Make the Most of Your IT Inventories

If you look at modern information security guidance such as the Center for Internet Security Top 20, the NIST Cybersecurity Framework or MicroSolved’s own 80/20 Rule for Information Security, the first controls they recommend implementing are inventories of hardware and software assets. There are several good reasons for making IT asset inventories job number one.

First and foremost, you can’t protect a network asset that you don’t know exists. I would be hard put to tell you how many times we have compromised network security by exploiting forgotten devices or software applications during penetration testing engagements using this vector.

Second, how can you tell if a device or software application is supposed to be on the network if you don’t have an approved inventory list you can check it against? An employee or service provider could install unauthorized devices or applications on the network and you would be none the wiser.

Another reason I don’t hear much about, but think is at least as important as those mentioned above is that you can leverage your inventories to enable and improve other information security processes on your network. I will cite specifically configuration control and security maintenance programs.

When most people think of configuration control, they immediately think of firewalls, switches and routers. This is understandable, since misconfiguration of these devices can have immediate and far-reaching security implications. But really effective configuration control should extend far beyond networking devices. In fact, we council our clients that all network entities should be securely configured according to an accepted baseline security scheme. For example, we often see applications or devices that are still configured with their default administrative passwords. We also see other configuration problems such as FTP systems that are not configured with proper access controls, systems that are configured to accept the use of weak cryptographic protocols and systems that are configured with verbose error messages just to name a few. But if you tie the configuration control program to your network inventories, you can systematically ensure that each and every device, operating system and software/firmware application is configured correctly and securely.

The same thing applies to the security maintenance program. We are able to exploit out of date or unpatched network entities on a regular basis to compromise network security or elevate our privileges on the network. A lot of organizations now not only use WSUS, but employ some kind of service to help them deal with their security maintenance woes. But we have found that even with such mechanisms in place, there are applications or devices that just slip through the cracks. But if you couple your inventories with the security maintenance system, you can ensure that none of these network “orphans” will come back to bite you.

And think of the other processes you can tie in with network inventories? How about access control and change management for instance? Constructing and properly maintaining full network inventories is a difficult task. Why not get all the benefits you can from all your efforts?

If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.

IAM: We Should Use All the Factors We Can

There has been a lot of talk recently about getting rid of passwords as a means of user identification. I can certainly understand why this opinion exists, especially with the ever-increasing number of data breaches being reported each year. It’s true that we users make all kinds of mistakes when choosing, protecting and employing passwords. We choose easy to guess passwords, we use the same passwords for business access and for our personnel accounts, we write our passwords down and store them in accessible places, we reveal our passwords during phishing attacks, we reuse our old passwords as often as we can and we exploit every weakness configured into the system password policy. Even users who are very careful with their passwords have lapses sometimes. And these weaknesses are not going to change; humans will continue to mess up and all the training in the world will not solve the problem. However, even knowing this, organizations and systems still rely on passwords as the primary factor necessary for system access.

Continue reading

California Consumer Privacy Act

Times are getting hard for concerns that collect or sell information about individuals. People are becoming more concerned about their privacy and want their personal information protected. It’s taken a while, but folks are waking up to the fact that information about who they are, where they live, what they like to do, what they like to buy and a plethora of other information is being systematically collected and sold all the time.

National information security and privacy legislation has been bandied about now for a long time, but with no results as yet. So, the States are getting sick of waiting and are drafting their own privacy acts, especially since the inception of the European Union’s General Data Protection Regulation (GDPR).

Continue reading

Application Risk: Speed Kills!

We are at the end of the second decade of the 21st century now, and we are still suffering from poor application coding security practices of all sorts. This is costing us big-time in dollars, intellectual property, privacy, security, apprehension and consternation!

As individual consumers, we tend to think of things like identity theft, invasion of privacy and loss of services when we consider the problem of poorly secured applications. But the problem is much broader and deeper than that. Holes in application coding security can also be used to attack communications systems, utility and industrial control systems, supply chains and transportation systems, and military command and control and weapons systems. These kinds of failures can lead to wide-scale confusion, outages, disasters and the deaths of innocents; possibly lots of innocents.

Continue reading

Phishing: It Takes Humans to Fight It!

For more than 20 years now, hackers and cyber-criminals have been breaking into computer systems and networks. And for just as long a period of time, manufacturers, networking folk and cyber-security personnel have been developing devices, controls and processes to prevent these people from getting in and raising havoc. The “bad guys” come up with new ways to compromise system security, and then the “good guys” come up with new ways to protect it. Back and forth, forth and back, back and forth… it never seems to stop!

Continue reading

Insurers Take Note: Ohio Senate Bill 273 is Now in Effect

Have you ever heard of the New York State Department of Financial Services regulation requiring financial services companies to adopt cybersecurity measures that “match relevant risks and keep pace with technological advancements” (23 NYCRR 500)? If you haven’t, you should take a look, even if you don’t do business in the State of New York. This regulation is having a snowball effect that is affecting financial institutions across the nation.

Continue reading

Using Blockchain? Better Have Good Key Management

Algorithms, step-by-step processes designed to tell a computer what to do and how to do it, are used to encipher data. Passwords and crypto keys are strings of characters needed to decrypt enciphered data. If these strings are not properly managed, you can lose the ability to decrypt this data forever. That is why proper key management is so important any time you are using cryptography on your systems. When using Blockchain, it can be especially important.

The most notable use of Blockchain to date is in Cryptocurrency. Last December, the 30-year-old founder of the Canadian cryptocurrency exchange QuadrigaCX reportedly died abroad. Unfortunately, he went to his reward without telling anyone the password for his storage wallet, causing the loss of up to 190 million dollars. What a mess! The exchange is now out of business and the court has appointed a monitor (Ernst & Young) and law firms to represent QuadrigaCX customers. An object lesson indeed for employing proper key management.

Continue reading

About the Ohio Data Protection Act

The Ohio Data Protection Act differs from others in the country in that it offers the “carrot” without threat of the “stick.” Although companies are rewarded for implementing a cyber-security program that meets any of a variety of security standards, having a non-compliant program carries no penalty under this act.

The theory is that Ohio companies will be more willing to put resources into their information security programs proactively if a tangible return on their investment is available; like investing in insurance to hedge risk. Alternatively, if there is no threat of penalty for non-compliance, why wouldn’t a business simply adopt a wait and see attitude? After all, most companies do not have big data breaches, and developing and documenting a compliant information security program is expensive.

Continue reading

Incident Response: Practice a Must!

Whether you are trying to comply with HIPAA/HITECH, NAIC Model Laws, SOX, PCI DSS, ISO or the NIST Cybersecurity Framework, you must address incident response and management. In the time I have been involved in risk management, I have seen an ever-growing emphasis being placed on these functions.

I think that one of the reasons for this is that most of us have come to the realization that there is no such thing as perfect information security. Not only are data breaches and other security incidents inevitable, we are seeing that there are more and more of them occurring each year; a trend I don’t expect to change anytime soon. In addition, people are becoming increasingly concerned with their privacy and protecting their proprietary information. In response, regulators are becoming tougher on the subject too.

Continue reading

Inventory Control a Must for Effective System Security Maintenance & Config Control

Some security controls can’t reach maximum effectiveness unless other, related controls are also in place. This is the case with system security maintenance and configuration control. If you don’t tie these controls to well maintained and updated inventories of all network assets you are bound to see vulnerabilities cropping up on your systems.

Continue reading