Security is a pipe-dream

Security Pipe Dream for many

Security is a pipe-dream,  few enterprises are fully protected from events that have occurred in the past several months.  All one has to do is to look at the recent cyber attacks at Uber and Experian. In both of those cases, the CIO and/or  CSO were blamed and left the organization.

Not many CIOs and CSOs feel they have 100% of their security risks covered. In a recent survey that was published in NetworkWorld:

  • 55% said that was the case
  • 40% said they hope the had all of their security bases covered
  • 6% said that they did

With only 6% saying they had all of their bases covered there are many opportunities for security hackers and data breachers to attack the systems in place.

Now that we know that a security breach may occur, how sure are these same CIOs and CSOs that they will be able to react in time? The first step is detection that a hack or breach has occurred. In another survey by Janco Associates, we found that in midsized and large enterprises:

  • 35% had a detection solution in place and they automatically quarantined the server(s)
  • 43% had a detection solution in place but had to “manually” quarantine the server(s)
  • 23% had to “manually” put the server(s) offline when they found out they had a problem

When you put these two sets of data together, you conclude that less than 2% of enterprises are protected adequately enough to prevent a major security hack or breach occurs.

Disaster Recovery / Business Continuity &
Security Template Bundle

ISO 27000, Sarbanes-Oxley, and HIPAA Compliant
PCI-DSS Compliant

Order DRP BCP SecuritySample DRP Security Manual

Experts Agree You Should Update Your Plan Annually

Security is a critical concern during the recovery process

It goes without saying that every company, regardless of size, needs a concise business continuity plan in case of an emergency. If you don’t have a disaster recovery plan or haven’t updated yours recently, now is the time to take this critical step to protect your business.

At Risk e-Mail Accounts

At risk e-mail accounts are Gmail, Yahoo, and Hotmail

Security Manual Template
Security Manual Template contains all of the procedures needed to support a world class security infrastructure. Contain BIA and Threat Assessment Tools.

At risk e-mail accounts according to the University of California (Berkeley) and Google are Gmail.com, Yahoo.com and Hotmail.com.  Users who use those email  account have the highest probability of being  victims of hacking attacks. The types of attacks are credential exposure, phishing, and keylogging.

Much of the expose is due to the multitudes of “unsophisticated” users who are not well trained in how to avoid those attacks.  In addition, there is the exposue they face due to the loss of their credentials because of a lack of adequate security at hosting sites from where their credentials and personal data can be extracted.  The cases in point are the recent massive hacks at Yahoo and Experian.

The summary results of the study are:

At Risk e-mail accountsThe data does NOT reflect the victims of the Yahoo and Experian attacks.

Read on SecurityOrder Security ManualDownload Selected Security Manual Pages

 

 

Security Vulnerability Analysis Tool

Security Vulnerability Analysis Tool and BIA in Template

Security Manual Template
Security Manual Template contains all of the procedures need to support a world class security infrastructure. Contain BIA and Threat assessment tools.

Security Vulnerability Analysis Tool is not included as part of Janco’s Security Manual Template.  Firewalls have become ubiquitous across enterprises over the past decade, but the combination of new and varied access methods combined with increasingly sophisticated attacks has forced network operators and security professionals to constantly evaluate their defenses. When deploying a next-generation firewall there are many  factors to consider.

The Security Manual template now includes the latest Threat Vulnerability Analysis Tools.  They are proven and ready to use.

One of the really great features are all of the electronic forms that come with the Security Manual Template.

Read on SecurityOrder Security ManualDownload Selected Security Manual Pages

DR/BC Plans and Security Procedures have errors

DR/BC Plans and Security Procedures errors

DR/BC Plans and Security Procedures errors – Janco has reviewed the recovery processes of 148 enterprises that were impacted by the recent hurricanes, fires, miscellaneous business disruption events and found that 53% had some significant error(s) or omission(s) in their DR/BC Plans and/or security procedures. Many were attributed to the length of the business interruption event and the lack of supporting infrastructure such as cell communication (Puerto Rico) or shortage of fuel for back up generators.

Only 17% of enterprises that had major business disruption events in the summer and fall of 2017 had no major issues with their DR/BC plan activation process and security procedures

Janco is currently in the process of determining what were the causes for these defect.  Preliminary  findings are that as a result of the slow economy enterprise cut back on the maintenance of core infrastructure.  This included updating existing DR/BC plans Security procedures with changes, training in those areas, and people being reassigned or leaving the enterprise that were critical for these processes.

