Common Security Concerns

Common Security Concerns that CSOs and CIOs have

Security Manual Template - Common Security Concersn
CIOs and CSOs often are tasked to address user and C-Level management’s common security concerns. The Security Manual Template and its associated items address each of these in detail.

When the CIOs and CSOs discuss common security concerns these five topics always seem to appear:

  1. Surfing the web anonymously is a thing of the past – As online tracking systems become more sophisticated and harder to shake, the likelihood of private, anonymous browsing is becoming a long-ago memory. Take into account the latest ISP changes, where the U.S. government allows providers to not only track, but sell your browsing history without your consent. These changes in “net neutrality rules” require users to be more vigilant about their own browsing patterns. You can guard your activity by logging out of search engines before browsing, clearing your cache and search history, and switching to a private browser to minimize the various ways your browsing history is catalogued.Order Security Policies and ProceduresDownload TOC security policies
  2. Anyone gain access your webcam – Hackers can and do target cameras by disabling the light that notifies of access, and keeping tabs in order to commit some sort of crime. Many users have responded by putting dark tape or coverings over their computer’s webcam. But as more smart devices are created and purchased, the surface area for webcam hacking only expands. Think, for example, of all the places you take your smartphone, with its built-in camera almost always pointing in your direction. The malware used to hack webcams, known as RAT (remote access Trojan), is often spread through spam email. Once clicked, the software is capable of disabling your light so you’re never made aware of anyone watching.
  3. How to protect against identity theft – Be wary of sites asking for personal information to complete a basic task, such as subscribing to a newsletter. When submitting personal information, such as your address or payment method, check for https versus http and never submit this information to a party you’re not familiar with or for a request you don’t remember making.Protecting your identity, at its core, always comes back around to common sense behavior online. Understand risks, practice careful consuming, and taking precaution to diversify passwords and watch out for phishing schemes.
  4. Free antivirus software is not free – You get what you pay for in the area of antivirus and malware protection. If it is free a lot of people use it and when there is a security hole – hackers will attack.  That is opposed to paid programs were vendors constantly update the software to address new issues as the occur.
  5. Are tablets, Smartphones and Macs safe without antivirus software? – Though the Android and Mac OS X boast of operating systems that claims they are tough to breach, they still contains weak access points. Just like any tool that surfs the web or connects to wireless routers, security is needed to scan all those items you click. (Recent research suggests Macs are now more vulnerable than PCs.)While these devices have often carried around the title of most-secure operating system, it doesn’t hurt to back up your devices with the latest antivirus security protection.

IT Related Fraud issues addressed by Janco

 IT related fraud occurred in over 70% companies

Malware exposure is high in many enterprises

IT related fraud and alware infections cause a number of problems. Machines become unresponsive or sluggish resulting in users become frustrated and administrators spending precious time trying to find the problem.

Once an attacker is on the inside, his or her work is significantly easier since on most networks, systems on the inside are trusted.   To that end, in a review of over 300 security audits Janco has found a list of the greatest security weaknesses.

Enterprise Wde Security Weaknesses

The weaknesses are:

  • Using only single level verification for access to sensitive data
  • Having “public” workstations or access point is connected to a secure network
  • Sharing login credentials
  • Data validation for forms is contained in client-side JavaScript
  • Connect to network from an unsecure access point
  • Corporate web site is encrypted but the login process is not
  • Using weak encryption for back end management
  • Using unencrypted or weak encryption for Web site or Web server  management

Order Security Policies and ProceduresDownload TOC security policies

Walmart denies hack occurred

14,600 emails addresses and passwords posted – Walmart denies hack occurred

Walmart denies hack occurred
Incident Communication Plan

Walmart denies hack occurred after email address and passwords were posted.   – Over 14,600 email addresses and plain-text passwords associated with Sam’s Club’s online store were dumped on Pastebin, a text sharing site. Walmart denied a hack occurred.

The title of the password dump said that the accounts listed belonged to the retail giant. The company which has over 650 locations across the US and tens of millions of members.

Walmart said “.. looked into this issue and there is no indication of a breach of our systems. It is most likely a result of one of the past breaches of other companies’ systems. Because customers often use the same usernames and passwords on various sites, bad actors will typically test the credentials they obtain across many popular sites. Unfortunately, this is an industry-wide issue,” said a Walmart spokesperson.

