
Page 1: INFORMATION SECURITY MISTAKES YOU DON’T WANT TO MAKE · 2016. 8. 12. · of our vehicles and at our fingertips each time we use a mobile device. With innovation comes an increased

PRESENTED BY

INFORMATION SECURITY MISTAKES YOU DON’T WANT TO MAKE


Information Security Mistakes You Don't Want to Make

With growing security threats affecting global organizations and personal privacy, cyber security is essential in protecting sensitive information, the infrastructure of our economy and our national security.

Moving forward, businesses of all sizes and in all industries will be expected to increase security efforts to address challenges with new technologies that are changing the landscape of human interaction and business operations.

Digital Defense, Inc. (DDI), a leader in information security risk assessments, awareness education and Decisive Security Intelligence is on a mission to help organizations mitigate risk.

In an effort to help businesses build a culture of security, we offer “The Dirty Dozen”, the top 12 information security mistakes commonly made, along with expert insight and recommendations on how to bolster security.

LACK OF EXECUTIVE SUPPORT

For a security strategy to be effective, it is imperative that support comes from the highest levels. This executive adoption helps mitigate delays and leads employees by example, demonstrating a corporate-wide initiative to improve security. Lack of executive support also challenges many IT teams when trying to gain approval for the allocation of budget for security initiatives. Unfortunately, these same budgets are often approved only after a breach has occurred.

As a strategy for requesting needed resources, DDI sees success in gaining support when the cost of a breach specific to the organization is presented as part of the budget package. Demonstrating the devastating consequences of a very real threat will help gain the executive support that is crucial to an effective security program. As an example, according to the Ponemon Institute 2014 report, the cost of a data breach per record in the United States is $201.00.

Extrapolate that dollar figure by the number of records often lost during a breach and it’s easy to see how quickly the cost of a breach can far exceed most budgets.

Examples:

250 Records = $50,250

500 Records = $100,500

1000 Records = $201,000

1M Records = $201M

ASSUMING ANNUAL TESTING IS ENOUGH

It’s that time of year: time to check that box and report to upper management that the annual penetration test and network vulnerability scan have been completed. If this sounds like your organization, you may be in jeopardy of a breach.

Just as early detection is important to the health of our bodies, it is just as important to the well-being of an organization’s network security. Developing healthy habits such as exercise, sound nutrition and regular check-ups takes diligence, and managing a corporate information network requires the same. To improve security, it is imperative that regular assessments be conducted throughout the year to address any new vulnerabilities that could threaten the ongoing operations of an organization. Penetration testing of critical networks and systems is also recommended; the frequency will depend on the amount of change introduced throughout the course of a year, and the results may be helpful in gaining executive management support by demonstrating how assets can be compromised by unauthorized parties.

PLAYING DUNGEONS & DRAGONS AND CALLING IT SECURITY

Today, risks are real. Leave the role playing to the gamers. Archaic security practices are for the misguided. Gone are the days of thinking that you can hide your treasure in the dungeon, secure the perimeter with a moat and a fire-breathing dragon, and assume that the warlocks and thieves are unable to get into the castle that is your network. You could have a knight in shining armor guarding every external entrance, but today’s war is waged in a new realm and the bad guys are getting very good at jumping the moat and scaling the castle walls.

Criminals, the aggressors in cyber warfare, are not often challenged by your perimeter defenses and easily find entry points to your secret passages and eventually your treasure chest of sensitive information.

If you are a company that is investing resources solely in firewall and external network scanning, you may have a false sense of security and be overlooking the internal safety of your castle.

As you consider how to further shield your information, we encourage you to invest in internal as well as external vulnerability scanning practices so that you can fully understand the security posture of your computing networks and be able to make more informed decisions on how best to invest in security mechanisms (e.g. firewalls) to protect your information valuables.

OVERLOOKING THE HUMAN ELEMENT

Businesses often spend thousands of dollars on network security, only to have company credentials provided over the phone by an employee to a malicious attacker.

Today’s data protection technology has advanced, making it more difficult for hackers to ‘get in’, but human nature and a person’s willingness to be helpful have not changed. Social engineers are choosing to work smarter, not harder, and are using the element of basic human trust to their advantage to get to the information they seek.

Employees are the first line of defense when it comes to protecting sensitive information and are often the first place attackers go. To combat these attacks, employees must be equipped through security awareness training to recognize an attempted attack and fight back.