Janco’s Solution

Janco has added 17 electronic forms to alleviate this problem in DR/BC plan and its Security Manual Template. Included as a bonus is an eReader format of both templates.  The forms can be completed via tablets and smartphones and stored in a remote cloud location.  With the included security and DR/BC audit programs, it now is easier to highlight those areas of existing plans and procedures which need work to guarantee compliance with security mandates and success in the recovery process.

Security and DR - BC Read onOrder DRP BCP SecurityDownload Table of Contents Security and DRP templates

10 Reasons why Chip Readers

10 Reasons why Chip Readers used by merchants

10 Reason why Chip Readers10 Reasons why Chip Readers usage will expand.

  1. Credit card chip usage improves the security landscape
  2. Required for compliance
  3. Merchants pay a lower fee
  4. Physical card is required for in-store transactions
  5. Credit card chips reduce counterfeit card fraud: Countries that have been using chip cards for many years have seen significant reductions in counterfeit card fraud. In the UK, for example, counterfeit card losses have been reduced by 70%.
  6. An increased number of chip cards in consumers’ possession: over 600 million chip cards have been issued in the U.S. as of the end of 2016.
  7. Majority of all retail outlets now accept chip cards: almost 90% of all travel, entertainment, and high-cost retail operations accept chip cards
  8. Swipe and insert versus manually keying in card information is more accuracte
  9. Daily settlement of transactions for merchants
  10. Get accurate customer information: For online transactions validate customers’ billing and address information is entered correctly.

Read on…

Order Omni Commerce Planning ToolkitDownload Selected Pages of omni commerce strategy

10 Question Security Assessment Process

10 Question Security Assessment Process for CIOs and CSOs

10 Question Security Assessment
Everything that needs to be done in order to improve the security and compliance of the enterprise

10 Question Security Assessment Process is a way for CIOs and CSOs to quickly identify risks that they need to address.

  1. What does the enterprise need to differently today in order to stop a breach tomorrow?
  2. Does the enterprise know if the company has been breached? How does it know?
  3. What assets are protecting, what are they being protected from (i.e., theft, destruction, compromise), and who are they being protected them from (i.e. cybercriminals or insiders)?
  4. What risks does the enterprise face if it is breached (i.e., financial loss, reputation, regulatory fines, loss of competitive advantage)?
  5. Does the enterprise’s IT security implementation match the enterprise’s business-centric security policies?
  6. Are formal written policies, technical controls or both in place? Are they being followed?
  7. What is the enterprise’s security strategy for IoT?
  8. What is the enterprise’s security strategy for BYOD and “anywhere, anytime, any device” mobility?
  9. Does the enterprise have an incident response plan in place?
  10. What is the enterprise’s remediation process? Can the enterprise recover lost data and prevent a similar attack from happening again?

Supports Meaningful Use Compliant Stage Implementation – Meets HIPAA Ransomware Guidelines — Comes in eReader, MS Word, and PDF formats. Includes 24 Electronic Forms that are ready to use and User Bill of Rights for Sensitive Data and Privacy

Order Security Policies and ProceduresDownload TOC security policies

Minimize breach response cost

Minimize breach response cost with operational strategy

Minimize breach response cost
Policies and procedures need to defined and be in place in order to minimize breach response cost

While the costs of a data breach can vary widely on a case-by-case basis, CIOs who understand the drivers behind the expense will be better positioned to take steps needed to protect their organization.

Here are 6 way to minimize breach response cost:

  1. Eliminate data you do not need.
    You can potentially dramatically reduce your exposure by destroying records of past customers.  You cannot lose data if you do not save it. In 2015 one company served 69 million customers, yet when they were breached that year, they exposed 78 million records. The extra nine million records most likely come from former customers. Each of these individuals had to be notified and offered credit monitoring, driving up costs.
  • Do not store street address if there is no real business requirement.
    When a breach occurs, companies are typically required to notify affected individual via old-fashioned, handwritten “snail mail.” But they can use alternative methods of notification, such as email or public announcement if they do not have a valid mailing address. Physical, written notifications can cost up to $2 per person, and the cost quickly adds up. It may be worth asking twice what the business need for those customer addresses is and considering not capturing these addresses to reduce the exposure to notification requirements.
  • Utilize logs to prove proof a breach or data loss did not occur.
    One industry study shows that in 44% of incidents, public notification is not required. To avoid notification, companies must prove that, even if they were attacked, no records were improperly accessed. To do so, they use systems logs. Without logs, a company may be forced to assume a breach occurred because it cannot prove otherwise.
  • Follow PCI rules and protect credit card data.
    For breaches that involve credit card data, reimbursing card companies for fraudulent transactions can amount to a staggering cost, from $3-$30 or more per card. New chip cards are designed to reduce fraud, and early data show they are having the intended effect – MasterCard reported a 54% reduction in counterfeit card fraud costs at retailers who have switched to chip cards.
  • Use experts who know the breach response landscape.
    Your breach response effort is not a good time to reinvent the wheel. Missteps happen fast and have serious consequences. Credit monitoring alone can cost $5 to $30 per person. Data breach specialists, such as PR consultants or data privacy lawyers, often have seen as many as hundreds of data breaches and are highly practiced at helping you craft a genuine story that keeps confusion – and costs – down.
  • Be prepared for additional audits and compliance reviews.
    In the wake of a breach, a company may be audited and investigated by a number of regulatory agencies. While it’s not guaranteed to occur, it is likely, and there are simple steps you can take to prevent sensational fines if it does. To start, CIOs and  CFOs should be strong advocates for the implementation of the security controls recommended by external auditors or by regulators themselves.

