THE IT SECURITY PROFESSIONAL | Barlowtek
The IT Security Pro
Helping Organizations Understand IT Security & Best Practices
Protecting your home network

One of the hottest areas of technology these days has been the development and adoption of Internet of Things (IoT) devices within the home network. While this technology continues to evolve and the public adopts new applications of it, there are still questions that need to be answered. What security measures do vendors need to implement to help protect the individual user's data?

What is IoT?

IoT devices are devices that you would not normally consider to be a computer, and that may be networked or made "smart" in order to offer greater flexibility or application. Some devices that fall into this category are:

AI & IoT

Artificial Intelligence (AI) is where computers learn certain behaviors or responses to inputs from their environment or users. Computer learning algorithms teach a computer system how to react to those inputs. Some examples of AI would be Alexa by Amazon and Siri from Apple. These applications of AI allow users to access content or affect the environmental controls around them, such as turning lights or music on or off. The current application is to allow an AI such as Siri to access your smart devices in order to control them for you, via voice commands or via a Wi-Fi connection to your home network.

Security Issues

Some of the security issues that still worry IT Security Pros are those that deal with access controls and vulnerability management. These two areas lend themselves to vulnerabilities that could lead to a compromise of a home network. The average user is not thinking about the security behind the product; all they want is a device that they can connect to the network and that just works and does what they need it to do.

Authorize & Authenticate Devices

While IoT devices and services are being adopted more and more, some gaps in security remain. One key area is the authorization or authentication of the devices on the network, which needs to happen in order for the devices to be able to access other applications or services. The more devices you have on the network, the more places for potential compromise or failure. Manufacturers of these devices need to provide support for complex passwords and allow users to change the default settings. This will go a long way toward securing these devices on the network by eliminating default access accounts. Security should be key to the development of new devices as the public becomes more aware of the need to protect their personal information.

Manage Device Updates/Patches

Patching the firmware or other operating system can be a daunting task, even in a small network environment. (With a small installation of an AI and some basic IoT devices on a home network, you could have an additional 12 to 20 devices connecting to it.) Updates and patches to the device firmware should happen over the air, so that devices do not go unpatched and continue to have security holes.

Ensuring Data Privacy

What happens to the sensitive personal data that you share with the Echo? What sort of protections are put into place so that nobody will be able to access this sensitive information?

The problem here is that very little is currently being done by the companies that are putting out these devices. This information should be handled according to current best practices for protected data. Sensitive information should be encrypted, and the data should be stored and protected from being compromised. Devices that use personally identifiable information (PII) should store the information only for the purpose that it was asked for. After use, the information should be disposed of according to current best practices, but if the data is to be retained, then all protections appropriate to that specific type of data should be in place (HIPAA for health data, PCI for credit card information).

Management of Vulnerabilities

Managing vulnerabilities might seem like a no-brainer to some of us, but having devices and applications that are created or manufactured by different vendors makes this a complex task. What might be a vulnerability on one device may make another device not work at all. Even some settings on your network gateway may prevent some devices from getting updates while others get them. Maintaining a list of devices and their firmware configurations will allow the user to better manage these devices. Installing updates and patches when the vendor deploys them is needed in order to address an identified vulnerability. While management of vulnerabilities is easier to do in a business environment, it is also becoming more complex in the home environment.

Summary

The widespread adoption of new technology has a way of spurring innovation in a variety of different fields all at the same time. From home electronics to medical equipment, IoT has proven to be an effective way to get more out of those devices we use every day. While innovation is a good thing, the lack of security controls should be a concern for all of us who use them.

Data, and access to it, has become one of the largest driving forces in business today, but securing that information should be just as important as what the device can do for you.
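As an added illustration of the device list and firmware tracking described under Management of Vulnerabilities (example code written for this page, not from the original post), the following Python script keeps a small home IoT inventory and flags the three conditions the post raises: factory default credentials still in use, firmware behind the vendor's current release, and a device on the network that is not in the inventory. Device names, vendors, MAC addresses, and version numbers are all constructed sample data, as is the "vendor current release" table that in practice you would maintain from each vendor's release notes.

```python
"""
Home IoT inventory check: flags devices that still use default credentials,
run firmware older than the vendor's current release, or were seen on the
network without being in the inventory. All device data below is constructed
sample data, not captured from a real network.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import re


@dataclass
class Device:
    name: str
    vendor: str
    mac: str
    firmware: str
    default_creds: bool  # True if the factory account/password was never changed


# Constructed inventory of a small home network (hypothetical vendors and versions).
INVENTORY: List[Device] = [
    Device("Front door camera", "CamCo", "aa:bb:cc:00:00:01", "2.1.4", default_creds=False),
    Device("Smart thermostat", "HeatCorp", "aa:bb:cc:00:00:02", "1.9.0", default_creds=True),
    Device("Living room speaker", "AudioInc", "aa:bb:cc:00:00:03", "v3.0.2", default_creds=False),
    Device("Garage door opener", "DoorWorks", "aa:bb:cc:00:00:04", "4.2.0", default_creds=False),
]

# Constructed "vendor current release" table; maintained by hand from release notes.
VENDOR_LATEST: Dict[str, str] = {
    "CamCo": "2.3.0",
    "HeatCorp": "1.9.0",
    "AudioInc": "v3.1.0",
    "DoorWorks": "4.2.0",
}

# Constructed list of MAC addresses observed on the network (e.g. the router's
# client list). The last entry is not in the inventory.
OBSERVED_MACS = [
    "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03",
    "aa:bb:cc:00:00:04", "aa:bb:cc:00:00:99",
]


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '2.1.4' or 'v3.0.2' into (2, 1, 4) / (3, 0, 2) so versions compare
    numerically (1.10.0 is newer than 1.9.0). Unparsable strings become (0,)."""
    nums = re.findall(r"\d+", s)
    return tuple(int(n) for n in nums) if nums else (0,)


def firmware_outdated(installed: str, latest: str) -> bool:
    return parse_version(installed) < parse_version(latest)


def check_inventory(inventory, vendor_latest, observed_macs):
    """Return findings as (severity, subject, message), highest severity first."""
    findings = []
    known = {d.mac for d in inventory}
    for d in inventory:
        if d.default_creds:
            findings.append(("HIGH", d.name, "factory default credentials still in use"))
        latest = vendor_latest.get(d.vendor)
        if latest is None:
            findings.append(("MEDIUM", d.name, f"no current firmware version known for vendor {d.vendor}"))
        elif firmware_outdated(d.firmware, latest):
            findings.append(("MEDIUM", d.name, f"firmware {d.firmware} behind vendor release {latest}"))
    for mac in observed_macs:
        if mac not in known:
            findings.append(("HIGH", mac, "device on the network but not in inventory"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: order[f[0]])  # stable sort keeps inventory order within a level
    return findings


def print_report(findings):
    for severity, subject, message in findings:
        print(f"[{severity}] {subject}: {message}")


if __name__ == "__main__":
    print_report(check_inventory(INVENTORY, VENDOR_LATEST, OBSERVED_MACS))
```

Run it after each change to the home network; an unknown MAC address is the quickest sign that something joined the Wi-Fi that you did not put on the list, and the version parser is what keeps "1.10.0" from being mistaken for an older build than "1.9.0".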
Holding your data hostage: What you can do to prevent the impact of ransomware on your business

4/19/2018

Preparing for Disaster

When it comes to security issues hitting the news, nothing has the impact these days like a ransomware attack that has locked up a company's data and demanded a Bitcoin ransom. While there are several schools of thought on this topic, what keeps the IT Security Professional up at night is whether the company or organization will pay the ransom or not, and what would happen to the business. What steps can we take to protect our data now? While this may seem to be an area that is best decided at the top levels of the business, there are actions that you can take right now that can at least limit the impact to the company. While nobody wants to be the victim of a ransomware attack, you should at least prepare for it in case it does happen to you.

Decisions, Decisions

Many companies or organizations will just pay the ransom and not let anyone know that they have been attacked or compromised. There are several reasons that a company may choose to do this, but this action only emboldens the attackers to continue their efforts to attack networks. Senior management will have to make the ultimate decision as to what they will do, but hopefully it is the right one for the business.

Why pay?

When an organization has failed to take what some would call "basic precautions" to reduce its overall risk from this type of threat, the impetus is to pay the ransom, because it does not know whether it would be able to recover the encrypted data that is being held hostage. It comes down to limiting the impact to the business and preventing any impact to the reputation of the organization. How critical the data being held is also factors into the decision-making process. The industry the organization works in may also affect this process, with hospitals, banks, and public service industries being the most difficult to provide rapid access for.

Hindering access could mean the difference between a loss of life or, in most cases, a loss of potential business for the company or service provider.

Preventive Action Plan
Protecting your organization from a ransomware attack begins with having a plan in place that addresses what steps you will take to reduce your overall risk from this threat and what steps you will take if you are compromised. Some areas of focus are listed below:

1. Employee Training/Communication
Employees are our frontline troops in this battle against ransomware, and they need to be informed. We rely on them to notify us if they start seeing something wrong on the network. Holding a training session or sending communications to employees on a regular basis will keep them informed about the possible threat.

2. Patch Management
Installing patches and updates on a regular basis is one area that some organizations have difficulty accomplishing consistently. This is an area that can be a huge risk for an organization, and one that could do a lot to prevent a compromise. Patches should not only be deployed; they should be verified to be effective as well. Following up and auditing the process should also happen, to ensure that the organization is doing all it can to protect against this threat.

3. Malware Protection
Antivirus applications or systems should be deployed throughout the network, and especially on all endpoints (servers, workstations, mobile devices). These applications should be updated on a regular basis and should be running at all times. Ransomware can attack without leaving a trace, and most antivirus applications use some sort of signature identification process in order to flag the malware.

4. Network Scanning/Monitoring
The use of a network monitoring system should also be looked at as a way to always be on the lookout for the potential threats that are out there, including ransomware. Heuristic (behavioral) analysis is becoming a way that some new services alert a company's security staff to a compromise.
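To show what the heuristic (behavioral) alerting in item 4 looks like in practice, here is an added Python example, written for this page and not code from the original post or from any product. It reads file-activity events in a hypothetical comma-separated format and raises an alert when a single process modifies many files across several directories within a short window, most of them renamed to a new extension. That is the activity pattern of mass encryption rather than a signature of any particular malware. All event lines, host names and process names are constructed sample data.

```python
"""
Behavioral (heuristic) ransomware indicator over file-activity events.
Rather than matching a malware signature, it looks at activity as a whole:
one process touching many files across several directories in a short window,
and in particular renaming files to a new extension. The events below are
constructed sample data in a hypothetical 'timestamp,host,process,op,path'
format (RENAME carries 'source->destination'); they are not output of any
real product.
"""
from collections import defaultdict, deque
from datetime import datetime
import ntpath  # parses Windows-style paths correctly on any OS

SAMPLE_EVENTS = r"""
2018-04-19T03:32:55,WS-17,winword.exe,WRITE,C:\Users\bob\Documents\q1-report.docx
2018-04-19T03:32:57,WS-17,backupagent.exe,WRITE,D:\Backups\WS-17\file01.bak
2018-04-19T03:32:58,WS-17,backupagent.exe,WRITE,D:\Backups\WS-17\file02.bak
2018-04-19T03:32:59,WS-17,backupagent.exe,WRITE,D:\Backups\WS-17\file03.bak
2018-04-19T03:33:02,WS-17,invoice_viewer.exe,RENAME,C:\Users\bob\Documents\q1-report.docx->C:\Users\bob\Documents\q1-report.docx.locked
2018-04-19T03:33:02,WS-17,invoice_viewer.exe,RENAME,C:\Users\bob\Documents\budget.xlsx->C:\Users\bob\Documents\budget.xlsx.locked
2018-04-19T03:33:03,WS-17,invoice_viewer.exe,RENAME,C:\Users\bob\Documents\notes.txt->C:\Users\bob\Documents\notes.txt.locked
2018-04-19T03:33:04,WS-17,invoice_viewer.exe,RENAME,C:\Users\bob\Pictures\family.jpg->C:\Users\bob\Pictures\family.jpg.locked
2018-04-19T03:33:04,WS-17,invoice_viewer.exe,RENAME,C:\Users\bob\Pictures\trip.jpg->C:\Users\bob\Pictures\trip.jpg.locked
2018-04-19T03:33:05,WS-17,invoice_viewer.exe,RENAME,C:\Users\bob\Pictures\dog.png->C:\Users\bob\Pictures\dog.png.locked
2018-04-19T03:33:06,WS-17,invoice_viewer.exe,WRITE,C:\Users\bob\Pictures\README_TO_RESTORE.txt
2018-04-19T03:33:07,WS-17,invoice_viewer.exe,RENAME,S:\Finance\payroll.xlsx->S:\Finance\payroll.xlsx.locked
2018-04-19T03:33:07,WS-17,invoice_viewer.exe,RENAME,S:\Finance\ar-aging.xlsx->S:\Finance\ar-aging.xlsx.locked
2018-04-19T03:33:08,WS-17,invoice_viewer.exe,WRITE,S:\Finance\README_TO_RESTORE.txt
2018-04-19T03:33:09,WS-17,invoice_viewer.exe,RENAME,S:\Shared\contracts\msa.pdf->S:\Shared\contracts\msa.pdf.locked
2018-04-19T03:33:10,WS-17,invoice_viewer.exe,RENAME,S:\Shared\contracts\sow.pdf->S:\Shared\contracts\sow.pdf.locked
2018-04-19T03:33:12,WS-17,winword.exe,WRITE,C:\Users\bob\Documents\~$q1-report.docx
""".strip().splitlines()

WINDOW_SECONDS = 60     # look-back window per (host, process)
MIN_EVENTS = 10         # file modifications inside the window ...
MIN_DIRS = 3            # ... spread across at least this many directories ...
MIN_EXT_CHANGES = 5     # ... including this many renames that swap the extension


def parse_event(line):
    ts, host, proc, op, path = line.split(",", 4)
    if op == "RENAME" and "->" in path:
        src, dst = path.split("->", 1)
    else:
        src, dst = path, None
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc,
            "op": op, "src": src, "dst": dst}


def changes_extension(ev):
    """True for a rename whose destination carries a different extension."""
    return ev["dst"] is not None and ntpath.splitext(ev["src"])[1] != ntpath.splitext(ev["dst"])[1]


def detect(lines, window=WINDOW_SECONDS, min_events=MIN_EVENTS,
           min_dirs=MIN_DIRS, min_ext_changes=MIN_EXT_CHANGES):
    """Return {(host, process): alert} for each process whose recent activity
    looks like mass encryption. Only the first trip per process is recorded."""
    recent = defaultdict(deque)  # (host, process) -> events still inside the window
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev["op"] not in ("WRITE", "RENAME", "DELETE"):
            continue
        key = (ev["host"], ev["proc"])
        q = recent[key]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window:
            q.popleft()  # drop events older than the window
        if key in alerts:
            continue
        dirs = {ntpath.dirname(e["src"]) for e in q}
        ext_changes = sum(1 for e in q if changes_extension(e))
        if len(q) >= min_events and len(dirs) >= min_dirs and ext_changes >= min_ext_changes:
            alerts[key] = {
                "host": ev["host"], "process": ev["proc"],
                "first_seen": q[0]["ts"].isoformat(), "tripped_at": ev["ts"].isoformat(),
                "events": len(q), "directories": len(dirs), "ext_changes": ext_changes,
            }
    return alerts


if __name__ == "__main__":
    for (host, proc), a in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host} {proc}: {a['events']} file changes in {a['directories']} directories, "
              f"{a['ext_changes']} extension changes between {a['first_seen']} and {a['tripped_at']}")
```

The three thresholds are the whole tuning problem: the backup agent in the sample writes many files but stays in one directory and changes no extensions, so it never trips, while the encrypting process trips on its tenth event, before it has reached the file share. In a real deployment you would feed this from an endpoint agent or file-server audit log and keep an allowlist for known bulk-file tools.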
Monitoring should cover not just access or specific actions taking place, but also the activity as a whole.

5. Data Backups
This should be a no-brainer, but unfortunately it is not. Back up your data and have both your critical and non-critical information secured and available for when you need it. Ransomware should be treated as a disaster and should be included among your man-made disaster threats.

6. Testing the Backup Plan
Not only should an organization have a backup plan, but the plan should be tested as well to make sure that it works as intended. Validate the backups and the processes. This will help build confidence in your process and systems.

7. Vulnerability Monitoring
Review and conduct assessments of your organization's security posture and the processes that you have in place to deal with potential threats. Conduct scans against the network and look not just at the systems, but also at the software applications that are running on them.

Documenting a ransomware attack

You should document the specific steps that the organization takes when a ransomware attack has been detected and how it responds. All of the processes should be in very clear detail (this may be used in court or for further investigations, depending on the type of information that has been compromised). Ransomware can spread, and once an infection has been detected, the goal should be to contain it and limit the spread.

Summary

While ransomware is a huge threat to any organization, it is possible to deal with it and lessen the impact to your business. While there are many decisions to be made in how to deal with your data being held hostage, businesses have recovered and continue to thrive. Do not let the impact of a ransomware attack stop your organization. If you take some of the steps that I mentioned here in this blog, you might be able to keep your data safer than it is today.

Is it time to rethink user data security in the U.S.?
As we move closer to the enforcement of the General Data Protection Regulation (GDPR) standard on May 25, companies and organizations that do business in the European Union (E.U.) are required to implement its controls. Larger organizations are working feverishly to implement the standards and to work out how they will allow consumers to access their data. Implementing these controls can be a daunting task, but in the name of consumer protection, they are all doing it. Is it time for the adoption of these same regulations here in the U.S.?

Behind the Curve

When it comes to data security, everyone knows that the U.S. is behind the curve on adopting protections for consumers. While most of the world adopted the EMV (Europay, MasterCard, and Visa) standard for payment card processing, the U.S. lagged behind in its implementation and adoption. It has only been over the last year or so, with the included requirements for PCI (Payment Card Industry), that we have seen a steady increase in the number of providers.

Protections Built In

GDPR will provide a number of protections for users who provide their personal information to companies or organizations that do business in Europe. Here are some of the highlights:
Social Media GDPR
As was brought up numerous times during the hearings in Congress this week, GDPR is currently being looked at for adoption here in the U.S. as well. It has been one of the biggest failures that Facebook and their CEO, Mark Zuckerberg, have been allowed to regulate themselves. When asked about the need for regulation, he even agreed that it is needed. The only issue is who needs to adopt it: Congress or the industry? The consensus is that the industry has failed to do so, so it will be up to Congress to implement new regulations. Social media has been an industry that continues to collect and use customer data with very little, if any, accountability to the individuals who provide it. A GDPR-type regulation may change that paradigm and create an industry more responsive to the needs of its users. We all should have the rights that are afforded under GDPR; it is just sad that the E.U. is the one to show us that we needed them.

Regulations Needed

When consumers are given control of their data and there are protections put into place that protect that information, everyone wins. We all win in that our data is taken more seriously by the organizations that use it for their own benefit. This is also true for the businesses that have to enforce the controls. Businesses will have to get their houses in order and do the right thing when it comes to protecting our data. If an organization does not have a regulation making it do what is best for the consumer, maybe it is time for Congress to act and make it happen.

Summary

While regulations can cost an organization time and effort to enforce, they are needed in order to protect the personal data of their customers. Numerous businesses have gotten off the hook by not having to answer to the consumers whose data was compromised. Sure, their reputations may have been impacted, and they may have had to face some sort of fine, but they got out unscathed for the most part.
However, the consumer has had to fight to regain control of their information and to correct the misuse of that information by identity thieves. A regulation that gives the control and use of a consumer's information back into the hands of the consumer is a good thing. Moreover, Congress should look at ways to implement regulations similar to GDPR, while also making sure that they have the teeth needed for enforcement.

References

EUGDPR.org https://www.eugdpr.org/
PCI https://www.pcisecuritystandards.org/
Mr. Zuckerberg's image by Reuters. https://www.reuters.com/

Privacy Regulations for Social Media

If you have followed the news over the past couple of days, you may have seen something about the Facebook CEO Mark Zuckerberg answering questions from Congress. While the commentary went back and forth, some issues were brought up and discussed that deserve attention. Some of the issues were horrifying and should scare those of us who use Facebook and the apps that are associated with the platform.

Privacy for Sale

The scandal around Cambridge Analytica (@CamAnalytica) and the use of the personal data of some 187 Million Facebook users continues to brew and stir. The goal of this questioning from Congress has been to determine how Facebook makes money off your personal data and what they are doing to protect it. As it turns out, not much, and Mr. Zuckerberg has continually deferred the questioning and has been evasive, to say the least. What has come to light, though, is that the company continues to fail in protecting your personal data in order to make a buck from whatever company wants to send you advertisements.

User Controls

As Mr. Zuckerberg pointed out during the hearings, you have control over your data. However, you don't have control over who other than Facebook is going to get access to that data. While Facebook technically controls the data, that data is for sale to the highest bidder for their use. Mr. Zuckerberg hid behind his user agreement and the myriad of pages that it contains to explain the policy. (How many have actually read the agreement and understood all the legal jargon?) Some of the explanations that have been given make me shake my head and ask if they really are doing what they have said they would. Unfortunately, that has proved lackluster at best, as they have continued to fail in the implementation of the controls they said they would put in place. Users of Facebook have the control to either join the application or not, but joining gives the company permission to share your data as they see fit, and they are paid for doing it.

Self-regulation Not Working

While Facebook has been given an opportunity to self-regulate, the company has continued to fail at doing it. Mr. Zuckerberg hid behind his company's processes and policies, and the only times the company has taken action have been when a member of Congress has had to step in and call the staff at the company in order to get things done. This was pointed out numerous times during the hearings, by various Senators and Congressmen. The company has continually found itself in hot water over its practices and its continued violations of current regulations. No matter how you look at it, Facebook has let the public down. They were supposed to have the controls in place prior to the latest issue with Cambridge Analytica, and they never followed up to make sure that they had followed through with the specific requirements. This was a huge failure on Facebook's part.

Social Media Politics
One of the issues that was brought up in the hearings as well was the disregard for the views of conservatives and the disproportionate abuse that was waged against them during the election of 2016, and that continues today. While Mr. Zuckerberg acknowledged his company failed in this area, it was pointed out that the lack of diversity within the staff that he employs may be at fault. That is not the only reason; it was also the lack of political diversity. Facebook has been known as a bastion of liberal ideas and goals, as Mr. Zuckerberg was an avid supporter of President Obama and took an active role in helping to promote the election of Mrs. Clinton in the last presidential election, and he has continually voiced his opposition to the views and goals of President Trump and his administration. By the company's recent admission, they now classify all of their users based on their political leanings and the content that they post or follow. Whether you like it or not, your political ideas and leanings are up for sale as well. You are not able to delete this data, and you have no way to correct it or restrict access to it. This is an area that I believe the company will struggle with as they try to comply with the promises that they have now made to the American people and the world.

Social Media Regulations

From both of the hearings that have been held this week, you can see the writing on the wall, so to speak. Regulations are going to be coming to the tech industry and to those social media platforms that collect and use your personal data in order to monetize their services. This is not just a Facebook issue; this is also a Twitter, LinkedIn, and Instagram issue. All of these various platforms store or use your data in a way that makes the company money off your information.

Regulations Needed

Social media continues to be an area that needs to be addressed with regard to its use and monetizing of its users' data.
It is important that all companies take note here: if you use, store, or sell access to your users' information, you need to put in place controls and means to manage that data. Even if the company stores data and gets users' permission to do so, the user still retains ownership of it and should have control over how that data is used. This is where Facebook continues to fall short. It is difficult to control and delete this information for a user. They may retain some of that data even after you delete it (images on backup systems), and they may continue to sell access to this data to advertisers, not to mention the use of metadata that is retained by other applications as well.

Solutions Needed

Facebook has 1/3rd of the planet's population as members of its services, and they continue to grow. Some of the solutions that might help would be the following:
Summary

While nobody really likes regulations, since they have the ability to stifle creativity and add onerous controls that companies will have to comply with, the fact is that we need protections put into place to protect our personal data. The companies that have this information have continued to prove that they are either unwilling or unable to take the steps they need to protect it. It will take a regulatory law being passed to finally make companies do the right thing.

How will you respond?

When it comes to IT Security, there is nothing that strikes fear into the hearts and minds of young analysts like having to respond to a possible security breach. What do you do? Who needs to know about this? How is this going to affect our company? These are just some of the things that go through your mind when you get that call at 3:33 am. How are you going to handle this?

Planning

This is one of the most stressful issues to address as an organization, and it should be thought out thoroughly. This is when experience and knowledge come in handy. Knowing what to expect and having an idea about how to handle things ahead of time will go a long way in how you address an incident. Planning the response to an incident should be done when the management team is not under stress, since clear and concise decisions need to be made. The planning process should address the most realistic types of events, or the ones that the company believes will pose the largest risk to the business. We can all think of the worst-case scenarios and the once-in-a-lifetime types of events, but realistically those events are less likely to happen. Planning for exfiltration of data by an employee sending files attached to their personal private email account may be more realistic.

Notification

Being notified is the first step in the planning process, and it should be the focus of your planning procedures.
While notifications take many forms, how you get the information, and when, can be crucial to your response plan. Here are some ways to be notified:
Communication of Breach
How you communicate the breach is almost as important as being able to detect it in the first place. This is a touchy subject for many organizations, since they may not know how much to communicate and what information is important to share. While companies and organizations will want to keep things quiet, the key here is to reassure the public and your customers that you are doing all you can to correct whatever vulnerability was compromised, or to take some other action that will get your organization back up and running. People want to trust that you are doing the right thing. Trying to avoid notifying the public, or being evasive, will only harm your business reputation, which is not what you need right now.

Need to Know

Who in your organization, or among your customers and stakeholders, will need to know that you have had a security incident? This is a critical step and should be clearly defined in your Incident Management Plan or response. Employees should hear about a security incident from their company leadership, not the local news channel. When employees or customers know that management is handling a situation, it instills a sense of confidence about the recovery efforts.

Documentation

Documenting a breach is an area that can be overlooked and is a subject that many IT Security Professionals have difficulty with. (This is because if you have not gone through a breach of some sort, how do you know what you will need to have documented?) This is where consulting an expert in the field, or an organization that specializes in the recovery of a business after a security breach, will be beneficial. If the breach was criminal in nature, you will have to provide evidence that can be used in a court of law. This will require very specific handling of the information or assets (chain of custody), and may complicate the overall recovery efforts. Understanding how to navigate this critical area will go a long way in helping to prepare a case against the attackers.
Some of the documentation or resources that you might need to provide are:
At this point in the process, you should be well underway in the recovery efforts for your organization. The recovery efforts should address all of the areas that were identified in the documentation process. In addition, the management team should have all of the information they will need to make the decisions for the business. Recovery efforts may take many forms depending on the type of impact the incident may have. This may include:
Testing Incident Response

One of the most important areas of incident response is making sure that your plan will even work. The Incident Response Plan should be tested on a regular basis as part of your overall yearly operational readiness. You are only as effective as your last test. When you test your plan, you will find areas that may need more focus than you initially thought. You will find that changes may need to be made to address a potential threat area or reduce risks to your business. Taking action on these areas after a test may help reduce the potential costs of a breach that you may have to pay in the future.

Summary

When it comes to security incidents and the management of them, it comes down to developing a plan, testing it regularly, and reducing potential threats. It is important to understand what you need to protect and what steps you can take to reduce your risks. The key here is to make your organization less of a potential target. If someone wants into your network and access to your information, they will find a way to get in. It may be a matter of time before they do, but a determined attacker will find your weaknesses. The question you have to ask is: have I done everything to reduce that potential threat? IT Security is as much about the technology as it is about communicating risks to those in management and helping them to make the right decisions.

Reducing PCI Liabilities

Securing Credit Card Transactions

Restaurant chains and many retail organizations continue to be the targets of attackers who are trying to exfiltrate customer data out of the organization's network. While there are many ways that an attacker can accomplish this, the one that seems to be the most effective has been to compromise the physical hardware or software that collects the customer information.
While the process for compromising a POS system is fairly easy for some, there are a few things that need to be in place for this to be effective, and for the attackers to get away with it. This uptick in breaches and attacks is one of the reasons that we have seen updated security regulations coming out of the banking institutions for the Payment Card Industry (PCI) (www.pcisecuritystandards.org), with an upgrade of their requirements to version 3.2.

Payment Security

PCI has established guidelines that all businesses that accept payment cards must follow with regard to establishing and maintaining the ability to process those payments. Making sure that the transaction is secure and that the consumer data is not compromised is the name of the game here. Fail in this area and your name will be in the papers for the entire world to see (or, these days, on the web). We have seen spectacular failures such as Target (www.target.com), Applebee's (www.applebees.com), and Forever21 (www.forever21.com). While some of these breaches can be directly related to vulnerabilities in the hardware itself, others have been due to a compromise of the software that is used, or an infection by malware. Addressing these vulnerabilities is of the utmost importance for an organization and should be the focus of any solution provider. If these processes fail, it is the customer and the merchant that pay the price.

Security In-depth

When it comes to payment processing, having security in depth is needed. What do I mean by that for a POS system? I mean that the hardware and software work together to make sure the payments are transmitted to the banking institution in an encrypted format that protects the customer's data. Developing software that uses the hardware is similar to what Apple (www.apple.com) has done with their production of the iMac or MacBook.
Creating proprietary software that supports the security controls already available on the hardware can go a long way in securing the device from being tampered with (which is one of the areas that an attacker will try to compromise on a system). Hardware design also helps.

One Stop Vendor

The key thing a merchant can do to help reduce their risk and liability is to look at various solutions that meet their needs. As a work-around, restaurant operators may opt to work with one company to meet all their needs. "When it comes to choosing a vendor, if we could get something through our POS provider we will do it because we know it will integrate well rather than having to find a loophole," says Michael Jackson, director of logistics at Kerbey Lane Café (www.kerbeylanecafe.com) in Austin, Texas. Jackson uses NCR's (www.ncr.com) Aloha POS (www.alohancr.com) system, kitchen system, mobile POS, loyalty solution and more. This approach, however, can lead a restaurant to prioritize the benefits of a one-stop provider over hand-picking "best-of-breed" suppliers; that is, those with deep expertise in one area, such as loyalty or social commerce. (Mastroberte, 2014)

The business must weigh the cost-benefit of choosing a provider that they can rely on for all of their services against cobbling together bits and pieces from different providers. While some larger restaurant chains are able to develop their own solutions, others are relying on dedicated organizations that specialize in creating and developing a fully integrated solution (utilizing dedicated hardware and software).

Reducing Risk & Liability

Utilizing one solution provider for all of the services that a merchant might need (credit card processing and loyalty card payments) lowers the possibility that the solution components will not work well together.
A solution provider who integrates both the software and the hardware (whether they produce them or not) has worked to develop the software to work effectively with the hardware used in their solution, so that it functions in a manner that protects the data being transmitted. When a merchant utilizes a certified solution provider as their payment processor, the provider takes on the liability, with reduced merchant costs. With the market moving towards integrators and away from those that specialize in one or two components of the overall solution, the result will be a more secure POS system with fewer vulnerabilities than in the past. (Don't get me wrong: if somebody wants to get into your devices, they will find a way in.) The new integrators are making that task more difficult. This is a step in the right direction in reducing the merchant's risk and liability while also providing more secure solutions to choose from.

Summary

While the POS solution provider market continues to grow and more companies get into the game of providing solutions to their customers, the need for solution integrators is growing and will be pushed along by merchants and customers demanding that their data be more secure. While there continue to be various devices on the market that meet these needs, not many have the security in depth that I mentioned above. Merchants can choose to go it alone and accept the full liability and risk, or they can choose an integrator that provides a whole solution. The latter is the way to help secure the customer's payment card data and reduce overall PCI liability.

References

Mastroberte, T. (2014, August 6). POS Integration Becoming a "Must-Have". Retrieved from hospitalitytech.com: https://hospitalitytech.com/pos-integration-becoming-must-have

Additional Links

Forever21 https://www.forever21.com/protecting_our_customers/default.aspx
Target https://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-breach/
Applebee's https://www.scmagazine.com/applebees-hit-with-pos-breach/article/749139/
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.