information security

What is Security Awareness Training?


Employees’ human errors are the weakest link in securing an organization’s confidential information. However, some small, inexpensive steps (through employee training) can reduce information risk.

Security Awareness Training (SAT) programs educate an organization’s workforce about the risks to information and the schemes employed by hackers. SAT gives employees the skills to act consistently in a way that protects the organization’s information assets. Bad actors target an employee’s natural human tendencies with phishing emails and spear-phishing campaigns, so SAT programs often include phishing simulation and other social-engineering tactics such as text-message smishing and unattended USB drives. SAT products provide a comprehensive approach to employee training that empowers employees to recognize and avoid a broad range of threat vectors.


SAT is an effective and easy way to reduce risk. Corporate risk is reduced by changing the (human) behavior of employees. Leading products in this market use innovative methods such as short, animated videos and pop quizzes to teach employees about information security threats.

SAT is not a one-and-done activity. In order to be effective, SAT must be implemented as an ongoing process. Physical security programs implemented to meet OSHA requirements serve as a good metaphor. SAT is a continuous improvement process; new threats emerge every day. The leading products incorporate new content on a regular basis and provide employee engagement opportunities that go well beyond the traditional computer-based training activities.

Ransomware 2.0 – Another Attack on Patient Records


Ransomware attacks are among the most serious and prevalent threats to data. Ransomware is best understood as a type of malicious software that intends either to publish or to block access to information until a “ransom” is paid. Although ransomware attacks have grown more complex, and the ability to reverse them has grown along with them, encrypting files and making them inaccessible until the ransom is paid creates real problems for organizations that store massive amounts of personal data.

One of the latest attacks was on Rochester, Minnesota-based Associates in Psychiatry and Psychology (APP) on March 31, 2018. The ransomware attack affected patient information for 6,546 individuals; thus far, it appears that the information was not in a “human-readable” format and that the protected health information wasn’t accessed or copied by the attackers.

Ransomware attacks like this speak to the need for information governance and vital records programs. While there isn’t an exhaustive list of information potentially accessed, it likely included:

  • Names
  • Birthdates
  • Addresses
  • Social Security numbers
  • Insurance information
  • Treatment records

APP responded promptly to the attack by taking its systems offline. Doing so in a timely manner likely stopped the spread of the attack and limited both the encryption of personal data and the data theft that would complete the “ransom” aspect of a ransomware attack.

APP, in a Q&A regarding the incident, reported that it was a “Triple-M” ransomware attack. This variation uses RSA-2048 encryption, which relies on long (2048-bit) keys to encrypt the data. A ransom was paid, because the backups holding the restore files could not be accessed as a result of the attack. The initial ransom demand of 4 Bitcoin ($30,000) was not paid; it was instead negotiated down to 0.5 BTC ($3,800). With the systems and data now restored, APP has installed additional layers of security as well as new remote-access policies.


What is Penetration Testing?


Penetration testing (“pen test”) is a technique used by information security (InfoSec) professionals to find weaknesses in an organization’s InfoSec defenses. In a penetration test, authorized cybersecurity professionals play the hacker’s role.


Penetration testing attempts to circumvent digital safeguards and involves simulating an attack by hackers or by an internal bad actor, using the same techniques that hackers use against companies every day. The results of a penetration test reveal (in advance) the vulnerabilities and weaknesses that could allow a malicious attacker to gain access to a company’s systems and data.

Some techniques used include brute-force attacks, exploitation of unpatched systems, and password-cracking tools. Organizations hire InfoSec experts with specialized training credentials—such as Certified Ethical Hacker (CEH) and Offensive Security Certified Professional (OSCP)—to conduct authorized attempts to breach the organization’s security safeguards. These experts begin the pen test by conducting reconnaissance, often creating an attack surface and internet footprint analysis to passively identify exposures, risks, and gaps in security. Once potential vulnerabilities are identified, the penetration testing team initiates the exploit attempts using automated tools to probe websites, firewalls, and email systems.

Successful exploits often involve multiple vulnerabilities, which are attacked over several days. Individually, none of the weaknesses is a wide-open door. However, when combined by an expert penetration tester, the result is a snowball effect that gives the pen tester an initial foothold inside the network from which they can pivot and gain access to additional systems.


Penetration testing is a useful technique for evaluating the potential damage from a determined attacker and for assessing the organizational risk such an attacker poses. Most hackers and criminals go after low-hanging fruit—easy targets. Regular penetration tests ensure that the effort required to gain access to internal networks is substantial. The result? Most hackers will give up after a few hours and move on to other targets that are not so well defended.

What is a Vulnerability Assessment?


The term vulnerability assessment applies to a broad range of systems. For example, in the context of a disaster recovery plan, the vulnerability assessment would include the likelihood of flooding, earthquakes, and other potential disasters.

In the digital sphere, a vulnerability assessment is an evaluation of an organization’s cybersecurity weaknesses. This process includes identifying and prioritizing specific computer configuration issues that represent vulnerable aspects of an organization’s computing platforms.

The Institute for Security and Open Methodologies (ISECOM, http://www.isecom.org/research/) publishes the Open Source Security Testing Methodology Manual (OSSTMM), which documents the components of a vendor-neutral approach to a wide range of assessment methods and techniques. A vulnerability assessment project typically includes the following:

  1. Inventory of computing assets and networked devices
  2. Ranking those resources in order of importance
  3. Identification of vulnerabilities and potential threats
  4. Risk assessment
  5. Prioritized remediation plan

A vulnerability assessment starts with an inventory of computer systems and other devices connected to the network. Once the items on the network have been enumerated, the network is scanned using an automated tool to look for vulnerabilities. There are two types of scans: credentialed and non-credentialed. A credentialed scan uses domain admin credentials to obtain detailed inventories of the software applications on each of the computers. This method provides the security team with the information necessary to identify operating system versions and required patches. Often overlooked, a company’s website should also be part of a comprehensive vulnerability assessment.

The Open Web Application Security Project (OWASP) maintains a list of the Top 10 vulnerabilities most commonly found on websites. Surprisingly, many websites fail to properly implement user authentication and input validation. These types of vulnerabilities have the potential to expose corporate data to anyone with internet access. Performing a vulnerability assessment exposes these issues so they can be resolved.

The final output of a vulnerability assessment project is the prioritized remediation plan. This plan uses the results of the risk assessment to determine which vulnerabilities represent the greatest risk to the organization. The total list of vulnerabilities often numbers in the hundreds, if not thousands. However, not all of the vulnerabilities are big problems requiring immediate attention. The prioritized remediation plan allows IT administrators to reduce corporate risk quickly by focusing on the most important weaknesses first.
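The five assessment steps above, carried through on constructed sample data as an added example (not code from the article or from any named product): assets are ranked by business importance, each scanner finding is scored against the asset it sits on, and the sorted result is the prioritized remediation plan. The asset names, finding ids, scoring weights and priority thresholds are all assumptions for illustration.

```python
# Added example, not the article's own code: the inventory, findings and
# weights below are constructed, and the risk formula is an assumed policy.
from dataclasses import dataclass

# Steps 1 and 2: asset inventory ranked by business importance (1 = low, 5 = critical).
ASSETS = {
    "db-01":    {"importance": 5, "internet_facing": False},
    "www-01":   {"importance": 4, "internet_facing": True},
    "hr-pc-17": {"importance": 2, "internet_facing": False},
}

# Step 3: findings as a scanner export would list them (constructed; severity is
# a CVSS-style 0-10 base score and the finding ids are placeholders).
FINDINGS = [
    {"asset": "hr-pc-17", "id": "FINDING-A", "severity": 9.5, "exploit_available": True},
    {"asset": "db-01",    "id": "FINDING-B", "severity": 7.5, "exploit_available": False},
    {"asset": "www-01",   "id": "FINDING-C", "severity": 6.5, "exploit_available": True},
    {"asset": "www-01",   "id": "FINDING-D", "severity": 2.5, "exploit_available": False},
]

@dataclass
class PlanItem:
    asset: str
    finding: str
    risk: float
    priority: str

def risk_score(finding: dict, asset: dict) -> float:
    """Step 4: severity weighted by asset importance, raised for exposure."""
    score = finding["severity"] * asset["importance"]
    if asset["internet_facing"]:      # reachable by anyone on the internet
        score *= 1.5
    if finding["exploit_available"]:  # a public exploit lowers attacker effort
        score *= 1.25
    return score

def priority_band(risk: float) -> str:
    """Assumed policy thresholds; tune them to the organisation's risk appetite."""
    return "immediate" if risk >= 40 else "30-day" if risk >= 20 else "next-cycle"

def remediation_plan(findings: list, assets: dict) -> list:
    """Step 5: every finding scored, then ordered so the greatest risk comes first."""
    items = []
    for f in findings:
        r = risk_score(f, assets[f["asset"]])
        items.append(PlanItem(f["asset"], f["id"], r, priority_band(r)))
    return sorted(items, key=lambda item: item.risk, reverse=True)

if __name__ == "__main__":
    for item in remediation_plan(FINDINGS, ASSETS):
        print(f"{item.priority:>10}  {item.asset:<9} {item.finding}  risk={item.risk}")
```

Note that the CVSS 9.5 finding on a low-importance PC ranks below the 6.5 finding on the internet-facing web server, which is the point of weighting by asset importance rather than remediating in raw severity order.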

Stepping Into Security Assessments


In today’s cyber threat landscape, companies have a fiduciary duty to assess their cybersecurity posture. This is the root function of a Cybersecurity Assessment. Typically, third-party vendors are contracted to perform the assessment. These firms have expertise in a variety of cybersecurity skills, which they use to tailor the engagement to a scope appropriate for the organization being assessed.

One of the first steps when starting a Cybersecurity Assessment project is to select a framework. This choice becomes part of the project requirements and in large part defines the scope of work to be performed by the third-party vendor. There are several frameworks to choose from, including ISO 27001, COBIT, the NIST Cybersecurity Framework, NIST 800-53, DOD 8570, DCID 6/3, HITRUST CSF and the Cloud Security Alliance’s Cloud Controls Matrix. Even the Motion Picture Association of America has defined a cybersecurity framework to protect its members’ intellectual property.

The NIST Cybersecurity Framework consists of five “functions”: Identify, Protect, Detect, Respond and Recover, as shown below:

These five functions are sub-divided into 22 categories … and then each category has multiple controls. One issue with the NIST framework is that a comprehensive Security Assessment using this framework can quickly become a big project, often too big for the organization’s size.

For small and medium-sized businesses, a good step forward is to specify the Center for Internet Security (CIS) Top 20 Controls as the framework the independent cybersecurity team will assess. The CIS Top 20 Controls provide an easy-to-understand assessment tool that senior executives can follow.

Once the CIS controls are evaluated, the organization’s security posture can be easily visualized using color-coded infographics and risk-score heat charts. Many Security Assessments include an evaluation of the business’s people, processes, and technologies. There is no point in spending technology dollars if the existing corporate processes do not support their use. These decisions can be explored using radar charts that visualize cyber readiness across three metrics: people, process, and technology. Radar charts depict cybersecurity assessment scores in a circular chart with gradient ranking, showing executives the information they need to act on to enhance their security posture.

The second step in the Cyber Framework series will explore assessment metrics and executive engagement.

Cyber-Risk Insurance—an Interview with Judy Selby


Judy has over 25 years of experience in insurance coverage litigation. She has particular expertise in cyber insurance and coverage under various policy forms for today’s emerging risks. She is also a prolific author and sought-after speaker on insurance, cyber, technology, and compliance issues. She has been quoted in leading publications, including the Wall Street Journal, Fortune, Forbes, Reuters, Directors & Boards, and numerous others.

InfoGov World: Where did you grow up?
Judy: I grew up in Brooklyn, but way before it was the cool place to be. My old neighborhood is famous for great Italian food, Saturday Night Fever, and over-the-top Christmas lights.

InfoGov World: How did you develop an interest in cyber-risk mitigation and cyber insurance?
Judy: I started working on insurance coverage matters right out of law school. I handled very large and complex cases that went on for years and involved tremendous volumes of paper, and later electronic data, in discovery. Because of my background, some former colleagues asked me to head up the eDiscovery and technology practice at my last law firm; I was responsible for managing the eDiscovery and data-handling processes for the massive Madoff litigations. I later co-founded the firm’s Information Governance practice as well. I concurrently studied cybersecurity, Big Data, IoT, and crisis management at MIT to develop a deeper knowledge of key issues affecting my practice. All this coincided with the emergence of cyber insurance, so it was natural to marry my two areas of expertise and focus on cyber-risk mitigation and insurance. A lot of people are struggling to understand and deal with these issues, and I enjoy being in the position to help them.

InfoGov World: What types of consulting work have you recently been engaged in?
Judy: I’ve been engaged in some really interesting consulting projects. I often work with companies to help them get appropriate insurance across a variety of traditional insurance lines, including Directors and Officers, Employment Practices Liability, General Liability, Property, Crime, etc. However, I’m most often retained to advise companies about cyber insurance. I negotiate for better policy terms, help companies select the right coverages, advise them about coverage pitfalls, assist with completion of the application, and help them to understand their obligations under the terms of the policy. I’ve supported technical teams doing cyber-risk audits. I review the results of the audit and work with the company to get insurance coverage for the identified risks. I also conduct insurance due diligence in the context of corporate mergers and acquisitions, and consult with private equity firms about insurance issues.

Over the past few months, I’ve become more involved with regulatory compliance engagements, particularly around the GDPR. I also advise corporate boards about insurance, privacy, cybersecurity best practices, and privacy/data protection compliance issues.