Security Architect

Security Architect is a Hot New Job

Security Architect job description
Security Architect is just one of over 280 full job descriptions that are delivered electronically

Security Architect – The one position that CIOs and C-Level executives are looking to fill.  With all of the recent cyber-attacks and negative publicity they have generated there is a need for this proactive position.

Most of the other positions are focused on “after the fact” monitoring.  This one looks at what could happen and creates an architecture which address potential cyber-attacks and hacks.  The individuals operate on a philosophy that is easier to prevent something from happening versus trying to address problems after they occur.

Position Purpose

The individual in this position  assumes responsibility for data security including the planning, design and implementation of security measures which safeguard access to enterprise terminal files and data elements.  The administrator provides rapid response to user community’s request for security assistance.

They  secure enterprise information by determining security requirements; planning, implementing, and testing security systems; preparing security standards, policies, and procedures; mentoring team members.

The full job description for this position has just been released.

Security Architect read on…

Order Security Architect Job Description

10 Best Practices for managing cyber-attack

10 Best Practices for managing cyber-attack

10 Best Practices for managing cyber-attack
10 Best Practices for IT Infrastructure are contained in this bundle of policies and procedures

10 Best Practices for managing cyber-attack have never been more important than today. They are:

  1. Stay calm, prioritize and don’t point fingers
  2. Assign response responsibility to a single point of contact
  3. Have both an incident response plan and a disaster recovery plan in place
  4. Take detail backups regularly – store backups on non-connected sites
  5. Have a business continuity plan in place with solutions that do not depend on the existing networks and data
  6. Have a PR/media and legal operational plan in place before the event
  7. Immediately notify customers
  8. Manage user/customer expectations
  9. Conduct a postmortem
  10. Implement policies and procedures that focus on infrastructure security
Order IT Infrastructure PoliciesDownload Selected Pages

 

Common Security Concerns

Common Security Concerns that CSOs and CIOs have

Security Manual Template - Common Security Concersn
CIOs and CSOs often are tasked to address user and C-Level management’s common security concerns. The Security Manual Template and its associated items address each of these in detail.

When the CIOs and CSOs discuss common security concerns these five topics always seem to appear:

  1. Surfing the web anonymously is a thing of the past – As online tracking systems become more sophisticated and harder to shake, the likelihood of private, anonymous browsing is becoming a long-ago memory. Take into account the latest ISP changes, where the U.S. government allows providers to not only track, but sell your browsing history without your consent. These changes in “net neutrality rules” require users to be more vigilant about their own browsing patterns. You can guard your activity by logging out of search engines before browsing, clearing your cache and search history, and switching to a private browser to minimize the various ways your browsing history is catalogued.Order Security Policies and ProceduresDownload TOC security policies
  2. Anyone gain access your webcam – Hackers can and do target cameras by disabling the light that notifies of access, and keeping tabs in order to commit some sort of crime. Many users have responded by putting dark tape or coverings over their computer’s webcam. But as more smart devices are created and purchased, the surface area for webcam hacking only expands. Think, for example, of all the places you take your smartphone, with its built-in camera almost always pointing in your direction. The malware used to hack webcams, known as RAT (remote access Trojan), is often spread through spam email. Once clicked, the software is capable of disabling your light so you’re never made aware of anyone watching.
  3. How to protect against identity theft – Be wary of sites asking for personal information to complete a basic task, such as subscribing to a newsletter. When submitting personal information, such as your address or payment method, check for https versus http and never submit this information to a party you’re not familiar with or for a request you don’t remember making.Protecting your identity, at its core, always comes back around to common sense behavior online. Understand risks, practice careful consuming, and taking precaution to diversify passwords and watch out for phishing schemes.
  4. Free antivirus software is not free – You get what you pay for in the area of antivirus and malware protection. If it is free a lot of people use it and when there is a security hole – hackers will attack.  That is opposed to paid programs were vendors constantly update the software to address new issues as the occur.
  5. Are tablets, Smartphones and Macs safe without antivirus software? – Though the Android and Mac OS X boast of operating systems that claims they are tough to breach, they still contains weak access points. Just like any tool that surfs the web or connects to wireless routers, security is needed to scan all those items you click. (Recent research suggests Macs are now more vulnerable than PCs.)While these devices have often carried around the title of most-secure operating system, it doesn’t hurt to back up your devices with the latest antivirus security protection.

