
A No Nonsense Approach to Objectively Evaluating Your Information Security


Businesses and organizations are under siege today, constantly being attacked by outside actors who attempt to steal information, disable networks, and interrupt business activities. Small and medium organizations suffer a disproportionately large per capita impact from such attacks, estimated at $1,513 versus $517. Why does this lack of security focus happen? To summarize expert opinion, the primary reasons for lack of information security adoption in small businesses and organizations are:

• Too expensive
• Don't know where to start
• Lack of dedicated technology staff

The purpose of this white paper is to dispel those concerns, and to demonstrate how much of an improvement in information security can be achieved simply with a bit of focus. The paper presents a 30 point checklist that organizations can apply themselves to evaluate their security posture. The commentary for each item includes practical recommendations, and references to useful software and resources, often free.

Unlike many white papers, this one is intended to be detailed, specific, and not at all focused on marketing products or services.

This full document is available for download using the following link:

http://www.togocio.com/#!wp/c1xsz



A No Nonsense Approach to Objectively Evaluating Your Information Security Readiness
Robert C. Covington, togoCIO, 3/19/2015
A No Nonsense Approach to Objectively Evaluating Your Information Security Readiness © 2015, togoCIO. All rights reserved. Page | 2

CONTENTS

The Problem
  So, Why Worry About It?
  The Case for Taking Action
  How We Approach the Problem
  How Can You Do What We Do?
The Approach
The Checklist
  Security Policy
    1) Does a Written Policy Exist?
    2) Does an Update Process Exist?
    3) Is the Policy Available to Employees?
  Employee Awareness
    4) Is A Security Training Program in Place for All Employees?
    5) Is The Training Program Reviewed and Updated At Least Yearly?
    6) Are New Employees Given Training or Policy Documents When They Start?
  Credential Management
    7) Are Minimum Password Standards Enforced?
    8) Are Regular Password Changes Required?
    9) Is a Formal Offboarding Process in Place?
    10) Is Employee Access Restricted to Only the Information Needed to Do Their Jobs?
  Server Security
    11) Have All Server Default Passwords Been Changed?
    12) Are Server Patches Up to Date?
    13) Are Server Logs Routinely Monitored?
    14) Is Key Server Data Encrypted?
  Workstation Security
    15) Is Anti-Virus Software Installed and Updated on EVERY Workstation?
    16) Is a Patch Management Process in Place?
  Network Security
    17) Is a Firewall in Place with Current Firmware?
    18) Are Firewall Logs Regularly Reviewed?
    19) Is a Regular Penetration Test Performed?
  Wireless Security
    20) Is Your Wireless Network Secured with Appropriate Encryption?
    21) Are Guests Restricted From Accessing Organization Systems?
  Physical Security
    22) Can a Visitor Enter the Building Without Passing Through a Controlled Door?
    23) Are Cameras Used in Key Areas?
    24) Is an Intrusion Alarm System in Place, Using Unique Codes?
    25) Are Confidential Documents Shredded Appropriately?
  Risk Management
    26) Are Regular Backups Performed?
    27) Are Backups Stored Offsite?
    28) Are Backups Regularly Tested?
    29) Does a Bring Your Own Device (BYOD) Policy Exist?
    30) Does a Disaster Recovery Plan Exist?
In Summary
About togoCIO
Table of Authorities
The Problem

Businesses and organizations are under siege today, constantly being attacked by outside actors who attempt to steal information, disable networks, and interrupt business activities. According to the PwC US State of Cybercrime Survey, in 2014 three in four (77%) respondents admitted having detected a security event in the past 12 months, and more than a third (34%) said the number of security incidents detected increased over the previous year. [1]

Small and medium organizations suffer a disproportionately large per capita impact from such attacks, estimated at $1,513 versus $517. [2] A major part of the problem relates to their poor adoption of security and risk management practices. A recent McAfee study showed that more than 90% of such organizations did not protect their data. [3]

Why does this lack of security focus happen? According to government experts in the UK, a quarter of small businesses think cyber security is too expensive. At the same time, 20% admit that they don't know where to start. [4] At least somewhat complicit in this problem is the fact that most such organizations don't have in-house staff devoted to information security to warn of the dangers, or to implement controls. In many cases, they don't have in-house technology staff at all.

So, to summarize expert opinion, the primary reasons for lack of information security adoption in small businesses and organizations are:

• Too expensive
• Don't know where to start
• Lack of dedicated technology staff

The purpose of this white paper is to dispel those concerns, and to demonstrate how much of an improvement in information security can be achieved simply with a bit of focus.
Throughout this white paper, we will refer to Small and Medium Organizations as SMOs, which we define as a business or not-for-profit organization with fewer than 100 employees.

So, Why Worry About It?

Statistics can be interesting and informative, but how do the above numbers really impact your SMO? After all, Target, Anthem, Home Depot, etc. all seemed to weather their recent breaches without incident. Target just agreed to settle their outstanding lawsuits for up to $10,000 each, totaling over $10 million. [5] To them, and the other behemoths, this amounts to a drop in the bucket. Can your SMO afford a $10,000-per-customer settlement? Worse yet, can you afford the loss of customers that would likely occur if you allowed their personal data to be compromised?

The Case for Taking Action

Can you buy and install security products that will eliminate all of your information security risks? In a word, no, at least not completely. If the large enterprises with huge IT budgets can't, it is unlikely that your SMO can. It seems like a lost cause from the start, and thus many SMOs just ignore the problem.

We in the SMO world have some advantages over the big guys, however:

1. We are small and nimble, adapting quickly to the need for change
2. Our IT infrastructures are simpler and easier to secure
3. We are far less visible to the hacking community

A recent article in Security Week [6] breaks intrusion threats down into three categories:

1. Generic - Opportunistic, non-targeted threats. These are the drive-bys of the hacker world. Hackers are looking to break into something, and happen upon your network.
2. Targeted - These attacks are aimed directly at you for one reason or another. Hackers want something they think you have, and they are after you to get it.
3. Invasive - These attacks are the "in-laws" of the hacking world. They come to stay awhile. They want not only what you have today, but what they think you will have next month. They work to hide the footprints indicating their presence.

Large corporations are the primary victims of Targeted and Invasive attacks. They are well known, very visible, and have many potential points of vulnerability. As noted above, for the SMO world, our lack of visibility is a significant advantage. We are unlikely targets for Targeted and Invasive attacks. Our primary concern is Generic attacks, and to a much smaller degree, Targeted attacks.
So, in the midst of all of the scary statistics and disturbing news reports, the good news is that we in the SMO world can eliminate much of our risk by following basic security practices. We are not as good a match for a determined and well-funded hacking organization, but they are not very likely to come after us.

Don't underestimate the risk of a generic attack, however. Much of the initial discovery aspect of hacking is done via automation. Hackers write programs that attempt access to IP addresses in sequence, utilizing standard techniques and known vulnerabilities. Any responses are logged, and later used by a human for a more in-depth attack. If you have any doubt, a quick review of your server or firewall log will remove it. A SaaS company for which we managed security was subject to almost continuous probes, primarily from outside the United States.

How We Approach the Problem

In our many years of experience securing SMOs, we have developed a scorecard to aid in the objective evaluation of an organization's security posture. Our Business Security Review service uses this scorecard to provide a quick and affordable analysis of their current exposure. Based on our expertise and years of experience, we can tell fairly quickly whether an SMO has a significant exposure, and just as quickly advise them about the changes they need to make to resolve it. Using this approach, a significant improvement can be achieved in a short time.

Another advantage we have lies in our experience recommending and implementing cost-effective solutions. Fixing the problem does not have to cost a fortune. Many recommended changes don't even involve writing a check.

How Can You Do What We Do?

The good news is that there is nothing magic in what we do for SMOs. Given our concern for the victims of cybercrime, we willingly share what we have learned with those who want it. Armed with our checklist, along with some objectivity, you can do it for yourself. The purpose of this white paper is to arm you with the criteria you need to make such an evaluation of your own situation. If we have done our job right, you will be able to review your information security (infosec) posture, and have a good idea about where to start in correcting any deficiencies.
Should you do it yourself? In a perfect world, I would say no. You are up against a well-funded and highly trained hacking community, with their own marketplace, tech support organizations, and in some cases, support from foreign powers. It is also hard for you to be completely objective about your own situation. Realistically, however, funds are often tight, and most SMOs have grown up doing for themselves. As such, it is critical that you conduct such an analysis, and doing it yourself is far better than not doing it at all.

The Approach

First, you need to be prepared to forget for a time everything you know, or think you know, about your infosec posture. You must be able to see your situation with the eyes of an outsider. As an example, you may assume that since you pay for 100 copies of anti-virus software, your workstations are protected. To succeed with your analysis, you must be able to forget this, and check your workstations as an outsider with no knowledge of your anti-virus licenses would. You may well be surprised at what you find.

Next, you must be able to block out enough time to conduct the review in a reasonable period. Since infosec is not your full-time job, it is easy to get distracted by other business. Such distractions can prevent you from completing the project. Schedule some time, and knock it out quickly.

Third, when you reach your conclusions, act on them! I have worked with many SMOs that have paid consultants to make recommendations, and then put the documents on the shelf, never to be looked at again. Analysis is only half the battle. You must follow through and correct the identified issues. These changes may seem daunting, but you probably already have an organization or individuals handling information technology functions for you, and they can generally be called upon to implement the changes you decide on. Don't let your lack of hands-on knowledge dissuade you.

It is helpful to document your approach and findings as you go. This helps to make sure you have covered everything, and that all identified issues have been addressed. This process will need to be repeated regularly, and the documentation you create will help you to do it efficiently in the future.
The Checklist

The checklist that follows represents over 20 years of combined infosec experience, primarily focused on the SMO world. It is consistent with most current compliance standards, including PCI, HIPAA, and SOX. The security infrastructure created using this approach has withstood audits by large enterprises, and government and private agencies. Note that what you see below is a slightly simplified version of the one we use in practice.

The checklist is broken down into major areas, and within each area, its significant analysis points. Within a heading, individual points are shown in order of importance, based on our experience. For each point, we attempt to tell you why it is important, and how to correct deficiencies.

One caveat: infosec is a world unto itself, meaning that you could read a 5,000-page manual and still not have all of the information you need. As such, we cannot hope to give the subject complete treatment in a short document. Our intent is to "hit the high points", allowing you to address your major exposures. You need to consider the specific needs dictated by your business and industry, and apply additional standards and objectives as appropriate.

Now, without further interruption, the checklist:

Security Policy

Every organization, regardless of size, needs a written security policy. This is the area where we usually get the most push back from SMOs. Such organizations often assume that since they are small, this can be accomplished via "oral tradition". This may work for an organization with just a few employees. The problem is that as growth occurs, they never go back and write it all down. The result is a larger number of employees playing by their own rules.

An additional justification relates to the supervision of contractors and vendors. They must play by your rules as well, or you are just as exposed as you would be from an employee's failure to follow policy. Your rules need to be written down and provided to them, so that they know how to conduct business on your behalf. There are many other justifications, including consistency, basis for disciplinary action, awareness, and demonstration of management commitment. [7]

If you don't have such a policy, don't despair. Templates are readily available on the Internet, either free or for a small fee. With a little effort, you can build a policy out of such a template. You can also hire an organization to customize a policy document for you.

1) Does a Written Policy Exist?

This is an easy analysis point. Either it exists, or it doesn't. If not, you need one. The process of producing one is a bit easier than it seems. There are a variety of templates available on the Internet that you can download and modify to meet the requirements of your organization. As an example, Entrepreneur Magazine has a reasonable version. [8]

2) Does an Update Process Exist?

Your business is not static, so your security policy cannot be either. Resolving this can be as easy as making an entry on your calendar every 6 months to review the document, and update as necessary.

3) Is the Policy Available to Employees?

Your policy accomplishes nothing sitting on your shelf. Make sure your employees have access to it, and read it. Make it available to your vendors as well, and let them know that they are expected to follow it.

Employee Awareness

Many security breaches result from inadvertent failures by employees. The Anthem data breach, which resulted in a huge disclosure of personal information, is believed to have been caused by employees following a counterfeit link to a fake domain in an official-looking email. [9] You cannot assume that your employees know what to do to keep your organization safe. It is essential, through formal training and other practices, to help them understand the risks, and how they can address them. A recent study by Carnegie Mellon University [10] clearly demonstrated a reduction in employees clicking on phishing links after specific training.

4) Is A Security Training Program in Place for All Employees?

This is critical to your infosec program, whether you have 5 employees or 500. If you don't have such a program, you can find templates online, buy pre-packaged programs, pay someone to handle the training for you, or do train-the-trainer. One example is a complete program, including posters and handouts, available for free from Sophos. [11]

Here are a few training program tips learned from personal experience:

• Make it fun - you can use games, humor, etc. to engage employees
• Make the case - help your employees understand how their participation helps the organization, and how lack of attention to it increases risk
• Bring food - as Mary Poppins would say, "Just a spoonful of sugar..."
• Door prize - I always bring a door prize as an extra incentive for people to attend

5) Is The Training Program Reviewed and Updated At Least Yearly?

Very simple: we live in a changing world. Your training program must grow and evolve along with your company.

6) Are New Employees Given Training or Policy Documents When They Start?

Don't wait for the next round of training. Hand them your policy document when they start, and put them through your training program as soon as practical.

Credential Management

The lifeblood of any organization is the systems they use. These systems contain the information necessary to run the business and keep track of customers. Such systems are effectively the end game for any hacker. It is essential that you protect and control access to such systems, and restrict employees to only the information they need to do their jobs.

There is a relatively new class of products, called identity management systems, that can help with a number of aspects of credential management. They allow employees to log in to all web-based applications from a central portal. They also support automation of employee onboarding and offboarding, and can help to enforce minimum password standards, as well as grouping employees for access rights. We have been very successful in the use of one such product, Okta. [12]
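The phrase "enforce minimum password standards" above (and item 7 below) means the check is done by software at the moment a password is set, not by a sentence in a policy document. The following is an added example, not code from the white paper or from any product it names, showing what such a check looks like. The deny list is a small constructed excerpt of the kind of list SplashData publishes; the 12-character minimum, the sample passwords and the username are assumptions for the example. The point worth noticing is the normalization step: attackers' wordlists already include the capitalized, "@ for a" and "add 2015!" variants of common passwords, so a checker that compares only the raw string would wave "P@ssw0rd2015" through.

```python
import re

# Constructed excerpt of a common-password deny list. A real deployment loads a
# full published list (for example SplashData's yearly top 100) from a file.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "abc123",
    "letmein", "monkey", "dragon", "master", "sunshine", "iloveyou",
}

MIN_LENGTH = 12  # assumption: the minimum length chosen for this example policy

# Cheap substitutions people use to slip past a deny list. Attackers' cracking
# rules undo the same ones, so the checker must undo them too.
LEET = str.maketrans("@$!01345", "asioleas")


def candidates(pw):
    """Forms of the password that an attacker's mangled wordlist would also try."""
    lowered = pw.lower()
    # Drop a trailing year, digit run or punctuation ("welcome2015!" -> "welcome").
    stripped = re.sub(r"[\d!@#$%^&*.?]+$", "", lowered)
    return {lowered, stripped, stripped.translate(LEET), lowered.translate(LEET)}


def check_password(pw, username=None):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isdigit():
        problems.append("digits only")
    if any(form in COMMON_PASSWORDS for form in candidates(pw)):
        problems.append("matches a common password once case, suffix and leet tricks are undone")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    # Constructed candidates a user might type; "bob" is an assumed username.
    for pw in ["123456", "P@ssw0rd2015", "Bob2015!!", "correct horse battery staple"]:
        verdict = check_password(pw, username="bob") or ["ok"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

Wire a function like this into whatever sets passwords (the directory's password filter, the application's signup form, or the identity management product's policy settings) so that the rule is applied every time, with no exceptions for executives.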
7) Are Minimum Password Standards Enforced?

I hate password standards as much as anyone, but a good password is essential. According to security organization SplashData [13], the most common password is still "123456". A good hacker always starts with the list of common passwords, and many succeed without employing stronger measures. Enforce the standard in the system itself (directory policy, application settings, or the identity management product) rather than relying on people to remember it, and reject passwords that appear on published common-password lists, not just ones that are too short.

8) Are Regular Password Changes Required?

This item is obviously unpleasant, but nonetheless necessary. This requirement should be enforced by your network and applications, where possible. One caveat: later guidance (NIST SP 800-63B, 2017) advises against forced periodic changes, which push people toward predictable variations of the old password, in favor of a required change whenever there is evidence of compromise. Whichever rule you adopt, make sure a suspected breach triggers an immediate reset.

9) Is a Formal Offboarding Process in Place?

A surprising number of organizations fail to disable system access when an employee leaves the organization. Given the growing number of cloud-based systems in use, it is very easy to miss one when removing access. If, for example, you lose a salesperson, their continued access to your CRM system could result in the loss of customers. You need, at a minimum, a checklist of all systems. When someone leaves the organization, disable their access to every system on the list, and file the completed checklist in their personnel file.

10) Is Employee Access Restricted to Only the Information Needed to Do Their Jobs?

Don't provide blanket system access to employees. Give them just what they need to do their jobs. We have had an old saying in the infosec world for many years: "stinginess with privilege is kindness in disguise." That could not be more true today.

Server Security

It is especially important to properly secure any servers in use within your SMO. This seems like it goes without saying, but we continue to be amazed at how many poorly secured servers we find. The material in this section applies to cloud-based systems and servers as well.

11) Have All Server Default Passwords Been Changed?

No server should have the original or default passwords. Hackers read the manuals, and they know the defaults. The same applies to passwords for any network devices. In conducting a security analysis for a customer recently, we broke into their wireless network within about 30 seconds because the default password was in use.

12) Are Server Patches Up to Date?

A large percentage of security breaches occur because a hacker who gets into a network is able to access information on a server via known vulnerabilities. HP's recent Cyber Risk Report 2015 [14] showed that most of the vulnerabilities exploited in 2014 were years or even decades old, with patches readily available. Again, this recommendation applies to network devices. In just the past few weeks, D-Link was forced to release patches for various network devices for vulnerabilities rated 10 out of 10 by the United States Computer Emergency Readiness Team (US-CERT). [15] Based on our experience, very few device owners will ever apply these patches.

13) Are Server Logs Routinely Monitored?

In many cases, server logs will show you that hacking attempts are occurring before they succeed. They can also be helpful in identifying server hardware issues before they become serious. Sadly, most such logs never get opened. There are a large number of products on the market to handle log consolidation, and in some cases log analytics. [16] These systems gather entries from logs on various systems, and consolidate them into a single log. This makes log review quicker and easier. In some cases, there are packages to perform some analytics, allowing them to highlight the entries of particular concern.
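The two things a routine log review is looking for (this item, and the firewall-log review under item 18, which points back here) can be spotted with a few lines of code even before buying a log analytics product. The following is an added example, not from the white paper or from any product it names. It reads constructed sshd and firewall log lines, flags a source address that fails many logins inside a short window, and flags a source whose dropped packets touch many distinct ports, which is the automated address-and-port sweep described earlier in this paper. The sample lines, the thresholds and the 2015 year (syslog timestamps carry no year) are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an sshd auth log in syslog format; not from any real system.
AUTH_LOG = """\
Mar 19 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 19 10:00:03 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar 19 10:00:05 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 19 10:00:07 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar 19 10:00:09 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
Mar 19 10:00:11 web1 sshd[2106]: Failed password for invalid user oracle from 203.0.113.5 port 51239 ssh2
Mar 19 10:15:40 web1 sshd[2200]: Failed password for bob from 192.0.2.44 port 40022 ssh2
Mar 19 10:16:02 web1 sshd[2201]: Accepted password for bob from 192.0.2.44 port 40023 ssh2
Mar 19 11:00:00 web1 sshd[2300]: Failed password for invalid user admin from 198.51.100.9 port 33000 ssh2
Mar 19 13:00:00 web1 sshd[2301]: Failed password for invalid user admin from 198.51.100.9 port 33001 ssh2
"""

# Constructed sample of iptables/ufw drop records as syslog writes them; not from any real firewall.
FW_LOG = "\n".join(
    [f"Mar 19 02:11:{i:02d} fw1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT={port}"
     for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])]
    + ["Mar 19 02:30:00 fw1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.200 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=3389",
       "Mar 19 02:30:09 fw1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.200 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=3389",
       "Mar 19 03:00:00 fw1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353"]
)

SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_ts(text, year=2015):
    """Syslog timestamps have no year; the caller supplies it (assumed 2015 here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def failed_logins_by_source(auth_log):
    """Map each source IP to the sorted timestamps of its failed sshd logins."""
    fails = defaultdict(list)
    for line in auth_log.splitlines():
        m = SSH_FAIL.match(line)
        if m:
            fails[m["src"]].append(parse_ts(m["ts"]))
    return {src: sorted(times) for src, times in fails.items()}


def brute_force_sources(auth_log, threshold=5, window_seconds=60):
    """Sources with at least `threshold` failures inside any window; value is the peak count.

    The window matters: two failures hours apart are a typo, six in ten seconds are a tool.
    """
    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, times in failed_logins_by_source(auth_log).items():
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward past stale failures
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[src] = peak
    return hits


def port_sweep_sources(fw_log, min_ports=8):
    """Sources whose dropped packets touched at least `min_ports` distinct (protocol, port) pairs.

    Repeated hits on one port are noise or a single targeted probe; many distinct ports
    from one address are the automated sweep described earlier in the paper.
    """
    seen = defaultdict(set)
    for line in fw_log.splitlines():
        # iptables LOG lines are KEY=VALUE tokens; ignore tokens without "=" (hostname, "[UFW", etc.).
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "SRC" in fields and "DPT" in fields:
            seen[fields["SRC"]].add((fields.get("PROTO"), fields["DPT"]))
    return {src: len(ports) for src, ports in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, n in brute_force_sources(AUTH_LOG).items():
        print(f"ssh brute force: {src} ({n} failures within 60s)")
    for src, n in port_sweep_sources(FW_LOG).items():
        print(f"port sweep: {src} ({n} distinct ports)")
```

Run against real files by replacing the constructed strings with the contents of /var/log/auth.log and the kernel log, and run it from a nightly job that emails the two result lists; an empty email is itself useful evidence that the logs were actually looked at. The same two questions (how many failures from one address in a short time, and how many distinct ports from one address) are what a hosted log analytics product is answering with its alert rules.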
One example of a hosted log consolidation product is Loggly [17], a cloud-based system with free and purchased versions available.

14) Is Key Server Data Encrypted?

If you store Personally Identifiable Information (PII) for customers or employees, it needs to be encrypted, in case the server is compromised. Fortunately, many server operating systems (including Windows) have some encryption capabilities built in. These features just need to be enabled. [18] Keep in mind what disk-level encryption does and does not cover: it protects data on a drive or backup that walks out the door, but once the server is running with the volume unlocked, an attacker who gets onto it sees the same plaintext the applications do. For the most sensitive fields, encrypt in the application as well, with the keys kept somewhere other than the server that holds the data.

Workstation Security

Your PCs connect to your network and systems. A compromised PC can allow a hacker to gain access to everything to which it is connected. Many vulnerabilities result from web sites visited, or files downloaded, making PCs the front line of your cyber war battle.

15) Is Anti-Virus Software Installed and Updated on EVERY Workstation?

This seems obvious, but is overlooked with surprising frequency. Don't forget that even if a PC came with such protection, it usually expires after some number of months, and must be renewed. According to a recent article by Tom's Guide [19], expired anti-virus software is no better than none at all. Buy a uniform package for all of your PCs, and make sure it stays deployed on all PCs. For small organizations, Microsoft allows their Security Essentials product to be used without charge for up to 10 workstations. [20]

16) Is a Patch Management Process in Place?

New vulnerabilities are found in operating systems and software every week. Even Apple, once considered immune to such issues, is now releasing frequent patches. It is essential that each PC on your network have patches applied as they are released. Some process must exist to check them periodically to ensure this is happening. If this seems like a daunting process, you will be relieved to know that a variety of products exist to simplify it. As an example, ManageEngine offers such a product with additional asset management features, which is free for up to 25 workstations. [21] Dell offers an express version of their excellent KACE asset management product as a free download. [22]

Network Security

You probably don't leave the front door to your house unlocked, and neither should you fail to give proper attention to the security of your network, which is the front door to your business technology. This is arguably the easiest part of this checklist to address, because of the robust set of products available to do it.
17) Is a Firewall in Place with Current Firmware?

If I was only able to make one recommendation, it would be to install and maintain a good firewall. This device provides strong protection for your network, filtering outside attacks, and in many cases blocking infected files and sites your employees attempt to access. Do NOT rely on the router provided by your Internet Service Provider. In a recent blog post, we pointed out that Comcast for some time has been allowing public access to private customer routers. [23] Also, do NOT go to the office supply store and buy the cheapest thing they have. This is the place to spend a major part of your technology budget. While there are many good products on the market, we have had good experience with the Dell SonicWall line of firewalls for the SMO market (full disclosure: we do NOT sell products, so we have no economic bias in our recommendations). Fortinet also makes a good firewall series.

Just as you must change the oil in your car, you must keep your firewall firmware up to date. Most firewall products can automatically download new threat signatures, but firmware must normally be applied manually. Add this to your calendar as an item to be regularly checked.

18) Are Firewall Logs Regularly Reviewed?

Firewall logging can be your attack early warning system. If you keep an eye on these logs, you will know if attempts are made to attack your network. Again, there are numerous products and services available to help simplify this process. We break out firewall logging as a separate item because of its criticality. Many of the products that perform log consolidation will incorporate firewall logs as well. See the commentary on item 13 for more information.

19) Is a Regular Penetration Test Performed?

Despite your best efforts, your network may inadvertently be exposed to outside attack. The only way to know for sure is to perform a penetration test, which is an intentional, authorized attempt to break into your network, thereby identifying any vulnerabilities. Such checks are a basic element of the major compliance standards, including HIPAA and PCI. A variety of organizations offer this as a service. There are also online tools to help with this. One of my favorites is Pentest-Tools, which offers some basic checks without charge. [24] While we like the self-service tools for quick, frequent checks, there is no substitute for periodic professional checks. Whoever performs the test, put the scope and the authorization in writing before anything is scanned, and re-test after the findings have been fixed.

Wireless Security

A wireless network can unintentionally be an invitation to the world to come on in, probably not the message you intended to send when you set it up. A wireless network can leave you very vulnerable, since it is readily accessible from outside of your physical walls. It is essential to use a secure encryption standard and a strong access password.

20) Is Your Wireless Network Secured with Appropriate Encryption?

A system known as WEP was a common wireless standard for some time, and can still be found in use today. Sadly, it is an easily breached system. In fact, you can readily find software online which can recover a WEP key. It is essential that you use WPA2 or better encryption, with a strong password. When configuring WPA2, choose AES (CCMP) rather than the older TKIP cipher, and use a long passphrase: WPA2 with a pre-shared key is only as strong as that passphrase, because the handshake can be captured from outside the building and the passphrase guessed offline. This may seem obvious, but don't post the password in your facility. One major wireless router manufacturer generates a random default password for their units (a good thing), and puts it on a label on the outside of the unit. We found one customer recently who still had the label on the unit, for all visitors to see.

21) Are Guests Restricted From Accessing Organization Systems?

If you allow visitors to access your wireless network, they need to be restricted to accessing only the Internet. A rogue visitor with your primary wireless password can continue to access your network after they walk out the front door, and can use this to attack your systems. Many wireless access points have the ability to provide restricted guest services.
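As an added illustration (not from the white paper, and not any vendor's configuration), here is what the settings behind items 20 and 21 look like in hostapd, the access-point daemon used on Linux-based access points. The first fragment is the weak WEP configuration to get rid of; the second is a corrected WPA2 configuration with a separate guest SSID on the same radio. The two are alternatives, not one file. SSIDs, passphrases, interface and bridge names are placeholders, and whether one radio can host a second BSS depends on the wireless driver.

```ini
# --- Weak: WEP with a static key. The key is recoverable with freely available tools. ---
interface=wlan0
driver=nl80211
ssid=ACME-Office
hw_mode=g
channel=6
auth_algs=1
wep_default_key=0
wep_key0="abcdefghijklm"

# --- Corrected: WPA2 with AES/CCMP only (no TKIP fallback) and a long passphrase. ---
# wpa_key_mgmt=SAE would give WPA3 instead where every client supports it.
interface=wlan0
driver=nl80211
ssid=ACME-Office
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# Placeholder passphrase; hostapd accepts 8 to 63 characters. Use a long random one.
wpa_passphrase=correct-horse-battery-staple-2015
# Protected management frames, optional so that older clients can still connect.
ieee80211w=1

# Guest network as a second BSS on the same radio: its own passphrase, clients kept
# from talking to each other (ap_isolate), and traffic placed on a separate bridge.
# The "Internet only" rule for br-guest lives on the firewall, not in this file.
bss=wlan0_1
ssid=ACME-Guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=guest-passphrase-changed-monthly
ap_isolate=1
bridge=br-guest
```

On a consumer or small-business access point the same three choices appear as menu items: security mode (WPA2-AES, never WEP or WPA/TKIP), a guest SSID with client isolation, and a firewall rule that lets the guest network reach only the Internet.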
These features just need to be enabled. Physical Security With all of our focus on infosec, it is easy to overlook basic physical security. Someone gaining access to your office can easily bypass just about any infosec control you put in place. A stolen laptop, server, or removable disk can provide a wealth of saleable information to a hacker.
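Before moving on, items 20 and 21 above can be turned into a repeatable check. The script below is an added example, not part of the white paper: it audits a hostapd configuration (hostapd is the usual Linux access point daemon) for WEP keys, a missing WPA2 setting, the legacy TKIP cipher, a short passphrase, and a guest SSID without client isolation or its own bridge. The two sample configs, the SSID name and the passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the white paper). Audits a hostapd.conf, the
# config of the usual Linux access point daemon, for the wireless
# weaknesses in items 20 and 21. Sample configs below are constructed.

# Print one finding per line and return 1 when the config is weak;
# print nothing and return 0 when it passes.
audit_hostapd_conf() {
    conf="$1"
    findings=""
    # Item 20: any WEP key fails outright, and wpa=2 (RSN, i.e. WPA2;
    # WPA3/SAE also runs under wpa=2) must be selected. wpa=1 or wpa=3
    # would still permit legacy WPA clients.
    grep -Eq '^wep_key[0-3]=' "$conf" && findings="$findings WEP_KEY_CONFIGURED"
    grep -Eq '^wpa=2$' "$conf" || findings="$findings WPA2_NOT_ENABLED"
    # TKIP is the legacy WPA cipher; only CCMP (AES) should be allowed.
    grep -Eq '^(rsn_pairwise|wpa_pairwise)=.*TKIP' "$conf" && findings="$findings TKIP_ALLOWED"
    # hostapd accepts 8-63 character passphrases; 12 is this script's floor.
    pass=$(sed -n 's/^wpa_passphrase=//p' "$conf" | head -n 1)
    [ -n "$pass" ] && [ "${#pass}" -lt 12 ] && findings="$findings SHORT_PASSPHRASE"
    # Item 21: a guest SSID needs client isolation, and its own bridge so the
    # firewall can limit that segment to Internet-only traffic (the firewall
    # rules themselves live outside this file).
    grep -Eq '^ap_isolate=1$' "$conf" || findings="$findings NO_CLIENT_ISOLATION"
    grep -Eq '^bridge=' "$conf" || findings="$findings NO_SEPARATE_BRIDGE"
    if [ -n "$findings" ]; then
        printf '%s\n' "${findings# }" | tr ' ' '\n'
        return 1
    fi
    return 0
}

# Constructed samples: a guest SSID as often found (WEP, no isolation) and
# the same SSID corrected. Prints the directory holding both files.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'interface=wlan0' 'ssid=Office-Guest' \
        'wep_default_key=0' 'wep_key0=0102030405' > "$dir/weak.conf"
    printf '%s\n' 'interface=wlan0' 'bridge=br-guest' 'ssid=Office-Guest' \
        'wpa=2' 'wpa_key_mgmt=WPA-PSK' 'rsn_pairwise=CCMP' \
        'wpa_passphrase=sample-only-change-me-4Qx9' 'ap_isolate=1' \
        > "$dir/hardened.conf"
    echo "$dir"
}

samples=$(make_samples)
for name in weak hardened; do
    echo "== $name.conf"
    audit_hostapd_conf "$samples/$name.conf" && echo "PASS"
done
rm -rf "$samples"
```

Run it against your own access point's hostapd.conf by calling audit_hostapd_conf with that path; a non-zero exit status means at least one finding was printed.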
22) Can a Visitor Enter the Building Without Passing Through a Controlled Door?

An unlocked door should have some form of entry control, be it a receptionist (at a minimum), or badge or key access required beyond the lobby (preferred). Years ago, a law office where my mom was employed was robbed using a simple tactic. One thief distracted the receptionist, and the other went through an open door, took items of value, and left unseen. Sadly, this approach is still common today.

23) Are Cameras Used in Key Areas?

Cameras are an inexpensive approach to monitoring your doors and other key areas. They can be useful in preventing intrusions, and allow you to get details on an incident that occurred. They are somewhat unique, in that they function as deterrent, preventative, and detective controls, all at the same time. Quite a bargain!

24) Is an Intrusion Alarm System in Place, Using Unique Codes?

This seems obvious, but it is overlooked by more organizations than you might guess. In many cases, those who have one use a common code for everyone. Unless you are religious about changing the code when someone leaves, you are at risk. Systems with unique codes usually cost little, if anything, more than a regular alarm system. Invest in such a system, and remove individual codes as soon as an employee leaves. This also allows you to use a unique code for cleaning personnel and other contractors.

25) Are Confidential Documents Shredded Appropriately?

Your organization needs to have a policy in place defining which documents are confidential and must be disposed of appropriately. Such documents must be shredded. At a minimum, a cross-cut shredder is required, as a regular shredder does not sufficiently destroy documents. We recommend a shredding company that destroys documents while at your site. Some years ago, a major Atlanta-based document destruction company with a state contract to destroy driver's licenses was found to be "losing" licenses on their way back to the shredding facility. If you watch your documents being destroyed, there is no such danger. The National Association for Information Destruction (NAID) is a good resource for finding a vendor. They have a certification program for destruction vendors, requiring that they meet certain standards. [25]

Risk Management

This category involves efforts to keep your organization operating, and to restore operations in the case of an event. This is likely the most overlooked category for SMOs.

26) Are Regular Backups Performed?

Backing up servers (local and cloud-based), PCs, and any other devices with important company data is essential to being able to recover from a device failure, fire, etc. Many organizations fail to address this requirement for servers, let alone PCs and mobile devices.

27) Are Backups Stored Offsite?

For backups made via magnetic tape, CD/DVD, or removable disk, it is important that they be stored outside of the primary facility. If they remain onsite and the primary facility is damaged or destroyed, you risk losing both your systems and the backups. This can be as simple as an organization official taking them home, or can involve a service that stores your media at a protected site. If they are taken home, we recommend this be done by a company executive, and not an IT staff member. Depending on your particular situation, cloud-based backup services can be a good option, since they solve the offsite storage problem by default. They do add some data security exposures, so careful vendor selection is important.

28) Are Backups Regularly Tested?

Unfortunately, ignorance is not bliss in the risk management world. You may think your backups are fine, when in fact they may be unusable.
This is particularly true for those still using magnetic tape as a backup medium, because such media have a definite shelf life. The lifespan of a magnetic tape is significantly impacted by handling and environmental conditions. If you continue to use this medium, we recommend that you review the Council on Library and Information Resources guidelines for care and handling. [26] It is important to regularly attempt a file restore from whatever media or service is used.

29) Does a Bring Your Own Device (BYOD) Policy Exist?

With the widespread presence of smart phones and tablets, employees in many cases use their personal devices to perform activities on behalf of the organization. This can be an advantage, as it can make the employee more efficient, and extend their work hours. The use of such devices poses significant risks, however, particularly if such devices hold confidential data or passwords, or are used to connect to company systems. As an example of the exposure, IBM in a recent study [27] found that over 60% of Android dating apps were vulnerable to cyber attack, and 50% of enterprises reviewed had such apps on employee devices, co-existing with confidential company data. It is important that you define for employees what they can and cannot do in terms of using their devices for company work, requiring anti-malware software, data encryption, etc. The use of a mobile device containing company information on a public network is a significant and growing threat. Most mobile users access a public network regularly, and their devices often connect to such a network without them even realizing it. These networks are easily spoofed and compromised by people with readily available hardware and software. [28] Your policy needs to fully address this risk. As with the Security Policy, free BYOD templates are readily available. One example is published by the Society for Human Resource Management. [29]

30) Does a Disaster Recovery Plan Exist?

Few SMOs have done any significant disaster recovery planning.
It is important, however, for any organization, regardless of size, to do some planning about how they would respond to a disaster, such as a building fire or flood, loss of a key server, phone system failure, data breach, etc. This does not have to be highly formal, but needs to be defined and documented in some fashion before it happens. [30][31] As an example, many organizations now use cloud-based systems almost exclusively. In these instances, an Internet failure is a potentially crippling event, which must be accounted for. Internet redundancy is practical, and needs to be strongly considered in these instances.

In Summary

Organizational exposures are often overlooked, and frequently at the bottom of the list for resolution. The intent of this white paper is to highlight these exposures, demonstrate the risks related to a failure to address them, and provide summary guidance on how to address them. It is impossible in a short document to completely cover this complex topic. Instead, our goal has been to discuss those exposures that are common, critical, and reasonably easy to address. It is our belief and experience that such issues can be addressed and resolved by personnel within an SMO, with a bit of focus and effort. There are numerous exposures, however, that cannot be covered in this document, many of which are unique to particular industries and organizations. As such, once the potential exposures in this white paper are addressed, we recommend that a professional be used to evaluate potential additional exposures, and recommend approaches to remediate any found. Additionally, while you may be completely satisfied with your current IT personnel or service provider, we recommend against having them conduct such an analysis. It is generally difficult for such people to be completely objective in evaluating the systems and policies they themselves maintain. We welcome your comments and suggestions.
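Item 28 above asks whether backups are regularly tested, and the text recommends regularly attempting a file restore. The script below is an added example, not part of the white paper, of what such a restore test looks like on a Linux server: it backs up a constructed sample directory with tar, restores the archive somewhere else, compares every restored file's SHA-256 hash against a manifest recorded before the backup, and then shows that a truncated archive (standing in for a damaged tape) is caught. The sample data, file names and paths are constructed; GNU tar and sha256sum are assumed.

```shell
#!/bin/sh
# Added example (not from the white paper): a restore test for item 28.
# A backup is only proven usable by restoring it somewhere else and
# comparing the result with the original, which this script does with a
# SHA-256 manifest. Sample data and paths are constructed; substitute your
# own backup set and archive when adapting it. Assumes GNU tar/coreutils.

# Write "hash  ./relative-path" for every regular file under $1, sorted.
manifest() {
    (cd "$1" && find . -type f | sort | while read -r f; do
        sha256sum "$f"
    done)
}

# Restore archive $1 into a scratch directory and compare it with the
# manifest in $2. Returns 0 when every file restores byte-for-byte, 1
# when the archive is unreadable or any file is missing or altered.
verify_restore() {
    archive="$1"; expected="$2"
    scratch=$(mktemp -d)
    rc=1
    if ! tar -xf "$archive" -C "$scratch"; then
        echo "RESTORE_FAILED: archive unreadable"
    else
        manifest "$scratch" > "$scratch.manifest"
        # diff prints any missing, extra or changed file, so the operator
        # sees exactly what the backup would have lost.
        diff "$expected" "$scratch.manifest" && rc=0
        rm -f "$scratch.manifest"
    fi
    rm -rf "$scratch"
    return $rc
}

# Constructed sample data standing in for a small file server, backed up
# with tar after recording the manifest. Prints the working directory.
make_sample_backup() {
    work=$(mktemp -d)
    mkdir -p "$work/data/accounting"
    printf 'invoice 1001 sample\n' > "$work/data/accounting/inv1001.txt"
    printf 'client list sample\n' > "$work/data/clients.txt"
    manifest "$work/data" > "$work/before.manifest"
    tar -cf "$work/backup.tar" -C "$work/data" .
    echo "$work"
}

work=$(make_sample_backup)
verify_restore "$work/backup.tar" "$work/before.manifest" && echo "backup restores OK"
# A truncated copy stands in for a damaged tape: the test must fail.
head -c 1024 "$work/backup.tar" > "$work/damaged.tar"
verify_restore "$work/damaged.tar" "$work/before.manifest" || echo "damaged backup detected"
rm -rf "$work"
```

Scheduling verify_restore against the newest archive and a manifest of the source data, and alerting on a non-zero exit, turns the one-off check into the regular test the item asks for.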
About togoCIO

togoCIO represents over 30 years of IT, risk management, and security experience, primarily focused on the SMO world. Small businesses and organizations are at a major disadvantage in today's business world. Technology is critical to success, and grows increasingly complex every day. At the same time, such organizations rarely have access to the experienced staff needed to help them make good and cost-effective technology decisions. Our vision is to help such organizations achieve a high standard of technology operations, including:

• A secure network, with properly protected customer data and intellectual property
• An efficient operation, with the best possible combination of hardware and software products, backed up by documented procedures
• A low risk organization, prepared for a variety of challenges and risks
• A compliant organization, not only meeting regulatory requirements, but doing so in a documented fashion

Our services include:

• Technology Evaluation and Recommendations
• Fractional CIO and CISO Services
• Security and Compliance Evaluation, and Staff Security Training
• Policy and Procedure Development
• Disaster Recovery Planning
• Data Center Design and Construction Management
• Assistance with IT Staff Selection
• Asset Management
• Firewall and Intrusion Prevention, Deployment, and Monitoring

We work with your team or service provider to implement specific recommendations, or bring in one of our partners, as you prefer.
THANK YOU.

FOR MORE INFORMATION CONTACT:

Robert C. Covington
President
togoCIO
The Missing Piece to Your IT Puzzle
www.togocio.com
rcovington@togocio.com
678-341-3630 (voice)
678-907-9720 (cell)
678-261-0923 (fax)
Table of Authorities

1 PwC, "About the 2014 US State of Cybercrime Survey", June 2014, http://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/2014-us-state-of-cybercrime.pdf
2 Ponemon Institute, "2014 Cost of Cyber Crime Study: United States", Hewlett-Packard, October 9, 2014, https://ssl.www8.hp.com/us/en/ssl/leadgen/document_download.html?objid=4AA5-5208ENW
3 Pando.com, "Big companies like Target aren't the only ones leaving customer information vulnerable to thieves", January 22, 2015, http://pando.com/2015/01/22/big-companies-like-target-arent-the-only-ones-leaving-customer-information-vulnerable-to-thieves/
4 The Telegraph, "SMEs failing to guard against cyber attacks, Government warns", February 24, 2015, http://www.telegraph.co.uk/finance/businessclub/11430701/SMEs-failing-to-guard-against-cyber-attacks-Government-warns.html
5 Reuters, "Target agrees to pay $10 million to settle lawsuit from data breach", March 19, 2015, http://www.reuters.com/article/2015/03/19/us-target-settlement-idUSKBN0MF04K20150319
6 SecurityWeek, "Security, Know Thine Enemy", March 10, 2015, http://www.securityweek.com/security-know-thine-enemy
7 Tripwire, "Corporate Security Policies: Their Effect on Security, and the Real Reason to Have Them", March 18, 2015, http://www.tripwire.com/state-of-security/security-awareness/corporate-security-policies-their-effect-security/
8 Entrepreneur, http://www.entrepreneur.com/formnet/form/731
9 PC World, "Premera, Anthem data breaches linked by similar hacking tactics", March 17, 2015, http://www.pcworld.com/article/2898612/premera-anthem-data-breaches-linked-by-similar-hacking-tactics.html
10 Cranor, Lorrie, et al., "Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions", http://lorrie.cranor.org/pubs/pap1162-sheng.pdf
11 Sophos, http://www.sophos.com/en-us/security-news-trends/it-security-dos-and-donts.aspx
12 Okta, https://www.okta.com/
13 SplashData, "'Password' unseated by '123456' on SplashData's annual 'Worst Passwords' list", http://splashdata.com/press/worstpasswords2013.htm
14 welivesecurity, "Top 10 breaches of 2014 attacked 'old vulnerabilities', says HP", February 25, 2015, http://www.welivesecurity.com/2015/02/25/top-10-breaches-2014-attacked-old-vulnerabilities-says-hp/
15 Softpedia, "D-Link Patches Against Critical Remote Command and Code Execution Flaws", March 17, 2015, http://news.softpedia.com/news/D-Link-Patches-Against-Critical-Remote-Command-and-Code-Execution-Flaws-475976.shtml
16 ProfitBricks, "Top 47 Log Management Tools", May 19, 2014, https://blog.profitbricks.com/top-47-log-management-tools/
17 Loggly, https://www.loggly.com/
18 Microsoft, "BitLocker: How to deploy on Windows Server 2012", August 30, 2012, https://technet.microsoft.com/en-us/library/jj612864.aspx
19 Tom's Guide, "Expired Antivirus Protection Just as Bad as None", November 18, 2015, http://www.tomsguide.com/us/danger-stale-av-software,news-19928.html
20 Microsoft, http://windows.microsoft.com/en-us/windows/security-essentials-download
21 ManageEngine, https://www.manageengine.com/products/desktop-central/windows-patch-management.html
22 Dell KACE Express, http://www.kace.com/k1express
23 Covington, Robert, "Is Comcast Inviting the Public Into Your Home or Office?", September 24, 2014, http://www.togocio.com/#!Is-Comcast-Inviting-the-Public-Into-Your-Home-or-Office/c1eet/55BCE452-1A25-48B9-BB0F-E36FA149DCE5
24 Pentest-Tools, https://pentest-tools.com
25 National Association for Information Destruction (NAID), http://www.naidonline.org/nitl/en/
26 Council on Library and Information Resources, "How Can You Prevent Magnetic Tape from Degrading Prematurely?", June 1995, http://www.clir.org/pubs/reports/pub54/5premature_degrade.html
27 Security Intelligence, "A Perfect Match: Uniting Mobile Security With Your Employees' Use of Online Dating Apps", February 11, 2015, http://securityintelligence.com/datingapps/#.VQx7vU10xet
28 De Correspondent, "Maybe Better If You Don't Read This Story on Public WiFi", October 14, 2014, https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6?linkId=13028935
29 Society for Human Resource Management, http://www.shrm.org/templatestools/samples/policies/pages/bringyourowndevicepolicy.aspx
30 Covington, Robert, "Disaster Recovery for the SMB", December 30, 2014, http://www.togocio.com/#!Disaster-Recovery-for-the-SMB/c1eet/7FD1F3D6-E483-4747-A90D-EA785107CE5E
31 Covington, Robert, "Disaster Recovery for the SMB - 7 Steps to Better Sleep", January 6, 2015, http://www.togocio.com/#!Disaster-Recovery-for-the-SMB-7-Steps-to-Better-Sleep/c1eet/94B1DC7E-0735-4440-A6E7-13E9DD4054CA