Application Risk: Speed Kills!

We are at the end of the second decade of the 21st century now, and we are still suffering from poor application coding security practices of all sorts. This is costing us big-time in dollars, intellectual property, privacy, security, apprehension and consternation!

As individual consumers, we tend to think of things like identity theft, invasion of privacy and loss of services when we consider the problem of poorly secured applications. But the problem is much broader and deeper than that. Holes in application coding security can also be used to attack communications systems, utility and industrial control systems, supply chains and transportation systems, and military command and control and weapons systems. These kinds of failures can lead to wide-scale confusion, outages, disasters and the deaths of innocents; possibly lots of innocents.

Continue reading

Phishing: It Takes Humans to Fight It!

For more than 20 years now, hackers and cyber-criminals have been breaking into computer systems and networks. And for just as long a period of time, manufacturers, networking folk and cyber-security personnel have been developing devices, controls and processes to prevent these people from getting in and raising havoc. The “bad guys” come up with new ways to compromise system security, and then the “good guys” come up with new ways to protect it. Back and forth, forth and back, back and forth… it never seems to stop!

Continue reading

Insurers Take Note: Ohio Senate Bill 273 is Now in Effect

Have you ever heard of the New York State Department of Financial Services regulation requiring financial services companies to adopt cybersecurity measures that “match relevant risks and keep pace with technological advancements” (23 NYCRR 500)? If you haven’t, you should take a look, even if you don’t do business in the State of New York. This regulation is having a snowball effect that is affecting financial institutions across the nation.

Continue reading

Using Blockchain? Better Have Good Key Management

Algorithms, step-by-step processes designed to tell a computer what to do and how to do it, are used to encipher data. Passwords and crypto keys are strings of characters needed to decrypt enciphered data. If these strings are not properly managed, you can lose the ability to decrypt this data forever. That is why proper key management is so important any time you are using cryptography on your systems. When using Blockchain, it can be especially important.

The most notable use of Blockchain to date is in Cryptocurrency. Last December, the 30-year-old founder of the Canadian cryptocurrency exchange QuadrigaCX reportedly died abroad. Unfortunately, he went to his reward without telling anyone the password for his storage wallet, causing the loss of up to 190 million dollars. What a mess! The exchange is now out of business and the court has appointed a monitor (Ernst & Young) and law firms to represent QuadrigaCX customers. An object lesson indeed for employing proper key management.

Continue reading

About the Ohio Data Protection Act

The Ohio Data Protection Act differs from others in the country in that it offers the “carrot” without threat of the “stick.” Although companies are rewarded for implementing a cyber-security program that meets any of a variety of security standards, having a non-compliant program carries no penalty under this act.

The theory is that Ohio companies will be more willing to put resources into their information security programs proactively if a tangible return on their investment is available; like investing in insurance to hedge risk. Alternatively, if there is no threat of penalty for non-compliance, why wouldn’t a business simply adopt a wait and see attitude? After all, most companies do not have big data breaches, and developing and documenting a compliant information security program is expensive.

Continue reading

Incident Response: Practice a Must!

Whether you are trying to comply with HIPAA/HITECH, NAIC Model Laws, SOX, PCI DSS, ISO or the NIST Cybersecurity Framework, you must address incident response and management. In the time I have been involved in risk management, I have seen an ever-growing emphasis being placed on these functions.

I think that one of the reasons for this is that most of us have come to the realization that there is no such thing as perfect information security. Not only are data breaches and other security incidents inevitable, we are seeing that there are more and more of them occurring each year; a trend I don’t expect to change anytime soon. In addition, people are becoming increasingly concerned with their privacy and protecting their proprietary information. In response, regulators are becoming tougher on the subject too.

Continue reading

Inventory Control a Must for Effective System Security Maintenance & Config Control

Some security controls can’t reach maximum effectiveness unless other, related controls are also in place. This is the case with system security maintenance and configuration control. If you don’t tie these controls to well maintained and updated inventories of all network assets you are bound to see vulnerabilities cropping up on your systems.

Continue reading

IoT Smart Devices: The Honeymoon is Over!

What isn’t an Internet of Things device these days?! Companies are literally flooding the consumer market with smart chip-equipped devices you can control with your iPhone or Android (which themselves are equipped with smart chips – sigh!). Smart bike locks, smart egg trays, smart water bottles, smart dental floss dispensers, smart baby-changing pads!! These are all real devices.

Continue reading

Good Inventory Control is a Must for Effective Security Maintenance & Configuration Control

Maintaining current inventories of all hardware devices, software applications, operating systems and firmware applications on your networks is listed as Job #1 in cutting-edge information security guidance. This is true for a number of reasons, but today I want to discuss the paramount importance of good inventory control processes in mounting trackable and effective security maintenance and configuration control programs.

