Manage Cybersecurity Risk with Data Protection Policies

Nov 17, 2015 | Cybersecurity Advice, Network Security

In order to manage cybersecurity risk effectively, data protection policies must be developed. However, a new research study conducted by risk and business consulting firm Protiviti, suggests that a third of companies have not yet developed data protection policies. When data protection policies have been implemented, many are insufficient and leave the company vulnerable to a cyberattack.

Data protection policies are inadequate or non-existent in many cases

Over 700 information security professionals and executives were polled and asked about their company’s efforts to keep data secure. Questions were asked about data retention, storage and secure disposal, as well as governance, privacy policies and a wide range of cybersecurity controls. It would appear that many firms were not managing cybersecurity risk effectively, leaving them vulnerable.

Information security solutions may have been implemented, but basic controls such as the development and issuing of data protection policies had been neglected. When policies had been written and implemented, many were insufficient and did not cover even a fraction of the elements necessary to keep systems and data secure. Many security holes were allowed to persist.

To manage cybersecurity risk, start at the top

The board must become involved in cybersecurity decisions and should take a greater interest in keeping their organizations secure. Policies must be developed that set rules for the entire organization, and awareness of data and network security must be improved. All members of staff must be made aware of the current threat levels and a culture of security awareness developed. Best practices must be defined and all users monitored to make sure that those practices are being followed.

The study indicates that board level involvement in cybersecurity issues is becoming more common, yet only 28% of survey respondents indicated there was a current high level of board engagement in such issues. What is even more worrying is there has actually been a fall of 2% in high-level engagement year on year. 15% of respondents said board engagement in cybersecurity matters was low, while a third said engagement was at a medium level, better than in previous years.

You must identify the most critical assets to effectively manage cybersecurity risk

In order to protect assets, they must first be identified. This may sound obvious, but many companies are unsure what their critical assets are according to the study. A number of companies had failed to identify the data that cybercriminals were most likely to try to obtain. Appropriate protections were therefore not being put in place to keep the most sensitive data secure.

Confidence in repelling cyberattacks is low

The majority of organizations are not particularly confident that a targeted attack could be repelled, even though cybersecurity protections had been put in place. Companies were believed to be better at protecting their assets and keeping sensitive data secure than in recent years, although considerable efforts still need to be made.

According to the researchers, a lack of confidence is actually good news, as it should spur companies to keep on developing their security protections.

5 Security Errors Often Made by System Administrators

Sep 17, 2015 | Cybersecurity Advice, Network Security

Most system administrators have a rather long to-do list. As soon as one item is cleared, another two seem to take its place. Oftentimes there are simply not enough hours in the day to deal with all of the issues. There are software problems, hardware problems, user problems, and it can be hard to find time to be proactive instead of reactive.

We would like to make your job easier and reduce the number of items on your future to-do lists. With this in mind we have listed five issues that you should avoid to prevent future headaches. They are basic, but that is why many system administrators forget them.

Network Security No No’s

Never host more than Windows Active Directory on a domain controller

Active Directory looks after the identities and relationships of your network. It will allow you to provide all employees with SSO (Single Sign-On) access. However, it is important that Active Directory is isolated and the machine you use is not used for anything else. Don’t mix up your assets, as in the event of one being compromised, anything else hosted on the same machine is also likely to be affected. After all, hackers are likely to have a snoop around and see what else is running on a server they have managed to gain access to. Keep everything separate, and you will be limiting the damage that can be caused in the event of a security breach.

Don’t access a workstation using your administrator credentials

Your administrator login credentials, if compromised, would allow a malicious insider or outsider to gain access to systems where a lot of damage can be caused. If you login to a compromised workstation using your administrator login, you could be giving your access rights to a hacker. Cached login credentials are not difficult to obtain. Github offers code that will allow anyone to change Local Admin privileges to Domain Admin privileges. If that happens, a hacker really can unleash hell.

