THE IT SECURITY PROFESSIONAL | Barlowtek
The IT Security Pro
Helping Organizations Understand IT Security & Best Practices
Choosing the Right Partner Services

When it comes to IT security, finding the right vendor to help protect your organization can be a daunting task, to say the least. As we come to the end of the year, many of us are looking for vendor “partners” to help. With the increased focus on security, organizations are finally seeing that they need to spend some money on the services that protect the business and, most of all, their customers.

Support Outline

One of the worst things you can do is go shopping for a vendor without a clearly defined need or service in mind. That leads to looking in all the wrong places and then spending your precious budget on services that don’t quite get the job done. It is a mistake many IT Security Managers make. To get the biggest bang for your buck, write down what you are looking for before you start. Here are a few questions you should ask when looking at a potential vendor:
Vendor Risk Assessment

It is important to identify not only what problem the vendor or Managed Service Provider (MSP) will solve for your organization, but also what risk they may pose to your business. Risk comes in many forms, and this is especially true once you start giving access to your network to companies you do not control. Any such access should be spelled out in the contractual agreement, including what the vendor may reach and how that access is reviewed. Here are some questions that can help with evaluating the risk of the vendor:
These basic questions can help you determine what risk a potential vendor poses to your enterprise network. If the vendor poses more risk than the organization can accept, then look at another company. The goal in picking a vendor is to reduce your company’s overall risk exposure, not to increase it. (Thanks to my fellow colleague for suggesting the addition of this section.)

Selling, Selling, Selling

As we get to the end of the year, vendor sales staff will be pushing to make the sale and may offer discounts if you sign early. While that may tempt you to sign early, due diligence on how the product or service fits your needs should come before any contract is signed. Conduct a Proof of Concept (POC) test before implementing a solution. If the urgency of the need makes a POC impossible, make sure the solution you choose checks every box on your requirements list. The sales team wants the sale to help their year-end numbers, but you will have to live with the solution for however long the contract runs. It can be a positive experience or a living hell. It is up to you, and remember that they will be working with you to meet your requirements. There is no reason to settle for a sub-standard vendor that will not be a good partner for your business.

Making the Sale

After you have looked at several vendors for the service you are looking to fill, it comes time to actually sign the contract. If you have a board or a group of executives to go through to get funding for your projects, there may be a timing issue. The best thing you can do is be honest with the sales team and let them know ahead of time. Honesty goes a long way toward building a partnership with your vendor teams. If they know you are not just stringing them along, they will do their best for you as well.

Summary

Choosing a vendor or an MSP can be one of the most difficult things we do as IT Security Professionals. Whether we are making recommendations to senior management or are the decision makers ourselves, the task can take up a majority of our time for at least a few weeks, or even months.

It is important to keep in mind that the work we put into this process will be rewarded with a relationship and partnership with a company we can rely on to do what we need. Whether you are looking for a particular type of service or a variety of solutions, the time you take in choosing the right vendor will go a long way toward securing your organization.
Preventing an Attack

Point-of-Sale (POS) solutions are being used in ever-increasing numbers, and even more so during the holiday season as more companies see the benefit of these devices. Mobile POS solutions are making their way into industry segments such as retail and hospitality. This is especially true of the hospitality industry, where more organizations are embracing mobile devices through which customers run their credit card transactions. Here are a few of the steps that can be taken to secure your POS systems from a potential attack:
Development of secured firmware should be the focus of POS solution providers. Designing processes and systems that check the firmware for any deviation from what was previously installed or downloaded is one way businesses can secure the application that actually runs on the mobile device. Hardware checks should also prevent changes to the interaction between the hardware and the firmware installed on it, for example by verifying the firmware before it is allowed to run. This prevents manipulation of the software and of its configured parameters. These are areas to discuss with any POS solution provider, and they should be an integral part of your security posture. The software deployed on the hardware should also support these capabilities and reinforce the overall security processes in use. Hardware and firmware should work together to secure the POS device from compromise, whether of the hardware itself or through alteration of the firmware. This layered approach provides a robust response to potential threats.

EMV No Longer Cuts It

The slow rate of adoption of the EMV smart card payment standard (a.k.a. chip and PIN) in the U.S. is one of the primary drivers for the repeated attacks on U.S. retailers. EMV requires a significant investment to implement, and it does nothing for card-not-present transactions such as online or mobile purchases. As a result, chip and PIN alone will not be enough to protect retailers or merchants in the future. Businesses should focus on technologies and processes (such as end-to-end encryption and two-factor authentication) that enable secure payment methods and protect consumers from evolving threats now and in the future. Additional control technologies and systems will need to be adopted on a larger scale to protect consumers who use POS solutions.
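The firmware deviation check described at the start of this section, as an added example (this is not code from the original post or from any POS vendor): the vendor publishes a small manifest recording the firmware version and SHA-256, the device recomputes the hash of the image it is about to run and refuses anything that deviates, that has a forged manifest, or that rolls the version backwards. The device key, the manifest layout, the images and the version numbers are all constructed for this example; the HMAC stands in for the asymmetric signature a real device would verify with a vendor public key held in protected storage.

```python
import hashlib
import hmac
import json

# Constructed device key for this example. A production design would provision an
# asymmetric vendor public key into protected storage and verify a signature; the
# HMAC here stands in for that signature so the example runs with the standard library.
DEVICE_KEY = b"example-pos-device-key-not-for-production"


def _canonical(body):
    # Fixed key order and no whitespace so vendor and device MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(version, image, key=DEVICE_KEY):
    """Vendor side: record the firmware version and SHA-256, then MAC the manifest body."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_firmware(manifest, image, installed_version, key=DEVICE_KEY):
    """Device side: accept the image only if the manifest is authentic, the image
    matches it, and the version does not go backwards. Returns (ok, reason)."""
    body = manifest.get("body", {})
    expected_mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, str(manifest.get("mac", ""))):
        return False, "manifest MAC mismatch: manifest altered or wrong key"
    if not hmac.compare_digest(str(body.get("sha256", "")), hashlib.sha256(image).hexdigest()):
        return False, "image hash deviates from manifest: image altered"
    if not isinstance(body.get("version"), int) or body["version"] < installed_version:
        return False, "version rollback rejected"
    return True, "ok"


def run_checks():
    """Exercise the check with constructed images: genuine, altered, forged manifest, rollback."""
    image_v2 = b"POS firmware v2 (constructed sample image)"
    altered_v2 = image_v2 + b"\x90"          # one extra byte, e.g. a patched-in skimmer
    manifest_v2 = build_manifest(2, image_v2)
    forged = {"body": {"version": 2, "sha256": hashlib.sha256(altered_v2).hexdigest()},
              "mac": manifest_v2["mac"]}    # attacker edits the hash but cannot recompute the MAC
    image_v1 = b"POS firmware v1 (constructed sample image)"
    return {
        "genuine": verify_firmware(manifest_v2, image_v2, installed_version=2),
        "tampered_image": verify_firmware(manifest_v2, altered_v2, installed_version=2),
        "forged_manifest": verify_firmware(forged, altered_v2, installed_version=2),
        "rollback": verify_firmware(build_manifest(1, image_v1), image_v1, installed_version=2),
    }


if __name__ == "__main__":
    for case, (ok, reason) in run_checks().items():
        print(f"{case:16} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The order of the checks matters: the manifest is authenticated before any of its fields are trusted, so an attacker who can rewrite the stored hash still cannot get an altered image accepted, and the version comparison is what stops a genuine but older (and vulnerable) image from being reinstalled.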
Multi-factor Authentication (MFA) has proven to be a viable addition to the controls currently in place. Adding steps before a payment is processed allows further verification of the user. The combination of biometrics and MFA has shown great promise, but providers are slow to adopt it because of the cost of the process and the hardware needed to support it.

Mobile Solution Adoption

While mobile solutions promise to solve most of the security issues outlined in this post, actual adoption and use of those technologies has not panned out as expected. Retailers and merchants that accept Apple Pay or Samsung Pay have generally either adopted a specialized service or support only the method built into the hardware they chose as their POS solution. A large number of solution providers use the Near-Field Communication (NFC) capability of the customer’s mobile device to exchange the payment data, but not all mobile devices support this feature, which leaves the contactless adoption rate lacking. To get more merchants to adopt this technology, it has to provide more security than solutions that require only the EMV chip.

Summary

With the growing number of breaches that happen through the compromise of a POS solution, it is imperative that solution providers take the necessary steps to protect the end consumer. Customers are demanding more security from the organizations that process their credit card payments. Whether it is security on the back end of the process or in the interaction with the device itself, the card payments industry has to do more to protect sensitive data. Regulatory requirements are being implemented and mandated by government agencies at an ever-increasing rate, and these laws drive the adoption of controls. Nevertheless, slow adoption by the end consumer has left a hole in protections that attackers are taking advantage of to breach accounts. Businesses will either demand stronger controls from their POS solution providers or face additional penalties for not implementing the controls, along with greater legal liability. The solution is simple: demand more security and implement it across the board with all POS solutions. That is easier said than done.
Remediating Risk

Breaches can happen anywhere within a company. Unfortunately, one of the most common ways for a breach to happen is a network infrastructure configuration failure. These failures take many forms, but the majority happen because the organization failed to follow its own established standards and industry best practices. They could have been addressed from the start and would never have happened, but sadly that is not the case. Attackers will take advantage of any opening they can get, and one of the easiest openings to close is a failure to follow already established guidelines or best practices. When an organization fails to do even this, the threats that follow are real, and the biggest is a breach of the network and the loss of data.

Network Assets

Asset Management is one of the key pillars of IT Security and should be one of the top issues addressed by any organization. Unfortunately, most companies do not have a program that tracks assets through their life within the business. From the time an asset is delivered to the time the organization decides to get rid of it, it should be tracked. Asset control procedures are how the IT Department determines which assets are allowed access to the corporate network. Not having an accurate asset list can lead to rogue devices on the network (this includes BYOD too). Rogue devices, or devices not directly managed by the IT Security Team, can be an open gate for potential threats or attackers.

Remediation

The solution is an automated process that tracks each asset from the time it is brought onto the enterprise network to the end of its life. Any device that does not match the list of “approved assets” should be removed from the network. This permits only assets that are known and managed by the IT Department to access the company’s resources, limiting the potential exposure from rogue devices on the corporate network.

Patch Management
Patch Management is one area that cannot be over-emphasized as a requirement for preventing breaches and mitigating potential threats. Applying security and software update patches should be at the top of the list of items an IT Security Department oversees on a monthly basis. Patches should be tested, but testing must not become the reason they are never deployed; they should reach the systems on the network in a timely manner. When a vulnerability becomes known, the manufacturer will try to send out an update as soon as possible. That may take time, and the manufacturer may have to make a public statement about the vulnerability as part of the notification process. Potential attackers get the same information and will act on it once it is public, which leaves a very small window in which to install the update. Failure to follow through leaves the company vulnerable.

Remediation

Install patches in a timely manner, or as quickly as possible. Have an established rating system that rates patches and updates so they are deployed based on the potential impact a missing patch could have on your business. A quick turnaround on patch deployment will address many potential vulnerabilities as they surface; unpatched, publicly known vulnerabilities are among the biggest reasons businesses of all sizes are successfully attacked.

Process Control

One of the largest areas any IT Security Team deals with in a given year is policy and process documentation. Developing thorough processes and policies takes time and effort. These documents take best practices into consideration and may add suggested controls that address specific vulnerabilities. Failure to follow them can lead to a compromise of the network. The following areas can be of concern if the documentation or processes are not followed according to best practices:
Remediation

The best way to remediate this threat is to make sure the teams directly managing the assets actually use the documentation. Whether it is a firewall configuration guideline or an Incident Reporting Policy, each of these documents helps secure the enterprise against a breach, but only if it is followed. All documentation should be followed and implemented in accordance with the established guidelines; it was written to address a specific need or requirement, and most of all to address threats to the enterprise.

Summary

There are many areas to look at when protecting a company against a possible breach, and failures to follow your own standards should not be one of the largest contributors. Nevertheless, humans are the weakest link in protecting our networks. We need to take steps to mitigate the threats attackers could use to breach our networks. Following the documentation and best practices that have been created goes a long way toward reducing the overall risk these areas pose, but it takes vigilance on the part of IT Security Pros and the rest of the IT Team to make sure things are configured and set up correctly.
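The asset reconciliation described under Network Assets and the patch rating system under Patch Management, as one added example (not the post's own code): a DHCP lease listing is compared against the approved-asset inventory to flag unknown devices, retired devices that reappear, and approved MACs showing up under an unexpected hostname, and the same inventory drives a patch deadline check in which every missing patch gets a due date from its public release date and severity, with a shorter window for internet-facing assets. The inventory, the dnsmasq-style lease lines, the patch identifiers and the SLA table are all constructed assumptions for the example.

```python
import re
from datetime import date, timedelta

# Constructed approved-asset inventory keyed by MAC. "status" follows the asset from
# delivery to disposal, "exposed" marks internet-facing systems and "applied" lists
# the vendor patches already installed. All values are made up for this example.
APPROVED_ASSETS = {
    "00:1a:2b:3c:4d:01": {"hostname": "fin-ws-01", "status": "active", "exposed": False,
                          "applied": {"PATCH-2301", "PATCH-2212"}},
    "00:1a:2b:3c:4d:02": {"hostname": "hr-ws-07", "status": "active", "exposed": False,
                          "applied": {"PATCH-2211"}},
    "00:1a:2b:3c:4d:03": {"hostname": "old-print-02", "status": "decommissioned", "exposed": False,
                          "applied": set()},
    "00:1a:2b:3c:4d:04": {"hostname": "web-dmz-01", "status": "active", "exposed": True,
                          "applied": {"PATCH-2212"}},
}

# Constructed DHCP lease lines in dnsmasq format: expiry-epoch mac ip hostname client-id.
SAMPLE_LEASES = """\
1672617600 00:1A:2B:3C:4D:01 10.10.1.21 fin-ws-01 *
1672617660 00:1a:2b:3c:4d:03 10.10.1.58 old-print-02 *
1672617720 a4:83:e7:11:22:33 10.10.1.99 Galaxy-S21 *
1672617780 00:1a:2b:3c:4d:02 10.10.1.22 kali *
"""

# Constructed vendor advisories and an assumed internal SLA (days from public release).
PATCHES = [
    {"id": "PATCH-2301", "severity": "critical", "released": "2023-01-03"},
    {"id": "PATCH-2212", "severity": "high", "released": "2022-12-12"},
    {"id": "PATCH-2211", "severity": "low", "released": "2022-11-20"},
]
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

LEASE_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_leases(text):
    """Return one dict per well-formed lease line, MAC normalised to lower case."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            leases.append({"mac": m.group(2).lower(), "ip": m.group(3), "hostname": m.group(4)})
    return leases


def reconcile(leases, inventory):
    """Compare what is on the wire with the approved-asset list."""
    findings = {"rogue": [], "decommissioned_online": [], "mismatched_hostname": [], "unseen_active": []}
    seen = set()
    for lease in leases:
        seen.add(lease["mac"])
        rec = inventory.get(lease["mac"])
        if rec is None:
            findings["rogue"].append(lease)                   # unknown device: BYOD or attacker
        elif rec["status"] != "active":
            findings["decommissioned_online"].append(lease)  # retired asset back on the network
        elif rec["hostname"] != lease["hostname"]:
            findings["mismatched_hostname"].append(lease)    # approved MAC, unexpected host: possible spoofing
    for mac, rec in inventory.items():
        if rec["status"] == "active" and mac not in seen:
            findings["unseen_active"].append(mac)            # inventory says active, network says absent
    return findings


def quarantine_macs(findings):
    """MACs to remove from the network until they are reconciled with the inventory."""
    keys = ("rogue", "decommissioned_online", "mismatched_hostname")
    return sorted({lease["mac"] for key in keys for lease in findings[key]})


def patch_deadline(patch, exposed):
    """Deadline = public release date + SLA; internet-facing assets get half the window."""
    days = SLA_DAYS[patch["severity"]]
    if exposed:
        days = max(1, days // 2)
    return date.fromisoformat(patch["released"]) + timedelta(days=days)


def overdue_patches(inventory, patches, today):
    """(hostname, patch id, days overdue) for each active asset missing a patch past its deadline."""
    overdue = []
    for rec in inventory.values():
        if rec["status"] != "active":
            continue
        for patch in patches:
            if patch["id"] in rec["applied"]:
                continue
            deadline = patch_deadline(patch, rec["exposed"])
            if today > deadline:
                overdue.append((rec["hostname"], patch["id"], (today - deadline).days))
    return sorted(overdue)


def sample_audit(today_iso="2023-01-20"):
    """Run both checks over the constructed data above; today_iso is the audit date."""
    findings = reconcile(parse_leases(SAMPLE_LEASES), APPROVED_ASSETS)
    overdue = overdue_patches(APPROVED_ASSETS, PATCHES, date.fromisoformat(today_iso))
    return findings, quarantine_macs(findings), overdue


if __name__ == "__main__":
    findings, quarantine, overdue = sample_audit()
    print("quarantine:", quarantine)
    print("active assets not seen on the network:", findings["unseen_active"])
    for host, pid, days in overdue:
        print(f"{host}: {pid} is {days} days past its deadline")
```

The "unseen active" list is deliberately reported rather than acted on: an asset the inventory calls active but the network never sees is an inventory error or a device that has left the building, and either way it is a record to fix, not a port to disable. A MAC match alone is weak evidence, which is why the hostname mismatch is treated as a finding rather than a pass.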
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.

Archives: January 2023