Category Archives: Risk Management

Securing Data in the Cloud


Storing data in the cloud allows for easy management and access over the internet. According to Goldman Sachs analysts, as of 2020 around 23% of all IT workloads are processed in the cloud. As with any storage solution, cloud storage carries security risks, including loss of sensitive data, weakened security controls, insider threats, and malware. Since the number of companies using cloud storage keeps increasing, it is important to practice good cyber hygiene when migrating to a cloud service. A breach of cloud-hosted data may also be hard to prosecute, because the data can cross international borders. With cloud storage, the customer no longer controls the physical protection of the data and must rely on the provider for it. The following tips describe best practices for securing data in the cloud.

Encrypt Data

Data should be encrypted both in transit and at rest. Use a strong, authenticated encryption algorithm such as AES-256 (for example AES-256-GCM) for data at rest, and TLS for data in transit. Passwords should never be stored in the clear: store only a salted hash, and derive encryption keys from passphrases with a salted key-derivation function rather than using the passphrase itself as the key. Where users must exchange encrypted files, PGP provides public-key encryption and signing. It is also important to encrypt data on your end devices, not only in the cloud. Finally, metadata (file names, owners, tags) can carry PII; encrypt it too, or at least make sure it leaves the on-premises point of origin in a form the provider cannot read.
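As a worked illustration of the encryption tips above, the Go program below (an added example written for this page, not Adsero Security's own tooling) derives an AES-256 key from a passphrase using a random salt and PBKDF2-HMAC-SHA256, encrypts a record with AES-256-GCM, and binds a readable metadata string to the ciphertext as associated data so that it cannot be altered undetected. The envelope layout, the iteration count, and the sample passphrase, record and metadata are all this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope parameters (this example's assumptions). OWASP suggests 600,000
// PBKDF2-HMAC-SHA256 iterations; fewer are used here to keep the demo quick.
const (
	saltLen   = 16
	nonceLen  = 12 // standard GCM nonce
	tagLen    = 16 // GCM authentication tag
	keyLen    = 32 // a 32-byte key selects AES-256
	iterCount = 200_000
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out so the example
// needs only the standard library. Block i is U_1 xor ... xor U_c, where
// U_1 = HMAC(password, salt || INT(i)) and U_j = HMAC(password, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	dk := make([]byte, 0, dkLen+prf.Size())
	for i := 1; len(dk) < dkLen; i++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// newGCM derives the AES-256 key for this salt and returns an AES-GCM AEAD.
func newGCM(password, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, iterCount, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM under a key derived from password and
// a fresh random salt. metadata is authenticated but left readable (associated
// data): it can still be indexed, but any change makes Open fail.
// Envelope layout: salt || nonce || ciphertext || tag.
func Seal(password, plaintext, metadata []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil { // fresh salt and nonce together
		return nil, err
	}
	gcm, err := newGCM(password, header[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Seal(header, header[saltLen:], plaintext, metadata), nil
}

// Open reverses Seal. It fails on a wrong password, a modified ciphertext, or
// metadata that differs from what was authenticated at Seal time.
func Open(password, envelope, metadata []byte) ([]byte, error) {
	if len(envelope) < saltLen+nonceLen+tagLen {
		return nil, errors.New("envelope too short")
	}
	gcm, err := newGCM(password, envelope[:saltLen])
	if err != nil {
		return nil, err
	}
	nonce, body := envelope[saltLen:saltLen+nonceLen], envelope[saltLen+nonceLen:]
	return gcm.Open(nil, nonce, body, metadata)
}

func main() {
	pw, meta := []byte("correct horse battery staple"), []byte("owner=finance") // constructed
	env, _ := Seal(pw, []byte("ssn=000-00-0000"), meta)
	pt, err := Open(pw, env, meta)
	fmt.Printf("recovered %q (err=%v)\n", pt, err)
	_, err = Open(pw, env, []byte("owner=mallory")) // readable metadata was altered
	fmt.Println("altered metadata rejected:", err != nil)
}
```

Run it with `go run`. Two points matter for production use: a per-object random data key wrapped by a key-management service is preferable to deriving keys from a human passphrase, and metadata that must stay secret belongs inside the plaintext rather than in the associated data, which GCM authenticates but does not hide.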

Separate the Data Path and the Control Path

The control path can use public cloud services to provide orchestration and management functions at scale. The data path, on the other hand, should stay entirely on-premises: file contents should never be transmitted outside the enterprise security perimeter, and only control-plane traffic (policies, configuration, telemetry) should reach the cloud.

Ensure Local Backup

Keeping local backups allows for business continuity if the cloud storage is compromised or unavailable. Back up data frequently, and test that the backups can actually be restored.

Avoid Storing Sensitive Information

No storage solution is 100% free of security risk, and cloud storage is no exception. Avoid storing PII or proprietary information in the cloud; where that cannot be avoided, keep it encrypted with keys the company controls.

Use Strong Access Control Methods

Enforce strong password requirements, such as a minimum length and complexity rules, and require multifactor authentication (MFA) on cloud accounts, especially administrative ones.

Classify data so that explicit access controls can be assigned to each type. For example, an employee in accounting does not need access to HR records. Classification also makes it possible to monitor who accesses which data. Restrict and control shared content with permissions, expiry dates, and password-protected links.

Know Your Cloud Provider

Enterprises should make sure their cloud storage partners offer geo-redundant storage with high data durability, as well as recognized security and compliance attestations such as PCI DSS and SOC 2. Review the provider's user agreement and shared-responsibility model, and make sure the provider's commitments align with the company's requirements.

The company should also understand the provider's process in the event of a breach, including how and when customers are notified. Take into account maintenance and management controls, as well as the measures the provider takes to keep its systems patched. The company should also have a good understanding of the provider's recovery options.

Other Tips

  • Test your cloud security setup
  • Install antivirus
  • Have a defined and enforced data deletion policy
  • Use a VPN and private network
  • Identify security gaps between systems


Cybersecurity in the Age of the Coronavirus: The Impact on Business Operations


As the global workforce shifts to remote work, business operations and management face a number of obstacles. As mentioned in the previous article, the line between our work lives and our personal lives is more blurred than ever. Pre-pandemic estimates predicted that cybercrime would cost companies $6 trillion globally. According to research, last year governments and government organizations were attacked most often, followed by industrial companies, healthcare, education, and finance.

Business networks are now accessible from home, which puts the security of business operations at risk. We have seen changes in the way leadership makes decisions about business performance. During these unprecedented times, the shift of attention to cybersecurity is rapid, with little to no room for error. Cybersecurity is built in layers, and no network can be protected perfectly forever; leadership must therefore strike a balance between risk mitigation and business efficiency.

In this day and age, business leaders are getting a daily lesson in large-scale systemic failure during COVID-19. They see and read how quickly COVID-19 spread around the world and how it affects economic, social, political, and business systems. It is imperative that the company's cybersecurity defenses be able to respond and adapt in real time. The gap between cybersecurity risk and defensive effectiveness is as wide as it has ever been for most companies, and experts warn that it could get even worse once the pandemic subsides. New cybersecurity risks will emerge, and defenses have to stay ahead of them.

Board members often ask “Are we spending enough on cybersecurity?” rather than “What do we need to protect, what is it worth, and how well is it protected for what we are spending?”. Digital success and failure start at the top, so boards need a solid understanding of how cybersecurity works. Some say the pandemic is actually helping companies by forcing executives to focus on cybersecurity and their digital business systems, which for some companies calls for structural reform.

IT teams that once had physical access to employee machines now lack the time and access to address commonplace issues. The absence of onsite diagnostic teams calls for automated threat reporting and diagnostic tools such as endpoint detection and response (EDR). Business continuity plans and disaster recovery plans keep business operations flowing by ensuring that resources are available, that employees stay online, and that communication is maintained.

Additionally, the way employees access data is now heavily reliant on VPNs, and as a result VPN gateways are running at or near capacity. Corporate IT departments need to use every tool at their disposal to keep loads manageable so that the gateways are not overwhelmed and unable to provide access for remote workers. A gateway that is already saturated is also an easy target: a single DDoS attack against it can cut the entire workforce off. Cybercriminals know that employees are more exposed and less cautious when working from home, so it is important that IT stays up to date with software patches, including for the VPN gateways themselves, and takes appropriate action to mitigate risk.

Along with stronger VPN precautions, companies have been increasing their use of threat hunting, detection, and incident response. It is not possible to keep every threat outside the perimeter forever, so it is important to seek out intrusions and actively address them without giving up the basic layer of protection. Organizations have also invested in educating employees on cyber threats and their impact, since they have reported higher rates of phishing victimization, prompting the adoption of more innovative approaches.

Security teams are now emphasizing employee security awareness and training. Doing this while maintaining a basic layer of technical protection creates a more effective prevention and defense strategy. Organizations that do not practice cyber hygiene have reported higher phishing victimization.

The risk of attackers entering networks through third-party vendors has also increased. There is more evidence of attempts to insert malicious code and to exploit external suppliers and outsourced technologies, creating more threats and vulnerabilities. Organizations have become more dependent on outsourced tools to maintain ongoing operations, such as marketing and communication tools. This can expose more sensitive data and expands the potential for supply-chain attacks. There are also more consumer-oriented online services, such as e-commerce websites, that are open to public access. These websites are overloaded with requests, and many financial processes are now carried out online. Phishing that impersonates these e-commerce websites targets victims both as individuals and as professionals.

Experts urge companies to proceed with caution. Reducing reliance on the office VPN and migrating to cloud solutions is a must. Also lock down the supply chain, since suppliers can be an entry point for attackers: ask them what they do to maintain security. Scale up the benefits of cloud migration to virtualize the workforce. CISOs must shift their focus to four main points rather than sticking with traditional viewpoints.

  1. Focus: Support only the technology features and services that are critical to operations, and focus on the safety of employees on the front line.
  2. Test: Test the company's incident response plan, business continuity and disaster recovery plans, and vendor requirements right away. Eliminating risk is impossible, but you can reduce the risk that comes from a poor response.
  3. Monitor: Monitor all resources, including collaboration tools and endpoints.
  4. Balance: Cybersecurity teams are likely to receive a flood of urgent requests. Allow documented, time-limited policy exceptions so that teams elsewhere in the organization can get work done.

Many organizations never took cybersecurity projects seriously because they were a lower priority, but the coronavirus has pushed them to the forefront. Management has acknowledged that things will not go back to the way they used to be. This transition period is a point in time where there are distinct opportunities for new and more aggressive types of cyberattack aimed at damaging or slowing the business, rather than the traditional goal of extracting money from many parties.

SOC 2 and NIST 800-53


Both SOC 2 and NIST 800-53 play a large role in regulatory compliance. Both aim to protect the confidentiality, integrity, and availability of information, including data hosted in the cloud, and both are critical in today's environments. The SOC 2 framework and the NIST 800-53 publication go hand in hand, and adhering to both sets of controls gives your company a strong foundation for data protection.

In order to assess our information systems, we first need to take a closer look at both SOC 2 and NIST 800-53.

SOC 2

SOC 2 is an attestation framework created by the American Institute of Certified Public Accountants (AICPA). It is one of the most widely used frameworks in the technology industry and applies to service organizations that store and process customer data, including in the cloud. A SOC 2 report is unique to each organization: the controls examined are chosen to fit its specific business practices, which makes SOC 2 a good fit for today's cloud environments.

Trust Service Criteria (TSC)

The Trust Services Criteria (TSC) serve as the control areas for managing and reporting on information and systems. Security is the one criterion required in every SOC 2 report; the other four are included as they apply to the service. The five TSC are as follows:

  1. Security: Protection of system resources against unauthorized access. Example controls include multifactor authentication and intrusion detection systems.
  2. Availability: Whether the system, products, or services are accessible as committed in the service level agreement (SLA). An example control is a failover cluster.
  3. Processing integrity: Whether system processing is complete, valid, accurate, timely, and authorized, so that the system achieves its purpose.
  4. Confidentiality: Information designated as confidential is restricted to the specified set of persons or organizations, as committed in the agreement. Example controls include encryption and network access restrictions.
  5. Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the service organization's privacy notice and with the criteria set forth in the generally accepted privacy principles issued by the AICPA.

Type 1 and Type 2

A SOC 2 Type 1 audit assesses the design of controls at a single point in time: it tests whether the system's design is suitable to meet the relevant Trust Services Criteria. A SOC 2 Type 2 audit tests the operating effectiveness of those controls over a period of time, typically six to twelve months. Most companies start with a Type 1 and then follow with an annual Type 2 audit.

Requirements

The main requirement for SOC 2 is that the organization develops written policies and procedures that everyone follows. The organization must also actively monitor its systems and information for unusual activity or access, and set up automatic alerting for anomalies in data access. Auditors will expect evidence that these controls actually operated over the audit period, not just that they were written down.

NIST 800-53

NIST Special Publication 800-53 is a catalog of security and privacy controls for federal information systems, published by the National Institute of Standards and Technology (NIST). It supports the control selection and assessment steps of NIST's Risk Management Framework (RMF). Revision 5 organizes roughly a thousand controls and control enhancements into 20 control families. Organizations select the controls that apply to them based on the impact level of the system and its data (low, moderate, or high, as categorized under FIPS 199). These controls can also be tested during a SOC 2 audit when they are mapped to the Trust Services Criteria. NIST 800-53 is the control catalog federal agencies use to comply with FISMA.

FISMA

The Federal Information Security Management Act (FISMA, updated in 2014 as the Federal Information Security Modernization Act) requires federal agencies to develop, document, and implement an information security program. NIST 800-53 is the control catalog agencies implement to meet that requirement, so for a federal system, demonstrating compliance with NIST 800-53 is how compliance with FISMA is shown.

Some specific goals of FISMA include:

  • Implementing a risk management program
  • Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
  • Ensuring the integrity, confidentiality, and availability of sensitive information

FISMA requires organizations to do the following:

  • Maintain an inventory of information systems.
  • Categorize information and information systems according to risk level.
  • Maintain a system security plan.
  • Implement security controls.
  • Conduct risk assessments.
  • Obtain authorization to operate (formerly called certification and accreditation).
  • Conduct continuous monitoring.

FISMA requirements are geared toward federal agencies, and the contractors that handle federal data, that protect sensitive information. Best practices include encrypting data at rest and in transit, keeping up to date with the NIST standards FISMA relies on, classifying information as it is created, and maintaining documentation of compliance efforts.

Compliance with both SOC 2 and NIST 800-53 provides organizations with a number of benefits, especially increased data security. The main difference between the two is what they are: SOC 2 is an attestation report, issued by a CPA firm under the AICPA's System and Organization Controls (SOC) framework, on how an organization meets the Trust Services Criteria, whereas NIST 800-53 is a catalog of controls that an organization implements and assesses. A mapping between the SOC 2 criteria and NIST 800-53 can be found on the AICPA website.

The Importance of IT Security Policies


IT security policies are necessary in organizations because they define who is responsible for what information within the company. Policies are the baseline for all procedures and should be maintained regularly.

Why Do Organizations Need Security Policies?

IT security policies set out the rules for user and IT personnel behavior and identify the consequences of not adhering to them. They are also crucial for ensuring compliance with regulations and frameworks such as HIPAA and the NIST standards. Policies should define the risks the organization faces and provide guidelines on how to reduce them, and they should be tailored to the company's needs.

Writing an Effective IT Security Policy

  1. Conduct a security risk assessment to identify your company's critical assets, the vulnerabilities that affect them, and the controls already in place. Use this assessment to determine how to reduce or eliminate the risks found.
  2. Determine the scope of the policy, including who the policy will address and what assets will be covered.
  3. Ensure your policy is written so that employees can easily understand it and management can enforce it. Employees need to be explicitly aware of the consequences of not complying with the policy. Because policies drive the development of procedures, it is important to write them clearly.
  4. Review and update your policies at least once a year to keep them in line with your company's procedures and current security concerns.

Common IT Security Policies:

  • Access Authorization
  • Acceptable Use
  • Breach Notification
  • Change Management
  • Data Backup Plan
  • Employee Screening
  • Employee Training
  • Encryption and Decryption
  • Media Security
  • Network Security
  • Password Management
  • Secure Development
  • Security Incident Response
  • Vendor Management
  • Vulnerability Management

The need for particular IT security policies depends on the data the company handles. For example, a company that handles customer health data should consider implementing a HIPAA Acceptable Use Policy.

Is Your Password Secure?


Tips for Creating a Strong Password

Passwords can be an inconvenience to remember, especially when you have dozens of applications and accounts to log into every day. However, with the increase in phishing and ransomware attacks, passwords are often the main line of defense for your data. Once an attacker knows your password, your personal data and your company's data may be at risk. Employees are often the weakest link in an organization's information security, so it is important that you and your employees follow these tips. These steps should be set out in a strong, detailed password policy.

1. Use a longer password with a mix of letters, numbers, and symbols.

Making passwords longer and more complex makes them harder for an attacker to guess or crack. An easy password such as NYClover can be strengthened by lengthening it and adding numbers and symbols; for example, N3wY0rkC!tyL0v3r is more secure. Keep in mind that length adds far more strength than substitutions: predictable swaps such as 0 for o and 3 for e are built into password-cracking rule sets, so a long passphrase of several unrelated words is stronger still.

2. Never use a word or phrase that is easy to guess or contains personal information.

Using personal information such as your middle name or birthday is risky, especially when it can be found on your social media. Using a single common word or phrase also makes a password easy to guess. Check your passwords against a published list of the most commonly used passwords and avoid anything on it.

3. DO NOT use the same password for all your accounts.

Reusing one password across accounts is dangerous: once that password leaks from any one site, an attacker can try it everywhere else (credential stuffing) and gain access to all of your accounts.

4. Never write down your passwords on paper.

Passwords written on paper can be read by anyone with access to your desk. Use a password manager instead, such as LastPass, protected by a strong master password and, where supported, MFA on the manager itself.

5. Use Multifactor Authentication (MFA).

MFA helps secure your account even if your password is compromised. The second factor can be a one-time code from an authenticator app, a hardware security key, or a code sent to your phone or email; app- and key-based factors are stronger than SMS or email codes, which can be intercepted or redirected. Google and most major providers let users turn on MFA in their account settings.

6. Change your passwords consistently.

Passwords should be changed regularly, in case your current password has been compromised without your knowledge. Many applications require a change every 90 days or at some other fixed interval, while others merely recommend it. Above all, change a password immediately whenever you suspect it has been exposed. Note that current NIST guidance (SP 800-63B) advises against mandatory periodic rotation on its own, since it tends to produce predictable variations of the old password; if your policy keeps a rotation interval such as 90 days, pair it with MFA and a check against lists of compromised passwords.
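To make the rules above concrete, here is an added example in Go (written for this page, not part of the original post) that checks a candidate password against them: minimum length, character classes, a list of common passwords, and the user's own personal details. It also undoes common letter substitutions before comparing, which is how password-cracking rule sets see such passwords. The thresholds, the short common-password list, and the sample user profile are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy encodes the tips above. The thresholds and the common-password list
// are this example's assumptions, not values from the original post.
type Policy struct {
	MinLength  int
	MinClasses int             // of lower, upper, digit, symbol
	Common     map[string]bool // lower-case common passwords and words
}

// DefaultPolicy returns a policy with a small constructed common-password
// list; a real deployment would load a published list of leaked passwords.
func DefaultPolicy() Policy {
	p := Policy{MinLength: 12, MinClasses: 3, Common: map[string]bool{}}
	for _, w := range []string{"password", "123456", "qwerty", "letmein",
		"welcome", "iloveyou", "football", "dragon", "monkey", "admin"} {
		p.Common[w] = true
	}
	return p
}

// leet undoes the substitutions people use to dress up a word, so the checks
// below see "P@ssw0rd" as "password". Cracking tools apply the same rules.
var leet = strings.NewReplacer(
	"@", "a", "4", "a", "3", "e", "1", "i", "!", "i",
	"0", "o", "$", "s", "5", "s", "7", "t")

func normalize(s string) string { return leet.Replace(strings.ToLower(s)) }

// classes counts how many of the four character classes pw uses.
func classes(pw string) int {
	var seen [4]bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			seen[0] = true
		case unicode.IsUpper(r):
			seen[1] = true
		case unicode.IsDigit(r):
			seen[2] = true
		default:
			seen[3] = true
		}
	}
	n := 0
	for _, b := range seen {
		if b {
			n++
		}
	}
	return n
}

// Check returns every violation of p found in pw. personal lists strings tied
// to the user (names, birth year, employer) that must not appear in pw even
// after substitutions; an empty result means the password passes.
func (p Policy) Check(pw string, personal []string) []string {
	var problems []string
	if len([]rune(pw)) < p.MinLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	if classes(pw) < p.MinClasses {
		problems = append(problems, fmt.Sprintf("uses fewer than %d character classes", p.MinClasses))
	}
	norm := normalize(pw)
	for w := range p.Common {
		if norm == w || (len(w) >= 6 && strings.Contains(norm, w)) {
			problems = append(problems, "contains common password "+w+" (after undoing substitutions)")
		}
	}
	for _, item := range personal {
		if n := normalize(item); len(n) >= 3 && strings.Contains(norm, n) {
			problems = append(problems, "contains personal information: "+item)
		}
	}
	return problems
}

func main() {
	p := DefaultPolicy()
	personal := []string{"Alice", "Smith", "1990"} // constructed user profile
	for _, pw := range []string{"NYClover", "N3wY0rkC!tyL0v3r", "P@ssw0rd123!", "Smith1990!xyz"} {
		fmt.Printf("%-18s -> %v\n", pw, p.Check(pw, personal))
	}
}
```

Note that N3wY0rkC!tyL0v3r passes every rule, while P@ssw0rd123! is rejected because it normalizes to a common password: what sets the two apart is the length and the unusual word sequence, not the symbols.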

How to Prevent Phishing Attacks Against Your Organization


What is a Phishing Attack?

In recent news, several large companies, including Microsoft and Facebook, have been affected by phishing attacks. Phishing is a type of cybercrime in which an attacker poses as a legitimate company or website in order to trick the victim into divulging sensitive information, such as a social security number, credit card number, or login credentials. Phishing attacks can take place over the phone, instant messaging, or email. Phishing differs from other cybercrimes in that it requires human interaction: attackers target end users rather than the computer systems themselves. These attacks can be damaging to a company; however, they can be prevented.

How Does a Phishing Attack Work?

A common example of phishing occurs when a company employee receives an email prompting them to change their company password. The email includes a link to a legitimate-looking website, where the victim enters their credentials. The attacker now has the victim's login information and, with it, access to the company network. From there, the attacker may be able to retrieve confidential information and hold it for ransom, or find other security holes to exploit.

How Can I Prevent a Phishing Attack?

1. Use Web and Email Filters

Applying web and email filters can help filter out spam content from legitimate content. See examples of web filters.

2. Compose New Hire and Annual Security Training for Employees

Attackers can often bypass web or email filters, so it is vital to provide comprehensive security training to employees. Educate employees on the methods attackers use and the consequences phishing attacks can have on the company. Send simulated phishing emails to employees to familiarize them with illegitimate emails and webpages, and train them on ways to identify a phishing email. Also, have a well-written Acceptable Use Policy and Security Awareness Policy.

3. Stay Updated

It is crucial to keep your anti-virus software, firewalls, and operating systems updated to prevent an attacker from exploiting known security holes. Run routine security scans on all machines and perform regular security risk assessments. Additionally, check that your Disaster Recovery Plan is updated frequently and actually works when tested.

4. Review Company Website and Information

Phishing attacks require the attacker to research the company, such as employee names and contact information. Attackers may also look into the vendors the company uses, such as the types of machines and operating systems in use. Limit how much employee and vendor information is publicly accessible.

5. Be In the Know

Be aware of new cybercrime cases and vulnerabilities reported in the news, blogs, and security bulletins. Defenses often lag behind new attacks, so it is important to stay alert to new types of attack. Websites such as The Cyber Wire post daily security briefings.

Prevention is Key

Recovering from cybercrime can be rigorous and exhausting, so having preventive measures in place is the most practical solution. By combining technical controls with security awareness, you can mitigate the risk of a phishing attack against your company.

How a Sneaky Data Hack Increases Liability Risks for Corporate Directors

Adsero Security develops long-term solutions that are supported by written policies. Issues such as hacking can be reduced through penetration testing. Check out this article about how easily organizations can be hacked.

Directors Facing Increased Liability for Data Breaches

Because two of my clients – 360 Advanced and Adsero Security – provide IT data breach auditing and remediation services, I was especially interested when I learned of how a major corporation had been so easily hacked recently.

The hackers got inside the corporation’s accounts payable department and had a pretty hefty check sent to them, which was cashed and cleared. The corporation’s vice president for information technology (IT) and his team reported to the board at its monthly directors and management meeting that “everything’s OK now.”

Is it? Could the hackers still be inside, or worse, inside the company’s vendor and partner IT systems?

“Duty of care” Demands Auditing Risks as Hacks Increase

Statistics show that once data thieves are in, they can hide for months undiscovered until they strike again – this time at an even greater cost to the victim and their vendors and partners. Data thieves got inside Target through an air conditioning/heating vendor and loitered at their leisure, and Yahoo! and Equifax still aren’t certain who or how they were breached.

Which brings me back to the corporate board of directors. The corporation victimized by the hackers in this instance has not had an outside, third-party audit of its IT systems and data security processes and protocols by a QSA – Qualified Security Assessor. Could that failure lead to a lawsuit against its officers and directors for failure to exercise the concept of duty of care when there is another future hack? With news of major hacks every day now, should boards be more diligent in ordering management to have such audits?