Category Archives: IAM Security

8 Effective Third-Party Risk Management Tactics

In this increasingly complex security landscape with threat actors and vendors changing their tools rapidly, managing third-party risk is very difficult, ambiguous, and it’s even more difficult to know how to prioritize mitigation spend.

Fig 1. Risk, Stock Image, 2019.

The key to any vendor risk management program or framework is measurement, repeatability, and learning or improving from what was repeated as the business and risks change. These are the nine best practices you can follow to help assess your vendors’ security processes and their willingness to understand your risks and collectively mitigate both of them.

1) Identify All Your Vendors / Business Associates:

Many companies miss this easy step. Use RBAC (role-based access controls) when applicable – windows groups or the like. Creating a repeatable, written, compliance process for identifying them and making updates to the list as vendors move in and out of the company is worthwhile.

2) Ensure Your Vendors Perform Regular Security Assessments:

Risk assessments should be conducted on a weekly, monthly, or quarterly basis and reviewed and updated in response to changes in technology and the operating environment.

At a minimum, security risk assessments should include:

a) Evaluate the likelihood and potential impact of risks to in-scope assets.

b) Institute measures to protect against those risks.

c) Documentation of the security measures taken.

Vendors must also regularly review the findings of risk assessments to determine the likelihood and impact of the risk that they identify, as well as remediate any deficiencies.|

Fig. 2. Stock Image, Third-Party Risk Mgmt Inputs, 2019.

3) Make Sure Vendors Have Written Information Security Policies / Procedures:

a) Written security policies and procedures should clearly outline the steps and tasks needed to ensure compliance delivers the expected outcomes.

b) Without a reference point, policies and procedures can become open to individual interpretation, leading to misalignment and mistakes. Verify not only that companies have these written policies, but that they align with your organization’s standards. Ask other peers in your industry for a benchmark.

 4) Prioritize Vendors Based on Risk – Use Evidence and Input from Others – NOT Speculation:

a) Critical Risk: Vendors who are critical to your operation, and whose failure or inability to deliver contracted services could result in your organization’s failure.

b) High Risk: Vendors (1) who have access to customer data and have a high risk of information loss; and / or (2) upon whom your organization is highly dependent operationally.

c) Medium Risk: Vendors (1) whose access to customer information is limited; and / or whose loss of services would be disruptive to your organization.

d) Low Risk: Vendors who do not have access to customer data and whose loss of services would not be disruptive to your organization.

5) Verify That Vendors Encrypt Data in All Applicable Places – At Rest, In Transit, etc:

a) Encryption, a process that protects data by making it unreadable without the use of a key or password, is one of the easiest methods of protecting data against theft.

b) When a vendor tells you their data is encrypted, trust but verify. Delve deeper and ask for details about different in-transit scenarios, such as encryption of backup and what type of backup. Ask them about what type of encryption it is and get an infographic. Most people get lost when you ask this question.

c) It’s also imperative that the keys used to encrypt the data are very well-protected. Understanding how encryption keys are protected is as vital as encryption itself. Are they stored on the same server? Is multi-factor authentication needed to get access to them? Is there a time limit on how long they can have access to the key?

6) Ensure Vendors Have A Disaster Recovery Program:

In order to be compliant with the HIPAA Security Rule and related rules, vendors must have a detailed disaster recovery program that includes analysis on how a natural disaster—fire, flood or even a rodent chewing through cables—could affect systems containing ePHI. The plan should also include policies and procedures for operating after a disaster, delineating employees’ roles and responsibilities. Finally, the plan should clearly outline the plan for restoring the data.

7) Ensure Access Is Based on Legitimate Business Needs:

Fig 3. Stock Image, RBAC Flow, 2019.

It’s best to follow the principle of least privilege (POLP), which is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. Under POLP, users are granted permission to read, write, or execute only the files or resources they need to do their jobs. In other words, the least amount of privilege necessary. RBAC is worth mentioning here again.

