Create a data recovery plan and secure your network

Following the Center for Internet Security’s best practices.


We discussed building malware defenses the last time out, but today we’re going to focus on Critical Security Controls 10, 11, and 12 covering data recovery, secure network configuration, and boundary defense.

It’s unrealistic to think that you can completely avoid cyberattacks and data breaches, so it’s vital to have a proper data recovery plan in place. You can also tighten your defenses significantly by ensuring all of your network devices are properly configured, and by putting some thought into all of your potential network borders.


Critical Control 10: Data Recovery Capability

Do you have a proper backup plan in place? Have you ever tested it to see that it works? Disaster recovery is absolutely vital, but an alarming number of companies do not have an adequate system in place. A survey of 400 IT executives by IDG Research revealed that 40% rate their organizations’ ability to recover their operations in the event of disaster or disruption as “fair or poor”. Three out of four companies fail from a disaster recovery standpoint, according to the Disaster Recovery Preparedness Benchmark.

A successful malware attack can lead to altered data on every compromised machine, and the full extent of the damage is often very difficult to determine. The option to roll back to a backup that predates the infection is vital. Backed-up data must be encrypted and physically protected, and at least one copy should be kept offline or otherwise out of reach of the production network so that an intruder cannot destroy the backups along with the originals. It's also important that a test team routinely checks a random sampling of system backups by restoring them and verifying data integrity against a record taken at backup time.
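The restore test described above, as an added example that is not part of the original article or of the CIS controls: a SHA-256 manifest is written when the backup is taken, and a later restore is checked against it, reporting files that are missing, altered or unexpectedly present. The file names, contents and the tampering applied to the restored copy are constructed for the demo.

```python
"""Build a SHA-256 manifest of a backup set and verify a restore against it.

Added example for this article; it is not tooling from the CIS controls or
from the original page. The directory layout, file contents and the
tampering applied to the "restored" copy are all constructed for the demo.
"""
import hashlib
import json
import random
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files are not read into memory at once


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, dict]:
    """Map each file (path relative to root) to its size and SHA-256 at backup time."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def verify_restore(restored: Path, manifest: Dict[str, dict],
                   sample: Optional[int] = None, seed: int = 0) -> Dict[str, List[str]]:
    """Compare a restored tree with the manifest taken when the backup was made.

    Returns the relative paths that verified ("ok"), were absent ("missing"),
    differ in size or hash ("modified"), or exist without being in the manifest
    ("extra"). sample=N hashes only N randomly chosen manifest entries, which is
    the routine spot-check the text describes; extra files are always reported.
    """
    names = sorted(manifest)
    if sample is not None and sample < len(names):
        names = sorted(random.Random(seed).sample(names, sample))
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "modified": [], "extra": []}
    for rel in names:
        path = restored / rel
        expected = manifest[rel]
        if not path.is_file():
            result["missing"].append(rel)
        elif path.stat().st_size != expected["size"] or sha256_file(path) != expected["sha256"]:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    result["extra"] = sorted(present - set(manifest))
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: back up three files, restore them, then tamper with the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        (src / "notes.txt").write_text("quarterly review\n")
        manifest = build_manifest(src)
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # "Restore" by copying every file, then simulate a bad restore or a compromise.
        restored = Path(tmp) / "restored"
        (restored / "db").mkdir(parents=True)
        for rel in manifest:
            (restored / rel).write_bytes((src / rel).read_bytes())
        (restored / "db" / "customers.csv").write_text("id,name\n1,alice\n2,mallory\n")  # altered
        (restored / "notes.txt").unlink()                                                # missing
        (restored / "ransom_note.txt").write_text("pay up\n")                            # unexpected

        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only proves anything if it is stored apart from the backup it describes (with the offline copy, or signed), otherwise whoever can alter the backup can alter the manifest to match.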


Critical Control 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

The default configurations for network devices like firewalls, routers, and switches are all about ease of use and deployment. They aren’t designed with security in mind and they can be exploited by determined attackers. There’s also a risk that companies will create exceptions for business reasons and then fail to properly analyze the potential impact.

The 2015 Information Security Breaches Survey found that failure to keep technical configuration up to date was a factor in 19% of incidents. Attackers are skilled at seeking out vulnerable default settings and exploiting them. Organizations should have standardized secure configuration guidelines applied across devices. Security updates must be applied in a timely fashion.

You need to employ two-factor authentication and encrypted sessions when managing network devices, and engineers should use an isolated, dedicated machine without Internet access. It’s also important to use automated tools to monitor the network and track device configurations. Changes should be flagged and rule sets analyzed to ensure consistency.
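The configuration tracking described above, as an added example that is not part of the original article or of the CIS controls: a running configuration is checked for lines a hardening baseline requires and lines it forbids, and every line that differs from the last approved snapshot is flagged. The IOS-style configuration text, the baseline patterns and the device name are constructed.

```python
"""Audit a network device configuration against a hardening baseline and flag drift.

Added example for this article; it is not a CIS or vendor tool. The IOS-style
configuration text, the baseline patterns and the device name are constructed.
"""
import re
from typing import Dict, List

# Lines the baseline requires: (regex applied to one config line, what it enforces). Constructed.
REQUIRED = [
    (r"^ip ssh version 2$", "SSH protocol 2 only"),
    (r"^aaa new-model$", "AAA enabled so logins are centrally authenticated"),
    (r"^logging host \S+$", "syslog forwarded to a collector"),
    (r"^service password-encryption$", "no cleartext passwords stored in the config"),
    (r"^\s*transport input ssh$", "VTY lines accept SSH only"),
]

# Lines the baseline forbids. Constructed.
FORBIDDEN = [
    (r"^ip http server$", "plaintext management web server"),
    (r"^snmp-server community (public|private)\b", "default SNMP community string"),
    (r"^\s*transport input (all|telnet)\b", "telnet management enabled"),
    (r"^no service password-encryption$", "password encryption disabled"),
]


def normalise(config: str) -> List[str]:
    """Drop blank and comment lines; keep indentation, which carries meaning under 'line vty'."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def audit(config: str) -> Dict[str, List[str]]:
    """Report baseline lines that are missing and forbidden lines that are present."""
    lines = normalise(config)
    findings: Dict[str, List[str]] = {"missing": [], "forbidden": []}
    for pattern, why in REQUIRED:
        if not any(re.match(pattern, ln) for ln in lines):
            findings["missing"].append(why)
    for pattern, why in FORBIDDEN:
        for ln in lines:
            if re.match(pattern, ln):
                findings["forbidden"].append(f"{why}: {ln.strip()}")
    return findings


def drift(approved: str, running: str) -> Dict[str, List[str]]:
    """Flag every line that differs from the last approved snapshot, in either direction."""
    before, after = set(normalise(approved)), set(normalise(running))
    return {"added": sorted(after - before), "removed": sorted(before - after)}


APPROVED = """\
! constructed golden config for edge-rtr-1
hostname edge-rtr-1
service password-encryption
aaa new-model
ip ssh version 2
logging host 10.0.9.5
line vty 0 4
 transport input ssh
 login authentication default
"""

RUNNING = """\
! constructed: same device after someone "temporarily" re-enabled telnet and the web UI
hostname edge-rtr-1
service password-encryption
aaa new-model
ip ssh version 2
logging host 10.0.9.5
ip http server
snmp-server community public RO
line vty 0 4
 transport input all
 login authentication default
"""

if __name__ == "__main__":
    for name, cfg in (("approved", APPROVED), ("running", RUNNING)):
        print(name, audit(cfg))
    print("drift", drift(APPROVED, RUNNING))
```

Run against a fresh configuration pull for every device on a schedule; anything in `drift` that was not raised through change control is the exception the text warns about, and anything in `audit` is a baseline violation regardless of who approved it.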


Critical Control 12: Boundary Defense

When the French built the Maginot Line in the years before World War II, a series of impregnable fortifications along the border with Germany, it failed to protect them because the Germans invaded around its northern end through neutral Belgium. There's an important lesson there for security professionals. Attackers will often find weaknesses in perimeter systems and then pivot to get deeper into your territory.

They may gain access through a trusted partner, or possibly an extranet, while your defensive eye is focused on the Internet. Effective defenses are multi-layered systems of firewalls, proxies, and DMZ perimeter networks. You need to filter inbound and outbound traffic and take caution not to blur the boundaries between internal and external networks. Consider network-based IDS sensors and IPS devices to detect attacks and block bad traffic.

Segment your network and protect each sector with a proxy and firewall to limit access as far as possible. If you don’t have internal network protection, then intruders can get their hands on the keys to the kingdom by successfully breaching the outer defenses.
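The rule-set analysis mentioned under Control 11 and the inbound/outbound filtering between segments described above, as an added example that is not part of the original article or of the CIS controls: an ACL sitting between a DMZ web tier and an internal database segment is checked for permit-any-any entries, for rules that an earlier rule makes dead, and for a missing effective final deny. The rules use a simplified `action proto src dst [eq port]` syntax with CIDR prefixes or `any` (an assumption made to keep the parser short; real IOS ACLs use wildcard masks), and the ACL itself is constructed.

```python
"""Analyse a boundary ACL for over-permissive and shadowed entries.

Added example for this article, not a CIS or vendor tool. Rules use a simplified
'action proto src dst [eq port]' syntax with CIDR prefixes or 'any' (an assumption
made to keep the parser short; real IOS ACLs use wildcard masks). The ACL, meant to
sit between a DMZ web tier and an internal database segment, is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str            # permit | deny
    proto: str             # ip | tcp | udp | icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]    # destination port; None means any
    text: str

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        port_ok = self.port is None or self.port == other.port
        return (proto_ok and port_ok
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst))


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    action, proto, src, dst = tokens[:4]
    port = int(tokens[5]) if len(tokens) >= 6 and tokens[4] == "eq" else None
    to_net = lambda t: ANY if t == "any" else ipaddress.ip_network(t, strict=False)
    return Rule(action, proto, to_net(src), to_net(dst), port, line.strip())


def analyse(acl: str) -> dict:
    """Find permit-any-any rules, rules a prior rule makes dead, and a missing final deny."""
    rules = [parse_rule(ln) for ln in acl.splitlines()
             if ln.strip() and not ln.lstrip().startswith("!")]
    findings: dict = {"over_permissive": [], "redundant": [], "shadowed": []}
    dead = set()
    for i, later in enumerate(rules):
        if later.action == "permit" and later.src == ANY and later.dst == ANY:
            findings["over_permissive"].append(later.text)
        for earlier in rules[:i]:
            if earlier.covers(later):
                dead.add(i)
                # same action: harmless but noisy; different action: the intent is silently lost
                key = "redundant" if earlier.action == later.action else "shadowed"
                findings[key].append(f"{later.text!r} never matches; covered by {earlier.text!r}")
                break
    last = rules[-1] if rules else None
    effective_deny = (last is not None and last.action == "deny" and last.proto == "ip"
                      and last.src == ANY and last.dst == ANY and (len(rules) - 1) not in dead)
    findings["no_default_deny"] = not effective_deny
    return findings


# Constructed ACL applied inbound on the DMZ interface towards the internal segment.
ACL = """\
! DMZ web tier may reach the internal database on 5432 and nothing else
permit tcp 10.1.1.0/24 10.0.5.10/32 eq 5432
permit tcp 10.1.1.20/32 10.0.5.10/32 eq 5432
deny ip 10.1.1.0/24 10.0.0.0/8
permit ip any any
deny ip any any
"""

if __name__ == "__main__":
    for key, value in analyse(ACL).items():
        print(key, value)
```

The `permit ip any any` left in the middle of this ACL is exactly the business exception that never gets reviewed: it quietly turns the trailing `deny ip any any` into dead text and lets anything in the DMZ reach the internal segment. Run the same check on the outbound ACL as well, since the text is about filtering in both directions.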


The real cost

A lot of businesses argue that they can’t afford a comprehensive disaster-recovery plan, but they should really consider whether they can afford to lose all their data or be uncertain about its integrity. They may lack the expertise to ensure that network devices are securely configured, but attackers don’t lack the skills to exploit that. It’s understandably common to focus on the outer boundary of your network and forget about threats that come from unexpected directions or multiply internally, but it could prove costly indeed.

Compared to the cost of a data breach, all of these things are cheap and easy to set up.


This article was originally posted on NetworkWorld.

2015 International Compendium of Data Privacy Laws

Privacy and data protection issues confront all organizations—whether you handle employee information, credit card data, sensitive financial information, or trade secrets. Securing data is a daunting task that is further complicated by cross-border transfer issues and the differences in privacy laws around the world.

The team at BakerHostetler has developed a prompt and practical PDF to assist and inform your data protection policies.

Download the 2015 International Compendium of Data Privacy Laws

10 Things I Know About…Hiring a vCISO

10. A hedge against a breach

A virtual chief information security officer can serve as security counsel or as an interim CISO to fill the gaps during a planned information-technology security policy review. Better to be safe than sorry.


9. High talent at low costs

As a temp hire, a vCISO offers flexibility and cost controls. He/she can help build programs, conduct employee training, draft security policies and set standards for compliance mandates.


8. Bridge the divide

Most small and midsize businesses do not have senior security talent on call. Identifying and analyzing threats, creating strategic security plans and ensuring compliance all require the right level of expertise, and a vCISO brings someone conversant in each of them.


7. Help companies succeed

Cisco reported only 29 percent of organizations have a CISO. Businesses with a CISO recorded the highest levels of confidence in their security stance in terms of optimization and clarity.


6. Finding the shoe that fits

For small to midsize businesses, it doesn’t make sense to invest in a full-time CISO. A virtual one delivers a pay-as-you-go option and specialty skills required to draft a strategic security plan for a sound future.


5. How to contract

There’s no universal standard for hiring a vCISO. Set up a retainer for a number of hours, contract on a per-project basis, or buy a chunk of hours to use as needed.


4. What to look for

A qualified vCISO will be up to speed on the latest best practices, with experience in conducting risk assessments, penetration testing, intrusion detection and other key services. He or she should also be able to train internal security staff.


3. Comparative costs

A contract rate for virtual CISOs is 35 to 40 percent of the average salary for a full-time information security person.


2. Trust in leadership

Many companies are forced to spend an increasing proportion of budget on cleaning up after a breach. A vCISO can be invaluable as a firefighter and leader. Don’t wait until a breach occurs; prevention is better than cure.


1. Who needs them

Businesses with access to personal consumer data or companies in regulated industries, or with proprietary intellectual property, or with data security concerns are the best candidates for a vCISO.



This article was originally posted on the Worcester Business Journal.

5 cybersecurity trends to watch for in 2016

As threats evolve and grow more sophisticated, securing IT systems is more important than ever.


We may welcome in the New Year with open arms, but we must also prepare for the cybersecurity threats ahead of us. The 2015 Cost of Data Breach Study from IBM and the Ponemon Institute put the average cost of a data breach at $3.79 million, and that figure is expected to grow in the year ahead. With the right resolutions, you can drastically reduce your chances of falling prey to cybercriminals.


1. Cloud services


As more and more of the services we use reside in the cloud, IT departments can lose oversight and control. Employees are bypassing IT to snag the services they feel they need, and there’s a real danger that they’re bypassing security protocols and systems in the process. You should take steps to ensure that your IT department has full visibility.

Even approved cloud vendors must be scrutinized on an ongoing basis. Do you know where your data resides? Do your cloud service providers meet your security standards? If they aren’t in compliance, their failure to meet regulatory requirements could be something that you’re liable for. Don’t take it on trust, test your third-party vendors and verify for yourself.


2. Ransomware


The impact of ransomware is growing. According to the Cyber Threat Alliance, the recent CryptoWall v3 threat has cost hundreds of thousands of users worldwide more than $325 million so far. This kind of attack encrypts important files, rendering data inaccessible until you pay the ransom. It often relies upon social engineering techniques to gain a foothold.

It works, and we expect to see a lot more of it over the next 12 months, because the easiest way for many individuals and businesses to get their data back is just to pay the ransom. With a bit of forethought, better education and real-time security protection, not to mention a regular, robust backup routine, the threat of ransomware can be cut down to size.


3. Spear phishing


Cybercriminals follow the path of least resistance and the easiest way for them to gain access to your precious data is usually by tricking a person into handing over the keys, not by writing a clever piece of code. Phishing attacks are growing more sophisticated all the time, as official-looking messages and websites, or communications that apparently come from trusted sources, are employed to gain access to your systems.

The targeting of high-level execs or anyone with a high security clearance is on the rise. If cybercriminals can hack a CEO's account, for example, they can use it to wreak havoc and expose a lot of sensitive data. Educating potential targets about the dangers is necessary but not sufficient on its own. You need a combination of real-time monitoring and scanning systems with protective blocking capabilities, backed by a written security policy that sets out what employees are expected to do.


4. Known vulnerabilities


The open source movement has leveled the playing field for many companies, and there are also lots of off-the-shelf software packages that are very popular. Integrating this software will often make more business sense than developing something in-house, but you have to keep vulnerabilities in mind. Publicly known vulnerabilities are one of the biggest threats for IT departments.

Consider that HP’s 2015 Cyber Risk Report found that 44% of 2014 breaches came from vulnerabilities that are two to four years old, and you can see the problem. Software must be patched regularly, and expertise is required to avoid common misconfigurations that offer attackers an easy way in.


5. The Internet of Things


We’ve seen a wave of mobile devices and wearables stream into the workplace, each offering a new potential inroad for a cybercriminal, but the Internet of Things represents another looming threat. As connectivity spreads into every corner of our lives and businesses, it becomes more and more challenging to maintain a clear view of entry points and data flow.

The IoT may herald some exciting business opportunities, but we must be mindful about ensuring that access is limited and secure. Sensitive data should be encrypted, access must be restricted, and oversight is needed. It’s important to be able to manage and block access to enterprise devices and networks when necessary.

If you expect to enjoy success in 2016, and you want to ensure that your plans aren’t derailed, then make sure that these cybersecurity trends are on your radar.


This article was recently published in Network World.

Ransomware is only getting worse. How do you prepare for it?

Ransomware-as-a-service, help desks, third parties — all point to a mature yet illegal enterprise undergoing serious growth. Here are tips to protect yourself and your company.


Ransomware is big business. Over the last few years we’ve observed the steady rise of ransomware, with some trepidation. It is fast becoming a multi-billion dollar business, and it’s getting surprisingly sophisticated. The ransomware industry is continually innovating, offering cybercriminals new technology, various business models, and all the support they need to conduct successful attacks on unsuspecting individuals and companies.


Changing face of ransomware

Ransomware has come full circle since it first appeared on the scene in 2005. Early crypto ransomware soon gave way to misleading apps, fake antivirus tools, and lockers. But it’s back now, it’s mature, and it’s here to stay, according to Symantec’s Evolution of Ransomware report.

In the early days of ransomware, attackers would use misleading apps and fake AV tools to alarm victims and then ask for fees to fix the fake problems. Or they might flash up bogus FBI warnings, threatening prosecution unless money was paid. Eventually, they began to lock down systems, blocking access to specific apps or the whole system until the ransom was met.

The main threat today is crypto ransomware, where files are securely encrypted and victims have to pay to secure the key and unlock their own files, and it’s very tough to beat.

“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in Boston, talking to The Security Ledger. “To be honest, we often advise people just to pay the ransom.”


Cost of ransomware

There are lots of different ransomware packages out there. Just looking at one of the most popular examples, CryptoWall, the FBI’s Internet Crime Complaint Center (IC3) received 992 related complaints between April 2014 and June 2015, with victims reporting losses of more than $18 million. That’s just what was reported.

The Cyber Threat Alliance put together a report profiling the CryptoWall v3 threat and suggested that it had afflicted hundreds of thousands of users worldwide and caused damages in the region of $325 million.


Services for cybercriminals

In McAfee Labs’ 2016 Threats Predictions report, ransomware features prominently and the report makes special mention of the success of the ransomware-as-a-service business model. Experienced cybercriminals are offering high-quality ransomware to would-be attackers with little or no technical knowledge or skills in return for a cut of the extortion profits. The ransomware is typically hosted on the Tor network, and payment is made almost untraceable with virtual currencies like Bitcoin.

Users of these ransomware services can expect to get helpdesk support, and it’s in the interests of the extorters to ensure that data is returned to those who pay. These service providers will skim anywhere from 5% to 20% of each ransom, so they aim to make it as easy as possible for the cybercriminals who sign up.


What can you do?

Just like any other malware, ransomware has to be delivered to your machine and executed before it can encrypt your files, so there are some simple precautionary steps that everyone can take to drastically reduce the risk:

  • Install reputable anti-virus and anti-malware software.
  • Don’t open attachments in emails unless you know what they are and who sent them.
  • Don’t follow links in emails; close the email and go directly to the website in your browser.
  • Use strong passwords, and don’t reuse the same passwords.
  • Make sure all of your system software and browsers are patched automatically with security updates.
  • You should apply all of these rules to whatever device you’re using. Smartphones, tablets, and Macs are not immune to ransomware.
  • Finally, make sure you have solid back-ups of all your data.

You can also mitigate the risk of ransomware by having a robust and regular backup routine, with at least one copy kept offline or otherwise out of reach of the infected machine, since ransomware will encrypt a mounted backup drive just as readily as the local disk. If your files are backed up and you can access them, there’s no need to pay to unlock them, but it may still take serious effort to rid yourself of the ransomware once your system is infected.

Ransomware is sure to be an even bigger issue in 2016, so it’s very important that you take steps to prevent infection. If you do fall prey to something like CryptoWall v3, there is no way to recover the files without the key. Your only realistic prospects of getting them back are to restore from backup or, failing that, to pay the ransom.

When it comes to ransomware, the old saying, “an ounce of prevention is worth a pound of cure,” could not be more fitting.


This article was originally posted on NetworkWorld.
