Categories
Computer & Network Security

Best Practices for Privileged Account Management – Part 2

Privileged and Service Account Management

We spoke previously on the management of privileged accounts and how important it is to keep them accountable. Privileged accounts are one of many different types of accounts that should fall under your organizations Account Management Program and another one to add to that would be service accounts.

What is a service account anyway? In basic terms, a service account is an account that a service on your computer uses to run under and access resources. While they may look the same, the separation of users from services is very important for both tracking and the ability to tighten down what an account can do. A service account could also be an account that is used for a scheduled task (sometimes referred to as a batch job account), or an account that is used in a script that is run outside of a specific user’s context. A scheduled task account should not be a personal user’s account for the same reasons that a service should not run under a personal user’s account.

You may ask what is so important about these? It seems like if it is not a user account, then how would it have access to my organization’s network? On the contrary, these accounts are a favorite target of many malicious actors because they are often implemented in such a way that they have a higher level of access than a user account. These accounts are members of the domain in the same way a user account is. Historically, they also have not changed passwords as often (if ever) as user accounts.

Services are often installed under the built-in Local System account, which gives what are essentially local administrator privileges, so they are more predictable in how they will be able to be used if compromised. While local administrator privileges may seem somewhat harmless since they are not usually useable on other computers on your network, the local administrator privileges can end up granting access to domain username/password combinations. An attacker can use this as a jumping point  leading to account changes that allow for elevated access to other parts of your network. As a result, both locking down a service account and following good password change and audit procedures is an important part of keeping your systems secure.

What can you do?

When it comes to the configuration and management of service accounts, there a few things listed below that can help.

  • Password Management – Some administrators like to set these accounts up with passwords that do not expire or use the same password for all the service accounts. Instead, there needs to be a strategy for managing these passwords and changing them on a regular basis, as well as using unique passwords. Use an encrypted vault to protect, store and generate random passwords for service accounts.
  • Privilege Management – It is best practice to implement the principle of least privilege. Only provide the minimum necessary privileges to service accounts. If your service account must run with administrative privileges, deny that account access to all of the directories besides the one or two that it needs. Creating limited access to systems and denying interactive rights to only what is required reduces exposure.
  • Governance – First inventory all service accounts to know what you have and where. Next establish regular reviews of service accounts in the environment documenting ownership, required access and lifecycle of the account. Enforce these requirements with a workflow to gather these elements for new authorizations.
  • Auditing – Logging and auditing of service accounts, and all accounts in any case, is very important to keep systems secure. Using a SIEM looking for specific events can be helpful in discovering security problems and services that are not working correctly.

Locking down your service accounts should be a basic component of your hardening guide for all computers. While it requires more time to lock down a new service account to allow access only to what it needs, it is well worth the time spent. Defense-in-depth requires that you look at more than the perimeter, and service accounts are one major place where the in-depth strategy can serve you well.

 

Categories
Computer & Network Security

Best Practices for Privileged Account Management – Part 1

Basic Privileged Account Management

Abused and Misused privileges are often seen as being the cause of breaches within organizations around the world.  Privileged account management should be a major focus for Security and IT management who are looking to mitigate the risks of data breaches and insider risks.

What is Privileged Account Management?

Privilege Account Management is the definition and management of policies and processes that define the ways in which the user is provided access rights to enterprise systems.  It governs the management of the data that constitutes the user’s privileges and other attributes, including the storage, organization and access to information in directories (FICAM-09).  In other words, how an organization manages privileged passwords and delegates privileged actions.  Do you delegate, control, and filter privileged operations that an administrator can execute?  Do you audit, record, and monitor privileged access?

Why is it important to an organization?

When it comes to utilizing high business value IT systems, privileged users, such as administrators, typically have the widest operational latitude.  They are typically responsible for deploying and managing functionality on which the business depends, from vital day-to-day functions, to strategic capabilities that enable the business to maintain its competitive edge.

However, there are risks to wielding this power.  IT complexity means that minor changes could potentially have unintended, and severe impacts on availability, performance, and/or integrity.  Malicious attackers, inside and outside of the organization, can capitalize on administrative level access to inflict serious damage to the business.  Given the increasing sophistication and popularity of modern attacks via malware and other methods, it is common for attackers to gain and exploit such privileges by impersonating trustworthy personnel.

What are some common best practices?

There are countless solutions out there for organizations to implement and everyone has their opinion on what is the best way to do it.  Below are a set of common privileged account best practices all organizations should follow:

  • Separate regular access accounts from privileged accounts
  • Inventory all privileged accounts and assign ownership to that inventory
  • Do not use shared accounts
  • Minimize the number of personal privileged accounts
  • Limit scope for each privileged account
  • Use privilege elevation for users with regular access
  • Document policies and processes for the management of privileged accounts
  • Monitor and log all privileged access activity
  • Implement separation of duties model to manage superuser administrative privileges
  • Use default administrator, root, and similar accounts only when absolutely necessary
  • Require multi-factor authentication for all privileged accounts
  • Require complex and long passwords for privileged accounts
  • For service or application privileged accounts store passwords in an encrypted vault with a random password

Read Part 2 of this blog here >>.

