Cybersecurity is only as strong as your weakest link—your employees

Stay on top of account management and assess staff security skills with CIS Controls 16 and 17


You can have the most secure system in the world, but hackers will always seek out the path of least resistance. When your defenses are good, the weak link is often your employees. Data breaches are most likely to be the result of employee error or an inside job, according to the ACC Foundation: State of Cybersecurity Report.

It’s good to focus on firewalls, malware defenses and data protection, but too often employees are an afterthought.

To help you with that, we’re going to look at Critical Security Controls 16 and 17, covering account management and security skills assessment and training. The Critical Security Controls are best practices devised by the Center for Internet Security (CIS) and designed to help the public and private sectors tighten up cybersecurity.


Critical Control 16: Account Monitoring and Control

Inactive user accounts are ripe for exploitation by attackers. By using legitimate, but inactive accounts, they can easily impersonate legitimate users and mask their nefarious activity.

There’s also serious potential risk involved when accounts associated with former employees or temporary contractors are not deleted when employment ends. They may be left with unauthorized access to sensitive data, which is especially dangerous if the split wasn’t amicable. Some unscrupulous former employees may see an opportunity to profit.

There are a few simple rules you can put in place to ensure inactive accounts aren’t a potential route in for attackers or a potential route out for sensitive data.

  • Account access should be revoked immediately when an employee or contractor is terminated or leaves for any reason. You may prefer to disable access rather than delete accounts.
  • Accounts should be monitored and flagged if they don’t have an associated business process and owner.
  • Automatically log off users after a period of inactivity and use screen locks to guard against access via unattended computers.
  • Be vigilant for failed log-ins and attempts to access deactivated accounts.
  • Profile user behavior so that log-ins at odd times of the day or night, or log-ins from new devices, are flagged.
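
As an added illustration of the monitoring rules listed above (example code, not from the original article), the checks below run over a constructed account inventory and a few constructed authentication log lines; the account names, device ids, the 90-day idle window and the 7-to-19 business-hours window are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed account inventory (sample data, not from the article): status, owner, last login.
ACCOUNTS = {
    "alice":   {"status": "active",   "owner": "finance", "last_login": "2016-07-18T09:02:00"},
    "bob":     {"status": "active",   "owner": None,      "last_login": "2016-07-17T10:15:00"},
    "svc_old": {"status": "active",   "owner": "it",      "last_login": "2016-01-03T08:00:00"},
    "carol":   {"status": "disabled", "owner": "sales",   "last_login": "2016-05-30T17:45:00"},
}
# Constructed authentication log lines: timestamp, user, result, device id.
EVENTS = [
    "2016-07-19T09:01:12 alice success laptop-0412",
    "2016-07-19T03:14:07 alice success laptop-9931",  # odd hour, unseen device
    "2016-07-19T11:20:00 carol failure laptop-0412",  # disabled account
    "2016-07-19T11:20:05 bob failure laptop-0413",
    "2016-07-19T11:20:09 bob failure laptop-0413",
    "2016-07-19T11:20:14 bob failure laptop-0413",    # third failure in a row
]
KNOWN_DEVICES = {"alice": {"laptop-0412"}, "bob": {"laptop-0413"}}

def review_accounts(accounts, now_iso, max_idle_days=90):
    """Flag active accounts with no business owner or idle longer than max_idle_days."""
    now, findings = datetime.fromisoformat(now_iso), []
    for name, acct in accounts.items():
        if acct["status"] != "active":
            continue  # disabled accounts are watched in review_events instead
        if acct["owner"] is None:
            findings.append(("no_owner", name))
        if now - datetime.fromisoformat(acct["last_login"]) > timedelta(days=max_idle_days):
            findings.append(("inactive", name))
    return findings

def review_events(accounts, events, known_devices, hours=(7, 19), max_failures=3):
    """Flag use of disabled accounts, failure bursts, off-hours logins and unseen devices."""
    findings, failures = [], Counter()
    for line in events:
        ts, user, result, device = line.split()
        if accounts.get(user, {}).get("status") == "disabled":
            findings.append(("disabled_account_used", user))
        if result == "failure":
            failures[user] += 1
            if failures[user] == max_failures:
                findings.append(("failed_login_burst", user))
            continue  # only successful logins are profiled below
        if not hours[0] <= datetime.fromisoformat(ts).hour < hours[1]:
            findings.append(("off_hours_login", user))
        if device not in known_devices.get(user, set()):
            findings.append(("new_device", user))
    return findings
```

Each finding is a (rule, account) pair, so the output can be fed to whatever ticketing or alerting process owns account reviews.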

You’ll also want to enforce multi-factor authentication wherever possible, ensure that passwords and usernames are fully encrypted, and configure and authenticate centrally.

Careful account monitoring is especially important at large organizations where breaches are more than twice as likely, according to that same ACC Foundation report.


Critical Control 17: Security Skills Assessment and Appropriate Training to Fill Gaps

It’s easy to focus on the technology you need to employ to bolster your cybersecurity defenses and forget that people can neatly sidestep all your efforts by taking the wrong action. Perhaps your IT staffers aren’t quick enough to patch or review logs, maybe your security policies are not enforced in any meaningful way, or your employees don’t know better than to click on a malicious link in a phishing email.

Attackers will go to great lengths to exploit any weaknesses or gaps here, and in many cases they can persuade people to effectively lower the defenses and let them in.

The first thing to do here is to perform gap analysis and find where employees lack the skills required to implement your cybersecurity plans and policies. You have to know where they are going wrong before you can hope to fix it.

Provide relevant training via senior staff with the right skills, outside experts, or even conferences and online courses. Make learning modules bite-sized and easy to understand. They must be updated to reflect the latest threats, and employees should complete them every few months. No one should be immune from this. Senior management may be resistant, but they actually pose the greatest risk if a phishing attack is successful, so they should complete the same training.

It’s all well and good to run training courses, but you have to test their effectiveness before you can rest easy.

As a case in point, JPMorgan boosted its cybersecurity spending after a data theft, but when it tested staff with a fake phishing email a few weeks later, 20 percent of them clicked on it. Had it been real, that action would have downloaded a malicious payload onto the bank’s network.

If you don’t spend resources on awareness for employees and specific training where necessary, you can undo all your good efforts to improve your cybersecurity.


This article was originally posted on NetworkWorld.

Image credit: Nick Carter

Sophos First to Introduce Always-On File Encryption for Data Shared Across Windows, Mac, iOS and Android Platforms

OXFORD, U.K., July 19, 2016 – Sophos (LSE: SOPH), a global leader in network and endpoint security, today announced Sophos SafeGuard Encryption 8, a new synchronized encryption solution that protects data against theft from malware, attackers or accidental leaks. All organizations can now choose to adopt the best practice of “always-on” file-level encryption to protect data accessed from mobile devices, laptops, desktops, on-prem networks and cloud-based file sharing applications. Sophos is the first vendor to provide persistent, transparent and proactive encryption that protects files across Windows, Mac, iOS or Android platforms by default.

Our own Michelle Drolet shared her thoughts on the new Sophos solution:

…Michelle Drolet, president and chief executive officer of Mass.-based Towerwall, Inc.: “As a company, we’ve experienced continued success with the Sophos SafeGuard Encryption solution and believe that encryption is a fundamental part of data protection and the overall threat protection landscape. Sophos SafeGuard Encryption expands Sophos’ synchronized security strategy that directly shares intelligence between security products to respond automatically. We’re excited to bring synchronized encryption to our customers.”


Marijuana Industry Brings Compliance to a High Bar

Ensuring overall compliance with strict regulations is the next growth opportunity.


Whatever you think of it, marijuana is here to stay and coming to full legalization in a state nearest you. Controversy follows cannabis into every branch of society: political, cultural, science, health, education, legal and finance. A quick search on YouTube will show heartbreaking stories of families using marijuana to treat children with severe epilepsy. More than a hundred of these families uprooted their lives and moved to Colorado for access to Charlotte’s Web, a low-psychotropic strain proven to drastically reduce fatal seizures. The economics are also compelling. Even tiny Pacific islands see the value. The Hawaii Dispensary Alliance is projecting $80 million in medical marijuana sales over the next two years; a figure based on 40,000 registered patients.

To parents of young children, legalized recreational use of cannabis means the sky is falling, with possible substance abuse issues causing another worry to lose sleep over. For others, insomnia is cured by one puff from a vaporizer. Legalization means less incarceration of marginalized groups who face a disproportionate amount of unnecessary suffering. More than 700,000 marijuana-related arrests were made in 2014, according to the Drug Policy Alliance. On the medical side, here’s a blog post from the American Cancer Society: “The National Institute of Health, via PubMed public medical library, has listed 10,982 research reports on cannabinoids and their ability to induce apoptosis and cause autophagy leading to programmed cancer cell death without damaging healthy tissue.”

Considered safer than aspirin, the five-million-year-old cannabis sativa plant was used two thousand years ago in China for treating ailments. Not a single reported fatality. For the record, I am not a cannabis user. I do however support responsible adult use and the establishment of safe protocols, regulation and taxation. Doing so will remove the criminal cartel element and limit the black market.

Because my business is about helping companies manage their InfoSec needs, a large portion of what we do involves governance, risk and compliance. Let’s assume we can now add the emerging billion-dollar cannabis industry to the list of highly regulated industries like healthcare, banking and insurance. Let’s act responsibly to ensure access is restricted to adult use only, and that dispensaries are held accountable and act responsibly in full compliance with mandated rules and regulations, which differ widely from state to state.

The compliance opportunity is budding for software vendors and IT service providers. Point of sale systems, “seed to sale” RFID tracking, local and cloud storage, CRM, compliance and inventory software present “green rush” opportunities.

Let’s review but a few Massachusetts regulations, some of the most stringent in the nation, to show just how regulated the compliance environment is for Registered Marijuana Dispensaries (RMDs). Nobody can just walk into an RMD. RMDs are overseen by the Mass. Department of Public Health (DPH), which sets restrictive rules for all aspects of the business: cultivation, processing, storage, testing, and dispensing of marijuana in all its consumable forms.

DPH regulations require RMDs to use a single electronic system for “Real-Time Inventory” to tag and track all marijuana seeds, plants, and products, from “seed to sale,” as well as recording all dispensary agents, patients, or caregivers involved in handling or possession. Tracking must also include both plant and crop/batch identification. RMDs must keep written records for operating procedures, inventory and waste disposal.

The DPH has set the bar too high for any mom and pop business to dream of pot riches. For starters, they must file as non-profit organizations depositing an escrow of half a million dollars.

That’s after putting down a non-refundable fee of $30,000 just to apply for a license. The vast majority of applicants are rejected.

Licensing:

Once granted a license, registered dispensaries must self-produce every consumable product they sell. A license to sell also includes the license to grow the plant. If they are cooking up edibles, RMDs need to comply with food handler sanitation requirements.

Security:

Facilities must be kept locked at all times. Video must record every corner of the grow facility, kitchen, retail operations, and parking lots; even the transportation of product from hothouse to retail, and every customer delivery. Files must be securely stored, logged and shared with the DOH on demand. Alarms have to be set at all entry points and be connected to the local police station. All security equipment must be tested once every 30 days, and a yearly security audit by a DPH-approved vendor is required.


Testing:

Testing must be done by an independent laboratory that meets DPH approval, and products are tested for profile and contaminants.


Transportation:

Two authorized employees (themselves issued a separate license as “dispensary workers” at $500 per head) must accompany the transport. Product must be safe-locked in a container permanently attached (welded) to the vehicle itself.


Marketing:

No marketing is allowed. No logos can be exhibited outside the facility, on the door of the facility, or on vials or packaging sold to consumers. Packaging must be child-proof. No sight lines are allowed into the facility via window or door.


Tracking:

There are too many to mention here, but “seed to sale” tagging and POS must record every movement of the plant as it develops and moves from seedling to drying to trimming to displaying and final sale. Every patient sale needs to be logged and every disposal needs to be documented following state/local solid and liquid waste laws.

These are just a few of the DPH compliance regulations. At the Salem, MA dispensary, three checkpoints must be passed through, including a metal detector similar to what you find in court houses.

Yesterday’s image of the stoner culture, the Bob Marley references and such, is rapidly being weeded out by people with deep pockets and pinstripes. The annual Marijuana Business Conference held in Las Vegas doubles in size every year. You’ll note insurance brokers selling “Raid Coverage”, venture capitalists, law and accounting firms and licensing consultants milling about exhibitors selling wares for LED lighting, oil extractors, packaging concepts, basement grow tents, compliance software and more. We are witnessing an historical event with the creation of this entirely new economy. Software developers, data scientists, infosec experts and IT pros all stand to benefit.


This article originally appeared on Cannabis Business Executive.

Join Towerwall & SnoopWall for a timely webinar on: Breach Prevention & Near-Term ROI

Towerwall & SnoopWall Complimentary Webinar:
Breach Prevention & Near-Term ROI

Tuesday, July 26
11:00am – 12:00pm EST


Today’s hyper-aggressive cyber landscape finds 40% of organizations breached, and the threat of regulatory and compliance fines is impacting productivity and business operations. 95% of these breaches occur behind firewalls on antivirus-protected endpoints.

Our complimentary webinar on enhancing your breach prevention strategy will focus on:

  • Securing networks from the inside out by ensuring only trusted, known and wanted assets access the network
  • Zero-day malware and phishing attack quarantine with no false positives – a tremendous complement to AV
  • Affordable auditing, vulnerability identification and patch management
  • Compliance enforcement and reporting (HIPAA, SOX, PCI, etc.)


About the Presenter


Gary Miliefsky, CEO of SnoopWall

Gary is the CEO of SnoopWall, Inc. and a co-inventor of the company’s innovative breach prevention technologies. He is a cyber-security expert and a frequent invited guest on national and international media commenting on mobile privacy, cyber security, cyber crime and cyber terrorism, also covered in both Forbes and Fortune Magazines. Miliefsky is a Founding Member of the US Department of Homeland Security, the National Information Security Group and the OVAL advisory board of MITRE responsible for the CVE Program. He also assisted the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace as well as the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University.

About Towerwall

For nearly 25 years, Towerwall’s dedicated team has helped scores of companies safeguard their data and leverage their investment in IT with advanced information security solutions and services.

About SnoopWall

SnoopWall’s mission is to be a trusted provider of cost-effective, proactive security solutions that enhance organizations’ cyber-risk mitigation strategies.