IT Related Fraud issues addressed by Janco

 IT related fraud occurred in over 70% companies

Malware exposure is high in many enterprises

IT related fraud and alware infections cause a number of problems. Machines become unresponsive or sluggish resulting in users become frustrated and administrators spending precious time trying to find the problem.

Once an attacker is on the inside, his or her work is significantly easier since on most networks, systems on the inside are trusted.   To that end, in a review of over 300 security audits Janco has found a list of the greatest security weaknesses.

Enterprise Wde Security Weaknesses

The weaknesses are:

  • Using only single level verification for access to sensitive data
  • Having “public” workstations or access point is connected to a secure network
  • Sharing login credentials
  • Data validation for forms is contained in client-side JavaScript
  • Connect to network from an unsecure access point
  • Corporate web site is encrypted but the login process is not
  • Using weak encryption for back end management
  • Using unencrypted or weak encryption for Web site or Web server  management

Order Security Policies and ProceduresDownload TOC security policies

eReader Security Template

eReader Security Template released with version 12

eReader Security Template
eReader Security Template now address SIEM with both best practices and KPI metrics in addition to identity protection

eReader Security Template has just been released by Janco with its latest update of the security manual.  This is a major update as it the template now also includes KPI metrics and best practices for Security Information and Event Management (SEIM) as well as a chapter in Identity Protection.

This security template was first release in 1999 and has been updates between 3 to 4 times each year.  Currently the template is over 250 pages and includes chapters on the following topics.

  • Security policies – scope and objectives
  • Minimum and Mandated Security Standard Requirements
  • Vulnerability Analysis and Threat Assessment
  • Risk Analysis – IT Applications and Functions
  • Physical Security
  • Facility Design, Construction and Operational Considerations
  • Media and Documentation
  • Physical and Virtual File Server Security Policy
  • Network Security
  • Sensitive Information Policy
  • Internet and Information Technology Contingency Planning
  • Insurance Requirements
  • Security Information and Event Management (SIEM)
  • Identity Protection
  • Ransomware – HIPAA Guidance
  • Outsourced Services
  • Waiver Procedures
  • Incident Reporting Procedure
  • Access Control Guidelines
  • Electronic Communication
  • Mobile Access and Use Policy

Read on SecurityOrder Security ManualDownload Selected Security Manual Pages

 

 

Top 10 tips improve social networking security

Top 10 tips and best practices to improve social networking security

Top 10 tips improve social networking security – These best practices will improve social networking security and protect the enterprise’s social networking reputation.

  1. Educate employees – Educating employees of best practices can help improve the overall security of the business. Awareness through seminars, workshops, and other programs help educate how attackers use social media to target a brand via individual employees.
  2. Have employees use different passwords for different system – Encourage users to have multiple unique passwords. This can be support by implementing a cloud based password management system.
  3. Mandate strong passwords – Make it a requirement to have unique strong passwords.
  4. Have employees change passwords regularly – One every three or four months communicate with employees to tell them it is time to change their passwords.
  5. Do not share accounts – For social accounts that represent the enterprise only have one user per each and the linking e-mail account should be one that is in the enterprise domain and will remain with the enterprise in case the employee leaves or is terminated
  6. Implement two factor authentication – Many of the larger social networks provide two-factor authentication, commonly in the form of a code sent to their smartphone or email each time a new device or browser attempts to login to the account.
  7. Educate employees to NOT open email attachments or go to links where the originator is not known – Stress the practices of carefully reviewing URL links before clicking to make sure the company and site name are spelled correctly. Cybercriminals will often blast out links that are very similar to a real address adding, subtracting or rewording parts to differentiate them.
  8. Utilize antivirus and security software – . No matter how careful a user is, there’s always the risk of accidentally engaging with a malicious link – and just one unfortunate click can lead to months of recovery time.
  9. Don’t friend people you do not know – Companies should encourage employees to thoroughly vet a friend request before hitting “accept”. They should check to see if other colleagues are also connected to the account. If the account seems suspicious or you don’t know the individual, ignore or report the user, and refrain from clicking on any links they may have sent.
  10. Validate and verify – just because it is on the Internet does not make it true.