Categories
Computer & Network Security|Information Security

Simple Cybersecurity Tips for your Business

If you’ve ever had someone break into your home or even your car, you know the feeling of vulnerability and fears that accompany that experience. The fear and uncertainty can linger for months and even years.

Now imagine a break-in at your business that jeopardizes everything you have worked so hard to build. But this intruder is invisible, and there is no chance that the neighbors will see something suspicious and call the police. Someone in a distant coffee shop in another country can steal your bank account information, private employee data, and information about your clients. Security cameras and motion detectors are useless in detecting this kind of intruder. What does the aftermath look like? In the best-case scenario, you will spend a LOT of time and money cleaning up the situation and making things right. With a little luck, you might be able to get everything running normally again. In the worst-case scenario, you lose a significant amount of money, you are sued by employees and/or clients for not securing their information properly, and the devastation leads to your business not being able to recover.

According to Homeland Security, 44% of small businesses reported being a victim of a cyber-attack, with an average cost of approximately $9,000 per attack. Protecting your business from cyber threats has become a top priority and it takes everyone in your company working together to keep your business safe, from top leadership to the newest employee. It takes everyone in your company, from leadership to the newest employee, working together to keep your business safe. Here are a few tips from Homeland Security your company can apply.

SIMPLE TIPS FOR EMPLOYEES

  • When in doubt, throw it out. Stop and think before you open attachments or click links in emails. Links in email, instant message, and online posts are often the way cybercriminals compromise your computer. If it looks suspicious, it’s best to delete it.
  • Implement a backup plan. Make electronic and physical back-ups or copies of all your important work. Data can be lost in many ways including computer malfunctions, malware, theft, viruses, and accidental deletion. Your backup plan should include offsite storage.
  • Guard your devices. In order to prevent theft and unauthorized access, never leave your laptop or mobile device unattended in a public place and lock your devices when they are not in use.
  • Secure your accounts. Use passwords that are at least eight characters long and a mix of letters, numbers, and characters. Do not share any of your usernames or passwords with anyone. Create a unique password for each site that you visit. When available, turn on stronger authentication for an added layer of security, beyond the password.
  • Report anything suspicious. If you experience any unusual problems with your computer or device, report it to your IT Department.

SIMPLE TIPS FOR THE BUSINESS OWNER

  • Equip your organization’s computers with antivirus software and antispyware. This software should be updated regularly.
  • Secure your Internet connection by using a firewall, encrypt information, and hide your Wi-Fi network.
  • Establish security practices and policies to protect sensitive information.
  • Require employees to use strong passwords and to change them often.
  • Invest in data loss protection software, use encryption technologies to protect data in transit, and use two-factor authentication where possible.
  • Protect all pages on your public-facing websites, not just the checkout and sign-up pages.

In a perfect world, every employee would work their hardest to keep your network safe and secure. Since we don’t live in a perfect world, let this post help you determine next steps. Businesses often think they can’t afford outside help…until it’s too late.

If you would like to learn more about how you can protect your corporate data, please click here to contact us. SecurIT360 provides audits, scans, and analysis of various systems and businesses across multiple industries including legal, financial, utilities, and healthcare. Let us help you determine where you should spend your time and money protecting your information.

Categories
Computer & Network Security

Artificial Intelligence Advancements In Healthcare: The Needed Next Level of Cyber Security

How is Artificial Intelligence being used in healthcare?

Artificial Intelligence, or AI, is having a dramatic effect on the healthcare sector. At its core, artificial intelligence seeks to mimic the unique processing capacity of the human brain. Using algorithms, pattern matching, deep learning, cognitive computing, and heuristics, AI is able to quickly sort through masses of raw data. This is incredibly helpful in the medical field. In addition to the millions of Electronic Health Records (EHRs) at the center of our healthcare system, medical practitioners must also incorporate data from studies, data from testing, and past patient records when diagnosing and treating a case. AI can use predictive models to find irregularities or similarities in raw data that doesn’t have to be pre-sorted. This helps doctors improve diagnosis accuracy, patient care, and outcomes. AI’s ability to find meaningful relationships in data is being used as a powerful tool to aid in drug development as well as patient monitoring and treatment plans. Artificial Intelligence is becoming more common in many parts of the healthcare system, and it is estimated that $36.8 billion will be invested in AI systems across the US by 2025. AI is poised to be the main force that drives improvement across the healthcare industry.

Why is this a big deal?

Artificial Intelligence will be the engine of change by organizing masses of data and giving relevance to data points, which will ultimately improve reliability and objectivity in diagnoses. AI will provide context for patient data more quickly than ever before, allowing doctors to identify and treat diseases accurately, minimizing misdiagnosis and lowering the mortality rate. In addition, the costs for drug development will be lower, as we will more accurately be able to predict the drugs’ effects in certain patients. This all leads to an increase in doctors’ facetime with patients. They become freed from analyzing mountains of data and more able to focus on care and healing.

