Security vs Compliance

Your company has an upcoming compliance audit and your security staff is working overtime preparing; every control is put in place and each system is set to the exact specifications of the compliance audit. The day arrives and your company passes with flying colors, receiving a passing grade from the compliance body. There’s a collective sigh of relief as the company’s day-to-day business lives to see another day and the proverbial bullet is dodged.

While compliance is important for a company to maintain contracts, to be able to use certain services, and to avoid losing its shirt in lawsuits, compliance is not the be-all and end-all of securing a company. Sadly, many companies take this stance: “we are compliant, therefore we are secure.” Putting compliance above security, or even on par with security, can be just as damning to a business as not having compliance at all. Whether a company is compliant or not, a data breach can still incur fines from the governing compliance body.

Perhaps the most important step to understanding that security and compliance are not one and the same is to define how each is used.

The strength of your information security program is largely determined by your organization’s ability to protect against, and respond to, the ever-changing threat landscape; it is important to note that the best security programs are proactive and work to get ahead of these threats. Compliance, by contrast, is based on a set of controlled standards set in place by a governing body, and is commonly reactive. The endgame is the same, but the paths differ.

Security is never finished and should, at the very least, always be maintained and improved upon. Compliance is driven by the needs of the business rather than by technical needs, and is achieved when the governing body is satisfied and issues a passing grade.

Again, it is important to reiterate that just because a compliance audit identified gaps in a company’s security landscape, that does not mean the company can check the box and say, “We found this gap, we closed it, we are now secure.”

Take, for instance, Payment Card Industry Data Security Standard (PCI DSS) requirement 12.6, which says: “§12.6 – Make all employees aware of the importance of cardholder information security. Educate employees (for example, through posters, letters, memos, meetings, and promotions). Require employees to acknowledge in writing that they have read and understood the company’s security policy and procedures.” (a)

This requirement means making sure employees are aware of how to protect customer cardholder information. As seen above, this can be achieved simply through posters or a security “test” that users typically just click through, answering the questions at the end. Simply put, all that is required to check the box for this measure on a PCI DSS compliance audit is a security awareness program.

To be secure, however, much more should and needs to be done. Where compliance would be satisfied by simply setting up an awareness program, security would run phishing-simulation campaigns to educate users with tools such as KnowBe4, and implement anti-phishing services such as Proofpoint. While the security awareness program might give employees a “passing glance,” actively monitoring and training these employees creates a more secure environment for the company’s assets.

This is not to say that a company should choose security over compliance; in fact, the two should go hand in hand and complement each other. Compliance should be used to help establish a baseline on which to build the company’s security practices and policies, and compliance is often required for the business to keep operating at all, for instance to take credit and debit card payments under PCI DSS. Security, meanwhile, is there to take those baselines and cover them from every foreseeable, and even unforeseeable, angle, such as ensuring that the correct security controls are actually in place.

If a company is forced to check a box of either (a) being compliant or (b) being secure, the company needs to write in its own checkbox: (c) being compliant and secure. The biggest question we get here is: “where is the money going to come from?” This is a question that security leaders are all too familiar with…

Resellers, such as SecureNation, can help play a major role in a company’s security posture. Having a team to help carefully and critically examine these next-gen security appliances, software, and services, as well as negotiating the lowest price on your behalf, will leave more time and money in the budget to work on both compliance and security.

Resources:

(a) Best Practices for Implementing a Security Awareness Program. (n.d.). Retrieved January 30, 2019, from https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf


Distributed Denial of Service Attacks: What are They?

Distributed Denial of Service (DDoS) attacks occur when multiple systems flood a company’s bandwidth, typically by targeting a web server. These attacks are more often than not the result of many compromised systems being used as a botnet that floods the target with traffic to overwhelm its environment. Imagine a town with only one road leading to it: if too many cars suddenly flood that road, the town has no way to receive visitors and cannot operate effectively.

A Distributed Denial of Service attack can affect every company these days, even those whose own procedures help guard against them. On February 28th, 2018, GitHub, a popular platform for developers, faced a sudden attack that clocked in at 1.35 terabits per second. This was record-breaking traffic; the previous big attack, the Occupy Central Hong Kong attack, had reached 500 Gbps, meaning the GitHub DDoS attack carried more than double the traffic the world had seen from any DDoS attack. While GitHub was prepared for DDoS attacks, as many internet companies are these days, it had no way of knowing that an attack this massive would be launched against it.

What could these attacks cost?
DDoS attacks can bring a company to a crippling halt; while larger companies have the ability to bounce back with large cash reserves, smaller businesses are not so lucky.

In 2017, the average cost of a DDoS attack to businesses rose to over 2.5 million dollars (a). These attacks, however, were small compared to the GitHub attack, with an average attack strength of only around 10 Gbps. In 2014 the internet firm Code Spaces went out of business because of a DDoS extortion attack. Code Spaces, a company that provided services akin to GitHub, discovered the attack far too late.

What or who is to blame?
With millions of IoT devices accessing networks daily, from thermostats to smart outlets to refrigerators, it is critical that everyone keeps these devices secure so that they cannot be leveraged in a DDoS attack. These smart devices rarely possess any security that keeps them from being breached, as they are designed for innovation rather than for safeguarding against malware.

This issue is compounded by the fact that many users never change the default usernames and passwords on their devices’ admin consoles.

This makes these devices prime targets for attackers to leverage in large DDoS attacks. This is where companies can use IoT security products from vendors such as Fortinet and Gemalto to help secure these devices and ensure that their systems are not only kept safe from compromise but also not used in DDoS attacks against other companies.

IoT is not the only culprit here, as it has become quite easy for bad actors to build, or rent, the botnets needed for these attacks. Once upon a time, creating a botnet required months if not years of planning and work; now there are botnet-for-hire services that allow attackers to purchase time from other attackers to leverage in their own attacks. The more an attacker is willing to pay, the longer and more robust the attack launched against a company. Compounding the issue, DDoS attacks are more often than not used as a distraction so that attackers can gain access to a system while the security department is scrambling to put out the DDoS “fire”.

Guarding against DDoS
Fortunately, there are ways to guard against DDoS attacks, both proactive and reactive, to ensure that a company is not caught unawares. In a technical article written in 2018, Ahmad Nassiri points out three detection methods that you can use to help get ahead of DDoS attacks. (b)

Flow Sampling: In flow sampling, the router samples packets and then exports a datagram that contains information about those packets. Nearly all routers support this technology, and it’s highly scalable, making it a popular choice. However, this method gives you only a limited snapshot of your traffic and doesn’t allow for detailed analysis.

Packet Analysis: When a high-performance DDoS mitigation device is deployed in-path, it can instantly detect and mitigate anomalies. This type of device continuously processes all incoming traffic and can also process all outgoing traffic; this is known as asymmetric and symmetric processing, respectively.

Mirrored Data Packets: Although mirrored data packets don’t operate in the path of traffic, they provide full detail for in-depth analysis and can detect anomalies quickly. The only downside of this method is that it can be difficult to scale up.
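As an added illustration of the flow-sampling method above (example code written for this page, not from Nassiri’s article, the original post, or any product), the following Python scales sampled flow records back up to estimated packet rates per destination and flags a destination whose rate jumps far above its baseline while arriving from many distinct sources. The flow records, the 1-in-1000 sampling rate, the baselines and the thresholds are all constructed.

```python
# Added example: volumetric DDoS detection over sampled flow records (the
# "flow sampling" method described above). Not code from the original post or
# from any product; every record, baseline and threshold here is constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One sampled flow as a router might export it (constructed layout)."""
    src: str
    dst: str
    dst_port: int
    packets: int  # packets actually sampled, not the true count


def estimate_per_destination(records, sampling_rate, window_s):
    """Scale sampled packet counts back up and aggregate per destination.

    With 1-in-N sampling, k sampled packets estimate k*N real packets; a
    small flow may be sampled zero times, which is the 'limited snapshot'
    caveat of this method."""
    per_dst = defaultdict(lambda: {"est_pps": 0.0, "sources": set()})
    for r in records:
        agg = per_dst[r.dst]
        agg["est_pps"] += r.packets * sampling_rate / window_s
        agg["sources"].add(r.src)
    return per_dst


def detect_ddos(records, baseline_pps, sampling_rate=1000, window_s=60,
                ratio_limit=10.0, min_sources=100):
    """Alert when a destination's estimated rate is ratio_limit times its
    baseline AND comes from at least min_sources distinct hosts (the
    'distributed' part: one noisy client should not trip this)."""
    alerts = []
    per_dst = estimate_per_destination(records, sampling_rate, window_s)
    for dst, agg in per_dst.items():
        ratio = agg["est_pps"] / baseline_pps.get(dst, 1.0)
        if ratio >= ratio_limit and len(agg["sources"]) >= min_sources:
            alerts.append({"dst": dst, "est_pps": agg["est_pps"], "ratio": ratio,
                           "distinct_sources": len(agg["sources"])})
    return alerts


# Constructed baselines (packets/second learned in quiet periods), using
# RFC 5737 documentation addresses.
BASELINE_PPS = {"203.0.113.10": 80.0, "203.0.113.20": 2000.0}

# Constructed one-minute export at 1-in-1000 sampling: normal HTTPS traffic to
# .10, and a flood against the web server at .20 from 150 different hosts.
SAMPLE_RECORDS = [
    FlowRecord("198.51.100.5", "203.0.113.10", 443, 2),
    FlowRecord("198.51.100.6", "203.0.113.10", 443, 2),
    FlowRecord("198.51.100.7", "203.0.113.10", 443, 2),
] + [FlowRecord(f"192.0.2.{i}", "203.0.113.20", 80, 40) for i in range(1, 151)]

if __name__ == "__main__":
    for a in detect_ddos(SAMPLE_RECORDS, BASELINE_PPS):
        print(f"ALERT {a['dst']}: ~{a['est_pps']:.0f} pps, {a['ratio']:.0f}x "
              f"baseline, from {a['distinct_sources']} sources")
```

The three benign flows to .10 estimate to about 100 pps against an 80 pps baseline and stay quiet, while the 150-source flood estimates to 100,000 pps, fifty times its baseline, and raises the single alert.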

The Future:
The development of faster and stronger DDoS attacks continues to loom over us all, with more IoT devices being developed every day and the ease of hiring botnet services. The sharp increase in the traffic used in these attacks is even more terrifying. Should this trend continue, the next attack may end up being one that cripples a large company, or even the internet.

(a) Osborne, Charlie. “The Average DDoS Attack Cost for Businesses Rises to over $2.5 Million.” ZDNet, ZDNet, 2 May 2017, www.zdnet.com/article/the-average-ddos-attack-cost-for-businesses-rises-to-over-2-5m/.

(b) Nassiri, Ahmad, et al. “5 Most Famous DDoS Attacks.” A10 Networks, www.a10networks.com/resources/articles/5-most-famous-ddos-attacks.


Cloud Access Security Broker: Keeping Confidential Information Confidential

In the past few years, the use of personal cloud storage has been on the rise, from Google Drive to Dropbox and even Microsoft OneDrive. These cloud storage options allow users to share data across computer systems, and while this can be seen as a boon to employee productivity, these services can become an IT security nightmare nearly overnight. Users, and more importantly employees, have these services installed on their personal cell phones, personal computers, and even their work computers.

Malicious or Accidental Exfiltration of Company Data?

Every company has different policies on how data is to be handled, but these policies are only as good as the tools and prevention measures that monitor and block malicious, or ignorant, use by employees. While a company may have measures in place to monitor malicious use or exfiltration of files and information, is it monitoring every possible aspect? USB devices may be disabled, but does the company have a way to monitor cloud storage, or even data already stored in the cloud? Who has access to the cloud storage that a company’s confidential data may be saved to? How would a company even know if its data was being saved to cloud storage by malicious, or even well-meaning, employees?

Even well-meaning employees can create compliance violations: a nurse or medical transcriptionist saving patient data to a personal cloud storage account could lead to hefty fines, as well as possible loss of contracts or of the ability to bid on future projects. With the average HIPAA fine currently at 1.5 million (a), these types of slip-ups can and have cost companies greatly.

BYOD is a lurking issue for cloud storage

More companies are switching to BYOD, or Bring Your Own Device, allowing users to access the company’s networks and data with their personal devices (b). These devices, often mobile devices, usually come preloaded with cloud access, be it Google Drive on Android devices or iCloud on Apple devices. While the rise in productivity seems to benefit companies, the potential for loss of confidential or proprietary data is greater under this policy.

How to guard against this?

The answer to these problems is a simple one: a CASB, or Cloud Access Security Broker. Gartner defines them as follows: “Cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.” (c)

Essentially, a CASB is a guardian of your company’s data that alerts on, and forbids, sensitive company, personal, or proprietary information being loaded onto unsanctioned cloud services.

These systems achieve this goal in different ways, from scanning the information passed through the network to checking the hashes of the files and information passing through the CASB. In the case of Netskope, a popular CASB solution, as well as several others, even the use of steganography is not enough to get past the system and exfiltrate data.

Cloud DLP

Not all data stored in the cloud is cause for alarm; however, it is still vulnerable to the same security issues. Companies that have adopted the practice will be relieved to know that many of the big players in the CASB market offer a form of cloud DLP.

Cloud DLP specifically protects companies that have moved to cloud storage by ensuring sensitive data is not stored in the cloud without first being encrypted, and is only sent to authorized cloud services. These Cloud DLP options will either alter or altogether remove the classified or sensitive information before it comes into contact with the cloud.

Some of the key benefits of this cloud DLP include:

  • Integration with cloud storage to scan servers, then identify and encrypt data
  • Continuous auditing of uploaded information
  • Instant alerts to the proper administrators when data has been put at risk

Think of Cloud DLP as a virtual security guard that checks the receipts of users taking files out into the world of the internet, ensuring nothing is taken that has not been approved.
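As an added example for the hash-checking and Cloud DLP behaviour described above (written for this page, not Netskope’s or any vendor’s code), the following Python models the decision a broker makes on one outbound upload: block a file whose hash matches a confidential fingerprint, block cardholder data bound for an unsanctioned service, and mask it before it reaches a sanctioned one. The sanctioned host, the fingerprint set and the sample payloads are constructed, and the card number used is the well-known 4111 test value rather than a real account.

```python
# Added example: a minimal Cloud DLP / CASB upload decision of the kind
# described above (hash fingerprinting of known-confidential files, plus
# detection and masking of cardholder data before an upload reaches the
# cloud). Not Netskope's or any vendor's code; policy and payloads are constructed.
import hashlib
import re

# Constructed policy: the one company-approved cloud storage host.
SANCTIONED_HOSTS = {"drive.example-corp.com"}

# Constructed fingerprint set: SHA-256 of files classified as confidential.
CONFIDENTIAL_DOC = b"ACME internal - merger plan v3 (constructed sample)"
CONFIDENTIAL_HASHES = {hashlib.sha256(CONFIDENTIAL_DOC).hexdigest()}

# Candidate card numbers: 13-16 digits, optionally separated by spaces/dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits):
    """Luhn checksum: separates real PANs from order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask(match):
    """Mask all but the last four digits of a Luhn-valid PAN, keeping separators."""
    text = match.group()
    digits = [c for c in text if c.isdigit()]
    if not luhn_ok("".join(digits)):
        return text  # not a card number, leave it alone
    keep_from, seen, out = len(digits) - 4, 0, []
    for c in text:
        if c.isdigit():
            out.append(c if seen >= keep_from else "X")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def evaluate_upload(host, content):
    """Return the broker's decision for one upload: block, redact, alert or allow."""
    if hashlib.sha256(content).hexdigest() in CONFIDENTIAL_HASHES:
        return {"action": "block", "reason": "fingerprinted confidential file",
                "content": None}
    text = content.decode("utf-8", errors="replace")
    masked = PAN_RE.sub(_mask, text)
    has_pan = masked != text
    if host not in SANCTIONED_HOSTS:
        if has_pan:  # forbid cardholder data leaving for an unsanctioned service
            return {"action": "block", "reason": "cardholder data to unsanctioned service",
                    "content": None}
        return {"action": "alert", "reason": "unsanctioned cloud service", "content": content}
    if has_pan:  # sanctioned destination: alter the data before it reaches the cloud
        return {"action": "redact", "reason": "cardholder data masked", "content": masked.encode()}
    return {"action": "allow", "reason": "", "content": content}
```

The Luhn check is what keeps a sixteen-digit order number from being treated as a card number, so ordinary business documents pass through untouched while a real PAN is masked to its last four digits.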

The Big Players in CASB

According to the Gartner Magic Quadrant, there are four big players currently in the CASB market:

  • Netskope offering multiple built-in and tenant-specific threat intelligence feeds.
  • McAfee, with their recently acquired Skyhigh Networks, offering the ability to create Data Loss Prevention policies without the need for coding, allowing a recording extension to observe the behavior as the app is invoked.
  • Bitglass offering the ability to include enterprise digital rights management within their Data Loss Prevention policies.
  • Symantec offering a large range of predefined DLP selectors based on compliance, and other common factors.

Resources

(a) Sivilli, F. (2018, September 17). Average HIPAA Violation Fine now $1.5 Million. Retrieved from https://compliancy-group.com/average-hipaa-fine-is-now-1-5-million/

(b) BYOD Statistics Provide Snapshot of Future. (n.d.). Retrieved from https://www.insight.com/en_US/learn/content/2017/01182017-byod-statistics-provide-snapshot-of-future.html

(c) Cloud Access Security Brokers – CASB – Gartner tech definitions. (2018, February 08). Retrieved from https://www.gartner.com/it-glossary/cloud-access-security-brokers-casbs/


Halting Hackers: Safety Secured.

The world is evolving into a hyper-connected one, where what only a few years ago seemed like science fiction is becoming reality thanks to IoT devices. These IoT devices range from refrigeration systems and automated manufacturing systems to medical systems; even coffee pots are connected.

Introduction

Medical systems are becoming the largest front-runner in this world, with recent reports pointing to over 3.7 million medical devices being used to monitor the health of patients all over the world, [1] and the number is growing. However, as the IoT device market grows, the security risks affecting these devices inevitably increase as well.

While securing regular systems is a daunting task in a world where even cyber-attacks are becoming automated, securing IoT systems compounds the difficulty exponentially, because the devices rarely have built-in or even third-party defenses such as anti-malware. With medical equipment being used to monitor vitals, 3D print heart valves, and assist in surgery via robots, the risk of not securing these devices has risen far beyond the loss of PII or HIPAA violations.

An attacker gaining access to a patient’s vitals with intent to manipulate the output is a scary thought. An attacker accessing the network connected to a 3D printer being used to print a heart valve, and disabling its temperature safety features, could potentially cause a fire within a lab, which would be utterly terrifying.

Past vulnerabilities within IoT devices

IoT devices have already seen their fair share of “newsworthy” attacks. However, these are merely the ones detected, or at the very least reported.

The Mirai Botnet
In 2016, the most massive DDoS attack ever was launched against the service provider Dyn using an IoT botnet. This attack crippled a large portion of the internet, including Twitter, the Guardian, Netflix, Reddit and CNN, proving that no one is truly immune to DDoS attacks. Attackers were able to control these IoT devices using malware dubbed Mirai. Once present on a system, the malware continuously scanned the internet for vulnerable IoT devices, attempting default usernames and passwords to log in to them. Such a wide variety of IoT devices were used in the attack that it was impossible for companies to merely patch or update the systems.

Cardiac Devices at St. Jude
In 2016, the FDA confirmed that St. Jude Medical’s cardiac devices contained vulnerabilities that could allow an attacker to gain access to the device. [2] An attacker controlling these devices could purposefully administer incorrect pacing or shocks. The implications of cardiac devices malfunctioning due to attacker intervention are staggering.

Importance of IoT security within the medical field

While securing IoT devices is important for every owner, failing to do so within the medical field carries higher consequences.

Healthcare breaches are on the rise, and those breaches have resulted in the theft or exposure of at least 176,709,305 healthcare records. [3] The average settlement for these HIPAA violation cases is $500,000.00 USD.

Most IoT medical devices contain PII about the patient they are attached to at that moment. Beyond the “doomsday” scenarios of further injury to patients from attackers gaining control, HIPAA violations are the more realistic and more prevalent issue facing the medical field concerning IoT devices.

Securing the IoT

As with all systems, there are a few key ways to best guard your systems from attackers, and IoT devices are no exception.

1. Don’t connect the IoT devices to your network unless necessary
2. Create a separate network from your main network
3. Change the default passwords of your IoT devices
4. Ensure firmware upgrades are installed
5. Keep personal devices separate from work IoT devices
6. Track and assess all company-owned IoT devices

However, these steps are only the beginning, and with most IoT healthcare devices needing a constant network connection, these steps may not be appropriate for the needs of the business.

All is not lost, though, as there is monitoring software that will secure and protect IoT devices from outside influences. While IoT security is a hot commodity at the moment, there are three major players in the IoT security game: Zingbox, CloudPost and Medigate. These are early-stage providers of IoT cyber security products which specialize in healthcare.

With Secure Nation’s team of skilled IT security experts and their background in IT management, information security, risk assessment, security policy audit and development, penetration testing, overall network design and project management, you’re in good hands. We help you build a stronger information security and technology program. We work not only to strengthen your compliance status, but also to heighten your overall security posture without increasing cost.

References
[1] Internet of Things (IoT) Healthcare Market is Expected to Reach $136.8 Billion Worldwide, by 2021 https://www.marketwatch.com/press-release/internet-of-things-iot-healthcare-market-isexpected-to-reach-1368-billion-worldwide-by-2021-2016-04-12-8203318

[2] FDA Warns St. Jude Pacemakers Vulnerable to Hackers | Inc.com. https://www.inc.com/willyakowicz/fda-warns-st-jude-pacemaker-vulnerable-to-hackers.html

[3] Sivilli, F. (2018, July 31). HIPAA Violation & Breach Fines | List of HIPAA Violations. Retrieved from https://compliancy-group.com/hipaa-fines-directory-year/