Order PolicySample Policy

That is no way to inspire confidence in the security of an enterprise’s website.

To survive an incident such as a business interruption, security breach, or a product recall, organizations need more than a successful communication strategy – they need an incident communication plan.

The overall objectives of a incident communications plan should be established at the outset. The objectives should be agreed upon, well understood, and publicized. For example, will the primary objective of the communications plan be for communications only to employees, and only during a disaster? Or is the intent to advise customers of interruptions to service? Or is it for investors and stockholders? Or regulatory agencies? Or is it some combination of these?

eReader versions of the DR Plan and IT Job Descriptions

eReader version of DR/BC Plan and IT Job Descriptions – 273 jobs

eReader version of DR Plan and IT Job Descriptions have just been released by Janco.  Both of these offering now can be put in an enterprise’s catalog of electronic documents which can be shared across the network.

eReader books by Janco
eReader books by Janco

The .epub version can be read by most (if not all mobile devices) including iPad, Surface, generic tablets, SmartPhones, and computer desktops.  With this step forward a great collaboration tool is now in the hands of individuals who can review, write notes on, share, and utilize as a handy set of reference tools.

The eReader version are fully indexed, have a hot link table of contents and meet industry standards for mobility.

Over the course of the next several months Janco will be adding .ePub options to most of its product line.  Products that are next in line for this include.

Order Sensitive Information Policy

10 step security

10 step security for third party access to enterprise systems

10 Setps for security in cloud Security plan10 step security for 3rd party access to enterprise systems are a must with the increased use of internet processing and use by day to day business operations.

Security and compliance are key to maintaining control of sensitive and confidential information. All of the product offerings of Janco are geared towards proving tools to help C-Level executives and top IT professionals maintain the privacy of its users and enterprise data.

Order Security ManualDownload Selected Pages

  1. Create an asset inventory and tracking to reduce the risk of network-connected assets being out of compliance with policy.
  2. Understand the cloud-based environment where all users are considered remote, and apply controls similar to how they have historically provided access to third parties.
  3. Make changes in how the organization manages and controls these various user-types by incorporating concepts such as zero-trust, network abstraction, extended identity validation and full-session recording to effectively reduce the overall risk and isolate any potential impact caused by third parties or remote user actions.
  4. Define a plan which meets the requirements for external contractors, employees, and B2B entities.
  5. Coordinate third party access plan in conjunction with their business units and develop a solid communications plan.
  6. Create rules for access using the appropriate level of controls commensurate with their given risk profiles, to include: isolation/segmentation, encryption, and federation integrations.
  7. Establish access points and rules for data availability to third parties
  8. Invest in ways to authenticate third-party users beyond simple username and password.
  9. Define metrics which address compliance variances and risks, and build an end-to-end security and risk view for the entire enterprise.
  10. Create a reporting system which track access, access violations, downloads and total usage. This should be real-time and have assigned individuals monitor and report and deviations.

Order Cloud Outsourcing TemplateDownload Selected Pages

Top 10 Security Predictions

Top 10 Security Predictions

Top 10 Security Predictions – Many organizations fail to realize the benefits of security information management due to the often exhaustive financial and human resource costs of implementing and maintaining the software. However, Janco’s’ Security Manual Template – the industry standard – provides the infrastructure tools to manage security, make smarter security decisions and respond faster to security incidents and compliance requests within days of implementation.

Top 10 Security Predictions from Janco Associates are:

  1. Over the next several years almost all of vulnerabilities exploited by hackers will continue to be ones known by security and IT professionals for at least one year.

    Top 10 Security Predictions
    Top 10 Security Predictions
  2. Robotics will take over many security operations. China will lead the way with 30-40K students training in universities with this technology. US will lag for several years.
  3. Shadow IT will be responsible for over one third of attacks experienced by enterprises.
  4. The need to prevent data breaches from public clouds will drive many organizations to develop data security governance programs.
  5. Over the long term enterprises engaged in application development will secure applications by adopting application security self-testing, self-diagnosing and self-protection technologies.
  6. Future cloud-based providers will include network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms in their offerings.
  7. Identity as a service (IDaaS) implementations the focus of several new companies.
  8. Use of passwords and tokens in will drop 55%, due to the introduction of bio-metrics.
  9. A majority of IoT device manufacturers will not be able to address threats from weak authentication practices.
  10. More than 25% of identified enterprise attacks will involve IoT.

