Security is a pipe-dream

Security Pipe Dream for many

Security is a pipe-dream: few enterprises are fully protected from the kinds of events that have occurred in the past several months. All one has to do is look at the recent cyber attacks at Uber and Experian. In both of those cases, the CIO and/or CSO were blamed and left the organization.

Not many CIOs and CSOs feel they have 100% of their security risks covered. In a recent survey that was published in NetworkWorld:

  • 55% said they did not feel all of their risks were covered
  • 40% said they hoped they had all of their security bases covered
  • 6% said that they did

With only 6% saying they had all of their bases covered, there are many opportunities for hackers and data thieves to attack the systems in place.

Now that we know that a security breach may occur, how sure are these same CIOs and CSOs that they will be able to react in time? The first step is detecting that a hack or breach has occurred. In another survey by Janco Associates, we found that in midsized and large enterprises:

  • 35% had a detection solution in place and they automatically quarantined the server(s)
  • 43% had a detection solution in place but had to “manually” quarantine the server(s)
  • 23% had to “manually” put the server(s) offline when they found out they had a problem

When you put these two sets of data together, you conclude that less than 2% of enterprises are protected adequately enough to prevent a major security hack or breach from occurring.

Disaster Recovery / Business Continuity &
Security Template Bundle

ISO 27000, Sarbanes-Oxley, and HIPAA Compliant
PCI-DSS Compliant


Experts Agree You Should Update Your Plan Annually

Security is a critical concern during the recovery process

It goes without saying that every company, regardless of size, needs a concise business continuity plan in case of an emergency. If you don’t have a disaster recovery plan or haven’t updated yours recently, now is the time to take this critical step to protect your business.

At Risk e-Mail Accounts

At risk e-mail accounts are Gmail, Yahoo, and Hotmail

Security Manual Template
Security Manual Template contains all of the procedures needed to support a world class security infrastructure. It contains BIA and threat assessment tools.

At risk e-mail accounts, according to the University of California (Berkeley) and Google, are Gmail.com, Yahoo.com and Hotmail.com. Users of those e-mail accounts have the highest probability of being victims of hacking attacks. The types of attacks are credential exposure, phishing, and keylogging.

Much of the exposure is due to the multitude of “unsophisticated” users who are not well trained in how to avoid those attacks. In addition, there is the exposure they face from the loss of their credentials because of a lack of adequate security at hosting sites, from which their credentials and personal data can be extracted. The cases in point are the recent massive hacks at Yahoo and Experian.

The summary results of the study are shown in the “At Risk e-mail accounts” chart. The data does NOT reflect the victims of the Yahoo and Experian attacks.

Security Vulnerability Analysis Tool

Security Vulnerability Analysis Tool and BIA in Template


Security Vulnerability Analysis Tool is now included as part of Janco’s Security Manual Template. Firewalls have become ubiquitous across enterprises over the past decade, but the combination of new and varied access methods with increasingly sophisticated attacks has forced network operators and security professionals to constantly evaluate their defenses. When deploying a next-generation firewall there are many factors to consider.

The Security Manual template now includes the latest Threat Vulnerability Analysis Tools.  They are proven and ready to use.

One of the really great features is the set of electronic forms that come with the Security Manual Template.


Threat and Vulnerability Tool – Best in Class according to IT Productivity Center


Threat Vulnerability Assessment Tool Best in class
The purpose of a Threat Risk Assessment (TRA) is to categorize enterprise assets, examine the different “threats” that may jeopardize them, and identify and correct the most immediate and obvious security concerns.

The Threat and Vulnerability Tool received its Best in Class award concurrent with the release of Version 4.0. Janco is proud to announce it has received a Best in Class award from the IT Productivity Center. This is the third time the IT Productivity Center has issued an award to Janco for this tool.

One of the added features of version 4.0 is that it now comes not only in MS Word and PDF formats, but it also comes as an ePub (eReader) document that can easily be distributed to smartphones, tablets, and desktops.

The Tool comes with a work plan that can be used to conduct the Threat and Vulnerability Assessment as well as a definition of the components of the process including:

  • Administrative Safeguards
  • Logical Safeguards
  • Physical Safeguards

One of the additional features of this template is that it can be used as the core of an enterprise’s compliance program.

This tool is also included with the Disaster Recovery / Business Continuity Template and the Security Manual Template.

DR/BC Plans and Security Procedures have errors

DR/BC Plans and Security Procedures errors

DR/BC Plans and Security Procedures errors – Janco has reviewed the recovery processes of 148 enterprises that were impacted by the recent hurricanes, fires, and other business disruption events and found that 53% had some significant error(s) or omission(s) in their DR/BC plans and/or security procedures. Many were attributed to the length of the business interruption event and the lack of supporting infrastructure, such as cellular communication (Puerto Rico) or a shortage of fuel for backup generators.

Only 17% of enterprises that had major business disruption events in the summer and fall of 2017 had no major issues with their DR/BC plan activation process and security procedures.

Janco is currently in the process of determining the causes of these defects. Preliminary findings are that, as a result of the slow economy, enterprises cut back on the maintenance of core infrastructure. This included updating existing DR/BC plans and security procedures with changes, training in those areas, and the reassignment or departure of people who were critical to these processes.

Janco’s Solution

Janco has added 17 electronic forms to its DR/BC plan and its Security Manual Template to alleviate this problem. Included as a bonus is an eReader format of both templates. The forms can be completed on tablets and smartphones and stored in a remote cloud location. With the included security and DR/BC audit programs, it is now easier to highlight those areas of existing plans and procedures which need work to guarantee compliance with security mandates and success in the recovery process.


Security Architect

Security Architect is a Hot New Job

Security Architect job description
Security Architect is just one of over 280 full job descriptions that are delivered electronically

Security Architect – The one position that CIOs and C-Level executives are looking to fill. With all of the recent cyber-attacks and the negative publicity they have generated, there is a need for this proactive position.

Most of the other positions are focused on “after the fact” monitoring. This one looks at what could happen and creates an architecture which addresses potential cyber-attacks and hacks. These individuals operate on the philosophy that it is easier to prevent something from happening than to address problems after they occur.

Position Purpose

The individual in this position assumes responsibility for data security, including the planning, design and implementation of security measures which safeguard access to enterprise terminal files and data elements. The administrator provides rapid response to the user community’s requests for security assistance.

They secure enterprise information by determining security requirements; planning, implementing, and testing security systems; preparing security standards, policies, and procedures; and mentoring team members.

The full job description for this position has just been released.


IT Related Fraud issues addressed by Janco

IT related fraud occurred in over 70% of companies

Malware exposure is high in many enterprises

IT related fraud and malware infections cause a number of problems. Machines become unresponsive or sluggish, resulting in users becoming frustrated and administrators spending precious time trying to find the problem.

Once an attacker is on the inside, his or her work is significantly easier, since on most networks systems on the inside are trusted. To that end, in a review of over 300 security audits Janco has compiled a list of the greatest security weaknesses.

Enterprise Wide Security Weaknesses

The weaknesses are:

  • Using only single-level verification for access to sensitive data
  • Having “public” workstations or access points connected to a secure network
  • Sharing login credentials
  • Data validation for forms is contained only in client-side JavaScript
  • Connecting to the network from an unsecured access point
  • The corporate web site is encrypted but the login process is not
  • Using weak encryption for back-end management
  • Using unencrypted or weakly encrypted Web site or Web server management
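Two of the weaknesses above, validation that lives only in client-side JavaScript and a login form that is not submitted over TLS, are fixed in the same place: the server. The following is an added example written for this page, not code from Janco or from any product it describes; the `Request` model, field names and validation rules are assumptions standing in for whatever the web framework actually provides. It repeats every browser-side rule on the server and refuses credential submissions that did not arrive over HTTPS, so a crafted POST that skips the browser checks is still rejected.

```python
import re
from dataclasses import dataclass, field


# A minimal request model standing in for the web framework's own object.
# Field names are assumptions for this example, not any framework's API.
@dataclass
class Request:
    scheme: str            # "http" or "https", as seen by the application
    path: str
    form: dict = field(default_factory=dict)


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_signup(form: dict) -> dict:
    """Repeat, on the server, every rule the browser-side JavaScript enforces.

    Returns a mapping of field name -> error message; an empty dict means the
    submission is acceptable. Everything the client sends is untrusted because
    client-side checks can be disabled or bypassed with a crafted POST.
    """
    errors = {}

    email = str(form.get("email", "")).strip()
    if not EMAIL_RE.match(email):
        errors["email"] = "invalid e-mail address"

    username = str(form.get("username", ""))
    if not USERNAME_RE.match(username):
        errors["username"] = "3-32 letters, digits or underscores"

    try:
        age = int(str(form.get("age", "")))
    except ValueError:
        age = None
    if age is None or not 13 <= age <= 120:
        errors["age"] = "age must be a whole number between 13 and 120"

    return errors


def handle_signup(request: Request) -> tuple:
    """Return an (HTTP status, body) pair for a signup submission."""
    # Credentials are only accepted over TLS, even when the rest of the site
    # is already served over HTTPS.
    if request.scheme != "https":
        return 403, {"error": "signup and login must be submitted over HTTPS"}

    errors = validate_signup(request.form)
    if errors:
        return 400, {"errors": errors}
    return 201, {"status": "created", "username": request.form["username"]}


# Constructed sample submissions for this example.
GOOD = Request("https", "/signup",
               {"email": "bob@example.com", "username": "bsmith", "age": "34"})
# A submission crafted to skip the browser checks: markup in the username,
# a negative age and a malformed address.
TAMPERED = Request("https", "/signup",
                   {"email": "not-an-address",
                    "username": "<script>alert(1)</script>",
                    "age": "-5"})
# The same valid data, but sent over plain HTTP.
PLAINTEXT = Request("http", "/signup", dict(GOOD.form))

if __name__ == "__main__":
    for req in (GOOD, TAMPERED, PLAINTEXT):
        print(req.scheme, handle_signup(req))
```

The client-side script can keep its copy of these rules for a responsive user interface; the server copy is the one that counts, and the two should be generated from the same definition so they cannot drift apart.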


New York Security Compliance

New York Security Compliance Mandates added

New York Security Compliance – The State of New York announced a series of new rules strengthening cybersecurity requirements for financial firms. This is the latest in a series of announcements aimed at protecting clients, consumers and financial entities from the “ever-growing threat of cyber-attacks.”

The Governor of New York said, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from … state-sponsored organizations, global terrorist networks, and other criminal enterprises.” Even if your firm isn’t directly subject to these new regulations, it’s safe to assume that this approach will be rapidly adopted by similar regulatory bodies domestically and around the world.

The current draft calls for the “encryption of all nonpublic information held or transmitted”, but because the rules tie encryption tightly to access control, acceptable usage policy, and data retention, simple encryption alone won’t be enough to comply with the New York mandates.

To comply with the New York Security Compliance mandates, CFOs, CIOs, CSOs, and firms should:

  • Implement more dynamic ways to protect data. Enterprises will need to deploy more dynamic forms of data protection that extend beyond their current systems. When the requirement for encryption and data-loss protection spans not just records and managed systems but anywhere data can travel, traditional means of encryption and monitoring do not scale. Organizations will need to enforce granular limitations on access privileges, implement new audit systems to document data governance, and be able to remotely apply data disposition and destruction rules.
  • Tie access control and privilege management to identity. In a complex technology ecosystem, it’s no longer feasible to define access and privilege at the system, device, or perimeter. Identity is the one attribute that crosses on-premises, cloud, and un-managed services, and provides a consistent way to set, audit, and control access to confidential information. Ultimately, encryption, access controls, and data-in-use protections must persist independent of the kinds of data protected, where it’s stored, or how it’s shared.
  • Prioritize solutions to balance simplicity and security. Too often, risk and security teams have simply added new solutions to their portfolio in response to regulations and enforcement. Unfortunately, this has often created a complex, hard-to-navigate forest of tools, hurdles, and collaboration dead-ends for employees. The downside of that is it creates incentives for otherwise well-intentioned people to avoid following policy, increasing the risk of a material breach.
  • Make audit a primary concern. In the past, the requirement for an audit trail on data access was seen as an add-on. In the worst case, it was an afterthought, something built last as a reaction to risk and compliance needs. But, by thinking differently about this rich trove of data, you can improve your visibility into data use and your ability to identify dangerous behavior in advance. In many cases, you will be able to proactively stop data loss before it happens. With a strategy that protects data directly, by deploying identity-driven access controls and dynamic permissions, you can use the data from each user interaction to build a better picture of where data is traveling, and to whom.
  • Take a more dynamic approach to data protection. Adhere to mandates and be ready to tell any auditor about your enterprise’s ability to protect the confidentiality, integrity, and availability of your enterprise’s information.


Wearable Device Security Concerns


Wearable Device Security – Over 300,000,000 wearable devices are going to be deployed in the next several years


Wearable Device Security – Janco Associates has determined that most mobile devices have some major vulnerabilities. They include:

  • Insufficient User Authentication/Authorization: Many devices are vulnerable to account harvesting, meaning an attacker could gain access to the device and its data via a combination of weak password policy, lack of account lockout, and user enumeration.
  • Data Encryption Missing: Most devices have implemented transport encryption using SSL/TLS, but almost one half of all cloud connections are vulnerable to the POODLE attack, allow the use of weak ciphers, or still use SSL v2.
  • Insecure Interfaces: Over 1/3 of smartwatches use cloud-based web interfaces, all of which have major security concerns. In addition there are security concerns with the devices’ mobile applications. These vulnerabilities enable attackers to identify valid user accounts through the feedback received from password reset mechanisms.
  • Software/Firmware Updates Not Secure: Firmware and software security issues include transmitting updates without encryption and without encrypting the update files. On the plus side, most updates are signed to help prevent the installation of tampered firmware. While malicious updates cannot be installed, the lack of encryption allows the files to be downloaded and analyzed.
  • Privacy Controls Missing: Most wearable devices collect some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account security issues and the use of weak passwords on some products, exposure of this personal information is a concern.
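The first and third items above (no account lockout, and login or password-reset responses that reveal whether an account exists) are what make account harvesting cheap. The service below is an added example written for this page, not code from Janco or from any wearable vendor; its names, limits and in-memory storage are assumptions. It shows the three defensive behaviours together: a failure counter that locks the account after a fixed number of attempts, a single generic error for wrong password, unknown user and locked account alike (with the hash computed even for unknown names so timing does not differ), and a password-reset endpoint whose reply is the same whether or not the account exists.

```python
import hashlib
import hmac
import os
import time

# Constructed settings for this example (assumptions, not a vendor's values).
MAX_FAILURES = 5                 # failures before the account is locked
LOCKOUT_SECONDS = 15 * 60
GENERIC_ERROR = "Invalid username or password."
RESET_MESSAGE = "If that account exists, a reset link has been sent."
_DUMMY_SALT = b"\x00" * 16


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; a deployment would prefer a
    # memory-hard KDF such as Argon2 or scrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AuthService:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can advance time
        self._users = {}             # username -> (salt, password hash)
        self._failures = {}          # username -> (count, locked_until)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> tuple:
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if locked_until > now:
            # A locked account answers exactly like a wrong password.
            return False, GENERIC_ERROR

        record = self._users.get(username)
        # Unknown usernames still pay for one hash computation so response
        # time does not reveal whether the account exists.
        salt, stored = record if record is not None else (_DUMMY_SALT, b"")
        candidate = _hash_password(password, salt)
        ok = record is not None and hmac.compare_digest(candidate, stored)

        if ok:
            self._failures.pop(username, None)
            return True, "ok"

        # Failures are counted for unknown names too, so lockout behaviour
        # cannot be used to tell real accounts from fake ones. A deployment
        # would bound this table (evict stale entries) to cap memory use.
        count += 1
        if count >= MAX_FAILURES:
            locked_until = now + LOCKOUT_SECONDS
        self._failures[username] = (count, locked_until)
        return False, GENERIC_ERROR

    def request_password_reset(self, username: str) -> str:
        # Same message whether or not the account exists; the link itself is
        # only delivered for real accounts.
        if username in self._users:
            self._send_reset_link(username)
        return RESET_MESSAGE

    def _send_reset_link(self, username: str) -> None:
        # Hypothetical delivery hook; a real service would e-mail a one-time
        # token that expires quickly.
        pass


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "hel10@World")
    print(svc.login("alice", "wrong"))
    print(svc.login("nobody", "wrong"))            # identical response
    print(svc.request_password_reset("nobody"))    # identical to a real user
```

A lockout that is keyed only on the username can itself be abused to deny service to a known user; pairing the per-account counter with a per-source-address rate limit, and notifying the account owner when a lock occurs, are the usual complements.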

The use of wearable devices that can capture and broadcast video, voice, data and location information is increasing at an accelerated rate.

Janco addresses the security, privacy and reputation management issues for a world in which wearable devices have cameras, microphones, massive data storage and Internet connectivity.


Wearable devices provide a variety of potential business or educational uses involving accessing, capturing and sharing data. At the same time they can pose a significant security risk to an organization: the ability to surreptitiously record audio and video can threaten business confidentiality and jeopardize company data and even its reputation.

With that in mind, the consultants at Janco Associates have created a Wearable Device Policy that can be downloaded and used as a guideline for organizations as they establish rules for the use of such devices in the workplace.

Top 6 cyber attack threats


The top 6 threats that CSOs need to address, as attackers conspire to take down applications and steal data, all focus on data center infrastructure. (See also How to Manage Cyber Attacks.) Storing the most valuable and most visible assets in your organization – web, DNS, database, and email servers – data centers have become the number one target of cyber criminals, hacktivists and state-sponsored attackers. The threats are:

  1. DDoS Attacks
  2. Web Application Attacks
  3. DNS Infrastructure
  4. SSL-Induced Security Blind Spots
  5. Brute Force
  6. Weak Authentication

CIOs and CSOs start the management process before the cyber attack occurs

Cyber-attacks are now an everyday event and it is only a matter of time before your company faces one if it has not already. Cyber criminals are ubiquitous and attacks will continue despite our resolute attempts to stop them – even organizations with the best defenses in place are not immune. CIOs and CSOs need to accept these risks as fact and be prepared to respond quickly and effectively.
Managing cyber breaches starts before the breach occurs


ISO 22301 International Business Continuity Standard


In a constantly changing business environment, with unpredictable natural disasters and accidents, risk and security officers are forced to focus more on developing immunity towards such unpleasant occurrences in order to continue stable business operations. ISO 22301, the first international standard for Disaster Recovery Management, emphasizes quality planning and monitoring of a well-defined framework to facilitate timely responses to disruptive events.

In most organizations, the DRP and BCP processes are the most complex tasks CIOs need to focus on. Disasters typically happen so infrequently that recovery operations are the opposite of routine. What’s more, the myriad interconnected data, application and other resources that must be recovered after a disaster make recovery an exceptionally difficult and error-prone effort. Even if you have never built a Disaster Recovery plan before, you can achieve great results. Just follow the DR Template that Janco has created and you will have a functioning plan before you know it.


Password Requirements and Management Issues

Password Requirements

  1. Passwords should not be reused across many accounts, but should preferably be unique to each account. (Single-sign-on services and password management tools should be used very carefully, in a decentralized formation, in view of the single point of failure that comes with them.)
  2. A password written on a memo should be hidden in a safe place. (This may be practicable indoors, but not outdoors, where there is no such safe place, since both the memo and the mobile device can be found on the user with 100% probability.)
  3. Whether with multi-factor authentication, biometric solutions or ID federation, a reliable password that confirms the volition of the user remains a fundamental prerequisite or essential condition.

The limitations behind the many password resets are:

  • Humans can firmly remember only 5 textual passwords on average.
  • Existing password authentication systems are still all text-based, even though it is easily possible to break the above limitation by expanding password systems to include pictures from episodic/autobiographical memory in addition to conventional textual passwords.

Examples of invalid or poorly chosen passwords:

  • Your login ID.
  • Names of co-workers, pets, family, etc.
  • Phone numbers, license numbers, or birthdays.
  • Simple passwords like “asdf” (adjacent keys on a keyboard).
  • Words, which can be found in a dictionary.

Examples of strong passwords (the following are for example purposes only; do not use any of these examples as your actual password):

  • Use a name, modified slightly, like “b0b$mith” or “M@ryL0ng”.
  • Use a phrase you can remember, like “hello world” modified to “hel10@World”.
  • “tL*5i?wu” (contains letters, special characters, and numbers).

Even though it is not a rule, it is strongly recommended that you use a combination of both upper and lower case letters.
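The two lists above are a password policy in prose; turning them into a check that runs at password-change time is what makes them enforceable. The checker below is an added example written for this page, not code from Janco's Security Manual Template; the word list, keyboard rows, the `PersonalContext` of login ID and related names, and the minimum length of 8 (the page states no length) are constructed assumptions. Each “invalid” bullet becomes a hard error, and the upper/lower-case mix, which the page calls a recommendation rather than a rule, becomes a warning that does not fail the check. The four sample strong passwords from the page pass; the weak patterns are rejected.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data (assumptions). A deployment would load the word list
# from a full dictionary file and the names from the HR/directory system.
DICTIONARY_WORDS = {"password", "welcome", "hello", "world", "summer", "dragon",
                    "letmein", "monkey", "qwerty"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz")
MIN_LENGTH = 8   # assumed minimum; the page gives no explicit length rule
# Dates such as 12/25/1990, 1990-12-25 or 19901225.
DATE_RE = re.compile(
    r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}|\d{4}[/.-]\d{2}[/.-]\d{2}|(19|20)\d{6}")
# Strings made only of digits and phone/licence separators.
NUMBER_LIKE_RE = re.compile(r"[\d\s()+./-]{6,}")


@dataclass
class PersonalContext:
    login_id: str
    related_names: tuple = ()     # co-workers, pets, family members


@dataclass
class PolicyResult:
    ok: bool
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def _keyboard_run(pw: str, length: int = 4) -> bool:
    """True if the password contains `length` adjacent keys (e.g. 'asdf')."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            chunk = row[i:i + length]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(password: str, ctx: PersonalContext) -> PolicyResult:
    errors, warnings = [], []
    low = password.lower()

    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if ctx.login_id and ctx.login_id.lower() in low:
        errors.append("contains the login ID")
    for name in ctx.related_names:
        if name.lower() in low:
            errors.append(f"contains a personal name ({name})")
    if NUMBER_LIKE_RE.fullmatch(password) or DATE_RE.search(password):
        errors.append("looks like a phone number, licence number or date")
    if _keyboard_run(password):
        errors.append("contains a run of adjacent keyboard keys")
    # Whole-password dictionary check, with and without digits/symbols.
    letters_only = re.sub(r"[^a-z]", "", low)
    if low in DICTIONARY_WORDS or letters_only in DICTIONARY_WORDS:
        errors.append("is a dictionary word")

    # Mixed case is recommended by the page, not required: warn, don't fail.
    if not (any(c.isupper() for c in password)
            and any(c.islower() for c in password)):
        warnings.append("recommended: mix upper and lower case letters")

    return PolicyResult(ok=not errors, errors=errors, warnings=warnings)


if __name__ == "__main__":
    # Constructed context for user "bsmith" with a pet and a co-worker.
    ctx = PersonalContext(login_id="bsmith", related_names=("Rover", "Alice"))
    for candidate in ("b0b$mith", "hel10@World", "asdf1234", "Rover2020",
                      "555-867-5309", "Password"):
        print(f"{candidate!r}: {check_password(candidate, ctx)}")
```

Keep the rejection reasons specific when reporting back to the user (the `errors` list), but never echo the matched name or login ID into logs, since the log line would then record part of a rejected secret.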

Text Messaging Sensitive and Confidential Information Policy released by Janco

Text Messaging Sensitive and Confidential Information Policy released by Janco

Janco has added a critical security component to its CIO IT Infrastructure Policy Bundle with a policy that focuses on how to send sensitive data securely via text messages on mobile devices.

Janco Associates has developed a policy for managing security and compliance for clear text messages being sent via email or messaging apps that contain sensitive and confidential enterprise information.  In addition, this new policy has been added to Janco’s CIO IT Infrastructure Policy Bundle to complete the set of policies that every CIO needs to have in place to meet the expanding compliance and security requirements of today.

The CEO of Janco, Victor Janulaitis said, “Leakage of data is an issue that everyone is aware of, be it accidental or intentional. Policies need to be put in place so everyone minimizes the risks that organizations face as the points of potential security breaches expand outside of the traditional office environment.” The CEO added, “As more people work outside of the confines of an office, use mobile devices, communicate via social networks, and compliance requirements expand, organizations are faced with a dilemma. How can they balance security and compliance needs with the requirement of users to have both sensitive and confidential information away from the office and at their fingertips? That is why we have developed this complete set of rules that minimize the risks that organizations are facing.”

The Text Messaging Sensitive and Confidential Information Policy as well as the other 16 policies in the CIO IT Infrastructure Policy Bundle are provided in MS WORD and PDF formats. The policies in the bundle are: Backup and Backup Retention Policy; Blog and Personal Web Site Policy; BYOD Access and Use Policy; Google Glass Policy; Incident Communication Plan Policy ; Internet, Email, Social Networking, Mobile Device, and Electronic Communication Policy; Mobile Device Access and Use Policy; Outsourcing Policy; Patch Management Policy; Physical and Virtual Server Security Policy; Record Management, Retention, and Disposition Policy; Sensitive Information Policy; Service Level Agreement Policy; Social Networking Policy; Telecommuting Policy; Text Messaging Sensitive and Confidential Policy; and, Travel, Laptop, PDA and Off-Site Meeting Policy.

All of Janco’s products are delivered electronically. For more information go to:

Job Descriptions – https://www.e-janco.com/Job_Book.htm

10 Steps to Prevent Being Scammed by Social Media

10 steps to Preventing Social Media Scam

With more companies moving to marketing via social media, there is now a greater possibility that a social media scam will impact and compromise your company. Here are 10 steps that Janco Associates has found can minimize that risk.

  1. Implement a social networking policy for all individuals and devices that can impact the company’s infrastructure.
  2. Social engineering awareness training must be done constantly, not as the typical annual training program.
  3. If it sounds too good to be true, the odds are it is a scam.
  4. Look to the outside to be aware of scams that others are facing.
  5. Question suspicious behavior and communications.
  6. Report suspicious behavior and communications to IT and HR management instead of sharing them on social networks.
  7. Work devices should not be used for personal activities.
  8. Access to various types of data should be protected with separate and strong passwords.
  9. The network should be segmented to guard against scammers infiltrating a network segment simply because an employee with access to another segment was compromised.
  10. Learn from past mistakes of others. Reverse engineer this same scenario in your own company to see if the scam could happen in your organization.

Cyber-Attack — How to Manage them 10 steps

Cyber-Attack — If you have not been faced by one the odds are you will be

Cyber-attacks are now an everyday event and it is only a matter of time before your company faces one if it has not already. Cyber criminals are ubiquitous and attacks will continue despite our resolute attempts to stop them – even organizations with the best defenses in place are not immune. CIOs and CSOs need to accept these risks as fact and be prepared to respond quickly and effectively.

Managing cyber breaches starts before the breach occurs

  • Perform a security data audit
  • Conduct endpoint security analytics
  • Determine the extent of exposure
  • Understand the capability of the malware or attack
  • Collect data for post event analysis
  • Implement a long-term solution
  • Adjust monitoring protocols
  • Post Mortem Analysis
  • Activate the Incident Communication Plan (see https://www.e-janco.com/Incident-Communication-Plan-Policy.html)
  • Document results and keep them up to date