Don’t ever reuse passwords

One of the most elementary data security measures is to ensure passwords are impossible to guess. In the unlikely event that your password is guessed, or is somehow compromised, it is essential that the password cannot be used to access any other systems, servers or workstations. Setting different access passwords for everything is a pain, but it is an essential security measure.

Don’t leave default logins active

Default logins are often exploited. Many can be obtained with a very quick search on the Internet. This applies for all networked devices, routers, and equipment. It is usually the first thing that will be attempted in order to gain access. How easy is this? Take hospital drug pumps as an example. There have been instances of patients searching online for the manufacturer’s website, obtaining the default login details, and then logging in to up their morphine doses. If patients can do it, it would not be too hard for a hacker.

Never, ever use an open Wi-Fi network

In a business environment, it is not possible to justify using an open Wi-Fi network. The risks that insecure Wi-Fi creates are simply too high. If you need to provide guest access, set up a guest login and password and make sure it is changed regularly. You may get a few complaints, but not as many as you will get when your system is compromised, data is exfiltrated, or heaven forbid, data is deleted or encrypted with ransomware.

Summary

It may be more convenient to share passwords, allow anyone to access Wi-Fi, share servers and use the same login to access everything, but it is a recipe for disaster. If anything goes wrong, and it eventually will, you must ensure that the damage caused is limited as far as is possible. Convenience should never jeopardize system security.

How to Deal with Insider Threats: A Common Sense Approach

Aug 25, 2015 | Cybersecurity Advice, Network Security

Beware the threat from within: How to deal with insider threats

IT security professionals and C-suiters are well aware of the threat from hackers. Cyberattacks have been all over the news recently. Major security breaches have resulted in millions of files being stolen. Patient health records have been targeted with the cyberattack on Anthem Inc., the largest ever healthcare data breach ever recorded. That cyberattack, discovered in February this year, involved the theft of 78.8 million health insurance subscriber records.

Target was attacked last year and hackers managed to obtain the credit card details of an estimated 110 million customers. The finance industry was also hit hard in 2014, with 83 million J.P. Morgan Chase accounts compromised by hackers.

Cybersecurity defenses naturally need to be put in place, monitored, and bolstered to deal with the ever changing threat landscape. However, it is important not to forget the threat from within. Malicious insiders can be just as dangerous, and often more so than hackers. Just ask the NSA. They know all too well how dangerous insiders can be. Edward Snowden managed to steal and release data that has caused considerable embarrassment. In his case, he wanted the world to know what the NSA was up to. The NSA had gone to great lengths to make sure that what occurred behind its walls stayed secret.

Malicious insiders are often individuals who have been given access to patient and customer records, as well as the intellectual property of corporations, company secrets, product development information and employee databases. They are therefore potentially able to steal everything. The harm that can be caused by malicious insiders is therefore considerable.

It is not just theft of data that is a problem. Insiders may use their access to computer systems to defraud their employers, destroy data, or install malware and ransomware. Unfortunately, tackling the threat from within is a much more difficult task than preventing external attacks.

Bear in mind that insiders are not necessarily employees. They can include business partners and associates, contractors and past employees.

Which insiders pose the biggest threat

Unfortunately, any employee can steal corporate secrets and data; but the potential for damage increases as privilege levels increase. In a hospital, a physician may only have access to his or her caseload of patients. It may be possible for that physician to access the records of other patients of the facility, but not without triggering alarms. Those alarms may not be klaxons, but a flag would be raised that would alert anyone checking access logs that there may be some inappropriate activity.

A member of the IT department may have the highest level of privileges, and could potentially access huge quantities of data. One member of the IT department may not have access to everything, but in theory – and sometimes in practice – they could elevate their privileges for long enough to gain access to the data they require.

Recent research conducted by the United States Computer Emergency Readiness Team (CERT) shows that half of insider security breaches are conducted by individuals who have access to data. These individuals already have the authority to access systems containing valuable data. If you do not deal with insider threats, it is only a matter of time before a security breach is suffered.

