Assessing and evaluating your organization's security exposure and educating key stakeholders: Avasek

We live in a fast-paced, global economy that relies more and more on data and information carried through cyberspace. As a business, it is important to maintain the physical property you own and protect it against intruders, potential theft and other acts that could cause issues within your company. In the same way, cyber security is as important a need, if not greater, than traditional security precautions.

A variety of sensitive information is stored within the files of your company such as employees’

Social Security numbers, passwords and passcodes for a variety of functions and information critical to your company’s success. Network security must become paramount within any business or organization in our time.

Hackers are constantly on the alert looking for chinks in the defenses you put up as protection; if your company chooses to forego computer network security, you can severely damage your reputation as a company. Do not take chances any longer on the vulnerability of your network security.

Avasek, 2015 through education, security tips, and current event helps protect companies and people from the growing cyber-security threats faced today. It is a leading IT security consulting firm offering years of knowledge and experience to address the needs of many industries, professions, and specialized business services. Using up-to-the-minute methodologies, the firm will assess and evaluate your organization’s security exposure and educate key stakeholders to foster secure computing practices.

Precis about company’s journey

Avasek was formed to provide an underserved market with security services. The company started at one of New Jersey’s Small Business Incubators. December 2016 it was announced that the incubator was closing and we moved to another location co-located with another IT Support vendor. 2016 was a tremendous growth year for us and we were recognized as the “Best of Biz” in South Jersey for Data Security. Through 2016 and 2017 Avasek has built strategic relationships with the FBI, NJ Homeland Security, and local Universities to help bridge the information sharing gap between public and private sectors and help to raise the next generation of security professionals.

The present market landscape; In CEO David J. Humphreys’ words

Cyber crime continues to grow forcing increased budgeting requirements for companies. There continues to be a shortage of cyber security professionals to meet the domain.

For most small to medium size businesses, security budget continues to be viewed as an “insurance investment” for something that may or may not happen. Most b2b business and consumers are not mandating a certain level of security control implementation, therefore, generating new business does not require IT security. Most enterprise-to-enterprise (E2E) business and some enterprise-to-medium-size (E2M) business require verification of security control implementation as a prerequisite to contract rewards, which makes it easier to justify security budget. At Avasek we are starting to see a shift in this.

The DoD has now required compliance with NIST SP 800-171 under DFARS Clause 252.204-7012 by 12/31/2017 for Controlled Unclassified Data that resides on Contractor’s Internal Systems. Many prime contractors are now using EXOSTAR and require sub-contractors (regardless of size) to complete cyber-security questionnaires. The completion of these questionnaires assigns a score that designates the “Risk Level” of doing business with that contractor. In order to answer Request for Proposals (RFPs) subcontractors are now being required to share their EXOSTAR profile as a part of the bidding process.

With in the mid-sized energy technology sector a security audit team will typically visit a potential vendor to review technical implementations as well as policies and procedures (P&P) as a part of the bidding process. If the vendor has achieved ISO 27001 certification to validate the implementation of their cyber security program, the audit process is many times unnecessary, which is appealing to the buyer creating a competitive advantage for the vendor.

Regulatory requirements are continuing to become more stringent and enforced.

 On March 1st 2017 New York Department of Financial Services (DFS) promulgated Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations. The DFS requirement implements a broad set of regulations affecting banks, insurers, and other financial institutions.

The new DFS regulations will be phased in stages and requires addressing areas such performing risk assessments, the development and implementation of a cyber security program, proper policy development to inform employees the knowledge they need to protect the organization against cyber-attacks, vulnerability assessments and penetration testing, training and monitoring programs such as security awareness and training sessions and security information and event management (SIEM) programs, and incident response plans. It always requires a Senior Officer to submit an annual compliance report and that person can be held personally liable for infractions.

Head-to-head with the dignitary: David J. Humphreys, CEO

What is the rationale behind setting up Avasek?

I had worked as a security lead on the Naval Ballistic Missile Defence Systems (AEGIS) for Lockheed Martin, was assigned to the Inter-Country Cyber security Incident Response Team and the Information Security Automation Team at the Philadelphia Naval Yard, and worked as the Lead Security Engineer for the FAA’s Next Generation Air Traffic Control Program called ADS-B. With all of that experience I was frustrated with the “checklist” approach to security witnessed with government-related work. I wanted to be able to utilize critical thinking and problem solving to find other ways to address security concerns without the damage caused by checking off boxes.

During that time, business owners had reached out to me and asked me to review their networks systems. I quickly realized that the small-to-medium sector did not have security advisors that they could turn to for advice and thought the combination of opportunity and resolution to my frustrations was too good to pass up.

What products and services do you render?

Our products and services fall into four categories:

Education – This includes services such as managed security awareness programs, security assessments, compliance audits

Securing – This includes system and software engineering services. Network Architecture/Topology design, System/Software implementation designs, Business Continuity services, Disaster Recovery Implementation

Monitoring – This includes ongoing services to maintain the desired state of systems or software, Log Event Management and Monitoring, Incident Response, Forensics, and maintenance of business continuity/disaster recovery plans

Who are some of your biggest clients? In which vertical do you see the most traction in?