Order Security ManualDownload Selected Pages

10 Security Assessment Questions

10 Security Assessment Questions

Security Assessment and Compliance Management
Security Assessment and Compliance Management

Security Assessment Questions

  1. To stop a breach tomorrow, what does the enterprise need to differently today?
  2. Does the enterprise know if the company has been breached? How does it know?
  3. What assets are being protecting, what are they being protected from (i.e., theft, destruction, compromise), and who are they being protected them from (i.e. cybercriminals or insiders)?
  4. What risks does the enterprise face if it is breached (i.e., financial loss, reputation, regulatory fines, loss of competitive advantage)?
  5. Does the enterprise’s IT security implementation match the enterprise’s business-centric security policies?
  6. Are formal written policies, technical controls or both in place? Are they being followed?
  7. What is the enterprise’s security strategy for IoT?
  8. What is the enterprise’s security strategy for BYOD and “anywhere, anytime, any device” mobility?
  9. Does the enterprise have an incident response plan in place?
  10. What is the enterprise’s remediation process? Can the enterprise recover lost data and prevent a similar attack from happening again?

Security Compliance – Comprehensive, Detailed and Customizable for Your Business

The Security Compliance Policy and Audit Program bundle provides all the essential sections of a complete security manual and walks you through the creation of each step. Detailed language addressing more than a dozen security topics is included in 220 plus page Microsoft Word document, which you can modify as much or as little as you need to fit your business requirements. The template includes sections on critical topics like:

  • Risk analysis – Threat and Vulnerability Assessment via Electronic Forms
  • Staff member roles
  • Physical security
  • Electronic Communication (email / SmartPhones)
  • Blogs and Personal Web Sites
  • Facility design, construction and operations
  • Media and documentation
  • Data and software security
  • Network security
  • Internet and IT contingency planning
  • Insurance
  • Outsourced services
  • Waiver procedures
  • Incident reporting procedures
  • Access control guidelines
  • PCI DSS Audit Program as a separate document

Order Download Selected Pages

Disaster Recovery Business Continuity with Security

Disaster Recovery Business Continuity with Security

Every company, regardless of size, needs a concise approach  disaster recovery business continuity with security in case of an emergency.

Order DRP BCP Security Download Selected Pages

Disaster Recovery Business Continuity with Security
Disaster Recovery Business Continuity with Security

Data is the lifeblood of every company, and often, it is a competitive advantage and the only thing that differentiates one enterprise from another. Who has the most loyal customers, the best service, and the most innovative strategies all boils down to information residing on the enterprise’s Information Technology and application systems. For this reason disaster recovery and business continuity are a definite need.  In addition, there are  security requirements that need to be met.  With mandated requirements like Sarbanes-Oxley, HIPAA, PCI-DSS, and ITIL, executive management is depending on you to have the right security policies and procedures in place.

Disaster Recovery Business Continuity with Security

Google has addressed this and describes it in a video that is has placed on youtube.

10 step security implementation process :

  • Make security an executive directive
  • Implement clear security guidelines
  • Provide specifics for security compliance
  • Enforce that everyone follows the rules
  • Provide formal training program
  • Communicate Security
  • Monitor security compliance
  • Establish security compliance metrics
  • Provide security compliance feedback
  • Audit security with a third party 

Cyber attack stages

Cyber attack stages

 

Cyber attack stages - Security Manau
Cyber attack stages

Stages of a cyber attack’s life cycle need to be understood so that CIO’s can create an effective defense strategy. Malicious cyber attacks continue to threaten sensitive data — whether it is personal data or company sensitive data — one fact remains: attackers will continue to exploit weakness to infiltrate systems and extract data that they can turn into money. The life cycle of attacks is as follows.Order Security ManualDownload Selected Pages

Identify and define potential attack vectors

The first step attackers usually take is to identify members of staff within the organization and the best attack vectors to utilize. This is done by scanning the organization’s public facing websites and gathering as much information about the sites as possible, while simultaneously performing scans against the internal networks.