8) Vet All New Vendors with Due Diligence:

a) Getting references.

b) Using a standard checklist.

c) Performing a risk analysis and determining if the vendor will be ranked Critical, High, Medium or Low.

d) Document and report to senior management.

Contact us here to learn more.

3 Key Points From “Unsecurity” By Evan Francen

UNSECURITY-1200x628-adNational author, speaker, consultant, and entrepreneur Evan Francen got into information security long before it was cool and buzzing in the media, and long before every so-called IT consultancy started chasing the money. In fact, he and I both dislike the money chasers. He and his growing consultancy, FRSecure are for-profit, but they don’t do it for the money.

Like a patriot who delays college to join the army amid dire national conflict, Francen offers a fact-based call to arms to fix the broken cybersecurity industry in his 2019 book “Unsecurity”. Having known him and his company for a few years, and having read the book and many on this subject, this content is worth sharing because too few people write or talk about how to actually make this industry better. Here are my three unbiased key points from his book.

1)    We’re Not Speaking the Same Language:

614hGPZRmJL._SY600_Francen opens his book with a lengthy chapter on how poor communication between cybersecurity stakeholders exacerbates trouble and risk. You can’t see or measure what isn’t communicated well. It starts because there are five main stakeholder groups who don’t share the same vocabulary amid conflicting priorities.

  1. IT: Speaks in data tables and code jargon.
  2. Cyber: Speaks in risk metrics and security controls.
  3. Business: Speaks in voice of the customer and profits.
  4. Compliance:Speaks in evidence collection and legal regulatory frameworks.
  5. Vendor: Speaks in sales and marketing terms.

Ideally, all these stakeholders need to work together but are only as strong as the weakest link. To attain better communication and collaboration between these stakeholders, all must agree on the same general security framework best for the company and industry, maybe NIST CSF with its inferred definitions or maybe ISACA Cobit. However, once you pick the framework you need to start training, communicating, and measuring against it and only it –going with its inferred definitions.

Changing frameworks in the middle of the process is like changing keys in the middle of a classical song at a concert – don’t do it. That’s not to say that once communication and risk management gets better, that you can’t have some hybrid framework variation – like at a jazz concert. You can but you need proof of the basic items first.

Later, in the chapter Francen describes the communication issue of too many translations. That’s too many people passing the communication onto other people and giving it their spin. Thus, what was merely a minor IT problem ticket turns into a full-blown data breach? Or people get tied up arguing over NIST, ISSA, ISACA, and OWASP jargon – all the while nothing gets fixed and people just get mad at each other yet fail to understand one another. Knowing one or two buzz words from an ISACA conference or paper yet failing to understand how they apply to NIST or the like does not help. You should be having a framework mapping sheet for this.

The bigger solution is more training and vetting who is authorized to communicate on key projects. The issue of good communication and project management is separate from cybersecurity though it’s a critical dependency. Organizations should pre-draft communication plans with roles and scope listed out, and then they should do tabletops to solidify them. Having an on-site Toastmasters group is also a good idea. I don’t care if you’re a cyber or IT genius; if you can’t communicate well that’s a problem that needs to be fixed. I will take the person with much better communication skills because likely they can learn what they don’t know better than the other.

2)    Overengineered Foundations:

In chapter two, Francen addresses “Bad Foundations”. He gives many analogies including building a house without a blueprint. However, I’m most interested in what he says on page 76:

  • “Problem #4 Overengineered Foundation – too much control is as bad as too little control, and in some cases, it’s even worse than no control at all.”

What he is saying here is that an organization can get so busy in non-real world spreadsheet assessments and redundant evidence gathering that their heads are in the sand for so long that they don’t see to connect the dots that other things are going array and thus they get compromised. Keep in mind IT and security staff are already overworked, they already have many conflicting dials and charts to read – amid false alarms. To bog them down in needless busywork must be weighed against other real-world security tasks, like patch management, change management, and updating IAM protocols to two-factor.