Order Policy Download Selected Pages

Walmart denies hack occurred

14,600 emails addresses and passwords posted – Walmart denies hack occurred

Walmart denies hack occurred
Incident Communication Plan

Walmart denies hack occurred after email address and passwords were posted.   – Over 14,600 email addresses and plain-text passwords associated with Sam’s Club’s online store were dumped on Pastebin, a text sharing site. Walmart denied a hack occurred.

The title of the password dump said that the accounts listed belonged to the retail giant. The company which has over 650 locations across the US and tens of millions of members.

Walmart said “.. looked into this issue and there is no indication of a breach of our systems. It is most likely a result of one of the past breaches of other companies’ systems. Because customers often use the same usernames and passwords on various sites, bad actors will typically test the credentials they obtain across many popular sites. Unfortunately, this is an industry-wide issue,” said a Walmart spokesperson.

Order PolicySample Policy

That is no way to inspire confidence in the security of an enterprise’s website.

To survive an incident such as a business interruption, security breach, or a product recall, organizations need more than a successful communication strategy – they need an incident communication plan.

The overall objectives of a incident communications plan should be established at the outset. The objectives should be agreed upon, well understood, and publicized. For example, will the primary objective of the communications plan be for communications only to employees, and only during a disaster? Or is the intent to advise customers of interruptions to service? Or is it for investors and stockholders? Or regulatory agencies? Or is it some combination of these?

New York Security Compliance

New York Security Compliance Mandates added

New York Security Compliance – The State of New York announced a series of new rules strengthening cybersecurity requirements for financial firms. This is the latest in a series of announcement aimed at protecting clients, consumers and financial entities from the “ever-growing threat of cyber-attacks.

New York Security ComplianceThe Governor of New York said, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from … state-sponsored organizations, global terrorist networks, and other criminal enterprises.” Even if your firm isn’t directly subject to these new regulations, it’s safe to assume that this approach will be rapidly adopted by similar regulatory bodies domestically and around the world.

The current draft calls for the “encryption of all nonpublic information held or transmitted”, but because they tie it tightly to access control, acceptable usage policy, and data retention. Simple encryption won’t be enough to comply with the New York mandates.

To comply with New York Security Compliance mandates CFOs, CIOs, and CSOs, and firms should:

  • Implement more dynamic ways to protect data. Enterprises will need to deploy more dynamic forms of data protection that extend beyond their current systems. When the requirement for encryption and data-loss protection spans not just records and managed systems, but anywhere data can travel, traditional means of encryption and monitoring are scale able. Organizations will need to enforce granular limitations on access privileges, implement new audit systems to document data governance, and be able to remotely apply data disposition and destruction rules.
  • Tie access control and privilege management to identity. In a complex technology ecosystem, it’s no longer feasible to define access and privilege at the system, device, or perimeter. Identity is the one attribute that crosses on-premises, cloud, and un-managed services, and provides a consistent way to set, audit, and control access to confidential information. Ultimately, encryption, access controls, and data-in-use protections must persist independent of the kinds of data protected, where it’s stored, or how it’s shared.
  • Prioritize solutions to balance simplicity and security. Too often, risk and security teams have simply added new solutions to their portfolio in response to regulations and enforcement. Unfortunately, this has often created a complex, hard-to-navigate forest of tools, hurdles, and collaboration dead-ends for employees. The downside of that is it creates incentives for otherwise well-intentioned people to avoid following policy, increasing the risk of a material breach.
  • Make audit a primary concern. In the past, the requirement for an audit trail on data access was seen as an add-on. In the worst case, it was an afterthought, something built last as a reaction to risk and compliance needs. But, by thinking differently about this rich trove of data, you can improve your visibility into data use and your ability to identify dangerous behavior in advance. In many cases, you will be able to proactively stop data loss before it happens. With a strategy that protects data directly, by deploying identity-driven access controls and dynamic permissions, you can use the data from each user interaction to build a better picture of where data is traveling, and to whom.
  • Take a more dynamic approach to data protection. Adhere to mandates and be ready to tell any auditor about your enterprises ability to protect the confidentiality, integrity, and availability of your enterprise’s information.

Order Security ManualDownload Selected Pages

%d bloggers like this: