Security is a pipe-dream

Security Pipe Dream for many

Security is a pipe-dream,  few enterprises are fully protected from events that have occurred in the past several months.  All one has to do is to look at the recent cyber attacks at Uber and Experian. In both of those cases, the CIO and/or  CSO were blamed and left the organization.

Not many CIOs and CSOs feel they have 100% of their security risks covered. In a recent survey that was published in NetworkWorld:

  • 55% said that was the case
  • 40% said they hope the had all of their security bases covered
  • 6% said that they did

With only 6% saying they had all of their bases covered there are many opportunities for security hackers and data breachers to attack the systems in place.

Now that we know that a security breach may occur, how sure are these same CIOs and CSOs that they will be able to react in time? The first step is detection that a hack or breach has occurred. In another survey by Janco Associates, we found that in midsized and large enterprises:

  • 35% had a detection solution in place and they automatically quarantined the server(s)
  • 43% had a detection solution in place but had to “manually” quarantine the server(s)
  • 23% had to “manually” put the server(s) offline when they found out they had a problem

When you put these two sets of data together, you conclude that less than 2% of enterprises are protected adequately enough to prevent a major security hack or breach occurs.

Disaster Recovery / Business Continuity &
Security Template Bundle

ISO 27000, Sarbanes-Oxley, and HIPAA Compliant
PCI-DSS Compliant

Order DRP BCP SecuritySample DRP Security Manual

Experts Agree You Should Update Your Plan Annually

Security is a critical concern during the recovery process

It goes without saying that every company, regardless of size, needs a concise business continuity plan in case of an emergency. If you don’t have a disaster recovery plan or haven’t updated yours recently, now is the time to take this critical step to protect your business.

At Risk e-Mail Accounts

At risk e-mail accounts are Gmail, Yahoo, and Hotmail

Security Manual Template
Security Manual Template contains all of the procedures needed to support a world class security infrastructure. Contain BIA and Threat Assessment Tools.

At risk e-mail accounts according to the University of California (Berkeley) and Google are Gmail.com, Yahoo.com and Hotmail.com.  Users who use those email  account have the highest probability of being  victims of hacking attacks. The types of attacks are credential exposure, phishing, and keylogging.

Much of the expose is due to the multitudes of “unsophisticated” users who are not well trained in how to avoid those attacks.  In addition, there is the exposue they face due to the loss of their credentials because of a lack of adequate security at hosting sites from where their credentials and personal data can be extracted.  The cases in point are the recent massive hacks at Yahoo and Experian.

The summary results of the study are:

At Risk e-mail accountsThe data does NOT reflect the victims of the Yahoo and Experian attacks.

Read on SecurityOrder Security ManualDownload Selected Security Manual Pages

 

 

Security Vulnerability Analysis Tool

Security Vulnerability Analysis Tool and BIA in Template

Security Manual Template
Security Manual Template contains all of the procedures need to support a world class security infrastructure. Contain BIA and Threat assessment tools.

Security Vulnerability Analysis Tool is not included as part of Janco’s Security Manual Template.  Firewalls have become ubiquitous across enterprises over the past decade, but the combination of new and varied access methods combined with increasingly sophisticated attacks has forced network operators and security professionals to constantly evaluate their defenses. When deploying a next-generation firewall there are many  factors to consider.

The Security Manual template now includes the latest Threat Vulnerability Analysis Tools.  They are proven and ready to use.

One of the really great features are all of the electronic forms that come with the Security Manual Template.

Read on SecurityOrder Security ManualDownload Selected Security Manual Pages

Minimize breach response cost

Minimize breach response cost with operational strategy

Minimize breach response cost
Policies and procedures need to defined and be in place in order to minimize breach response cost

While the costs of a data breach can vary widely on a case-by-case basis, CIOs who understand the drivers behind the expense will be better positioned to take steps needed to protect their organization.