What concerns with cybersecurity arise when using AI?

When we open up patient records to artificial intelligence, we are opening up our systems to outside attacks. With sensitive information at risk, healthcare providers must be very careful that their rate of system upgrade does not outpace their security improvements. Installing new systems that sort sensitive patient data must be tested from all endpoints to ensure there are no flaws or vulnerabilities to attack. AI dramatically increases the complexity of assessing security threats. These new systems could be a point of entry for malware that will be difficult for systems designed to monitor human behavior to detect. 

What upgrades in cybersecurity are necessary to protect against these concerns?

Greater use of AI in healthcare systems means that we need greater use of AI in cybersecurity software to match it. Our main protection will be anomaly detection. This will mean installing these detection programs across all endpoints in the system. Anomaly detection works in the same way that the AI identifies meaningful relationships in patient data. It monitors the system and senses potential threats whenever there is unusual behavior. Anomaly detection can do more than discover malware within a system. It can also identify where the cyber attacks are coming from and what kind of attacks being perpetrated. Predictive analytics for malware detection can also stop problems before they start. These analytics can identify suspicious files and prevent them from opening, stopping problems before they start. Properly planned and configured, these new cyber security measures act like the immune system for a healthcare company. 

What are the challenges in implementing new AI/Cyber Security Procedures in healthcare systems?

Establishing new and heightened security procedures require behavior monitoring, to make sure users are complying with new systems. While some users may think that increased security measures are intrusive at first, compliance is paramount. When cybersecurity systems are implemented without factoring in the human element and allowing time for training, it can often lead to users falling back on unauthorized apps and outdated but familiar systems. These non-sanctioned entrances into the system leave it vulnerable to a breach. There are human users in your system in addition to AI, and it can take time and planning to make sure your innovations don’t outpace your cyber security procedures. A coordinated strategy that considers both human and artificial intelligence creates a healthcare system that is more accurate, faster, and cheaper for patient treatment.

Want to know more about how you can ensure your company is secure? Contact us!

Categories
Webinar

Arriving at the Scene of a Cyber Attack

In this 1-hour webinar, SecurIT360 experts describe what’s like to arrive at the scene of a cyber attack and how to respond.

Watch the full webinar recording below.

Webinar Speaker:

  • David Forrestall, Managing Partner, SecurIT360
Categories
Uncategorized

Coronavirus Cyber Security Challenges – The Remote Workforce

The Cyber Security Implications of the Coronavirus

As the fear of the Coronavirus – COVID-19 – spreads, governments and companies are looking for containment strategies that reduce human contact.  Exposed cities are on lockdown, forcing any work to be done remotely and there are more restrictions to come.  Some companies have already closed locations as a precaution, and as restrictions increase, others will be forced to send workers home to work remotely.  The criminals have already started the scams: phishing campaigns to take people to fake news updates to see if they can entice a click.  That is the easy starting place.  No doubt that the cyber criminals will find other ways to try to monetize the situation including new types of Ransomware attacks.

Need help?
Contact one of our representatives and we’ll help you find solutions.

Remote Security Posture vs. Capacity

Many have created remote security policies and procedures to address the potential risks which need to be taken into consideration.  Systems have been designed with capabilities to allow secure remote access and keep sensitive data safe, but they often don’t have the capacity for everyone or even most of the organization to work remote simultaneously.  

Will the workarounds and changes you make to accommodate the need for operations compromise your security?  They might.  It is situations like COVID-19 where the urgency of a solution often does not get full Cyber Security due diligence.  Or, there is not enough time and funds available to implement a prudent secure solution that considers the risks. 

What to Do

Evaluate Risk

The discipline of applying cybersecurity protections is centered around the risk to the organization, its people, its systems, and the information.  Now, you don’t have to stop what you are doing for a couple of weeks and perform a formal risk assessment, but could an extra day or week for a more secure solution reduce hundreds of thousands or millions of risk?  Here are some basics about remote access that you should consider:

  • Who will be accessing the resources?
  • What devices will be used to access resources?
  • What resources will be accessed?  Data, Networks, Applications, Physical systems, etc.
  • What will the individuals be doing with the resources?  Download, screenshot, email, copy, print, control other systems, etc.
  • Will remote access to the information comply with statutory and client requirements that we must abide by?
  • If all of the above are not created equal (and they are not), then which might need to be treated differently?
  • See other known risks below

Implement MultiFactor Authentication 

For everything that is remotely accessible.  There are many options depending upon what you are trying to protect.  It is not a silver bullet and can be circumvented in some cases, but it GREATLY reduces your risk.  You should also require an additional layer or stronger security for certain individuals like your IT administrators and others with access to sensitive information.

Ensure that your basic security protections also apply

You MUST have difficult passwords, require patching, screen saver time-outs, and all of the other basics that you require for your internal network.  

Monitor Remote Access

Is that really John?  Why is he still working at 2:30am?  Geez, he is copying a lot of files right now.  You need to be able to understand that the remote behavior is legitimate and if not, take action.

Train Your Staff About Working Remotely

Ensure they know what is allowed and not allowed and what the risks are.

Consider a Tiered Solution

If you can’t provide the same level of security for everyone, then ensure that those that need the most security are on your best solution.  Create workarounds for others.  Many may be able to operate without remote access to the environment at all.  Cloud services come in handy here.  You can also check with your vendors about emergency temporary licensing or solutions.  See below for some considerations of different types of remote access. 

Known Risks Associated with Remote Access

You CANNOT and MUST NOT trust a home network

The PC itself is an unknown device that has many risks.  I hate to be the voice of doom, but it may already be compromised by a bad actor and be part of a botnet network or otherwise

  1. Could have multiple users including kids playing games and others going to known risky sites
  2. May have risky applications installed
  3. It may not have current or working Antivirus and security software in place
  4. It may not be fully patched and have many vulnerabilities
  5. It may not require a password
  6. You get the picture…

    The Network is consumer-grade and does not have the ability to offer protections that you depend on at work.

  7. Firewall.  There may not even be one, just the device provided by the Internet provider
  8. Security Monitoring and Alerting.  Mature business environments have regular information available to surface anomalies and other risks that home networks do not have
  9. There are other devices that are not secure on the network.  Other computers, mobile phones, smart refrigerators, home automation systems, and who knows what other new security risks (baby monitors…) 

Data Sprawl

This is a big one.  When users know that they may be out of the office for a while, they will find ways to be productive in the easiest manner possible AND they are less concerned about the security or compliance requirements.  Be aware:

  • People will email themselves information.  Either to a home account or to themselves in their corporate account
  • Data will be copied to USB keys and might be transferred to other file-sharing technologies
  • Now that this data is being duplicated into other places, how can we keep up with it and secure it
  • If allowed, the above-copied data will end up on non-company computing devices.  

Increased Scams

We have already mentioned the increase in phishing scams.  Since January, there is documented activity of a number of questionable registered websites related to COVID-19 and reputable organizations like the WHO with the intent to take advantage of those that are looking for legitimate information about the pandemic.

Free WiFi

Hopefully, this is happening a little less in this situation, but you could have workers trapped overseas or on a cruise ship that is using insecure remote access.  Educate and provide alternatives.

Physical Theft

Now that we have more folks out of the office and working on company-owned or personal devices, these devices could be targeted by criminals.  If they get their hands on a home PC – without a password – that has company or customer information on it…

Security Postures of Possible Solutions

Today’s technology provides quite a few options for remote access; some of which are more secure than others.  Below is a discussion about the security considerations of some of the most common methods.  NOTE:  MFA (MULTIFACTOR AUTHENTICATION) is paramount for the security of any remote access solution.  MFA is not the silver bullet as you will see below, but we would not consider a remote access solution without it.

1 – Virtual Desktops

These offer the most protection, if on a company-owned computer and configured correctly.  

Also known as VDI (Virtual Desktop Infrastructure) and DaaS (Desktop-as-a-Service).  VDI is typically hosted internally or privately, while DaaS is typically provided by a hosting company.  This includes VDI and DaaS.  (More about Remote Access at the end of this post.)

Advantages:

  • All of the data and applications remain on the virtual machine located within the data center and its security controls.  
  • You can enforce the same level of security (or a chosen level) based on profiles or rules.  These include:
    • Copying (or not) data to the remote computer
    • Sharing folders with the remote computer
    • Printing
    • Access to certain applications
    • Location-based rules

Risks of VDI and DaaS:

  • If accessing from an insecure or compromised (home) computer, an attacker could see everything the user can see – even if you did use MFA to access…
  • If rules are not established to govern copying files, network sharing, and printing, then the remote computer and network are vulnerable.

2 – VPN (Virtual Private Network)

Good protection but can have hidden risks if not correctly configured.  A VPN is an encrypted tunnel into your private network that makes the connected Computer or network a remote part of the network it connects to.  

Advantages:

  • The secure tunnel allows connection to internal network resources including computers, applications, databases, and file shares.  
  • Some VPN software will enforce local security profiles on the connecting PC (including home PCs) to ensure that minimum requirements are met.  the same level of security (or a chosen level) based on profiles or rules.  

Risks of VPNs:

  • If accessing from an insecure or compromised (home) computer, an attacker could see everything the user can see – even if you did use MFA to access…
  • If not configured correctly, you can be attaching and insecure (home network and all of its insecure devices – your kid’s iPhones) to your corporate network.
  • Depending upon configuration, VPNs allow users to transfer files to remote devices and map network drives to file shares

3 – Remote Desktop Access Strength of security varies, but not as capable as VDI or DaaS.  When paired with a VPN, security is increased, but you still have risks.  Remote Desktop access is provided by software running on a computer inside your corporate network.  Examples include:  RDP, LogMeIn, GoToMyPC, VNC, Team Viewer, and there are others.

Advantages:

  • Access to the same computer and programs that you use while at work.
  • The company computer is subject to all of the company security policies and protections

Risks:

  • If allowed, the software can be installed and managed without IT’s knowledge, circumventing monitoring and other security controls creating an unmanaged gateway into the company.
  • Some solutions can be accessed from anywhere using a web browser and may not require MFA.
  • Solutions allow for data transfer and printing which can lead to risks of data breaches. 

More About Remote Access

Virtual Desktops – VDI & DaaS

After authentication (including MFA…) the user essentially receives a window that displays the computer and all of its applications on the remote computing device.  The computing infrastructure can be in a private data center or hosted.  There is a virtualization layer where computing and storage resources may be spread across multiple physical devices that sometimes are not in the same physical location.

Virtual Private Networks – VPNs

Instead of routing directly through a public network, VPNs put a layer between your information and public access. It can aid in masking your online activity from the public and provide you with a secure connection to another network online. They work by making your IP address and location anonymous; your data is sent through them before being released into an external server. Generally, outside forces can identify your IP address and track your activity online, but with the veil of VPNs, your online activity can only be traced back to your VPN service provider. 

Remote Desktops

Windows RDP

In Windows, this is a native software program that allows remote connection from another device running the appropriate connection software.  The user receives a screen just as they would sitting in front of the actual computer and is able to see the desktop and use their mouse and keyboard to interact.  One (insecure) way to use RDP is to open a port in the Firewall and allow direct connection from the internet.  This is how many machines have been compromised over the past couple of years.  RDP connections can also be brokered using a local server running Remote Desktop Services.  This is a safer, more secure configuration – don’t forget MFA. 

Local Remote Desktop Programs

Programs like Teamviewer or VNC can be installed locally on a PC or Mac that will allow direct connection over the network.  These function like Windows RDP above and can also be configured insecurely via a Firewall over the internet.

Hosted Remote Desktop

Other software is installed and managed by a cloud provider.  LogMeIn is an example.  The user installs the program on their computer and registers it with the service.  They can then remotely go to a web browser from any computer and authenticate (MFA?) to start a session with the company computer.

Contact Us

Contact us and one of our representatives would be happy to help you.

Categories
Computer & Network Security|Uncategorized

New Ransomware Attacks

In the past few weeks, 5 law firms reported ransomware attacks by a malicious group known as Maze. This new and unique virus doesn’t follow the typical protocol. Instead of placing a ransom note on your system, they place your firm’s name on a public website. Entities that do not comply with ransom demands have portions of their data released publically until the ransom is paid; two different firms had their data released this week. Now that you are aware of the situation, we’ve put together some resources to help you understand it and how to prevent ransomware attacks:

Ransomware – the basics

How to spot it and how to deal with it

Emisoft has stated that at least 45 companies were the center of attack by Maze in January. They also state that this only accounts for 25% of their hit list. More information about this ransomware attack can be found here [LawSitesBlog.com]

Categories
Computer & Network Security|Information Security

IT and the C-Suite: 3 Tips for Communication

Years ago, I served as Head of Information Security for a large organization. After just 6 months on the job, we experienced every network administrator’s worst nightmare…. a data breach. As we worked to resolve the problem, it seemed like there was enough blame for everyone. IT was blamed because of their operation. Application Development and Support was blamed because of their code. Then the CIO started taking heat because security hadn’t been his top priority. Finally, the CEO came under fire for the overall performance of the team leading up to the breach.

A recent article I read by Kacy Zurkus in Security Boulevard reminded me of this situation; Zurkus does a great job outlining recent trends in cybersecurity and corporate accountability. There is no doubt that C-level executives are held just as accountable as IT teams when a breach occurs. However, that doesn’t mean that the C-suite and IT are on the same page. Knowing this, why are there continuing challenges in communication? are there continuing challenges in communication?

Communication Between C-Suite Executives and IT

There is a communication gap between the C-Suite and IT. 91% of IT pros feel that their organization is improving its cybersecurity while only 69% of C-level executives agree. Executives also disagreed with IT on data priority. They prioritized protecting employee data while IT prioritized financial data.

If IT and executive leadership are going to prepare for inevitable data breaches, we need a roadmap for communication so that we can align priorities and coordinate efforts.

3 Tips for Communication Between IT and the C-Suite

The article on Security Boulevard highlighted some good thoughts on communication with the C-Suite. Here are some ideas that jumped out at us plus a few thoughts of our own.

Tip #1: Don’t Use Industry Lingo

IT must learn to communicate complex IT issues and security threats in layman’s terms. We recommend using analogies and avoiding industry jargon. As you will see in our next tip, your communication still needs to have some meat on the bone.

Tip #2: Make Substantial Recommendations

While words like “synergy” and “collaborative” are great in presentations (not really!), they don’t do much to make your company more secure. The CEO is personally responsible for every type of issue across all parts of the company and you can help by bringing specific, actionable recommendations to the table.

Tip #3: Understand the Role of the Chief Information Security Officer (CISO) in Preparing for a Data Breach

Many companies have designated a Chief Information Security Officer (CISO) to advocate for information security within the organization. This seems like a great solution, but many CISOs are not as empowered as they could be. The CISO frequently reports to the CIO, and their interests are not necessarily aligned. This can lead to a breakdown in communication within the executive team and lead the CEO to develop a false sense of security. Consider whether a CISO would benefit your organization and think about how they fit into the corporate hierarchy.

Conclusion

I’ve worked in IT security for over 30 years. Many things have changed, but it occurred to me as I was writing this article that these thoughts would have been applicable 10, 20, or 30 years ago. Before concluding this article, there is one more tip that passes the test of time:

Bonus Tip #4: Get an Outside Perspective

IT security is complex, and the only certainty is that the bad guys are always looking for new approaches. Having a fresh set of eyes to analyze your data security in light of the latest threats and security resources is frequently the difference between an unsuccessful hacker and a catastrophic breach.

At SecurIT360, we specialize in delivering our cutting-edge security resources with communication that is understandable and helpful for anyone from an executive with no background to the highest-level network engineers.

We are offering a free security audit to identify the paths that could leave you vulnerable to the next data breach. Contact us today to find out more.

Categories
Compliance > Privacy

Your CCPA Compliance Checklist for 2020

You’ve read about it for months now, and it’s finally here. The California Consumer Protection Act went into effect on January 1st, 2020. Unlike asking a telemarketer to put you on the mythical “Do Not Call List,” consumers’ new privacy rights under the CCPA are very real and very enforceable. We’ve waded through all the confusing information on the CCPA to put together a handy list of answers to questions you may have had when hearing about CCPA and considering its impact on your business.

What is it?

The California Consumer Protection Act, or AB-375, was passed on June 28, 2018. It is a comprehensive piece of legislation designed to significantly elevate privacy regulations and to protect California consumers from having their personal data stolen, sold, or shared without their knowledge. Businesses will be under increasing scrutiny to have complete transparency in how they are currently collecting, storing, and using consumer data.

What kind of consumer data is protected?

Be careful – the CCPA takes a very broad view of what constitutes “personal data” about consumers. It’s not just credit card information! The specific definition of personal data under the CCPA is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to a customer’s name, this “personal information” includes: IP address, postal address, email address, Social Security Number, driver’s license number, passport number, biometric information, geolocation data, consumer photos, and messages…the list goes on. ALL of these things are now protected under the CCPA. Due to the connected nature of the growing Internet of Things, more consumer data of an alarmingly personal nature is being unwittingly shared online. The regulations under the CCPA are an attempt to control and curb the spread of that data.

What are consumers’ rights under the CCPA?

In short, the CCPA is designed to give consumers greater control legal over what information businesses know and share about them. Consumers have the right to:

  • Disclosure – Consumers can make verifiable requests to know what personal information is being collected or sold about them, and businesses must disclose this information.
  • Access – At the point of collection, a consumer must be informed of what type of information is being collected, and how it is being used.
  • Deletion – Consumers can request to be “forgotten,” ie. they can request for all personal information about them to be deleted from a business’ system. This includes the removal of consumer information from third-party vendors.
  • Antidiscrimination – Consumers cannot be discriminated against because they have exercised their rights under the CCPA.
  • Ability to Opt-Out – A business must provide a “Do Not Sell My Personal Information” option on its website.
  • Privacy Policy Requirements – Businesses are required to state their online privacy policy plainly, and update it every 12 months.

What are the new privacy policy requirements for businesses under the CCPA?

Maintaining all of these rights for consumers sounds like a big ask, but there are five main CCPA requirements that will help you achieve this. The CCPA asks that business take part in the following activities:

  • In-house data inventory, mapping of relevant personal data, and highlighting instances of selling data
  • Setting up new individual rights to data access and erasure
  • Setting up new individual rights to opt-out of data selling
  • Updating service agreements with third-party vendors and data processors to ensure that they are also CCPA-compliant
  • Identifying and eliminating information security gaps and business system vulnerabilities

Will it affect my business?

“My business isn’t based in California, so I’m in the clear, right?” Not so much. There is a broad swath of companies that will have to comply.

If your business is for-profit, and if your business:

  • Is owned and operated in California OR:
  • Sells to consumers in California OR:
  • Has an annual revenue of $25 million or more OR:
  • Buys receives, sells, or shares consumer data from 50,000 or more consumers, households, or devices OR:
  • Gains a majority of their annual revenue from the selling of personal data

You will be bound by this legislation! As you can see, this definition includes most of the companies in the U.S.

Are there any exceptions?

The main exceptions to the rule are where it conflicts with federal regulation. The CCPA shall not restrict a business’ ability to:

  • Comply with federal, state, or local laws
  • Collect, use, sell, or disclose consumer information that is aggregated consumer information
  • Collect or sell personal information if every aspect of the transaction takes place wholly outside of California

The CCPA shall not apply to:

  • Medical Information or protected health information, pursuant to regulations established by HIPAA
  • Personal information collected pursuant to the California Financial Information Privacy Act

So, unless your industry is medical or financial (which are already strictly regulated), you need to pay close attention to the CCPA!

