The Information Systems Security Association (ISSA) is an international organization providing educational forums, publications and networking opportunities to enhance the knowledge, skills and professional growth of its member information security professionals. The primary goal of ISSA is to promote management practices that will ensure availability, integrity and confidentiality of organizational resources.
About ISSA New England
ISSA New England is one of the oldest and largest ISSA Chapters with about 300 members from a broad variety of New England organizations.
How safe is the software you use? Do you have a system in place to identify vulnerabilities and patch them when they are discovered? How quickly do you react to vulnerability reports? There’s evidence that software vulnerabilities are on the rise, and few companies are taking the necessary action to combat them.
There was some worrying news in the recent Secunia Vulnerability Review 2015. The number of recorded vulnerabilities hit a record high of 15,435 last year, up 18% from 2013. The vulnerability count has increased 55% in the last five years. The report also found a rise in the number of zero-day vulnerabilities with 20 being uncovered in the 50 most popular programs. These are vulnerabilities that have already been exploited by hackers before being made public or being patched.
It seems that many businesses are making dangerous assumptions about open source software. The Ninth Annual Future of Open Source Survey from Black Duck offers some fascinating insights. OSS is gaining in popularity quite dramatically, but there’s a lack of policy in place to manage it. An impressive 78% of respondents reported that their companies run part or all of their operations on OSS, but 55% have no formal policy in place to deal with OSS use.
There’s a belief that OSS delivers better security than proprietary software, as 55% of respondents cited security as a reason for adopting OSS. That may be true, but it doesn’t mean that OSS is free of vulnerabilities. We all remember Heartbleed, and OpenSSL just released a fix for another high-severity flaw. It takes time and resources just to stay up to date on the latest vulnerabilities and keep software fully patched.
According to the survey, more than 50% of respondents are not satisfied with their ability to understand known security vulnerabilities in open-source components. What’s worse – only 17% plan to monitor open source code for security vulnerabilities. That means the majority are content to rely on someone else to find vulnerabilities, and without oversight it’s hard to predict how many vulnerabilities are already being exploited.
The open-source model does offer lots of advantages, and OSS adoption will continue to rise in the next few years. But there’s a real danger that this belief in its superior security credentials is causing companies to bury their heads in the sand.
The importance of rapid patching
Jumping back to Secunia’s report, it’s alarming to find that many organizations simply aren’t taking the threat of software vulnerabilities seriously enough.
A number of vendors took weeks to patch Heartbleed. One unnamed vendor took 160 days. If it’s taking that long to patch highly publicized flaws, then you have to wonder how many vulnerabilities are flying under the radar.
It’s understandable that companies aren’t committing resources to actively search for flaws, though it’s certainly not advisable. But the failure to patch known vulnerabilities is negligent. These kinds of flaws represent the greatest risk of attack. Cybercriminals and hackers tend to follow the path of least resistance, and that’s often known vulnerabilities.
The threat of vulnerabilities is only going to grow as more and more software is rushed out to market. It’s time the enterprise addressed this threat and, at an absolute minimum, allotted the necessary resources to patching known vulnerabilities. Ideally, companies should be monitoring code on an ongoing basis to uncover more vulnerabilities. Failure to act could be exposing businesses to serious risk of data leakage, which is expensive and difficult to fix.
Cybersecurity is only as strong as the weakest link. If your organization is using third-party vendors, policing their activity is critical to cybersecurity.
Few can forget the theft of 110 million customer credit cards from Target in December 2013. But not as many know how hackers gained access to such a vast amount of sensitive information. How’d they do it? By compromising the security of a third-party vendor, a Target branch store’s HVAC provider.
Turns out a phishing email duped an employee at the HVAC company, Fazio Mechanical, into installing a piece of malware on their computer. With inadequate anti-malware software in place, the program slipped by undetected and then handed over login credentials to the hackers. With the keys to the castle in hand, the hackers ran wild and stole everything they could.
This massive heist is still being sorted out in the courts, but it serves as a great example of how security is only as strong as the weakest link. While companies pay enormous sums to lock down their most sensitive data (to the tune of $77 billion globally this year, as forecasted by Gartner), how much are they still leaving exposed via third parties?
While the cost of a serious data breach is hard to calculate, it is generally accepted as high. One report estimated it at $400 million for 70 organizations in various industries globally. The question is what the enterprise can do to protect itself from third-party vendor security breaches.
Treasury Department Gets into the Act
Responsible for protecting customers’ money, financial institutions are dealing with the problem of cybercrime. As this threat has grown to include every industry, their investigations into preventing third-party vendor data breaches can provide some insight for prevention.
For example, the Office of the Comptroller of the Currency (OCC) compiled a list of “gotchas” that point to several risk profiles, none of which are exclusive to banks:
Failure to properly assess, understand, and document the risk and cost of outsourcing services.
Failure to perform proper due diligence and ongoing monitoring.
Entering into contracts without a proper assessment of the third party’s risk controls.
Entering into contracts that could incentivize a third party to take risks in order to maximize profit, even if those risks could be detrimental to the bank or its customers.
Engaging in third-party relationships without a formal contract, or with inadequate contracts.
Obviously, these recommendations can apply to all industries.
Questions to Ask
Prevention is all about planning. Before entering a business relationship with a vendor (or if you’re already thinking of filing for divorce), a company concerned about third-party risk should ask the following questions:
Why are these services being outsourced in the first place?
Is there any possibility the third party will subcontract?
Do they have data centers based overseas?
What data is being shared?
What is the plan in the event of a third-party failure or breach?
How often are vendors assessed?
These questions should be answered with solid documentation, including a map of third-party relationships, performance reports, audits, reviews, and a comprehensive due diligence report. If a company is serious about security, what was previously agreed upon with verbal promises has to be supplanted with a paper trail.
Trust is necessary in every relationship, but too much blind trust, while expedient, can potentially open your company to breaches and legal liability. As we’ve seen with the Target case, sorting out a large data breach is a long and costly process.
Re-Evaluating Vendor Assessments
No two vendor relationships are alike, and not all vendors should be treated the same or painted with the same security assessment brush. As it is, traditional vendor assessments fall short in two areas:
Rating reports largely produce an arbitrary score that fails to encompass the bigger picture. Important questions to ask instead when dealing with a vendor include, “What is the nature of this relationship?” and “What is our potential exposure in the event of an incident?”
Regular reviews are typically performed on an annual basis, which hardly brings urgency to the issue. In potentially risky relationships, continuous monitoring in real time may be necessary.
Unfortunately, you can’t leave house keys under the doormat for the plumber. Businesses put themselves at serious risk if they expect their third parties to do the right thing, or if they assume their vendors are infosec-savvy. Perhaps “Trust but verify” should be replaced with, “Confirm partners take security as seriously as you do.”
Falling victim to a ransomware attack is most definitely inconvenient, but it could also serve as a wake-up call to the importance of backing up important data.
You’re minding your own business, sitting at your office computer. Suddenly, a pop-up appears – with the logo of the FBI – warning that you’re under investigation for trafficking in child pornography. Your computer locks up. The message also instructs you to pay a fine with a gift card or money order, or risk being arrested. In return for the payment, your computer will be unlocked, the message says.
The goal of the ransomware thief is to extort a “fine” of $100 to $200, purportedly to be paid to the U.S. Department of Justice. Send it as a MoneyPak order, you’re told, and your computer will be unlocked. If you pay, you may receive a 10-digit password that allows you to unfreeze your computer. Or you may get nothing, or demands for more payoffs to the people who are holding your computer hostage. That’s why the virus is called “ransomware.”
The nerve of these criminals, you say. They lure me into opening a file or clicking on something while I’m surfing the Internet, infect and disable my computer so I can’t work on my files, and then ask me to cough up money for a code so I can “unlock” my computer.
I say don’t get mad at them. Instead, ask yourself why you haven’t been backing up your data to a remote site, preferably in the cloud. Because if you regularly do this, you’re protecting your data from these cyber thugs, and a whole lot more.
Having duplicate copies of your most important information saved in a remote location keeps it safe in case anything goes wrong with your computer.
When you think about it, there are a number of ways files can be lost unexpectedly, beyond aggressive malicious viruses like ransomware:
Computer crashes. They always happen when you can least afford them, and can lead to data loss.
Hard drive failure. Hard drives have a finite lifetime and can fail suddenly and without warning. The sudden death of a hard drive can cause the painful loss of months or years of irreplaceable files and the timing can be catastrophic – if this happens close to a work deadline, it could be a nightmare scenario.
Physical computer damage. Your files are more at risk if you use a laptop. Light and portable comes at the price of reduced durability. Laptops are sensitive and are easily damaged if dropped, or even if a drink is spilled over them.
Theft. Computers are sought after by thieves and cannot always be kept secure whilst travelling.
The bottom line is that if you value what’s kept on your computer, it’s wise to take steps to protect your information from sudden loss.
According to Minneapolis-based company Kroll Ontrack, 65% of survey respondents last year had a backup solution in place at the time of data loss, up 5% from 2013. Of those respondents, 59% used an external hard drive, 15% had cloud backup, and 10% used a tape backup system. Additionally, 55% said they diligently backed up their data on a daily basis.
So why did they still lose their data? Regardless of the solution or backup frequency, data loss may have occurred as a result of one of the following oversights and/or failures:
The external drive was only connected on an occasional basis; backup not automated
The computer was not on during a scheduled backup and not configured to perform at a different time
The backup software failed
The backup ran out of destination space
The backup profile did not cover all of the device requiring backup
A file was lost before a scheduled backup occurred
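The failures listed above are all detectable before data is lost. As an added example (not from the original article), the following audit takes the facts a backup tool or monitoring agent would report and flags each listed failure mode; the BackupStatus fields, path names and sizes are constructed assumptions.

```python
# Added example (not from the original article): audit a backup job against the
# failure modes listed above. All inputs are constructed sample values; nothing on
# the real filesystem or in a real backup tool is touched.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class BackupStatus:
    """Facts a backup tool or monitoring agent would report about its last run."""
    last_success: datetime      # when the last run completed successfully
    interval: timedelta         # how often the job is scheduled to run
    last_exit_code: int         # 0 means the backup software reported success
    dest_free_bytes: int        # free space left on the destination
    next_run_bytes: int         # estimated size of the next run
    covered_paths: frozenset    # paths the backup profile actually includes
    required_paths: frozenset   # paths holding data that must be protected

def audit_backup(status: BackupStatus, now: datetime) -> list:
    """Return one finding per failure mode detected; [] means none applies."""
    findings = []
    # Staleness covers the first two list items (drive connected only occasionally,
    # host off at the scheduled time). One interval of grace tolerates a late run.
    age = now - status.last_success
    if age > 2 * status.interval:
        findings.append(f"stale: about {age // status.interval} scheduled runs missed; "
                        "check automation, destination connectivity and host power state")
    if status.last_exit_code != 0:
        findings.append(f"software failure: last run exited with code {status.last_exit_code}")
    if status.dest_free_bytes < status.next_run_bytes:
        shortfall = status.next_run_bytes - status.dest_free_bytes
        findings.append(f"destination space: {shortfall} bytes short for the next run")
    missing = status.required_paths - status.covered_paths
    if missing:
        findings.append("coverage gap: profile omits " + ", ".join(sorted(missing)))
    return findings

# Constructed sample data: a daily job that has not completed for four days, whose
# destination is too small for the next run and whose profile misses a folder.
NOW = datetime(2015, 6, 5, 9, 0)
REQUIRED = frozenset({"/home/alice/Documents", "/home/alice/Projects"})
STALE = BackupStatus(datetime(2015, 6, 1, 2, 0), timedelta(days=1), 0,
                     5 * 2**30, 8 * 2**30, frozenset({"/home/alice/Documents"}), REQUIRED)
HEALTHY = BackupStatus(datetime(2015, 6, 5, 2, 0), timedelta(days=1), 0,
                       20 * 2**30, 8 * 2**30, REQUIRED, REQUIRED)

if __name__ == "__main__":
    for finding in audit_backup(STALE, NOW):
        print(finding)
```

The last list item, a file lost before the next scheduled run, is not a fault the audit can flag; the schedule interval itself is the worst-case window of unprotected work.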
Many users regularly back up their files to their own computer’s hard drive. It is always good practice to use encryption when backing up your data in the cloud.
Saving data to a separate location makes good sense and can be done easily if you have an external hard drive or a large-capacity pen drive. However, this method is only as secure as the device you’re using for backup. When saving your files on physical devices, the backup device needs to be kept in a different location than the computer, and can in turn fall victim to damage or loss. Despite your best intentions, you may forget to copy your files as often as you should, leaving a large amount of recent work unprotected. Online backup is a safer and more effective method of securing files.
Files stored online are safe from damage to your computer, and if something goes wrong with your machine you will still have remote access to your information from any computer with internet access. This means files can be quickly and easily restored to your computer from a secure online server.
So, instead of wanting to launch your fist into the face of a ransomware thief, maybe a ‘thank you’ is in order. The ransomware thief’s shenanigans enable data security specialists to shine a spotlight on best practices for regularly backing up data. In addition to rendering a ransomware attack inconsequential, cloud backup provides peace of mind.
At Towerwall we have helped scores of companies safeguard their data and leverage their investment in IT with advanced information security solutions and services. As a market leader within the IT security industry, we offer complete IT security services. Advanced Information Security Solutions in Massachusetts, New Hampshire, New York, Rhode Island, Connecticut, Vermont, Maine, & the Caribbean.