wealth of diverse skills and training. These varied backgrounds have equipped us with a unique set of capabilities that are invaluable in the cybersecurity arena. Our military experience has instilled in us a sense of discipline, resilience, and strategic thinking that we now apply to safeguarding your business.
Beyond Business
Yes, we started a business. Survival is a fundamental need for everyone. However, our journey is not solely about commercial success. It is about fulfilling a shared need to serve and utilizing our vast combined experience to build a safer digital world. Our services are crafted around this core principle, ensuring that we are always ready to understand and address the unique challenges your business faces.
Ready to Protect
At ToriiGate Security Consulting, we stand ready to help your business navigate and survive the growing landscape of cyber threats. Our commitment to service, combined with our extensive experience, positions us as your trusted partner in cybersecurity. Together, we can build a resilient defense against the ever-present dangers in the digital world.