
Coronavirus Cyber Security Challenges – The Remote Workforce

The Cyber Security Implications of the Coronavirus

As the fear of the Coronavirus – COVID-19 – spreads, governments and companies are looking for containment strategies that reduce human contact.  Exposed cities are on lockdown, forcing any work to be done remotely and there are more restrictions to come.  Some companies have already closed locations as a precaution, and as restrictions increase, others will be forced to send workers home to work remotely.  The criminals have already started the scams: phishing campaigns to take people to fake news updates to see if they can entice a click.  That is the easy starting place.  No doubt that the cyber criminals will find other ways to try to monetize the situation including new types of Ransomware attacks.

Remote Security Posture vs. Capacity

Many have created remote security policies and procedures to address the potential risks which need to be taken into consideration.  Systems have been designed with capabilities to allow secure remote access and keep sensitive data safe, but they often don’t have the capacity for everyone or even most of the organization to work remote simultaneously.  

Will the workarounds and changes you make to accommodate the need for operations compromise your security?  They might.  It is in situations like COVID-19 that the urgency of a solution often means it does not get full cyber security due diligence.  Or there is not enough time or money available to implement a prudent, secure solution that considers the risks.

What to Do

Evaluate Risk

The discipline of applying cybersecurity protections is centered around the risk to the organization, its people, its systems, and its information.  Now, you don’t have to stop what you are doing for a couple of weeks and perform a formal risk assessment, but could an extra day or week spent on a more secure solution reduce hundreds of thousands or millions of dollars of risk?  Here are some basics about remote access that you should consider:

  • Who will be accessing the resources?
  • What devices will be used to access resources?
  • What resources will be accessed?  Data, Networks, Applications, Physical systems, etc.
  • What will the individuals be doing with the resources?  Download, screenshot, email, copy, print, control other systems, etc.
  • Will remote access to the information comply with statutory and client requirements that we must abide by?
  • If all of the above are not created equal (and they are not), then which might need to be treated differently?
  • See other known risks below

Implement Multifactor Authentication

For everything that is remotely accessible.  There are many options depending upon what you are trying to protect.  It is not a silver bullet and can be circumvented in some cases, but it GREATLY reduces your risk.  You should also require an additional layer or stronger security for certain individuals like your IT administrators and others with access to sensitive information.

Ensure that your basic security protections also apply

You MUST have difficult passwords, require patching, screen saver time-outs, and all of the other basics that you require for your internal network.  

Monitor Remote Access

Is that really John?  Why is he still working at 2:30am?  Geez, he is copying a lot of files right now.  You need to be able to understand that the remote behavior is legitimate and if not, take action.
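As an added example (not from the original post), here is a small Python script that turns those three questions into checks over remote-access logs: a login outside normal hours, a login from a country the user has never used before, and a download volume far above the user's own baseline. The log format, sample lines, and the thresholds WORK_HOURS and VOLUME_MULTIPLIER are constructed assumptions for this example; real VPN, VDI or RDP gateway logs differ per vendor, so parse_line() is the part to adapt.

```python
"""Flag remote-access sessions that look unlike the user's own history.

Added example, not code from the original post.  The log format below is
constructed for this example; adapt parse_line() to your vendor's format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log: ISO timestamp, user, source country, bytes downloaded
SAMPLE_LOG = """\
2020-03-16T09:12:00 john US 18000000
2020-03-16T13:40:00 john US 22000000
2020-03-17T08:55:00 john US 15000000
2020-03-17T14:05:00 john US 25000000
2020-03-18T02:30:00 john US 900000000
2020-03-18T10:10:00 alice US 5000000
2020-03-18T11:00:00 alice RU 6000000
"""

WORK_HOURS = range(7, 20)   # assumption: 07:00-19:59 counts as normal hours
VOLUME_MULTIPLIER = 5       # assumption: flag downloads > 5x the user's mean


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, user, country, nbytes = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "user": user,
        "country": country,
        "bytes": int(nbytes),
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_anomalies(events):
    """Return (user, timestamp, reason) tuples for sessions worth a look.

    Events are processed in order, so each one is judged only against the
    user's history up to that point; a user with no history has no baseline
    yet and is not flagged for country or volume.
    """
    seen_countries = defaultdict(set)
    volumes = defaultdict(list)
    findings = []
    for ev in events:
        user = ev["user"]
        reasons = []
        # "Why is he still working at 2:30am?"
        if ev["time"].hour not in WORK_HOURS:
            reasons.append("off-hours login")
        # "Is that really John?"  A first-ever source country is worth a check.
        if seen_countries[user] and ev["country"] not in seen_countries[user]:
            reasons.append(f"new source country {ev['country']}")
        # "He is copying a lot of files right now."
        if volumes[user]:
            baseline = mean(volumes[user])
            if ev["bytes"] > VOLUME_MULTIPLIER * baseline:
                ratio = ev["bytes"] / baseline
                reasons.append(
                    f"download volume {ev['bytes']} is {ratio:.0f}x baseline")
        # Update the user's history after judging this event.
        seen_countries[user].add(ev["country"])
        volumes[user].append(ev["bytes"])
        for reason in reasons:
            findings.append((user, ev["time"].isoformat(), reason))
    return findings


if __name__ == "__main__":
    for user, when, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{when} {user}: {reason}")
```

On the sample data this flags John's 02:30 session twice (off-hours and 45x his usual volume) and Alice's first login from a new country; the action taken on a finding is still a human decision.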

Train Your Staff About Working Remotely

Ensure they know what is allowed and not allowed and what the risks are.

Consider a Tiered Solution

If you can’t provide the same level of security for everyone, then ensure that those that need the most security are on your best solution.  Create workarounds for others.  Many may be able to operate without remote access to the environment at all.  Cloud services come in handy here.  You can also check with your vendors about emergency temporary licensing or solutions.  See below for some considerations of different types of remote access. 

Known Risks Associated with Remote Access

You CANNOT and MUST NOT trust a home network

The PC itself is an unknown device that has many risks.  I hate to be the voice of doom, but it may already be compromised by a bad actor and be part of a botnet.  Beyond that, it:

  1. Could have multiple users including kids playing games and others going to known risky sites
  2. May have risky applications installed
  3. May not have current or working Antivirus and security software in place
  4. May not be fully patched and may have many vulnerabilities
  5. May not require a password
  6. You get the picture…

The network is consumer-grade and does not have the ability to offer the protections that you depend on at work:

  1. Firewall.  There may not even be one, just the device provided by the Internet provider
  2. Security Monitoring and Alerting.  Mature business environments have regular information available to surface anomalies and other risks that home networks do not have
  3. Other devices on the network are not secure.  Other computers, mobile phones, smart refrigerators, home automation systems, and who knows what other new security risks (baby monitors…)

Data Sprawl

This is a big one.  When users know that they may be out of the office for a while, they will find ways to be productive in the easiest manner possible AND they are less concerned about the security or compliance requirements.  Be aware:

  • People will email themselves information.  Either to a home account or to themselves in their corporate account
  • Data will be copied to USB keys and might be transferred to other file-sharing technologies
  • Now that this data is being duplicated into other places, how can we keep up with it and secure it?
  • If allowed, the above-copied data will end up on non-company computing devices.  

Increased Scams

We have already mentioned the increase in phishing scams.  Since January, there is documented activity of a number of questionable registered websites related to COVID-19 and reputable organizations like the WHO with the intent to take advantage of those that are looking for legitimate information about the pandemic.

Free WiFi

Hopefully, this is happening a little less in this situation, but you could have workers trapped overseas or on a cruise ship who are using insecure remote access.  Educate and provide alternatives.

Physical Theft

Now that we have more folks out of the office and working on company-owned or personal devices, these devices could be targeted by criminals.  If they get their hands on a home PC – without a password – that has company or customer information on it…

Security Postures of Possible Solutions

Today’s technology provides quite a few options for remote access; some of which are more secure than others.  Below is a discussion about the security considerations of some of the most common methods.  NOTE:  MFA (MULTIFACTOR AUTHENTICATION) is paramount for the security of any remote access solution.  MFA is not the silver bullet as you will see below, but we would not consider a remote access solution without it.

1 – Virtual Desktops

These offer the most protection, if on a company-owned computer and configured correctly.  

Also known as VDI (Virtual Desktop Infrastructure) and DaaS (Desktop-as-a-Service).  VDI is typically hosted internally or privately, while DaaS is typically provided by a hosting company.  (More about Remote Access at the end of this post.)

Advantages:

  • All of the data and applications remain on the virtual machine located within the data center and its security controls.  
  • You can enforce the same level of security (or a chosen level) based on profiles or rules.  These include:
    • Copying (or not) data to the remote computer
    • Sharing folders with the remote computer
    • Printing
    • Access to certain applications
    • Location-based rules

Risks of VDI and DaaS:

  • If accessing from an insecure or compromised (home) computer, an attacker could see everything the user can see – even if you did use MFA to access…
  • If rules are not established to govern copying files, network sharing, and printing, then the remote computer and network are vulnerable.

2 – VPN (Virtual Private Network)

Good protection but can have hidden risks if not correctly configured.  A VPN is an encrypted tunnel into your private network that makes the connected Computer or network a remote part of the network it connects to.  

Advantages:

  • The secure tunnel allows connection to internal network resources including computers, applications, databases, and file shares.  
  • Some VPN software will enforce local security profiles on the connecting PC (including home PCs) to ensure that minimum requirements are met.

Risks of VPNs:

  • If accessing from an insecure or compromised (home) computer, an attacker could see everything the user can see – even if you did use MFA to access…
  • If not configured correctly, you can be attaching an insecure home network (and all of its insecure devices – your kid’s iPhones) to your corporate network.
  • Depending upon configuration, VPNs allow users to transfer files to remote devices and map network drives to file shares

3 – Remote Desktop Access

Strength of security varies, but not as capable as VDI or DaaS.  When paired with a VPN, security is increased, but you still have risks.  Remote Desktop access is provided by software running on a computer inside your corporate network.  Examples include RDP, LogMeIn, GoToMyPC, VNC, TeamViewer, and others.

Advantages:

  • Access to the same computer and programs that you use while at work.
  • The company computer is subject to all of the company security policies and protections

Risks:

  • If allowed, the software can be installed and managed without IT’s knowledge, circumventing monitoring and other security controls creating an unmanaged gateway into the company.
  • Some solutions can be accessed from anywhere using a web browser and may not require MFA.
  • Solutions allow for data transfer and printing which can lead to risks of data breaches. 

More About Remote Access

Virtual Desktops – VDI & DaaS

After authentication (including MFA…) the user essentially receives a window that displays the computer and all of its applications on the remote computing device.  The computing infrastructure can be in a private data center or hosted.  There is a virtualization layer where computing and storage resources may be spread across multiple physical devices that sometimes are not in the same physical location.

Virtual Private Networks – VPNs

Instead of routing directly through a public network, VPNs put a layer between your information and public access. It can aid in masking your online activity from the public and provide you with a secure connection to another network online. They work by making your IP address and location anonymous; your data is sent through them before being released into an external server. Generally, outside forces can identify your IP address and track your activity online, but with the veil of VPNs, your online activity can only be traced back to your VPN service provider. 

Remote Desktops

Windows RDP

In Windows, this is a native software program that allows remote connection from another device running the appropriate connection software.  The user receives a screen just as they would sitting in front of the actual computer and is able to see the desktop and use their mouse and keyboard to interact.  One (insecure) way to use RDP is to open a port in the Firewall and allow direct connection from the internet.  This is how many machines have been compromised over the past couple of years.  RDP connections can also be brokered using a local server running Remote Desktop Services.  This is a safer, more secure configuration – don’t forget MFA. 

Local Remote Desktop Programs

Programs like Teamviewer or VNC can be installed locally on a PC or Mac that will allow direct connection over the network.  These function like Windows RDP above and can also be configured insecurely via a Firewall over the internet.

Hosted Remote Desktop

Other software is installed and managed by a cloud provider.  LogMeIn is an example.  The user installs the program on their computer and registers it with the service.  They can then remotely go to a web browser from any computer and authenticate (MFA?) to start a session with the company computer.


Artificial Intelligence Advancements In Healthcare: The Needed Next Level of Cyber Security

How is Artificial Intelligence being used in healthcare?

Artificial Intelligence, or AI, is having a dramatic effect on the healthcare sector. At its core, artificial intelligence seeks to mimic the unique processing capacity of the human brain. Using algorithms, pattern matching, deep learning, cognitive computing, and heuristics, AI is able to quickly sort through masses of raw data. This is incredibly helpful in the medical field. In addition to the millions of Electronic Health Records (EHRs) at the center of our healthcare system, medical practitioners must also incorporate data from studies, data from testing, and past patient records when diagnosing and treating a case. AI can use predictive models to find irregularities or similarities in raw data that doesn’t have to be pre-sorted. This helps doctors improve diagnosis accuracy, patient care, and outcomes. AI’s ability to find meaningful relationships in data is being used as a powerful tool to aid in drug development as well as patient monitoring and treatment plans. Artificial Intelligence is becoming more common in many parts of the healthcare system, and it is estimated that $36.8 billion will be invested in AI systems across the US by 2025. AI is poised to be the main force that drives improvement across the healthcare industry.

Why is this a big deal?

Artificial Intelligence will be the engine of change by organizing masses of data and giving relevance to data points, which will ultimately improve reliability and objectivity in diagnoses. AI will provide context for patient data more quickly than ever before, allowing doctors to identify and treat diseases accurately, minimizing misdiagnosis and lowering the mortality rate. In addition, the costs for drug development will be lower, as we will more accurately be able to predict the drugs’ effects in certain patients. This all leads to an increase in doctors’ facetime with patients. They become freed from analyzing mountains of data and more able to focus on care and healing.

What concerns with cybersecurity arise when using AI?

When we open up patient records to artificial intelligence, we are opening up our systems to outside attacks. With sensitive information at risk, healthcare providers must be very careful that their rate of system upgrade does not outpace their security improvements. Installing new systems that sort sensitive patient data must be tested from all endpoints to ensure there are no flaws or vulnerabilities to attack. AI dramatically increases the complexity of assessing security threats. These new systems could be a point of entry for malware that will be difficult for systems designed to monitor human behavior to detect. 

What upgrades in cybersecurity are necessary to protect against these concerns?

Greater use of AI in healthcare systems means that we need greater use of AI in cybersecurity software to match it. Our main protection will be anomaly detection. This will mean installing these detection programs across all endpoints in the system. Anomaly detection works in the same way that the AI identifies meaningful relationships in patient data. It monitors the system and senses potential threats whenever there is unusual behavior. Anomaly detection can do more than discover malware within a system. It can also identify where the cyber attacks are coming from and what kind of attacks are being perpetrated. Predictive analytics for malware detection can also identify suspicious files and prevent them from opening, stopping problems before they start. Properly planned and configured, these new cyber security measures act like the immune system for a healthcare company.

What are the challenges in implementing new AI/Cyber Security Procedures in healthcare systems?

Establishing new and heightened security procedures requires behavior monitoring, to make sure users are complying with the new systems. While some users may think that increased security measures are intrusive at first, compliance is paramount. When cybersecurity systems are implemented without factoring in the human element and allowing time for training, it can often lead to users falling back on unauthorized apps and outdated but familiar systems. These non-sanctioned entrances into the system leave it vulnerable to a breach. There are human users in your system in addition to AI, and it can take time and planning to make sure your innovations don’t outpace your cyber security procedures. A coordinated strategy that considers both human and artificial intelligence creates a healthcare system that is more accurate, faster, and cheaper for patient treatment.

Want to know more about how you can ensure your company is secure? Contact us!


New Ransomware Attacks

In the past few weeks, 5 law firms reported ransomware attacks by a malicious group known as Maze. This new and unique virus doesn’t follow the typical protocol. Instead of placing a ransom note on your system, they place your firm’s name on a public website. Entities that do not comply with ransom demands have portions of their data released publicly until the ransom is paid; two different firms had their data released this week. Now that you are aware of the situation, we’ve put together some resources to help you understand it and how to prevent ransomware attacks:

Ransomware – the basics

How to spot it and how to deal with it

Emsisoft has stated that at least 45 companies were attacked by Maze in January. They also state that this only accounts for 25% of their hit list. More information about this ransomware attack can be found here [LawSitesBlog.com]


IT and the C-Suite: 3 Tips for Communication

Years ago, I served as Head of Information Security for a large organization. After just 6 months on the job, we experienced every network administrator’s worst nightmare: a data breach. As we worked to resolve the problem, it seemed like there was enough blame for everyone. IT was blamed because of their operation. Application Development and Support was blamed because of their code. Then the CIO started taking heat because security hadn’t been his top priority. Finally, the CEO came under fire for the overall performance of the team leading up to the breach.

A recent article I read by Kacy Zurkus in Security Boulevard reminded me of this situation; Zurkus does a great job outlining recent trends in cybersecurity and corporate accountability. There is no doubt that C-level executives are held just as accountable as IT teams when a breach occurs. However, that doesn’t mean that the C-suite and IT are on the same page. Knowing this, why are there continuing challenges in communication?

Communication Between C-Suite Executives and IT

There is a communication gap between the C-Suite and IT. 91% of IT pros feel that their organization is improving its cybersecurity while only 69% of C-level executives agree. Executives also disagreed with IT on data priority. They prioritized protecting employee data while IT prioritized financial data.

If IT and executive leadership are going to prepare for inevitable data breaches, we need a roadmap for communication so that we can align priorities and coordinate efforts.

3 Tips for Communication Between IT and the C-Suite

The article on Security Boulevard highlighted some good thoughts on communication with the C-Suite. Here are some ideas that jumped out at us plus a few thoughts of our own.

Tip #1: Don’t Use Industry Lingo

IT must learn to communicate complex IT issues and security threats in layman’s terms. We recommend using analogies and avoiding industry jargon. As you will see in our next tip, your communication still needs to have some meat on the bone.

Tip #2: Make Substantial Recommendations

While words like “synergy” and “collaborative” are great in presentations (not really!), they don’t do much to make your company more secure. The CEO is personally responsible for every type of issue across all parts of the company and you can help by bringing specific, actionable recommendations to the table.

Tip #3: Understand the Role of the Chief Information Security Officer (CISO) in Preparing for a Data Breach

Many companies have designated a Chief Information Security Officer (CISO) to advocate for information security within the organization. This seems like a great solution, but many CISOs are not as empowered as they could be. The CISO frequently reports to the CIO, and their interests are not necessarily aligned. This can lead to a breakdown in communication within the executive team and lead the CEO to develop a false sense of security. Consider whether a CISO would benefit your organization and think about how they fit into the corporate hierarchy.

Conclusion

I’ve worked in IT security for over 30 years. Many things have changed, but it occurred to me as I was writing this article that these thoughts would have been applicable 10, 20, or 30 years ago. Before concluding this article, there is one more tip that passes the test of time:

Bonus Tip #4: Get an Outside Perspective

IT security is complex, and the only certainty is that the bad guys are always looking for new approaches. Having a fresh set of eyes to analyze your data security in light of the latest threats and security resources is frequently the difference between an unsuccessful hacker and a catastrophic breach.

At SecurIT360, we specialize in delivering our cutting-edge security resources with communication that is understandable and helpful for anyone from an executive with no background to the highest-level network engineers.

We are offering a free security audit to identify the paths that could leave you vulnerable to the next data breach. Contact us today to find out more.


Simple Cyber Security Tips for your Business

If you’ve ever had someone break into your home or even your car, you know the feeling of vulnerability and fears that accompany that experience. The fear and uncertainty can linger for months and even years.

Now imagine a break-in at your business that jeopardizes everything you have worked so hard to build. But this intruder is invisible, and there is no chance that the neighbors will see something suspicious and call the police. Someone in a distant coffee shop in another country can steal your bank account information, private employee data, and information about your clients. Security cameras and motion detectors are useless in detecting this kind of intruder. What does the aftermath look like? In the best-case scenario, you will spend a LOT of time and money cleaning up the situation and making things right. With a little luck, you might be able to get everything running normally again. In the worst-case scenario, you lose a significant amount of money, you are sued by employees and/or clients for not securing their information properly, and the devastation leads to your business not being able to recover.

According to Homeland Security, 44% of small businesses reported being a victim of a cyber-attack, with an average cost of approximately $9,000 per attack. Protecting your business from cyber threats has become a top priority, and it takes everyone in your company, from top leadership to the newest employee, working together to keep your business safe. Here are a few tips from Homeland Security your company can apply.

SIMPLE TIPS FOR EMPLOYEES

  • When in doubt, throw it out. Stop and think before you open attachments or click links in emails. Links in email, instant message, and online posts are often the way cybercriminals compromise your computer. If it looks suspicious, it’s best to delete it.
  • Implement a backup plan. Make electronic and physical back-ups or copies of all your important work. Data can be lost in many ways including computer malfunctions, malware, theft, viruses, and accidental deletion. Your backup plan should include offsite storage.
  • Guard your devices. In order to prevent theft and unauthorized access, never leave your laptop or mobile device unattended in a public place and lock your devices when they are not in use.
  • Secure your accounts. Use passwords that are at least eight characters long and a mix of letters, numbers, and special characters. Do not share any of your usernames or passwords with anyone. Create a unique password for each site that you visit. When available, turn on stronger authentication for an added layer of security, beyond the password.
  • Report anything suspicious. If you experience any unusual problems with your computer or device, report it to your IT Department.

SIMPLE TIPS FOR THE BUSINESS OWNER

  • Equip your organization’s computers with antivirus software and antispyware. This software should be updated regularly.
  • Secure your Internet connection by using a firewall, encrypting information, and hiding your Wi-Fi network.
  • Establish security practices and policies to protect sensitive information.
  • Require employees to use strong passwords and to change them often.
  • Invest in data loss protection software, use encryption technologies to protect data in transit, and use two-factor authentication where possible.
  • Protect all pages on your public-facing websites, not just the checkout and sign-up pages.

In a perfect world, every employee would work their hardest to keep your network safe and secure. Since we don’t live in a perfect world, let this post help you determine next steps. Businesses often think they can’t afford outside help…until it’s too late.

If you would like to learn more about how you can protect your corporate data, please click here to contact us. SecurIT360 provides audits, scans, and analysis of various systems and businesses across multiple industries including legal, financial, utilities, and healthcare. Let us help you determine where you should spend your time and money protecting your information.


Your CCPA Compliance Checklist for 2020

You’ve read about it for months now, and it’s finally here. The California Consumer Protection Act went into effect on January 1st, 2020. Unlike asking a telemarketer to put you on the mythical “Do Not Call List,” consumers’ new privacy rights under the CCPA are very real and very enforceable. We’ve waded through all the confusing information on the CCPA to put together a handy list of answers to questions you may have had when hearing about CCPA and considering its impact on your business.

What is it?

The California Consumer Protection Act, or AB-375, was passed on June 28, 2018. It is a comprehensive piece of legislation designed to significantly elevate privacy regulations and to protect California consumers from having their personal data stolen, sold, or shared without their knowledge. Businesses will be under increasing scrutiny to have complete transparency in how they are currently collecting, storing, and using consumer data.

What kind of consumer data is protected?

Be careful – the CCPA takes a very broad view of what constitutes “personal data” about consumers. It’s not just credit card information! The specific definition of personal data under the CCPA is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to a customer’s name, this “personal information” includes: IP address, postal address, email address, Social Security Number, driver’s license number, passport number, biometric information, geolocation data, consumer photos, and messages…the list goes on. ALL of these things are now protected under the CCPA. Due to the connected nature of the growing Internet of Things, more consumer data of an alarmingly personal nature is being unwittingly shared online. The regulations under the CCPA are an attempt to control and curb the spread of that data.

What are consumers’ rights under the CCPA?

In short, the CCPA is designed to give consumers greater legal control over what information businesses know and share about them. Consumers have the right to:

  • Disclosure – Consumers can make verifiable requests to know what personal information is being collected or sold about them, and businesses must disclose this information.
  • Access – At the point of collection, a consumer must be informed of what type of information is being collected, and how it is being used.
  • Deletion – Consumers can request to be “forgotten,” i.e. they can request for all personal information about them to be deleted from a business’ system. This includes the removal of consumer information from third-party vendors.
  • Antidiscrimination – Consumers cannot be discriminated against because they have exercised their rights under the CCPA.
  • Ability to Opt-Out – A business must provide a “Do Not Sell My Personal Information” option on its website.
  • Privacy Policy Requirements – Businesses are required to state their online privacy policy plainly, and update it every 12 months.

What are the new privacy policy requirements for businesses under the CCPA?

Maintaining all of these rights for consumers sounds like a big ask, but there are five main CCPA requirements that will help you achieve this. The CCPA asks that business take part in the following activities:

  • In-house data inventory, mapping of relevant personal data, and highlighting instances of selling data
  • Setting up new individual rights to data access and erasure
  • Setting up new individual rights to opt-out of data selling
  • Updating service agreements with third-party vendors and data processors to ensure that they are also CCPA-compliant
  • Identifying and eliminating information security gaps and business system vulnerabilities

Will it affect my business?

“My business isn’t based in California, so I’m in the clear, right?” Not so much. There is a broad swath of companies that will have to comply.

If your business is for-profit, and if your business:

  • Is owned and operated in California OR:
  • Sells to consumers in California OR:
  • Has an annual revenue of $25 million or more OR:
  • Buys, receives, sells, or shares consumer data from 50,000 or more consumers, households, or devices OR:
  • Gains a majority of their annual revenue from the selling of personal data

You will be bound by this legislation! As you can see, this definition includes most of the companies in the U.S.

Are there any exceptions?

The main exceptions to the rule are where it conflicts with federal regulation. The CCPA shall not restrict a business’ ability to:

  • Comply with federal, state, or local laws
  • Collect, use, sell, or disclose consumer information that is aggregated consumer information
  • Collect or sell personal information if every aspect of the transaction takes place wholly outside of California

The CCPA shall not apply to:

  • Medical Information or protected health information, pursuant to regulations established by HIPAA
  • Personal information collected pursuant to the California Financial Information Privacy Act

So, unless your industry is medical or financial (which are already strictly regulated), you need to pay close attention to the CCPA!

How do I achieve compliance?

“Ok, I get it. It will affect me. Now, what do I do to maintain compliance?” It’s all about putting in “reasonable security protection.” Your business should check for the following points to ensure CCPA compliance:

  • Stringent processes and protections in place for how you collect and store customer data
  • Consumer notifications of what type of information is being stored and used at the point of collection
  • Strong endpoint protection and encryption
  • Strong emergency processes in place in case a data breach occurs
  • An Opt-Out option on your website so that consumers can request to be “forgotten”
  • An updated privacy policy that you’ve shared with your third-party vendors
  • An updated privacy policy posted clearly on your website

Update your systems so that your consumers are made aware of what information you are gathering and how you are using it, and you should have no problem.

What will happen if I’m non-compliant?

There is a higher cost than ever for non-compliance, whether voluntary or involuntary. The CCPA Enforcement states that “any person, business, or service provider that violates the CCPA shall be subject to an injunction and be liable for a civil penalty.” If you knowingly disclosed consumer personal data, the penalty is $7,500 for each intentional violation. If you unknowingly violate the CCPA (which shouldn’t happen if you are reading this post!), the penalty is $2,500 for each violation.

In addition to that, consumers can individually bring a civil action against your company for up to $750 per incident, or the cost of the actual damages, whichever is greater. This civil action will question whether your business has implemented “reasonable security procedures and practices,” so if you can’t prove you had privacy protection measures in place, watch out.

What should I do if there’s a breach?

If there is an attack on your business’ data systems and an information breach, you must act quickly to protect your consumers’ personal information, as well as to notify them of the breach. If you fail to do this within 30 days, you will be subject to maximum penalties. However, if you can prove that your violations have been amended and that no more will occur, you will be spared additional fines.

When will I have to enforce CCPA compliance?

If you feel like there’s a great deal you need to do to achieve compliance, you still have some time to do it. Even though the legislation goes into effect January 1st, 2020, there is a grace period that lasts until “6 months after the publication of such regulations,” or July 1st, 2020.

There. I’m done. Now I don’t have to hear about CCPA ever again, right?

Not quite. This legislation is following the trend of the EU’s GDPR (General Data Protection Regulation), which is actively creating and expanding the definitions of consumer rights. Right now, though, there is still turmoil as the CCPA tries to bring some cohesion to what is a dynamic policy area. There will be great changes in the legislation until homeostasis is reached. Businesses can expect similar laws to be passed across the country in the next few years, so if you don’t have to deal with consumer privacy rights now, don’t worry. You will.

Why is this important?

The CCPA legislation will impact your business, whether you realize it now or not. With many businesses’ marketing strategies relying heavily on using and predicting consumer identities, removing personal information about your customers introduces holes into the picture. This law will greatly affect the accuracy and efficacy of established marketing approaches like attribution.

The increased connection of the Internet of Things begins to reveal the many vulnerabilities that are emerging in sharing, storing, and protecting consumer personal information. According to Risk Based Security, 2018 was the second-most active year for data breaches, with 6,500 reported breaches that included some 5 billion records. And those numbers can only be expected to increase. The CCPA is an attempt to mitigate some of these breaches.

The CCPA may seem like a headache, but it is a good opportunity for your business to focus its attention on upgrading your security and privacy practices all around.

What’s going to happen next?

You can expect a rocky start to the enactment of the CCPA. First off, despite its being around for over a year, there is a great deal of contention as to the exact scope of the legislation. Two bills are currently under consideration to expand the CCPA, while nine bills are being considered that would narrow its scope. In addition, a federal privacy law is still under consideration in Washington, DC, that would affect the exact provisions of the CCPA.

In addition to this lack of agreement, there is a general lack of knowledge about the CCPA. A recent survey by ESET polled 625 business owners and executives to see how prepared they are for the enforcement of the CCPA on January 1st, 2020. Of these 625 owners, half had never heard of CCPA, 34% were unaware if they needed to change for compliance, and only 12% knew specifically how the law would affect them. Because of this confusion, you can expect to hear about a great deal of litigation in the new year as businesses are faced with the high cost of non-compliance.

Categories
Uncategorized

Cyber Security Budgeting for 2020

It is time to update our annual Cyber Security Budgeting advice. I just led an exercise at a conference where folks had limited budgets and needed to determine the best places to spend their Cyber Cash. As I reviewed what we have adapted over the years, much of it is still the same. We continue to become more dependent on technology composed of applications, operating systems, processors, storage, and connectivity. IoT, autonomous vehicles, 5G, Huawei, and other new things continue to proliferate, but we still apply the same principles to protect ourselves.

So, what is new this year?

The proliferation of Ransomware and Business Email Compromise (BEC). Crimeware as a service is nothing new, but the cases are skyrocketing. If you don’t know someone who has had one of these events, then you don’t have very many friends. The crime groups are becoming better at monetizing these events, and they are growing at an amazing pace. The primary attack vector is still email and the humans who own these accounts. This threat landscape and other considerations will move a few things around, and I will make note of them.

So, here is some of the same old stuff: Organizations are more willing than ever to spend $$ to avoid becoming the next headline. When planning, it is easy to focus on available products that vendors are spending millions of dollars to push at us every day. Products are required, but it is the process around them that keeps you secure. Best practices in security follow a layered approach, and budgeting is no different. Where should you focus your efforts?

The Basic Layers:  Reduce Known Risks

These are not sexy, but neither is changing your oil and rotating your tires (Diet and exercise? Pick your poison). Before you look at some of the newer, enticing security solutions, it is important to make sure the basics are covered. What we know: attacks and breaches are increasing every year. We have seen an 8x increase in incidents in the past twelve months. So, our basic list has grown from last year. You may ask: why don’t you just follow the CIS top 20? We agree that all of those 20 items are very important, but after working with over 450 organizations, we know that approval of budget items, gaps in expertise, and culture typically make it hard for an organization to follow the CIS in order. If you can, that is great, but we offer the following list of items to consider in order of importance and ease of execution:

  1. Email & Web security – Spam & Antivirus solutions
  2. Enable MultiFactor Authentication for all remote access – don’t forget O365 and other cloud services – or don’t allow it
  3. Tested Backup and Recovery Capability.  More than restoring that occasional deleted file or email.  This is typically IT Ops and we had not specifically called it out previously – it is the best defense against Ransomware.
  4. IDS/IPS; internet monitoring/filtering – hard to believe, but we still find some organizations with outdated firewalls and no IDS capability
  5. End User Security Awareness Training – must include email Phishing
  6. Basic Incident Response capabilities
  7. Security patching for all hardware/software
  8. Endpoint protections – Antivirus/Malware solutions
  9. Review all accounts, especially privileged accounts and do not allow privileged accounts for regular use
  10. Check for consistent password and access controls across all of your platforms
  11. Encrypt portable devices
  12. Approve Basic Policies to establish guidelines
  13. Constantly inventory the devices on your network
  14. Review firewall, remote access/VPN, and wireless solutions regularly
  15. Comprehensive network documentation
  16. Secure file transfer capability
  17. Basic Security Metrics and Reporting – Regular measurements are a must to eliminate a false sense of security
  18. Increase visibility with SIEM (Security Information & Event Management) – either in-house or as a service
  19. Evaluate your ability to perform these basic functions adequately – do we need managed services?

Add Advanced Layers to Cover Blind Spots

Once you have the basics in place, formal measurement and planning is prudent to prioritize capital expenses.  If you do not have the in-house expertise available, you may need to rely on outside assistance.  Some items to consider:

  1. Objective measurement: Risk Assessment, Security Audit, Vulnerability and penetration testing
  2. Complement SIEM with MDR (Managed Detection & Response)
  3. Formal Program & Policy development following ISO 27001, NIST, HITRUST, or other appropriate framework
  4. Risk Management
  5. Vulnerability Management
  6. Mobile device management solution
  7. NAC – internal Network Access Controls
  8. Data Loss Prevention technologies
  9. Identity Access Management
  10. Forensic capabilities
  11. Application whitelisting
  12. Incident Response Tabletops, Red Team, Blue Team, Purple Team Exercises
  13. Information Governance

Studies have shown that a good security posture will reduce the operational costs and the cost of a security breach.

A Note for your CFO:  You may want to remind your finance committee that breaches can cause serious reputational damage and be very expensive.  Cyber Liability insurance is not enough.  In today’s world, the expectation is that there are measurable efforts (and funds) devoted to keeping information safe.

Note:  SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm.  We do not sell or broker hardware or software.

If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.

Why not just follow the CIS top 20?

Since we mentioned it, we will go ahead and put this list out here too.

Basic CIS Controls

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational CIS Controls

  1. Email and Web Browser Protections
  2. Malware Defenses
  3. Limitation and Control of Network Ports, Protocols and Services
  4. Data Recovery Capabilities
  5. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  6. Boundary Defense
  7. Data Protection
  8. Controlled Access Based on the Need to Know
  9. Wireless Access Control
  10. Account Monitoring and Control

Organizational CIS Controls

  1. Implement a Security Awareness and Training Program
  2. Application Software Security
  3. Incident Response and Management
  4. Penetration Tests and Red Team Exercises

The 7 Key Principles guiding the latest version of the CIS Controls:

When designing the latest version of the CIS Controls, our community relied on 7 key principles to guide the development process:

  1. Improve the consistency and simplify the wording of each sub-control
  2. Implement “one ask” per sub-control
  3. Bring more focus on authentication, encryption, and application whitelisting
  4. Account for improvements in security technology and emerging security problems
  5. Better align with other frameworks (such as the NIST CSF)
  6. Support the development of related products (e.g. measurements/metrics, implementation guides)
  7. Identify types of CIS controls (basic, foundational, and organizational)

Categories
Compliance|Computer & Network Security|Uncategorized

New York DFS – 23 NYCRR 500 Compliance

Checklist for Compliance

In response to the increasing threats of cybercriminal activity and as an effort to protect Non-Public Information (NPI) held by entities under its jurisdiction, the New York State Department of Financial Services (DFS) implemented a cybersecurity regulation, 23 NYCRR 500. It has twenty-three Sections and went into effect on March 1, 2017. There are designated “Transition Periods,” but the last one expires on March 1, 2019. A few key things to consider when looking at this Regulation:

  • It applies to Covered Entities, which include those operating under NY Banking Law, Insurance Law, or Financial Services Law – see next page.
  • It is specifically about protecting Non-Public Information; social security numbers, drivers’ license numbers, financial accounts, biometric records, health records, and other personal information.
  • Third Parties that provide services to Covered Entities will indirectly be pulled into some type of compliance. See Section 500.11.

The Good News

Some may not agree that any of the regulation is good, but the requirements align with many security best practices.
For the most part, DFS is not asking for many things out of the ordinary (besides reporting and retention), and if you
comply, you will be implementing layers of protection for your company.

What to Do

  1. Check the Exemptions – see next page.
  2. Assess Your Risk. This supports other requirements and your decisions for prioritizing other efforts.
    1. Perform a Risk Assessment.
    2. Perform Vulnerability Assessments.
    3. Perform a Penetration Test.
  3. Establish a Security Program prioritized by risk. This will require effort and time. NIST has many available resources to assist.
    1. Establish a Chief Information Security Officer (CISO). Can be internal or external staff.
    2. Implement Policies to cover required areas – see page 3.
    3. Ensure you have qualified staff. Disciplines of Security are different than IT. You may need to hire or train.
  4. Develop an Incident Response Plan that includes notices to Superintendent. Requires 72-hour notice. There is additional guidance on the FAQ page.
  5. Ensure that your security program addresses the following requirements (prioritized by risk):
    1. Multi-Factor Authentication
    2. Encryption of NPI
    3. Security Auditing. This typically requires a new system or Managed Security Service.
    4. Review of access privileges to NPI
  6. Develop Vendor and Third Party Risk Management Program. You will need to rank your vendors and ensure that you perform due diligence on those with higher risks.
  7. Develop a Data Retention Policy and Process. The Superintendent requires 5 years of records for compliance. Be familiar with other required retention periods for different types of data.
  8. Annual Certification. Submit by each February 15th a written statement covering the prior calendar year.

Covered Entities

The Department of Financial Services supervises many different types of institutions. Supervision by DFS may entail chartering, licensing, registration requirements, examination, etc. More details are available on their website:

  • All insurance companies
  • Banks & Trust Companies
  • Budget Planners
  • Charitable Foundations
  • Check Cashers
  • Consumer Credit Reporting Agencies
  • Credit Unions
  • Domestic Representative Offices
  • Foreign Agencies
  • Foreign Bank Branches
  • Foreign Representative Offices
  • Holding Companies
  • Investment Companies (Article XII)
  • Licensed Lenders
  • Life Insurance Companies
  • Money Transmitters
  • Mortgage Bankers
  • Mortgage Bankers-Exempt
  • Mortgage Brokers
  • Mortgage Brokers – Inactive
  • Mortgage Loan Originators
  • Safe Deposit Companies
  • Sales Finance Companies
  • Savings Banks; Savings & Loan Associations (S&L)
  • Service Contract Providers

Exemptions

Exemption / Exempt From / Still Required (Section 500.19). The three limited exemptions under 500.19 (a) share one set of exempt and still-required sections; the 500.19 (c) and (d) exemptions share another:

  • 500.19 (a) (1) Fewer than 10 employees working in NYS
  • 500.19 (a) (2) Less than $5 million in gross annual revenue
  • 500.19 (a) (3) Less than $10 million in year-end total assets
    Exempt from: 500.04 Chief Information Security Officer; 500.05 Penetration Testing and Vulnerability Assessments; 500.06 Audit Trail; 500.08 Application Security; 500.10 Cybersecurity Personnel and Intelligence; 500.12 Multi-Factor Authentication; 500.14 Training and Monitoring; 500.15 Encryption of Nonpublic Information; 500.16 Incident Response Plan
    Still required: 500.02 Cybersecurity Program; 500.03 Cybersecurity Policy; 500.07 Access Privileges; 500.09 Risk Assessment; 500.11 Third Party Provider Security Policy; 500.13 Limitations on Data Retention; 500.17 Notices to Superintendent; 500.18 Confidentiality; 500.19 Exemptions; 500.20 Enforcement; 500.21 Effective Date; 500.22 Transitional Periods; 500.23 Severability

  • 500.19 (c) Does not control any information systems and nonpublic information
  • 500.19 (d) Captive insurance companies that do not control nonpublic information other than information relating to its corporate parent company
    Exempt from: 500.02 Cybersecurity Program; 500.03 Cybersecurity Policy; 500.04 Chief Information Security Officer; 500.05 Penetration Testing and Vulnerability Assessments; 500.06 Audit Trail; 500.07 Access Privileges; 500.08 Application Security; 500.10 Cybersecurity Personnel and Intelligence; 500.12 Multi-Factor Authentication; 500.14 Training and Monitoring; 500.15 Encryption of Nonpublic Information; 500.16 Incident Response Plan
    Still required: 500.09 Risk Assessment; 500.11 Third Party Provider Security Policy; 500.13 Limitations on Data Retention; 500.17 Notices to Superintendent; 500.18 Confidentiality; 500.19 Exemptions; 500.20 Enforcement; 500.21 Effective Date; 500.22 Transitional Periods; 500.23 Severability

23 NYCRR 500 Sections

Section 500.00 Introduction
Section 500.01 Definitions
Section 500.02 Cybersecurity Program
Section 500.03 Cybersecurity Policy
(a) information security
(b) data governance and classification
(c) asset inventory and device management
(d) access controls and identity management
(e) business continuity and disaster recovery
(f) systems operations and availability concerns
(g) systems and network security
(h) systems and network monitoring
(i) systems and application development and quality assurance
(j) physical security and environmental controls
(k) customer data privacy
(l) Third Party Service Provider management
(m) risk assessment
(n) incident response
Section 500.04 Chief Information Security Officer
Section 500.05 Penetration Testing and Vulnerability Assessments
Section 500.06 Audit Trail
Section 500.07 Access Privileges
Section 500.08 Application Security
Section 500.09 Risk Assessment
Section 500.10 Cybersecurity Personnel and Intelligence
Section 500.11 Third Party Service Provider Security Policy
Section 500.12 Multi-Factor Authentication
Section 500.13 Limitations on Data Retention
Section 500.14 Training and Monitoring
Section 500.15 Encryption of Nonpublic Information
Section 500.16 Incident Response Plan
Section 500.17 Notices to Superintendent
Section 500.18 Confidentiality
Section 500.19 Exemptions
Section 500.20 Enforcement
Section 500.21 Effective Date
Section 500.22 Transitional Periods
Section 500.23 Severability

Categories
Information Security>Data Breach|Computer & Network Security>Viruses|Computer & Network Security>Vulnerabilities

A Ransomware Savings Account – Pay in Advance!

Diet and exercise versus a pill. An ounce of prevention versus a pound of cure. Saving for expenses versus using credit cards.

We all understand that good habits and planning are valuable to achieve our goals. We apply the same principles to Cyber Security…

This is a cautionary tale. We all learn from experience, and when fortunate, we can learn from the experience of others. This story teaches a valuable lesson based on real-world experience, and it will help you avoid a terrible situation.

A medium-sized firm, unfortunately, became the victim of a ransomware attack. An IT employee came into the office early in the morning to discover their ERP server had a white on red full-screen text message (complete with skull and bones ASCII art) stating the contents of the hard drive were encrypted. To recover the contents, they were to transfer one bitcoin to the wallet address on the screen, and to email a Hotmail address notifying them the ransom had been paid in order to retrieve the decryption key.

SecurIT360 Standard Operating Procedures (SOPs) do not recommend paying the ransom under any circumstances. We’ve found that once a company pays the ransom, they are “tagged” for further exploits because the company has been known to pay out. It is safer and better to simply restore from the last known good backup and redo the 12-24 hours of work lost.

Unless the last known good backup is over eight months old.

As a cost-saving measure, this business only purchased a single license for Veritas Backup Exec Server. For the other servers, they used a combination of tarballing, Secure Copy (SCP)/File Transfer Protocol (FTP) or xcopy, and 7zip to archive and transfer critical network files, Microsoft SQL database data, transaction, and log files, and customer detail records to the one server with a backup license.

Business continuity was literally running on a shoestring budget with a fragile, multiple-step process that required each step to complete before the next step would begin. This giant Rube Goldberg machine had a high failure rate. In this case, the Microsoft SQL data and log files hadn’t been transferred from the ERP server to the backup server in eight months. Imagine losing eight months of orders, inventory, fulfillment, and financial reporting. Did we mention that this is a real-world case study?

We discovered that the Hotmail address the hackers provided for payment confirmation had been terminated, and the value of a Bitcoin at that time was nearly $14,000 US. The business owners insisted on paying the ransom even though the likelihood of receiving a decryption key was remote. They felt that they had to try because of the magnitude of the data loss.

Unfortunately, they never received a decryption key.


The company ultimately had to pause operations for two weeks to recreate as much information as possible from employee emails and printed reports. Then, they had to conduct a physical inventory to repopulate their ERP system.

This particular client sadly ended up paying their ransom three times: once in a bitcoin transfer that received no response, once in lost revenue while they recreated their ERP data so they could begin conducting business again, and then once again in new backup server licensing for all of their servers post incident.

How could this have been prevented?

A much less expensive “ransom” could have been paid ahead of time by purchasing five more Veritas Backup Exec Server licenses for $5,000 to cover their remaining servers, properly ensuring business continuity. This would have saved them thousands compared to the cost of the “ransom” paid and the additional 2 weeks of lost productivity while recovering data.

What can you do to not fall into the same trap as this business?

SecurIT360 works with our clients every day to ensure business continuity. Based on our experience, we would like to share 3 critical processes that your business must have in place to avoid this kind of disaster.

  1. Invest in a backup process for all of your servers and business-critical data.
  2. Regularly test your backups to make sure that all processes are running properly.
  3. And while backups are one of the most important things that you can do to protect your business, they shouldn’t be your first line of defense. Schedule regular “black hat” penetration tests to ensure that your network is protected from this kind of event.
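An added example (not SecurIT360’s code or any product’s) of the check that item 2 calls for: it flags any required dataset whose newest non-empty archive is older than the recovery window, and proves an archive is actually readable rather than merely present. Server names, dataset names, timestamps and the 24-hour window are constructed assumptions.

```python
"""Backup freshness and integrity check (added example, not SecurIT360 tooling).
Server names, dataset names, timestamps and the 24-hour RPO are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import gzip
import hashlib
import io
import tarfile
import zlib


@dataclass(frozen=True)
class Archive:
    server: str
    dataset: str
    created: datetime
    size_bytes: int
    sha256: str


# RPO: the story's "12-24 hours of work lost" is the most the business could
# redo, so any dataset whose newest archive is older than this is stale.
RPO = timedelta(hours=24)

# Datasets needed to rebuild operations; a missing one is a finding, not a skip.
REQUIRED = {("erp-01", "mssql-data"), ("erp-01", "mssql-log"),
            ("file-01", "network-files"), ("crm-01", "customer-records")}


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def stale_datasets(archives, required, now, rpo):
    """Return {(server, dataset): age} for each required dataset whose newest
    non-empty archive is older than rpo; age is None when none exists at all."""
    newest = {}
    for a in archives:
        if a.size_bytes == 0:  # an empty tarball is a failed step, not a backup
            continue
        key = (a.server, a.dataset)
        if key not in newest or a.created > newest[key].created:
            newest[key] = a
    report = {}
    for key in required:
        a = newest.get(key)
        if a is None:
            report[key] = None
        elif now - a.created > rpo:
            report[key] = now - a.created
    return report


def build_sample_archive(payload, member_name):
    """Build a small gzipped tarball in memory (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def verify_archive(blob, expected_sha256):
    """True only if the blob matches the manifest checksum, the gzip trailer
    (CRC32/length) validates, and every tar member can be read back."""
    if sha256_hex(blob) != expected_sha256:
        return False
    try:
        raw = gzip.decompress(blob)  # a truncated transfer fails here
        with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tf:
            for member in tf.getmembers():
                f = tf.extractfile(member)
                if f is not None:
                    f.read()
    except (tarfile.TarError, EOFError, OSError, zlib.error):
        return False
    return True


# Constructed manifest: the file server is current, the ERP server's SQL files
# last arrived 240 days ago (today's copy is empty), the CRM records never did.
NOW = datetime(2019, 11, 1, 6, 0, tzinfo=timezone.utc)
GOOD_BLOB = build_sample_archive(b"order,qty\n1001,3\n", "orders.csv")
GOOD_SHA = sha256_hex(GOOD_BLOB)
MANIFEST = [
    Archive("file-01", "network-files", NOW - timedelta(hours=6), len(GOOD_BLOB), GOOD_SHA),
    Archive("erp-01", "mssql-data", NOW - timedelta(days=240), 4_200_000, "0" * 64),
    Archive("erp-01", "mssql-log", NOW - timedelta(days=240), 900_000, "0" * 64),
    Archive("erp-01", "mssql-data", NOW - timedelta(hours=2), 0, "0" * 64),  # empty
]


def run_check(archives=MANIFEST, now=NOW):
    """Sorted findings; an empty list means every required backup is usable."""
    report = stale_datasets(archives, REQUIRED, now, RPO)
    return [f"{s}/{d}: " + ("NO usable backup" if age is None
                            else f"newest backup is {age.days} days old")
            for (s, d), age in sorted(report.items())]
```

Run on a real manifest, a non-empty result from run_check() should page someone, which is exactly what was missing for eight months in the story above.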

Would you like a free assessment of your disaster preparedness and business continuity procedures? Call us today to make sure that the disaster experience you learn from isn’t your own.

SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm. We can work with you to stop cyber attacks in real time. Book a meeting with us today for a complimentary budgeting and strategy session by following this link Appointments.

Categories
Uncategorized

Phishing Attacks and Multifactor Authentication

Stop the Password Reset Insanity

How much time does your IT department spend changing a user’s network and or email account passwords because they clicked on a phishing link that they should not have? How many users do you have who do this repeatedly? Have you trained your users to identify, report, and ignore these phishing attempts?

Why make the only procedure to resolve this resetting the password when it just keeps happening again and again? Stop the insanity and look at a new way of solving this problem.

“The definition of insanity is doing the same thing over and over again and expecting different results.”

How Spearphishing Works

Your company webpage has just been redesigned to provide an enriched marketing experience. It looks great and everyone on your leadership team is excited about the new page. One of the pages, “About Our Team”, lists every member of the executive management team with a short bio. You have just provided the bad guys with a short list of high-value targets within your company.

With this list of users in hand and by utilizing the most standard email address format (everyone uses first initial of the first name + last name), a couple of smart public DNS queries, and a telnet to port 25 of your email server, I can determine your mail server and version, including Microsoft Office 365. Then I can set up a fake webmail account login page and send a well-crafted email asking them to log in to my fake email system so I can steal their password.

Once your user completes this action, I have not just compromised their account, I have compromised an influential person in the company. I now have access to the corporate account of someone who can make decisions and spend money, for example, authorize an invoice to be paid or request a wire transfer. Payday for me, headaches dealing with law enforcement, lawyers, cyber insurance companies, and forensics experts for you.

What Happens Next

Once you discover the intrusion, I’ve been reported to IT, the user’s account password has been changed, the lawyers are doing insurance reviews, and accounting is double checking the books, but I am still out there. While everyone is thinking, crisis averted, I am waiting for the next opportunity.

Now, I sit back and wait a week or two before another attempt. During this time, a business crisis arises, distracting the executives, and I send another email asking you to log in. Nine times out of ten, I get back in. Executives are busy between internal, partner and customer meetings, traveling, reviewing performance numbers, and so on. They are always busy and want things to go smoothly so they can accomplish tasks quickly. Because of this, your executives rarely look twice at the email asking for the password again – just so they can get that PDF report they think they are getting.

So, they are compromised. Again. You change their password. Again. Insanity.

While you are saying to yourself, “This would never happen at my company”, let me share this story with you. I recently worked a case where the President of the company was successfully spearphished three times in two weeks. Each time, the password was reset, and everyone moved on to other things. In another case, a breached IT administrator account was used to spearphish the CFO. As if that is not bad enough, the CFO had already been successfully spearphished two months prior.

How do I end this cycle?

The easy answer is to require multi-factor authentication (MFA). The harder question is, “How do I implement MFA without being chased with pitchforks and firebrands?” Or worse yet, isolated in an office in the basement with your career stalled out.

So, how do you implement MFA while minimizing the impact on your users?

Scenario 1:

IT develops an MFA implementation plan. They then meet with the executives to outline the program’s pros and cons, with the strategy of scaring them into agreeing to implement MFA. They use statistics from Gartner, include quotes from Verizon’s Annual Data Breach Investigation Report, and try to sell the implementation plan. Remember, these are the same executives who are busy moving from one fire drill to another while being spearphished daily. This strategy almost never goes well.

Scenario 2:

IT develops an MFA implementation plan. Instead of only using statistics from Gartner and quotes from Verizon’s Annual Data Breach Investigation Report, they use actual internal data to effect change from within. Prior to presenting this data, they have already completed an MFA pilot with their email administrators and then rolled it out to the entire IT department. Here’s the payoff: report the measured results of the rollout to the IT Steering Committee, CFO, or COO; the point is, get an executive to start thinking about MFA, hearing the results, and digesting the successes. Then, get that individual to try it.

Peer pressure can also be beneficial in this scenario. “One-Upmanship” within a highly political boardroom can be a good thing. Having someone inside the decision-making group proudly boasting how fourteen unauthorized attempts to log in to their account were thwarted by MFA can provide the incentive you need. No one wants to be the weak link or in last place.

The Benefits of MFA

Now that you have implemented MFA, you are able to stop the insanity of repeatedly resetting passwords, re-imaging computers, spending hours on telephone calls with lawyers, insurance companies, and forensics companies. You can expect fewer security headaches, more time to complete your projects, and your executive team to appreciate how secure your network has become with multi-factor authentication.

SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm.
If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.