Here are 6 way to minimize breach response cost:

  1. Eliminate data you do not need.
    You can potentially dramatically reduce your exposure by destroying records of past customers.  You cannot lose data if you do not save it. In 2015 one company served 69 million customers, yet when they were breached that year, they exposed 78 million records. The extra nine million records most likely come from former customers. Each of these individuals had to be notified and offered credit monitoring, driving up costs.
  • Do not store street address if there is no real business requirement.
    When a breach occurs, companies are typically required to notify affected individual via old-fashioned, handwritten “snail mail.” But they can use alternative methods of notification, such as email or public announcement if they do not have a valid mailing address. Physical, written notifications can cost up to $2 per person, and the cost quickly adds up. It may be worth asking twice what the business need for those customer addresses is and considering not capturing these addresses to reduce the exposure to notification requirements.
  • Utilize logs to prove proof a breach or data loss did not occur.
    One industry study shows that in 44% of incidents, public notification is not required. To avoid notification, companies must prove that, even if they were attacked, no records were improperly accessed. To do so, they use systems logs. Without logs, a company may be forced to assume a breach occurred because it cannot prove otherwise.
  • Follow PCI rules and protect credit card data.
    For breaches that involve credit card data, reimbursing card companies for fraudulent transactions can amount to a staggering cost, from $3-$30 or more per card. New chip cards are designed to reduce fraud, and early data show they are having the intended effect – MasterCard reported a 54% reduction in counterfeit card fraud costs at retailers who have switched to chip cards.
  • Use experts who know the breach response landscape.
    Your breach response effort is not a good time to reinvent the wheel. Missteps happen fast and have serious consequences. Credit monitoring alone can cost $5 to $30 per person. Data breach specialists, such as PR consultants or data privacy lawyers, often have seen as many as hundreds of data breaches and are highly practiced at helping you craft a genuine story that keeps confusion – and costs – down.
  • Be prepared for additional audits and compliance reviews.
    In the wake of a breach, a company may be audited and investigated by a number of regulatory agencies. While it’s not guaranteed to occur, it is likely, and there are simple steps you can take to prevent sensational fines if it does. To start, CIOs and  CFOs should be strong advocates for the implementation of the security controls recommended by external auditors or by regulators themselves.

Common Security Concerns

Common Security Concerns that CSOs and CIOs have

Security Manual Template - Common Security Concersn
CIOs and CSOs often are tasked to address user and C-Level management’s common security concerns. The Security Manual Template and its associated items address each of these in detail.

When the CIOs and CSOs discuss common security concerns these five topics always seem to appear:

  1. Surfing the web anonymously is a thing of the past – As online tracking systems become more sophisticated and harder to shake, the likelihood of private, anonymous browsing is becoming a long-ago memory. Take into account the latest ISP changes, where the U.S. government allows providers to not only track, but sell your browsing history without your consent. These changes in “net neutrality rules” require users to be more vigilant about their own browsing patterns. You can guard your activity by logging out of search engines before browsing, clearing your cache and search history, and switching to a private browser to minimize the various ways your browsing history is catalogued.Order Security Policies and ProceduresDownload TOC security policies
  2. Anyone gain access your webcam – Hackers can and do target cameras by disabling the light that notifies of access, and keeping tabs in order to commit some sort of crime. Many users have responded by putting dark tape or coverings over their computer’s webcam. But as more smart devices are created and purchased, the surface area for webcam hacking only expands. Think, for example, of all the places you take your smartphone, with its built-in camera almost always pointing in your direction. The malware used to hack webcams, known as RAT (remote access Trojan), is often spread through spam email. Once clicked, the software is capable of disabling your light so you’re never made aware of anyone watching.
  3. How to protect against identity theft – Be wary of sites asking for personal information to complete a basic task, such as subscribing to a newsletter. When submitting personal information, such as your address or payment method, check for https versus http and never submit this information to a party you’re not familiar with or for a request you don’t remember making.Protecting your identity, at its core, always comes back around to common sense behavior online. Understand risks, practice careful consuming, and taking precaution to diversify passwords and watch out for phishing schemes.
  4. Free antivirus software is not free – You get what you pay for in the area of antivirus and malware protection. If it is free a lot of people use it and when there is a security hole – hackers will attack.  That is opposed to paid programs were vendors constantly update the software to address new issues as the occur.
  5. Are tablets, Smartphones and Macs safe without antivirus software? – Though the Android and Mac OS X boast of operating systems that claims they are tough to breach, they still contains weak access points. Just like any tool that surfs the web or connects to wireless routers, security is needed to scan all those items you click. (Recent research suggests Macs are now more vulnerable than PCs.)While these devices have often carried around the title of most-secure operating system, it doesn’t hurt to back up your devices with the latest antivirus security protection.