INVESTING IN TOOLS

There are effective tools in the marketplace created to evaluate your network for vulnerabilities. If you desire a Do-It-Yourself (DIY) approach, then these tools could be a good fit for your organization. However, no matter how effective the tool is at detecting risks, if it is not fully utilized it can be a costly and ineffective investment. Unfortunately, many companies find out too late that the tools are difficult to deploy and require skilled resources for implementation, training and ongoing device management. Individuals responsible for managing the assessment system must oversee installation, testing, technology updates, cloud application evaluation, policies, permissions, traffic monitoring of IPS perimeter defenses and, most importantly, understanding the output to prioritize vulnerabilities. This can be a maddening process, overwhelming the most skilled IT individual to the point of ‘information overload’ and paralyzing the process. When this happens, a very expensive tool is left to collect dust and the business is left at risk.

Top 5 Reasons Why Scanning Tools Tend to Collect Dust

1. Difficult to implement

2. Requires ongoing maintenance by a trained tool specialist

3. Product capabilities may not be fully utilized

4. Added charges for customer service and support when needed

5. External tools may be required to manage the data

ASSUMING COMPLIANCE EQUATES TO SECURITY

Many companies faced with a breach often have difficulty fully understanding the incident, asking the question, “How could this happen? We passed compliance requirements/audit.”

It is important to appreciate the benefits of compliance-based reviews such as SOX, HIPAA, HITECH, PCI-DSS and others, while also understanding that compliance does not equate to security. Some compliance requirements are broad in nature and can be left open to interpretation by the organization, auditor or compliance officer performing the review. We encourage businesses to go beyond compliance by implementing frequent scanning and effective security training and awareness programs to help build a culture of security to identify and eliminate risk.

APATHY AND INDIFFERENCE

A common mistake made by understaffed and overwhelmed organizations is security apathy and indifference. The leadership at these organizations makes the case that, if the bad guys want in, they will find a way and there is nothing that can be done to stop them. This type of apathy provides a prime target for a cyber-criminal looking to gain access to customer data. Although there is no silver bullet solution when it comes to security, there are very cost- and labor-effective security solutions that can be implemented. With adequate resources and a proactive approach, the chance of a breach can be mitigated.

EMBRACING TECHNOLOGY WITHOUT SECURITY SAVVY

Technology is everywhere. It is in the hands of our doctors, the dashboards of our vehicles and at our fingertips each time we use a mobile device. With innovation comes an increased security risk: the pacemaker that was hacked, the cloud-based home media system that served as an open vector for an attack, the engine control takeover from the tire-monitoring system. Security risks are everywhere.

Balancing the security priorities of an organization without hindering flexibility, convenience and agility can be an awkward dance. New technologies and advancements are awe-inspiring but can be dangerous if not properly deployed and monitored with security-minded intelligence. As innovation evolves, the security infrastructure must adapt to support business while minimizing risk. Organizations must be at the forefront of identifying new technology and should implement a risk/reward analysis as to what is truly required for the organization to conduct business at the highest levels of efficiency and security.

HAVING AN ‘IT CAN’T HAPPEN TO ME’ MENTALITY

Many companies have read the headlines and understand that security is a concern but may not view their organization as a potential target. To a cyber criminal, the industry or size of the business no longer matters. All organizations are a target.

Whether a business has 20 or 20,000 employees, it’s imperative that a proactive approach to security be taken. There is no one silver bullet. Organizations must proactively build a culture of security to most effectively mitigate risk.

Today’s information security threats demand constant vigilance. Hackers, misinformed employees and lax security – any of these can put your critical business operations, profits and reputation at risk. In essence, organizations must defend through regular security risk assessments and awareness education to ensure both networks and staff are secure.

ROGUE B.Y.O.D. POLICIES

Most organizations understand the benefits of personal devices in the workplace, as well as the security challenges associated with that convenience. Businesses of all sizes and industries often make the mistake of not implementing policies that work.