If you or your organization have an issue figuring this out, as Francen outlines, you need to simplify your risk management to a real-world foundational goal that even the company secretary can understand. It may be as simple as requiring long complex (multicharacter) passwords, badge entry time logs for everyone, encrypting data that is not public, or other basics. You must do these things and document that they have been done one at a time, engraining a culture of preventative security vs. reactive security.

3)    Cultivate Transparency and Incentives:

In chapter five, “The Blame Game” Francen describes how IT and business stakeholders often fail to take responsibility for security failings. This is heavily influenced by undue bias, lack of diversity, and lack of fact-based intellectualism within the IT and business silos at many mid-sized and large organizations. I know this is a hard pill to swallow but its so true. The IT and business leaders approving the bills for the vendors doing the security assessments, tool implementations, and consulting should not be under pressure to give a favorable finding in an unrealistic timeframe. They should only be obligated to give timely truthful risk prudent advice. Yet that same advice if not couched with kid gloves can get a vendor booted from the client – fabricating a negative vendor event. Kinda reminds me of accounting fraud pre-Sarbanes Oxley.

The reason why is because risk assessors are creating evidence of security violations that the client does not agree with or like, and thus you are creating legal risk for them – albeit well justified and by their own doing. From Francen’s viewpoint, this comprehensive honest assessment also gives the client a way to defend and limit liability by disclosing and remediating the vulnerabilities in a timely manner and under the advisement of a neutral third party. Moreover, you’re going to have instructions on how to avoid them in the future thus saving you money and brand reputation.

Overall, transparency can save you. Customers, regulators, and risk assessors view you more positively because of it. That’s not to say there are not things that will remain private because there are many, trade secrets, confidential data, and the like. My take on Francen’s mention of the trade off’s between transparency and incentives in a chapter called “The Blame Game” is that it’s no longer acceptable to delay or cover up a real security event – not that it ever was. Even weak arguments deliberately miscategorizing security events as smaller than they are will catch up with you and kick your butt or get you sued. Now is the time to be proactive. Build your incident response team ahead of time. It should include competent risk business consultants, cyber consultants, IT consultants, a communication lead, and a privacy attorney.

Lastly, if we as an industry are going to get better we’re going to have to pick up books, computers, pens, and megaphones. And this book is a must-read! You can’t be passive and maintain your expert status – it expires the second you do nothing and get poisoned by your own bias and ego. Keep learning and sharing!

Top Ten Ways Companies Can Reduce Cyber Risk

cost-of-cyber-attacks-to-business-mq593szq6dt3vzuawhu5qtm2upt66jfkqpxzl18l8sMid-sized businesses are defined from about $50 million to $800 million in revenue. A 2017 report published by Keeper Security and the Ponemon Institute found more than 50% of small and medium business had been breached in the past 12 months, but only 14% of them rated their ability to defend against cyber-threats as “highly effective” (Keeper / Ponemon, 2017). According to the 2017 Verizon Data Breach Investigations Report, 75% of the breaches were caused by outsiders with 51% involving organized criminal groups and the remaining involved internal actors. Not surprising, malware installed via malicious email attachments was present in 50% of the breaches involving hacking(Verizon, 2017). Here are ten steps (applicable to any size business) you can take to shield your mid-sized business from cyber-attacks:

10) Train Staff Often:

Most cyber-attacks take the form of phishing and spear phishing which is hackers targeting individuals rather than computer systems – typically with the help of good social engineering (IT Governance Blog, 2017). Therefore, employees need to be educated to roll back what they share on social media and to opt out of data harvesting when they can. Training needs to be ongoing because the threat landscape and technology change so fast. For example, ransomware was not a serious attack vector 6 years ago, but it is front and center today. Additionally, crypto-currency mining networks is an exploit vector that is arguably less than 2 years old and growing rapidly. Lastly, training more often improves the company security culture and that is directly related to keeping a good business reputation and core customer base. Here are a few more training necessities:

1. Follow cyber security best practices and conduct audits on a regular basis – based on your selected one or two frameworks (Cobit 5, ISO 2700, etc)

2. Use games contest and prizes to teach cyber safety – leadership must do this as well.

3. Notify and educate staff of any current cyber-attacks – have a newsletter.

4. Teach them how to handle and protect sensitive data – do lunch and learns.

9) Secure Wireless Networks:

Wireless networks can be easily exploited by cyber attackers, unknowing guests, and even angry customers. Your network is not like a coffee shop community room but rather it’s like a bank vault with many segmented areas – map the segments and know their rank order value. To harden your wireless network, avoid WEP (Wired Equivalent Privacy) encryption (which can be cracked in minutes) and use only WPA2, which uses AES-based encryption and provides better security than WPA.

Fig 1. (WPA2 Selection Screen Clip).

wpa_top

If you have a Wi-Fi network, be sure access to the router is secured by a password and hidden so that it does not broadcast the network name. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Also, remember to password-protect access to the router. Additionally, for protection against brute-force attacks, protect your network with a complex passphrase containing at least 25 characters and including a mix of letters, upper and lower case and numerals and symbols. Use a firewall and encryption to safeguard your internet connection.

8) Physically Secure Your Environment:

Focusing on web tools and monitoring is needed, but it’s also important to remember there are physical concerns about securing your network as well. To a threat actor overcoming all of your security measures may be as easy as walking up to your router and pressing the reset button. Make sure that your key pieces of in-office infrastructure are secure, and that you’re monitoring them with video, sensors or other physical security controls. Make sure to be creative and thorough about how you define a physical security connection point including: doors, public lobbies, windows, air vents, turnstiles, roofs, printer room, network closet, and USB ports on machines, etc. Lastly, employees should keep their devices near them at all times.

7) Double Down on Firewalls:

While most routers have a firewall built in that can protect your internal network against outside attacks, you should know that it may not be automatically activated. It’s generally called something like SPI (stateful packet inspection) or NAT (network address translation). Either way, turn it on (Chelsea Segal, Cox Blue, 09/16/18).

It’s also important to ensure that your own software isn’t sending information out over the network or the internet without your permission. For that, you’ll want to install firewall software on your PC as well. PC Magazine’s top pick is Check Point ZoneAlarm Pro, but the default firewall that comes with Windows 8 and 10 is also a good start.

6) Evaluate Your Operational Resilience and Cyber-Security Practices Quarterly: 

A good start is the US-CERT’s Cyber Resilience Review (CRR), which helps organizations assess enterprise programs and practices across 10 domains including risk management, incident management, service continuity, and more (SBA, 2018). They can also use the CSET (Cyber Security Evaluation Tool), which is a free customizable multi-framework DHS created general cyber security assessment.

5) Review Control Access / IAM and Audit Access Regularly:

Administrative access to your systems should only be granted on a need-to-know basis – least privilege principle. The correct job roles should be in the correct windows access groups. Keep sensitive data – such as payroll – out of the hands of anyone who doesn’t need it to do their job, marketing for example. Remove unused, stale, or unnecessary IAM users/credentials. Also, consider decommissioning old systems for risk reduction and cost savings – with the appropriate project analysis done. Use a secure strong password especially for single sign on interfaces – two factor authentication. Organizations should audit their IAM user activity to see which users haven’t logged into AWS for at least 90 days and revoke their permissions. Monitor user activity in all cloud services (including IAM user activity) to identify abnormal activity indicative of threats arising from a compromised account, or malicious/negligent internal employee – when corroborated with event logs and related intelligence.