How do I achieve compliance?

“Ok, I get it. It will affect me. Now, what do I do to maintain compliance?” It’s all about putting in “reasonable security protection.” Your business should check for the following points to ensure CCPA compliance:

  • Stringent processes and protections in place for how you collect and store customer data
  • Consumer notifications of what type of information is being stored and used at the point of collection
  • Strong endpoint protection and encryption
  • Strong emergency processes in place in case a data breach occurs
  • An Opt-Out option on your website so that consumers can request to be “forgotten”
  • An updated privacy policy that you’ve shared with your third-party vendors
  • An updated privacy policy posted clearly on your website

Update your systems so that your consumers are made aware of what information you are gathering and how you are using it, and you should have no problem.

What will happen if I’m non-compliant?

There is a higher cost than ever for non-compliance, whether voluntary or involuntary. The CCPA Enforcement states that “any person, business, or service provider that violates the CCPA shall be subject to an injunction and be liable for a civil penalty.” If you knowingly disclosed consumer personal data, the penalty is $7,500 for each intentional violation. If you unknowingly violate the CCPA (which shouldn’t happen if you are reading this post!), the penalty is $2,500 for each violation.

In addition to that, consumers can individually bring a civil action against your company for up to $750 per incident, or the cost of the actual damages, whichever is greater. This civil action will question whether your business has implemented “reasonable security procedures and practices,” so if you can’t prove you had privacy protection measures in place, watch out.

What should I do if there’s a breach?

If there is an attack on your business’ data systems and an information breach, you must act quickly to protect your consumers’ personal information, as well as to notify them of the breach. If you fail to do this within 30 days, you will be subject to maximum penalties. However, if you can prove that your violations have been amended and that no more will occur, you will be spared additional fines.

When will I have to enforce CCPA compliance?

If you feel like there’s a great deal you need to do to achieve compliance, you still have some time to do it. Even though the legislation goes into effect January 1st, 2020, there is a grace period that lasts until “6 months after the publication of such regulations,” or July 1st, 2020.

There. I’m done. Now I don’t have to hear about CCPA ever again, right?

Not quite. This legislation is following the trend of the EU’s GDPR (General Data Protection Regulation), which is actively creating and expanding the definitions of consumer rights. Right now, though, there is still turmoil as the CCPA tries to bring some cohesion to what is a dynamic policy area. There will be great changes in the legislation until homeostasis is reached. Businesses can expect similar laws to be passed across the country in the next few years, so if you don’t have to deal with consumer privacy rights now, don’t worry. You will.

Why is this important?

The CCPA legislation will impact your business, whether you realize it now or not. With many business’ marketing strategies relying heavily on using and predicting consumer identities, removing personal information about your customers introduces holes into the picture. This law will greatly affect the accuracy and efficacy of established marketing approaches like attribution.

The increased connection of the Internet of Things begins to reveal the many vulnerabilities that are emerging in sharing, storing, and protecting consumer personal information. According to Risk Based Security, 2018 was the second-most active year for data breaches, with 6,500 reported breaches that included some 5 billion records. And those numbers can only be expected to increase. The CCPA is an attempt to mitigate some of these breaches.

The CCPA may seem like a headache, but it is a good opportunity for your business to focus its attention on upgrading your security and privacy practices all around.

What’s going to happen next?

You can expect a rocky start to the enactment of the CCPA. First off, despite its being around for over a year, there is a great deal of contention as to the exact scope of the legislation. Two bills are currently under consideration to expand the CCPA, while nine bills are being considered that would narrow its scope. In addition, a federal privacy law is still under consideration in Washington, DC, that would affect the exact provisions of the CCPA.

In addition to this lack of agreement, there is a general lack of knowledge about the CCPA. A recent survey by ESET polled 625 business owners and executives to see how prepared they are for the enforcement of the CCPA on January 1st, 2020. Of these 625 owners, half had never heard of CCPA, 34% were unaware if they needed to change for compliance, and only 12% knew specifically how the law would affect them. Because of this confusion, you can expect to hear about a great deal of litigation in the new year as businesses are faced with the high cost of non-compliance.

Categories
Uncategorized

Cyber Security Budgeting for 2020

It is time to update our annual Cyber Security Budgeting advice.  I just lead an exercise at a conference where folks had limited budgets and needed to determine the best places to spend their Cyber Cash.  As I reviewed what we have adapted over the years, much of it is still the same.  We continue to become more dependent on technology composed of applications, operating systems, processors, storage, and connectivity.  IoT, autonomous vehicles, 5G, Huawei, and other new things continue to proliferate, but we still apply the same principles to protect ourselves.  

So, what is new this year?

The proliferation of Ransomware and Business Email Compromise (BEC).  Crimeware as a service is nothing new, but the cases are skyrocketing.  If you don’t know someone who has had one of the events, then you don’t have very many friends.  The crime groups are becoming better at monetizing these events and they are growing at an amazing pace.  The primary attack vectors is still email and the humans that own these accounts.  This threat landscape and other considerations will move a few things around and I will make note of them. 