IT Related Fraud issues addressed by Janco

 IT related fraud occurred in over 70% companies

Malware exposure is high in many enterprises

IT related fraud and alware infections cause a number of problems. Machines become unresponsive or sluggish resulting in users become frustrated and administrators spending precious time trying to find the problem.

Once an attacker is on the inside, his or her work is significantly easier since on most networks, systems on the inside are trusted.   To that end, in a review of over 300 security audits Janco has found a list of the greatest security weaknesses.

Enterprise Wde Security Weaknesses

The weaknesses are:

  • Using only single level verification for access to sensitive data
  • Having “public” workstations or access point is connected to a secure network
  • Sharing login credentials
  • Data validation for forms is contained in client-side JavaScript
  • Connect to network from an unsecure access point
  • Corporate web site is encrypted but the login process is not
  • Using weak encryption for back end management
  • Using unencrypted or weak encryption for Web site or Web server  management

Order Security Policies and ProceduresDownload TOC security policies

Walmart denies hack occurred

14,600 emails addresses and passwords posted – Walmart denies hack occurred

Walmart denies hack occurred
Incident Communication Plan

Walmart denies hack occurred after email address and passwords were posted.   – Over 14,600 email addresses and plain-text passwords associated with Sam’s Club’s online store were dumped on Pastebin, a text sharing site. Walmart denied a hack occurred.

The title of the password dump said that the accounts listed belonged to the retail giant. The company which has over 650 locations across the US and tens of millions of members.

Walmart said “.. looked into this issue and there is no indication of a breach of our systems. It is most likely a result of one of the past breaches of other companies’ systems. Because customers often use the same usernames and passwords on various sites, bad actors will typically test the credentials they obtain across many popular sites. Unfortunately, this is an industry-wide issue,” said a Walmart spokesperson.

Order PolicySample Policy

That is no way to inspire confidence in the security of an enterprise’s website.

To survive an incident such as a business interruption, security breach, or a product recall, organizations need more than a successful communication strategy – they need an incident communication plan.

The overall objectives of a incident communications plan should be established at the outset. The objectives should be agreed upon, well understood, and publicized. For example, will the primary objective of the communications plan be for communications only to employees, and only during a disaster? Or is the intent to advise customers of interruptions to service? Or is it for investors and stockholders? Or regulatory agencies? Or is it some combination of these?

eReader versions of the DR Plan and IT Job Descriptions

eReader version of DR/BC Plan and IT Job Descriptions – 273 jobs

eReader version of DR Plan and IT Job Descriptions have just been released by Janco.  Both of these offering now can be put in an enterprise’s catalog of electronic documents which can be shared across the network.

eReader books by Janco
eReader books by Janco

The .epub version can be read by most (if not all mobile devices) including iPad, Surface, generic tablets, SmartPhones, and computer desktops.  With this step forward a great collaboration tool is now in the hands of individuals who can review, write notes on, share, and utilize as a handy set of reference tools.

The eReader version are fully indexed, have a hot link table of contents and meet industry standards for mobility.

Over the course of the next several months Janco will be adding .ePub options to most of its product line.  Products that are next in line for this include.

Order Sensitive Information Policy

10 step security

10 step security for third party access to enterprise systems

10 Setps for security in cloud Security plan10 step security for 3rd party access to enterprise systems are a must with the increased use of internet processing and use by day to day business operations.

