As confirmed by PricewaterhouseCoopers, attacks against small and midsized businesses (SMBs) increased by 64 percent between 2013 and 2014. Why? Low cost, high reward.

Attackers can break through millions of poorly defended SMBs through automation, gaining access to a treasure trove of data. Small-business vulnerability assessments can identify your weaknesses, but they take time away from daily operations. Is a security vulnerability assessment really worth the resources? These five questions will help you decide.

What Does It Entail?

A vulnerability assessment identifies your valuable assets and the ways an attacker could get at them. For reference, 2014’s most common attack vectors were:

  • Software exploit (53 percent).
  • User interaction, such as opening a malicious email attachment or clicking through an unsafe URL (44 percent).
  • Web application vulnerability, like SQL injection, XSS or remote file inclusion (33 percent).
  • Use of stolen credentials (33 percent).
  • DDoS (10 percent).

It’s impossible to patch every vulnerability. “You can scan and patch 24/7, 365 days a year,” says Forrester security researcher Kelley Mak, “and still not take out a significant chunk.” The key is to identify vulnerabilities that will result in the most damage to your bottom line.

How Frequently Should We Assess?

Frequency depends on what kind of data you store and what kind of business you operate. If you can say yes to the following, you should assess more often:

  • You’ve never assessed security vulnerability before, or it’s been a while. In either case, establish a baseline with frequent assessments for a year or so. Then dial back the frequency.
  • You’re subject to regulatory compliance. If you’re just checking boxes, you’re only getting a limited security picture. Compliance is a baseline, not an effective defensive posture.
  • You’re a contractor for a government agency or a high-value enterprise target. Cybercriminals love to use SMB vendors as a stepping stone into higher-value targets. If one of your employees’ stolen credentials cost an enterprise customer millions of dollars, you could kiss your contract goodbye.

Can Ops Do It?

Give another sysadmin the SANS Top 20 Critical Security Controls. If they can understand them, evaluate the business against them and remediate the issues they turn up, let them handle it.

Already too busy to take on the project? Bring in a specialist. Keep expenses down by getting an initial third-party assessment, drafting an action plan and joining the entire ops team in implementing it.

What Does a Top-Notch Third-Party Assessment Look Like?

Before you hire someone, ask them to explain how they conduct a security vulnerability assessment. According to Robbie Higgins, CISO of AbbVie and author for SearchMidmarketSecurity, their services should include:

  • Information and infrastructure evaluation. The consultant should look at your information systems, stored data, hardware and software. Critical systems like billing, HR, CRM, legal and IP repositories are vital, but you should also focus on minor systems accessible by your own vendors.
  • Current threat landscape. In addition to knowing today’s common exploits and malware trends, your consultant should tell you what types of data attackers are after as of late and what kinds of organizations they’re currently targeting.
  • Awareness of internal soft spots. Insider risk is not only disgruntled employees. An application that passes user-entered data straight into a database query exposes you to SQL injection.
  • Estimated impact. Your vendor should explain the degree to which each security vulnerability would affect data integrity, confidentiality and availability of your network resources.
  • Risk assessment. A good vendor combines weaknesses, threat landscape and potential impact to extrapolate your risks in priority order.
  • An action plan. Again, save on security consultation by letting your team execute this roadmap.

Is It Worth It?

Assessments and remediation could cost you in short-term payroll or a third-party consultant’s fee. But if they prevent a data breach that could shut down your business, almost any price is worthwhile.

It’s been a year since Sony Pictures employees logged into their workstations, expecting to start a normal workday, when they were greeted by soundbites of gunfire, images of skeletons and threats scrolling across their monitors. To date, the Sony Pictures attack is arguably the most vivid example of advanced persistent threats used to disable a commercial victim. A corporate giant was reduced to posting paper memos, sending faxes and paying over 7,000 employees with paper checks.

How Advanced Persistent Threats Work

Writing for the Wall Street Journal, security expert Bruce Schneier describes advanced persistent threats (APTs) as the most focused and skilled attacks on the Web. They target high-level individuals within an organization, or attack other companies that have access to the target.

After obtaining login credentials, the attackers escalate to administrative privileges, move data around and use sophisticated techniques to evade detection. APTs can persist undetected inside networks for months, even years.

What They Do

Most APTs are deployed by government agencies, organized factions of cybercrime or activist groups (often called “hacktivist” groups). According to Verizon’s most recent Data Breach Investigations Report, APTs primarily target three types of organizations: public agencies, technology/information companies and financial institutions.

Some APTs are designed to steal specific information, such as a company’s intellectual property. Others, such as the Stuxnet worm, are used to spy on or even sabotage another government’s systems. APTs like the one launched against Sony seek to embarrass an organization over a particular grievance. Hackers reportedly had a beef with Sony dating back to 2005, when Sony BMG shipped copy-protection software (later shown to be a rootkit) on its music CDs.

Peter Elkind, writing for Fortune, reported that attackers using advanced persistent threats managed to disable Sony Pictures by:

  • Erasing the storage data on 3,262 of 6,797 personal computers and nearly half of its network servers.
  • Writing over these computers’ data in seven different ways and deleting each machine’s startup software.
  • Releasing five Sony Pictures films, including four unreleased movies, to torrent sites for downloading.
  • Dumping 47,000 Social Security numbers, employee salary lists and a series of racist internal emails directed at President Obama.

Limiting Damage from APTs

Maintaining patches and upgrades, running antivirus and enabling network perimeter detection are worthwhile defenses, but they rarely work against an intruder who already holds high-level login credentials. With sufficient skill, resources and time, attackers can penetrate even the best-fortified network. Organizations should start by enforcing least-privilege access controls and training critical employees to recognize and avoid spearphishing.

While you’re at it, use network monitoring to detect APTs early, and watch for the telltale signs of an attack in progress. Some of these are as follows:

Late-Night Login Attempts

A high volume of login attempts occurring when no one’s at work is a simple but critical APT indicator. They may appear to come from legitimate employees, but they’re actually attackers — often in another timezone, according to InfoWorld — using hijacked credentials to access sensitive information at odd hours.
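As an added example (not code from the original post or from InfoWorld), here is a small detector for this indicator. It scans constructed login records, counts attempts per account outside a 07:00–19:00 weekday window, and reports how many failed and whether any source address lies outside the organization's own ranges. The log format, the business hours, the internal address ranges and the `backup_svc` allowlist are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from a real system). Timestamps are
# assumed to already be in the organisation's local time zone.
SAMPLE_LOG = """\
2015-11-24 09:02:11 login OK user=alice src=10.0.4.21
2015-11-24 13:45:02 login OK user=bob src=10.0.4.33
2015-11-24 02:13:40 login OK user=cfo_jane src=203.0.113.9
2015-11-24 02:14:05 login OK user=cfo_jane src=203.0.113.9
2015-11-24 02:31:59 login OK user=cfo_jane src=203.0.113.9
2015-11-24 03:02:17 login OK user=cfo_jane src=198.51.100.7
2015-11-24 23:55:00 login OK user=backup_svc src=10.0.9.2
2015-11-25 00:01:10 login FAIL user=alice src=203.0.113.9
2015-11-25 00:01:14 login FAIL user=alice src=203.0.113.9
2015-11-25 00:01:22 login OK user=alice src=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed business window (hours, local time); weekends are always off-hours.
BUSINESS_START, BUSINESS_END = 7, 19
# Assumed service accounts that legitimately run overnight jobs.
NIGHT_ALLOWLIST = frozenset({"backup_svc"})
# Assumed address space of the organisation; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def is_off_hours(ts: datetime) -> bool:
    """True outside the weekday business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def is_external(src: str) -> bool:
    """True if the source address is not inside one of our own ranges."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in INTERNAL_NETS)


def off_hours_findings(log_text: str, threshold: int = 3) -> list[dict]:
    """One finding per account with at least `threshold` off-hours attempts."""
    attempts: dict[str, list[tuple[datetime, str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these too
        ts = parse_ts(m["ts"])
        if m["user"] in NIGHT_ALLOWLIST or not is_off_hours(ts):
            continue
        attempts[m["user"]].append((ts, m["result"], m["src"]))

    findings = []
    for user, events in sorted(attempts.items()):
        if len(events) < threshold:
            continue
        sources = sorted({src for _, _, src in events})
        findings.append({
            "user": user,
            "attempts": len(events),
            "failures": sum(1 for _, result, _ in events if result == "FAIL"),
            "sources": sources,
            "external_sources": [s for s in sources if is_external(s)],
            "first": min(ts for ts, _, _ in events).isoformat(),
            "last": max(ts for ts, _, _ in events).isoformat(),
        })
    return findings


if __name__ == "__main__":
    for finding in off_hours_findings(SAMPLE_LOG):
        print(finding)
```

Both flagged accounts deserve a call to the employee the next morning: one shows repeated overnight logins from two addresses outside the company, the other a burst of failures followed by a success at one minute past midnight. Tune the threshold against a week of real logs before alerting on it, and keep the allowlist short and reviewed, since a compromised service account is exactly what an attacker would hide behind.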

Backdoor Trojans

By dropping backdoor Trojan horse malware on multiple endpoint computers, attackers maintain access to the system even when they lose access in another area. Security personnel should never stop after finding a backdoor Trojan on one computer; there may be more still on the network.

Shadow Infrastructure

Attackers frequently set up an alternate infrastructure inside the existing network to communicate with external command-and-control (C&C) servers. They have even been known to register a series of look-alike domains and subdomains based on old company names so that their traffic appears legitimate. When people visited the real domain, the attackers’ C&C server redirected them to fake URLs.
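An added example, not part of the original post: a resolver-log check for the look-alike domains described above. Given the organization's current and legacy brand names and the domains it actually owns, it flags queried names whose second-level label is within a small edit distance of a brand, embeds a brand in a domain the organization does not own, or uses a brand as a subdomain of an unrelated domain. The brand names, owned domains and log lines are constructed; the registrable-domain split is a simplification noted in the code.

```python
import re
from typing import Optional

# Current and legacy brand names, and the domains the organisation actually
# owns (all constructed for the example).
BRANDS = ("examplecorp", "oldname-holdings")
OWNED_DOMAINS = frozenset({"examplecorp.com", "oldname-holdings.com"})

# Constructed resolver log: timestamp, client, queried name, record type.
DNS_LOG = """\
2015-11-24T02:10:01 10.0.4.21 www.examplecorp.com A
2015-11-24T02:10:03 10.0.4.21 update.examp1ecorp.com A
2015-11-24T02:11:00 10.0.4.33 oldname-holdings.examplecdn.org A
2015-11-24T02:12:09 10.0.4.21 login-examplecorp.com A
2015-11-24T09:00:00 10.0.4.50 www.google.com A
2015-11-24T09:00:01 10.0.4.50 oldnameholdings.net A
2015-11-24T09:05:00 10.0.4.21 update.examp1ecorp.com A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) by the usual DP over two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_name(qname: str) -> tuple[list[str], str]:
    """Return (labels, registrable domain).
    Simplification: the registrable domain is taken as the last two labels.
    A real tool should use the Public Suffix List so names like
    example.co.uk are split correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return labels, ".".join(labels[-2:])


def classify(qname: str, max_distance: int = 2) -> Optional[str]:
    """Why a name looks like attacker infrastructure, or None if it does not."""
    labels, registrable = split_name(qname)
    if registrable in OWNED_DOMAINS or len(labels) < 2:
        return None
    sld = labels[-2]
    for brand in BRANDS:
        if levenshtein(sld, brand) <= max_distance:
            return f"look-alike of {brand} ({registrable})"
        if brand in sld:
            return f"embeds {brand} in unowned domain {registrable}"
        if any(brand in label for label in labels[:-2]):
            return f"{brand} used as subdomain of unrelated domain {registrable}"
    return None


def suspicious_queries(log_text: str) -> list[dict]:
    """Group lookups per queried name and return the ones that match a brand."""
    seen: dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qname, _qtype = m.groups()
        reason = classify(qname)
        if reason is None:
            continue
        entry = seen.setdefault(qname.lower(), {
            "name": qname.lower(), "reason": reason,
            "clients": set(), "lookups": 0, "first_seen": ts,
        })
        entry["clients"].add(client)
        entry["lookups"] += 1
    return [dict(e, clients=sorted(e["clients"]))
            for e in sorted(seen.values(), key=lambda e: e["name"])]


if __name__ == "__main__":
    for hit in suspicious_queries(DNS_LOG):
        print(hit)
```

Every hit is a lead, not a verdict: legitimate CDNs and marketing agencies register brand-bearing names all the time, so the working list of owned domains must be kept current, and a hit from a single workstation at two in the morning matters more than the same name resolved by a hundred hosts at noon.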

Outbound Data Abnormalities

InfoWorld also suggests looking for unusual movements of outbound data, including transfers between computers inside the company’s own network. Attackers love to build internal “way stations,” assemble gigabytes of data there and compress the files before exfiltrating them.
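An added example (mine, not InfoWorld's or the original post's) that turns the two signs above into a check over constructed flow summaries: each host's egress to the outside is compared with the median of its own previous days, and large internal host-to-host transfers are reported as possible staging, with a note when the receiving host is the one now spiking. Address ranges, thresholds and the flow records are assumptions chosen for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed per-flow byte counts (date, source, destination, bytes sent),
# as a flow collector or proxy log would summarise them. Not real data.
FLOW_CSV = """\
date,src,dst,bytes
2015-11-20,10.0.4.21,93.184.216.34,95000000
2015-11-21,10.0.4.21,93.184.216.34,110000000
2015-11-22,10.0.4.21,93.184.216.34,90000000
2015-11-23,10.0.4.21,93.184.216.34,105000000
2015-11-23,10.0.9.2,10.0.4.21,5000000000
2015-11-24,10.0.4.21,198.51.100.7,6200000000
2015-11-20,10.0.4.33,93.184.216.34,40000000
2015-11-21,10.0.4.33,93.184.216.34,45000000
2015-11-22,10.0.4.33,93.184.216.34,38000000
2015-11-23,10.0.4.33,93.184.216.34,42000000
2015-11-24,10.0.4.33,93.184.216.34,44000000
2015-11-24,10.0.9.2,10.0.4.33,200000000
"""

# Assumed internal address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def load_flows(text: str) -> list[tuple[str, str, str, int]]:
    return [(r["date"], r["src"], r["dst"], int(r["bytes"]))
            for r in csv.DictReader(io.StringIO(text))]


def detect_outbound_anomalies(flows, day: str, factor: float = 5.0,
                              floor: int = 500_000_000,
                              staging_min: int = 1_000_000_000) -> list[dict]:
    """Flag hosts whose egress on `day` is far above their own history, and
    internal transfers large enough to be staging for exfiltration.
    `factor` is the multiple of the host's median daily egress that counts as
    a spike; `floor` stops tiny baselines from producing noise."""
    external = defaultdict(lambda: defaultdict(int))  # src -> date -> bytes to outside
    internal = defaultdict(int)                         # (src, dst) -> bytes up to `day`
    for date, src, dst, nbytes in flows:
        if date > day:                                  # ISO dates compare as strings
            continue
        if is_internal(dst):
            internal[(src, dst)] += nbytes
        else:
            external[src][date] += nbytes

    findings = []
    spiking = set()
    for src, per_day in sorted(external.items()):
        today = per_day.get(day, 0)
        history = [b for d, b in per_day.items() if d < day]
        baseline = median(history) if history else 0
        if today > max(factor * baseline, floor):
            spiking.add(src)
            findings.append({
                "type": "egress_spike", "host": src, "bytes": today,
                "baseline": baseline,
                "ratio": round(today / baseline, 1) if baseline else None,
            })

    for (src, dst), nbytes in sorted(internal.items()):
        if nbytes >= staging_min:
            findings.append({
                "type": "internal_staging", "src": src, "dst": dst,
                "bytes": nbytes, "followed_by_exfil": dst in spiking,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_outbound_anomalies(load_flows(FLOW_CSV), "2015-11-24"):
        print(finding)
```

On the sample data the file server pushes five gigabytes to a workstation on the 23rd and that workstation sends sixty times its usual daily volume to an outside address on the 24th, which is the staging-then-exfiltration pattern InfoWorld describes. A host-specific baseline matters here: a flat, network-wide threshold would either fire on the backup server every night or never notice a workstation that normally moves a hundred megabytes a day.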

Threat intelligence consultants are always at your disposal, but they shouldn’t be the ones who wait for 15 minutes — surrounded by logged-in workstations — before a single human comes to greet them. To be prepared for a major attack, today’s IT departments should fortify security and network monitoring tools to detect APTs, and tell any contractors they work with to do the same.

Information security isn’t what it used to be — firewalls, although necessary, are not enough to prevent a data breach. The problem for IT is that the old methods of keeping data secure are not enough to stop intruders who, for instance, use sophisticated phishing attacks on unaware employees.

Ashok Sankar, director of cybersecurity at Raytheon-Websense, said in Computer Weekly that cybercriminals are determined to breach company security walls, no matter how long it may take them. But these concerns can’t pose a roadblock to innovations in, say, the cloud, and impede businesses in their efforts to access new markets and gain a competitive advantage.

RSA president Amit Yoran agrees, according to SC Magazine, calling information security fundamentally broken. Firewalls and policing network perimeters just make you “feel safe” without addressing the real security problems.

The evolution of security is widely discussed in the technology community:

Traditional approaches to security are making us more vulnerable to attack, suggests Yoran. It’s time to rethink security to become less reactive and more resilient.

Measure Your Detection Deficit

Teach employees to use all of their mobile devices, cloud applications and business innovations securely. “This means understanding their needs, explaining to them the security implications and coming to a consensus on what can and what cannot be done,” says Sankar. “If employees want flexibility, they must understand the responsibilities that go with that.”

Stop measuring security strength by the number of attacks a system has endured and stopped. Instead, monitor the time elapsed between the data breach and when the intruder has been detected and contained — otherwise known as the detection deficit.

Firewalls Aren’t Impervious to Breaches

Firewalls also do little to contain an intrusion once it is inside the business. To protect your organization’s assets, prepare for an advanced persistent threat (APT), which is deliberate, targeted and malicious.

Assess Your Loopholes and Know What to Protect

The first step is to prioritize. Align your security goals with those of business executives to determine which assets are most sensitive. “It is now imperative to develop a layered security approach that will amp up the security arsenal with a 360-degree visibility into all corners of the network,” warned Chloe Green, security reporter for Information Age.

Ultimately, you need to improve how you monitor for and detect a data breach. Breaches come through gaps in your security that a lockdown cannot close once malware is already installed; close those gaps and you will be better able to protect your most important information.

What Absolutely Needs Securing?

According to a report by the privacy and data-protection team at Baker & Hostetler LLP, 36 percent of incidents stemmed from employee negligence, while only 22 percent came from external theft.

Telling your employees not only what information they must protect but also how to protect it removes a large share of your data loss risk.

Preparing for an APT Prepares You for the Worst

If you’re going to contain the scope of a potential APT, a firewall won’t be enough. End-to-end encryption for data in motion and comprehensive monitoring of all inbound and outbound traffic in your network have to be top priorities. End-to-end encryption protects data being transferred or shared between endpoints, whether people or systems. Pair your traditional security solutions with advanced detection and real-time analytics, provided they’re configured to detect malicious activity before it causes actual damage. Baseline the traffic of every IP-addressed device that connects to the network, so that an anomalous pattern can be tied to a specific host and that host isolated immediately.

Security measures can help you minimize the looming threat of a data breach. It’s no longer practical — let alone sustainable — to approach problems with the idea that they can all be prevented once they touch your network.

There is so much to absorb at RSA Conference.  The largest gathering of security vendors, solution providers and practitioners in the U.S. certainly didn’t disappoint as the Moscone Center was buzzing with security education and of course lots of thought provoking conversations.

Many of the people I spoke with shared similar concerns about data breach risk, tighter compliance and auditing requirements, and their lack of visibility and control over the tools people are using inside their organizations to share files and data with others.  IT leaders are feeling pressure (and rightfully so) to regain control over how people share files.  It was also great to hear so many people talking about migrating to public and private clouds in order to take advantage of benefits such as quick provisioning and elasticity.

My favorite conversations at conferences are usually the ones I have with current customers, and RSA was no exception.  Quite frankly, the key insights I learn from talking with customers help me do my job better.  Many thanks to the dozen or so Ipswitch customers who stopped by our booth and shared stories of how they have consolidated and replaced the homegrown file transfer tools and scripts, assorted vendor products and manual processes they had been relying on with an Ipswitch MFT solution, resulting in more efficient business processes as well as a simpler way to demonstrate compliance and consistently enforce security policies across all their file transfer and file sharing activities.

Education IT systems seem to have a large target on their back these days.  According to an October 2010 McAfee study, universities and colleges rank first in the ‘Top 10 Riskiest Places to Give Your Social Security Number’.  Cyber crooks are attracted to the vast pools of personal data available on university and educational IT systems.  And unlike typical commercial organizations, universities and schools can’t simply lock the doors in the evening and feel assured that their network is somewhat secure.  Open buildings and computer lab environments complicate the physical security policies for these institutions.  As a result, “State schools and universities are among the most likely government agencies to suffer data breaches.”

Breaches seem to be a continuous part of the news headlines these days, but one article in particular caught my eye in the last few weeks.  In mid-January, a California city college notified more than 13,000 students and employees about a breach that was discovered in late November.  The breach was identified when the IT department found gaps in the data logs of a server located in a campus computer lab.  After investigating these gaps, they found a virus that had been on the college’s system since 1999, more than a decade.  During the investigation, they also found transmissions that had been sent to Russia, China and several other countries; however, the college hasn’t confirmed what type of data was sent in these transmissions.

As schools add new devices to their networks, those networks become more complex and harder to manage and control.  How can education institutions that are struggling to control costs mitigate these risks across their expanding networks while protecting students’ and employees’ data?  Abnormal behavior often provides the best insight for network administrators who need to prevent breaches and system failures. Cost-effective solutions exist that can help institutions watch their networks for unusual behavior, which may include:

  • Unconventional network traffic patterns
  • Unauthorized access attempts
  • Resource utilization spikes
  • Unauthorized configuration changes

To learn more about these IT Management best practices for Education, please listen to our latest webcast that provides insight into mitigating data breach risks or download our best-practice white paper.

Looking back at 2011, we saw more and more employees using consumer-grade (and often personally owned) file sharing technologies such as USB drives, smartphones, personal email accounts, and file sharing websites to move sensitive company information.  We’ve learned that employees will “do what they need to do” to be productive and get their job done… And if IT doesn’t provide them with the right tools, they will find their own.

2011 was also a record-breaking year for data breaches.  Coincidence?   Perhaps.  But there is no denying the fact that the increased use of non-sanctioned technology in the workplace has created a security loophole in many organizations.  It will become increasingly important for organizations to mitigate this risk to avoid a failed security or compliance audit or worse, a data breach.

Ipswitch can help your organization meet the security, usability and visibility requirements for file sharing.  For example, our Ad hoc Transfer module for MOVEit DMZ enables organizations to enforce consistent policies and processes around person-to-person file transfers: email encryption, attachment offloading, secure messaging, eDiscovery and more.  It not only gives companies unparalleled governance, but it also allows end users to send information to anyone in a fast, easy, secure, visible and well-managed way.

We will be talking a lot more about the topic of person-to-person file sharing in 2012, so stay tuned.

Data breaches around the world are a costly problem; in the UK, the average annual cost of a data breach is £1.9m.  However, there is a cost-effective resolution: the WhatsUp Gold compliance solution!

Tune in to IT Compliance in the European Union Wed., Dec. 14 at 9am ET hosted by solutions manager, Alex Coco, to learn what you need to know to protect your critical business assets and to stay on the good side of compliance officers. Topics covered will range from a general overview of major regulatory requirements in the European Union to tips on how to leverage your WhatsUp Gold investment.

At the end of the webinar – one registrant will be selected to win an iPad! REGISTER NOW!

Hey SEC, it’s Frank Kenney at Ipswitch. I don’t mean to rock the boat but I had a few quick questions regarding your recent announcement that you are requiring companies to notify their customers of a breach or risk of breach.

  1. What’s a “breach”? Does it mean the bad guys came in and took the data? Or maybe the data was left unencrypted? Or perhaps an executive lost his or her BlackBerry?  Wikipedia talks about breaches of confidence, breaches of contract and breaches of faith. Is it all or none of the above?
  2. What does “notify” mean? Email? Snail mail? SMS? Press release? Facebook status update? Tweet? We just don’t know. And when do they need to send that out? When it happens (or it happened?) When it was discovered? When it was fixed? This is key and I say this because the breaches that happened were reported months after they actually happened. So when?
  3. And by “customers”, do you mean people who pay for my services? What if my services are free like social networks? Does free = exempt? What if I give you my email and contact info, does that make me a customer?
  4. What in the world is “risk of breach” and why shouldn’t I just fix it instead of telling my customers?

If you don’t mind I’d like to give the public in general my 2 cents…

The real story is this: we should all take these breaches seriously because at some point they will impact us individually. We must make it crystal clear to our service providers, our Internet providers and in some cases our employers that there need to be policies and enforcement around the proper use and retention of our private information. We must also make clear that these same providers must put processes in place to better communicate and resolve any future data breaches. In much the same way we now see consumers making purchase decisions based on the carbon footprint of their suppliers/providers, the same approach will be taken when it comes to private confidential information. We at Ipswitch believe putting a secure managed file transfer solution in place will allow these suppliers to stem breaches by giving them visibility into how data is being accessed and for what purpose BEFORE these breaches happen.

Have you done enough to protect your business against data breaches? People assume only large businesses are susceptible, but research shows otherwise.  In fact, attacks on companies with 100 or fewer employees are rising, according to Verizon and the U.S. Secret Service: small businesses accounted for 27% of breach victims in 2009 and 63% in 2010, which is extremely concerning.  Most data breaches occur when a third party gains access to confidential digitally stored information through weak firewalls or passwords, and can result in the loss of anything from bank account information to legal secrets.  To protect against these threats, businesses should be proactive: identify weaknesses, strengthen passwords, secure firewalls, store records properly and train employees to be watchful and cautious.  If preventive steps are not taken, losses can be substantial and devastating!

Check out this cool infographic on data breaches!  http://networkedblogs.com/nY2xO   


As George Hulme recently wrote, the vision of Senator Richard Blumenthal’s data breach legislation is simple enough:  Protect individuals’ personally identifiable information from data theft, and penalize firms that don’t adequately secure their customers’ information.

Clearly, there’s a need for organizations to better secure confidential and private customer information.  It seems that a week rarely passes without a new high-profile data breach in the news.  In fact, 2011 is trending to be the worst-ever year for data breaches.  And that is despite many U.S. states introducing legislation that expands the scope of state laws, sets stricter requirements related to notification of data breaches involving personal information, and increases penalties for those responsible for breaches.

The need to protect customer data is unanimously shared by honest people worldwide. The issue is HOW to effectively govern and enforce the various data protection requirements and laws.

I agree with Senator Blumenthal’s concept of establishing “appropriate minimum security plans”. But color me skeptical on the government’s ability to appropriately monitor and enforce those plans, especially after witnessing the mighty struggles at effectively governing the dozens of state laws already on the books.

My skepticism is shared by many, including Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation:  “The devil is in the details with these laws.  We’ve had regulations, from Gramm-Leach-Bliley to HIPAA, that purport to help protect consumer data.  Companies are already victims in these attacks, so why are we penalizing them after a breach?  I think that’s because it’s easier to issue fines than it is to track down the criminals and go after them.”

In my opinion, business leaders need to prioritize their own internal efforts to properly protect sensitive information rather than wait on the government to catch up.  First order of business is to identify where confidential files and data live in your organization and ensure visibility of that info (after all, how can you protect what you don’t know about?).  Fortunately, there are technology solutions available to help organizations better manage and govern their critical files and data as they are being moved and consumed both internally and with business partners and across people, systems and various business applications.

Recently, Cisco published a blog post on an interview with a former Anonymous hacker who offered his top security tips for the enterprise. Some of the suggestions were fairly obvious, while others were intuitive and absolutely on point. For example:

#5: Teach your staff about information security

Take note, he didn’t refer to just security staff; he was referring to the entire staff – from the administrative assistants to the most critical of security analysts. In fact, a recent Ipswitch survey shows that even the most stringent security professionals break protocol when it comes to the transfer and collaboration of information. And these folks have tons of acronyms behind their names!

What chance does the layman have? Establishing the groundwork for the dissemination and adherence to corporate policies around information security is a positive set of actions to better protect companies.

There needs to be a general awareness around information security and data and a clear understanding of the security and risk issues associated with physical media, such as DVDs and memory sticks, and outside services, like Gmail, which allows employees to ‘easily’ send large files.  This combination can be the best deterrent to data breaches.

#6: Teach your staff about social engineering

The use of technology to interact and collaborate – and how that collaboration can involve unknown third parties – is the very reason your staff should have an understanding of social engineering. Let’s face it, anyone can get an e-mail address and register on any social site. Hackers, thieves, con artists and scammers aren’t the only ones who want access to your personal information.

Employees who use shareware or free cloud services expose sensitive information and risk an unintentional data breach. Employees who work from home, on a personal machine late at night or on an unapproved smartphone (at any hour) are the biggest targets for hackers and breaches. How many corporate iPhone users are there anyway?

#13: Keep an eye on what information you are letting out into the public domain

In many cases, information about major IT purchases and deployments by publicly traded companies is public record. A move to incorporate MySQL databases, a content management system based on open source technology or even portal technologies can give a hacker everything they need to exploit your system.

Again, this is an issue of determining risk associated with information and mitigating that risk. Laying out your architecture and your infrastructure blueprints for the world to see may not be the best idea for your company…

#14: Use good physical security. What good is all the [security] software if someone could just walk in and take your “secure” system?

Stop everything you’re doing and walk from the front entrance of your office to the mailroom.

Is that door of the mailroom locked? How hard is it to just pick up a backup tape or CD and slip it into a bag? For that matter, how hard is it to just walk into the office without proper credentials? And when you walk into your office, are there secure terminals? Maybe someone in human resources went to the break room for coffee and neglected to lock their computer?

A simple misplaced memory stick or an unsecured PC is a recipe for disaster. There is never any excuse for leaving a terminal unsecured in a public or semipublic setting. My rule of thumb: if you can’t leave your purse or wallet open with hundred-dollar bills in plain view, you cannot leave your desktop, laptop, smartphone or a terminal unsecured.

All in all, I think the suggestions make sense. Looking at a few of the tips allows you to take a few steps in the mind of a hacker. A few seconds of non-diligence equals a career of regret.

You might say that the entire point of a Managed File Transfer (MFT) system is to do exactly that: provide centralized management and control. For example, let’s say that your company is subject to the Payment Card Industry Data Security Standard (PCI DSS). Requirement 4 of PCI DSS is to “encrypt transmission of cardholder data and sensitive information across public networks,” such as the Internet. Let’s also say that you frequently need to transmit cardholder data to partner companies, such as vendors who will be fulfilling requests.

One option is to simply allow someone within your company to email that information, or to have an automated process do so. You’ll need to ensure that everyone remembers to encrypt those emails — you did remember to get digital certificates for everyone, correct? — every single time. If someone forgets, you’ve created the potential for a data breach, and it’s not going to look very good for your company on the evening news.

Another option is to automate the file transfer using an MFT solution. That solution can be centrally configured to always apply PGP-based encryption to the file, to always require an FTP-over-SSL connection with the vendors’ FTP servers, and to always require 256-bit AES encryption. You don’t have to remember those details beyond the initial configuration — it’s centrally configured. Even if your users need to manually transfer something ad-hoc — perhaps an additional emergency order during the Christmas rush — your MFT solution will “know the rules” and act accordingly. Your users’ lives become easier, your data stays protected, and everyone sleeps more soundly at night. This central control is often referred to as policy-based configuration because it’s typically configured in one spot and enforced — not just applied — to your entire MFT infrastructure, regardless of how many physical servers and clients you are running.
What’s the difference between enforced and applied? Making a configuration change is applying it. That doesn’t, of course, stop someone else from coming along behind you and applying a new configuration. The idea with policies is that they’re configured sort of on their own, and that they’re protected by a unique set of permissions that govern who can modify them—they’re not just wide‐open to the day‐to‐day administrators who maintain your servers. In many cases, a review/approve workflow may have to be followed to make a change to a policy. Once set, the policies are continually applied to manageable elements such as MFT client software and MFT servers. A server administrator can’t just re-configure a server, because the policy prevents it. The MFT solution ensures that your entire MFT infrastructure stays properly configured all the time.

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones
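As an added example, not the book's or Ipswitch's code, the Python below shows what "require FTP over SSL" has to mean in practice if it is to be enforced rather than merely applied: the transfer function refuses any job that breaks the central policy and, for jobs that pass, connects with a TLS context that verifies the server certificate, enforces a minimum TLS version, restricts the TLS 1.2 cipher suites to AES-256 and turns on PROT P so the data channel is encrypted as well as the control channel. Host names, user names, policy values and the PGP flag on the job are assumptions; producing the PGP-encrypted payload itself is outside this snippet.

```python
import ssl
from dataclasses import dataclass
from ftplib import FTP_TLS
from typing import Optional


@dataclass(frozen=True)
class TransferPolicy:
    """Centrally defined rules every outbound transfer must satisfy (assumed values)."""
    require_tls: bool = True
    min_tls_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2
    require_pgp_payload: bool = True
    aes256_only: bool = True


@dataclass(frozen=True)
class TransferJob:
    """One outbound transfer as a user or scheduler would request it (hypothetical)."""
    host: str
    protocol: str             # "ftp" (plaintext) or "ftps" (FTP over TLS)
    payload_pgp_encrypted: bool
    username: str = "partner"


def policy_violations(job: TransferJob, policy: TransferPolicy) -> list[str]:
    """Return every rule the job breaks; an empty list means the job may run."""
    problems = []
    if policy.require_tls and job.protocol != "ftps":
        problems.append(f"{job.protocol} to {job.host}: transport must be FTP over TLS")
    if policy.require_pgp_payload and not job.payload_pgp_encrypted:
        problems.append(f"payload for {job.host} is not PGP-encrypted")
    return problems


def strict_ftps_context(policy: TransferPolicy, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """A client context that rejects unverified servers and weak protocol versions."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.check_hostname = True                          # stated explicitly so a later edit cannot quietly drop it
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = policy.min_tls_version
    if policy.aes256_only:
        # Applies to TLS 1.2 suites; TLS 1.3 suites are fixed by OpenSSL and are all AEAD.
        ctx.set_ciphers("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384")
    return ctx


def send_file(job: TransferJob, local_path: str, remote_name: str, password: str,
              policy: TransferPolicy = TransferPolicy()) -> None:
    """Refuse non-compliant jobs, then upload over an encrypted control and data channel."""
    problems = policy_violations(job, policy)
    if problems:
        raise PermissionError("transfer blocked by policy: " + "; ".join(problems))
    ctx = strict_ftps_context(policy)
    with FTP_TLS(context=ctx) as ftps:
        ftps.connect(job.host, 21)
        ftps.auth()        # explicit TLS on the control channel before any credentials are sent
        ftps.login(job.username, password)
        ftps.prot_p()      # PROT P: encrypt the data channel too, not only the control channel
        with open(local_path, "rb") as fh:
            ftps.storbinary(f"STOR {remote_name}", fh)


if __name__ == "__main__":
    job = TransferJob("files.vendor.example", "ftp", payload_pgp_encrypted=False)
    try:
        send_file(job, "orders.csv.pgp", "orders.csv.pgp", password="secret")
    except PermissionError as exc:
        print(exc)
```

The two details most often missed in home-grown scripts are the ones the context makes explicit: certificate verification (a plain `FTP_TLS()` with no context happily accepts any certificate) and `prot_p()`, without which the login is protected but the cardholder data itself crosses the Internet in the clear. Whether the policy object lives in code, a signed configuration file or an MFT server's policy store is secondary; what matters is that the transfer path cannot run without it.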

To read more, check out the full eBook or stay tuned for more file transfer tips and tricks!