During our engagements, we routinely look for source code or other internal sensitive information that could have been inadvertently posted. The team has been doing this as part of our standard engagements for quite awhile, and we routinely identify information through this method that clients are always thankful of being notified about. “But I have DLP!” – quite frequently, DLP won’t detect uploads to sites like Pastebin or Github.
If yours is like most organizations, you have a policy or requirement of periodic (usually annual) risk assessment. Financial organizations and medical concerns, for example, fall under this requirement. Also, many organizations that have no regulatory requirement to perform risk assessment, perform one as a matter of best practice. And since you are doing one anyway, you might as well get maximum use from it.
It is the season when many concerns are allocating resources for the coming year. The information security budget is usually limited, even if it is adequate to protect the system and the information it contains. It is therefore very important that information security dollars be allocated wisely, and to maximum effect. To make a wise decision, you need to have the best and most current information. The results of an enterprise-level risk assessment are an excellent source of such information.
CBS News recently did an interesting piece on ransomware, and the various reasons that businesses may choose to pay the ransom.
These ransom payments can range from a few thousands – Lees, Alabama negotiated their attacker down from $50,000 to $8,000 – to half a million dollars or more.
On the flip side of the coin, Atlanta, GA decided not to pay a ransom demand of approximately $50,000 – instead spending upwards of $17 million to recover from the attack.
If you look at modern information security guidance such as the Center for Internet Security Top 20, the NIST Cybersecurity Framework or MicroSolved’s own 80/20 Rule for Information Security, the first controls they recommend implementing are inventories of hardware and software assets. There are several good reasons for making IT asset inventories job number one.
There has been a lot of talk recently about getting rid of passwords as a means of user identification. I can certainly understand why this opinion exists, especially with the ever-increasing number of data breaches being reported each year. It’s true that we users make all kinds of mistakes when choosing, protecting and employing passwords. We choose easy to guess passwords, we use the same passwords for business access and for our personnel accounts, we write our passwords down and store them in accessible places, we reveal our passwords during phishing attacks, we reuse our old passwords as often as we can and we exploit every weakness configured into the system password policy. Even users who are very careful with their passwords have lapses sometimes. And these weaknesses are not going to change; humans will continue to mess up and all the training in the world will not solve the problem. However, even knowing this, organizations and systems still rely on passwords as the primary factor necessary for system access.
Data breaches from stolen or lost laptops are in the news far too often. And you know it happens even more often off the news. MicroSolved’s recommendation for field laptops that may contain databases with sensitive and personal information is to encrypt the data or entire volume. Using the BitLocker feature on Windows is one such solution.
Over the past few years we have seen plenty of news about data being stolen from misconfigured Amazon S3 buckets and other cloud based services. Now attackers are figuring out ways to further abuse these systems beyond simply stealing data.
In this episode (~45 minutes), I answer questions from the audience around blockchain and smart contract security considerations. I cover some of the reasons why I think these technologies are important, what their potential impacts are likely to be and how information security teams should prepare. Some of the questions drift into changes around store of value, investment insights and other closely related topics.
This episode is sponsored by MachineTruth™ – a new passive, analytics-based solution for network inventory, traffic analysis and security baselining. Learn more at http://www.machinetruth.net.