Security Discussions You Need To Have in 2016
January 14, 2016
As security specialists, we all know that by 2020 there will be over 200 billion connected devices worldwide (McAfee Labs Report 2015). Given this level of interactivity, the cybersecurity space has experienced a surge over the past five years and shows no signs of slowing down. More endpoints, more threats, more technologies, more vulnerabilities, more complexity; more of everything.
As your trusted advisor in security, allow Herjavec Group to break through the clutter and focus your attention on the top cybersecurity-related discussions you should be having in 2016:
Ransomware is malicious software that allows hackers to access a company’s computers, encrypt information and then demand payment in order to decrypt it. Vulnerabilities are often exploited in third-party software including Microsoft Office, Adobe and various graphic files. McAfee Labs reported 58% growth year over year in ransomware in Q2 2015 (~4 million samples). We concur with McAfee Labs that there will be new variants in the ransomware families operating in this landscape and anticipate they will begin to target files found in the business environment. Herjavec Group does not advocate paying out or negotiating during a ransomware attack. It is recommended that all organizations have an asset backup strategy in the event they need to recover critical information and files. It is also important to patch third-party software as new releases become available to minimize the risk of a vulnerability.
How Are You Addressing Mobile Malware Vulnerabilities?
Multiple best-of-breed vendors have reported an uptick in mobile malware as part of their 2016 predictions reports. Herjavec Group is focusing on the prevalence of these issues across Android devices in particular. The attack surface is growing as more individuals and corporate customers are adopting Android technology. Unfortunately, in many instances, this operating system requires carrier updates in order to issue a new release. The lengthy lifecycle of each release provides ample opportunity for hackers to exploit existing vulnerabilities before the update occurs. To mitigate the risk, it is recommended that individuals ensure their mobile devices are up to date with the latest available operating systems. Organizations need to consider how they permit or push these updates to their employees. Note: you should only install software from verified sources, including Google or Amazon, and ensure all applications, including antivirus applications, are also verified.
Are You Moving to the Cloud?
We recognize that moving assets and technologies to the cloud presents a scalable, cost-effective solution offering improved visibility and the opportunity for proactive analysis. Unfortunately, many organizations are challenged to advance cloud-based projects due to concerns over control, regulatory compliance and overall security. To manage risk, we recommend developing a benchmark to measure cloud application usage on a regular basis (e.g., track progress against risk targets, report cloud trust ratings quarterly, report new cloud services in use monthly). Herjavec Group offers various cloud consulting services including vulnerability assessments, web application testing and penetration tests. We also integrate, deliver and manage various cloud-based technologies, and have the ability to remediate in a cloud-based environment.
In addition, Herjavec Group can support the development of a Cloud Security Framework that would include elements such as:
a. The development of a cloud governance committee
b. Cloud security training program
c. Classification of data assets
d. Understanding appropriate levels of visibility, control and access
Spending on security technology is not sufficient, as many reports indicate that employees, not firewalls, are the number one threat vector today. Organizations must consider how they are protecting their employees’ endpoints when they leave the corporate environment for business travel or to return home. It is anticipated that home networks will become targeted as hackers attempt to infiltrate corporate data being worked on remotely. You must also evaluate what training and awareness programs you offer to ensure your employees are invested in the protection of your organization’s vital assets. Herjavec Group can provide an outline of appropriate educational materials for your team or help administer a cybersecurity awareness seminar for your organization.
It’s imperative that every organization develops and understands the following elements of its security framework:
- What happens when you hit the panic button (i.e., will it work? Who do you escalate to? What’s the disaster recovery plan?)
- How many risks are being taken to run tech operations (i.e., layers of security control; are all systems protected equally?)
- Where and what is your sensitive data (i.e., can you identify what has been lost in the event of a breach? Backup and recovery plans?)
If you’re unclear, we recommend following the ten-point plan below to ensure your team has fully evaluated its security incident preparedness.
The Ten Point Plan
- Don’t wait for a breach to get ready. The time is now to begin these discussions at all levels of your organization, including with the board.
- Understand your business, and what is critical, important, and meaningful. Document where those important things are stored, how they’re protected, and what the cost and impact is if they’re lost or stolen. Invest in protection to prevent unacceptable losses to the extent the business tolerates.
- Elevate the priority placed on Security Awareness internally and ensure that employees across all levels of your organization understand that it is their job to help support the company’s security posture (this will involve communication, training, etc.).
- Create policies, procedures and guidelines for handling information security incidents. Create practices for communication, involving your legal departments, staff, law enforcement and customers. Develop and document escalation and authority structures.
- Ensure you have visibility into the critical activity and behavior in your environment. Review how you are receiving and digesting this information, as well as which stakeholders within your organization receive, provide input on, or action the data.
- Make incident detection and analysis a core competency for your information security program. Find a balance for your program goals and spending between preventative, detective and corrective actions. Visibility into the data and events occurring on the network and within the data repositories is critical. Preventative controls can and will fail.
- Develop and understand your capacity for response. Hire, contract or allocate resources that are trained, and have the necessary tools and experience in incident response. Most organizations will be able to develop the capacity to handle and recover from minor incidents. Develop a plan and process to understand and react to extended incidents, or major incidents that exceed the skill level and capacity of internal staff.
- Practice and learn. Even if you are having regular “live-fire” incidents, review your plan yearly and do simulations to create a continuous improvement cycle.
- Leverage expert advice and guidance. In addition to advice from a trusted security advisor, you can learn a lot from SANS Institute IR training or by reading resources like “NIST SP 800-61rev2”.
- Talk early, meaningfully and often, with your executives, with company staff and with contractors about your program’s readiness, your plans for improvement and your capacity for response. While discovering a security incident might be unwelcome, it shouldn’t be a surprise.
We welcome the opportunity to engage with you, your IT teams and your boards to table these discussion points further.
Here is to a prosperous, safe, and successful 2016.