Protecting Your Cyberlife

By Preston Smith

How significant are foreign hacks and cyber threats to the average person?

Does the thought of foreign hackers enter our daily lives?

Does anyone stop and think, “Wow, right now there are possibly thousands of entities trying to break into my cyberlife”?

Don’t make the mistake of thinking it’s just the work side of your cyberlife that they’re trying to gain access to. There may be more information from an organization, but if they can get even a little bit of your personal information, they’re going to try and get it!
Most of the time it isn’t even people who are probing for ways to get at information. Often, it’s just a bot trying any IP address that it can reach. If a bot hits an IP address and gets a login prompt in response, that result is forwarded to the next bot, which attempts to guess login credentials. That bot then keeps trying, staying under whatever limit on login attempts “might” be in place (if the owner or admin bothered to set that option) so as not to lock out the account, until it gains access.

A bot doesn’t care about how quickly it can access an account; it can be very patient, especially since few people, if any, check access to their accounts or, heaven forbid, regularly change passwords! Of course, once a bot successfully logs in, it probably notifies the organization (or the country) that started the bot so that the attacker can infiltrate and place either stealth viruses or another bot that collects information on the compromised systems.
The really challenging bots are some that have learned to hide on our systems. They collect everything about us that we put into a computer that we think is safe. Again, this is something that can happen on your home computer as well as on your work computer.
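
An added example (not from the original article): a Python check that counts failed logins per source address over a long window, which surfaces the patient guessing described above even though it never trips a short-window lockout. The log format, thresholds, and addresses are assumptions, and the sample data is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO time> <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def build_sample_log():
    """Constructed sample data, not real logs."""
    start = datetime(2017, 3, 1, 0, 0, 0)
    lines = []
    # Patient bot: one wrong guess every 20 minutes for three days, then a hit.
    for i in range(216):
        ts = start + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} FAIL user=admin src=203.0.113.7")
    hit = start + timedelta(minutes=20 * 216)
    lines.append(f"{hit.isoformat()} OK user=admin src=203.0.113.7")
    # Ordinary user: two typos, then a successful login.
    for sec, result in ((0, "FAIL"), (20, "FAIL"), (45, "OK")):
        ts = start + timedelta(hours=9, seconds=sec)
        lines.append(f"{ts.isoformat()} {result} user=pat src=198.51.100.20")
    return lines


def peak_in_window(times, window):
    """Largest number of events inside any sliding window of the given length."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def analyze(lines, lockout_limit=5, lockout_window=timedelta(minutes=15),
            long_window=timedelta(days=7), long_threshold=20):
    """Per source: did it trip the lockout, and is it guessing low and slow?"""
    fails, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.fromisoformat(m.group(1))
        (successes if m.group(2) == "OK" else fails)[m.group(4)].append(ts)

    report = {}
    for src in sorted(set(fails) | set(successes)):
        f = sorted(fails[src])
        peak_short = peak_in_window(f, lockout_window)
        would_lock_out = peak_short >= lockout_limit
        # Never enough failures at once to lock out, yet many over the long window.
        low_and_slow = (not would_lock_out
                        and peak_in_window(f, long_window) >= long_threshold)
        # A success that follows the guessing is the case to investigate first.
        hit = low_and_slow and any(s > f[long_threshold - 1]
                                   for s in successes[src])
        report[src] = {
            "failures": len(f),
            "peak_short": peak_short,
            "would_lock_out": would_lock_out,
            "low_and_slow": low_and_slow,
            "login_after_guessing": hit,
        }
    return report


if __name__ == "__main__":
    for src, row in analyze(build_sample_log()).items():
        print(src, row)
```
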

I don’t want to make us all psychotic about using our cyber devices. But I do want us to realize that international and foreign hackers are not just on the government’s doorstep! They’re at your door if you have any device with an IP address! Instead of freaking out about it and shutting everything off, let’s apply logic and strategy and make security a habit, not a chore. Use password managers so they can help us track how often to change passwords and to not use duplicate passwords anywhere.

Update software and firmware on everything. Don’t delay installing the latest updates as they usually include important security patches! Also, since firmware doesn’t seem to let us know when there’s a new version available, put together a calendar reminder to check your firmware on a regular basis!

Always have at least one (or even more) of the well-known antivirus applications running on any device on which it can be installed! Check that its settings are at a secure level. Don’t ever accept the default settings from a program or an application. Read the options carefully, find what you would be comfortable with, and then set it one level higher (more restrictive) than you want.

Remember, it’s too easy to forget how much the bad guys want to get into your cyberlife! Think about things like “Does this device connect to the Internet?” “Does it have a login?” And here is the difficult question that really requires thought, “If someone gained access to this device, what information could they get or how much access would they have to my cyberlife?”

We must realize that our comfortable and exciting cyberlife is not the safest of environments. All it takes to feel more comfortable with our cyber choices is to be sure that we take complete control and know our risks and our protections.

Turn GDPR Compliance into Lemonade

By Lacy Gruen, RES

“When life gives you lemons, make lemonade,” goes the popular saying, which inspires us to tackle life’s challenges in a positive way to help us grow and learn from hardships. For organizations struggling to meet the upcoming GDPR compliance deadline in May 2018, it may be difficult to view the massive data privacy compliance project as a positive, an investment that can change the way an organization stores and handles user data for the better.

But how can an organization successfully turn GDPR “lemons” into lemonade? By using this time to solidify its overall compliance strategy, an organization can get a return on its GDPR compliance investment. Below is a quick summary of the payoff an organization can potentially see from implementing a comprehensive GDPR strategy:

  • Better data- and analytics-driven decision-making — visibility around data and access to data can help with both GDPR compliance and other IT or business initiatives.
  • Long-term customer/brand loyalty — customers want to know that the company they are buying from cares about protecting its users’ data.
  • Greater organizational agility — having automation around data access in place allows an organization to be nimble to respond to business changes and needs.
  • Reduced cybersecurity risk — security controls that are put in place for GDPR compliance can potentially help an organization protect against IT security threats such as ransomware.
  • Higher-value allocation of IT staff — some automation tools are flexible enough to not only automate the enforcement of data policies but automate many other IT tasks along the way.
  • Reduced overall compliance and audit costs — organizations most likely have multiple regulations to comply with, so streamlining auditing will help with more than just GDPR compliance.
  • Avoidance of GDPR-related fines — GDPR has set up hefty penalties for those who are not in compliance with the regulation, and any smart organization should plan to avoid the maximum non-compliance fine of 4% of the firm’s annual turnover.

Studies show that organizations are allocating significant budgets for GDPR compliance. But what are the key areas that organizations should invest in to ensure that GDPR compliance pays off in the long run?

Key investment #1: Good data governance

Disciplined and diligent data governance is a must for any GDPR compliance effort. An organization cannot effectively manage and protect customer data if it does not know where it is located. For GDPR compliance, businesses must make an active effort to locate all user data, to know exactly what it consists of, and where the data originated. They also need to define and enforce policies regarding how data is viewed, used, copied and accessed.

Key investment #2: Context-based mobile workspace controls

In the age of the digital workspace, employees take their digital identities everywhere with them, expecting to get their work done effectively regardless of the time of day or physical location. In fact, the majority of employers expect that employees work on-the-go from their smartphones, tablets, laptops, and home desktops. This is an issue for organizations that continue to depend on static, perimeter-based technologies to control access to sensitive data resources.

The only way to ensure that customer data doesn’t travel anywhere it shouldn’t—and that all use of customer data is legitimate and traceable—is to manage data access in context. Context and associated policies determine what is and isn’t allowed. It also provides the usage data essential for GDPR audit reporting.

Key investment #3: Streamline privilege administration with automation and delegation

Many employees have more access to company data than they need, posing a serious risk to GDPR compliance—as well as to general cybersecurity. The solution to the problem of creeping privilege is to streamline the administration of access rights. Automation also enables IT to put a “freshness date” on privileges so they don’t last indefinitely. Organizations can also fight privilege creep by using delegation tools that empower LOB managers, HR admins, and other non-IT stakeholders to perform access administration as appropriate. This adaptive, business-aligned approach to access control can significantly reduce total organizational privileging without impairing anyone’s ability to be productive.

Key investment #4: Anti-ransomware whitelisting

Ransomware attacks now impact about half of all businesses, and ransomware techniques continue to become more sophisticated. These attacks often take the form of social engineering techniques that circumvent cybersecurity perimeter defenses by tricking human users into clicking a malicious link or opening a malicious attachment.

Effective ransomware defense requires multiple counter-measures, including frequent data backups and aggressive user education. However, any organization seeking to fend off ransomware and similar cyberattacks must also implement some form of workspace whitelisting. Effective whitelisting is thus closely related to automated privilege administration (key investment #3)—with the added dimension of disallowing access to non-whitelisted resources.

Key investment #5: Push-button offboarding

Another related and essential capability for GDPR compliance is push-button offboarding. As noted above, employees can accumulate many privileges over time. So when they leave an organization, those privileges must be revoked immediately.

Revocation of a user’s privileges can tend to be slow, leaving organizations vulnerable to data leakage. This is a huge GDPR and data security no-no. Every organization needs an offboarding mechanism that triggers complete revocation of all privileges across all systems—on-premise and in the cloud—without exception immediately upon a termination or transfer event in the company’s HR system.

Regulations change and new legislation continues to pop up, but if an organization takes the right data protection measures now, it will have the right tools in place to make its life much easier in the future. Businesses that properly view GDPR compliance as one part of a broader effort to better govern data in the digital enterprise—traversing compliance, security, and automation—will significantly out-perform their more complacent competitors. And that performance will have a tangible, positive impact on the bottom line.

Bio: Lacy Gruen is a Director at global digital workspace provider RES, where she works to develop go-to-market strategy and help customers find solutions that will solve the real IT challenges of today and the future.

SecurityNOW’s Cybersecurity Tips of the Week – March 31, 2017

Passwords, they used to say, are like toothbrushes: don’t share them and change them often. Indeed, that rule is still true, but security is more than just changing your passwords often and keeping them to yourself. Passwords, unfortunately, are our first line of defense in protecting our online accounts, our identities, and our transactions. Passwords should be as long and as complex as possible, which is why you should use a password manager such as LastPass. LastPass will generate a random, long, and complex password that you don’t have to remember because it remembers them for you. There are only two things you have to remember when you use LastPass: log off of LastPass before you leave your computer, and the LastPass master password.

And since passwords aren’t your only defense in this cyber-connected and unsafe world, I’m providing a list of tips to help keep you safe and secure during your online excursions. Read and heed.

  1. Use the screen lock feature of your phones, tablets, and computers.
  2. Use a random non-guessable passcode for unlocking screens.
  3. Use a password manager.
  4. Use different passwords for each online account (saved in your password manager).
  5. Install all hardware and software updates as they’re presented.
  6. Only install apps from the app store and only those that have many good reviews.
  7. Turn off tracking from your apps.
  8. Use a VPN or your cellular network in public places.
  9. Keep phone conversations private.
  10. Perform online banking in private.
  11. Use two-factor authentication on social media and financial sites.
  12. Cover your device when entering passwords.

I know these are tips that you read and hear all the time, but you need to remember them at all times. There is no trusted public environment, and a secured WiFi connection is no guarantee of security. Anyone can set up a WiFi connection and supply a common password to it.

If you ever have questions about cybersecurity, use our contact page to ask your questions. We will reply.

Check Point releases 2017 Cyber Security Survey results

I’m a big fan of surveys. I’m a fan because numbers are easy to digest. I like to see, at a glance, the results of opinion surveys to see how well they correspond with my own opinions. Rarely do I differ from the norm in security surveys. This one is no exception. I think we all feel overwhelmed and surprised that everyone else feels overwhelmed and surprised by malware, mobile threats, APTs, data loss, insider threats, and other security breaches and thefts.

Check Point surveyed more than 1,900 IT Security personnel. Check Point, for those of you who don’t know, is one of the first security companies to offer an intelligent firewall solution. In fact, for the past 25 years, Check Point has been the “Go To” firewall solution for companies across the world.

Check Point released its 2017 Cyber Security Survey. Here are a few data points highlighted in the survey:

A poll of 1900+ IT Security experts reveals…

  • Slightly more than one-third (35%) either feel Extremely Confident or Very Confident with their organization’s security posture. More interestingly that means nearly 65% are not confident; these organizations continue to remain vulnerable to security breaches.
  • 81% feel their organization currently has security concerns as it relates to adopting public cloud computing.
  • 64% said Data Leakage and Data Loss were their primary mobile security concern related to BYOD (Bring Your Own Device).
  • 68% said Malware Protection is their key capability required for an effective Mobile Threat Management solution.

Of all the recent security surprises, I’m not surprised that almost two-thirds of the survey’s respondents are not confident with their organization’s security posture. I think that mobile threats are actually less of a problem than people think. The problem with mobile devices is not necessarily malware or hacking, but the problem of data exfiltration. Mobile Content Management prevents data exfiltration and file-level auditing is a good deterrent as well.

The full survey can be accessed through Check Point’s blog: Check Point’s 2017 Cyber Security Survey Shows Key Concerns and Opportunities among IT Professionals.

Staying Secure in 2017: A Step-by-Step Guide to Guarding Your Organization

The actionable steps to staying safe in the age of cybercrime

By Bob Janssen, CTO, founder and SVP of Innovation, RES

As Forbes’ Technology Council recently proclaimed, 2017 will be the year of cybersecurity concern. While there are a great many individuals and organizations doing tremendous work to combat the concern, cybersecurity can sometimes seem like a distant problem as opposed to an everyday issue. Instead of speaking about cybersecurity in grandiose terms, it is imperative to get down to business and face the ‘real world’ risks, and the practical steps that IT and security teams can take to prevent their organizations from becoming an embarrassing security breach headline. It is impossible for organizations to devote 100% of their time to state-of-the-art cybersecurity excellence, especially considering the dearth of cybersecurity talent that many firms deal with.

Cybersecurity professionals and IT departments are given the tough task of keeping spending down, empowering employees to be as productive as possible, and, not least, responding quickly to ever-changing security threats like the growth of IoT and bots. Considering these pressures, it’s essential to prioritize decisions and actions that affect security imperatives sooner rather than later.

There is one great thing organizations can do to accomplish this: develop a dynamic whitelisting strategy for access management. Whitelisting provides more than a list of trusted websites, apps or users. Whitelisting can also facilitate the enforcement of security access controls based on individual identities and contextual attributes such as time of day or location. When you use whitelisting properly, it can help secure your data and protect your organization from threats. Below is a guide that security professionals can follow to protect their organizations without slowing down regular business operations.

Step 1: Reexamine and step up whitelisting policies

Ask: “Do we have a central repository of well-defined whitelisting policies?”

Dynamic whitelisting is a core best practice for enterprise security and one of the best ways to enforce access policies.  It entails restricting user access and code execution by default to only that which is specifically permitted and known to be safe. Whitelisting should also take into consideration both identity and context attributes such as time of day, location or device. This model is essential for protecting your organization from all kinds of threats — including malicious hosts, hijacked user IDs, insider threats, and the like.

A primary security requirement for an organization is therefore a unified repository of clearly defined whitelisting policies. These policies can be owned and controlled by different individuals with appropriate authority across an organization, but a single, reliable, and up-to-date place for maintaining whitelisting policies is essential across all resources, parameters, and user groups.

Step 2: Don’t depend on “script heroes”  

Ask: “Does our implementation and enforcement of our access policies still depend on manual configuration and/or homegrown scripts?”

Policies alone do not make a secure enterprise. An organization also needs a way to implement and enforce those policies in an automated way. Chances are, however, that an organization still depends on a wide range of disparate mechanisms to give users whitelist-appropriate access to digital resources. These likely include application- and database-specific admin tools and homegrown provisioning scripts.

There are many problems inherent in depending on these fragmented access provisioning mechanisms. From a security perspective, they are simply too unreliable because they are subject to human error and they’re not intrinsically linked to the underlying policies they have been created to enforce. If an organization still depends on “script heroes” to ensure the right people get access to the right resources at the right time, it is exposing itself to unnecessary risk. Instead, maintaining a unified, manageable, and automated mechanism for executing an organization’s access policies can offset these concerns.

Step 3: When employees leave – make sure your data doesn’t leave with them

Ask: “When someone leaves our company, are all of their digital privileges immediately, automatically, and entirely revoked?”

One of the single most important policy imperatives is the complete revocation of an employee’s digital privileges immediately upon termination. Most organizations don’t have a simple, automated, and reliable means of immediately eliminating an individual’s access privileges across every application, database, SharePoint instance, communications service, etc. Some of those privileges can remain in place days, weeks, or even months after an employee is terminated — leaving the organization exposed to risks that its breach detection and prevention tools can’t stop.

This is why in addition to having a unified system for managing access privileges across the enterprise, an organization also needs to appropriately integrate that system with whatever other systems can generate a valid termination event — including an organization’s core identity management systems, HR applications, and contractor databases. Only such integration can give an organization full confidence in the timely and complete revocation of digital privileges.

Step 4: Put access controls in place

Ask: “Can we reliably prevent users from accessing the wrong files from the wrong places at the wrong times?”

Most organizations can only apply a limited and relatively crude set of parameters to their access controls. In the real world, an organization’s access policy parameters and controls must be much richer and more context-aware. Common examples of this include:

  • Geo-fencing. It often makes sense to constrain a user’s access privileges based on location. A doctor, for example, may be allowed wireless access to certain clinical systems data while on premise at a healthcare facility, but not while off-site.
  • Wi-Fi security. There may be times when an organization wants to make its data access rules (including read/write vs. read-only privileges) contingent upon whether a user’s Wi-Fi connection is public/non-secure or private/secure.
  • File hashing. File hashes provide an exceptionally reliable means of ensuring that users only download, open, and work with legitimate content — thereby protecting an organization from a wide range of threats, including ransomware and spearphishing attacks.

To implement these kinds of rich security controls, an organization needs an access management system that can automatically respond in real time to session context and execute hash-based identification. Without those controls, defense against various types of identity and content spoofing will be severely limited.
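
An added example (not from the original article and not RES product code): a default-deny access check in Python that combines the identity and context attributes discussed in Steps 1 and 4, namely role, geo-fence, Wi-Fi trust, time of day, and a SHA-256 file allowlist, and records every decision. The policy layout, names, and sample values are hypothetical.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    on_premises: bool   # result of a geo-fence check performed elsewhere
    wifi_trusted: bool  # private/secure (True) vs. public/non-secure (False)
    hour: int           # local hour of day, 0-23


# Hypothetical central policy repository: resource -> rule.
# Anything not listed here is denied by default.
POLICIES = {
    "clinical-records": {
        "roles": {"doctor"},
        "require_on_premises": True,
        "hours": range(0, 24),
        "untrusted_wifi": "deny",
    },
    "shared-docs": {
        "roles": {"doctor", "staff"},
        "require_on_premises": False,
        "hours": range(7, 20),
        "untrusted_wifi": "read-only",
    },
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample content standing in for a vetted file.
APPROVED_FILE = b"Quarterly report v3 (constructed sample content)\n"
ALLOWED_HASHES = {sha256_hex(APPROVED_FILE)}


def decide(ctx, resource, policies=POLICIES):
    """Return (access, reason); access is 'deny', 'read-only' or 'read-write'."""
    rule = policies.get(resource)
    if rule is None:
        return "deny", "resource not whitelisted"
    if ctx.role not in rule["roles"]:
        return "deny", "role not permitted"
    if rule["require_on_premises"] and not ctx.on_premises:
        return "deny", "outside geo-fence"
    if ctx.hour not in rule["hours"]:
        return "deny", "outside permitted hours"
    if not ctx.wifi_trusted:
        if rule["untrusted_wifi"] == "read-only":
            return "read-only", "untrusted Wi-Fi: downgraded"
        return "deny", "untrusted Wi-Fi"
    return "read-write", "all conditions met"


def open_file(ctx, resource, data, audit):
    """Apply the context policy, then the hash allowlist; log the outcome."""
    access, reason = decide(ctx, resource)
    if access != "deny" and sha256_hex(data) not in ALLOWED_HASHES:
        access, reason = "deny", "file hash not on allowlist"
    audit.append((ctx.user, resource, access, reason))
    return access


if __name__ == "__main__":
    trail = []
    doc = Context("dr_lee", "doctor", on_premises=True, wifi_trusted=True, hour=10)
    print(open_file(doc, "clinical-records", APPROVED_FILE, trail))
    print(trail)
```

A hash allowlist identifies exact bytes, so every legitimate update to a file needs a new allowlist entry before users can open it.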

Step 5: Make sure your security process is adaptable  

Ask: “Do we have a consistent process for adding new applications (including cloud/SaaS) to our whitelist as demanded by the business — and applying the appropriate policies to them?”

An organization’s business isn’t static. In fact, most companies are adding new cloud/SaaS services at a faster pace than ever. Many of these new services are being activated directly by lines of business, without much involvement from IT. At one time, this was referred to as “shadow IT.” But it’s not just a shadow anymore. It’s central to how organizations leverage software and analytic innovation in the cloud.

If an organization can’t quickly secure these new applications and services, several unacceptable outcomes can result. People may be unable to use new resources in a timely manner because they’re blocked by an organization’s whitelisting system. Or new resources may get whitelisted too hastily — without being properly secured by policies such as geo-fencing and Wi-Fi restrictions. Worse yet, people may just come up with workarounds to avoid an organization’s security mechanisms altogether. None of these outcomes are acceptable.

To avoid these outcomes, an organization needs a fast, reliable, and consistent process for adding new cloud resources (as well as new conventionally developed applications) to its whitelisting repository/automation engine. Without such a process, an organization’s security won’t be able to keep up with its business — which means an organization will either compromise the former or impede the latter.

Step 6: Empower self-servicing

Ask: “Have we met the needs of the business for consumerization/self-service and LOB delegation?”

The millennial workforce is increasingly expecting IT to provide consumerized self-service similar to what they experience in their personal use of technology. Self-service is a win-win for IT and the business. The business wins because self-service takes delay out of everyday requests for digital services. IT wins because it frees staff with limited time from a variety of routine tasks. Self-service can also include the delegation of certain administrative tasks to line-of-business managers — such as authorizing access privileges or adding software licenses.

The best way to provide self-service and delegation to the business is by extending an organization’s security whitelist automation engine to non-IT users with the appropriate policy-based controls. This approach allows an organization to ensure that no one outside of its cybersecurity team can violate its policies — even as an organization empowers them to quickly perform routine tasks without IT’s intervention.

Step 7: Prepare for an audit

Ask: “Are we ready to handle an audit – really?”

Even if an organization has “checked off” all of the above six items – none of it matters if an organization cannot credibly prove itself to an auditor.

That’s why an organization needs a unified, rules-based access whitelisting automation engine that’s fully self-documenting. Only a centralized permissions control “brain” can secure an organization’s environment and enable an organization to quickly and easily provide auditors with credible evidence that it has exercised full diligence.

By leveraging a single, robust access provisioning mechanism across all of its digital resources — from its most complex core business applications to its most recently adopted cloud service — an organization can make itself vastly more secure, while enhancing productivity, and not unnecessarily adding to daily workload.

Bio: Bob Janssen is the CTO, founder, and SVP of Innovation of RES. He has been responsible for product vision, strategy and development at RES since founding the company in 1999 and is a prominent RES spokesperson at industry events. He was instrumental in the creation of the flagship products, RES Workspace Manager (now RES ONE Workspace) and RES Automation Manager (now RES ONE Automation), released in 1999 and 2005, respectively. During his tenure, RES has sold millions of licenses worldwide. Mr. Janssen holds several patents for the solutions he has developed at RES, and has worked with the RES R&D team on the filing of numerous others.

Check Your Security Knowledge Against These Survey Results

I think we’re all a little too confident in our level of personal security and a little too careless with our personal information. Preston and I want to emphasize the importance of keeping your personal data secure and personal. Don’t allow the bad guys to make an easy mark of you. These survey results are surprising and you should stay vigilant, especially on social networks and on sites where you submit credit card data. Never save the data for later; enter it every time.

When it comes to cybersecurity, Americans are overconfident in their knowledge and skills, a study released today by Blumberg Capital found.

A few interesting highlights from the findings:

  • 63% of Americans rate their knowledge of cybersecurity equal to or higher than the likes of Donald Trump
  • Shockingly, only a mere 7% of Americans are concerned with keeping their nude or racy photos and videos secure
  • Those surveyed find Social Networks and Dating Sites to be the least trustworthy (at 5% each) in keeping customers’ personal information safe
  • While 95% of adults expressed at least some concern about their personal information being hacked on e-Commerce sites, 54% of Americans who shop online trust online marketplaces, like eBay and Amazon, with their financial information
  • 33% of Americans believe they are more secure online if they don’t save their credit card information. Others choose to only use PayPal or other trusted payment services (30%).

You can view the full findings of the survey here: http://cybersecurity.blumbergcapital.com/

Listen to the SecurityNOW podcast, live shows, and watch our videos here at http://securitynow.live.

Interview with Preston Smith (Podcast)

February 1st is a special day for Preston and me, here at SecurityNOW. I interviewed Preston! That’s right. We returned to the very cool Rose Rock Cafe over on Mingo Road to have the famous Baconator burger and to record Preston’s first SecurityNOW interview, where he’s the interviewee. Find out about Preston’s background and what he thinks the biggest security issues are. Preston also gives you some tips on how to protect yourself in this world of growing cybersecurity threats.

The interview is short and sweet, just like Preston, but you’ll learn a lot from it. Preston discusses good passwords, bad passwords, LastPass, two-factor authentication, and some physical security tips as well. There’s a lot packed into these 15 minutes, so take good notes; there will be a test at the end.*

February is a very special month too. February is SecurityNOW’s month of best practices. We’re going to produce several podcasts that give you real-world advice on how to protect yourself from the bad guys without having to change your entire life. We try to help you make security easy yet effective.

Podcast details:

Length: 15:22 minutes. Format: MP3. Rating: G for all audiences. Background soundtrack: Rose Rock Cafe.

*Not really.