Companies that are winning the battle are those that take action by:

• Identifying users and privacy rights for monitoring usage

• Clearly defining who owns the data on a device

• Educating users on the benefits of complex passwords, PINs and data encryption

• Restricting access to apps

• Creating a help desk devoted to mobile devices to assist employees and to monitor and manage data flow

• Defining the consequences of corporate policy violation

• Investing in employee education

• Defining what devices will be supported by the organization

POOR VENDOR DUE DILIGENCE

Many organizations do background checks on employees but fail to do a comprehensive review of outside third party organizations that have the potential for significant harm. Risks associated with vendors can vary, but all have the potential to bring about financial and reputational harm through error, data loss, breach of contract or confidentiality and more. Business leaders should perform due diligence on potential vendors to better understand backgrounds, performance history and risk management practices. Vendor due diligence should not be an annual audit. Organizations that hope to mitigate risk should conduct ongoing background checks on third party vendors just as they might on new employees. In addition to proper screening, organizations should ensure that their supplier contracts include the appropriate control language requiring their suppliers to institute regular security testing and an ongoing commitment to keeping sensitive data protected.

POOR PHYSICAL SECURITY

Physical security is the protection of personnel, hardware, programs, networks and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism and terrorism. Having strong physical security does not require a great deal of technical knowledge and can be one of the most impactful areas within an organization’s security strategy.

Your Site Could Be a Security Risk

• Do windows have glass break sensors?

• Are physical network access points/jacks secured to prevent an intruder from simply connecting their own device to the network?

• Is a valid proof of identification, such as a driver’s license, required with a guest sign-in?

• Is there camera coverage of facility dumpsters/waste bins?

• Can badges easily be counterfeited by a social engineer?

DEFEND & PROTECT: SECURITY PRACTICES TO HELP MITIGATE RISK

Be friendly, but cautious. A social engineer preys on a person’s willingness to help others.

Be suspicious of emails asking you to “verify” your account.

Be leery of website addresses with misspelled words.

Type the website address into your browser to view vs. clicking on a link shared via social media or email.

Get to know your co-workers and clients and beware of impersonators.

Remember, social engineers use social media sites to gain inside knowledge. Be careful what you post online about your work practices.

“Out of office” messages can be used for reconnaissance. Limit what you disclose.

Be suspicious of unsolicited phone calls asking about employees or other internal information.

Avoid completing online forms that ask for personal information unless necessary as part of your work function.

Be wary of alarmist email messages with urgent requests.

Know where your data resides. Understand your landscape and where data goes if/when you terminate service or when a provider is no longer in business.

Backup your data and have a data retention policy in place to purge unnecessary data.

Consider services like managed firewalls, antivirus and intrusion solutions.

Test, test, test the security of cloud-based solutions through vulnerability scanning and ethical hacking.

Improve password security at all levels of the organization.

Consider a two-level authentication technique for password security.

Embrace encryption to limit the damage resulting from lost laptops and mobile devices.

An effective firewall is a sound solution to preventing unauthorized access.

Always select service providers that have security top of mind.

Use VPNs or encrypted mobile device management systems for network connections by portable devices.

Develop strict security policies for users.

Have policies in place instructing users to delete sensitive voicemail messages after listening to them.

Apply strong passwords to access the voicemail inbox functionality.

Have a data destruction policy in place that outlines how to properly discard data that is no longer needed.

Don’t assume that your business is not considered a target.

Embrace employee security awareness training.

Shred sensitive data on a consistent basis.

Conduct background checks on third party vendors just as you would on new employees.

Confirm that the organization’s trash is handled by a trusted service provider.

Encrypt all laptops that could be storing corporate data.

Implement a strict use policy for the handling of USB drives and portable media.

Closely monitor social networks for themes or hostile comments about your company or industry.


DIGITAL DEFENSE CAN HELP

Assessments + Education + Decisive Security Intelligence

Digital Defense, Inc. (DDI) is helping companies fight back by reducing vulnerabilities to cybercrime and other types of information security breaches with a unique combination of comprehensive assessment capabilities, employee education and Decisive Security Intelligence.

If you are an organization working hard to mitigate risks and avoid common security mistakes and would benefit from a third party perspective and industry expert support, contact us today and let us help you build a culture of security!

• Managed SaaS Solutions

• Security Risk Assessments

• Security Awareness Education

• Decisive Security Intelligence

REFERENCES & RESOURCES

http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/

http://www.darkreading.com/management/top-10-reasons-security-products-dont-wo/208804015

http://www.seventhman.com/byod-policy-practical-tips-for-small-business-owners

9000 Tesoro Drive, Suite 100, San Antonio, Texas · [email protected]