BreachExchange mailing list archives

How to be Proactive with Your IT Security this Year


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Sep 2015 19:29:39 -0600

http://www.virtual-strategy.com/2015/09/08/how-be-proactive-your-it-security-year#axzz3lBgxKBfi


Today’s cybercriminals are smart and sneaky, and they’re only after one
thing — your data.

These online hackers are continuing to get smarter and slier every day,
which is evident in the number of security breaches that happened last
year. There were 744 data breaches and more than 600 million identities
exposed during 2014, a year that can rightly be considered the year of the
mega security breach. The total number of these attacks, 194% greater than
2013’s number, was the most damaging series of cyber attacks in security
breach history to date, and we can only expect to see that threat rise this
year for businesses and their customers as businesses collect more
information that’s highly valuable to online hackers and as mobile device
usage continues to rise.

In order to effectively protect your business and your customers this year,
it’s important to know about the potential threats your company could face
and what the necessary and best plans of action are to better prevent,
monitor, manage and respond to these security attacks.

Security Breach Overview

Security breaches are not only rising, they’re becoming more sophisticated
and diverse. We can credit this sophistication and higher frequency to
advances in technology and online perpetrators adapting to these changes
faster than businesses and their security can. As a society, we are
dependent on technology, which makes businesses high-value targets to these
high-tech cyber criminals. Businesses know they’re facing cyber conflict,
and know the security risk landscape is continually evolving, but it can be
difficult to keep up with the latest technological developments and keep
their security from lagging behind.

Company security breaches don’t just happen in a day or two. Most of them
happen during the course of several months, meaning hackers are not only
smart, they’re extremely patient. They also may not attack servers directly.
Instead, they often come in slyly through other areas, such as user
devices, media players, and browsers. Cyber attacks have several entry
points, and some of the popular attack methods are malware, DDoS, SQL
injection, XSS, watering hole, spear phishing, and physical access.

Technology and cyber criminals will continue to advance — so your business
and its security have to as well. Every organization that collects or
manages individuals’ personal information needs to use security safeguards
to keep that information out of the wrong hands. You have the
responsibility of protecting your customers and their information, as well
as yourself, by preventing all the data you store from unauthorized access,
use, disclosure, modification and destruction.

Implementing an effective information security program is essential for
your business to rightly fulfill your responsibility to the individuals who
entrust you with their personal information. If you don’t, you’ll lose the
trust and business of several of your customers, not to mention your good
reputation and the respect of others in your industry.

You not only have to be prepared to ward off and handle security breaches,
you also have to be ready to report cyber security threats to your
customers and the federal government. In February, President Obama signed
an executive order requiring private companies to share more information
regarding cyber security threats with other companies, as well as with
their customers and the federal government. This proposal creates a
national notification standard and includes a 30-day notification
requirement. The purpose of this legislative proposal is to bring more
peace of mind to consumers, but it can be somewhat of a challenging
headache for businesses since businesses are now on a time crunch to
understand cyber threats and get them reported to the required list of
people. This is just another reason why instituting a security plan and
company policies that help prevent, monitor, manage and respond to security
breaches should be at the top of your business’s priority list.

Preventing Security Breaches

One of the best ways to prevent a security breach from happening is
planning for the unexpected. In this day and age, you have to be proactive.
You need to stay a step or two ahead of potential hackers as best you can,
which means establishing a strong security strategy. Your plan should
include, but not be limited to:

- Securing all electronic devices by requiring passwords and passcodes.
- Using encryption with emails, spreadsheets, etc.
- Limiting access to what data employees see.
- Monitoring mobile device usage and whereabouts.
- Having a company email deletion policy.
- Regularly monitoring data movement to track any unusual changes.
- Identifying security holes.
- Implementing automated patch management.

Aside from your security plan, your best and first line of defense is your
staff. In order to effectively protect your business and customers and be
prepared with the right defenses, your entire company needs to know about
the potential threats you could face. Take the necessary time to educate
and train your staff on awareness and preventative methods, best practices
and company policies. Trust me, it is well worth the time and money spent.

You also need to patch your systems since patches facilitate added
functionality or address security flaws within your program. Unfortunately,
this isn’t a huge priority for businesses, which is why 50% aren’t
currently patching their systems. Don’t be a business contributing to this
50%. Timely patching of security problems is critical to maintaining the
operational availability, confidentiality and integrity of your company’s
IT systems. When you implement patch and vulnerability management, you’re
proactively preventing the exploitation of IT vulnerabilities existing
within your company. Proactively managing system vulnerabilities lessens or
completely eliminates exploitation potentials and takes significantly less
time and effort than responding after an exploit occurs. To help keep your
OS and third party patches up-to-date, use a patch manager.

Many companies follow Patch Tuesday, also known as Update Tuesday. Patch
Tuesday is the unofficial term referring to the day when Microsoft
regularly releases security patches for its software products, which occurs
the second Tuesday of each month. Using this date as an anchor to start
your monthly maintenance is a good way to create a predictable update
schedule for critical assets. For client systems, it’s highly recommended
to update more frequently, especially for laptops and remote users. Most
vendors (Google, Mozilla, Adobe, etc.) release updates as needed,
introducing security updates throughout the month.

At Microsoft’s 2015 Ignite event on May 4th, the company announced “Windows
Update for Business.” Depending on your Windows 10 edition, companies will
have different options to keep systems up to date. The introduction of
distribution rings allows companies some flexibility to control how quickly
security and non-security updates are delivered to their systems. Companies
with Enterprise licenses will have access to the “Long Term Service Branch”
which will allow them to stay on a stable branch of the operating system
for much longer, and “Current Branch for Business” which gives companies a
level of control, but not indefinitely. Pro licenses will have access to
the “Current Branch for Business”, which provides access to a few branches
in which the company has control over the updates applied to systems, but
not indefinitely. Consumer licenses will have access to the “Current
Branch”, which will push updates more frequently and does not give many
options to opt out of updates.

Before any of these preventive methods can happen, businesses need
upper-level buy-in. Once you talk with the C-level people and receive their
approval and cooperation, then you can take your security plan and push it
down through the rest of the levels in the organization so everyone is
aware and able to keep the security plan in motion.

Monitoring Your Systems

When it comes to monitoring, you have to spend more time monitoring your
systems than online hackers do. Hackers monitor networks for months,
sometimes even years, before attacking. More than 200 days is the average
time a hacker spends monitoring. Your company must be willing to put in the
needed time, effort and patience — like potential hackers do — to keep a
watchful eye on your systems to prevent or quickly handle any suspicious
movements.

Monitoring requires examining all your systems, and you need multiple
layers of monitoring in place, which includes perimeter security and adding
a botnet to your system network. It’s also important to remember to monitor
more than just parts of your environment audited for different compliance
standards. Many company machines that have passed their PCI audit aren’t
PCI compliant; they weren’t audited since they didn’t directly touch data
that requires them to be audited. It’s these machines that hackers use to
get into the environment to then search for ways onto machines that may
have been audited and compliant.

Another way to monitor your systems is regularly checking for necessary
updates, i.e. system and tool updates, and then ensuring that those updates
happen. SharePoint server updates are quite tricky because they can cause
things to break and many company departments rely on them, so
administrators are typically nervous to do these updates, which often leads
to security breaches. VMware tools are designed to help with this problem.
Using these tools and virtual environments helps reduce required large
system updates that could possibly break something.

Managing Security Breaches

To effectively manage a security breach, having an employee or a team of
employees in charge of managing internal security breaches is a must-have.
The size of your company will determine if you need one security expert or
a team of security experts to effectively manage, but if you have the
resources and manpower, a small team is probably the best option with any
company.

Assembling this security management team is like assembling a startup. You
need a handful of people with various skillsets that nicely mold together
to create a successful team. Each individual needs their own skills, but
each also needs to be well versed in security and privacy situations and
not afraid to immediately jump on a problem when one occurs. Maintaining
good working relationships with one another and effectively communicating
on a regular basis are keys to a successful security management team.

Responding To Security Breaches

Responding to a company security breach is like firemen responding to a
house fire. Firemen have a set plan in place that includes safety,
investigating the fire, and then taking action to remediate the problem.
Like prepared firemen, you need a plan in place — an incident response plan
— to be as prepared as possible to respond to a security breach. This plan
should tell all employees what to do if a security breach happens,
outlining the necessary steps to take, people to contact for various types
of breaches, and the right technology to use. Put your security management
team in charge of crafting a company incident response plan. This plan is
going to be a lifesaver by limiting damage if a security breach happens.

An incident response plan is vital to responding to breaches, but don’t
forget you still need patching. Patching is your foundation level. Without
patching, it’s like having a car with an engine but no wheels; not the kind
of car you want or the type of security you want for your business.

Security Breach Review

To recap what you need to do, here are the necessary steps to follow to
proactively prevent, monitor, manage and respond to security breaches:

- Plan for the unexpected.
- Have a security strategy.
- Educate your staff.
- Patch your systems.
- Get upper-level buy-in.
- Monitor all your systems.
- Check for updates on a regular basis.
- Form a security management team.
- Create and follow an incident response plan.

Cyber attacks are the most likely terrorism attack for 2015. It’s why every
employee from every industry must work together, as well as collaborate
with regulators and legislatures, to better focus on the prevention and
response of likely cyber attacks from today’s very smart cybercriminals to
protect your business and customers to the best of your ability.
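
The Patch Tuesday anchoring described in the article above, as an added example that is not part of the original post: it computes the second Tuesday of a month and flags hosts that missed a release and are past a grace period, with a shorter grace period for laptops. The grace periods, host names and inventory are constructed assumptions.

```python
from datetime import date, timedelta

def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month."""
    first = date(year, month, 1)
    offset = (1 - first.weekday()) % 7      # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=offset + 7)

def next_patch_tuesday(after: date) -> date:
    """First Patch Tuesday strictly after `after`, i.e. the first
    release a host last patched on `after` has not yet received."""
    pt = patch_tuesday(after.year, after.month)
    if pt <= after:
        # Day 28 + 4 days always lands in the following month.
        nxt = (after.replace(day=28) + timedelta(days=4)).replace(day=1)
        pt = patch_tuesday(nxt.year, nxt.month)
    return pt

# Assumed policy: days allowed after a release before a host counts as
# overdue. Laptops get a shorter window, following the article's advice
# to update client systems more frequently.
GRACE_DAYS = {"server": 14, "laptop": 7}

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"name": "web01",  "kind": "server", "last_patched": date(2015, 8, 12)},
    {"name": "lt-ann", "kind": "laptop", "last_patched": date(2015, 8, 12)},
    {"name": "db02",   "kind": "server", "last_patched": date(2015, 7, 20)},
    {"name": "lt-bob", "kind": "laptop", "last_patched": date(2015, 9, 9)},
]

def overdue_hosts(inventory, today):
    """Return (host name, first missed Patch Tuesday) for every host
    whose grace period for that release has already expired."""
    late = []
    for host in inventory:
        missed = next_patch_tuesday(host["last_patched"])
        deadline = missed + timedelta(days=GRACE_DAYS[host["kind"]])
        if today > deadline:
            late.append((host["name"], missed))
    return late

if __name__ == "__main__":
    for name, missed in overdue_hosts(SAMPLE_INVENTORY, date(2015, 9, 20)):
        print(f"{name}: missing the {missed.isoformat()} release")
```

Measuring from the first missed release, rather than the most recent one, keeps a host that skipped an entire cycle flagged even when a new Patch Tuesday has just reset the calendar.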