It can be difficult to identify insider threats. Some say “it’s always the quiet ones,” but in reality, there is no way of being 100% certain which employees will steal data or sabotage systems. There are many potential reasons why an individual may decide to steal or delete data. Employers must therefore be aware of the risk and take action to mitigate that risk as far as is possible.

CERT research is useful in this regard. Studies have shown that that security breaches and data theft are most likely to occur in the time leading up to an employee leaving employment, and shortly after that employee has left – typically, a month either side of leaving a company.

As soon as an employee hands in his or her notice, place alerts on their accounts and conduct audits. If a worker is disgruntled or is unhappy at work, this could be a sign that they are looking for employment elsewhere and it would be wise to keep a close check on data access. It is a wise precaution to lower account privileges shortly before an employee leaves and to ensure that access is blocked as soon as they do. Many companies are a little lax when it comes to closing accounts and may not block access immediately.

Fortunately, risk can be managed. Adopt the following best practices to help you deal with insider threats and you will limit the opportunity for an insider to steal or delete data. You will also limit the damage that can be caused.

Best practices to deal with insider threats

• Minimum necessary information – Only give access to data critical for an individual to perform regular work duties
• Provide temporary access as appropriate – If tasks need to be conducted to perform atypical duties, temporarily escalate privileges to allow the task to be conducted and then lower those privileges when the task has been completed
• Monitor access to resources – Implement a system that monitors and logs access to data and regularly audit access logs to check for inappropriate activity
• Control access to physical resources – Restrict access to confidential files, stored backups, old computer equipment, and servers. Keep them under lock and key.
• Separation of duties – Restrict access as far as is possible: Do not assign full access to one individual, only allow part of a system to be accessed by a single employee. Use Privileged Access Management (PAM). This will limit the damage that can be caused.
• Implement policies and controls – Make sure these are communicated to all staff members.
• Restrict file transfers – As far as is possible, put controls in place to prevent data from being copied or exfiltrated. Prevent certain file types from being emailed outside the company and block peer-to-peer file sharing websites
• Encryption – Employ encryption for all stored data and control who is able to unencrypt files. Always protect data at its source.

Habits Developed by the Best System Administrators

Aug 4, 2015 | Cybersecurity Advice, Network Security

Not all habits are bad. Sure you should ease up on the alcohol, give up smoking, and stop biting your nails, but make sure you take some time to develop some good habits. Take a look at the best practices below, ensure you perform them regularly, and before long they will become second nature. You will then be able to legitimately rank yourself alongside the best system administrators. Even better, you should find you have far fewer bad days and even some when everything runs smoothly without a hitch.

Develop a ticket system and keep on top of requests

You are likely to receive more requests for assistance than you can deal with in a single day. If you are regularly flooded with requests, some will invariably be forgotten. Sometimes you will deal with an issue only for a user to complain that you have not. It is useful to be able to prove that you have dealt with a problem in a timely manner. A ticketing system will allow you to do this, as well as help you prioritize tasks and never forget a single reported system or computer issue.

Your system need not be expensive or complicated. If you work on your own in a small business, you can set up a very simple MS Access database to log all requests. Even a spreadsheet may suffice. A word document would also work. The important thing is that all requests are logged.

If there is more than one system administrator employed in your company, it is probable that you may need to have a more complex system. Helpdesk software is likely to be required if you are having to deal with hundreds of requests. They will need to be allocated to staff members, and follow-ups will be required. Making sure all queries have been answered and all reported problems resolved will be a nightmare without such a system in place.

Keep a log of your activity

If you ever have to justify what you have spent all your time doing, your ticketing system is your friend. You can show the volume of requests you have received/resolved on a daily basis, and use that information to show that your time has been well spent.

