IT security policies are necessary in organizations because they define who is responsible for which information within the company. Policies are the baseline for all procedures and should be maintained regularly.
Why Do Organizations Need Security Policies?
IT security policies outline rules for user and IT personnel behavior and identify the consequences of not adhering to them. Policies are also crucial in ensuring compliance with standards and regulations such as NIST and HIPAA. Policies should define the risks within the organization and provide guidelines on how to reduce those risks, and they should be tailored to fit the company’s needs.
Writing an Effective IT Security Policy
Conduct a Security Risk Assessment to identify all the critical assets, vulnerabilities, and controls in your company. Use this assessment to determine ways to reduce or eliminate the risks it identifies.
Determine the scope of the policy including who the policy will address and what assets will be covered.
Ensure your policy is written to be easily understood by employees and enforced by management. Employees need to be explicitly aware of the consequences of not complying with the policy. These policies will help with the development of procedures, so it is important to write the policies clearly.
Update your policies at least once a year to keep them up to date with your company’s procedures and security concerns.
Common IT Security Policies:
Data Backup Plan
Encryption and Decryption
Security Incident Response
Which IT security policies a company needs depends on the data it handles. For example, a company that handles customer health data should consider implementing a HIPAA Acceptable Use Policy.
Passwords can be an inconvenience to remember, especially when you have dozens of applications and accounts to log into every day. However, with the increase in phishing and ransomware attacks, passwords can be the main line of defense for your data. Once an attacker knows your password, your personal data and your company’s data may be at risk. Employees are often the weakest link in any organization’s information security, so it is important to ensure that you and your employees follow these tips. These steps should be outlined in a strong, detailed password policy.
1. Use a longer password with a mix of letters, numbers, and symbols.
Making passwords more complex reduces the chance of an attacker guessing them. An easy password such as NYClover can be strengthened by adding numbers and symbols; for example, the password N3wY0rkC!tyL0v3r is more secure.
2. Never use a word or phrase that is easy to guess or contains personal information.
Using personal information such as your middle name or birthday is risky, especially when it can be found on your social media. Using full words or phrases in your passwords may also make them easy to guess. See the list of the 1000 most used passwords and avoid using them.
3. DO NOT use the same password for all your accounts.
Using the same password for all your accounts is dangerous: an attacker who learns that one password may be able to access all of your accounts.
4. Never write down your passwords on paper.
Writing down your passwords can make you a target for shoulder surfing. Password managers, such as LastPass, should be used to remember your passwords and should be protected with a strong master password.
5. Use Multifactor Authentication (MFA).
Using MFA helps secure your account in case your password is compromised. MFA can be a one-time code sent to your phone or email. Google allows users to set up MFA manually.
6. Change your passwords consistently.
Passwords should be changed on a regular basis, in case your current password has been compromised. Many applications require users to change passwords after 90 days or some other fixed interval, while others may only recommend changing your password after a certain period of time. Best practice is to change your password on a consistent schedule, preferably every 90 days or less.
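The six tips above amount to a password policy that can be checked mechanically. The following Python example is added here and is not code from the original article: it enforces the length and character-mix, common-password, personal-information and reuse rules, and runs the article's own NYClover versus N3wY0rkC!tyL0v3r pair. The 12-character minimum and the short common-password list are assumptions standing in for the policy's own threshold and the 1000-password list the text links to.

```python
import string
from dataclasses import dataclass, field

# Constructed stand-in for the "1000 most used passwords" list referenced above.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}


@dataclass
class PasswordPolicy:
    """Password rules from the tips above; min_length is an assumed threshold."""
    min_length: int = 12
    common_passwords: set = field(default_factory=lambda: set(COMMON_PASSWORDS))

    def check(self, password, personal_info=(), previous_passwords=()):
        """Return the list of violated rules; an empty list means the password is acceptable.

        personal_info: strings such as a middle name or birth year that must not appear.
        previous_passwords: passwords already used on other accounts (tip 3).
        """
        problems = []
        # Tip 1: longer, with a mix of letters, numbers and symbols.
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not any(c.isalpha() for c in password):
            problems.append("no letters")
        if not any(c.isdigit() for c in password):
            problems.append("no digits")
        if not any(c in string.punctuation for c in password):
            problems.append("no symbols")
        # Tip 2: nothing from the common-password list, nothing personal.
        lowered = password.lower()
        if lowered in self.common_passwords:
            problems.append("appears in the common-password list")
        for item in personal_info:
            # Very short fragments (e.g. initials) are ignored to avoid false positives.
            if len(item) >= 4 and item.lower() in lowered:
                problems.append(f"contains personal information ({item})")
        # Tip 3: never the same password on more than one account.
        if password in previous_passwords:
            problems.append("reused from another account")
        return problems


def is_acceptable(password, **kwargs):
    """Convenience wrapper: True when the default policy finds no violations."""
    return not PasswordPolicy().check(password, **kwargs)


if __name__ == "__main__":
    # The article's own pair of examples.
    print("NYClover:", PasswordPolicy().check("NYClover"))
    print("N3wY0rkC!tyL0v3r:", PasswordPolicy().check("N3wY0rkC!tyL0v3r"))
```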
In recent news, several large companies, including Microsoft and Facebook, have been affected by phishing attacks. Phishing is a type of cybercrime in which an attacker poses as a legitimate company or website in order to get the victim to divulge sensitive information, such as the victim’s Social Security number, credit card number, or login credentials. Phishing attacks can take place over the phone, instant messaging, or email. Phishing differs from other cybercrimes in that it requires human interaction; attackers target end-users rather than the computer systems themselves. These attacks can be damaging to a company; however, they can be prevented.
How Does a Phishing Attack Work?
A common example of phishing occurs when a company employee receives an email prompting them to change their company password. This email usually includes a link that brings the victim to a legitimate-looking website, where the victim enters their credentials. The attacker now has the victim’s login information and access to the company network. After gaining access to the company network, the attacker may be able to retrieve confidential information to hold for ransom or find other security holes to exploit.
How Can I Prevent a Phishing Attack?
1. Use Web and Email Filters
Applying web and email filters helps separate spam content from legitimate content. See examples of web filters.
2. Compose New Hire and Annual Security Training for Employees
Attackers can often bypass web or email filters, so it is vital to provide comprehensive security training to employees. Educate employees on the different methods attackers may use and the consequences phishing attacks may have on the company. Send a simulated phishing email to employees to familiarize them with illegitimate emails and webpages, and train them on ways to identify a phishing email. Also, have a well-written Acceptable Use Policy and Security Awareness Policy.
3. Stay Updated
It is crucial to update your anti-virus software, firewalls, and operating systems frequently to prevent an attacker from exploiting known security holes. Run routine security scans on all machines and perform regular Security Risk Assessments. Additionally, check that your Disaster Recovery Plan is updated frequently and working.
4. Review Company Website and Information
Phishing attacks require the attacker to research the company, such as employee names and contact information. Attackers may also look into the vendors the company uses, such as the types of machines and operating systems. Ensure that access to employee and vendor information is limited.
5. Be In the Know
Be aware of new cybercrime cases and vulnerabilities in the news, blogs, and security bulletins. Defenses often cannot keep up with attacks, so it is important to stay alert to new types of attacks. Websites such as The Cyber Wire post daily security briefings.
Prevention is Key
Recovering from cybercrime can be rigorous and exhausting, so having preventive measures in place is the most practical solution. By combining technical controls with security awareness, you can mitigate the risk of a phishing attack against your company.
You may have read in the news lately about a new and growing threat to municipal computer networks: ransomware attacks. These attacks can be crippling and can shut down entire cities for weeks or even months. They can have devastating consequences and can cost hundreds of thousands of dollars in ransom just to get a city’s network back online. The good news is that these types of municipal malware attacks are preventable.
How does a Ransomware Attack Work?
A ransomware attack, such as Cryptolocker or Triple Threat (which combines Emotet, TrickBot and Ryuk), works by gaining a foothold somewhere in your network, usually through a phishing campaign against city employees or by gaining access to the network through out-of-date software. Once in the network, the malware spreads from machine to machine and server to server to infect as many machines as possible. Once it has infected a large enough number of machines, it activates and begins encrypting all the data stored on every computer. Once the data is encrypted, users are shown the ransom demands on their computer screens. Ransom demands can range from $75,000 in bitcoins, as in the Baltimore attacks, to hundreds of thousands of dollars, as in the $600,000 Riviera Beach attack ransom.
How do I prevent a Ransomware Attack?
Preventing a ransomware attack is always your best option, potentially saving your city hundreds of thousands of dollars in losses. Luckily, preventing a ransomware attack is doable. Here are 4 basic steps you should take to prevent ransomware attacks on your municipal network:
1) Update, update, update
Most malware attacks take advantage of out-of-date software and operating systems with security holes. Make sure your entire network, including all servers and end-user desktops and laptops, is updated with the most current version of Windows or MacOS and that automatic updates are enabled. Monthly updates are critical to your security.
2) Use Anti-virus / Anti-malware software on everything
Strong antivirus software is one of the best defenses against ransomware attacks. Ensure that every server, desktop and laptop in your network has an up-to-date copy of antivirus software running on it. Make sure that automatic definition updates are enabled and that the machine is protected with real-time protection or with daily scans.
3) Ensure your Disaster Recovery Plan is in place, and working
Recovering from an attack after the fact, without paying the ransom, is near impossible unless you have a well-planned, tested and functioning Disaster Recovery Plan. That means ensuring that all your servers and data are backed up on a daily basis and stored offsite. A good rule of thumb is the 3-2-1 backup rule: always have 3 copies of your data, keep 2 of them on different types of storage, and keep 1 of them offsite. With a solid Disaster Recovery Plan, recovery from a ransomware attack can be as simple as cleaning your servers and restoring your data.
4) Know your network and software
Do you know what is currently on your network? Do you know if your machines are updated? How well is your anti-virus software working? Knowing exactly how well protected your network is can be the difference between ransomware taking over your network and staying safe. Perform regular Security Risk Assessments to ensure you are properly protecting your network and data from attacks.
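The 3-2-1 rule in step 3 can be audited against a backup inventory rather than taken on trust. The following Python example is added here and is not code from the article: the BackupCopy fields, the one-day freshness window (the text asks for daily backups) and the two sample inventories are constructed assumptions, and the live production copy is counted as one of the three copies.

```python
from dataclasses import dataclass


@dataclass
class BackupCopy:
    label: str
    medium: str      # e.g. "disk", "tape", "cloud-object-storage"
    offsite: bool
    age_days: int    # days since this copy last completed successfully


def check_3_2_1(copies, max_age_days=1):
    """Evaluate the 3-2-1 rule over a list of BackupCopy records.

    Only copies no older than max_age_days count, so a backup job that has
    silently stopped running cannot satisfy the rule. Returns
    (compliant, failure_messages).
    """
    fresh = [c for c in copies if c.age_days <= max_age_days]
    stale = [c for c in copies if c.age_days > max_age_days]
    failures = [f"{c.label}: last success {c.age_days} days ago, not counted" for c in stale]
    # 3: at least three current copies (the production data is one of them).
    if len(fresh) < 3:
        failures.append(f"3 copies required, {len(fresh)} current")
    # 2: copies must span at least two different storage types.
    media = {c.medium for c in fresh}
    if len(media) < 2:
        failures.append(f"2 storage types required, found: {', '.join(sorted(media)) or 'none'}")
    # 1: at least one current copy must be held offsite.
    if not any(c.offsite for c in fresh):
        failures.append("1 offsite copy required, none current")
    return (not failures, failures)


# Constructed sample inventories for a small municipal file server.
COMPLIANT_SET = [
    BackupCopy("production data", "disk", False, 0),
    BackupCopy("nightly NAS backup", "disk", False, 0),
    BackupCopy("offsite tape rotation", "tape", True, 1),
]
# Same layout, but the offsite tape job has not succeeded for nine days.
BROKEN_SET = [
    BackupCopy("production data", "disk", False, 0),
    BackupCopy("nightly NAS backup", "disk", False, 0),
    BackupCopy("offsite tape rotation", "tape", True, 9),
]

if __name__ == "__main__":
    for name, inventory in (("compliant", COMPLIANT_SET), ("broken", BROKEN_SET)):
        ok, problems = check_3_2_1(inventory)
        print(name, "->", "PASS" if ok else "FAIL", problems)
```

Note that a single stale offsite copy breaks all three conditions at once, which is exactly the situation a ransomware recovery would expose too late.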
An Ounce of Prevention is Worth A Pound of Cure
Preventing ransomware in your city’s network is definitely one place where this old adage holds true. Taking the four basic steps outlined above to protect your municipal network will go a long way toward preventing ransomware attacks. Recovering from a ransomware attack can be a nightmare, so plan ahead, practice good IT hygiene, and you can significantly lessen the risk of a municipal ransomware attack.
A Security Risk Assessment (or SRA) is an assessment that identifies the risks in your company, your technology and your processes to verify that controls are in place to safeguard against security threats. Security risk assessments are typically required by compliance standards, such as the PCI-DSS standard for payment card security. They are required by the AICPA as part of a SOC II audit for service organizations and are also requirements for ISO 27001, HITRUST CSF and HIPAA compliance, to name a few. Because of this, security risk assessments go by many names: a risk assessment, an IT infrastructure risk assessment, a security risk audit, or a security audit.
Security Risk Assessments are performed by a security assessor who evaluates all aspects of your company’s systems to identify areas of risk. These may be as simple as a system that allows weak passwords, or more complex issues such as insecure business processes. The assessor will typically review everything from HR policies to firewall configurations while working to identify potential risks.
For example, during the discovery process an assessor will identify every database containing sensitive information: each one is an asset. If that database is connected to the internet, that is a vulnerability. To protect the asset, you need a control in place, in this case a firewall. You have now taken the first step in mitigating risk.
A Security Risk Assessment identifies all your critical assets, vulnerabilities and controls in your company to ensure that all your risks have been properly mitigated.
Why do I need a Security Risk Assessment?
A Security Risk Assessment is vital in protecting your company from security risks. Imagine being tasked with remodeling a house, without being told what’s wrong with it first. A security risk assessment provides you with the blueprint of risks that exist in your environment and gives you vital information about how critical each issue is. Knowing where to begin when improving your security allows you to maximize your IT resources and budget, saving you time and money.
What’s the difference between Risk Management and a Security Risk Assessment?
This is one of the most common questions when people begin to read through security or compliance requirements. The short answer is: a Security Risk Assessment is a point-in-time review of your company’s technology, people and processes to identify problems. Risk Management is an ongoing process in which you round up all the identified risks in your company and work towards eliminating them.
Security Risk Assessments are deep-dive evaluations of your company, or perhaps of a specific IT project or a single company department. During the assessment, the goal is to find problems and security holes before the bad guys do. The assessment process should review and test systems and people, looking for weaknesses. As weaknesses are found, they are ranked by how big a risk they pose to the company. The resulting report identifies systems that are working well and properly secured, and those that have issues. A Security Risk Assessment will typically have very specific technical results, such as network scanning results or firewall configuration results.
Risk Management is an ongoing effort to collect all the known problems and work to find solutions to them. Think of a Risk Management process as a monthly or weekly management meeting: each time, risks and problems are identified, ranked and then discussed to ensure that nothing is slipping through the cracks. The goal of a Risk Management process is to continually improve the security of a company and work to eliminate risks as they occur.
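The asset/vulnerability/control walk-through above and the ranking step of the assessment can be written down as a small risk register. The following Python example is added here and is not code from the article or from Adsero Security: each finding gets a likelihood and impact on a 1-5 scale, controls already in place lower the likelihood, and findings are ordered by residual risk the way an assessment report would list them. The scales, the control model, the rating thresholds and the sample findings are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    likelihood_reduction: int  # points taken off likelihood (1-5 scale); assumed model

@dataclass
class Finding:
    asset: str          # e.g. the database holding sensitive data
    vulnerability: str  # e.g. connected to the internet
    likelihood: int     # 1 (rare) .. 5 (almost certain), before crediting any control
    impact: int         # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def inherent_risk(self):
        """Risk score with no control credited."""
        return self.likelihood * self.impact

    def residual_likelihood(self):
        # A control lowers likelihood but never drives it below the minimum.
        return max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))

    def residual_risk(self):
        """Risk score that remains with the current controls in place."""
        return self.residual_likelihood() * self.impact

def rating(score):
    """Map a 1..25 score to the bands a report would use (thresholds assumed)."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def rank_findings(findings):
    """Highest residual risk first; inherent risk breaks ties."""
    return sorted(findings, key=lambda f: (f.residual_risk(), f.inherent_risk()), reverse=True)

def risk_register(findings):
    """Rows of the risk register in priority order, as a report would list them."""
    return [{"asset": f.asset, "vulnerability": f.vulnerability,
             "controls": [c.name for c in f.controls],
             "inherent": f.inherent_risk(), "residual": f.residual_risk(),
             "rating": rating(f.residual_risk())}
            for f in rank_findings(findings)]

# Constructed sample findings, following the article's own walk-through.
SAMPLE_FINDINGS = [
    Finding("customer database", "connected to the internet", 5, 5,
            [Control("perimeter firewall", 3)]),
    Finding("HR portal", "allows weak passwords", 4, 3),
    Finding("server room", "no fire suppression", 1, 5),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_FINDINGS):
        print(f"{row['rating']:6} residual {row['residual']:>2} (inherent {row['inherent']:>2}) "
              f"{row['asset']}: {row['vulnerability']}")
```

The firewall does not make the internet-facing database the lowest item: it drops the residual score, but the uncontrolled weak-password finding now ranks above it, which is the ordering the Risk Management meeting should work from.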
What types of systems are involved in a Security Risk Assessment?
A Security Risk Assessment is a far-reaching review of anything that could pose a risk to the security or compliance of the company. Each assessment is tailored to fit the exact purpose and scope requested by the client. Assessments can involve any of the following elements:
Facility Power & Redundancy
Backup Power, UPS & Generator Capacity
Facility Cooling Capacity & Redundancy
Facility Fire Suppression Systems
Server Wiring and Cabling
Server Rack Infrastructure
Facility Physical Security & Tracking Systems
Facility Camera & Alarm Systems
Servers & Systems
Server Inventory including detected OS’s
Server Vulnerability Reports
Server Resource Utilization
Server Backup Processes
Redundancy / High Availability Configuration
IT Asset Inventory Processes
Server Update Processes
Identity & Authentication Systems
Complete Network Discovery Mapping
Discovered Network Inventory List
Internal Network Device Vulnerability Scan
External Network Device Vulnerability Scan
Firewall Vulnerability Scan
SPAM Filtering Review
Web Filter Device Review
Data Loss Prevention Systems Review
Discovery of all internal web applications
Discovery of all external web applications
Application Vulnerability Assessment
Application Server Vulnerability Scanning
Sensitive Data Inventory
Data Risk Analysis
Data Encryption Review
Access Authorization Procedures
Access Controls
Comprehensive IT Policy Review
Disaster Recovery Plan Review
Business Continuity Plan Review
Device and Media Control Policy Review
Software Development Procedure Review
Security Incident Procedure Review
Log Monitoring Process Review
Workforce Security Policy Review
Workforce “Hire and Fire” Policy Review
Risk Management Process Review
So how do you perform a Security Risk Assessment?
A Security Risk Assessment typically covers all aspects of a company, from IT to Operations to HR and Accounting. An assessment is a labor-intensive process; although each assessment is unique to match the company and scope, they typically take 30-60+ days and contain the phases outlined below:
Adsero schedules a conference call to discuss your company, your procedures and what your goals are during the Risk Assessment process.
Next, our team of experts will spend time at your facility to perform an onsite review of your technology and processes.
Adsero Security’s analysts then take the information gathered during the onsite visit and begin identifying risks and the controls you may already have in place.
Once all the analysis is complete, you will receive a complete Risk Assessment report that outlines all your assets, vulnerabilities and risks. The report includes recommendations on how to improve your overall security and compliance.
Encrypting desktop and laptop computers is one of the easiest ways to prevent data loss resulting from lost or stolen computers. Modern operating systems such as Windows 10 Pro and MacOS High Sierra include full disk encryption features bundled with the operating system. Once a disk is encrypted, it is impossible to access data on the device without the proper credentials. This simple task is extremely effective and yet has zero impact on users’ daily work tasks and responsibilities.
Companies often forget about data once they stop using it day-to-day. Leaving outdated data on sunsetted systems increases your potential exposure in the event of a data breach. Ensure that data no longer actively used is properly disposed of, and that devices containing data, such as laptops, old hard drives and USB drives, are properly DoD data wiped or destroyed. Retired company laptops may still retain recoverable data on their hard drives even after formatting. A policy-driven culture enforcing proper destruction and disposal of retired equipment is best practice.
Allowing employees or guests to share a single WiFi password prevents you from controlling who is accessing your company network. Once a person has your WiFi password, they can access your network at any time, even from outside your building’s locked doors, or potentially after you have terminated them, leaving you with no control. Users should always connect to WiFi using a unique username and strong password that company staff can enable and disable as needed. Company policy should always require users to use strong passwords so that your WiFi password cannot be guessed or compromised.
Once a user logs into a computer, they potentially have access to sensitive company information. If they get distracted or leave their computer unattended, your company data is open to potential theft or exploitation. Ensure that all company computers are set to automatically lock the screen after a defined time interval, e.g. 15 or 30 minutes, and then require a password to log back in.
Data breaches occur almost on a daily basis. You may not know what your IT security problem is. We will find it, and we’ll develop and implement real-world solutions. Read on to learn more about the data breach that leaked state government material.
News has surfaced of a breach of sensitive data of California state employees.
As reported by The Sacramento Bee, it appears thousands of Social Security numbers have been exposed at the Department of Fish and Wildlife, with the department confirming so in a memo sent to its staff.
It is alleged the breach was discovered in December last year but was only disclosed to employees this week. The California Highway Patrol is thought to be investigating the incident, which is believed to have been brought about as a result of a former state employee downloading data to a personal device before taking the device outside of the state’s network.