Initial attack

Using several identified attack vectors, hackers attempt to gain access to an organization’s network. Using different IP addresses and a significant number of computers, the hackers will kick off an automated dictionary attack and after only a few short days malware is installed on the victim’s computer.

Command and control

With the malware in place, the attackers can now begin an in-depth recon against the internal network. The attackers will attempt to escalate privileges on the victim’s account, and create new user accounts with administrative and privileged access.

Discover and spread

With access to the network, the hackers begin to spread it across the organization’s entire network. With a significant presence within the network allowing them to wait, while making detailed asset maps, noting employee patterns and any other information that can assist them in their long term goal: data theft.

Extract and ex-filtrate

Attacks siphon data out of their target company’s environment. They will do this by moving the targeted data to a remote server. After several weeks or possibly even months of siphoning data, the attackers can end their campaign. However, before exiting, they will ensure that they make several network modifications to enable them to return at anytime in the future.

Discovery and clean up

When the organization finally discovers the compromise, typically more than 200 days to detect a breach, stopping the attack begins.

Top 10 Best Practices Ransomware

Top 10 Best Practices Ransomware

Best Practices Ransomware

Best Practices Ransomware – Ransomware is a class of malware that holds a computer or data “hostage” until the user pays a particular amount or abides by specific instructions. The ransomware restricts access to the data and the system. Some cases of ransomware also repeatedly show messages that tell users they must pay the “ransom” or perform a particular action. There are some ransomware variants that encrypt files found on the system’s hard drive. Users must pay the ransom in order to decrypt the data that was altered by the ransomware.

Cybercriminals behind this threat made use of online payment methods as a way for users to pay the ransom.

  1. Have remote backups of your data that is not “mapped” to your computers and network.
  2. Show hidden file extensions. One way that Cryptolocker frequently arrives is in a file that is named with the extension “.PDF.EXE”, counting on Window’s default behavior of hiding known file-extensions. In order to mitigate this re-enable the ability to see the full file-extension, it can be easier to spot suspicious files.
  3. Have your email server filter out all files that are executables. If there is a need to exchange executable files within your environment and are denying emails with “.EXE” files, you can do so with ZIP files (password-protected) or via cloud services.
  4. Disable files running from AppData/LocalAppData folders. One of the way that ransomware works is to place an executable within those Wndows folders and then launch the programs. By disabling those files you eliminate a major weakness in your operating environment.
  5. Disable Remote Desktop Protocol (RDP) which allows others to access your desktop remotely. If you do not require the use of RDP, you can disable RDP to protect your environment.
  6. Keep your software current by applying patches and updates in a timely manner. Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. It can significantly decrease the potential for ransomware-pain if you make a practice of updating your software often.
  7. Utilize a security suite that has large user base and is updated frequently.
  8. If you run WiFi in your environment, ,make sure that all of the routers in the network are secure, utilize strong passwords and change their passwords at least quarterly. If you do have a ransomware attack turn your WiFi off immediately.
  9. Provide in-depth training to all users who have access to your environment on what they can and cannot do such as accept files that are suspicious or from unknown users.
  10. Stay current with all breaches and ransomware attacks that are reported and adjust your operating environment to address exposures that others have faced.

Security Manual Template and Compliance Tools

Order Security Manual Download Selected Pages

Wearable Device Security Concerns

Wearable Device Security Concerns

Wearable Device Security – Over 300,000,000 wearable devices are going to be deployed in the next several years

Wearable Device Security
Wearable Device Security

Wearable Device Security – Janco Associates has determined that most mobile devices have some major vulnerabilities. They include:

  • Insufficient User Authentication/Authorization: Many devices are vulnerable to account harvesting, meaning an attacker could gain access to the device and data via a combination of weak password policy, lack of account lockout, and user enumeration.
  • Data Encryption Missing: Most devices have implemented transport encryption using SSL/TLS, but almost one half of all cloud connections are vulnerable to the POODLE attack, allow the use of weak cyphers, or still used SSL v2.
  • Insecure Interfaces: Over 1/3 of smartwatches use cloud-based web interfaces, all of which have major security concerns. In addition there are security concerns with the devices mobile applications. These vulnerability enables hackers to identify valid user accounts through feedback received from reset password mechanisms.
  • Software/Firmware Updates Not Secure: Firmware and software security issues, include transmitting updates without encryption and without encrypting the update files. On the plus side, most updates are signed to help prevent the installation of contaminated firmware. While malicious updates cannot be installed, lack of encryption allows the files to be downloaded and analyzed.
  • Privacy Controls are missing: most wearable devices collect some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account security issues and use of weak passwords on some products, exposure of this personal information is a concern.