One clever way of reducing the requests you get is to log the requests and send the user (and his or her line manager) an email detailing the request received and the likely timescale for resolution. If a manager is involved, you may find the number of requests you are given will decrease. A formal request process and confirmation procedure is a wonderful way of cutting back on many of the requests for support that are usually sent to the desk of a Sys Admin.

Be proactive and avoid power/cooling issues

Overheating servers and power fluctuations cause many headaches and waste a lot of a Sys Admin’s time. It sounds obvious, and it is, but managing power and ensuring server rooms are effectively cooled are well worth the effort. Being proactive in this regard will save a great deal of time in the long run.

Power issues can be largely solved by installing an Uninterrupted Power Supply unit (UPS) on each of your servers. When purchasing a UPS, make sure it has sufficient power to last for an hour and that it will shut down the server properly, not just give up when it runs out of juice. The latter is particularly important as it will ensure files are not corrupted and will mean fewer reboots are required.

Are your routers, switches and servers locked away in a closet without any cooling systems installed? If you work in a small organization, this may well be the case. If your equipment frequently overheats, consider investing in a small air conditioning unit. Does your server overheat frequently at the weekend, yet is fine in the week? Oftentimes, air con systems are shut down at the weekend when there is no one in the office. A separate unit will solve this problem, just make sure it vents into the ceiling.

Monitor your network and devices connected to it

It is vital to monitor your network and systems. This will allow you to take action before they crash and services are lost. Install a system to monitor everything, and then install a system to monitor your monitoring system. Get the system to send you alerts, and you can prevent a lot of problems from occurring and avoid time consuming (and expensive) system outages.

If your Monday mornings are usually spent dealing with system crashes that have accumulated over the weekend, you can make the start of the week a lot easier if you put a monitoring system in place. Do you have a service level agreement in place with your ISP? If so, you may be able to add in a monitoring function on your switches and router as part of your service level agreement. This may not be possible though if you have a highly complex system or atypical network configuration. Fortunately, in most cases, monitoring systems are inexpensive, yet can save a lot of time, money, and hair loss from stress.

Cut back on time consuming manual chores

Repeating the same tasks over and over again wastes and extraordinary amount of time, plus each time a task is performed there is the possibility of mistakes being made. Use the automation and scripting controls on servers and other devices, and updates and installations can be performed automatically.

If you use Powershell for instance, Windows 2012 Server support will be streamlined. It may take a little time to set up, but it will save you hours in the long run. If you cannot do this, create a detailed checklist containing all of the settings for different applications to reduce the possibility of errors being made.

Don’t let users waste your time

OK, this is much easier said than done, but there are ways to reduce the time spent dealing with user issues. For instance, create a website page that lists the correct contact numbers and persons responsible for dealing with particular IT problems. Remember that users are non-technical individuals, so the language used must also be non-technical. “Server problems” rather than “Windows NT problems” for example.

Instruct all users visit the webpage before contacting you. You can then place updates on the webpage that may answer many of their questions. Also include a self-help section. (have you tried turning your computer off and on again?)

Include sections for changing passwords and the common problems you are asked to deal with that can easily be resolved by following a simple set of instructions. You will find the volume of helpdesk calls will reduce considerably. Also create a login banner to advise of maintenance schedules etc., to avoid being bombarded with calls when a planned outage takes place.

Get involved in the business

It is your job to deal with technical aspects of the business, yet you will need to be aware of how the business operates. In order to get authorization for IT upgrades or new equipment, it helps if you can explain, concisely, why the purchases are necessary, the impact they will have on the business, and the consequences if purchases are not made. Work on your communication skills and learn how to communicate effectively with non-technical staff members. It requires practice, and a great deal of patience sometimes, but it will make your life easier in the long run.

Securing Data: What Data are Sensitive and Must be Better Protected?

May 14, 2015 | Cybersecurity Advice, Network Security

Hackers and malicious insiders are trying to break through security defenses to get their hands on sensitive data, but what data are they actually looking for? Which data needs to be better protected?

