Employees’ mistakes are the weakest link in securing an organization’s confidential information. However, some small, inexpensive steps, taken through employee training, can measurably reduce information risk.
Security Awareness Training (SAT) programs educate an organization’s workforce about the risks to its information and the schemes attackers use to get at it, and give employees the skills to act consistently in ways that protect the organization’s information assets. Bad actors exploit natural human tendencies with phishing emails and targeted spear-phishing campaigns. SAT programs therefore often include phishing simulations and exercises for other social-engineering tactics, such as text-message phishing (smishing) and USB drives left where employees will find them. SAT products provide a comprehensive approach to employee training that empowers employees to recognize and avoid a broad range of threat vectors.
SAT is an effective and relatively easy way to reduce risk, because it lowers corporate risk by changing the behavior of the humans who handle the organization’s data. Leading products in this market use methods such as short animated videos and pop quizzes to teach employees about information security threats.
SAT is not a one-and-done activity. To be effective, it must be run as an ongoing process; workplace safety programs implemented to meet OSHA requirements are a good analogy. SAT is a continuous-improvement process because new threats emerge every day. The leading products add new content regularly and provide employee engagement opportunities that go well beyond traditional computer-based training.
Ransomware attacks are among the most serious and prevalent threats to data. Ransomware is best understood as malicious software that either publishes, or blocks access to, information until a “ransom” is paid. Ransomware has grown more sophisticated, and while free decryption tools have been released for some families, files encrypted with a properly implemented cipher cannot be recovered without the attacker’s key. Encrypting files and holding them inaccessible until payment creates real problems for organizations that store large amounts of personal data.
One of the latest attacks, on March 31, 2018, hit Associates in Psychiatry and Psychology (APP), based in Rochester, Minnesota. The ransomware attack affected patient information for 6,546 individuals; so far, it appears that the information was not in a “human-readable” format and that the protected health information was not accessed or copied by the attackers.
Ransomware attacks like this speak to the need for information governance and vital records programs. While there isn’t an exhaustive list of information potentially accessed, it likely included:
APP responded promptly, taking its systems offline. Doing so quickly likely stopped the attack from spreading and limited both the encryption of personal data and the data theft that would have completed the “ransom” side of the attack.
In a Q&A about the incident, APP reported that it was a “Triple-M” ransomware attack. This variant uses RSA-2048 encryption, an asymmetric algorithm with 2048-bit keys; ransomware generally uses RSA to lock the per-victim symmetric key that actually encrypts the files, so that nothing on the victim’s machine can reverse the encryption. A ransom was ultimately paid because the backups holding the restore files were also inaccessible after the attack, which is the real lesson here: a backup reachable with the same credentials as production is not a backup, and restore copies need to be kept offline or otherwise write-protected. The initial demand of 4 Bitcoin (about $30,000 at the time) was not paid as demanded; it was negotiated down to 0.5 BTC (about $3,800). With its systems and data restored, APP has added further layers of security and new remote-access policies.
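The encryption described above leaves a signature a defender can look for: files that suddenly become high-entropy, renamed with an appended extension, next to a note demanding payment. The following is an added example for this article, not code from APP or from the page, showing a simple heuristic that combines those three signals over a constructed set of files; the marker phrases, extension list and entropy threshold are assumptions, not values tied to the “Triple-M” family. It also handles the classic false positive, legitimately high-entropy formats such as gzip archives, by recognising their magic bytes.

```python
"""Heuristic detection of ransomware activity on a folder of files.

Added example for this article; the sample files, thresholds and marker
strings are constructed assumptions, not artifacts from the APP incident.
"""
import gzip
import math
import random
from collections import Counter

# Phrases that commonly appear in ransom notes (assumed markers, not family-specific).
RANSOM_NOTE_MARKERS = (b"your files have been encrypted", b"bitcoin", b"decrypt")
# Extensions many families append to encrypted files (illustrative list).
SUSPICIOUS_EXTENSIONS = (".locked", ".encrypted", ".crypt", ".enc")
# Formats that are legitimately high-entropy, recognised by their magic bytes,
# so that archives, images and PDFs do not trip the entropy check.
COMPRESSED_MAGIC = (b"\x1f\x8b", b"PK\x03\x04", b"\xff\xd8\xff", b"%PDF")
ENTROPY_THRESHOLD = 7.5  # bits per byte; English text is ~4-5, ciphertext is close to 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """True when the content is high-entropy and not a known compressed/image format."""
    if data.startswith(COMPRESSED_MAGIC):
        return False
    return len(data) >= 256 and shannon_entropy(data) >= ENTROPY_THRESHOLD


def is_ransom_note(name: str, data: bytes) -> bool:
    """A text file carrying at least two of the ransom-note phrases."""
    text = data[:4096].lower()
    return name.lower().endswith(".txt") and sum(m in text for m in RANSOM_NOTE_MARKERS) >= 2


def assess(files: dict) -> dict:
    """Combine three independent signals; any one alone can be a false positive."""
    encrypted = sorted(n for n, d in files.items() if looks_encrypted(d))
    renamed = sorted(n for n in files if n.lower().endswith(SUSPICIOUS_EXTENSIONS))
    notes = sorted(n for n, d in files.items() if is_ransom_note(n, d))
    signals = sum(1 for s in (encrypted, renamed, notes) if s)
    return {"encrypted": encrypted, "renamed": renamed, "notes": notes,
            "ransomware_likely": signals >= 2}


# Constructed sample "directory": path -> content. The .locked files stand in for
# ciphertext; a seeded PRNG keeps the example deterministic.
_rng = random.Random(2018)
SAMPLE_FILES = {
    "records/intake.txt": b"Intake form. Allergies: none reported. Insurance: on file.\n" * 40,
    "records/schedule.csv": b"date,time,clinician\n2018-03-30,09:00,Clinician A\n" * 30,
    "records/archive.gz": gzip.compress(b"".join(b"appointment %d\n" % i for i in range(5000))),
    "records/intake.txt.locked": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "records/schedule.csv.locked": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "README_DECRYPT.txt": b"Your files have been encrypted. Send Bitcoin to decrypt them.",
}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

In production this logic would run against file-system events rather than a static snapshot, and the two-signal rule is what keeps a single compressed backup or a user’s note mentioning Bitcoin from paging the on-call engineer.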
Penetration testing (“pen testing”) is a technique information security (InfoSec) professionals use to find weaknesses in an organization’s defenses. In a penetration test, authorized cybersecurity professionals play the attacker’s role.
Penetration testing attempts to circumvent digital safeguards by simulating an attack by outside hackers or an internal bad actor, using the same techniques real attackers use against companies every day. The results reveal, in advance, the vulnerabilities and weaknesses that could allow a malicious attacker to gain access to a company’s systems and data.
Techniques include brute-force attacks, exploitation of unpatched systems, and password-cracking tools. Organizations hire InfoSec experts with specialized credentials, such as Certified Ethical Hacker (CEH) and Offensive Security Certified Professional (OSCP), to conduct authorized attempts to breach the organization’s safeguards under a written scope and rules of engagement. The testers begin with reconnaissance, typically an attack-surface and internet-footprint analysis that passively identifies exposures, risks, and gaps in security. Once potential vulnerabilities are identified, the team begins exploitation attempts, using automated tools to probe websites, firewalls, and email systems.
Successful exploits often chain multiple vulnerabilities attacked over several days. Individually, none of the weaknesses is a wide-open door, but combined by an expert penetration tester they snowball into an initial foothold inside the network, from which the tester can pivot and gain access to additional systems.
Penetration testing is a useful way to evaluate the damage a determined attacker could do and to assess the organizational risk that exposure poses. Most attackers and criminals go after low-hanging fruit, the easy targets. Regular penetration tests help ensure that the effort required to reach internal networks is substantial, so opportunistic attackers are more likely to give up and move on to targets that are not so well defended.
The term “vulnerability assessment” applies to a broad range of systems. In the context of a disaster recovery plan, for example, a vulnerability assessment would weigh the likelihood of flooding, earthquakes, and other potential disasters.
In the digital sphere, a vulnerability assessment is an evaluation of an organization’s cybersecurity weaknesses: identifying and prioritizing the specific configuration issues and missing patches that make its computing platforms vulnerable.
The Institute for Security and Open Methodologies (ISECOM, http://www.isecom.org/research/) publishes the Open Source Security Testing Methodology Manual (OSSTMM), which documents a vendor-neutral approach to a wide range of assessment methods and techniques. A vulnerability assessment project typically includes the following: an inventory of networked systems, automated vulnerability scanning, an assessment of the company’s website, and a prioritized remediation plan.
A vulnerability assessment starts with an inventory of computer systems and other devices connected to the network. Once the items on the network have been enumerated, the network is scanned with an automated tool to look for vulnerabilities. There are two types of scans: credentialed and non-credentialed. A non-credentialed scan sees only what an unauthenticated attacker on the network would see: open ports, service banners, and whatever can be inferred from them. A credentialed scan logs in to each computer with privileged credentials (preferably a dedicated scanning account rather than a domain administrator account, since the scanner’s credentials become a target themselves) to obtain a detailed inventory of installed software. This gives the security team the information needed to identify operating system versions and missing patches. Often overlooked, a company’s website should also be part of a comprehensive vulnerability assessment.
The Open Web Application Security Project (OWASP) maintains the OWASP Top 10, a list of the most critical web application security risks. Surprisingly many websites fail to implement user authentication and input validation properly, and such flaws can expose corporate data to anyone with internet access. A vulnerability assessment surfaces these issues so they can be resolved.
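The authentication and input-validation failures mentioned above usually meet in the login form. As an added example for this article (not code from OWASP or from any site the page mentions), the block below builds a throwaway in-memory SQLite database and shows a login routine that splices user input into its SQL next to a hardened version that validates the username, binds parameters, stores a salted PBKDF2 hash instead of the password, and compares in constant time. The table layout, the sample account and the username policy are constructed assumptions.

```python
"""Login with SQL injection beside its hardened form (sqlite3, in-memory).

Added example for this article, not code from any site it mentions; the
user table, credentials and username policy are constructed assumptions.
"""
import hashlib
import hmac
import os
import re
import sqlite3

# Input validation: usernames are short and drawn from a known alphabet.
USERNAME_RE = re.compile(r"[a-z0-9_.-]{1,32}")
PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b"\x00" * 16


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user, stored both the wrong way and the right way."""
    conn = sqlite3.connect(":memory:")
    # Legacy table: plaintext password, queried by string concatenation (the vulnerable path).
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users_plain VALUES ('alice', 'S3cret!pass')")
    # Hardened table: per-user random salt and a slow PBKDF2 hash instead of the password.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, hash_password("S3cret!pass", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Classic broken authentication: user input is spliced into the SQL text."""
    query = (f"SELECT username FROM users_plain "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Validate input, bind parameters, and compare hashes in constant time."""
    if not USERNAME_RE.fullmatch(username):
        return False
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        hash_password(password, DUMMY_SALT)  # spend the same time for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    attacker = "alice' --"   # the SQL comment removes the password check from the vulnerable query
    print("vulnerable, injected username:", login_vulnerable(db, attacker, "anything"))
    print("hardened, injected username  :", login_hardened(db, attacker, "anything"))
    print("hardened, correct password   :", login_hardened(db, "alice", "S3cret!pass"))
```

The injected username turns the vulnerable query into `WHERE username = 'alice' --' AND password = '...'`, and the trailing comment discards the password test entirely. The hardened routine never lets that string reach the SQL parser: the regex rejects it first, and even a well-formed username is passed as a bound parameter rather than text.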
The final output of a vulnerability assessment project is the prioritized remediation plan. It uses the results of the risk assessment to determine which vulnerabilities pose the greatest risk to the organization. The full list of vulnerabilities often runs to hundreds, if not thousands, of items, but not all of them are big problems requiring immediate attention. The prioritized remediation plan lets IT administrators reduce corporate risk quickly by fixing the most important weaknesses first.
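The inventory-to-scan-to-plan sequence described in the preceding paragraphs can be shown end to end in a few dozen lines. The block below is an added example for this article, not a vendor’s tool: it takes a constructed inventory as a credentialed scan would report it, compares installed versions against a constructed patch baseline, weights each missing patch by the host’s exposure, and sorts the result into remediation tiers. The product names, version numbers, CVSS scores and exposure weights are placeholders, not real advisories, and a host that was only scanned without credentials is reported as unassessed rather than silently treated as clean.

```python
"""Credentialed-scan inventory -> missing-patch findings -> prioritized remediation plan.

Added example for this article; hosts, products, versions, scores and weights
are constructed placeholders, not real advisories or real systems.
"""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    internet_facing: bool
    sensitive_data: bool
    credentialed: bool   # True if the scanner could log in and enumerate installed software
    software: dict       # product -> installed version (empty when the scan was non-credentialed)


# Constructed patch baseline: product -> (minimum patched version, CVSS of the worst
# issue fixed below that version, whether a public exploit exists). Placeholder data.
BASELINE = {
    "web-server": ("2.4.33", 9.8, True),
    "ssh-server": ("7.7", 7.5, False),
    "db-server": ("10.2.9", 8.8, True),
    "pdf-reader": ("11.0.4", 7.8, True),
}

# Constructed inventory as a credentialed scan would report it.
HOSTS = [
    Host("web-01", True, False, True, {"web-server": "2.4.29", "ssh-server": "7.6"}),
    Host("db-01", False, True, True, {"db-server": "10.2.7", "ssh-server": "7.4"}),
    Host("ws-17", False, False, True, {"ssh-server": "7.9", "pdf-reader": "11.0.1"}),
    Host("legacy-03", True, True, False, {}),   # non-credentialed: nothing enumerated
]


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> tuple, so '7.10' sorts after '7.9'."""
    return tuple(int(part) for part in v.split("."))


def exposure_weight(host: Host, exploit_public: bool) -> int:
    """Assumed weighting: internet exposure and a public exploit count double, sensitive data once."""
    return (1 + (2 if host.internet_facing else 0)
              + (1 if host.sensitive_data else 0)
              + (2 if exploit_public else 0))


def find_missing_patches(hosts, baseline) -> list:
    """Compare each installed version against the baseline and score what is behind."""
    findings = []
    for host in hosts:
        for product, installed in host.software.items():
            if product not in baseline:
                continue
            min_ok, cvss, exploit_public = baseline[product]
            if parse_version(installed) < parse_version(min_ok):
                # CVSS in tenths keeps the score an exact integer.
                risk = int(round(cvss * 10)) * exposure_weight(host, exploit_public)
                findings.append({"host": host.name, "product": product, "installed": installed,
                                 "required": min_ok, "risk": risk})
    return sorted(findings, key=lambda f: (-f["risk"], f["host"], f["product"]))


def remediation_plan(hosts, baseline) -> dict:
    """Bucket findings into tiers (assumed cut-offs) and list hosts the scan could not assess."""
    plan = {"immediate": [], "short_term": [], "scheduled": [], "unassessed": []}
    for finding in find_missing_patches(hosts, baseline):
        tier = ("immediate" if finding["risk"] >= 300
                else "short_term" if finding["risk"] >= 200
                else "scheduled")
        plan[tier].append(finding)
    plan["unassessed"] = [h.name for h in hosts if not h.credentialed]
    return plan


if __name__ == "__main__":
    for tier, items in remediation_plan(HOSTS, BASELINE).items():
        print(tier)
        for item in items:
            print("   ", item)
```

The ordering is the point: the same missing SSH patch lands in a lower tier on the internal workstation than on the internet-facing web server, and the unpatched web server with a public exploit sorts above the database server with a higher raw exposure to sensitive data. The "unassessed" list is what keeps a non-credentialed scan from being mistaken for a clean bill of health.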
In today’s cyber threat landscape, companies have a fiduciary duty to assess their cybersecurity posture. That is the root function of a Cyber Security Assessment. Typically, third-party vendors are contracted to perform the assessment; these firms have expertise across a range of cybersecurity skills, which they use to tailor the engagement to a scope appropriate for the organization being assessed.
One of the first steps in a Cybersecurity Assessment project is to select a framework. This choice becomes part of the project requirements and largely defines the scope of work the third-party vendor will perform. There are several frameworks to choose from, including ISO 27001, COBIT, the NIST Cybersecurity Framework, NIST SP 800-53, DoD 8570, DCID 6/3, HITRUST CSF, and the Cloud Security Alliance’s Cloud Controls Matrix. Even the Motion Picture Association of America has defined a cybersecurity framework to protect its members’ intellectual property.
The NIST Cybersecurity Framework consists of five “functions”: Identify, Protect, Detect, Respond, and Recover, as shown below:
These five functions are subdivided into 22 categories, and each category contains multiple subcategories that serve as the controls an assessment measures against. One issue with the NIST framework is that a comprehensive security assessment built on it can quickly become a big project, often too big for the organization’s size.
For small and medium-sized businesses, a good step forward is to specify the Center for Internet Security (CIS) Top 20 Controls as the framework the independent cybersecurity team will assess. The CIS Controls provide an easy-to-understand assessment tool that senior executives will grasp.
Once the CIS Controls have been evaluated, the organization’s security posture can be visualized with color-coded infographics and risk-score heat charts. Many security assessments also evaluate the business’s people, processes, and technologies, because there is no point spending technology dollars if existing corporate processes do not support the technology’s use. Radar charts are a natural fit here: they plot the cyber-readiness scores for people, process, and technology on a circular chart with a gradient ranking, giving executives the information they need to act on to enhance their security posture.
The second step in the Cyber Framework series will explore assessment metrics and executive engagement.
Judy has over 25 years of experience in insurance coverage litigation. She has particular expertise in cyber insurance and coverage under various policy forms for today’s emerging risks. She is also a prolific author and sought-after speaker on insurance, cyber, technology, and compliance issues, and has been quoted in leading publications including the Wall Street Journal, Fortune, Forbes, Reuters, Directors & Boards, and numerous others.
InfoGov World: Where did you grow up?
Judy: I grew up in Brooklyn, but way before it was the cool place to be. My old neighborhood is famous for great Italian food, Saturday Night Fever, and over-the-top Christmas lights.
How did you develop an interest in cyber-risk mitigation and cyber insurance?
I started working on insurance coverage matters right out of law school. I handled very large and complex cases that went on for years and involved tremendous volumes of paper, and later electronic data, in discovery. Because of my background, some former colleagues asked me to head up the eDiscovery and technology practice at my last law firm; I was responsible for managing the eDiscovery and data-handling processes for the massive Madoff litigations. I later co-founded the firm’s Information Governance practice as well. I concurrently studied cybersecurity, Big Data, IoT, and crisis management at MIT to develop a deeper knowledge of key issues affecting my practice. All this coincided with the emergence of cyber insurance, so it was natural to marry my two areas of expertise and focus on cyber-risk mitigation and insurance. A lot of people are struggling to understand and deal with these issues, and I enjoy being in the position to help them.
What types of consulting work have you recently been engaged in?
I’ve been engaged in some really interesting consulting projects. I often work with companies to help them get appropriate insurance across a variety of traditional insurance lines, including Directors and Officers, Employment Practices Liability, General Liability, Property, Crime, etc. However, I’m most often retained to advise companies about cyber insurance. I negotiate for better policy terms, help companies select the right coverages, advise them about coverage pitfalls, assist with completion of the application, and help them to understand their obligations under the terms of the policy. I’ve supported technical teams doing cyber-risk audits. I review the results of the audit and work with the company to get insurance coverage for the identified risks. I also conduct insurance due diligence in the context of corporate mergers and acquisitions, and consult with private equity firms about insurance issues.
Over the past few months, I’ve become more involved with regulatory compliance engagements, particularly around the GDPR. I also advise corporate boards about insurance, privacy, cybersecurity best practices, and privacy/data protection compliance issues.
Copyright © 2019 Privacy Today & InfoGov World Media LLC- All Rights Reserved.