The use of wearable devices that can capture and broadcast video, voice, data and location information is increasing at an accelerated rate

Janco addresses the security, privacy and reputation management issues for a world in which wearable devices have cameras, microphones, massive data storage and INTERNET connectivity

Download Selected Pages

Wearable devices provide a variety of potential business or educational uses involving accessing, capturing and sharing data.  At the same time they can pose a significant security risk to an organization with, the ability to surreptitiously record audio and video can threaten business confidentiality and jeopardize company data and even its reputation.

With that in mind, the consultants at Janco Associates have created a Wearable Device Policy that can be downloaded and used as a guideline for organizations as they establish rules for the use of such devices in the workplace.

Top 10 Reasons Why Security Breaches Occur

Top 10 Reasons Why Security Breaches Occur

Security Policies

With all of the concerns about security breaches, still one out of ten CIOs and CFOs feel they do not have an adequate security strategy in place and are reactive when an incident does occur. Many of them find out, the hard way, that the cost to react to an event is significantly greater than it would have been to implement an adequate solution before hand.

The top 10 drivers of security shortcomings include:

  1. Insufficient funding for security
  2. Lack of commitment by senior executive management
  3. Lack of leadership in the security arena by the CIO
  4. Belief that the organization will not be targeted
  5. Lack of internal resources who are “security” experts
  6. Lack of an effective IT security strategy
  7. Lack of an action plan on how to implement a solution before an event
  8. Infrastructure for IT that does not easily lend itself to security implementation including complex and disjointed applications and data
  9. No central focus with the enterprise that focuses on security
  10. Lack of a good termination policy for employees and contractors

In a review of over 200 incidents we have found the frequency of these types of breach losses to be as depicted in the chart below:

Order Security ManualSample DRP

10 actions to protect data assets

10 actions to protect data assets

10 actions to protect data assets — Janco has found that more than 90% of all data breaches affecting 500 or more individuals are caused by an organizations’ own employees, not hackers. Since ninety percent of an organization’s data breaches are due to “friendly fire” – the mistakes and transgressions of the business’s own employees and business associates CIOs and CSOs need to take a leadership position in managing this. By taking specific actions, a company can greatly reduce the likelihood of these internal breaches – both the careless mistakes and the malicious acts.

Here are 10 actions that a CIO or CSO can take are:

  1. Instill on all employees that they are the first line of defense when it comes to data protection and data security.
  2. Develop and implement specific policies and procedures regarding the handling of proprietary or sensitive information. Have employees sign an acknowledgement form indicating that they have read the policies and understand their responsibilities.
  3. Validate that the policies and procedures meet all industry and mandate compliance requirements.
  4. Improve training and require all employees to take. Many organizations think that a general 30-minute online information-security training followed by 10 questions is sufficient for employees to know what they should do in a given situation. However, the lack of specificity to their own responsibilities opens the possibility of unintentional exposure of, or unauthorized access to, protected information.
  5. Maintain a tight control on all data assets and ensure only the minimum necessary access to the information. Organizations need to take the time to assess the functions or roles in the organization that need access to confidential information, and to document the process for initiating and terminating that access. The most damaging impact on an organization can be caused by a disgruntled employee who is terminated from the organization, yet his or her access to information is not cut off in a timely fashion.
  6. Require all passwords be changed frequently and not be repeated.
  7. Communicate, enforce and apply consistent sanctions for information privacy or security violations. If there is no punishment for accessing or sharing information, people are more apt to do so. For example, rural hospitals and health plans have significant problems with employees snooping into medical records of colleagues, ex-partners, and others in the community. Larger hospitals and rehab centers have to address the improper snooping into the medical records of celebrities and prominent public figures.  An organization can suffer significant financial and reputational damage if steps aren’t taken when bad behavior occurs.
  8. Monitor employee activity both on PCs and mobile devices. Doing so ensures appropriate access and can unearth any unusual activity. Take the time to review or randomly sample usage reports to identify any potential problems early and initiate remediation activities.
  9. Ensure adequate oversight or governance of information security programs. This is necessary to evaluate the causes of security or privacy incidents, apply consistent sanctions, monitor training activities, provide resources for mitigation and remediation of impermissible disclosures, and make information security part of the organization’s culture.
  10. Have independent 3rd parties test the data protection and data security compliance practices.