There are federal laws that require physical, technical and administrative controls to be put in place to keep data secure. Fail to protect certain data types and there could be serious trouble, regardless of whether a hacker actually manages to compromise your network.

Some data types are obvious, others less so. Credit card numbers, bank account information, Social Security numbers and healthcare data all require robust security measures to keep the information secure. Have you made sure that each of the following 9 data types have appropriate controls in place to prevent unauthorized individuals from gaining access.

Financial Data

The goal of many hackers and cyber criminals is to gain access to bank account information, and the logins and passwords used to access online accounts. Once they have this information they can use it to make transfers and empty accounts. Credit/debit card numbers are also sought in order to make online purchases and create fake cards. PIN numbers, if stored, along with answers to security questions must similarly be protected with robust controls.

Medical Data

The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to put physical, technical and administrative controls in place to keep medical data secure. In the wrong hands, medical data can be used to discriminate and defame. It is also used in spear phishing campaigns, and used with other data to commit fraud. Failure to secure these data is a violation of HIPAA Rules, and financial penalties are sure to follow. Criminal charges can even be filed against individuals for failing to secure highly sensitive data.

Driver’s License Numbers

A valid driver’s license number can be used to create fake driving licenses. These are not only useful for people who are not legally allowed to drive, they can be used to obtain other forms of identification and commit identity theft and fraud.

Student Data

Student data is increasingly being sought by criminals in order to commit fraud and identity theft. Universities and schools are required to protect data under the Federal Educational Rights and Privacy Act (FERPA), which restricts the individuals who are allowed to access student records. Personal data, education information and test results must all be protected. Student Social Security numbers and dates of birth are highly sought after and often targeted by hackers.

Social Security Numbers

Social Security numbers (together with a limited amount of personal information) can be used to commit medical fraud, file false tax returns and steal identities. They are highly sought after by cyber criminals and often sold on darknet websites for big money. The SSNs of minors are particularly valuable, as they can be used for longer before fraud is identified. Social Security numbers are also covered by HIPAA rules and numerous other state and federal laws.

Health Insurance ID numbers

With health insurance information criminals are able to file claims for medical services that are not provided, and allow criminals to make fraudulent insurance claims. This data are highly sensitive and must be kept secure.

Intellectual Property Data

Your company’s secrets, product development information, computer codes, bespoke software, new product designs and blueprints are highly valuable to competitors. If your company has an edge, or is developing a new product or service, a competitor could use these data to develop similar products, and even bring a product to market first.

Human Resources Data

Human resources databases contain detailed information on employees such as salary information, bonuses, and confidential personal data. Criminals seek personal information of individuals in order to conduct convincing spear phishing campaigns. These data can also be used to blackmail individuals and discriminate.

Communications Data

Emails can contain highly sensitive information. When hackers gain access to an email account, they can obtain personal information, company secrets, and even many of the above data types. If an email account is compromised, it can be used to spread viruses and malware. Telephone records and text messages are also valuable.

Data must be secured at rest and in motion

Controls must be put in place to secure all forms of these data, whether they are in Word documents, PDFs, JPEGS, spreadsheets, EHRs or other databases. Just as paper files must be shredded when they are no longer required, the same applies to electronic data. Records must be securely and permanently erased when no longer required. It must not be possible to reconstruct any of these data once deleted.

It is essential to protect stored data, especially if it is housed on portable devices such as zip drives, laptop computers, portable hard drives and Smartphones. These devices are all too easily misplaced, lost or stolen. Data encryption should be considered to protect all stored sensitive data. Data must similarly be protected when in transit. Emails should be encrypted, as should SMS messages. A number of companies provide SMS and email encryption services to allow communications to be sent securely, with authentication controls to ensure only the desired recipient can view the messages.

