How Do You Define Success for a Cyber Security Team?

Is it risk reduction? Training employees? Fighting back against targeted attacks?

The easy answer to this question is to build a comprehensive and mature Security Program. The difficult part is identifying every critical component that makes this a success. Remembering that any security program is only as strong as its weakest link, you must build layers of security that act as both active barriers and safety nets that complement each other. Five of these components are listed below:

  1. Executive Support – All programs are doomed to fail without the full support and financial backing at the highest level. Be sure to define and clearly explain what is considered to be Best Practice and how this directly affects the business.
  2. Experience – While training and security awareness is valuable, there is no substitute for experience. Bring in at least one expert who has real hands on experience to guide and mentor the team.
  3. Plan – Build a detailed three-year plan. Use this for communication, financial and project planning, but most importantly, this can help you measure progress and eventual “success.”
  4. Align to a Security Framework – Choose between one of the leading frameworks such as ISO, NIST, or equivalent. These frameworks not only define specific controls that must be in place for any program, but also help to measure the effectiveness of your program.
  5. Test – Now that you have the core security components in place, have the network layer scanned, as well as the application layer with both static and dynamic scans. This is not a one-time event, as new vulnerabilities are created and altered every single day. Again, this is an excellent measure of success that can be used to provide specific evidence for the executive team, which in turn will be needed to maintain and enhance your successful cyber security program.

The data security threat is complex and constantly changing

by Adam Muspratt, content editor, CX Network, August 16, 2018

Adam Muspratt, content editor for CX Network, interviewed several experts in cyber security. In this report Muspratt delves into data security and discusses how complex the threat is and the fact that it is constantly changing.

Data security in customer experience: Are CX teams cyber-aware?

Going into 2019 and beyond, data security will continue to be a major source of investment across all industries and sectors. The many high profile data breaches throughout 2017-18 – and the customer backlash that followed – have served as a constant reminder that cyber security is something that customer experience (CX) teams must take into consideration.

Jonathan Gossels, CEO, SystemExperts, stated, “There are really two questions we have to consider going into the future where customers are increasingly willing to take extra measures to know that their transactions are secure:

  1. What are the major brands doing to ensure that they are operationally cyber secure?
  2. What level of transparency/impact are they willing to impose on their customers?”


Business Continuity Plans and Disaster Recovery Plans (Part 2)

Comprehensive business continuity and disaster recovery plans are must-haves for companies of all sizes that are dependent on their systems to run their businesses. In Part 2 on this topic, I discuss factors that have to be considered when building a plan.

Preparing for a disaster can be a daunting task, involving many factors. A company will have to first identify events that will impact the continued business operations — essentially, any time there is a loss of staff, systems, facilities, or third party service providers. Some staff, systems, facilities, or third party service providers are more critical than others, so that will have to be factored into the process, along with event likelihood — for instance, a snowstorm in Florida is not very likely.

Another factor is the timing of the event and how long it will be until the loss becomes impactful. The loss of the email system may not be impactful if it is lost for an hour, but it would be extremely impactful if lost for a week.

Once this Business Impact Analysis (BIA) is completed, the company will have a firm understanding of critical business functions, optimal staff levels, critical systems, service providers, and critical facilities. The company will also have an understanding of how long it will be before the disaster is impactful to the business. With that knowledge, the company will be able to strategize how best to be prepared for these events, which could include:

  • Cross-training staff so that people from other departments could help the impacted department
  • Having manual processes available to address the loss of automated processes
  • Having redundant systems in place that could be activated quickly if there was a loss of a primary system
  • Having backup power generators or redundant Internet

What steps go into creating a recovery plan?

Since the Business Continuity Plan (BCP) and the Disaster Recovery Plan (DRP) are potentially going to be used by a number of different departments with varying skill sets, the first step should be to design, plan, and document a Business Continuity Management (BCM) process. The process should include the following:

  • Set up an internal BCM organization, to ensure that there is representation from each facility, for each system, and from each department
  • Complete the BIA process, to ensure that there is an up-to-date understanding of what is critical to the business and what redundancy must be in place. This process should occur at least annually
  • Develop and review the BCP, to ensure that the content of the plan is standardized and contains the level of detail needed for individuals of any skill level to accomplish their task
  • Develop and review the DRP, to ensure that the content of the plan meets the needs of the IT and Facilities personnel, and any other stakeholders
  • Maintain the plans, to ensure that they are updated whenever there are significant changes to the organization (e.g., organizational changes, system changes, facility changes). These plans should be reviewed and updated at least annually
  • Test all processes, to ensure that evacuation plans, system failovers, and alternate work procedures actually work effectively. A variety of tests should be conducted over the course of a given year

How should it be constructed?

The Business Continuity Plan should include the following:

  • How a disaster is declared and by whom
  • How Staff Communications will occur (alerting staff that a disaster has occurred)
  • Which Staff are critical versus secondary
  • Where staff should report if the disaster impacts the facility
  • The procedures on how to prioritize and conduct business during a number of different disaster scenarios
  • The procedures on how staff will recover from manual processes, performed during the disaster, once the disaster is over

The Disaster Recovery Plan (DRP) should include the following:

  • Criteria and responsibilities associated with declaring a disaster
  • Procedures on how IT system interaction will occur during a disaster
  • Procedures on how to re-construct the IT infrastructure and any lost facilities
  • Procedures on how the IT infrastructure is to be operated after a loss of a service provider

When and how should employees be trained on the plan?

Training on the plans can generally be accomplished by testing the different aspects and processes contained within. For example:

  • Most companies perform evacuation drills at least annually to ensure that staff know how to leave the building safely and where to go for a headcount
  • Companies often create a testing schedule to evaluate how well-written their plans are and to determine whether the organization can indeed failover to backup processes and systems within a defined timeframe

Business Continuity Plans and Disaster Recovery Plans (Part 1)

Comprehensive business continuity and disaster recovery plans are must-haves for companies of all sizes that are dependent on their systems to run their businesses.

The definition of a disaster is anything that can impact the continuation of business operations. Most people think disasters would just include major weather events (snowstorms, hurricanes, floods, and tornadoes), fire, earthquakes, and war. However, there are so many other events that could impact the continuing operations of a business, including:

  • A plumbing leak that forces the employees to have to evacuate the business facility
  • A vendor that has a disaster and can no longer fully support the business
  • The death of a critical employee, without a succession plan
  • A sickness or pandemic that results in a percentage of the staff not being able to fully perform its business function

Companies should have a documented plan in place to address the following, based on the disaster:

  • How the business can continue to function at some less than optimal level during the disaster event
  • How the business can use alternative work locations to continue operations during the disaster event
  • How the business can failover to backup systems to continue operations during the disaster event
  • How the business can recover data and restore all operations back to normal, once the disaster event has passed

What is the difference between a business continuity plan and a disaster recovery plan?

A Business Continuity Plan (BCP) defines how the business functions will operate during the disaster event. It will also include plans on how to protect the staff, such as evacuation plans or hide-in-place strategies. Its focus is on people and process. A company, based on size and complexity, could have one BCP, or they could have a plan for each department in the company.

A Disaster Recovery Plan (DRP) defines how the business will fail over to backup systems or will use backup facilities to continue operations. The DRP will also address how to recover from the disaster, such as rebuilding replacement systems and facilities. A company, based on size and complexity, could have one DRP, or it could have a plan for each facility and each IT system.

Why does a business need one?

A business should always be prepared to handle events that impact the business. Consider the following:

  • Is there an evacuation plan? Do all employees know how to evacuate the facility and where their outdoor meeting point is for a proper headcount ensuring that everyone got out safely?
  • Is there a plan on how work will be conducted/prioritized if 50% of the accounts receivable department are out sick for the day/week?
  • Is there a plan on how work will be conducted if there was a loss of the Internet, phone service, or the electrical power?

In my next blog post I will discuss factors that have to be considered when building a plan.

Q&A On Reconstructing Data After a Disaster

I was recently asked about best practices for a business to reconstruct its data after a disaster by John Edwards, TechTarget. John included my tip noting that once a disaster involving data loss is identified, you must act fast to preserve your environment to prevent further damage, and to protect the archived data itself. Here are some additional tips for reconstructing data after a disaster:

1. What’s the best way for a business to reconstruct its data after a disaster?

When a disaster involves data loss, it is often difficult to be sure of what data was destroyed or corrupted, unless of course there is complete data loss or an incident involving ransomware or encryption. For that reason, it is often best to conduct a complete restore of the affected device or server using an image.

2. How should the process be handled if the data is stored on various platforms?

The process should not vary greatly based on the platform alone; however, the restore options will vary slightly.

3. How can reconstructed data be verified for accuracy?

Assuming technical solutions to verify accuracy, such as checksums, are not available, the best method to verify accuracy is the manual comparison of the restored data against the transaction logs.

4. What steps should be taken if some critical data is missing?

During any restore process, it is very likely that some amount of data will be lost. This can be minimized by near real-time replication. However, no method will ensure complete restoration of data in all situations. Gaps in data must be recreated using the transaction logs noted above.

5. What are the biggest mistakes businesses make while reconstructing data?

It would be a mistake to assume that file-level restores will correct an incident. For example, during a virus attack, it may appear that the target was a single file, folder, or user. In reality, the target may be much bigger, and a seed may have been embedded to inflict widespread damage during a timed event. Many times, the only way to rid the network of all damage is to image restore back to a specific date and time prior to the incident.

6. Do you have anything else you would like to add?

Redundant and geographically dispersed backups provide many benefits and options. Having the ability to file-level restore or image restore provides great flexibility, while also providing a second copy of the data if backup data is also affected by the disaster.

Five data recovery planning steps to protect vital assets

by John Edwards, technology writer, TechTarget, July 19, 2018

Accurately restoring lost data after disaster strikes requires planning, patience and logic. If your goal is a smooth recovery process, here’s what you’ll need to know beforehand.

Disaster can strike any data center on any day. Money, time and effort enable physical IT assets to be fully restored — often to states exceeding predisaster levels. The same, however, is not always true for crucial data, which may be lost forever unless it has been properly retrieved from backups and carefully reconstructed.

Here are five things you should know about data recovery planning and post-disaster data reconstruction, before doomsday arrives.

Begin planning now

Data recovery planning and testing are the most important things any organization can do to prepare against data loss. “These days, disasters can include being hacked or having your data ransomed,” said Mike Orosz, senior director of threat services and technology transformation at Citrix. “If your data is already replicated and available in more than one place, that ‘disaster’ isn’t going to be the end of the world, because you’ve already planned for it.”

“Businesses should identify what their tolerance is for potential data loss and operational downtime by performing a business impact analysis,” said Tom Reynolds, director of technology solutions at Razor Technology, an IT managed services provider. Such an analysis will allow the organization to determine two key recovery metrics: the recovery point objective (RPO) and the recovery time objective (RTO). The RPO represents how much data the business can stand to lose, while the RTO indicates how long the business can be without functional systems during a recovery. “Once these metrics are determined, proper technologies can be put in place to ensure that the desired levels of recoverability can be achieved.”

Don’t hesitate

The data recovery process should start the moment a disaster is declared and confirmed. Tomas Honzak, director of security and compliance at data analytics specialist GoodData, noted that smart organizations have documented data recovery planning that outlines the steps that need to be taken during an emergency to protect vital assets, including data. The plan also establishes the decision criteria for assessing whether a situation is a disaster and designates the officer(s) who are authorized to make key decisions. “Otherwise, incident managers must reach out to the company’s executive team and obtain the authorization to move forward,” he noted.

Once the root cause of the data loss has been identified and chain of custody concerns are ruled out, it’s necessary to identify the incident’s scope and the exact data loss period, said Joe Kurfehs, senior consultant at SystemExperts, an IT security and compliance consulting firm. Inventory and take possession, if necessary, of the backup media. “Collect any available transaction logs to be used for the reconstruction and verification purposes,” Kurfehs said.

Check the data for integrity

Data integrity checks, along with restoration validity, should be performed on a routine basis for all backup data and media. “If there is truly a crisis-level event, the backup servers should be verified via an incident response team to ensure they were not touched, manipulated or harmed by an adversary in any way,” said Sean Mason, incident response director for Cisco Security Advisory Services.

“Test to make sure the replication of the data is complete,” Orosz said. “Gone is gone, so make sure you have the data backed up before you need it.”
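The Q&A above mentions checksums as the technical way to verify restored data, and this section recommends routine integrity checks on backup data. The following Python script is an added example, not code from SystemExperts or from the TechTarget article: it builds a SHA-256 manifest of a backup set at backup time, then checks a restored tree against that manifest and reports which files are intact, missing, altered, or unexpected. The file names and contents in `demo()` are constructed for the demonstration.

```python
"""Checksum manifest for verifying a restored backup set (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its digest.

    Run this at backup time and store the JSON alongside the backup, ideally
    on separate media, so a corrupted or tampered restore can be detected.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = file_digest(p)
    return manifest


def verify_restore(manifest: Dict[str, str], restored_root: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest captured at backup time."""
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "mismatch": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            result["missing"].append(rel)          # data lost in the restore
        elif file_digest(p) != expected:
            result["mismatch"].append(rel)         # altered or truncated content
        else:
            result["ok"].append(rel)
    for p in restored_root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(restored_root).as_posix()
            if rel not in manifest:
                result["unexpected"].append(rel)   # file not in the backup set
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: three files backed up; the restore has one altered,
    one missing, and one stray file. Returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restored"
        (src / "db").mkdir(parents=True)
        (dst / "db").mkdir(parents=True)

        # Constructed backup contents.
        (src / "db" / "orders.csv").write_bytes(b"order,amount\n1,10\n2,25\n")
        (src / "config.ini").write_bytes(b"[db]\nhost=db01\n")
        (src / "notes.txt").write_bytes(b"quarterly close checklist\n")

        # Manifest serialized as it would be stored next to the backup media.
        manifest_json = json.dumps(build_manifest(src), indent=2)

        # Simulated restore: orders intact, config altered, notes missing, stray extra.
        (dst / "db" / "orders.csv").write_bytes(b"order,amount\n1,10\n2,25\n")
        (dst / "config.ini").write_bytes(b"[db]\nhost=db02\n")
        (dst / "stray.tmp").write_bytes(b"leftover\n")

        return verify_restore(json.loads(manifest_json), dst)


if __name__ == "__main__":
    report = demo()
    for status, files in report.items():
        print(f"{status:10s} {files}")
```

A clean restore is one where `missing`, `mismatch`, and `unexpected` are all empty; anything in `missing` or `mismatch` marks a gap that has to be filled from transaction logs or other sources, as the Q&A describes.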

Expect to lose some data

During any restore process, it’s possible that some data won’t be recovered. Such damage can be minimized by adopting near-real-time replication as part of your data recovery planning. “However, no method will ensure complete restoration of data in all situations,” Kurfehs said. “Gaps in data must be recreated using transaction logs.”

Recovery teams should also reach out to affected business managers for assistance, Honzak said. “In some cases, there will be alternative sources of data — such as invoices sent out via email — that can be used to recreate the missing data manually or even semi-automatically via [optical character recognition] or the parsing of derived documents and files,” he explained. “If there is no way the data can be validated automatically, business [managers] must be made aware of all the missing or potentially incorrect records.”

Anticipate a much heavier than normal workload

When post-disaster data recovery planning involves hundreds, or perhaps even thousands, of machines, it’s unlikely that existing staff, using possibly limited resources, will be able to restore data in time to ensure business continuity.

“Proactive planning should take place to better understand the true impact and recovery time,” Mason said. “It is also imperative to [determine] how much work the recovery [project] needs by bringing in outside assistance to help manually restore the data.”

Three Cyber Security Tips for Small Businesses

There are three critical security controls that all small businesses should implement if they are just starting to address security. These are:

  1. Keep your systems up to date by applying all security updates
  2. Make sure you have daily backups of all critical data and be sure to test the ability to restore from the backups
  3. Users should not be local administrators on their computers; if that is not achievable, require the use of multi-factor authentication for all systems and applications

For small companies that have already addressed the above controls, take a look at Australia’s Essential Eight Maturity Model.

Data Protection and GDPR

Do you know how your data is being used?

The most important thing an individual can do to understand how their data is used is to limit the information they provide. People by nature desire to be helpful. They click and respond quickly without a thought. Stop and think before you click.

If all of the information is truly required, read the site’s Privacy Policy carefully. GDPR-compliant companies are now required to provide details of what they collect, the purpose, and the ability to “Opt Out.” When in doubt, you have the right to request that your personal information be purged from their systems.

How can you limit the amount of data social media companies collect about you?

Again, stop and think before you voluntarily provide any information. Is it truly necessary to disclose where you live, your sex, your eye color, your birthday, etc.? In most cases, absolutely not. If your goal is to limit the amount of your personal data on social media, make the decision up front to keep it private. The use of disposable email addresses and screen names is a great place to start.

Most GDPR coverage focuses on businesses and their restrictions, but what does it mean for the individual?

Individuals now have a choice of what they provide to a business and how it is used. Take advantage of the Privacy Policy disclosure and “Opt Out” options, as needed. GDPR is not a perfect solution, but the fines for non-compliance are steep. Your data is likely “safer” than it has ever been, since these companies can no longer freely and recklessly store and share your personal data.

Companies required to comply with GDPR are forced to implement controls that, in the past, were too expensive to consider. With new fines of up to 4 percent of annual worldwide turnover or 24 million dollars (whichever is greater), the cost of the risk is now far more than the cost of implementing the controls. This translates into greater protection for the users.

What should everyone know about GDPR?

Although GDPR was created for the protection of EU users only, the improvements that companies were forced to implement have a global benefit, since most controls protect the entire environment and not just EU-specific users.

The deadline for compliance is now upon us, but the controls and processes are not mature or effectively tested. It may be years before we learn the true benefits and effectiveness of the new protections that have been put in place.

Continue to be cautious with everything you choose to provide on the web or any form of media. GDPR is not a silver bullet.

What Questions Should an SMB Ask When Hiring Outside Cyber Security Help?

Choosing the right cyber security consultants for an SMB can feel intimidating, but it doesn’t have to be. You don’t have to know much about cyber security to ask the right hiring questions.

To make an informed decision, an SMB should ask about the consultant’s qualifications, track record, quality of work, breadth of technical services, payment model, and price. By gathering information about your candidates in these categories, you’ll be able to reach an informed decision about who to hire.

Qualifications: Good security starts with good people. You want smart, well-educated, experienced, and highly skilled consultants. A computer science degree, high-level professional certifications, and a track record of continuing education are good indicators. There are many trash certifications – don’t be fooled by the number of certifications.

Track Record: Here SMBs need to ask to review the client list and ask for specific reference accounts. Speak to the references and ask them questions such as:

  • What was the quality of the work?
  • How timely was the work performed?
  • Was it a one time project or an ongoing relationship?
  • What did you think of the skill level?
  • How responsive and communicative were they?
  • Would you use the consultants again?

Quality: Review the consultant’s written collateral – if you find spelling errors or poor grammar that is a red flag. Review a sample report carefully and assess the thoroughness of the methodology and the clarity of the presentation of the findings.

Breadth of Technical Services: Does the consultant offer the services the SMB needs? Does the consultant offer a specialized cyber security service or a portfolio of services?

Cultural Fit: Is the SMB looking for a one-time project or an ongoing relationship? Does the consultant charge by the hour or fixed price engagements?

Price: Don’t get hung up on the nominal professional fee – you get what you pay for. Usually the higher priced consultants can do the work faster and deliver better quality. In cyber security small mistakes or omissions can be big trouble; you don’t hire the cheapest surgeon.

Top Tips for World Password Day – May 4th

To commemorate World Password Day today, I thought I’d share my top tips for creating passwords. They are very basic, but if you follow these guidelines, you will have an added layer of protection for your digital information.

1. A password should not be a dictionary word.

2. A password should not be easily guessable (e.g. “go pats”).

3. A password should not be obviously personal (e.g. “JonG”).

4. A strong password should be at least eight characters long and contain a mix of letters – upper and lower case – numbers, and special characters (such as !, @, #, $, %, &). The purpose of the numbers and special characters is to thwart, or at least slow down, any dictionary-based attack tool.

5. No one should use the same password for business and personal life.

6. Change your passwords periodically.