Document Security — Does Your Security Policy Protect Digital and Physical Documentation?

Disclaimer: As there are books about document/data security, consider the following as an introduction. Discuss the points raised and estimate how your company would be rated if tested by an ethical hacker or penetration tester. Perhaps you might want to hire a penetration testing company to evaluate your digital and on-premise security?

Digital transformation is simplified as the aim to eliminate paper-based documents and go ‘fully digital’. As much as we would like to, it’s generally impossible to achieve a paperless office. Barriers include financial, accounting, legislative and compliance requirements that require retention of original paper documents for a specified number of years. Some industries (legal, for example) have yet to make all their processes digital and physical form-filling is common in many situations. Therefore, any worthwhile security policy must consider both physical paper-based documents and their digital counterparts.

How can companies ensure adequate protection of physical and digital files? What are the common attack vectors involved? Does your security policy consider remote and onsite attacks?

Risk Management

The first step in creating a security policy is to identify risk. Attack vectors include but are not limited to:

  1. Remote hacking – Industry best practices recommend a comprehensive cybersecurity strategy. Many companies use industry standards such as HIPAA as a guideline. Recent requirements in Europe in relation to data privacy (such as the GDPR) also force a strategy as part of compliance. The key message is that companies are responsible (and can be penalised) for failing to protect data adequately as most jurisdictions have corresponding data privacy regulations, especially for medical and financial data and any other personally identifiable information (PII).
  2. Internal threats – disgruntled employees are a viable attack vector. In addition, employees can unwittingly allow a hacker to breach your network after falling victim to phishing, ransomware or other remote attack based on social engineering techniques.
  3. A combination of the above – where the remote attacker has a willing accomplice onsite.
  4. Decommission, donation, recycling or theft of onsite equipment such as PCs, laptops, smartphones optical media, hard drives and memory cards can all introduce risk. This is true because even when wiped, forensic techniques can successfully recover data.
  5. Insecure storage areas – when filing cabinets and digital backups can be accessed by anyone.
  6. Sharing – consider the numerous ways we can share or capture data. Our smartphones can act as personal computers, take photos, share via chat program, upload to any number of free cloud storage providers, share on social networks and, of course, use the internal storage of the phone to store files for later review. Shadow IT, where users install their own unauthorised programs, could also allow dispersal of confidential data.
  7. Security Updates and Patches – Prompt updates prevent hackers from exploiting security vulnerabilities. Best not to ignore them.

Okay, so now you have an idea of the potential threats. It’s worth noting that hackers will take the easiest route to acquire data. In film and TV, sophisticated hackers acquire passwords and systematically break through all cybersecurity defenses, but the reality is very different. It’s much easier to hack the user or use ‘low-tech’ or ‘no-tech’ methods than breach firewalls and other security features.

Social Engineering

As reported in MeriTalk, citing ISACA’s survey STATE OF CYBERSECURITY 2019, PART 2,  cyber threats remain consistent but have increased in volume in 2019, with the top three most prevalent attacks coming from cybercriminals, hackers and non-malicious insiders. All three accounted for 70 per cent of all attacks reported by survey respondents. 44% said phishing was the most common attack, 31% said malware and 27% claimed social engineering was most prevalent.

However, since phishing is a form of social engineering, and malware creators often use social engineering techniques to fool the user, the truth is that social engineering of the human factor is the most lucrative option for any hacker. We are the weakest links in any security system.

How to Protect All Your Files

Firstly, be paranoid. Then, be very paranoid. Be aware that the size of your company does not matter. You may be in an industry attractive to hackers or be a client or supplier of a target company. In addition, it’s generally a numbers game, with cybercriminals, hackers and wannabe hackers all launching volume attacks using easily acquired tools and hacking packs. Being a hacker doesn’t necessarily mean you need skills. The “as-a-service” model also applies to the hacking community and on the Dark Web, you can acquire all you need to start hacking. Clearly, to protect your files and documents, a detailed security policy is necessary or perhaps, different security policies for each process. The SANS Institute offers a wide variety of free security policy templates that can be personalised for your company, which saves time in policy creation.

I’ll save you some more time… Assume that your company is a viable target and protect files and documents accordingly. The following is not an exhaustive list but will offer some suggestion to enhance your security posture and protect confidential data.