Business Risk and Security Risk Should Be Discussed in the Same Context

Feb 11, 2015 | Cybersecurity Advice, Network Security

You are faced with an insurmountable problem: Your job requires you to keep the business secure from external attacks, and you must take action to deal with the threat from malicious insiders. It is your responsibility, and your job may well be on the line if something goes wrong and data is stolen, or your network is infected with a virus or malware.

Unfortunately, you have not had a budget increase and cannot afford to purchase the software solutions necessary to protect your business from attack.

This is a problem faced by many IT professionals. Management understands there is a risk and knows the risk is considerable, yet they expect you to work your magic with your hands tied behind your back.

You are not a magician; so, if management wants to be properly protected, it is your job to convince the powers that be that you need a bigger budget. We know you have already tried this. What you therefore need to do is improve your communication skills. You need to find a way to convince the management that additional funding is absolutely essential. One of the best ways of doing this is to explain that security risk is actually business risk.

You are not alone – 50% of IT professionals work with inadequate security measures

IT department funding is almost always limited. It is not possible to purchase the highest quality equipment, the best possible security measures, and have enough staff members to perform all of the required work. So if you are stressed, are suffering a critical lack of funding, or are desperately understaffed – you are not alone.

The situation has recently been assessed by the Ponemon Institute. Its latest survey probed IT security professionals and asked them about the level of security in their organization. It would appear that when it comes to cybersecurity protections, the management and IT department heads are often not on the same page.

The survey was large. Over 5,000 IT professionals send back responses to the survey and more than 2,500 of those respondents said their cybersecurity measures were inadequate. The problem for many was the fact that the upper management simply did not understand just how important it was to improve network security. Sure they understood there was a risk of attack, but they didn’t understand just how serious that risk was.

If a cyberattack occurs, it is their fault right? Unfortunately, you may have explained risk until you became blue in the face, but how well did you communicate?

A survey conducted two years ago by Ponemon suggests that when it comes to communicating with management, IT security professionals often have problems. In fact, 64% of IT staff were discovered not to have effectively communicated the seriousness of the threats, or had only started to communicate them properly following a data breach. Nearly half of the IT professionals taking part in the 2013 survey said communication between the IT department and management was “poor, nonexistent or adversarial”.

IT budgets rarely reflect the seriousness of security risks

When budgets for IT security are calculated, they are rarely sufficient to allow all risks to be effectively neutralized. Spending is often misaligned with the needs of the business. According to the Ponemon study, only 11% of the average security budget is devoted to protecting the application layer. Interestingly, 37% of organizations believe that the application layer poses the businesses threat to data security.

Why is this the case? According to Larry Ponemon, founder and CEO of the Ponemon Institute, it is because management has not been provided with the right information. He says that few organizations have actually performed a full security audit and that security risks have therefore not been identified. As a result, management is not aware of the level or risk, and budgets are not set accordingly.

Any organization that fails to invest in IT security is likely to have to cover far higher costs in the long term. Take Target for example. The money spent on resolving its data breach is far higher than the cost of implementing solutions that would have prevented the attack from being possible in the first place. The company now has to cover the cost of data breach resolution, in addition to investing in better security. The expected cost of the Target data breach is expected to top $1 billion!

If security intelligence technologies are implemented, companies are much better equipped to detect intrusions and contain attacks when they do occur. According to the study, the security breach resolution cost savings are, on average, $1.6 million less when security intelligence technologies are implemented prior to a security breach occurring.

IT security should not be an afterthought. Proper investment will see more security breaches prevented and the cost of resolution significantly reduced. It is therefore essential to communicate the need for investment. The most effective way to get your voice heard is to provide facts and figures to back up your argument and to explain security risk in the context of the financial cost, operational problems that will be suffered, and the likely damage to the company’s reputation if a breach is suffered.

Security tools are not cheap. Understand the business drivers that generate the funds that will cover the cost of security software and become more effective at communicating credible risk. Give management the information it needs to understand why greater investment is needed. You are then likely to be given the funding you need to effectively manage security risk.