817-668-6995 [email protected]
Insider Threats Matter – Part One

Insider Threats Matter – Part One

Insider ThreatsMost companies recognize the security threats from outside their own organization – maybe it’s Chinese hackers trying to steal their trade secrets, or perhaps it’s a Russian organized crime ring trying to steal credit cards.  As an industry, we in the Information technology field have been doing a decent job trying to educate business owners and decision makers about the need for security.  It’s been a long road for some of us (I started down this path nearly 20 years ago), but finally, we are starting to see significant improvements in the area of security awareness.

What about Insider Threats?

But what about the “Insider Threats” from within an organization?  Do you have people working for/with you that are detrimental to your important business data health?  Are they very careless with sensitive information that could be used for malicious or nefarious purposes?  How do you know people are taking the right precautions to protect this data or information?

Security breaches from the inside – depending on which report you read – can be up to 90% of the actual threat to your business.  Why is it so high you might ask?  Well, consider the “attack footprint” or surface area by which someone can access sensitive data.  From the outside looking in, assuming you have the proper security in place, there shouldn’t be much that an outsider can get access to.  You have a website (probably hosted by some other company) and you have email (again, hosted by someone else).  However, your employees have access to everything.  Databases of customer information, spreadsheets full of data, technical drawings, credit card and account information – a veritable cornucopia of information that makes your business who you are.  And all available to someone working on the inside.

So what can you do to minimize the Insider Threats to your data but still allow the business to run? Surprisingly, quite a bit.  The hard part is identifying the vulnerable areas and determining a path to help prevent the Insider Threat from compromising your business. We will explore this further in Part 2.

To learn more about the Insider Threats in your company, contact us today at [email protected] or 817-668-6995.

Cloud Security

Cloud Security

Cloud services. Cloud apps. Cloud infrastructure. Cloud storage. Cloud backup.

“Cloud, cloud everywhere
And all the users did cheer;
Cloud, cloud everywhere
Nor any bit to secure.”

— Excerpt from the unpublished best seller Rime of the Ancient Security Guy

It seems that everything within the IT world is moving towards cloud something, and it is here to stay (at least for the time being). Cloud services of all types have their value to business – that’s one thing that’s been proven time and time again. You need a server for an application you’re developing? Spin one up using Amazon Web Services in 5 minutes and you’re ready to roll. Need a CRM solution? Whip out the credit card and start selling using SalesForce in 20 minutes.

IT people all over (sometimes) sing the praises of cloud services, as it’s less infrastructure (storage, compute, network) that they have to manage, and they can provide their customers (i.e. users) with the services that the business needs in a more efficient and timely manner.

Except for IT security people.

Nearly every security person I’ve talked to in the past few years, when asked, has stated that they don’t like cloud services. The universal answer is related in some form or fashion to monitoring, auditing and control, which are core tenets of securing data.

Cloud Security, The Oxman GroupThe National Institute of Standards and Technology (NIST) defines cloud computing as coming in basically three models: Infrastructure as a Service (IaaS) – Hardware only is supplied/managed by the cloud provider; Platform as a Service (PaaS) – Hardware and operating system is supplied/managed by the cloud provider; and finally Software as a Service (SaaS) – Hardware, operating system and applications are supplied/managed by the cloud provider. Most, if not all, cloud offerings can be categorized in one of these ways.

Here’s the reason why IT security people cringe when cloud is mentioned:

The value of IT to a business is the ability of IT assets to store, move and process data. Every business survives on data – whether they are a manufacturer and the data (technical design information) is used to create a sellable product, or are a retailer and use data (credit card numbers) to get paid. Because this data is how businesses survive, it should be protected and every IT security person would agree on that principle.

When the data is local, it’s easier to secure. Physical access is controlled because not everyone has a key to the server room. Logical access is controlled via various permissions and firewalls. Server logs are reviewed. User accounts are audited to ensure that only legitimate users have accounts.

Once cloud services come into play, some of those security measures go out the window. In some cases, all of these security measures go out the window.

Physical access to the data is now under the control of a faceless identity in some unknown part of the world. Give me physical access to data and I’ll be able to access it within minutes (a little longer with some types of encryption).

Logical access is at the mercy of whatever the cloud provider wants to allow. Maybe they can give granular permissions, maybe they can’t. And even if they allow the customer to provision the access, who’s to say there aren’t “backdoors”?

Who is monitoring access to the data? What will they do with that information? How is the access controlled?

The list of questions and concerns can go on and on. Unfortunately for many in the security field, the risks of using cloud services are outweighed by the advantages, or the risks are accepted as a cost of a solution being “convenient” or “less expensive”, so any objections to using cloud services are simply overruled.

Fortunately, steps can be taken to ensure a certain level of security with cloud services, depending on which model is used (IaaS, PaaS, or SaaS).

In the IaaS model, the business can usually do whatever they want with the hardware. This provides the most flexibility in regards to security. Disk encryption can be used to hinder unauthorized access. Permissions can be audited and monitored. Logging can be performed and reviewed.

Generally speaking, the PaaS model provides similar security opportunities, but because the cloud provider is responsible for the operating system there could be some challenges. If the cloud provider has system administrator or root access, that’s a weak link. Yes, you’re supposed to trust your provider but what security guy trusts the telecom providers after the NSA spying scandal?

