Accepting Credit Cards? PCI Compliance a Concern for Small Businesses

Sue Poremba, contributing writer to Business News Daily, interviewed security experts on why PCI compliance is a concern for small businesses.  Here are the tips we offered on how to stay PCI compliant:

  1. Identify all business and client data, including any cardholder data, its sensitivity and criticality. Correctly defining the scope of assessment is probably the most difficult and important part of any PCI compliance program. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add immense and unnecessary cost and effort to a PCI compliance program.
  2. Understand the boundaries of the cardholder data environment and all the data that flows into and out of it. Any system that connects to the cardholder data environment is within the scope of compliance and, therefore, must meet PCI requirements. The cardholder data environment includes all processes, technology, and people who store, process, or transmit customer cardholder data or authentication data, as well as all connected system components and any virtualization components, like servers.
  3. Establish operating controls to protect the confidentiality and integrity of any cardholder data. Cardholder data should be protected wherever it is imported, processed, stored and transmitted. It must also be properly disposed of at the end of its life span. Backups must also preserve the confidentiality and integrity of cardholder data. Additionally, all media must be properly disposed of to ensure the continued confidentiality of the data. Be sure to include not only the hard disks used by company-owned computer systems but also leased systems and the storage included in modern copy machines and printers.
  4. Have an incident response plan in place. When a security incident occurs, it’s important to have a plan to return to secure operations as quickly as possible. This plan should define roles, responsibilities, communication requirements and contact strategies in the event of a compromise, including notification of the payment brands, legal counsel and public relations. This will ensure timely and effective handling of all compromised situations. Ideally, companies should have a certified forensics specialist on retainer who can gather evidence and testify as an expert witness if necessary.
  5. Explain and enforce security procedures. You can never be sure that employees understand best security practices and behaviors that can put your business at risk. It is up to you to make sure everyone within the company, from lower-level employees to IT specialists to management, is educated on security procedures and PCI compliance procedures.


Data Privacy Market Still Has Room for All Entrants

by Victoria Hudgins, writer, July 18, 2019

The rapid growth and complexity of data privacy laws makes the idea of one dominant privacy compliance company unlikely, ensuring lawyers’ seat at the table.

In the midst of growing data regulation laws and compliance needs, some privacy compliance technology companies are attracting a slew of investments. Take for example, data privacy compliance company OneTrust raising $200 million and TrustArc announcing it secured $70 million last week.

But while it may be tempting to say a select few companies have cornered the data privacy market, competitors and observers say the variety and complexity of data privacy regulations makes no platform the single go-to company in the market. Likewise, lawyers’ legal expertise still makes them a valuable asset for understanding regulations.  

Dave Deasy, vice president of marketing at TrustArc, said the combination of stiff fines grabbing companies’ attention and many regulations’ reporting requirements is driving venture capital investment into data privacy compliance tech.

As European regulators begin to levy penalties for high-profile data breaches under the General Data Protection Regulation (GDPR), companies are also concerned about other growing data regulations and the patchwork of U.S. data privacy laws. In turn, companies need a host of services to meet their data privacy requirements.

“There are a lot of moving pieces. I suspect [data privacy compliance] companies will concentrate on a particular area,” said Paul Hill, senior consultant for SystemExperts Corp., a cybersecurity consulting services company. “There’s legal advice, inventory of data and tracking where data goes and then there’s the wide variety of technical controls.”

TrustArc’s Deasy noted he’s seen more small startups sprouting up with specialized functions geared toward single aspects of a data privacy regulation, from solely offering to manage data request services to only providing data discovery. Meanwhile, law firms are now leveraging compliance technology to counsel their clients, he added.

While firms are using platforms from tech companies, they are also creating data privacy compliance tools of their own for clients, said Tsutomu Johnson, Parsons Behle & Latimer of counsel and CEO of the firm’s legal tech lab.

Indeed, various law firms have created privacy compliance tools to provide clients with access to their legal expertise, perhaps to the detriment of the billable hour, to fit clients’ 24-7 needs. That foray into legal tech is law firms’ stepping stone into automating more legal services, Johnson said.

“What I think law firms will do is pivot and leverage the technology they’ve made in privacy to meet a demand … to figure out a way to contain legal costs and the only way you can do that is by automating,” he said.

Likewise, lawyers still maintain the traditional role of drafting contracts in compliance with varying regulations.

“The gap law firms can still fill is creating language that is in compliance with the text of the law,” Johnson said.

Considering the Use of a CPaaS Provider? Look at the Inherent Risks

The rise of the communications platform as a service (CPaaS) model has many enterprises migrating from on-premises communications to cloud platforms and APIs. CPaaS and APIs offer benefits including improved productivity and third-party app integrations, but before adopting CPaaS, companies should consider the inherent risks.

Remember that the underlying technologies tend to be insecure. Even if an encrypted channel is used between the application that initiates the communication and the CPaaS provider, the data is not necessarily protected along the entire path to the recipient.

CPaaS providers give developers and companies the ability to integrate or embed communications channels such as SMS, MMS, and voice into their applications. SMS and MMS do not define security mechanisms. Ultimately any SMS or MMS message is delivered to the remote endpoint over an unencrypted communications channel. Hence, integration with these services may not be appropriate in all circumstances, because their use may violate regulatory or contractual requirements for some types of sensitive data. In addition, a sophisticated attacker may be able to modify the contents during transmission or replay a message at a later time.

MMS also entails additional underlying risks. If a user of the integrated application receives an MMS message, the message could contain malware. So the endpoints running the CPaaS integrated applications and devices must be running anti-malware software where possible. 

VoIP and SIP services supported by CPaaS providers also have inherent security risks. These include exposure to Denial of Service (DoS) attacks, message tampering, impersonation of servers, and registration hijacking.

Organizations should also remember that APIs typically add complexity and increase the attack surface. Attackers might be able to exploit data sent into an API, including the URL, query parameters, HTTP headers, and/or POST body content. Or an attacker might seek to exploit flaws in authentication, authorization, and session tracking. Adding multiple CPaaS providers increases the complexity and potentially provides attackers with additional opportunities.

Organizations should also be aware that employees might utilize CPaaS features to exfiltrate data. For example, MMS could be used to send a file containing sensitive or confidential data.

There are a variety of compensating controls that can be used. For example, a Cloud Access Security Broker (CASB) could be used to help prevent the exfiltration of sensitive or confidential information. It could also be used to help block and quarantine malware being received or sent. 

Some Web Application Firewalls (WAFs) can be used to help secure the use of a CPaaS. A WAF may be able to mitigate the risks of server impersonation, some DoS attacks, or even provide some parameter validation. For example, a WAF can be used to block very large messages, heavily nested data structures, or overly complex data structures. 

All of the communications with the CPaaS provider via the APIs should be encrypted using TLS. This can be enforced by properly configured firewall rules. 

Intrusion Detection Systems / Intrusion Prevention Systems (IDS/IPS) devices should also be deployed on the network to detect and/or prevent some of the potential attacks.

Given the security issues in some of the underlying protocols, session management should not rely solely on authentication. If practical for the environment, access should be limited to specific IP address ranges, and, where practical, devices should be authenticated as well as users.

Ransomware – should you pay or not?

You may have seen the recent news about cities and towns being held hostage to hackers infecting their data. With over 25 years of experience in cyber security, I’ve seen it all. To help guide you in managing a ransomware attack, I’ve outlined the steps you can take to minimize the impact on your organization – including my view on why you should not pay the ransom.

Should I pay? No!

Almost all ransomware attacks boil down to one question: are you going to pay the ransom or not? As a goal, the answer should be no. Let’s start by stating the obvious: you’re dealing with a criminal who has purposely forced ransomware onto one or more of your computers, rendering them unusable unless you pay for the files to be decrypted. You have no guarantee whatsoever that you’ll actually get the decryption key, and it’s quite possible there is additional malware already installed that you’ll have to deal with next. You are essentially a hostage being blackmailed for money to get out of your situation, and you have no assurance that there’s an end in sight.

Take out the emotion

One of the real problems is that this is an emotional situation: you and your work environment have been made vulnerable, and you’re not going to like dealing with a criminal to somehow extract yourself from it. This is easier said than done, but you need to take the emotion out of it and deal with the facts. Dealing with this attack is very similar to dealing with a disaster recovery situation. If you can put it in that light, it will help to defuse the emotion and get you more focused on recovery and less on feeling like your company is being held hostage.

Isolate as quickly as possible

The number one priority once ransomware has been identified is to isolate the infected systems as quickly as possible so the problem doesn’t spread. Every second counts. If it’s a single system, don’t be gentle: unplug the power to it. If it’s a collection of systems, isolate that part of the network immediately so it can’t spread to other systems, shared file storage, or other networks. Once it is isolated you can then start to identify the problem, report the situation to authorities, and begin the restore and refresh process.

Dealing with Ransomware is like Disaster Recovery

The final step is to restore and refresh the infected systems from safe backups and reinstall safe versions of the programs and software your systems need to execute normal business activities. In other words, the plan to deal with a ransomware infection is very much modeled after how you plan for disaster recovery: document responsibilities, steps and owners, define vital applications, map out dependencies, determine appropriate backup and redundancy measures, regularly update employees, and as always, test the process periodically.

Four Tips for Dealing with Shadow IT

Simply stated, Shadow IT is what happens when people within an organization decide to deploy Information Technology systems and services without approval from the official IT group.  On the positive side, this can be the source of real innovation from within the company without the normal formal approval process that can be time consuming and burdensome. On the negative side, these systems and services may be deployed in a way that is not in line with documented requirements for control, security or documentation.

The abundance of Bring Your Own Devices (BYOD) in the form of smartphones, laptops, IoT devices, and tablets, just to name a few, has created an atmosphere where people are not willing to abandon these devices for the sake of waiting for approval because they offer such a rich variety of applications that people depend on and use every single day.

The obvious fixes are to both establish open communications between the IT staff and other employees to understand why resources are being deployed without approval and to have management demand that the IT department be the sole gatekeeper for technology solutions.  Unfortunately, these fixes don’t often match reality and Shadow IT exists anyway.

Tips for dealing with Shadow IT:

  1. A potentially counter-intuitive solution is to encourage innovation outside of the IT department instead of frowning upon it. For example, have the IT department publish straightforward deployment guidelines (think of 1-2 pages of crisp and clear requirements, not a 50-page book that nobody will read).
  2. Have the IT department identify helpful and secure solutions that have been implemented and fast track them into the IT portfolio to show the end user population that new technologies can be quickly embraced.
  3. Support the IT department to put their foot down and categorically deny or remove technology that creates compliance or regulatory violations.
  4. Monitor your own network to identify unexpected additions of either systems or services so the IT staff can immediately work with the users who have decided to deploy solutions on their own.
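Tip 4 is the one that can be automated. The following is an added example, not from the original article: it compares the devices seen in DHCP lease records against an approved asset inventory and reports anything that is not on the list, which is the starting point for the conversation with whoever deployed it. The inventory and the dnsmasq-style lease lines are constructed, and the lease-line layout is an assumption of the example.

```python
"""Flag network devices that are absent from the approved asset inventory (added example)."""
import re
from dataclasses import dataclass

# Constructed approved inventory: MAC address -> (hostname, asset tag).
APPROVED = {
    "aa:bb:cc:00:00:01": ("finance-laptop-07", "IT-1042"),
    "aa:bb:cc:00:00:02": ("printer-2f", "IT-0311"),
}

# Constructed lease records in dnsmasq lease-file layout:
# "<expiry-epoch> <mac> <ip> <hostname or *> <client-id or *>"
LEASE_LOG = """\
1700000000 aa:bb:cc:00:00:01 10.0.5.21 finance-laptop-07 01:aa:bb:cc:00:00:01
1700000060 aa:bb:cc:00:00:02 10.0.5.40 printer-2f *
1700000120 de:ad:be:ef:00:03 10.0.5.77 nas-personal *
1700000180 DE:AD:BE:EF:00:04 10.0.5.78 * *
this line is malformed and must be skipped
"""

LEASE_RE = re.compile(
    r"^(?P<expiry>\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)\s+(?P<cid>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UnknownDevice:
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> list[dict]:
    """Parse lease lines into dicts; malformed lines are skipped, MACs lower-cased."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["mac"] = rec["mac"].lower()
            leases.append(rec)
    return leases


def find_unknown_devices(lease_text: str = LEASE_LOG,
                         approved: dict = APPROVED) -> list[UnknownDevice]:
    """Return devices whose MAC address is not in the approved inventory."""
    return [UnknownDevice(rec["mac"], rec["ip"], rec["host"])
            for rec in parse_leases(lease_text)
            if rec["mac"] not in approved]


if __name__ == "__main__":
    for dev in find_unknown_devices():
        print(f"unapproved device: {dev.mac} {dev.ip} ({dev.hostname})")
```

Feeding the same comparison from switch MAC tables or an ARP cache instead of DHCP catches statically addressed devices too.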

Cybercrime: Impact on Manufacturers

With the rise in value of intellectual property, cybercriminals are now aiming their activity at the manufacturing sector. Manufacturers in the past haven’t practiced the strictest of cybersecurity measures, leaving themselves quite vulnerable today. The exceptions are industries, such as chemical and pharmaceutical manufacturing, that are subject to federal regulations regarding cybersecurity.

Within the general manufacturing sector many companies are increasingly worried about intellectual property theft regarding product design and manufacturing costs. In particular they are concerned about this type of information being used by overseas competitors.

SystemExperts recommends that manufacturing companies create a cyber security program that aligns with ISO 27002, aka Information technology – Security techniques – Code of practice for information security controls, or the NIST Cyber Security Framework (CSF). Implementing either of these frameworks will help defend companies from a broad range of threats including the narrow issues of ransomware and intellectual property theft.

In the short term, manufacturing companies should prepare for cyberattacks. First priorities to prepare for such attacks include:

  • Identify all business critical files
  • Ensure all business critical files are backed up
  • Ensure that backup files are isolated and can only be accessed by an account dedicated to backup and restoration operations
  • Ensure that backups can be restored
  • Ensure all devices used for reading email have current, active, anti-virus software installed and running
  • Ensure that all email gateways are performing real-time inspection and detection to completely disassemble email attachments and downloads and remove potential malware threats
  • Restrict user accounts: they should not have local administrator rights nor administrative rights to file shares or servers
  • Educate users about the proper use of email, phishing attacks, and ransomware

For additional information visit the site and read the materials available on it. Companies that are a victim of ransomware should visit the site and determine if the files can be recovered without paying the ransom.

Disaster Recovery as a Service

Disaster Recovery as a Service, or DRaaS, helps safeguard your company from IT outages and helps build a resilient IT system to maintain servers and network usage throughout recovery processes. DRaaS uses cloud resources to protect applications and data from disruption caused by disaster and gives an organization a total system backup that allows for business continuity in the event of system failure.

It has been reported that approximately 50 percent of IT outages are software or network failures – this means that it is highly likely that your business will experience a system failure at some point in time. Taking steps to manage this risk is important to alleviate the damage and financial costs that can result from such a disruption.

DRaaS can be categorized into three separate types: Self-service DRaaS, Assisted DRaaS, and Managed DRaaS.

  1. Self-service DRaaS gives the business full control over all aspects from recovery planning to testing and management and has the least financial obligation as far as the outsourcing cost.
  2. Assisted DRaaS helps alleviate some of the cost by supplying the resources needed along with a low level of support.
  3. Managed DRaaS helps alleviate responsibility by fully outsourcing the business’s disaster recovery needs in order to provide more time to focus on other business priorities. This also offers the highest level of support.

With Self-service DRaaS, the business will require employees who are well versed in disaster recovery. The recovery team must also be available should a disaster event occur.

If you are considering implementing DRaaS, feel free to contact us for an assessment and recommendation to meet your specific business requirements.

How important is AWS certification for career success?

Many companies specify the need for a certification in job postings simply to weed out unqualified candidates as quickly as possible. The reality is that for most companies, real world experience and demonstrated success will count more than a certification.

For a long term career path with few limitations a much better choice is to obtain a B.S. in Computer Science, or an advanced degree, from a school with a renowned reputation. These degrees demonstrate that a candidate can absorb abstract ideas, apply them to new situations, and have the discipline to succeed.

However, certifications in limited subjects have their uses when evaluating candidates that haven’t had the opportunity to be admitted and graduate from schools offering computer science programs.

Amazon currently offers ten different certifications. The graphic from Amazon’s certification page provides the names of the certifications, how they are categorized, and the recommended experience associated with each of the certifications.

Note that to obtain some of these certifications, Amazon requires individuals to have already obtained a prerequisite certification. For example, to obtain a Professional Solutions Architect certification, the Associate Solutions Architect certification is a prerequisite. For any of the specialty certificates, both a Foundational Cloud Practitioner and one of the Associate certifications are needed as a prerequisite.

In my opinion, most technical people interested in obtaining an Amazon certificate should start with the Associate Solution Architect. This demonstrates more advanced knowledge than the Foundational Cloud Practitioner and serves as a good prerequisite for later advancement or specialization.

To prepare for taking a certification exam there are many options. Amazon itself offers seven on-demand Exam Readiness courses available at no cost. This is a great choice for people that have the self-discipline to learn without an instructor at their own pace.

For people that need a more structured learning environment there are a variety of online courses from various training vendors including Udemy, Cloud Academy, and many others. In addition, many community colleges and adult education programs around the country offer traditional classroom courses to prepare to take the AWS certification exams.

How Companies Can Protect Themselves from Ransomware

I was recently asked about ransomware and how companies can defend themselves. The most common vectors of infection for ransomware are email, such as attachments and malicious links in the message, and exploit kits, which are usually executed when a victim visits a compromised website.

Some organizations assert that approximately 60 percent of ransomware infections result from email vectors. To address this, we encourage our clients to fully implement the recommendations of a well-established security framework such as:

  • ISO 27002, Information technology – Security techniques – Code of practice for information security controls
  • The Center for Internet Security’s (CIS) Top 20 Critical Security Controls
  • NIST’s Cyber Security Framework (CSF)

A subset of the controls defined in the above that are directly relevant to defending against ransomware infections are:

  • Server side anti-virus software on incoming email gateways
  • Endpoint anti-virus software on all users’ desktops, laptops, tablets, and smartphones
  • Read email and browse the web only from non-privileged accounts
  • Keep up to date with security patches on servers and endpoints
  • Implement DMARC, SPF, and DKIM to reduce the likelihood of receiving ransomware
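The DMARC item in the list above is where SPF and DKIM become useful against spoofed sender addresses: a message passes DMARC only when SPF or DKIM passes and the authenticated domain aligns with the From domain the user sees. The following is an added example, not the article's code: it implements that alignment decision for a constructed DMARC record and three constructed messages, approximating the organizational domain by the last two labels (a real receiver uses the Public Suffix List and a full DMARC library).

```python
"""Minimal DMARC evaluation: pass requires an authenticated AND aligned identifier (added example)."""
from dataclasses import dataclass, field


@dataclass
class AuthResults:
    """SPF/DKIM outcomes the receiving mail server already computed (constructed)."""
    from_domain: str                 # domain of the RFC5322.From header the user sees
    spf_result: str                  # "pass", "fail", "softfail", "none", ...
    spf_domain: str                  # domain SPF was checked against (MAIL FROM)
    dkim_pass_domains: list = field(default_factory=list)  # d= of signatures that verified


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC 7489 defaults."""
    tags = {"p": "none", "aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (no Public Suffix List here)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(results: AuthResults, record: str, record_domain: str) -> tuple:
    """Return (passed, disposition); disposition is 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_aligned = (results.spf_result == "pass"
                   and aligned(results.spf_domain, results.from_domain, tags["aspf"]))
    dkim_aligned = any(aligned(d, results.from_domain, tags["adkim"])
                       for d in results.dkim_pass_domains)
    if spf_aligned or dkim_aligned:
        return True, "none"
    # sp=, when present, governs mail whose From domain is a subdomain of the
    # domain that published the record; otherwise p= applies.
    is_subdomain = results.from_domain.lower() != record_domain.lower()
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return False, policy


# Constructed record published for example.com, and three constructed messages.
RECORD = "v=DMARC1; p=reject; sp=quarantine; aspf=r; adkim=s"
LEGIT = AuthResults("example.com", "pass", "bounce.example.com", ["example.com"])
# SPF passes, but for the sender's own domain, which does not align with the From.
FORGED = AuthResults("example.com", "pass", "mailer.example.net", [])
# Subdomain From with a DKIM signature that fails the strict alignment requirement.
SUBDOMAIN = AuthResults("news.example.com", "fail", "news.example.com", ["mail.example.com"])

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("forged", FORGED), ("subdomain", SUBDOMAIN)):
        print(name, dmarc_evaluate(msg, RECORD, "example.com"))
```

The forged case is the point of the control: an attacker can pass SPF for a domain they own, but not for the domain in the From header the recipient reads.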

Security awareness training: Train users to be cautious about the use of email and the Internet:

  • Don’t open any unexpected attachments, even those apparently from people you know
  • Don’t click on any links in email received from unknown third parties
  • Examine the sender’s email address to see if the email really originates from the person you think sent the email

Note, in addition to traditional signature based anti-virus software, consider deploying next generation (aka signatureless) anti-virus / anti-malware tools. Techniques in these tools include sandbox detection, data mining, behavioral detection, artificial intelligence, machine learning, and cloud-based file detonation.

Organizations should also assume that they will still occasionally get infected with ransomware. There are critical steps to take to reduce the impact:

  • Perform frequent backups of all critical systems
  • Perform table top exercises to help determine:
    • What needs to get backed up
    • How frequently backups should be performed (recovery point objectives)
  • Test your ability to recover from backups; this ensures employees know the procedure and validates that backups are being performed correctly
    • Know what your practical recovery time objective (RTO) can be
  • Segregate backup storage; if one of your system administrators’ accounts is infected you don’t want the ransomware spreading to the backups. (Remember, email and web browsing should only be done from non-privileged accounts)

If your organization is infected by ransomware and restoration from backups does not resolve all of the problems, then try to determine if the decryption keys are freely available from a third-party.  See:

Protecting the Critical Infrastructure from cyber warfare

by Joe Clapp, senior consultant, SystemExperts for SC Magazine, March 13, 2019

Cyber attacks are hard to prevent. A cyberattack against our nation’s critical infrastructure (CI) is especially hard to thwart and could have devastating consequences to our human existence. Most everyone is aware of the catastrophic risk the electrical grid faces from a cyberattack. To put it in perspective, a complete outage of the electrical grids due to a hostile attack is estimated to have a 70-90 percent casualty rate within 12 months.

But the electrical grid is not the only critical infrastructure that is vulnerable to cyberwarfare. According to the Department of Homeland Security, there are 16 sectors that make up our nation’s critical infrastructure. They include: chemical/energy/nuclear, commercial/government facilities, communications/information technology, critical manufacturing, defense, financial services, food/agriculture, healthcare/public health/emergency services, transportation, and water/wastewater systems/dams. To be blunt, there is a devastating cost to human life for failing to safeguard these critical systems.

In the past, our critical infrastructure was isolated and non-networked. If you wanted to turn a valve off at a water station, there was a physical valve that needed to be turned at the station. In the past few decades, technology progressed to allow that same valve to be turned on or off using a computer system that was physically available only from within the confines of that station.

More recently, these systems have migrated to a network environment, beyond the physical presence at the station. That last move – exposing the systems beyond the physical and into the cyber realm without a primary focus on security – introduced a lot of vulnerability and risk to the critical infrastructure.

Additionally, a large portion of these critical systems is managed by small municipalities and service providers that lack the funding to test the security controls currently in place, or to conduct important exercises like incident response testing and business continuity testing.

Knowing these limitations, the question remains, “How can the nation’s critical infrastructure be safeguarded against a cyberattack?”

Unfortunately, there is no easy answer, but there are a number of steps local municipalities and providers can take to help protect their critical systems:

1. Build with security in mind from the ground up. It is very important to build security into the critical system from the very beginning stages, and not try to interject it after the infrastructure has already been built. This approach allows for systems to be designed specifically for that organization’s security needs and eliminates extra legwork later in the process.
2. Test network systems regularly. Network systems should be tested regularly, from both a security perspective and a recovery perspective. The testing organization should be able to determine whether a disruption is a deliberate cyberattack on its systems or simply bad luck, and be able to respond to and recover from it, no matter the cause.
3. Understand the threats against it. Understanding the threats against the critical infrastructure is key to being able to protect against them. There are private companies that provide detailed threat intelligence to clients by scanning the internet and dark web for threats that relate to a specific industry, company or region. Having this kind of detailed threat intelligence service is very valuable and worth pursuing for even small municipalities and providers.

Currently, when it comes to securing the critical infrastructure, we rely on the cooperation between local municipalities and service providers, such as the water distributors and the power companies. For the most part, our critical infrastructure is a patchwork of small organizations working together, and there is no single button to push for a major security event. There are literally thousands of buttons to push, and hundreds of hands working together to secure their specific piece of the critical infrastructure.

On a national level, one thing the government can do is declassify or not “over-classify” the threat intelligence it gathers in order to effectively share that important information with the critical industries in the United States. There are programs currently in place that provide threat intelligence, but they require security clearance from the government, which is virtually unattainable by small service providers like the small-town water distributor with the shut-off valve at the station.

There is still a long road ahead to secure the critical infrastructure against a cyberattack. However, the more aware we are of the threats against us, the better able we are to work together to protect against them.