[metaslider id=2951] … Read More
The 3 Biggest Mistakes in CyberSecurity
August 23, 2016 – Chris Moschovitis – Information Management
Everyone, from the small business owner, to senior executives in businesses of every shape and size are confronting a seemingly insurmountable problem: Constant and rising cyber security breaches. It seems no matter what we do, there is always someone that was hacked, a new vulnerability exploited, and millions of dollars lost.
In an effort to stem the tide people have tried everything: From throwing money at it by buying the latest and greatest tech gizmos promising security, to outsourcing cyber security management, to handing it over to the IT folks to deal with it. And, every time the result is money lost, productivity decreased, and the attacks continue.
Many business people complain that we’re not just losing a battle here and there. We’re losing the war. Is that true?
The truth is that those that keep losing their cyber battles and risk losing the war are making three critical mistakes:
1. They think cyber security is a technology problem.
2. They follow a cyber security check list once-and-done.
3. They don’t have a cyber security awareness training program in place.
First, cyber security is not a technology problem. Far from it. It is a business-critical problem, and more importantly: It’s a people problem, and we need to address it at that level.
Second, cyber security is a constantly evolving battlefield. The threats evolve, the attacks take new paths, the underlying technologies change. A static check list solves yesterday’s problems, not today’s, and certainly not tomorrow’s.
Finally, if people don’t understand the threat they will not even see the attack coming, much less be able to respond and protect themselves. Cyber security awareness training is the only way to prepare everyone for the new reality we live and work in.
Cyber security is not an IT problem either, according to Prosyn. It is a risk management problem. This is easier to understand in your work and in a regulated industry. Therefore, the concept, language, even governance of risk management is part of the daily lexicon. This is why it’s so important that you understand how to respond to risk as well as being aware of what the risks may be before they occur.
Not so with small and mid-market businesses less familiar with the risk management function. It doesn’t help that the very nature of the threat and the way the “payload” of the attack is delivered is via information technologies. It almost makes sense to have IT deal with cyber security. But the victims are not the computers. The victims are the businesses and their people.
More importantly: A company’s Information Technology generates Value. It does so through myriad different ways depending on the business you are in, from the actual delivery of goods to clients (e.g. software businesses, data businesses, media, and technology businesses, etc.) to complementing, enhancing, and realizing the mission and vision of the company (law firms, manufacturing, logistics, healthcare, etc.) Owing to these security breach issues, many businesses tend to opt for services of reliable service providers like Privacera (https://privacera.com/products/centralized-access-control/) and similar others. By having centralized and secure access to all the data of the business, they are most likely to be not affected by cybercrime.
That said, externally sourced IT management could do a better job at regulating data security as well as other IT-based functions. As they are professionals in the field, software facility management may be leveled and managed properly. Besides, the risk involved in such functions may be taken up by the IT outsourcing company, which means that external threats may be mitigated without client company involvement.
Cyber security, like all risk management, is there to protect value. Therefore, you can never have cyber security (the value protector) report to IT (the value creator). That creates a conflict of interest. Just like IT reports directly to the CEO, so must cyber security. They are parallel tracks keeping the business train aligned and moving.
Once you have the reporting structure correctly in place, you need to empower it with executive buy-in and engagement. Cyber security needs your direction on company goals and risk appetite so they can develop the right strategy to protect the company’s assets. Cyber security professionals, working with the board and executives, including IT and business units, will develop the right defense-in-depth strategy that is right for the company.
Cybersecurity is a crucial component of a defensive strategy for businesses that operate online, like e-commerce stores. It is likely that you will need to protect your website or mobile application from cyber threats if you operate such a store. In order to accomplish this, you may need to develop a strong security system to protect customer data and transactions. In the event that you do not have enough funds, you can consult with companies that provide ecommerce financing options to fund your cybersecurity development.
Cyber security doesn’t happen in isolation. It is not a set check list. It is dynamic, adjusting strategy to risk, asset value, and controls. As market conditions change, as company goals change, and as technology changes, so will the cyber security strategy.
Neither structure nor strategy will help if you ignore the most important element in cyber security: People. In 2016 ISACA published the top three cybersecurity threats facing organizations in that year. They were, in order: 52% Social Engineering; 40% Insider Threats; 39% Advanced Persistent Threats.
Excluding the advanced persistent threats typically targeted against large multinationals, governments, military, infrastructure and the like, the other two have one common element: People.
It is people that become the victims of cyber-attacks, and by extension, the businesses they work in or do business with. Be it through social engineering, extortion, or any of the many vulnerabilities that hackers can exploit, it is people that get compromised first. They are the ones that have to pick up the pieces when all the data is gone or when their identity is stolen.
The good news is that cyber security awareness training is one of the most effective controls against hackers. Training and sensitizing people to the threats, the methods used, vulnerabilities, even their own personal privacy risks, has been proven time and again as the one thing that makes a real difference in early detection, quick response and recovery during a cyber-attack. Having a quarterly lunch-and-learn will go a long way in developing a culture of cyber awareness, saving both your business and your employees from cyber-harm.
Avoiding these three mistakes in cyber security won’t help win every single battle. But it will guarantee you win the war.