4) Back up and Secure Your Systems and Data but Don’t Over Retain:

Ransomware, or viruses used by hackers to encrypt an organization’s computer files and detain them until a ransom is paid, has emerged as a serious and growing threat to businesses worldwide, according to the FBI (FBI CISO Report 2018). Whether data is stored in the cloud, on-premises, or in a hybrid data center, businesses should back up all files to hard drives stored in a safe place outside the reach of cyberthieves. These are some key data backup subpoints.

1. Limit access to sensitive data to only a few authorized employees.

2. Encrypt all your sensitive data – do not over-classify.

3. Backup your data periodically and store it in an offsite location.

4. Protect all devices with access to your data – third party vendor implications.

5. If you accept credit cards transactions, secure each point of sale.

3) Create a Guidebook for Mobile Security:

While mobile devices allow for work anywhere, anytime, they create significant security challenges. The FCC suggests requiring users to password-protect their devices, encrypt data, and install security apps to prevent criminals from stealing information while the phone is on public networks (FCC, Feb 2018). Plus, set reporting procedures for lost or stolen mobile devices. Draft a BYOD policy that separates personal vs. corporate data and covers the below points.

1. Ensure your equipment has the latest security software and run anti-virus/malware scans regularly. If you don’t have good anti-virus software installed, buy and install it.

2. Install all software updates as soon as they are available, including all web browsers.

3. Have the latest operating systems on your devices with access to regular updates.

4. Make sure your internet connect is protected with firewall security.

5. Make sure your Wi-Fi network is encrypted, hidden, and password protected.

2) Use Encrypted Websites for E-commerce Via Strong Third-Party Risk Management Policies:

Only buy from encrypted websites by looking for https on every page. Don’t’ be teased in by super low prices or the like, it may be a drive by download set-up. Ensure that the owner of the website is reputable and is who they say they are. This kind of gets at third party and supply chain risk management, which should be based on some applicable security framework for your industry, etc.

1) Avoid When Possible and Rigorously Evaluate Freeware:

There are a lot of free options for software including anti-virus (AVG), graphic design (GIMP), marketing and sales applications, some of which are quite reliable. However, many are not reliable and pose risk because they often come with malvertising, utility ad ons that slow things down, or direct malware. All of this complicates cyber risk and blurs sight lines into the infrastructure stack. Cyber security isn’t a good place to cut costs so pay for a good antivirus and firewall tool-set. If you are going to use a robust free graphic design tool like GIMP make sure it is documented, always updated, and that it is run in a limited area.

Bonus) Have a Sound Way To Prioritize Patching.

Establish a process to risk-rate vulnerabilities based on: ease of exploit and potential impact of the vulnerability (reference the CVE scores), if other working defenses are in place, and lastly by grouping the assets they may impact.

Reach out to me here for questions.

Five Things Small to Medium Businesses Can Do To Mitigate Cyber Risk

Small to medium businesses should evaluate their operational resilience and cyber-security practices quarterly. A good start is the US-CERT’s Cyber Resilience Review (CRR), which helps organizations assess enterprise programs and practices across 10 domains including risk management, incident management, service continuity, and more (SBA, 2018).

b7.contentThey can also use the CSET (Cyber Security Evaluation Tool), which is a free customizable multi-framework DHS created general cyber security assessment. A 2017 report published by Keeper Security and the Ponemon Institute found more than 50% of small and medium business had been breached in the past 12 months, but only 14% of them rated their ability to defend against cyber-threats as “highly effective” (Keeper / Ponemon, 2017). Here are five steps you can take to shield your small business from cyber-attacks:

1) Train Staff Often

Most cyber-attacks take the form of phishing and spear phishing which is hackers targeting individuals rather than computer systems – typically with the help of good social engineering (IT Governance Blog, 2017). Therefore, employees need to be educated to roll back what they share on social media and to opt out of data harvesting when they can. Training needs to be ongoing today because the threat landscape and technology change so fast. For example, ransomware was not a serious attack vector 6 years ago, but it is front and center today. Additionally, crypto-currency mining networks is an exploit vector that is arguably less than 2 years old and growing rapidly. Lastly, training more often improves the company security culture and that’s directly related to keeping their business reputation and core customer base. Here are a few more training necessities:

  1. Follow cyber security best practices and conduct audits on a regular basis – based on your selected one or two frameworks (Cobit 5, ISO 2700, etc)
  2. Use games contest and prizes to teach cyber safety – leadership must do this as well.
  3. Notify and educate staff of any current cyber-attacks – have a newsletter.
  4. Teach them how to handle and protect sensitive data – do lunch and learns.

2) Secure Wireless Networks

Wireless networks can be easily exploited by cyber attackers, unknowing guests, and even angry customers. Your network is not like a coffee shop community room but rather it’s like a bank vault with many segmented areas – map the segments and know their rank order value. To harden your wireless network, avoid WEP (Wired Equivalent Privacy) encryption (which can be cracked in minutes) and use only WPA2, which uses AES-based encryption and provides better security than WPA.

Fig 1. (WPA2 Selection Screen Clip).

wpa_top

If you have a Wi-Fi network, be sure access to the router is secured by a password and hidden so that it does not broadcast the network name. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Also, remember to password-protect access to the router. Additionally, for protection against brute-force attacks, protect your network with a complex passphrase containing at least 25 characters and including a mix of letters, upper and lower case and numerals and symbols. Use a firewall and encryption to safeguard your internet connection.

3) Control Access / IAM and Audit Access Often

Administrative access to your systems should only be granted on a need-to-know basis – least privilege principle. The correct job roles should be in the correct windows access groups. Keep sensitive data – such as payroll – out of the hands of anyone who doesn’t need it to do their job, marketing for example. Remove unused, stale, or unnecessary IAM users/credentials. Also, consider decommissioning old systems for risk reduction and cost savings – with the appropriate project analysis done. Use a secure strong password especially for single sign on interfaces – two factor authentication. Organizations should audit their IAM user activity to see which users haven’t logged into AWS for at least 90 days and revoke their permissions. Monitor user activity in all cloud services (including IAM user activity) to identify abnormal activity indicative of threats arising from a compromised account, or malicious/negligent internal employee – when corroborated with event logs and related intelligence.

4) Back up and Secure Your Systems and Data but Don’t Over Retain

Ransomware, or viruses used by hackers to encrypt an organization’s computer files and detain them until a ransom is paid, has emerged as a serious and growing threat to businesses worldwide, according to the FBI (FBI CISO Report 2018). Whether data is stored in the cloud, on-premises, or in a hybrid data center, businesses should back up all files to hard drives stored in a safe place outside the reach of cyberthieves. These are some key data backup subpoints.

  1. Limit access to sensitive data to only a few authorized employees.
  2. Encrypt all your sensitive data – do not over-classify.
  3. Backup your data periodically and store it in an offsite location.
  4. Protect all devices with access to your data – third party vendor implications.
  5. If you accept credit cards transactions, secure each point of sale.

5) Create a Guidebook for Mobile Security

While mobile devices allow for work anywhere, anytime, they create significant security challenges. The FCC suggests requiring users to password-protect their devices, encrypt data, and install security apps to prevent criminals from stealing information while the phone is on public networks (FCC, Feb 2018). Plus, set reporting procedures for lost or stolen mobile devices. Draft a BYOD policy that separates personal vs. corporate data and covers the below points.

  1. Ensure your equipment has the latest security software and run anti-virus/malware scans. regularly. If you don’t have anti-virus software installed, buy, and install it.
  2. Install all software updates as soon as they are available, including all web browsers.
  3. Have the latest operating systems on your devices with access to regular updates.
  4. Make sure your internet connect is protected with firewall security.
  5. Make sure your Wi-Fi network is encrypted, hidden, as well as password protected.

For more information reach out to Abstract Forward Consulting here.