Managing IT Risk (Part 2)

Third Party Risk Management

Following up on my prior post, Third Party Risk Management (4/9/18), I’d like to share my recommendations for monitoring and managing IT risk.

There are a number of Governance, Risk, and Compliance (GRC) tools available, ranging from the inexpensive to the extremely expensive. Small to medium size companies are generally not in a position to make good use of those tools. A small to medium size company should investigate and implement logging and monitoring tools, like a centralized Security Information and Event Management (SIEM) tool.

What is an emerging IT risk that is difficult to mitigate and what can you do about it?

Although not emerging per se, there are other security areas that should be addressed or improved. First, small to medium size companies generally do not have a well-defined process to continue operations during a disaster. The comment heard most often is “oh we would have our employees work from home if there was a disaster because we are an Internet-based company.” The issue is that long term loss of the Internet and/or electrical power is generally not planned for in business continuity. If a company has backup data centers outside the region impacted by a loss of Internet or electrical power, some portions of the operations will continue. But a small to medium size company should also define the activities that local staff will perform during the disaster.

How does IT risk management fit into the tech project management process?

Many small to medium size companies still do not get invited to be involved with “all” IT projects. Security gets invited to some, or at least to those where the project team thinks there may be a security impact. The proper mode of operation would be for security to be invited to participate in all IT projects and to determine the level of security involvement required for the life of each particular project. For example, if the marketing team wants to host a website, they may go out and contract with a web hosting provider without getting information security, or even the IT department, involved.

Managing IT Risk (Part 1)

Third Party Risk Management

Topping my list of information security risks for the coming year is third party risk management. Small to medium size companies do not have the workforce necessary to monitor the security posture of their technology service providers. To properly address the issue, a company will need to put the following in place and dedicate resources to ensure that the tasks are performed:

  • Establish a due diligence process to evaluate the security posture of proposed technology service providers, which can be evidenced (e.g., results from a security questionnaire, results from an onsite security audit)
  • Establish security requirements for the technology service providers, based on the services being provided, rather than making high level requirements like “the provider must be HIPAA compliant” or worse, “the provider must be compliant with all applicable laws and regulations”
  • Ensure that security requirements get included in contracts and ensure that security participates in the contract negotiation process
  • Establish a methodology to risk rank technology service providers (based on the services being provided) to establish a frequency to periodically re-validate the provider’s security posture
  • Establish a process to periodically (based on risk rank) review technology service providers to re-validate that they continue to provide their services in a secure manner
  • Establish a process to highlight, remediate, and track to completion any issues identified at the technology service providers
  • Establish a process to reclaim data at technology service providers if the contract needs to be terminated because of security reasons

End-to-end incident response would come in a close second, as most small to medium size company IT departments can identify and investigate incidents, but they generally don’t have well-defined processes for reporting the incidents/breaches to impacted individuals or the media.

Best Practices for Contracting with Cloud Service Vendors

I was recently asked about best practices for contracting with cloud service vendors – and thought this advice was worth sharing.

What is the best strategy if you decide to change vendors?

Always conduct a parallel transition. This keeps your data in place at your original vendor during the transition. It costs more, but it will protect your data in a worst-case scenario.

What is the process for removal of data after the conclusion of the contract?

Cloud providers offer different levels of access to data depending on the service purchased (e.g., SaaS, IaaS, or PaaS). With system-level access, data owners can use standard tools such as dd or shred. Otherwise, data owners will need to ask the cloud service provider to delete the data using its own tools. Requesting proof of deletion is also recommended.

Final Recommendations

The organization’s Business Continuity and Disaster Recovery plans are key here. It is important to review BC/DR plans prior to conducting a data migration from vendor to vendor. Upon review, consider allowing the technical staff to “wargame” the data migration with the revised BC/DR plan in hand, and then allow a follow-up revision to the BC/DR plan based on the outcomes of the wargame. This will ready your staff for the handoff process and prepare them to react if the worst happens.

Survey: Small construction companies lukewarm on tech investment

Construction DIVE, February 28, 2018

Dive Brief:

  • A recent customer survey from small business funding site Kabbage revealed that fewer than 35% of small construction companies planned to make investments at some level this year in technologies that could help their businesses and further bring them into the digital age.
  • More than 65% of contractors who responded to the study did not have a plan to invest in tools like big data solutions or mobile technologies, and the same percentage was either neutral, against or not likely to spend more than 20% on social media advertising.
  • Kabbage also found that even with well-publicized cyber attacks and other computer-related crimes, not even 40% of small construction firms planned to invest in cybersecurity. More than 50% of the contractors surveyed, however, answered that they planned to streamline their operations in 2018 by getting rid of paper and manual processes.

Dive Insight:

The construction industry as a whole is starting to shake the “slow adopter of technology” label, but surveys like the one from Kabbage indicate that there is a category of contractor that still is resistant to technology no matter the benefits or the protections it could provide.

Executives of small companies may believe that cyber criminals only target big contractors, but that’s not the case. Todd O’Boyle, formerly with Precipient and now director of product management at WatchGuard Technologies, told Construction Dive that small and mid-sized businesses also are at risk of a cyber attack. No matter their size, construction companies, he said, tend to be high-cash-flow businesses, making them perfect targets for cyber criminals. Jonathan Gossels, president and CEO of SystemExperts, added that even the smallest construction business has something of value to criminals.

And while small construction companies might not have the cloud setups or integrated systems that larger businesses do, many of their employees use tablets and smartphones to help them conduct business, which leaves those firms open to cyber attacks. For example, phishing emails only need one person to click on one link to give criminals access to confidential information.

To better protect company data, attorney Michelle Schaap of Chiesa Shahinian & Giantomasi said contractors should at the very least keep their firewalls and anti-virus software up to date (although that’s no guarantee that new malware can’t make it through those protections). Schaap said contractors should also partition information so that if one device comes under attack from a virus or a scam, the rest of the company’s devices and digital technologies aren’t affected.

The Shift that EternalBlue May Have Caused Within IT Leadership

For leaders in IT, 2017 has been the year of EternalBlue (the weaponized version of the vulnerability described in MS17-010), whether they know it or not. EternalBlue allowed the trivial exploitation of Microsoft systems, letting an attacker gain the highest level of system permissions. This sort of vulnerability set the hacking community on fire and enabled ransomware such as Petya, NotPetya and BadRabbit, which impacted industry and individuals worldwide. This is not something new. The industry saw the same discovery and exploitation cycle with Conficker (MS08-067) and ShellShock (CVE-2014-6271).

The shift that EternalBlue may have caused within IT leadership is a willingness to forgo the typical patch management process. The deliberate process of researching the vulnerability, identifying impacted systems, developing a backout plan, testing the patches in a lab, requesting a maintenance period to apply patches, validating patches, rinsing and repeating is simply too lengthy to be effective. The new mentality circulating is that organizations are best served by swift adoption of patches rather than a liturgical adherence to a patch management process that leaves them unprotected for days or months. Others will consider this approach reckless. 2018 may be the year that we see a tidal shift towards rapid patch management. The best bellwether for this industry shift will be if or when Microsoft disbands “Patch Tuesdays.” This will be the sign that a major industry leader recommends applying patches as available.

Whether organizations adhere to a deliberate or a rapid patch management approach, solid disaster recovery and business continuity programs are a must.

How to Prevent a Ransomware Attack

It is always better to be proactively prepared and prevent ransomware attacks than having to react after an attack occurs. Paying the ransom is not recommended.

Law enforcement and IT Security companies have joined forces to disrupt cybercriminal businesses with ransomware connections. The “No More Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and McAfee – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

Steps you can take to prevent a ransomware outbreak:

  • Require all devices to have active, up to date antivirus software installed that cannot be disabled by the end user.
  • Educate all users about the risks of ransomware and appropriate use of email.
  • Educate your users about how to view file extensions and which file extensions can potentially cause problems.
  • Do not let users be local administrators and/or run email or web browsers as an administrator or privileged account.

Steps you should take to prepare for a ransomware outbreak:

  • Ensure that you have working backups that can be used to restore all critical or essential data.
  • Test your restoration processes, and know how long a restoration will take.
  • Ensure that the backup system is segregated from users so that if a user’s machine is infected with ransomware, it cannot spread to the backups.
  • Educate your users about how to report an outbreak of ransomware and what steps they should take right away.

Steps you should take after an attack occurs:

  • Eradicate the infection.
  • Restore from backups.
  • If the backups are encrypted or destroyed by the ransomware, check to see if the keys to decrypt your data are available from a free source, rather than attempting to pay the ransom.

The Crypto Sheriff link will help the people behind the site check whether there is a solution available. If there is, the site will provide you with the link to download the decryption solution. See

Of course, if the site is not able to decrypt your files and you are unable to restore your files from backup, you have to assess the risk of actually paying the ransom. Remember that paying the ransom may not result in the restoration of your files. But for some companies, the choice is to cease business forever or pay the ransom. It is much better to have all of the preventive and recovery controls in place before ending up facing such a decision.

How to Ensure the Security of Your Cloud Storage in 2018: The Top Experts Speak

by Megan Thudium, writer, IT Security Central, January 25, 2018

We’ve heard of the challenges of Amazon S3 Buckets and the exposure of customer data to the world wide web. When cloud storage technology emerged, the new technology had plenty of hype. Companies flocked to the new technology, and they started integrating it into their daily work structure. However, security was usually overlooked, limitations not put into place and nonessential employees given administrative access to make important changes to data.

It’s a new year, so it’s time to find a new approach to your cloud storage security. To help you start the new year off right, we’ve reached out to top cyber security experts in the field to share their insight. This is the question we posed:

What can organizations do right now to ensure security of their cloud storage?


Jonathan Gossels is the president of SystemExperts, a network security consulting firm specializing in IT security and compliance. He plays an active, hands-on role advising clients in compliance, technology strategies, managing complex programs and building effective security organizations. Jonathan brings a business focus to this work, balancing all technical initiatives with business requirements and impact.

Secure your cloud storage by…

In addition to using unique passwords and changing them frequently, organizations should allow regular OS and software update patches, as well as use antivirus that scans emails and Internet URLs looking for malware.

To read what other security experts say on this topic, click here.

Intel’s Meltdown and Spectre Vulnerabilities

By now you have probably read some articles about the Meltdown and Spectre vulnerabilities but you may still be seeking guidance for how your organization should react.

First, a quick recap: Meltdown and Spectre were announced in early January 2018. Unlike most other vulnerabilities, Meltdown and Spectre exploit critical vulnerabilities in modern processors. Meltdown primarily affects Intel chips, and it allows any application to access all system memory, including memory allocated for the kernel. Spectre allows an application to force another application to access arbitrary portions of its memory, which can then be read through a side channel. Spectre impacts Intel, AMD, and ARM chips.

The statements about the vulnerabilities imply that in some circumstances the security boundary between virtual machines on a common hypervisor may not be absolute. In theory, the memory contents of virtual machines running on an unpatched physical host could be read by other virtual machines on the same physical host, or by the physical host itself.

Various operating system vendors have been issuing security updates to help mitigate the vulnerabilities. Some vendors have also issued security updates for specific applications. Unfortunately, none of these offer a long-term general solution, since the vulnerabilities exploit the design of modern processors. With this in mind, it is fair to expect future exploits that will use the same vulnerabilities in new ways that circumvent the mitigations in place.

What’s Intel Doing

Intel has published microcode updates to address its processors; however, reboot issues have been reported, and at the time of writing this post, Intel has recommended that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of its most recent patches. Intel expects to release new patches in the near future.

Performance issues have been reported for systems with Spectre and Meltdown mitigations in place. Performance hits ranging from 0% to 30% have been published. PostgreSQL servers in AWS have been identified as taking a 12-17% reduction in performance.

It is critical to test the security updates for these vulnerabilities in test environments before promoting the updates to production systems. It is also important to plan a response if performance is impacted and affects service level agreements with customers.

SystemExperts Recommendation

SystemExperts recommends that mitigation plans address a number of different areas of concern:

  • Systems in public clouds
  • Systems in private clouds
  • Physical servers
  • Appliances
  • Employee endpoint devices (workstations, laptops, smartphones, and tablets)
  • Security awareness
  • Evaluating third party service providers
  • Communicating with customers

Public Cloud

Organizations that use public cloud services should start by determining what they need to do to secure their cloud environment. Amazon AWS, Microsoft Azure, and Google all had some lead time and they had all of their hyper-visors patched shortly after the initial vulnerability announcement. However, organizations that manage virtual machines in these environments still need to apply patches to the machines they manage. Check with the operating system vendor and thoroughly test any updates before promoting the patches to production environments.

Many other smaller public cloud services did not necessarily have a head start on patching their hypervisors before the vulnerability announcement was made. Customers of these organizations need to reach out to their cloud provider to understand what has been patched, or when all relevant physical servers will be patched.

Private Cloud

Even if an organization operates a private cloud that doesn’t enable any external party to run arbitrary software on the servers, it should still evaluate its systems. The security of all of the virtual machines might not be equivalent. For example, some large private clouds might have a variety of server configurations deployed. A server that monitors environmental controls might grant remote access to an HVAC contractor, but the virtual machine might be on the same hypervisor as a database server that contains highly sensitive data or a file server that contains confidential customer data. Organizations operating private clouds should prioritize patching their hypervisors.

Organizations with a small virtualized environment may also be at risk. Consider a small organization that has a three-tier system consisting of a web server in a DMZ, a database server in a subnet that can only be accessed by the web server in the DMZ and by system administrators from the internal network, and an internal server that is not directly accessible from either the Internet or the DMZ. If these servers were all on the same hypervisor and the DMZ server were breached, it might be possible to read the memory contents of the servers in the other network tiers.
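The co-tenancy concern described above, as an added example that is not part of the original post: a Python script that takes a constructed VM inventory and lists the unpatched hypervisors hosting guests from different network tiers, ranked so the hosts to patch first come out on top. The tier and sensitivity labels, the CSV layout and the scoring are assumptions made for this example.

```python
"""Prioritize hypervisor patching by VM co-tenancy across trust tiers.

Added example, not code from the original post: given a constructed VM
inventory (name, hypervisor host, network tier, data sensitivity), list the
unpatched hypervisors where a breach of the least-trusted guest could expose
the memory of a more sensitive guest on the same host. Tier and sensitivity
labels, the CSV layout and the scoring are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed rankings: higher number = more trusted tier / more sensitive data.
TIER_RANK = {"dmz": 0, "app": 1, "internal": 2}
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class VM:
    name: str
    host: str  # hypervisor the guest runs on
    tier: str
    sensitivity: str


def parse_inventory(text: str) -> list:
    """Parse 'name,host,tier,sensitivity' lines; blank and '#' lines are skipped."""
    vms = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        name, host, tier, sens = parts
        if tier not in TIER_RANK or sens not in SENSITIVITY_RANK:
            raise ValueError(f"line {lineno}: unknown tier or sensitivity {tier!r}/{sens!r}")
        vms.append(VM(name, host, tier, sens))
    return vms


def cotenancy_findings(vms, host_patched):
    """Return findings for unpatched hosts whose guests span more than one tier.

    Each finding records the host, a priority score, the least-trusted guest
    (the likely entry point) and the most sensitive guest (what could be read).
    Guest OS patches do not close the cross-VM channel; only the hypervisor
    patch does, so guest patch state is deliberately not considered here.
    """
    by_host = defaultdict(list)
    for vm in vms:
        by_host[vm.host].append(vm)

    findings = []
    for host, guests in by_host.items():
        if host_patched.get(host, False):
            continue  # hypervisor patched: co-tenancy is no longer the concern
        lowest = min(guests, key=lambda v: TIER_RANK[v.tier])
        highest = max(guests, key=lambda v: TIER_RANK[v.tier])
        tier_gap = TIER_RANK[highest.tier] - TIER_RANK[lowest.tier]
        if tier_gap == 0:
            continue  # all guests share one trust level; nothing crosses a boundary
        most_sensitive = max(guests, key=lambda v: SENSITIVITY_RANK[v.sensitivity])
        findings.append({
            "host": host,
            "score": SENSITIVITY_RANK[most_sensitive.sensitivity] + tier_gap,
            "entry_point": lowest.name,
            "exposed": most_sensitive.name,
        })
    # Highest score first; host name breaks ties so the output is stable.
    findings.sort(key=lambda f: (-f["score"], f["host"]))
    return findings


# Constructed inventory mirroring the post's examples: a three-tier stack on one
# host, an HVAC monitor sharing a host with a customer database, and a host
# running only same-tier guests.
SAMPLE_INVENTORY = """\
# name,host,tier,sensitivity
web01,hv-a,dmz,public
db01,hv-a,app,confidential
files01,hv-a,internal,restricted
hvac-mon,hv-b,dmz,internal
crm-db,hv-b,internal,confidential
build01,hv-c,internal,internal
wiki01,hv-c,internal,internal
"""

# Constructed hypervisor patch state (e.g. from a vendor advisory tracker).
SAMPLE_HOST_PATCHED = {"hv-a": False, "hv-b": False, "hv-c": False}


def report(inventory=SAMPLE_INVENTORY, host_patched=SAMPLE_HOST_PATCHED):
    return cotenancy_findings(parse_inventory(inventory), host_patched)


if __name__ == "__main__":
    for f in report():
        print(f"{f['host']}: score {f['score']}, entry via {f['entry_point']}, "
              f"exposes {f['exposed']}")
```

Hosts whose guests all sit in one tier (hv-c) are not listed, and once a hypervisor is marked patched it drops out of the report.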

Physical Machines (servers and endpoints)

Of course, while organizations should likely prioritize updating their hypervisors, they must not forget about testing and applying the patches to all other physical servers, desktops, laptops, smartphones, and tablets as the patches for the various operating systems and microcode updates for processors become available.

Appliances

Network appliances that run Linux, Windows, or other general purpose operating systems may also be impacted by the vulnerabilities. Organizations should review their inventory of network appliances and closely monitor vendor security bulletins to learn when security updates are available, learn of any configuration workarounds, or learn whether the vendor believes the appliance is vulnerable.

Security Awareness

SystemExperts recommends that organizations notify employees and contractors about the Meltdown and Spectre vulnerabilities. Remind staff how to report suspected security incidents, and what to do if a customer asks what the organization is doing to mitigate the vulnerabilities.

Third Party Service Providers

Many companies now rely on SaaS, PaaS, and IaaS provided by third parties. Organizations should review all of their third party service providers, identify the risks, and determine what the vendors are saying about their mitigation strategies.

As an example, Box stated on January 8, 2018 that, “Box is applying patches where relevant to our infrastructure. At this time, we believe the Box service is not directly impacted, and we assess the risk as low. Though the underlying CPU and OS combination in our infrastructure may be affected by these vulnerabilities, the Box service is a closed system that does not allow customers to run custom code against our underlying infrastructure.”

Each organization will need to assess what the service providers say against its own perception of the risk and determine how it would like to proceed. An organization should consider enabling additional security options that it has chosen not to employ in the past, or it may decide that the time has arrived to seek an alternate service provider.

Communicating with Customers

Organizations should craft the message they want to communicate to their customers in response to the Meltdown and Spectre vulnerabilities, and tell all employees exactly who may respond to customer inquiries and how to refer customers to the correct information or contact point. Ideally, the response should indicate that the organization has a depth of knowledge, has evaluated the risk, and has taken actions to remediate the risks in a timely manner.


Protecting Systems and Data for a Traveling Workforce is Crucial

by Samuel Greengard, writer, Security Roundtable, January 24, 2018

Mobility is at the center of today’s enterprise. Employees rely on smartphones, tablets, and personal computers to access data anywhere and at any time. It’s no news flash that these devices are now a critical piece of the enterprise productivity scheme. Yet, all the gain doesn’t come without some pain: employees carrying devices and data wherever they go—and sending and receiving data and files over the air—dramatically increases the odds of a security breach.

“There are enormous risks associated with the loss of data and information,” said Benson Chan, senior partner for Strategy of Things, a Hayward, California, technology-consulting firm. “Today’s business environment makes it very easy for data to be lost, stolen, or otherwise compromised.” This encompasses everything from how people use and store laptops on business trips to how, when, and where they use public Wi-Fi networks and personal devices.

What this all means is that it’s essential to create a framework for protection. According to Paul Hill, a senior consultant at SystemExperts Corporation in Sudbury, Massachusetts, a program must focus on three key areas: device configurations, physical security, and the use of networks. “Companies should provide detailed guidance on the acceptable use of mobile devices to all traveling workers,” he explained. “The guidance should be based on the perceived risk resulting from the type of data that travelling workers might access, could have stored on the device, and where they travel.”

Risky business

There’s certainly no shortage of news reports about laptops and data being lost or stolen. These incidents not only pose a threat by exposing the data on the device, they can lead to further breaches or break-ins. They might also lead to legal problems. For example, in 2015, EMC and Hartford Hospital agreed to pay US$90,000 to the state of Connecticut over the theft of an unencrypted laptop that was stolen from an EMC employee’s home. It compromised personal data for 8,883 residents of the state.

Data thieves also intercept data over the air and establish free Wi-Fi networks—sometimes with SSIDs that trick users into thinking they are legitimate networks—to take advantage of harried travelers. Yet, even a legitimate network at a hotel or coffee shop represents real-world risks. Anyone with access to the password can lurk on the network, view activity, and use specialized software to steal data. A password and login simply aren’t adequate for ensuring security and privacy.

According to Terry Young, senior product marketing manager at Palo Alto Networks: “Today, the risks come from many directions.”

Secure Horizons

Here’s how your enterprise can better protect devices and data when employees hit the road:

Focus on device configuration. IT teams should ensure that all devices require a password, pass phrase, or PIN access, Hill said. In addition, mobile devices must have full system or full disk encryption enabled. These devices should have malware protection installed and the systems should be configured so that end users cannot shut them off or modify the security software in any way. It’s also wise to require the use of a virtual private network (VPN). “A VPN adds another layer of security,” Chan said.

Provide protection for devices. A growing problem, Young noted, is a lack of protection on mobile devices. This is particularly a problem on Android devices, which come in hundreds of different models. “We are witnessing an uptick in malicious activity on the Android platform,” she said. Not only can devices wind up compromised, but hackers and attackers can worm their way into an enterprise network and unleash spyware, ransomware, and other threats. In some cases, attackers might use Android phones to propagate Windows malware. “It’s critical to use malware protection and monitor devices and activity,” Young added.

Address physical security. Many problems occur because workers fail to follow basic precautions and protocols when they are working outside the office. One fundamental safeguard is avoiding business centers and kiosks at hotels, airports, and other locations.

Hill noted that several other critical precautions are important: make sure devices are locked in the trunk of rental vehicles; always place mobile devices in carry-on luggage; power down devices at international borders; and inform corporate security if an agent demands a login or forces an employee to disclose a password. Chan said that a privacy shield is essential on airplanes and other public locations. “People should always be aware that someone sitting next to them could be a competitor or a thief.”

Keep an eye on Wi-Fi. Wireless technology also represents real-world risks. “Employees should be extremely cautious about using hotel networks or public Wi-Fi hotspots,” Hill warned. Airline Wi-Fi is also a serious security concern, since it’s a public network. “In general, these networks should only be used in conjunction with a company VPN.

“However, a VPN does not mitigate all threats when using these networks. Employees should be trained in what to be suspicious of and how to identify a valid SSID.” One way to avoid the problem altogether is to supply employees with a Mi-Fi connection option or ensure that they use a personal hotspot through their mobile phone. If an organization opts for the latter, it’s crucial to configure devices with a strong password.

Likewise, it’s important to ensure that Internet of Things (IoT) devices and personal accessories are properly configured. Bluetooth is especially vulnerable. “Companies should provide employees with guidance on the acceptable use of Bluetooth devices, acceptable profiles, and how to properly configure devices securely,” Hill said.

Forward thinking

A traveling workforce represents the classic challenge of balancing productivity and security, Chan concluded. What’s more, as the use of mobile devices has become pervasive—and the cloud has entered the picture—the goal of protecting sensitive data has become more difficult.

Securing devices starts with establishing clear policies and strong controls. Organizations frequently benefit by using mobile device management (MDM) software that can track, oversee, and wipe lost or stolen devices. “But technology and processes are not a silver bullet,” Chan warned. “Organizations still face a basic problem: If someone decides to bypass controls, whether intentionally or unintentionally, they have created a gap.” He suggests adopting a balanced approach that focuses on three things: technology, policies, and education. “In many cases, security gaps occur because someone is simply trying to get their work done and they require Internet access.”

It’s also important to conduct audits and keep an eye on evolving technology. In the end, according to Chan, good security practices are as much about behavior as they are controls and enforcement. “People must understand what puts data at risk and when they are engaging in risky activity. If something is extremely sensitive, then it’s wise to ensure that you’re on a secure network and using encryption or take it offline.”

The Internet of Things: Still Lots for You to Learn

by John Edwards, InformationWeek, January 11, 2018

IT groups will need to provide architecture, data-mining tools and connectivity, while giving business groups the freedom to innovate on their own with the Internet of Things.

The Internet of Things (IoT) is already making a significant impact in a variety of business areas, including industrial monitoring and production, supply chain tracking, and multiple retail processes.

Down the road, experts see the IoT becoming nothing less than an integral aspect of everyday life, with a huge role for IT to play.

Earlier this year, Gartner forecast that 8.4 billion connected “things” will be in use worldwide this year, up 31% from last year. These include door locks, industrial robots, traffic lights, smoke detectors, heating and cooling systems, smart cars, heart monitors, trains, wind turbines, and even toasters. The total number of connected devices will reach 20.4 billion by 2020, Gartner predicted. Meanwhile, total spending on IoT-related endpoints and services was estimated at almost $2 trillion in 2017, Gartner added.

Important considerations

The IoT has profound implications for businesses of all types and sizes, yet industrial IoT holds the greatest potential, said Matt Rossi, director of technology at Janeiro Digital, a Boston-based business consultancy. “While it may not have the popularity of many consumer based markets — smart home, wearables, etc. — there is massive potential in connecting manufacturing, agriculture, energy, robotics, and so on,” he explained.

The most important part of becoming familiar with IoT is understanding how to capture and manage data to make better, informed decisions, said George Westerman, principal research scientist at MIT Sloan Executive Education. “Once businesses get control of the data through IoT integration, they can make it available for use,” he noted.

Enterprises must also be prepared to meet IoT’s sizeable resource demands. “The key issue created by IoT is one of scale,” observed Paul Hill, a senior consultant at SystemExperts, an IT security and compliance consulting firm in Sudbury, Mass.

Individually, IoT devices don’t possess much computational power, but they will be legion. “The number of devices in some industries will be much greater than the total number of employees,” Hill predicted. IoT has the potential to cripple inadequately built networks and data centers.

To read the complete article click here.