Arthur J. Gallagher & Co. is a leading international insurance brokerage and risk management services firm, with operations in 34 countries.

The company has deep expertise in its cyber risk practice with client initiatives that ensure that companies are both educated on current and emerging threats, i.e., social engineering, and given the right tools so they can evaluate the effectiveness of their systems. Gallgher has created the “Cyber Due Diligence” cyber-risk management tool that aids companies in identifying the type of insurance they may need through a six-step process, which minimizes confusion and enables them to ask the pertinent cyber liability questions so they can mitigate the risk to their organization.

Avasek is one of the preferred vendors that AJG recommends to ensure a flawless implementation with maximum effectiveness. Avasek has conducted cyber seminars for TD Bank clients to keep them up to date on the latest threats.

Avasek also has strategic alliances with Rowan University, NJCCIC (NJ Homeland Security), and the FBI to share information with the public, private, and educational sectors to make sure their clients has the most up-to-date information on emerging threats.

The verticals that Avasek has the most traction in are – title companies, medical, legal, and financial industries.

Case studies to highlight the story

Hackers Allegedly Steal $1.5 Million from D.C. Couple in Home-Buying Phishing Scheme

When hopeful D.C. homebuyers Sean Smith and Erin Wrona were asked earlier this year to wire their title company $1.57 million, they took it as a routine request ahead of closing on the purchase of a five-bedroom, 2,300-square-foot Cleveland Park home.

But when they went to the offices of Federal Title & Escrow a month later to sign the final paperwork, an attorney for the company informed them that the funds the couple thought they had wired had not ended up in escrow as expected. In fact, no one at Federal Title even knew the money had been sent.

A new lawsuit now sheds some light on the mystery of the missing money: Smith and Wrona apparently fell victim to a hacker who had commandeered Federal Title’s servers and sent the couple an email asking that they wire the $1.57 million for the home purchase to a bank account that, unbeknownst to them, was controlled by the hacker.

It’s a practice known as phishing, and while it’s not a new scam — it’s how hackers gained access to John Podesta’s email account last year, for one — it is fairly new in the realm of real estate transactions.

Last year, the Federal Trade Commission and National Association of Realtors teamed up to warn homebuyers of phishing attempts:

Hackers have been breaking into some consumers’ and real estate professionals’ email accounts to get information about upcoming real estate transactions. After figuring out the closing dates, the hacker sends an email to the buyer, posing as the real estate professional or title company. The bogus email says there has been a last minute change to the wiring instructions, and tells the buyer to wire closing costs to a different account. But it’s the scammer’s account.

Unlike the victims in those scams, many of which involved closing costs involved in home purchases, Smith and Wrona lost almost the entirety of what they were going to pay for the house, spare the $200,000 they put down separately as a deposit. (The sales price was just north of $1.7 million.)

In a statement, Federal Title spokeswoman Nikki Lyon says the incident stemmed from “what appears to be a cybercrime attack on our information systems.”

 “Federal Title discovered the attack and immediately reported it to the FBI. Federal Title continues to work with the FBI as they complete their investigation. Federal Title’s internal review has revealed that no other customers were affected by this attack,” she said.

Those assurances are not enough for Smith, who works for a U.S. senator, and Wrona, a statistician with the U.S. Census Bureau.

Last week, the couple filed a lawsuit against the company, alleging that Federal Title either conspired to defraud them of the $1.57 million or was so negligent in its online security protocols that it all but allowed the money to be stolen by someone else.

Nadel also says Federal Title, which has offices in Friendship Heights and Logan Circle, failed to effectively communicate with Smith and Wrona ahead of the closing — a situation he attributes to the company being involved in the scheme.

The pair is asking not just for their $1.57 million, but also close to $5 million for an alleged violation of RICO — the Racketeer Influenced and Corrupt Organizations Act, the law best known for its use against the mob — plus punitive damages and attorneys’ fees.

Federal Title’s Nikki Lyon denies that the company had anything to do with the money going missing.

Smith and Wrona did ultimately buy the house. According to the lawsuit, the couple and their family “wired an additional $1.57 million to close the transaction.”

Background of the CEO

David is an accomplished cyber security engineer with 10 years of experience in information technology (IT) solutions. His responsibilities have included cyber security engineering, database administration, software development, and IT training and support. His expertise encompasses governmental agencies as well as small to medium size businesses.

David sits on the YMCA’s Risk Committee and is an Adjunct Professor for Rowan University and Rowan College of Burlington county developing and teaching cyber security courses. He has served to protect his Country on the battlefield overseas, and now serves to protect organizations on the virtual battlefield here at home.

 “We specialize in Security Assessments, Policy Compliance, Employee Training, Managed Security Services, Business Continuity Planning, Disaster Recovery, and Digital Forensics.”