Security Architect

Security Architect is a Hot New Job

Security Architect job description
Security Architect is just one of over 280 full job descriptions that are delivered electronically

Security Architect – The one position that CIOs and C-level executives are looking to fill. With all of the recent cyber-attacks and the negative publicity they have generated, there is a need for this proactive position.

Most of the other positions are focused on “after the fact” monitoring. This one looks at what could happen and creates an architecture which addresses potential cyber-attacks and hacks. The individuals in this role operate on the philosophy that it is easier to prevent something from happening than to address problems after they occur.

Position Purpose

The individual in this position assumes responsibility for data security, including the planning, design and implementation of security measures which safeguard access to enterprise terminal files and data elements. The administrator provides rapid response to the user community’s requests for security assistance.

They secure enterprise information by determining security requirements; planning, implementing, and testing security systems; preparing security standards, policies, and procedures; and mentoring team members.

The full job description for this position has just been released.



IT Related Fraud issues addressed by Janco

IT related fraud occurred in over 70% of companies

Malware exposure is high in many enterprises

IT related fraud and malware infections cause a number of problems. Machines become unresponsive or sluggish, resulting in users becoming frustrated and administrators spending precious time trying to find the problem.

Once an attacker is on the inside, his or her work is significantly easier since, on most networks, systems on the inside are trusted. To that end, in a review of over 300 security audits Janco has found a list of the greatest security weaknesses.

Enterprise Wide Security Weaknesses

The weaknesses are:

  • Using only single-level verification for access to sensitive data
  • Having “public” workstations or access points connected to a secure network
  • Sharing login credentials
  • Relying on client-side JavaScript as the only data validation for forms
  • Connecting to the network from an unsecured access point
  • Encrypting the corporate web site but not the login process
  • Using weak encryption for back-end management
  • Using unencrypted or weakly encrypted connections for Web site or Web server management


New York Security Compliance

New York Security Compliance Mandates added

New York Security Compliance – The State of New York announced a series of new rules strengthening cybersecurity requirements for financial firms. This is the latest in a series of announcements aimed at protecting clients, consumers and financial entities from the “ever-growing threat of cyber-attacks.”

The Governor of New York said, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from … state-sponsored organizations, global terrorist networks, and other criminal enterprises.” Even if your firm isn’t directly subject to these new regulations, it’s safe to assume that this approach will be rapidly adopted by similar regulatory bodies domestically and around the world.

The current draft calls for the “encryption of all nonpublic information held or transmitted”, but because the rules tie that requirement tightly to access control, acceptable usage policy, and data retention, simple encryption won’t be enough to comply with the New York mandates.

To comply with the New York Security Compliance mandates, CFOs, CIOs, CSOs, and their firms should:

  • Implement more dynamic ways to protect data. Enterprises will need to deploy more dynamic forms of data protection that extend beyond their current systems. When the requirement for encryption and data-loss protection spans not just records and managed systems, but anywhere data can travel, traditional means of encryption and monitoring do not scale. Organizations will need to enforce granular limitations on access privileges, implement new audit systems to document data governance, and be able to remotely apply data disposition and destruction rules.
  • Tie access control and privilege management to identity. In a complex technology ecosystem, it’s no longer feasible to define access and privilege at the system, device, or perimeter. Identity is the one attribute that crosses on-premises, cloud, and unmanaged services, and provides a consistent way to set, audit, and control access to confidential information. Ultimately, encryption, access controls, and data-in-use protections must persist independent of the kinds of data protected, where it’s stored, or how it’s shared.
  • Prioritize solutions to balance simplicity and security. Too often, risk and security teams have simply added new solutions to their portfolio in response to regulations and enforcement. Unfortunately, this has often created a complex, hard-to-navigate forest of tools, hurdles, and collaboration dead-ends for employees. The downside of that is it creates incentives for otherwise well-intentioned people to avoid following policy, increasing the risk of a material breach.
  • Make audit a primary concern. In the past, the requirement for an audit trail on data access was seen as an add-on. In the worst case, it was an afterthought, something built last as a reaction to risk and compliance needs. But, by thinking differently about this rich trove of data, you can improve your visibility into data use and your ability to identify dangerous behavior in advance. In many cases, you will be able to proactively stop data loss before it happens. With a strategy that protects data directly, by deploying identity-driven access controls and dynamic permissions, you can use the data from each user interaction to build a better picture of where data is traveling, and to whom.
  • Take a more dynamic approach to data protection. Adhere to mandates and be ready to tell any auditor about your enterprise’s ability to protect the confidentiality, integrity, and availability of your enterprise’s information.


Wearable Device Security Concerns


Wearable Device Security – Over 300,000,000 wearable devices are going to be deployed in the next several years


Wearable Device Security – Janco Associates has determined that most mobile devices have some major vulnerabilities. They include:

  • Insufficient User Authentication/Authorization: Many devices are vulnerable to account harvesting, meaning an attacker could gain access to the device and data via a combination of weak password policy, lack of account lockout, and user enumeration.
  • Data Encryption Missing: Most devices have implemented transport encryption using SSL/TLS, but almost one half of all cloud connections are vulnerable to the POODLE attack, allow the use of weak ciphers, or still use SSL v2.
  • Insecure Interfaces: Over 1/3 of smartwatches use cloud-based web interfaces, all of which have major security concerns. In addition, there are security concerns with the devices’ mobile applications. These vulnerabilities enable attackers to identify valid user accounts through the feedback received from password reset mechanisms.
  • Software/Firmware Updates Not Secure: Firmware and software security issues include transmitting updates without encryption and without encrypting the update files. On the plus side, most updates are signed to help prevent the installation of contaminated firmware. While malicious updates cannot be installed, the lack of encryption allows the files to be downloaded and analyzed.
  • Privacy Controls Are Missing: Most wearable devices collect some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account security issues and the use of weak passwords on some products, exposure of this personal information is a concern.

The use of wearable devices that can capture and broadcast video, voice, data and location information is increasing at an accelerated rate.

Janco addresses the security, privacy and reputation management issues for a world in which wearable devices have cameras, microphones, massive data storage and Internet connectivity.


Wearable devices provide a variety of potential business or educational uses involving accessing, capturing and sharing data. At the same time they can pose a significant security risk to an organization: the ability to surreptitiously record audio and video can threaten business confidentiality and jeopardize company data and even its reputation.

With that in mind, the consultants at Janco Associates have created a Wearable Device Policy that can be downloaded and used as a guideline for organizations as they establish rules for the use of such devices in the workplace.

Security is a pipe-dream

Security is a pipe-dream: few enterprises are fully protected from the events that have occurred in the past several months.

Not many CIOs and CSOs feel they have 100% of their security risks covered. In a recent survey that was published in NetworkWorld:

  • 55% said that was the case
  • 40% said they hoped they had all of their security bases covered
  • 6% said that they did

With only 6% saying they had all of their bases covered, there is a lot of room for hackers and data breachers to attack the systems in place.

Now that we know that a security breach may occur, how sure are these same CIOs and CSOs that they will be able to react in time? The first step is detecting that a hack or breach has occurred. In another survey by Janco Associates we found that in midsized and large enterprises:

  • 35% had a detection solution in place and they automatically quarantined the server(s)
  • 43% had a detection solution in place but had to “manually” quarantine the server(s)
  • 23% had to “manually” put the server(s) offline when they found out they had a problem

When you put these two sets of data together, you conclude that less than 2% of enterprises are protected adequately enough to prevent a major security hack or breach occurring.

Disaster Recovery / Business Continuity &
Security Template Bundle

ISO 27000, Sarbanes-Oxley, and HIPAA Compliant
PCI-DSS Compliant


Experts Agree You Should Update Your Plan Annually

Security is a critical concern during the recovery process

It goes without saying that every company, regardless of size, needs a concise business continuity plan in case of an emergency. If you don’t have a disaster recovery plan or haven’t updated yours recently, now is the time to take this critical step to protect your business.

Top 6 cyber attack threats


These are the top 6 threats that CSOs need to address as attackers conspire to take down applications and steal data. These threats focus on data center infrastructure. (See also How to Manage Cyber Attacks.) Because they store the most valuable and most visible assets in your organization – web, DNS, database, and email servers – data centers have become the number one target of cyber criminals, hacktivists and state-sponsored attackers. The threats are:

  1. DDoS Attacks
  2. Web Application Attacks
  3. DNS Infrastructure
  4. SSL-Induced Security Blind Spots
  5. Brute Force
  6. Weak Authentication

CIOs and CSOs start the management process before the cyber attack occurs

Cyber-attacks are now an everyday event and it is only a matter of time before your company faces one if it has not already. Cyber criminals are ubiquitous and attacks will continue despite our resolute attempts to stop them – even organizations with the best defenses in place are not immune. CIOs and CSOs need to accept these risks as fact and be prepared to respond quickly and effectively.
Managing cyber breaches starts before the breach occurs


ISO 22301 International Business Continuity Standard


In the constantly changing business environment, and with unpredictable natural disasters and accidents, risk and security officers are forced to focus more on developing immunity to such unpleasant occurrences in order to continue stable business operations. ISO 22301, the first international standard for Disaster Recovery Management, emphasizes quality planning and the monitoring of a well-defined framework to facilitate timely responses to disruptive events.


In most organizations, the DRP and BCP processes are the most complex tasks CIOs need to focus on. Disasters typically happen so infrequently that recovery operations are the opposite of routine. What’s more, the myriad interconnected data, application and other resources that must be recovered after a disaster make recovery an exceptionally difficult and error-prone effort. Even if you have never built a Disaster Recovery plan before, you can achieve great results. Just follow the DR Template that Janco has created and you will have a functioning plan before you know it.


Password Requirements and Management Issues

Password Requirements

  1. Passwords should not be reused across many accounts, but should preferably be unique to each account. (Single-sign-on services and password management tools should be used very carefully, and in a decentralized arrangement, in view of the single point of failure that comes with them.)
  2. Passwords written on a memo should be hidden in a safe place. (This may be practicable indoors, but not outdoors, where there is no such safe place and both the memo and the mobile device will, with 100% probability, be found on the user.)
  3. Whether with multi-factor authentication, biometric solutions or ID federation, a reliable password that confirms the volition of the user remains a fundamental prerequisite or essential condition.

The limitations that work against managing many passwords are:

  • Humans can firmly remember only 5 textual passwords on average.
  • Existing password authentication systems are still all text-based, even though it is easily possible to break the above limitation (4) by expanding the password systems to include pictures from episodic/autobiographic memory in addition to the conventional textual passwords.

Examples of invalid or poorly chosen passwords:

  • Your login ID.
  • Names of co-workers, pets, family, etc.
  • Phone numbers, license numbers, or birthdays.
  • Simple passwords like “asdf” (adjacent keys on a keyboard).
  • Words that can be found in a dictionary.

Examples of strong passwords (the following are for example purposes only; do not use any of these examples as your actual password):

  • Use a name, modified slightly, like “b0b$mith” or “M@ryL0ng”.
  • Use a phrase you can remember, like “hello world” modified to “hel10@World”.
  • “tL*5i?wu” (contains letters, special characters, and numbers).

Even though it is not a rule, it is strongly recommended that you use a combination of both upper- and lower-case letters.
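The password rules above, implemented as an added policy checker (example code written for this page, not Janco’s own product or policy text). The dictionary, name list and login ID are constructed sample data; mixed case is reported as a warning rather than a rejection, matching the “recommended, not a rule” wording.

```python
import re

# Constructed sample data, not from the original post: a stand-in dictionary
# and a few names (co-workers, pets, family) that must not be used as passwords.
SAMPLE_DICTIONARY = {"hello", "world", "password", "summer", "welcome", "secret"}
SAMPLE_NAMES = {"bob", "smith", "mary", "long", "fido"}

# Keyboard rows used to spot runs of adjacent keys such as "asdf".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Digits plus the separators typical of phone numbers, licence numbers and birthdays.
NUMERIC_ONLY = re.compile(r"^[\d\s\-/.()]+$")


def has_keyboard_run(password: str, length: int = 4) -> bool:
    """True if `length` consecutive characters are adjacent keys on one row, in either direction."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            chunk = row[i:i + length]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(password: str, login_id: str = "",
                   names=SAMPLE_NAMES, dictionary=SAMPLE_DICTIONARY) -> dict:
    """Apply the policy. Returns {'errors': [...], 'warnings': [...]};
    an empty 'errors' list means the password is acceptable."""
    errors, warnings = [], []
    low = password.lower()

    if login_id and low == login_id.lower():
        errors.append("login_id")        # password is the user's own login ID
    if low in {n.lower() for n in names}:
        errors.append("name")            # name of a co-worker, pet or family member
    if NUMERIC_ONLY.match(password) and sum(c.isdigit() for c in password) >= 4:
        errors.append("number")          # looks like a phone/licence number or birthday
    if has_keyboard_run(password):
        errors.append("keyboard_run")    # "asdf"-style adjacent keys
    if low in {w.lower() for w in dictionary}:
        errors.append("dictionary")      # a plain dictionary word

    # Mixed case is strongly recommended but not a rule, so it is only a warning.
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        warnings.append("mixed_case")
    return {"errors": errors, "warnings": warnings}


def is_acceptable(password: str, login_id: str = "") -> bool:
    """Convenience wrapper: True when no rule is violated (warnings are allowed)."""
    return not check_password(password, login_id)["errors"]


if __name__ == "__main__":
    # The page's own examples of poor and strong passwords, plus a constructed login ID.
    for pw in ("asdf", "jsmith", "555-1234", "Summer",
               "b0b$mith", "M@ryL0ng", "hel10@World", "tL*5i?wu"):
        print(f"{pw:12} -> {check_password(pw, login_id='jsmith')}")
```

In practice the sample dictionary would be replaced by a real word list, and the checker run at password-set time so the rejection reason can be shown to the user.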

Text Messaging Sensitive and Confidential Information Policy released by Janco


Janco has added a critical security component to its CIO IT Infrastructure Policy Bundle: a policy that focuses on how to send sensitive data securely in text messages via mobile devices.

Janco Associates has developed a policy for managing security and compliance for clear text messages being sent via email or messaging apps that contain sensitive and confidential enterprise information. In addition, this new policy has been added to Janco’s CIO IT Infrastructure Policy Bundle to complete the set of policies that every CIO needs to have in place to meet the expanding compliance and security requirements of today.

The CEO of Janco, Victor Janulaitis, said, “Leakage of data is an issue that everyone is aware of, be it accidental or intentional. Policies need to be put in place so everyone minimizes the risks that organizations face as the points of potential security breaches expand outside of the traditional office environment.” The CEO added, “As more people work outside of the confines of an office, use mobile devices, communicate via social networks, and compliance requirements expand, organizations are faced with a dilemma. How can they balance security and compliance needs with the requirement of users to have both sensitive and confidential information away from the office and at their fingertips? That is why we have developed this complete set of rules that minimize the risks that organizations are facing.”

The Text Messaging Sensitive and Confidential Information Policy as well as the other 16 policies in the CIO IT Infrastructure Policy Bundle are provided in MS WORD and PDF formats. The policies in the bundle are: Backup and Backup Retention Policy; Blog and Personal Web Site Policy; BYOD Access and Use Policy; Google Glass Policy; Incident Communication Plan Policy; Internet, Email, Social Networking, Mobile Device, and Electronic Communication Policy; Mobile Device Access and Use Policy; Outsourcing Policy; Patch Management Policy; Physical and Virtual Server Security Policy; Record Management, Retention, and Disposition Policy; Sensitive Information Policy; Service Level Agreement Policy; Social Networking Policy; Telecommuting Policy; Text Messaging Sensitive and Confidential Policy; and Travel, Laptop, PDA and Off-Site Meeting Policy.

All of Janco’s products are delivered electronically. For more information go to:

Job Descriptions – https://www.e-janco.com/Job_Book.htm

10 Steps to Prevent Being Scammed by Social Media

10 steps to Preventing Social Media Scam

With more companies moving to marketing via social media, there is now a greater possibility that a social media scam will impact and compromise your company. Here are 10 steps that Janco Associates has found can minimize that risk.

  1. Implement a social networking policy for all individuals and devices that can impact the company’s infrastructure.
  2. Social engineering awareness training must be done constantly, not just in the typical annual training program.
  3. If it sounds too good to be true, the odds are it is a scam.
  4. Look to the outside to be aware of scams that others are facing.
  5. Question suspicious behavior and communications.
  6. Report suspicious behavior and communications to IT and HR management instead of sharing them on social networks.
  7. Work devices should not be used for personal activities.
  8. Access to different types of data should be protected with separate and strong passwords.
  9. The network should be segmented to guard against scammers infiltrating a network segment simply because an employee with access to another segment was compromised.
  10. Learn from the past mistakes of others. Reverse engineer the same scenario in your own company to see if the scam could happen in your organization.

Cyber-Attack — How to Manage them 10 steps

Cyber-Attack — If you have not been faced by one the odds are you will be

Cyber-attacks are now an everyday event and it is only a matter of time before your company faces one if it has not already. Cyber criminals are ubiquitous and attacks will continue despite our resolute attempts to stop them – even organizations with the best defenses in place are not immune. CIOs and CSOs need to accept these risks as fact and be prepared to respond quickly and effectively.

Managing cyber breaches starts before the breach occurs. The steps are:

  • Perform a security data audit
  • Conduct endpoint security analytics
  • Determine the extent of exposure
  • Understand the capability of the malware or attack
  • Collect data for post-event analysis
  • Implement a long-term solution
  • Adjust monitoring protocols
  • Perform a post-mortem analysis
  • Activate the Incident Communication Plan (see https://www.e-janco.com/Incident-Communication-Plan-Policy.html)
  • Document the results and keep them up to date

Security cyber war recent articles

Cyber war continues

Cyber war and security recent postings:

  1. CIOs worry more about cyber threats with mobile computing – Cyber threats are now a much greater concern with the expansion of the use of mobile devices and services. At the same time online criminals…
  2. Anatomy of a Chinese Cyber Attack – Cyber Attack — How the Chinese do it… A Chinese cyber attack (a Stuxnet-style attack) frequently makes its first entry into a company’s secure network…
  3. Fraud is on the rise – CIOs need to address fraud issues with better security. For the last three years it has been reported that estimated fraud losses are doubling…
  4. Cyber war breaks out – slows Internet – Cyber war pushes the need for more security. The recent cyber war between Spamhaus and Cyberbunker, with a commercial Denial of Service Attack (DDoS), pushed the Internet…
  5. CIOs Worry More About Cyberthreats – CIOs face more cyber threats. Cyber threats are now a much greater concern with the expansion of the use of mobile devices and services. At…


Cyber attacks are on the rise

Cyber attacks are more extensive as the criminal element moves in

Cyber attacks and threats to networks and enterprise data are not going away. Risk is always with us, but the focus on security has expanded from physical security to cyber security.

The type and sophistication of cyber attacks are shifting, and so are the people launching the attacks.

Initially cyber attacks started out with individuals infecting computer networks with viruses, but now the criminal element is involved. In 2011 there was an increase in denial-of-service attacks by hacktivists, like Anonymous, and, more recently, foreign-based cyber criminals have targeted automated clearing house (ACH) transfers and used diversionary denial-of-service (DoS) to attempt account takeovers.

Over the past five years there have been some big changes. There are websites where you can buy the tools you need. In fact, users can purchase 100,000 fraudulent bank cards that are guaranteed to work.

The targets are not limited to the United States; online fraud attempts have jumped significantly in Europe and Asia as well.

Just as banks continue to be targets for criminals looking for big scores, the crooks are not deterred when some tighten their defenses. They just move on to other banks. And just as bank robbers of the past were reticent to give up techniques that worked, today’s thieves are reluctant to develop new tools.

The Zeus family of malware, a trojan horse botnet that came to light in 2007, is still the gold standard.