Security PoliciesSecurity Policies – Procedures – Audit Tools

ISMS 10 reasons why CIOs should implement ISMS

ISMS 10 reasons why CIOs should implement

ISMS – 10 reasons why — Some CIOs believe that their companies do not need a formal Information Security Management System (ISMS) because they already have security policies and procedures along with controls in place or are deploying other technologies to protect their enterprises from cyber-attacks.

Order Security ManualTable of Contents

Security ManualHowever here are ten reasons CIOs should implement an ISMS in their enterprises:

  1. An ISMS includes people, processes and IT systems, acknowledging that information security is not just about software, but depends on the effectiveness of organizational infrastructure, processes, and the people who manage and follow them.
  2. An ISMS provides standard set of terms and communication methods for everyone to be educated in.
  3. An ISMS helps enterprises to coordinate all security efforts (both electronic and physical) coherently, consistently and cost-effectively.
  4. An ISMS provides enterprises with a systematic approach to managing risks and enables enterprises to make informed decisions on security investments.
  5. An ISMS can be integrated with other management system standards (e.g. ISO 22301, ISO 9001, ISO 14001, etc.) ensuring an effective approach to corporate governance.
  6. An ISMS creates better work practices that support business goals by asserting roles and processes that have to be clearly attributed and adhered to.
  7. An ISMS requires ongoing maintenance and continual improvement, which ensures that policies and procedures are kept up to date, resulting in better protection for your sensitive information.
  8. An ISMS gives enterprises credibility with staff, clients, suppliers, customers, and partner organizations, and demonstrates due diligence.
  9. An ISMS helps enterprises comply with corporate governance requirements.
  10. An ISMS can be formally assessed and certified against ISO 27001, bringing additional benefits such as demonstrable credentials, customer assurance and competitive advantage.

Security Threats – Protecting Enterprise Infrastructure

Security Threats – Protecting Enterprise Infrastructure

Security Policies

In the first half of the 2013 fiscal year, the US Department of Homeland Security’s responded to more than 200 incidents.  53 percent of the incidents were in the energy and utility sector — many of them sponsored by states such as China.

As attacks become more sophisticated and digital control systems increase in complexity and levels of automation, it is increasingly difficult to prevent threats from impacting the operation of critical infrastructure.

Order Security ManualSample DRP

Security balancing act

The costs of implementing a stricter policy need to be weighed against the potential costs that could result from the failure of a weaker policy. These costs include purchasing a security solution, implementing this security solution, and finally managing and maintaining the solution. Initial costs often include the physical infrastructure necessary to deploy the solution, such as servers, kiosks and networks, as well as the consulting services that are often required to implement the solution correctly.

Security Threats

Defining acceptable media and content

Defining a portable media and content strategy is key to a secure data workflow policy. When developing a secure data workflow policy, organizations should first define what types of portable media are acceptable and how they can be used.

Designing secure data workflows

The best security policies have multiple layers of protection, to guard against many types of threats, both known and unknown. This defense-in-depth strategy will minimize the risk of any one threat getting past all of the security layers.

A secure data workflow should leverage threat protection methods including:

  • User authentication and source verification: Prevent unauthorized users or sources from bringing in data and facilitate logging for future auditing;
  • File type analysis and filtering: Prevent risky file types from entering the facility, including files that have spoofed extensions
  • Multiple anti-malware engine scanning: Detect threats that are known by any of the many commercial anti-malware engines, and leverage many varying heuristic algorithms to detect zero-day attacks;
  • Document sanitation: Further protect against unknown threats by using sanitation methods to strip potential threats out of documents and images.

Order Security ManualSample DRP