Staying Secure in 2017: A Step-by-Step Guide to Guarding Your Organization

The actionable steps to staying safe in the age of cybercrime

By Bob Janssen, CTO, founder and SVP of Innovation, RES

Bob Janssen CTO and Founder of RESAs Forbes’ Technology Council recently proclaimed, 2017 will be the year of cybersecurity concern. While there are a great deal of individuals and organizations doing tremendous work to combat the concern, cybersecurity can sometimes seem like a distant problem as opposed to an everyday issue. Instead of speaking about cybersecurity in grandiose terms, it is imperative to get down to business and face the ‘real world’ risks, and the practical steps that IT and security teams can take to prevent their organizations from becoming an embarrassing security breach headline. It is impossible for organizations to devote 100% of their time to state-of-the-art cybersecurity excellency, especially considering the dearth in cybersecurity talent that many firms deal with.

Cybersecurity professionals and IT departments are given the tough task to keep spending down, empowering employees to be the most productive, and not to mention – responding quickly to ever-changing security threats like the augmentation of IoT and bots. Considering these pressures, it’s integral to prioritize decisions and actions that have an affect security imperatives sooner rather than later.

There is one great thing organizations can do to accomplish this, develop a dynamic whitelisting strategy for access management. Whitelisting provides more than a list of trusted websites, apps or users. Whitelisting can also facilitate the enforcement of security access controls based on individual identities and contextual attributes such as time of day or location. When you use whitelisting properly, it can help secure your data and protect your organization from threats. Below you will be able to find a guide that security professionals can follow to protect their organizations without slowing down regular business operations.

Step 1: Reexamine and step up whitelisting policies

Ask: “Do we have a central repository of well-defined whitelisting policies?”

Dynamic whitelisting is a core best practice for enterprise security and one of the best ways to enforce access policies.  It entails restricting user access and code execution by default to only that which is specifically permitted and known to be safe. Whitelisting should also take into consideration both identity and context attributes such as time of day, location or device. This model is essential for protecting your organization from all kinds of threats — including malicious hosts, hijacked user IDs, insider threats, and the like.

A primary security requirement for an organization is therefore a unified repository of clearly defined whitelisting policies. These policies can be owned and controlled by different individuals with appropriate authority across an organization, but a single, reliable, and up-to-date place for maintaining whitelisting policies is essential across all resources, parameters, and user groups.

Step 2: Don’t depend on “script heroes”  

Ask: “Does our implementation and enforcement of our access policies still depend on manual configuration and/or homegrown scripts?”

Policies alone do not make a secure enterprise. An organization also needs a way to implement and enforce those policies in an automated way. Chances are, however, that an organization still depends on a wide range of disparate mechanisms to give users whitelist-appropriate access to digital resources. These likely include application- and database-specific admin tools and homegrown provisioning scripts.

There are many problems inherent in depending on these fragmented access provisioning mechanisms. From a security perspective, they are simply too unreliable because they are subject to human error and they’re not intrinsically linked to the underlying policies they have been created to enforce. If an organization still depends on “script heroes” to ensure the right people get access to the right resources at the right time, it is exposing itself to unnecessary risk. Instead, maintaining a unified, manageable, and automated mechanism for executing an organization’s access policies can offset these concerns.

Step 3: When employees leave – make sure your data doesn’t leave with them

Ask: “When someone leaves our company, are all of their digital privileges immediately, automatically, and entirely revoked?”

One of the single most important policy imperatives is the complete revocation of an employee’s digital privileges immediately upon termination. Most organizations don’t have a simple, automated, and reliable means of immediately eliminating an individual’s access privileges across every application, database, SharePoint instance, communications service, etc. Some of those privileges can remain in place days, weeks, or even months after an employee is terminated — leaving them exposed to risks that their breach detection and prevention tools can’t stop.

This is why in addition to having a unified system for managing access privileges across the enterprise, an organization also needs to appropriately integrate that system with whatever other systems can generate a valid termination event — including an organization’s core identity management systems, HR applications, and contractor databases. Only such integration can give an organization full confidence in the timely and complete revocation of digital privileges.

Step 4: Put access controls in place

Ask: “Can we reliably prevent users from accessing the wrong files from the wrong places at the wrong times?”

