Cyber Security Management

Transcription

1 Cyber Security Management Focusing on managing your IT Security effectively. By Anthony Goodeill With the news cycles regularly announcing a recurrently theme of targets of hacker attacks and companies focusing their investments in IT security, consistent testing of servers, programs, websites and networks, it is time to act! Nevertheless this is not enough to protect businesses from groups of attackers and the resulting losses and fines for the breaches that were detected. Contrary to the common justification of we are too small for hackers to care about startups and small businesses are essentially perceived as laid-back targets by hackers. Immediately after you have registered your domain, setup hosting and , you are on the grid and at risk. In the Federal world, the Office of Management and Budget (OMB) was hacked, accessing sensitive federal information of both federal employees and contractors and putting at risk over 21.5 million security clearances. For small businesses that want to do business with the Federal government, getting a facility clearance and background clearances in 2015 has almost been non-existent! This is a burden for small business enterprises that are already at a disadvantage over their larger business competitors. The Federal government already takes forever to process paperwork. In fact a lot of small businesses go out of business waiting on the process to be completed. And at a time when the government is pushing to help small businesses get funding faster, however, the focus on the process has become analysis paralysis. I for one, have a small business focusing on IT services at POWERNET America, Inc., and I need a facility clearance and an update to my personal clearance, but since the government has not been open to follow Federal Information Security Modernization Act (FISMA)

2 and NIST standards regularly, has hurt my business because government contracts in Huntsville have dried up. Even when trying to create partnerships, become a subcontractor to a Prime, or just simply find a partial task order has been non-existent, because there are very few contracts being issued, or have been over 18 months since a Request for Proposal (RFP) was submitted without closure of a win. I have been without work, without a paycheck or even an opportunity with a contract since I created the company, and after talking with other company executives, I find they are in the same boat. So was it worth not having a good cyber security process in place for OMB, NO! Information security and privacy are constantly major focuses, but as we get closer to 2016 the malaise seems to be spinning like a vortex, with no sight of it slowing. In the last year, the world has seen high-profile cyberattacks on businesses and governments, making us focus our attention on topics surrounding data protection, encryption, privacy and surveillance like never before. So having your online information hijacked is a nightmare, and, should it happen to your business, it could cost you customers. Cybersecurity is a must for any business with a presence online. Whether you have a website, online accounts or any type of Web-based infrastructure, you are at risk for a cyberattack. Although the public typically only hears about cyberattacks against highprofile companies, banks and government websites like Target and Home Depot. Now small businesses make prime targets for cybercriminals, competitors and disgruntled parties. And due to their lack of resources, small businesses have the leastprotected websites, accounts and network systems, making cyberattacks a relatively easy job. When a security breach occurs, the company or business concerned not only loses valuable and/or sensitive data, but it also suffers damage to its brand or reputation that can take a lot of time and money to repair. So it is imperative that you have a secure, trustworthy hosting company to keep the bad guys out and your content up and running," says Wright. "It is also very important to keep your content management system updated in order to stay one step ahead of the hackers." Detection over prevention - Hackers have gotten very refined, and avoiding breaches entirely is impossible, so businesses need a two-element approach focusing on breach prevention and breach detection and remediation. So first implement a continuous monitoring and mitigation approach, and then identify all perilous resources and the potential attack surface. Then implement a detection and response solution and finally implement an ongoing process for security posture assessment and improvement. Penetration Testing - Penetration testing should be performed on a regular basis to ensure more consistent IT and network security management by revealing how newly discovered threats or emerging vulnerabilities may potentially be assailed by attackers. In addition to regularly scheduled analysis

3 and assessments required by regulatory mandates, tests should also be run whenever: o New network infrastructure or applications are added o Significant upgrades or modifications are applied to infrastructure or applications o New office locations are established o Security patches are applied o End user policies are modified A penetration test is a proactive and authorized attempt to evaluate the security of an IT infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application flaws, improper configurations, and even risky end-user behavior. Such assessments are also useful in validating the efficacy of defensive mechanisms, as well as end-users adherence to security policies. Penetration tests are typically performed using manual or automated technologies to systematically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure. Once vulnerabilities have been successfully exploited on a particular system, testers may attempt to use the compromised system to launch subsequent exploits at other internal resources, specifically by trying to incrementally achieve higher levels of security clearance and deeper access to electronic assets and information via privilege escalation. Information about any security vulnerabilities successfully exploited through penetration testing is typically aggregated and presented to IT and network systems managers to help those professionals make strategic conclusions and prioritize related remediation efforts. The fundamental purpose of penetration testing is to measure the feasibility of systems or end-user compromise and evaluate any related consequences such incidents may have on the involved resources or operations. Security literacy - Security starts from within a business. Instituting safety practices and ensuring all employees are aware of them is significant in your overall plan. Ensure you have an IT policy and education plan to educate your employees. It will go a long way toward better security posture, especially in this age where advanced threat actors increasingly resort to social engineering tactics in their threat campaign. Server Hardening - The server, operating system and applications that run your services are critical to securing. Hardening your server is the difference between running through a parchment wall or a brick wall. Anthony of POWERNET This is an area it is usually best to hire an experienced IT security consultant or employ a seasoned systems administrator, or utilize a managed hosting provider to take care of for you. Although your developers may be capable, that does not mean they know how to secure a server properly, just as you would not hire a

4 landscaper to do build your home even though both are handy. Server hardening is also not a one-time event, but is a continuous process of monitoring, patching and upgrading over time as new vulnerabilities are discovered. Anthony Goodeill, of POWERNET requires all of his hosting customer maintain a SiteLock on every server account. Going through a managed hosting partner like POWERNET makes it easier because they already have systems in place to automate this process as well as additional security layers including firewalls, IDS (Intrusion Detection Systems) and other more robust security solutions in place such as SiteLock which you can benefit from. Most of the time server can get you a better price on these monthly costs. Cyber Security: Social Engineering Today s cyber criminals don t need high-tech methods to hack into your computer systems. They take advantage of basic human behavior to get what they want. Social engineering is a non-technical intrusion that tricks unsuspecting employees into breaking normal security procedures and giving network access to attackers. Here are some of the focus areas POWERNET checks for, and so should you: Phishing - phishing is one of the most common social engineering methods. Users of critical data are tricked into revealing passwords or clicking on links that contain malware. As a part of POWERNET s social engineering services, we conduct controlled phishing assessments in order to measure employees IT security awareness. Pretexting - In pretexting, social engineers invent scenarios to engage targeted victims in such a way as to increase the possibility of obtaining sensitive data. To protect your organization from pretexting, POWERNET conducts controlled pretexting assessments to identify weak points in your employee defenses. Physical Social Engineering - Criminals often take advantage of vulnerabilities in an organization s physical environment in order to walk directly into an office to get what they want. Generally, the social engineer looks and acts as if they belong in the office in order to avoid suspicion. To ensure the security of your physical environment, POWERNET s experts conduct physical social engineering exercises in an attempt to circumvent your security measures and identify vulnerabilities. Cyber Security Risk Management Cyber security and information security management are like many other aspects of your business. If you think about aspects such as customer service, credit control and ordering goods, your organization has a system or process so that everyone in the business knows what they need to do, how to do it and when they need to do it. Cyber and information security are no different. Demonstrating that you have robust systems for data protection is becoming increasingly important for three reasons:

5 To reduce the risk of fines Protect your organization s reputation Winning new customers, especially when tendering for new business You need a set of systems and processes called a Cyber Security Management System (CSMS) sometimes known as an Information Security Management System (ISMS). POWERNET helps businesses with data protection and cyber compliance, protecting both your data, helping you with your Cyber Security Management and that of your clients. The 5 steps to your Cyber Security Management System 1. Appoint a person with overall responsibility 2. Identify the risks in your organization 3. Mitigate those risks with security solutions 4. Issue cyber security policies based on your risks 5. Train your staff on your risks and policies, and then test their awareness The POWERNET CSMS is a thorough and practical way of ensuring all risks are considered and mitigated. Aided by a series of work programs, checklists and structured working papers a fully documented audit trail is created showing the assessment of risk and the rationale for decisions made on risk mitigation. This fully documented audit trail is important evidence to show that your organization has done everything it can reasonably be expected to do to minimize the risk of data loss and if something does go wrong you can find out how and why it went wrong. Finally NIST has several tools and workshops to help companies better understand and respond to cybersecurity issues such as the Cybersecurity Framework within the Computer Security Division Computer Security Resource Center. They have a series of small business workshops to help owners and managers understand better risk management strategies. If you need assistance answering these questions in your business, POWERNET America would be happy to help. About the authors: K. Anthony Goodeill is the Founder and President/CEO of POWERNET America, Inc. in Huntsville, Alabama. POWERNET provides Fast Track IT consulting services to the Tennessee Valley and to government contracts.