  • Identify potential risk and create the appropriate security policies.
  • Ensure OS and software updates are promptly installed. Likewise, security patches and firmware updates if appropriate.
  • Use antivirus, malware and spyware tools.
  • Use permission/user management to control data access. The aim is to prevent unauthorised data access.
  • Use device level monitoring to prevent the install of unauthorised software (shadow IT) and ensure all company-owned mobile devices have a remote wipe feature if lost or stolen.
  • Ensure security awareness training is an ongoing process, where users are informed of the latest attack methods. Basics include not clicking on links within emails from unknown parties.
  • When disposing of equipment, ensure data is destroyed by sending to a certified recycling company. Ensure data recovery is not possible by shredding or incinerating the device.
  • When disposing of paper-based documents, fine cross-cut shredding or incineration is best. Low-tech hackers are not above searching rubbish bins for clues.
  • Ensure non-employees cannot sneak onto your premises.
  • In public areas, be aware that shoulder-surfing (looking over your shoulder) is possible. It’s an easy way to gather info directly from your screen. Similarly, visual hacking is a threat, with smartphone cameras allowing easy capture of information.
  • Confidential documentation should be locked away, with on-premise security essential.
  • Consider the many ways files are shared online and aim to restrict as many as possible. Some companies operate using a whitelist of essential websites, blocking any that allow sharing of data.
  • Protect your hardware – Some companies use tamper evident labels to prevent low-tech hacking using memory sticks, cards and other solutions to directly acquire data from target systems.
  • Consider Wi-Fi access. Do you allow guest access or segregation from your network or even prevent it entirely?
  • In electronic manufacturing, all employees and visitors are scanned with a wand (just like in the airport) and must store all electronic devices in a provided locker before access is granted. Is this worth considering?
  • Social Media – Ensure employees are aware that social media info posted is often used in convincing spear phishing campaigns. Never post anything that will aid social engineering or disclose company workings, even something as innocuous as a planned vacation or lunch times can help a hacker.
  • Encryption and password management – both are highly recommended. It’s also important to remove data access promptly if an employee leaves the company.

By no means a complete list, but still difficult to implement securely. NOW consider how difficult it is to prevent against an insider threat, when that user already has access to your network…

In conclusion, cybersecurity is an ongoing process, but it is very important that paper-based documents are also considered. Ensure printouts and other files are disposed of correctly and not thrown out with the general rubbish. Security awareness is not limited to cybersecurity but must also consider real-world activities such as copied ID cards, premises security and storage and disposal of physical documents. Penetration testing is a worthy exercise that will highlight any insecure areas in your organisation. With the number of data breaches increasing each year, ethical hackers can identify problems and close off any vulnerabilities. How confident are you that all documents are secure?

Update Management —Prompt Installation Required to Maintain Network Security

In most companies, at least those who believe in managing security correctly, the rollout of all updates is controlled by the IT team. Only users with administrative access can install security patches, firmware and software updates or service packs. Basic users are also blocked from installing software on company assets. This is good practice and prevents shadow IT (where users can install unapproved and unsupported software). It does annoy users, as they must ask IT to add any applications they feel are necessary to add productivity to their roles. However, it does make sense and aids security, ultimately creating a list of approved software that satisfies all company activities.

Unfortunately, this activity is not enough as, regardless of hardware and software configurations, updates are necessary on at least a weekly basis, whether related to the OS, applications or installed hardware. Some experts recommend prompt installation while others advise performing some research before installation, to make sure the update does not have a negative impact on operations. I advise a combination–it’s better to verify on an offline machine before rolling out the update to all.

What is the ideal way to ensure reliable yet prompt update installation? In a traditional office environment, is it practical to supervise individual installs? Can we rely on all updates or will they cause additional problems?

Unfortunately, there is no single solution, given the plethora of hardware and software configurations available. It’s impossible for manufacturers to test on all possible system configurations not to mention on connected peripherals and other software. Therefore, as security vulnerabilities and other issues are identified by end-users and real-world usage, patches and updates are released. Managing all these updates on a company network is a task that requires prompt action but in a way that ensures business continuity, given that some updates cause problems.

How Important is Update Management?

Ignoring updates is not a good idea as hackers exploit known vulnerabilities, secure in the knowledge that companies are often slow to implement security updates. It’s not enough to focus on OS patches as commonly used applications such as MS Office, Acrobat and many more are all attractive targets, exploited to launch cyber-attacks, ransomware, or simply to harvest data. Therefore, a process is needed to stay on top of all updates.

Are you Prepared for Updates?