Most organizations can only apply a limited and relatively crude set of parameters to their access controls. In the real world, an organization’s access policy parameters and controls must be much richer and more context-aware. Common examples of this include:

  • Geo-fencing. It often makes sense to constrain a user’s access privileges based on location. A doctor, for example, may be allowed wireless access to certain clinical systems data while on premise at a healthcare facility, but not while off-site.
  • Wi-Fi security. There may be times when an organization wants to make its data access rules (including read/write vs. read-only privileges) contingent upon whether a user’s Wi-Fi connection is public/non-secure or private/secure.
  • File hashing. File hashes provide an exceptionally reliable means of ensuring that users only download, open, and work with legitimate content — thereby protecting an organization from a wide range of threats, including ransomware and spearphishing attacks.

To implement these kinds of rich security controls, an organization needs an access management system that can automatically respond in real time to session context and execute hash-based identification. Without those controls, defense against various types of identity and content spoofing will be severely limited.

Step 5: Make sure your security process is adaptable  

Ask: “Do we have a consistent process for adding new applications (including cloud/SaaS) to our whitelist as demanded by the business — and applying the appropriate policies to them?”

An organization’s business isn’t static. In fact, most companies are adding new cloud/SaaS services at a faster pace than ever. Many of these new services are being activated directly by lines of business, without much involvement from IT. At one time, this was referred to as “shadow IT.” But it’s not just a shadow anymore. It’s central to how organizations leverage software and analytic innovation in the cloud.

If an organization can’t quickly secure these new applications and services, several unacceptable outcomes can result. People may be unable to use new resources in a timely manner because they’re blocked by an organization’s whitelisting system. Or new resources may get whitelisted too hastily — without being properly secured by policies such as geo-fencing and Wi-Fi restrictions. Worse yet, people may just come up with workarounds to avoid an organization’s security mechanisms altogether. None of these outcomes are acceptable.

To avoid these outcomes, an organization need a fast, reliable, and consistent process for adding new cloud resources (as well as new conventionally developed applications) to its whitelisting repository/automation engine. Without such a process, an organization’s security won’t be able to keep up with its business — which means an organization will either compromise the former or impede the latter.

Step 6: Empower self-servicing

Ask: “Have we met the needs of the business for consumerization/self-service and LOB delegation?”

The millennial workforce is increasingly expecting IT to provide consumerized self-service similar to what they experience in their personal use of technology. Self-service is a win-win for IT and the business. The business wins because self-service takes delay out of everyday requests for digital services. IT wins because it frees staff with limited time from a variety of routine tasks. Self-service can also include the delegation of certain administrative tasks to line-of-business managers — such as the authorizing access privileges or adding software licenses.

The best way to provide self-service and delegation to the business is by extending an organization’s security whitelist automation engine to non-IT users with the appropriate policy-based controls. This approach allows an organization to ensure that no one outside of its cybersecurity team can violate its policies — even as an organization empowers them to quickly perform routine tasks without IT’s intervention.

Step 7: Prepare for an audit

Ask: “Are we ready to handle an audit – really?”

Even if an organization has “checked off” all of the above six items – none of it matters if an organization cannot credibly prove itself to an auditor.

That’s why an organization needs a unified, rules-based access whitelisting automation engine that’s fully self-documenting. Only a centralized permissions control “brain” can secure an organization’s environment and enable an organization to quickly and easily provide auditors with credible evidence that it has exercised full diligence.

By leveraging a single, robust access provisioning mechanism across all of its digital resources — from its most complex core business applications to its most recently adopted cloud service — an organization can make itself vastly more secure, while enhancing productivity, and not unnecessarily adding to daily workload.

Bio: Bob Janssen is the CTO, founder, and SVP of Innovation of RES. He has been responsible for product vision, strategy and development at RES since founding the company in 1999 and is a prominent RES spokesperson at industry events. He was instrumental in the creation of the flagship products, RES Workspace Manager (now RES ONE Workspace) and RES Automation Manager (now RES ONE Automation), released in 1999 and 2005, respectively. During his tenure, RES has sold millions of licenses worldwide. Mr. Janssen holds several patents for the solutions he has developed at RES, and has worked with the RES R&D team on the filing of numerous others.