In a recent Threatpost report on top threats for2018, it was reported that exploit kits were still the top web-based threat. Exploit kits are very good at uncovering missing patches, misconfigurations, default passwords and the like, and they are most assuredly not limited to Windows systems only.

In the work we do, it is very common for us find networks that are obviously being generally well administered. We see that most systems are well configured, that Windows patching is very good and that most access controls are strong. But on these same networks, we almost always find glaring anomalies that don’t fit the overall picture. Maybe we’ll find a couple of hosts with factory default credentials in place, or a firewall that is running an exploitable firmware version, or maybe it will virtual machine software that is missing security patches. The list is extensive. But they all have one thing in common; these are systems and hosts that have somehow fallen through the cracks.

This is where good inventory control comes in. Most of the organizations I referred to above have inventories in place, but they are just there to be there; nobody seems to use them for anything. I think this is mainly because most infosec programs are driven by compliance, and compliance means you have to be able to check the “inventories in place” box. What a mistake! Those inventories are useful!

Inventories should be central to all security maintenance and configuration control efforts. All hardware devices, software applications, operating systems and firmware applications should be included in IT inventories. Security maintenance and configuration control administrators should ensure that all entities on these lists are included in their efforts. Those in charge of these processes should also always ensure that they are communicating and coordinating their efforts, and that everything is kept up-to-date. In fact, I’ll go one step further.

An effective information security program, although made up of many different processes, needs to work together like a single entity. It’s very much like our own bodies. We have a brain, a heart, limbs, bones, eyes, skin and numerous other individual parts, but they all cooperate together to function as a single entity. If you don’t leverage each part of your infosec program to feed and enable all of the other parts, then you are wasting a lot of time and money!

Monitoring: A True Necessity

There is no easier way to shut down the interest of a network security or IT administrator than to say the word “monitoring”. You can just mention the word and their faces fall as if a rancid odor had suddenly entered the room! And I can’t say that I blame them. Most organizations do not recognize the true necessity of monitoring, and so do not provide proper budgeting and staffing for the function. As a result, already fully tasked (and often times inadequately prepared) IT or security personnel are tasked with the job. This not only leads to resentment, but also virtually guarantees that the job is will not be performed effectively.

And when I say human monitoring is necessary if you want to achieve any type of real information security, I mean it is NECESSARY! You can have network security appliances, third party firewall monitoring, anti-virus packages, email security software, and a host of other network security mechanisms in place and it will all be for naught if real (and properly trained) human beings are not monitoring the output. Why waste all the time, money and effort you have put into your information security program by not going that last step? It’s like building a high and impenetrable wall around a fortress but leaving the last ten percent of it unbuilt because it was just too much trouble! Here are a few tips for effective security monitoring:

  • Properly illustrate the necessity for human monitoring to management, business and IT personnel; make them understand the urgency of the need. Make a logical case for the function. Tell them real-world stories about other organizations that have failed to monitor and the consequences that they suffered as a result. If you can’t accomplish this step, the rest will never fall in line.
  • Ensure that personnel assigned to monitoring tasks of all kinds are properly trained in the function; make sure they know what to look for and how to deal with what they find.
  • Automate the logging and monitoring function as much as possible. The process is difficult enough without having to perform tedious tasks that a machine or application can easily do.
  • Ensure that you have log aggregation in place, and also ensure that other network security tool output is centralized and combined with logging data. Real world cyber-attacks are often very hard to spot. Correlating events from different tools and processes can make these attacks much more apparent.
  • Ensure that all personnel associated with information security communicate with each other. It’s difficult to effectively detect and stop attacks if the right hand doesn’t know what the left hand is doing.
  • Ensure that logging is turned on for everything on the network that is capable of it. Attacks often start on client-side machines.
  • Don’t just monitor technical outputs from machines and programs, monitor access rights and the overall security program as well:
    • Monitor access accounts of all kinds on a regular basis (at least every 90 days is recommended). Ensure that user accounts are current and that users are only allocated access rights on the system that they need to perform their jobs. Ensure that you monitor third party access to the system to this same level.
    • Pay special attention to administrative level accounts. Restrict administrative access to as few personnel as possible. Configure the system to notify proper security and IT personnel when a new administrative account is added to the network. This could be a sign that a hack is in progress.
    • Regularly monitor policies and procedures to ensure that they are effective and meet the security goals of the organization. I recommend doing this as a regular part of business continuity testing and review.