GSA HACS SIN

The General Services Administration (GSA) Federal Acquisition Service (FAS) announced in September 2016 that in support of the President’s Cybersecurity National Action Plan (CNAP), GSA’s IT Schedule 70 established four (4) new Highly Adaptive Cybersecurity Services (HACS) Special Item Numbers (SINs). These new SINs provide organizations seeking specialized IT Security services with faster and more reliable access to pre-vetted support vendors for their cybersecurity needs.

SeNet International Corporation (SeNet), one of the leading cybersecurity services firms, announces that it has been qualified and approved by GSA to add these four new SINs. As such, we have become one of the select few companies to offer these services to federal, state, local, and tribal agencies.

SIN 132-45A Penetration Testing - The Penetration Testing SIN provides for:

• Conducting authorized “white hat” penetration testing; 

• Analyzing enterprise computer network defense policies andconfigurations and assessment of compliance with regulations and enterprise; and

• Assisting with the selection of cost-effective security controls to mitigate risk (e.g., protection of information, systems, and processes) directives.

SIN 132-45B Incident Response - The Incident Response SIN will allow organizations impacted by cyberattacks to obtain support in determining the extent of the damage and restoring networks to a secure state. Tasks include:

• Collecting intrusion artifacts (e.g., source code, malware, and Trojans), and use discovered data to enable mitigation of potential Computer Network Defense incidents within the enterprise;

• Performing command and control functions in response to incidents; and

• Correlating incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation.

SIN 132-45C Cyber Hunt - Cyber Hunt activities, in times of crisis, require that SeNet utilize global cyber intelligenceinformation to identify undiscovered attacks and mitigate further attacks by threat actors. Tasks include but are not limited to:

• Collecting intrusion artifacts (e.g., source code, malware, and Trojans) and use discovered data to enable mitigation of potential Computer Network Defense incidents within the enterprise;

• Coordinating with and providing expert technical support to enterprise-wide Computer Network Defense technicians to resolve Computer Network Defense incidents; and

• Correlating incident data to identify specific vulnerabilities and making recommendations that enable expeditious remediation.

SIN 132-45D Risk and Vulnerability Assessment - Risk and Vulnerability Assessments must identify threats and vulnerabilities, assess the level of risk, and develop mitigation recommendations. Tasks include but are not limited to: network mapping, vulnerability scanning, and database assessment. Knowledge areas include but are not limited to: access management, network protocols, and application security.

• Network Mapping - consists of identifying assets on an agreed upon IP address space or network range(s).

• Vulnerability Scanning - comprehensively identifies IT vulnerabilities associated with agency systems that are potentially exploitable by attackers.

• Phishing Assessment - includes activities to evaluate the level of awareness of the agency workforce with regard to the digital form of social engineering that uses authentic looking, but bogus, emails requesting information from users or directing them to a fake Website that requests information. Phishing assessments can include scanning, testing, or both,and can be conducted as a one- time event or as part of a larger campaign to be conducted over several months.

• Wireless Assessment - includes Wireless Access Point (WAP) detection, penetration testing, or both, and is performed while onsite at a customer’s facility.

• Web Application Assessment - includes scanning, testing, or both of outward facing web applications for defects in Web service implementation that may lead to exploitable vulnerabilities. Provides report on how to implement Web services securely, and that traditional network security tools and techniques are used to limit access to the Web Service to only those networks and systems that should have legitimate access.

• Operating System Security Assessment (OSSA) - assesses the configuration of select host Operating Systems (OS) against standardized configuration baselines.

These SINs are now available on SeNet’s GSA Schedule 70 contract

World Game Protection Conference

The World Game Protection Conference is taking place this February 21st-23rd in Las Vegas.  This will be the 12th year for the show that debuted in 2006.  In previous years the focus of the show has been on physical security, surveillance, and protecting the casinos from cheaters.  However, in recent years with the rise of technology in the gaming industry the focus has been expanded to include these components.  This year there are sessions on OSINT for surveillance operators, technical breakdown of how slot machines work, and a panel on “How Computers are Taking the Luck Out of Gambling”.

This is a timely discussion as there was a recent Wired article on a sophisticated “hack” where a criminal organization reverse engineered slot machine’s random number generator (RNG) in order to gain an advantage over the casinos.  SeNet has experience with RNGs and fraud from our work in the Hot Lotto and MUSL criminal case in Iowa.  SeNet’s CTO contacted Willy Allison, the conference organizer, and even at this late stage Willy extended an offer to Gus Fritschie to participate in the panel and discuss what regulators and gaming operators need to be aware of as it relates to RNG security.

SeNet is looking forward to participating in this conference and continuing research into RNG and slot security. 

Security and Surveillance: The Age of Insecurity

In the recent Global Gaming Business magazine Marjorie Preston wrote an article titled “Security and Surveillance: The Age of Insecurity”.  The article discusses the state of cybersecurity in the gaming sector, from the attack on Las Vegas Sands to the credit card compromise at Hard Rock Las Vegas.  SeNet’s CTO, Gus Fritschie, was interviewed for the article and is quoted throughout.  Several topics are discussed such as the difficulty of securing these complex environments, common attack vectors, and iGaming security.  The article can be read in its entirety here.