Check Your Security Knowledge Against These Survey Results

Cybersecurity Survey Blumberg CapitalI think we’re all a little too confident in our level of personal security and a little too careless with our personal information. Preston and I want to emphasize the importance of keeping your personal data secure and personal. Don’t allow the bad guys to make an easy mark of you. These survey results are surprising and you should stay vigilant, especially on social networks and on sites where you submit credit card data. Never save the data for later; enter it every time.

When it comes to cybersecurity, Americans are overconfident in their knowledge and skills, a study released today by Blumberg Capital found.

A few interesting highlights from the findings:

  • 63% of Americans rate their knowledge of cybersecurity equal to or higher than the likes of Donald Trump
  • Shockingly, only a mere 7% of Americans are concerned with keeping their nude or racy photos and videos secure
  • Those surveyed find Social Networks and Dating Sites to be the least trustworthy (at 5% each) in keeping customers’ personal information safe
  • While 95% of adults expressed at least some concern about their personal information being hacked on e-Commerce sites, 54% of Americans who shop online trust online marketplaces, like eBay and Amazon, with their financial information
  • 33% of Americans believe they are more secure online if they don’t save their credit card information. Others choose to only use PayPal or other trusted payment services (30%).

You can view the full findings of the survey here: http://cybersecurity.blumbergcapital.com/

Listen to the SecurityNOW podcast, live shows, and watch our videos here at http://securitynow.live.

2017 Cybersecurity Resolutions (Podcast)

ResolutionsAs promised on our 2017 Topics List, January is for cybersecurity resolutions. This podcast features Preston and me discussing a short list of cybersecurity awareness topics for personal and for business use. Staying secure in everything you do is very important. We can’t stress too much the importance of using very strong passwords, doing some regular housekeeping, being smart about opening email attachments, and protecting yourself from cyberstalkers who want to compromise your accounts and your identities.

RoseRock Cafe & BakeryWe decided to try something different today and record our podcast at a little cafe that’s inside our favorite bookstore; The RoseRock Cafe* on South Mingo Road. The recommended choice is the Reuben sandwich on marbled rye bread, which is excellent, by the way.

The only problem with recording in public is that you’re subjected to random sounds, like the phone in the background that seems to ring and ring and ring. I know that the bookstore is staffed well enough that someone could have picked up. But that’s why we chose the cafe setting because we wanted those ambient sounds. Plus, there’s something ironic about discussing a security topic in a public place.

Podcast details:

Length: 10:29 minutes. Format: MP3. Rating: G for all audiences.

This short podcast has a lot of good information in it about how to protect yourself. Over the coming weeks and months, Preston and I will return to public places to discuss cybersecurity and maybe even conduct a few impromptu interviews along the way.

#SecurityNOW #SecurityResolutions2017

*RoseRock Cafe & Bakery is not a SecurityNOW show sponsor, but they were kind enough to allow us to record our show there.

Interview with Cybersecurity Forensic Expert Simon Smith (Podcast)

eVestigator Simon SmithIt’s not often you get to talk to a real cybersecurity expert. Simon is an expert programmer, cyberforensics expert, and a security maven. Recently he exposed a criminal who used a VPN (Secure, private connection to the Internet) who thought he’d gotten away. Simon’s investigative abilities proved otherwise. Simon owns eVestigator, a company that specializes in helping victims of hacks, breaches, and other cybercrimes. He’s the real deal and has the track record to prove it. Just look at the list of his certifications and diplomas. He also has solved more than 350 cybersecurity and cybercrime cases.

During this podcast, we discussed the role of artificial intelligence in cybersecurity and the human element, its removal, and its requirement.

Preston and I were glad to speak to Simon and hope to have him back on the show to discuss other hot security topics.

Podcast details:

Length: 23:31 minutes. Format: MP3. Rating: G for all audiences.

Preston and I want to remind you to stay secure.

#SecurityNOW

The State of NoSQL Database Hacks with Cryptzone’s Jason Garbis (Podcast)

CryptzoneOn January 6, I received a notice that over 10,000 MongoDB databases have been deleted by various groups of hackers over the last few days, confirming today’s security models are broken. I was shocked and wanted to investigate further, so I connected with Cryptzone for comment and scheduled a podcast interview with Jason Garbis, CISSP and VP of Products at Cryptzone.