Security and compliance are key to maintaining control of sensitive and confidential information. All of the product offerings of Janco are geared towards proving tools to help C-Level executives and top IT professionals maintain the privacy of its users and enterprise data.

Order Security ManualDownload Selected Pages

  1. Create an asset inventory and tracking to reduce the risk of network-connected assets being out of compliance with policy.
  2. Understand the cloud-based environment where all users are considered remote, and apply controls similar to how they have historically provided access to third parties.
  3. Make changes in how the organization manages and controls these various user-types by incorporating concepts such as zero-trust, network abstraction, extended identity validation and full-session recording to effectively reduce the overall risk and isolate any potential impact caused by third parties or remote user actions.
  4. Define a plan which meets the requirements for external contractors, employees, and B2B entities.
  5. Coordinate third party access plan in conjunction with their business units and develop a solid communications plan.
  6. Create rules for access using the appropriate level of controls commensurate with their given risk profiles, to include: isolation/segmentation, encryption, and federation integrations.
  7. Establish access points and rules for data availability to third parties
  8. Invest in ways to authenticate third-party users beyond simple username and password.
  9. Define metrics which address compliance variances and risks, and build an end-to-end security and risk view for the entire enterprise.
  10. Create a reporting system which track access, access violations, downloads and total usage. This should be real-time and have assigned individuals monitor and report and deviations.

Order Cloud Outsourcing TemplateDownload Selected Pages

Top 10 Security Predictions

Top 10 Security Predictions

Top 10 Security Predictions – Many organizations fail to realize the benefits of security information management due to the often exhaustive financial and human resource costs of implementing and maintaining the software. However, Janco’s’ Security Manual Template – the industry standard – provides the infrastructure tools to manage security, make smarter security decisions and respond faster to security incidents and compliance requests within days of implementation.

Top 10 Security Predictions from Janco Associates are:

  1. Over the next several years almost all of vulnerabilities exploited by hackers will continue to be ones known by security and IT professionals for at least one year.

    Top 10 Security Predictions
    Top 10 Security Predictions
  2. Robotics will take over many security operations. China will lead the way with 30-40K students training in universities with this technology. US will lag for several years.
  3. Shadow IT will be responsible for over one third of attacks experienced by enterprises.
  4. The need to prevent data breaches from public clouds will drive many organizations to develop data security governance programs.
  5. Over the long term enterprises engaged in application development will secure applications by adopting application security self-testing, self-diagnosing and self-protection technologies.
  6. Future cloud-based providers will include network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms in their offerings.
  7. Identity as a service (IDaaS) implementations the focus of several new companies.
  8. Use of passwords and tokens in will drop 55%, due to the introduction of bio-metrics.
  9. A majority of IoT device manufacturers will not be able to address threats from weak authentication practices.
  10. More than 25% of identified enterprise attacks will involve IoT.

Order Security ManualDownload Selected Pages

10 Security Assessment Questions

10 Security Assessment Questions

Security Assessment and Compliance Management
Security Assessment and Compliance Management

Security Assessment Questions

  1. To stop a breach tomorrow, what does the enterprise need to differently today?
  2. Does the enterprise know if the company has been breached? How does it know?
  3. What assets are being protecting, what are they being protected from (i.e., theft, destruction, compromise), and who are they being protected them from (i.e. cybercriminals or insiders)?
  4. What risks does the enterprise face if it is breached (i.e., financial loss, reputation, regulatory fines, loss of competitive advantage)?
  5. Does the enterprise’s IT security implementation match the enterprise’s business-centric security policies?
  6. Are formal written policies, technical controls or both in place? Are they being followed?
  7. What is the enterprise’s security strategy for IoT?
  8. What is the enterprise’s security strategy for BYOD and “anywhere, anytime, any device” mobility?
  9. Does the enterprise have an incident response plan in place?
  10. What is the enterprise’s remediation process? Can the enterprise recover lost data and prevent a similar attack from happening again?

