THE IT SECURITY PROFESSIONAL
Barlowtek
The IT Security Pro
Helping Organizations Understand IT Security & Best Practices
In recent weeks we have seen a drastic increase in the number of companies and individuals working from home because of the outbreak of COVID-19, the Coronavirus, and the impact it has had on the global workforce. It is not just the technical industries that are finding that they need to support this suggested defense strategy for dealing with the outbreak. Being secure while working from home seems like a no-brainer, but a corporate environment has more resources and security measures than are available, or can be implemented, at home.
Network Connections
One of the biggest issues that employees face is how they connect to the network in the office. Whether this is a direct connection or over a Virtual Private Network (VPN), all of your employees will need to know what they must do in order to comply with your company’s policies. These policies will be difficult to maintain in a remote working environment, but this can be managed by communicating the specific requirements to the employees.
Security Guidelines
Some basic guidelines on how to enable the workforce to work remotely are needed. The following recommendations and industry best practices should be followed:
Changing Work Model
While the impact of COVID-19 may be unknown for years to come, it is important to see what it is doing to the modern work environment now and how drastically that environment has changed in just the last four months. Working remotely has gone from an “added benefit” before the outbreak to a “must have” now, and that has helped drive the change in what work looks like in the 21st Century. As the pandemic drags on and we see surges in infections and additional areas being infected, where people work has changed. Having to go into the office in 2020 means that you are potentially putting yourself and your family at risk of infection. Companies are also looking at what model they will go with in the future and making plans for the changing work environment that has been foisted upon them by the pandemic and by the response that governments around the world have taken in order to combat its spread.
Securing the Remote Office
A growing number of technical workers are creating or employing their own office environment in their homes. Whether this is because they have to in order to work or because they have chosen to do so, the remote office has become the norm in the time of the pandemic. Providing a secure and protected work environment may seem to be a challenge, but it can be done. Start by doing the following:
Summary
While there may seem to be little that can be done with an employee who doesn’t come into the office to work, there is a lot that can still be done to secure their work environment at home. Also, extending the secure work perimeter needs to happen, and supporting the end user remotely should be encouraged as much as possible. These small changes can help to facilitate a more secure work environment and provide good “security hygiene” for when and if employees ever return to the corporate office environment.
With the continuing evolution of Smart Meters and the need for ever more data, companies are finding that they need to protect information that didn’t need to be protected before. Whether the utility provider is using data analytics to provide energy insights to its customers or using the information in new ways in order to provide value to a potential client, it falls to IT Security to come up with ways to protect that data. Big data, smart meters, and other networked sensors provide a vast amount of data, and the use of the cloud and “Big Data Analytics” can provide insight into the end consumer’s behavior and how they use their utility services. It is in this combination of sources, and the ability to correlate the data in a meaningful manner, that cyber criminals are finding weaknesses in how the data is protected. It is up to the utility or the support services provider to protect that data.
Protecting the Undefined
Much of the collection and correlation of this data is being done by organizations that may not have been responsible for this type of data in the past. For a large number of utilities and service providers, this is new territory that they are banking on to provide their customers with information that will help to benefit their business. Part of the challenge is identifying what is considered Personally Identifiable Information (PII) and what steps should be taken to protect that data. Defining the extent to which those protections should be implemented will help businesses allocate the resources that will be needed to protect that information. Since this has not been an area of focus for any specific regulatory requirement, the implementation of current IT Security industry best practices has helped to fill this gap.
PII Defined
The following definitions and information are what is “normally” thought of as PII.
But due to the nature and type of the data that is collected from utility customers, this data provides only a small part of the overall picture of the end consumer.
Typical Datasets
Some typical datasets that are collected or used as part of the analysis process may be any of the following:
While these are not typically used as PII, they can be used in conjunction with other publicly available data to provide targeted and detailed information about the end consumer that would not be available otherwise. This information does not identify one particular individual, but a whole category of individuals. But if an attacker knew a small piece of information about a particular target, they would be able to collect additional information in order to create the “bigger picture” of who they are going to target.
Example??
Business Benefit v. Data Protection
When utilities collect data on end consumers, it is used to help the utility provide better services to the customer or to help with the overall effectiveness of the grid network and energy resource delivery. What these information providers are finding is that it is becoming ever more important to protect the data that they have collected and are analyzing. While the end consumer is driving this demand, utilities and support service providers are finding that they have to comply with this requirement as well.
Securing the Data
When a utility obtains data points on consumers, they are usually stored in large data repositories where the data can be readily accessed. This data pool is used for analysis and can be accessed by a number of entities. This is especially true if the company employs a third-party service provider that will use the data to provide detailed information for use by the utility. This data repository is also where security controls can be implemented to help protect the information and its integrity within the data sets that are used for analysis. Encrypting the data at rest and in transit, and using only secure and proven methods of transmission and storage, is one of the ways in which this data can be secured. Preventing or restricting access to this data can also help prevent the loss or leakage of this sensitive data.
Also, there is a growing use of the various cloud services to provide the processing and storage capacity that is needed for these large data pools of information. Adhering to an established IT Security standard may provide some guidance on how to handle this information.
Compliance & Regulation
In North America there are two main compliance certifications that are becoming important for utilities and support services providers to follow, or at least to adhere to. These are:
While these compliance standards don’t directly set specific requirements for the use and storage of the type of data that is collected by utility service providers, they do provide industry best practices for how to store and transmit sensitive data.
Protecting the Consumer
Utilities and support service providers have an obligation to protect the data that is collected and used or stored by the organization. Whether the data is stored in the cloud or used by a third party for analysis, it is important for the company to take the needed steps to make sure that the information does not fall into the wrong hands. Utilities and support service providers can do the following:
Summary
While companies have the ability to transform data that they get from diverse sensors, meters, and network nodes into actionable data, businesses that use this information have an obligation to keep the data safe and secure. Data that seems to be just noise in the background can be used in conjunction with other information to provide a more inclusive picture of a customer, or a potential cyber victim. The amount of electrical usage and the times at which that usage is recorded can all be put together in order to form a more complete profile of a potential target. While knowing this information may provide the business an advantage against a competitor, it can also pose a risk if that information is not protected.
Special Mentions
A special thanks to Robert Smith, who can be reached at his website TheDataScienceGuy, for helping to review and critique this article.
When it comes to how we live our lives in the Twenty-first Century, nothing may have an impact on our daily lives like the ability to have access to electricity to run our homes and our businesses. Access to reliable and consistent power is especially important to those of us who depend on it for powering machinery that helps us live more productive lives. If we lost this ability, there would be numerous deaths due to some interruption of these services.
Technical Upgrades
With recent technical developments in the management of this vital resource, software applications and hardware have been developed in order to provide better management of these services to the end consumer, whether it is the integration of renewable energy into the grid or rerouting resources during an outage. While technology continues to help improve our lives, it comes with some inherent risks as well.
Hardware Vulnerabilities
Recently, there has been a movement to replace old monitoring devices with “Smart Meters” in order to better manage the power supply to a residence or a business.
Whether it is the amount of power that is used or some interruption in that service, these smart meters can provide the energy company with real-time information about their distribution network. This means that these devices are not just connected to a business or a residence, but also to a computer network. It’s this network that collects the data and provides connectivity to the service provider. It is also where security vulnerabilities lie. The meters have firmware that is installed by the manufacturer and that interfaces with the service provider’s network. This firmware provides the functionality of the device and enables software to interface with it so that the end consumer can manage their usage over time.
Grid Threats
It is with this growing connection to the Internet that the energy grid is becoming more vulnerable to potential hackers. Whether by disrupting service or causing some mass outage, attackers can impact consumers in a way like never before. Additionally, the data that is collected by those smart meters allows hackers to infer certain things about the connected household, like:
Lives Impacted
Having a continuous supply of energy is essential to life in the Twenty-first Century, and more and more people are dependent on its continued delivery, whether it is to supply electricity to an oxygen purification machine or to monitor a patient’s heartbeat. All of these can be seriously impacted if the grid is compromised or shut down, even for a short amount of time.
Securing the Data
One of the things that electricity providers can do is to secure the data that they collect from the smart meters. As these meters can provide deep insight into the delivery of resources to the end consumer, they can also collect data that may not have been intended. Here are some ideas about how to secure this data:
Promise of the Future
While there are some very serious concerns that should be addressed by those that collect user data from smart electrical meters, there is the promise that the analysis of this data will help to provide insight into how energy is being used and when more resources need to come online. Additionally, rerouting of the grid to provide services during an outage may be one of the biggest benefits that this technology provides. Also, the ability to integrate green-energy initiatives into the grid will help to provide redundancies where there were none before.
Summary
The use of smart technology is an ever-growing field within the electrical delivery industry. Whether it is used to monitor usage or how the electricity is delivered, the smart meters are collecting data that can be used maliciously if it is compromised. It is up to the electricity service provider to protect this data and help to ensure that the customer’s unique usage data is not compromised. By taking some of the steps mentioned above, a service provider will be able to help ensure that their consumers’ data will not be compromised.
Update 7/13/2020
Read the recent update to this article published by Nexant.
As I write this article today, I’m sitting in my home office coughing and having some difficulty breathing. Being right in the middle of a potential pandemic hot-zone of Washington State can help bring things into focus when it comes to planning for the worst-case scenario of an incident impacting your business. Taking the right course of action in a timely manner can help to protect the business, but most importantly, the community at large as well.
Epidemic Tracking
Right now, we are concerned with COVID-19 (Coronavirus) and the potential impact it may have on the population, since it was an unknown virus to the human population just a few months ago.
When the emergence of this virus started, I started to keep track of the numbers that we were seeing and how it was spreading. As part of my IT Security role, I have a responsibility for Business Continuity Management within the company. Therefore, I keep an eye out on these sorts of things, as they have a potential to turn quickly if we are not looking. I believe that this is what happened here, and I believe that China for the most part has not provided accurate information to the world at large. No matter what the epidemic is, planning to take action as a business or other organization should be the prudent move here. Planning for what the company may do if faced with a certain situation allows for calm and calculated planning to occur instead of being reactive to what is going on around them. Any decisions that the business makes will have an impact on the company, and ultimately on the work force that you employ as well.
Epidemic Impact
No matter how you plan, the decisions you make or plan for will always change. Flexibility is the name of the game here. Have several different levels or ways to address an issue as it arises, and plan on meeting those changes as they occur rather than being reactive to them. Being cautious and taking an aggressive approach at the onset may help prevent more of an outbreak than waiting on what the state, national, or global authorities may suggest. We are seeing this play out in Seattle and in King County, Washington, as the local authorities have suggested that employees work remotely if they can for a length of time in order to prevent a further spread of the virus. Businesses in the county will have to determine how they plan to address this issue. Will they take the steps that have been requested by the local government, or will they side with their own best interests in order to preserve their business? The impact of an epidemic is not just a personal one, but also a monetary one for the company that has to make those choices.
This is one of the crucial aspects of the planning process that seems to be left out by most businesses: pandemic insurance or emergency funding in case it is needed. While organizations will focus on business operations for emergency funding, pandemic funding or planning for its potential impact should also be taken into consideration.
"The suggestion is to have at least 3 months of operating capital on hand in case of a pandemic." - Erich Barlow
Developing a Plan
The first course of action should be to establish and develop a Pandemic Response Plan that will be implemented in case a pandemic or epidemic is declared. This plan should have the following areas:
Plan Testing
One of the core issues that plans sometimes have is that they aren’t tested as often as they should be. This leads to plans that are outdated or inaccurate, and to personnel not knowing their particular role in the plan when it is activated. It is recommended that a tabletop test be performed at least once a year in order to validate the planning process. Testing your plan is one of the best ways of making sure that it will be there when it is needed in case a pandemic hits where you are located.
Summary
While there are a lot of different areas that need to be addressed when planning for a potential pandemic, the time that is taken in planning for it will pay off if it ever has to be implemented. This is what we are seeing play out right now with those organizations in Washington State that have not planned for such an event. While most businesses will have plans for fire, flood, or even an earthquake, Pandemic Response Planning is one of those areas that are not really planned for. Taking the proper steps in developing a robust response plan before you need it will go a long way in helping the company recover from a potential outbreak. Whether it is suggesting working remotely or limiting social interaction within large groups, it is important to address these issues ahead of time.
Reader’s note: Due to the rapidly changing situation and the impact that the current epidemic is having on the community in which I live, I plan to update this article through the next few weeks as we deal with this outbreak and how we are going to react to it.
Working from Home During the COVID-19 Pandemic – Blog Update May 23rd, 2020
After two months of working from home (and changing jobs in the process) it has been a huge change for me and those that I work with. While I saw most of my friends be laid off or fired due to the impact of the virus, a large majority have been able to keep working.
Essential Workers
A lot of jobs were declared “essential”, and we saw that they were able to keep working (although with some modifications) and were still able to earn a paycheck. While the government was able to determine who was essential and who was not, this designation was not applied equally across the board, and those folks that we all depend on every day lost their jobs because the government decided that they posed a risk to our health.
Pandemic Mental Health
Like most of the people that I work with, I have been impacted on a personal level by the restrictions that have been imposed on me “for my health”, but it is my belief that our mental health has been impacted in ways that we don’t fully understand. Whether it is our kids that we are now all homeschooling or those of us who are social beings, we have had to change the way that we function in the world around us. Being able to go to the gym for a good workout and helping to relieve stress has been off the table of things I have been able to do (and I have seen some weight come back) for the last two months now. Additionally, being able to practice my faith has been prevented as well, which, like a lot of people, has been a great source of comfort before the outbreak, and it still is, but the practice of it has had to change.
Technology Work Changed Forever
While there are a lot of issues that we all have had to endure over the last couple of months, there are some bright spots. One of them is that working from home, or at least the ability to do so, has become the norm and not the rarity that it once was. While there have been some difficulties in the adjustment to it, I think that it will become the way business is done in the future, even after being able to return to the office. More and more people are seeing the benefit of working remotely (not to mention the savings we get from not being in rush hour traffic). While a lot of companies were not sure about how they could make working remotely work, they were able to figure it out. Now with that infrastructure in place and working efficiently, why dismantle it when the pandemic is declared over? I think that we are going to see more businesses adopt the model and keep on working this way, or at least have it as a full option for workers if they choose to do so.
Security at Home
One of the biggest issues that companies have had with going to the work-from-home model of business is how to enforce security on personnel when they are not in an office. Businesses have quickly learned that the use of encryption for communications and network connections is an important aspect of those security measures. Additionally, making sure that employees are adhering to IT Security best practices has also been an important issue that has been addressed. Providing IT Security information to the end user has been a focus of the IT Security teams around the globe that are supporting the work-from-home business model.
Additional Updates
While I live in the Pacific Northwest, the Governors here are continuing to restrict business operations and the abilities of the people to go about their normal lives. The area that I live in will be under these restrictions until at least the end of summer, if not later.
So, I will be posting updates as we continue to deal with the pandemic in hopes of preventing its spread. Updates on what are considered best practices during this unprecedented outbreak will also be posted to this blog.
What seems to be all the buzz these days is the deployment of critical infrastructure or Software-as-a-Service (SaaS) applications into a cloud environment in order to provide additional security. While most businesses are looking for the benefits that this offers to them and their customers, an area of concern is the alignment with their business operations and whether that security meets their specific needs or requirements.
Cloud Security
Companies and organizations are looking for the following when it comes to the migration of their infrastructure to the cloud:
Centralized Security
Cloud security is all about control. If you are able to control access requirements and resources from one online portal, the company will save on having to deploy specialized personnel to a data center. This is how services such as AWS (Amazon Web Services) are accessed and managed. The centralization of security means that the IT Security Pro will have more time to devote to other areas of the infrastructure, like perimeter defenses or vulnerability scanning.
Reduction in Costs
One of the biggest reasons, if not the sole reason, that an organization will choose to deploy infrastructure or applications to the cloud is the cost savings it gets from using the resources that are available within that environment. Whether it is the bandwidth, server resources, or just the overall cost savings from not having to pay for a capital expenditure, businesses continue to move to the cloud in order to gain a financial benefit from the move. This can be a significant amount, so security and how it will be used within that environment should be understood before anything moves to the cloud.
Reduced Administration
The reduction in costs that a company might see from moving to a more cloud-centric environment is directly associated with the reduction in administrative costs. With streamlined services and online portals to access all of the resources in the cloud infrastructure, companies may employ fewer admins than they would if they had to create the environment on their own. Also, the people who do fill these admin roles are going to be crucial to the deployment of the cloud environment and to its maintenance afterwards.
Reliability of Services
When we look at cloud services, one of the most significant aspects that we take into consideration is the reliability of the services that are offered (up-time percentage is a BIG one here). Additionally, looking at the redundancy of various services such as:
Summary
While there are a lot of reasons to move to the cloud, a business should determine how it will address security and what sort of benefits it is looking for from this critical realignment of its network architecture. Whether it happens to be overall cost savings or the enhanced capabilities that the cloud offers, IT Security and how it will be addressed needs to be a part of the discussion. Once the critical assets are migrated is the wrong time to try to figure out how your security posture will be affected by such a move.
When it comes to providing security to users who utilize their banking services, many companies do not do everything they can to protect their user accounts. This lack of support or enhanced capability can lead to accounts that may be susceptible to potential attacks. Additionally, banking institutions continue to lack security support for their online portals or account access.
Security Requirements
When it comes to banking, there has been a lot of focus on the bank as a whole and how it processes user payments. This has left a hole in the security requirements that can allow user data to be accessed or hacked by a dedicated attacker. An example of this lack of security can be shown with their limitation on user account password complexity, only allowing the following
Making it a Challenge
When it comes to hacking or attacking an online portal or a user account, an attacker will want to spend as little time as possible on each of the accounts that they try to compromise. This means that they are not looking for a challenge and will want to make sure that the account they attack will be easy to compromise. Not adding additional characters to the mix of those that can potentially be used drastically cuts down on the amount of time it would take to crack an account.
Time for Cracking
Depending on the complexity of the password that is being used, there are some basic periods within which those passwords can be hacked given the right circumstances. Here are just a few examples:
Online Portals
When it comes to credit card safety, it starts with the online portal for customer service. These sites have limited security requirements, as they are meant to be a way for the customer to quickly access their credit card account data. Additional security measures are needed for these specific accounts because of the access they provide to funds, resources, and data on the bank’s customer. While functionality on the online portals is needed, sometimes the security measures do not meet the same standards as other areas in the support services of the bank. Enforcement of multi-factor authentication (MFA), which is lacking, is one of the specific solutions that should be in place on all online account access portals. Additionally, time-outs or account verification during additional requests should also be enforced in order to prevent an attacker from gaining additional user account details or funds.
Summary
One of the glaring problems with banks and other institutions is that they are unwilling or unable to protect their customers’ information by the simple enablement of more complex passwords using special characters on user accounts. No matter where you use your password, you should feel safe in knowing that the bank or organization that supports the site is doing its best to protect your information. If a bank or other institution is unwilling or unable to provide for basic security of your data, then looking for those organizations that do should be important for you. Even card brands such as Visa, Mastercard, and American Express fail to support the inclusion of special characters in user passwords (NetSpend/ Visa and BlueBird/ AmerEx). This one addition to the password complexity equation could mean the difference between being hacked and not. In addition, the inclusion of just two more characters (10 total) is enough to make a simple hack into one that is costly in time for the attackers to accomplish.
Reference: https://thycotic.force.com/support/s/article/Calculating-Password-Complexity for the times taken in order to crack the passwords.
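The effect of allowed characters and length on exhaustive-search time, worked through as an added example (not code from the original post or from the referenced article). The four policies and the guess rate are constructed assumptions, since the post's own list of allowed characters and its crack times are not reproduced on this page.

```python
import math
import string

# Character classes a site's password policy might allow.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26 characters
    "digit": string.digits,            # 10 characters
    "special": string.punctuation,     # 32 printable ASCII symbols
}

# ASSUMPTION: an offline attacker testing 10 billion candidates per second.
# Real rates vary by orders of magnitude with the hash function in use.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000


def alphabet_size(allowed):
    """Number of distinct characters available under the allowed classes."""
    return sum(len(CLASSES[name]) for name in allowed)


def keyspace(allowed, min_len, max_len):
    """Candidates an exhaustive search must cover across every permitted length."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    n = alphabet_size(allowed)
    return sum(n ** length for length in range(min_len, max_len + 1))


def entropy_bits(allowed, length):
    """Entropy of a uniformly random password; human-chosen ones have far less."""
    return length * math.log2(alphabet_size(allowed))


def seconds_to_exhaust(allowed, min_len, max_len, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(allowed, min_len, max_len) / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


ALNUM = ("lower", "upper", "digit")
ALNUM_SPECIAL = ALNUM + ("special",)

# Constructed policies for comparison (not the post's missing list).
POLICIES = [
    ("alphanumeric only, 8 chars", ALNUM, 8),
    ("with specials, 8 chars", ALNUM_SPECIAL, 8),
    ("alphanumeric only, 10 chars", ALNUM, 10),
    ("with specials, 10 chars", ALNUM_SPECIAL, 10),
]


def compare(policies=POLICIES):
    """Return (name, entropy bits, worst-case time, gain over the first policy)."""
    _, base_allowed, base_len = policies[0]
    base = keyspace(base_allowed, base_len, base_len)
    rows = []
    for name, allowed, length in policies:
        space = keyspace(allowed, length, length)
        rows.append((name,
                     round(entropy_bits(allowed, length), 1),
                     humanize(space / ASSUMED_GUESSES_PER_SECOND),
                     space / base))
    return rows


if __name__ == "__main__":
    for name, bits, duration, gain in compare():
        print(f"{name:30s} {bits:5.1f} bits  {duration:>14s}  x{gain:,.0f}")
```

Under these assumed numbers, going from 8 to 10 alphanumeric characters multiplies the search space by 3,844, while adding special characters at 8 characters multiplies it by roughly 28. The figures apply only to randomly generated passwords.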
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.