By the time we connected for the podcast, more than 30,000 NoSQL databases had been compromised, had their data deleted or stolen, and in many cases, ransoms demanded.

To combat this, Cryptzone has rolled out the latest version of its Software Defined Perimeter offering, AppGate. AppGate transforms network security, employing an “authenticate first, connect second” approach.

Jason’s notes about the MongoDB and other NoSQL database attacks:

“Attacks – such as those against NoSQL databases, are exceptionally damaging but frustratingly they’re also preventable.”

“Exposing any system to the ‘Internet Cesspit’ is fundamentally a bad idea. All systems have weaknesses – whether it’s a vulnerability, poor configuration or inadequate controls. It’s far too easy for an attacker to use Shodan (a powerful search engine) to discover and then violate them.”

“Rather than putting all of their systems in the shop window, particularly one that doesn’t even have any glass to protect it, companies must wake up to the realization that a new approach to network security is required. Taking an identity-centric approach, so one that only permits authorized users to access resources, would effectively brick up the window to anyone that doesn’t know its there, locking the attackers out and rendering their malware impotent.”

Preston and I interviewed Jason about these recent exploits and found that the solution to the problem is very simple, but obviously overlooked.

Podcast details: Length: 17:59 minutes. Format: MP3. Rating: G for all audiences.

Think about the security of any data that’s exposed directly to the Internet or that’s exposed via web application. Setup two-factor authentication as an added measure against data exploitation.

Ransom Where? Study shows office not home is a better target

Ransomware InfographicIBM released the results of a study that included complete surveys from 600 businesses and just over 1,000 consumers about their willingness to pay and their paid history with ransomware. The study found that 70 percent of businesses that have experienced ransomware attacks have paid the ransom. In contrast, fewer than 50 percent of consumers hit with ransomware would pay the ransom.

Ransomware extortion is a profitable business. Business executives stated that they would pay between $20,000 and $50,000 to regain access to ransomed data. While smaller businesses are generally better targets because of their lack of training and a general lack of protection, they are less desirable to attack because of their inability to pay large ransoms. Consequently, only 29 percent of the small businesses in the survey had experienced ransomware attacks. Ransomware has grown close to a $1 billion business and there’s no end in sight for the numbers of attacks or the extent to which criminals will go to cash in on victims.

Consumers, who overwhelmingly stated that they would not pay a ransom, changed their minds when asked about paying to regain access to financial data and to their mobile devices. Some consumers would pay $100 or more to the extortionist, however ransoms usually are in the $500 or higher range. 55 percent of parents who have digital pictures of family and children are more willing to pay ransoms to regain access, while only 39 percent of non-parents would pay.

Ransomware is software that locks data using encryption techniques. Once infected, users can’t access the data. The ransomware writers demand a fee paid, usually in bitcoin (a virtually untraceable electronic “currency”), to gain access to the data via a passcode supplied by the extortionist.

Almost 50 percent of the businesses surveyed experienced ransomware attacks and 70 percent of those paid ransoms. Half of those who paid ransoms paid over $10,000 and 20 percent paid over $40,000. Close to 60 percent of the business respondents stated that they would pay a ransom to recover their data.

There are some things you can do to prevent becoming a ransomware victim. IBM’s X-Force experts recommend the following:

  • Be Vigilant: If an email looks too good to be true, it probably is. Be cautious when opening attachments and clicking links.
  • Backup Your Data: Plan and maintain regular backup routines. Ensure that backups are secure, and not constantly connected or mapped to the live network. Test your backups regularly to verify their integrity and usability in case of emergency.
  • Disable Macros: Document macros have been a common infection vector for ransomware in 2016. Macros from email and documents should be disabled by default to avoid infection.
  • Patch and Purge: Maintain regular software updates for all devices, including operating systems and apps. Update any software you use often and delete applications you rarely access.

The three most valuable pieces of advice that we, at SecurityNOW, can offer consumers and businesses is a) Train everyone to delete suspicious emails that manage to make it through your spam detection, b) Keep your computers and devices updated and patched, and c) Use an anti-malware program on every device you own, especially those used by children and less-skilled users.