The SaaS model provides the least amount of flexibility when it comes to security. Everything is managed by the cloud provider, and the customer is merely a consumer of service (much like I’m a regular consumer of Starbucks but have little to say how they make my drink). The cloud services customer cannot install encryption in the SaaS model nor can they completely control anything – they’re at the mercy of the provider.

But all is not lost. There are cloud security services to fill the void!

In an ideal situation, the cloud services customer is using a single sign-on (SSO) solution to manage identities and uses a single portal by which users can access the various cloud-based services. This single sign-on portal create a choke point by which you can implement a security solution, such as that offered by Skyfence (www.skyfence.com).

Basically what happens is that Skyfence becomes a cloud security gateway, in which all traffic destined to/from cloud-based services is inspected to see which cloud services are in use and by whom, inspect the traffic for malicious activity and block it if required, and monitor and log all usage. What’s even better is that Skyfence doesn’t require a proxy server or anything installed on the endpoints (unlike other cloud security solutions).

Finally there is an easy to implement and easy to manage solution for helping to secure cloud services, providing much-needed control, monitoring and auditing capabilities. And now the IT Security people can stop cringing at the mention of cloud.

6 Ways to Stay Secure Online

6 Ways to Stay Secure Online

1. Hook up to a network that you know.

Free Wi-Fi is tempting, but be sure that you consider who is providing the connection. Public connections at the local coffee shop are usually unsecured and leave your machine open to outsiders. While these networks provide a convenience, there are risks to be aware of.

2. Bank and shop with caution.

Shopping from familiar websites is a good place to start. Stick with the reputable sites that are tried and true – like Amazon or eBay. Also, when checking out and finalizing the purchase, look for the ‘padlock’ symbol or the abbreviation ‘https’ in the address bar at the top of your browser. This will ensure that you are on a secure, encrypted part of this webpage. Keeping an eye on your bank statements for suspicious activity is always a good idea, among these other best practices for shopping online.

3. Use secure passwords.

Passwords for logging into any website should contain a mix of letters, numbers, and special characters – as well as be different for each website that you log into. It can definitely be a pain to remember all of these passwords, but ask yourself which is more of a pain – remembering these, or recovering stolen personal information.

4. Lock Your Computer.

TOG Computer SecurityWhen you walk away from your machine, lock it. In Windows, it is as easy as pressing the Windows key + L. On an Apple Mac, pressing “Control+Shift+Eject” will do the trick (unless you do not have an optical drive, then you can hit the “Power” key instead of “Eject”). This practice would be the equivalent to deadbolting the front door of your home. It acts as a deterrent to the bad guys as well as a line of defense. You should also setup a password lock on your Apple or Windows machine as well.

5. Do not click on anything unfamiliar.

If an offer is too good to be true, it probably is. If you get an email from an unknown source, do not click any of the links within it – and immediately report it to whomever provides IT support to your business. If a window pops up while browsing a website, immediately close it. Familiarity is always your friend. Using your judgment and trusting your gut is the ultimate defense when online. Always play it safe!

6. Use quality anti-virus and anti-malware software.

Make sure you’re using a good quality anti-virus and anti-malware software. The free versions, while appealing, simply do not offer enough protection for today’s threats. Spend some money and save yourself grief. Or better yet, use a Managed Service Provider to manage your computer security.

3 Ways to Boost Mobile Device Security

3 Ways to Boost Mobile Device Security

1. Set a pin or passcode.

This is your first line of defense. If someone wants to access your device, they will first need to break this code. This is not an easy task (as evidenced recently by the FBI being unable to break into the San Bernardino shooter’s iPhone), and can operate as a deterrent against theft. Some device manufacturers have an option to automatically wipe your device after a few unsuccessful attempts at your passcode or pin; so, even if your phone is stolen, your information cannot be accessed. As long as you backup your phone (you are doing this, right?), you should have this particular feature enabled on your phone. For the best security for your business, you should look for Managed Service Providers (MSP) that offer mobile device management (MDM) in their portfolio of services.

2. Remote locate and wipe tools.

3 Ways to Boost Mobile Device SecurityThere are thousands of applications out there, and many involve more than just crushing candy or shooting birds at pigs. Certain software can help you locate your lost or stolen device through its GPS. Apple offers a service like this for their mobile devices aptly named Find my iPhone. For Android users, the Android Device Manager offers these services. Windows Mobile users also have this option from the Windows Phone website. Similarly, many third party applications are available in each of the app stores.

3. Keep your device clean.

Utilizing an Antivirus and Malware scanner is never a bad idea. Your phones are mini-computers, and just like your “big” computer – they need to be cleaned up from time to time. Malware and Virus threats can compromise information stored on your mobile devices. Malware has a snowball effect, and can continuously pile up until it slows downs or stops your device. Look for an MSP that offers Malwarebytes as a solution to this problem for both mobile devices and computers. It will keep your end points clean and secure from outsiders. Consider Webroot as an antivirus application that scans your downloaded apps and devices for any threats. Many MSPs offer Webroot antivirus in their managed IT services package. Equipped with Internet security, this defense will give you a heads up if it detects any malicious activity from your device’s browser.