So, here is some of the same old stuff:  Organizations are now willing to spend $$ now more than ever to avoid becoming the next headline.  When planning, it is easy to focus on available products that vendors are spending millions of dollars to push at us every day.  Products are required, but it is the process around these that keep you secure.  Best practices in security follow a layered approach, and budgeting is no different.  Where should you focus your efforts?

The Basic Layers:  Reduce Known Risks

These are not sexy, but neither is changing your oil and rotating your tires (Diet and exercise?  Pick your poison).  Before you look at some of the newer, enticing security solutions, it is important to make sure the basics are covered.  What we know:  attacks and breaches are increasing every year.  We have seen an 8x increase in incidents in the past twelve months.  So, our basic list has grown from last year.  You may ask:  why don’t you just follow the CIS top 20?  We agree that all of those 20 items are very important, but after working with over450 organizations, we know that approval of budget items, gaps in expertise, and culture typically makes it hard for an organization to follow the CIS in order.  If you can, that is great, but we offer the following list of items to consider in order of importance and ease of execution:

  1. Email & Web security – Spam & Antivirus solutions
  2. Enable MultiFactor Authentication for all remote access – don’t forget O365 and other cloud services – or don’t allow it
  3. Tested Backup and Recovery Capability.  More than restoring that occasional deleted file or email.  This is typically IT Ops and we had not specifically called it out previously – it is the best defense against Ransomware.
  4. IDS/IPS; internet monitoring/filtering – hard to believe, but we still find some organizations with outdated firewalls and no IDS capability
  5. End User Security Awareness Training – must include email Phishing
  6. Basic Incident Response capabilities
  7. Security patching for all hardware/software
  8. Endpoint protections – Antivirus/Malware solutions
  9. Review all accounts, especially privileged accounts and do not allow privileged accounts for regular use
  10. Check for consistent password and access controls across all of your platforms
  11. Encrypt portable devices
  12. Approve Basic Policies to establish guidelines
  13. Constant inventory devices on your network
  14. Review firewall, remote access/VPN, and wireless solutions regularly
  15. Comprehensive network documentation
  16. Secure file transfer capability
  17. Basic Security Metrics and Reporting – Regular measurements are a must to eliminate a false sense of security
  18. Increase visibility with SIEM (Security Information & Event Management) – either in-house or as a service
  19. Evaluate your ability to perform these basic functions adequately – do we need managed services?

Add Advanced Layers to Cover Blind Spots

Once you have the basics in place, formal measurement and planning is prudent to prioritize capital expenses.  If you do not have the in-house expertise available, you may need to rely on outside assistance.  Some items to consider:

  1. Objective measurement: Risk Assessment, Security Audit, Vulnerability and penetration testing
  2. Compliment SIEM with MDR (Managed Detection & Response)
  3. Formal Program & Policy development following ISO 27001, NIST, HITRUST, or other appropriate framework
  4. Risk Management
  5. Vulnerability Management
  6. Mobile device management solution
  7. NAC – internal Network Access Controls
  8. Data Loss Prevention technologies
  9. Identity Access Management
  10. Forensic capabilities
  11. Application whitelisting
  12. Incident Response Tabletops, Red Team, Blue Team, Purple Team Exercises
  13. Information Governance

Studies have shown that a good security posture will reduce the operational costs and the cost of a security breach.

A Note for your CFO:  You may want to remind your finance committee that breaches can cause serious reputational damage and be very expensive.  Cyber Liability insurance is not enough.  In today’s world, the expectation is that there are measurable efforts (and funds) devoted to keeping information safe.

Note:  SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm.  We do not sell or broker hardware or software.

If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.

Why not just follow the CIS top 20?

Since we mentioned it, we will go ahead and put this list out here too.

Basic CIS Controls

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational CIS Controls

  1. Email and Web Browser Protections
  2. Malware Defenses
  3. Limitation and Control of Network Ports, Protocols and Services
  4. Data Recovery Capabilities
  5. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  6. Boundary Defense
  7. Data Protection
  8. Controlled Access Based on the Need to Know
  9. Wireless Access Control
  10. Account Monitoring and Control

Organizational CIS Controls

  1. Implement a Security Awareness and Training Program
  2. Application Software Security
  3. Incident Response and Management
  4. Penetration Tests and Red Team Exercises

The 7 Key Principles guiding the latest version of the CIS Controls:

When designing the latest version of the CIS Controls, our community relied on 7 key principles to guide the development process:

  1. Improve the consistency and simplify the wording of each sub-control
  2. Implement “one ask” per sub-control
  3. Bring more focus on authentication, encryption, and application whitelisting
  4. Account for improvements in security technology and emerging security problems
  5. Better align with other frameworks (such as the NIST CSF)
  6. Support the development of related products (e.g. measurements/metrics,implementation guides)
  7. Identify types of CIS controls (basic, foundational, and organizational)