Security Compliance – Comprehensive, Detailed and Customizable for Your Business

The Security Compliance Policy and Audit Program bundle provides all the essential sections of a complete security manual and walks you through the creation of each step. Detailed language addressing more than a dozen security topics is included in 220 plus page Microsoft Word document, which you can modify as much or as little as you need to fit your business requirements. The template includes sections on critical topics like:

  • Risk analysis – Threat and Vulnerability Assessment via Electronic Forms
  • Staff member roles
  • Physical security
  • Electronic Communication (email / SmartPhones)
  • Blogs and Personal Web Sites
  • Facility design, construction and operations
  • Media and documentation
  • Data and software security
  • Network security
  • Internet and IT contingency planning
  • Insurance
  • Outsourced services
  • Waiver procedures
  • Incident reporting procedures
  • Access control guidelines
  • PCI DSS Audit Program as a separate document

Order Download Selected Pages

Disaster Recovery Business Continuity with Security

Disaster Recovery Business Continuity with Security

Every company, regardless of size, needs a concise approach  disaster recovery business continuity with security in case of an emergency.

Order DRP BCP Security Download Selected Pages

Disaster Recovery Business Continuity with Security
Disaster Recovery Business Continuity with Security

Data is the lifeblood of every company, and often, it is a competitive advantage and the only thing that differentiates one enterprise from another. Who has the most loyal customers, the best service, and the most innovative strategies all boils down to information residing on the enterprise’s Information Technology and application systems. For this reason disaster recovery and business continuity are a definite need.  In addition, there are  security requirements that need to be met.  With mandated requirements like Sarbanes-Oxley, HIPAA, PCI-DSS, and ITIL, executive management is depending on you to have the right security policies and procedures in place.

Disaster Recovery Business Continuity with Security

Google has addressed this and describes it in a video that is has placed on youtube.

10 step security implementation process :

  • Make security an executive directive
  • Implement clear security guidelines
  • Provide specifics for security compliance
  • Enforce that everyone follows the rules
  • Provide formal training program
  • Communicate Security
  • Monitor security compliance
  • Establish security compliance metrics
  • Provide security compliance feedback
  • Audit security with a third party 

Cyber attack stages

Cyber attack stages

 

Cyber attack stages - Security Manau
Cyber attack stages

Stages of a cyber attack’s life cycle need to be understood so that CIO’s can create an effective defense strategy. Malicious cyber attacks continue to threaten sensitive data — whether it is personal data or company sensitive data — one fact remains: attackers will continue to exploit weakness to infiltrate systems and extract data that they can turn into money. The life cycle of attacks is as follows.Order Security ManualDownload Selected Pages

Identify and define potential attack vectors

The first step attackers usually take is to identify members of staff within the organization and the best attack vectors to utilize. This is done by scanning the organization’s public facing websites and gathering as much information about the sites as possible, while simultaneously performing scans against the internal networks.

Initial attack

Using several identified attack vectors, hackers attempt to gain access to an organization’s network. Using different IP addresses and a significant number of computers, the hackers will kick off an automated dictionary attack and after only a few short days malware is installed on the victim’s computer.

Command and control

With the malware in place, the attackers can now begin an in-depth recon against the internal network. The attackers will attempt to escalate privileges on the victim’s account, and create new user accounts with administrative and privileged access.

Discover and spread

With access to the network, the hackers begin to spread it across the organization’s entire network. With a significant presence within the network allowing them to wait, while making detailed asset maps, noting employee patterns and any other information that can assist them in their long term goal: data theft.

Extract and ex-filtrate

Attacks siphon data out of their target company’s environment. They will do this by moving the targeted data to a remote server. After several weeks or possibly even months of siphoning data, the attackers can end their campaign. However, before exiting, they will ensure that they make several network modifications to enable them to return at anytime in the future.

Discovery and clean up

When the organization finally discovers the compromise, typically more than 200 days to detect a breach, stopping the attack begins.

Top 10 Best Practices Ransomware

Top 10 Best Practices Ransomware

Best Practices Ransomware

Best Practices Ransomware – Ransomware is a class of malware that holds a computer or data “hostage” until the user pays a particular amount or abides by specific instructions. The ransomware restricts access to the data and the system. Some cases of ransomware also repeatedly show messages that tell users they must pay the “ransom” or perform a particular action. There are some ransomware variants that encrypt files found on the system’s hard drive. Users must pay the ransom in order to decrypt the data that was altered by the ransomware.