A company’s activities are often defined by processes, procedures and compliance requirements. Documentation is key to ensuring a defined strategy for all aspects of the business. Most will have a security policy, cybersecurity strategy, disaster recovery policy and other documents to ensure a defined process is maintained and improved where necessary. Update or patch management is no different. Define your process and follow it. If you haven’t decided how to officially handle updates in your organisation, it’s worth starting. Let’s make a few assumptions first:

  • Most companies will have similar (if not identical) desktops and notebooks. In most cases, they will at least be from the same manufacturer if not the same model. It makes sense to do so as discounts are available for volume orders. A mix and match approach to desktops is rarely observed.
  • All will have the same OS.
  • A complete audit of the network has provided an inventory of all hardware and software on the business network.
  • Installations and updates are managed by the IT team, with users unable to perform admin functions on their machines.
  • System restore or other rollback function is installed on every machine in case a patch or update requires removal.

If all the above are not true, it complicates matters for the IT team. In my opinion, driver updates for hardware and application updates rarely cause problems and can easily be rolled back on a machine if problems occur. OS patches are another matter and need more careful rollout, given that they will apply to all machines. If flawed, a patch can grind operations to a halt. It’s for this reason, I’d recommend a dedicated machine for testing updates before rolling out updates to the entire network.

Define a Process

Therefore, a potential process could include a review beforehand. Ask some questions. These could include but are not limited to the following:

  1. Is the update plugging a security vulnerability or just a performance/feature update? Security updates receive priority.
  2. Have any problems been identified by those who have already installed the update? Google is your friend in this case.
  3. Who is affected by the update? If everyone, test on standalone machine before rollout.
  4. Is a network rollout possible or is it necessary to update each individual machine? Most sysadmins perform updates after hours to mimimise downtime.

Of course, there are other issues, especially for software companies or those who use software with a browser-based GUI. Such issues should be identified during online research.

In conclusion, it’s best to act on new updates as soon as possible. Automatic installs are possible but carry some risks. It may be best to avoid automated installs in some cases and follow a manual process based on prior experience with your company systems (most admins will identify a pattern of problematic updates). Regardless of the method used to process updates, ignoring them is not an option, especially when you consider that doing so could allow a data breach or result in network downtime. Can you take that risk?

5 reasons why schools should add texting to safety plans

Today’s college officials face challenges that that previous generations of education professionals never had to deal with, starting with the Internet.

Though advances in digital technology have generally been a good thing as far as program delivery and creating more interactive multimedia classroom experiences, they have also created more potential for harm, or at least new distractions for instructors and students.

At the same time, interest in school security has also risen, partly due to increases in violence at secondary schools and colleges. Though shootings get headlines and cause high levels of fear, other crimes can take place too, including assaults with other weapons.

Because of a push to keep students safer, educators and security staff continue to search for new methods to alert students during a crisis – it doesn’t have to be violence, but any occasion when information needs to be delivered in a hurry. Perhaps it could be a natural disaster or even a serious traffic accident or weather situation that could impact traffic in and out of campus.

One solution that has gained popularity is texting, when school officials can send instructions to students and faculty in the event of a safety situation.

Here’s why it should be added to a college’s security plan.

  • Students are more likely to see a text first.

Emergency warnings in the past have included mass emails or automated phone calls. But these may not be able to be seen as quickly as a text – sometimes emails or voice messages aren’t checked for hours or days while a text can be seen in minutes. Since more students are using mobile devices, especially for texting, it’s likely that they will hear and see an immediate message, or at least someone near them will.

  • It’s a faster delivery method.

Depending on your particular texting service, thousands of one-to-many texts can be sent a matter of minutes. In comparison, thousands of mass emails must be sent in small bursts over hours to avoid spam detectors. Texts are also universal – the same message can be seen on everyone’s phone.

  • Brief is better.

In emergency situations, school officials may just send out short details and quick instructions, with the expectation that more info will be shared later. “Active shooter on campus, seek shelter.” “Tornado coming, stay indoors, will text all-clear later.”

  • No reply needed.

Sending one-to-one texts can create opportunities for a conversation, but one-to-many texts aren’t intended for interaction, only instructions. Officials sending texts may not have time or interest to answer the same question multiple times, so it’s easier just to send an identical message out to everyone.

  • Different databases can be managed easily.

A college may have multiple ‘text’ lists, such as students on different campuses, or even local media. Plus it may have an ‘everyone’ list.  Most texting programs make it easy to specify which database when creating a message. This can make sure the correct students and staff receive the message.

Secondary schools like middle schools and elementary schools will likely require different texting policies than colleges. Younger students may not even own mobile phones, or if they do have them, they may not be permitted in the classroom.

In this case, school alerts should be sent to faculty/staff and perhaps a separate database for parents. These also can give quick, direct information with the promise of more details to come. “School in lockdown. Keep students calm and in classrooms.” “Fire in gym, please evacuate to field.”

Leaders also should keep in mind that every school’s texting plan should be customized based on local resources and the local community.

Overall, it’s critical that a school gets the word out as much as possible prior to launching a texting service to make sure many as many people sign up. Schools also should consider sending out several types of warnings, not just texts, in case a student may not have their phone on or even with them on any given day.

5 Security Experts on Why IT Leaders Need to Start Automating

Automation has been cited as the next big thing for IT leaders looking to secure their communications in all types of cloud environments—but leadership knows the challenges they face in doing so.

Answering to a Network World survey, 47% of respondents claim that it is difficult to monitor network behavior from end-to-end, and 41% say these security operations have difficulties that arise from cloud computing.

The main problem with not automating security operations is scalability and the difficulty in setting up these systems. But it’s necessary—it’s impossible to keep up with the increasing pace, limited cybersecurity, and network operations personnel, all while managing network security operations on a box-by-box, or CLI-by-CLI basis.

But don’t take our word for it. These five security experts have driven deep into the world of network security, and have their own reasons for passing along advice to IT leaders to start automating security processes today.

Security Experts and their Reasons for Encouraging IT Leaders to Automate

According to the Enterprise Security Group (ESG) 63% of networking and cybersecurity professionals working at enterprise organizations (more than 1,000 employees) believe network security operations is more difficult today than it was two years ago.

The bottom line – the main roadblock standing in the way of IT leaders and automated security process is difficulty. Here’s why you should take the plunge despite the challenges.

Jon Oltsik, ESG Senior Principal Analyst and Founder of the Firm’s Cybersecurity Service

Oltsik knows the scalability problems that security leadership faces, even though leadership knows the risk they’re taking without it. He cites a survey of 150 IT professionals, where 31% of respondents say automation is “critical” to address future IT initiatives, while 58% claim it is “very important” to address future IT initiatives.

Because of the recognition of its importance, the technology industry is listening – Companies like Cisco, Fortinet, Check Point, and more have all introduced solutions that will assist security network operations teams in automation and visibility of their networks. His advice to leadership is to adopt these technologies:

“Since relying on people and manual processes can’t scale or keep organizations secure, CISOs and network operations managers should assess where they are in the network security operations automation transition as soon as possible, making sure to look into their people, processes and technologies.

Once shortcomings and bottlenecks are discovered, large organizations should develop a plan to address these areas and institute network security operations automation projects, phasing in capabilities over the next few years.” Jon Oltsik

Stephanie Tayengco, SVP of Operations, Logicworks

Tayengco is a proponent for automation, but automation the right way in the face of risk. Her bottom line—you need to get rid of as much manual work as possible to stay secure.

According her, it’s important to automate infrastructure buildout first, continually check instances across the environment, fully automate deployments, include automated security monitoring in those deployments, and finally, prepare for the future of automation.

“Ninety-five percent of all security incidents involve human error, according to IBM’s 2014 Cyber Security Intelligence Index.

This year alone, enterprises will spend $8 billion on cyber security, but these initiatives are often useless in preventing an engineer from misconfiguring a firewall or forgetting to patch a security vulnerability on a new server. Manual work is risk, and manual security work is a disaster waiting to happen.” – Stephanie Tayengco

Gabby Nizri, CEO, Ayehu

Nizri is worried about the rising number of security breaches. According to the ISACA 2015 Global Cybersecurity Status Report, 781 publicized cyber security breaches resulted in 169 million personal records being exposed.

Well-known companies like BlueCross, Harvard and Target were involved, making it clear that even the most sophisticated and well-funded security departments aren’t safe. Even so, only 38% of organizations across the globe can confidently say they are prepared to handle a sophisticated cyber-attack. Because of this, Nizri urges you to automate.

“Simply put, IT personnel are no match for such intensive, sustained attacks. Not only are humans incapable of keeping up with the sheer volume of incoming threats, but their ability to make quick and highly-impactful decisions to manually address such an attack is equally inefficient.

This is why automation is becoming such a powerful and effective component of cyber security incident response. To combat the onslaught of incoming threats, organizations must employ an army of equivalent strength and sophistication.” – Gabby Nizri

Danelle Au, VP of Strategy and Marketing at SafeBreach

Automation isn’t all about just avoiding mistakes. Au cites instances where automation makes an IT department more agile, and improves processes such as application delivery.

For the private cloud environment, applications and desktops are being virtualized at an faster than ever before. According to Au, As the number of virtual machines (VMs) increases, automation and orchestration is no longer a “nice to have.”

“The ability to translate complex business and organization goals into a set of automated data center workflows is critical to not slowing down the application delivery process. It is also an essential part of making compliance and security requirements a lot easier to manage in a very dynamic environment.

To fully realize the promise of private clouds or software defined data centers (as VMware defines it), the traditional IT infrastructure — in particular network security — needs to transform into agile and adaptive end-to-end automated processes.” – Danielle Au

Brian Dye, VP of Intel Security Group

A recent ESG study noted that 46% of organizations said they have a “problematic shortage” of cybersecurity skills—up from 28% just a year ago. That means the development of these skills in IT personnel isn’t improving at a rate needed to keep up with threats.

One-third of those respondents said their biggest gap was with cloud security specialists. According to Dye, this is the reason security automation is important, as well for working with SDN technologies and responding to breaches.

“As organizations explore software defined networking (SDN), they see a need for more automation skills, as security policy must co-exist with the orchestration to fully exploit an SDN environment. These skills become especially important as virtualization expands beyond servers and into networks and storage.” – Brian Dye

Network security automation is important for many reasons – the risks associated with manual processes, adaptation to new technologies, the agility of the cloud, and the race to keep up the skills needed in personnel to use new emerging technologies.

Creating the proper mix of skillsets, automation and processes will provide IT leaders with the security confidence they need moving forward.

SMSEagle is Hardware SMS gateway to send and receive SMS text messages. To find out how we can help support your network security program, check out our online store.

3 Secret Habits of Really Effective Network Security Programs

Effective network security programs require more than just one layer of protection if one solution fails, you still have others guarding your company and its data from all types of network attacks.

There are best practices that set the highly effective network security programs apart from the rest.

A recent survey conducted by ReRez Research, and commissioned by Infoblox, shows that when IT departments are segmented by security success factors, there are certain best practices that rise to the top.

The study was comprised of 200 large organizations, and shows how certain habits differed between organizations with top-tier network security programs and everyone else.

These alterations in behavior matter, as breaches in security can cost organizations large fees in both recovery and damages.

Analysts estimate the cost of a typical unplanned network outage now tops $740,000. Protecting the network – from problems like breaches, outages and poor performance – is crucial for organizations. – Infoblox 2016 Network Protection Survey

Education is the first place you should start. Your network security awareness program is probably following a one-year plan, which isn’t the best practice. Programs that follow 90-day plans are more effective, and focus on three topics simultaneously throughout those 90 days.

After your awareness program is in place, start thinking about your network security structure in a different way.

Below are the three secrets of the most highly effective network security programs.

1. Make Sure there is Cooperation Between the Network, Security and Application Teams

Siloing the various teams in your department can stifle your security activities, and keep you from reaching your goals. Network operations staff, the security staff and the application teams should all be communicating fluidly, with 100% of top-tier organizations in the survey citing this as a best practice.

High performing organizations are 9x more likely than others to be using integrated visibility tools already, and they’re 4x as likely to be using integrated security tools in conjunction.

Communication becomes paramount when it comes to reporting. One key factor in running a successful network security program is being able to prove that success. The only way to do so is to collect metrics that reflect this success across the organization.

2. Utilize DNS/DHCP Data to it’s Full Potential

This is a slowly growing but serious differentiator between effective and mediocre security departments. According to the survey, close to half of top-tier organizations use DNS/DHCP data to discover other new devices, compared to zero other contenders.

Not only are they tracking and utilizing the data, but they’re 3x as likely to use DNS logs for security purposes.

3. Commit to the Continual Use of Intelligence

The most successful organizations have a mechanism in place that forces them to commit to security intelligence. They’re 6x as likely to have deployed an SIEM, and 4x as likely to invest in machine-readable threat intelligence.

In addition to intelligence commitment, they’re 6x as likely to use automated tools that alert them to new devices appearing on the network.

Keep in mind some of these changes when building your network security program certain best practices could not only set you apart from the rest, but save your organization it’s reputation, and hundreds of thousands in damages.

SMSEagle is Hardware SMS gateway to send and receive SMS text messages. To find out how we can help support your network security program, check out our online store.