Employees are weak link in company cyber attacks
Mark Burnette, For The Tennessean 11:11 p.m. CDT April 29, 2015
Today’s companies face a truly daunting task when trying to protect their computer systems and sensitive data from compromise. Attackers are better coordinated and more sophisticated than ever before, and their tools are easier to obtain and use.
While there are many security issues for businesses to be concerned about (some of which are covered in other installments of this series), an all-too-common problem at companies of all sizes is attacks directed at the computer users themselves. The vulnerable users are workers in the company who have user accounts and passwords and use desktops, laptops, tablets and other devices to interact with a company’s data and network. Hackers and other bad guys target these users because they have access to sensitive data and systems, their account passwords are typically easy to guess or crack, and they are often willing to open a malicious file, click on an emailed link or even willingly type their password into a bogus site.
Protecting your company against end-user attacks requires a two-pronged approach: 1) train your users to help them be more aware of how end-user security attacks occur and 2) configure your systems to make it harder for the bad guys to successfully get in if a user slips up. Here’s a list of steps you should take:
•Keep up to date with security patches provided by software vendors for end-user machines. In addition to operating system patches, be sure to patch application software such as Adobe, Java and web browsers, as older versions of those tools have well-known vulnerabilities that are frequent vectors of attack.
•Provide spam filtering for every machine, with sensitivity controls turned up. One of the most common tactics attackers use to make initial entry into a company’s network is enticing end users to click on a spam email link that installs malware. While this won’t stop every phishing attempt, if you can filter out even one, that is one fewer opportunity for an unsuspecting user to click a bad link.
•Remove local administrator rights from end-user machines. Local administrator rights give a user more power to make changes to a computer, and if an attacker gains control of a machine with those rights, damage to the network can be much more significant.
•Make sure there is up-to-date anti-virus/malware protection installed on every machine.
•Require IT personnel to use different passwords when they work on servers. Even IT administrators can fall victim to email phishing attacks when they are working on their own computer. If they click on a bad link while logged in as an administrator, attackers can gain big-time access to your network using their privileged credentials.
•Develop a security awareness program for all personnel to help them understand their responsibilities when using a company computer system and/or handling sensitive data. This training should also teach users how to create good passwords (ones that are easy to remember, but difficult to guess).
•And perhaps most importantly, require “two-factor authentication” for users logging on to the network from a remote location. That means that a password alone is not enough to gain access; another form of authentication is needed. That could take the form of such things as a fingerprint, a token (a physical device that generates a code that is entered on the machine) or a digital certificate. If two-factor authentication is in place, an attacker who successfully captures a user’s access credentials still won’t be able to remotely connect to the network without the second factor (the token).
Taking all these measures will not completely eliminate the possibility of a successful attack, but it will greatly reduce your exposure to this common attack path, which just might make a potential attacker move on to a more vulnerable target.
Mark Burnette is a partner in the Security and Risk Services practice at LBMC, the largest regional accounting and financial services family of companies based in Tennessee, with offices in Brentwood, Chattanooga and Knoxville.
Cyber Attacks On US Companies in 2014
The spate of recent data breaches at big-name companies such as JPMorgan Chase, Home Depot, and Target raises questions about the effectiveness of the private sector’s information security. According to FBI Director James Comey, “There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.”
A recent survey by the Ponemon Institute showed the average cost of cyber crime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014. The annual average cost per company of successful cyber attacks increased to $20.8 million in financial services, $14.5 million in the technology sector, and $12.7 million in communications industries.
This paper lists known cyber attacks on private U.S. companies since the beginning of 2014. (A companion paper discussed cyber breaches in the federal government.) By its very nature, a list of this sort is incomplete. The scope of many attacks is not fully known. For example, in July, the U.S. Computer Emergency Readiness Team issued an advisory that more than 1,000 U.S. businesses have been affected by the Backoff malware, which targets point-of-sale (POS) systems used by most retail industries. These attacks targeted administrative and customer data and, in some cases, financial data.
According to an article in info-security, most security professionals expect an APT attack in the next six months. Within the article, it is quoted:
“The three structures of IT Security used to be ‘prevention’, ‘detection’ and ‘remediation’. However, with prevention an almost impossible task due to the very nature of the way IT is used today, it now falls down to ‘detection’ as the best way to protect systems,”.
Prevention is extremely difficult, however, using a defense in depth will assist – implementing a Unified Threat Management system, endpoint protection, as well as utilizing a NAC solution to see who is on your network, as well as stop communication back to command and control, are great first steps.
Using an Event Log Management system or SIEM will help detect abnormal behaviour, improving detection of not only malware or APTS, but also unusual activity by employees, guests, and other cyber threats. Most ELMs, or SIEMs have the ability to do file integrity monitoring as well – providing you with detailed information on what files were altered and by whom.
Take a look at some of our whitepapers on APT’s, or contact us.
Whitepaper by Sophos – Advanced Persistent Threats
Network security is all about ensuring you close the holes an attacker can get through. But you also need measures in place to detect the signs of an attack in progress to stop it from unfolding. In this paper we’ll explain how a multi-faceted approach to protect against APTs including layers of defense can reduce the risk of attacks.
To view all of our whitepapers please click here – >