Cybercriminals behind this threat made use of online payment methods as a way for users to pay the ransom.

  1. Have remote backups of your data that is not “mapped” to your computers and network.
  2. Show hidden file extensions. One way that Cryptolocker frequently arrives is in a file that is named with the extension “.PDF.EXE”, counting on Window’s default behavior of hiding known file-extensions. In order to mitigate this re-enable the ability to see the full file-extension, it can be easier to spot suspicious files.
  3. Have your email server filter out all files that are executables. If there is a need to exchange executable files within your environment and are denying emails with “.EXE” files, you can do so with ZIP files (password-protected) or via cloud services.
  4. Disable files running from AppData/LocalAppData folders. One of the way that ransomware works is to place an executable within those Wndows folders and then launch the programs. By disabling those files you eliminate a major weakness in your operating environment.
  5. Disable Remote Desktop Protocol (RDP) which allows others to access your desktop remotely. If you do not require the use of RDP, you can disable RDP to protect your environment.
  6. Keep your software current by applying patches and updates in a timely manner. Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. It can significantly decrease the potential for ransomware-pain if you make a practice of updating your software often.
  7. Utilize a security suite that has large user base and is updated frequently.
  8. If you run WiFi in your environment, ,make sure that all of the routers in the network are secure, utilize strong passwords and change their passwords at least quarterly. If you do have a ransomware attack turn your WiFi off immediately.
  9. Provide in-depth training to all users who have access to your environment on what they can and cannot do such as accept files that are suspicious or from unknown users.
  10. Stay current with all breaches and ransomware attacks that are reported and adjust your operating environment to address exposures that others have faced.

Security Manual Template and Compliance Tools

Order Security Manual Download Selected Pages

Wearable Device Security Concerns

Wearable Device Security Concerns

Wearable Device Security – Over 300,000,000 wearable devices are going to be deployed in the next several years

Wearable Device Security
Wearable Device Security

Wearable Device Security – Janco Associates has determined that most mobile devices have some major vulnerabilities. They include:

  • Insufficient User Authentication/Authorization: Many devices are vulnerable to account harvesting, meaning an attacker could gain access to the device and data via a combination of weak password policy, lack of account lockout, and user enumeration.
  • Data Encryption Missing: Most devices have implemented transport encryption using SSL/TLS, but almost one half of all cloud connections are vulnerable to the POODLE attack, allow the use of weak cyphers, or still used SSL v2.
  • Insecure Interfaces: Over 1/3 of smartwatches use cloud-based web interfaces, all of which have major security concerns. In addition there are security concerns with the devices mobile applications. These vulnerability enables hackers to identify valid user accounts through feedback received from reset password mechanisms.
  • Software/Firmware Updates Not Secure: Firmware and software security issues, include transmitting updates without encryption and without encrypting the update files. On the plus side, most updates are signed to help prevent the installation of contaminated firmware. While malicious updates cannot be installed, lack of encryption allows the files to be downloaded and analyzed.
  • Privacy Controls are missing: most wearable devices collect some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account security issues and use of weak passwords on some products, exposure of this personal information is a concern.

The use of wearable devices that can capture and broadcast video, voice, data and location information is increasing at an accelerated rate

Janco addresses the security, privacy and reputation management issues for a world in which wearable devices have cameras, microphones, massive data storage and INTERNET connectivity

Download Selected Pages

Wearable devices provide a variety of potential business or educational uses involving accessing, capturing and sharing data.  At the same time they can pose a significant security risk to an organization with, the ability to surreptitiously record audio and video can threaten business confidentiality and jeopardize company data and even its reputation.

With that in mind, the consultants at Janco Associates have created a Wearable Device Policy that can be downloaded and used as a guideline for organizations as they establish rules for the use of such devices in the workplace.

%d bloggers like this: