What’s the easiest entrance point for a hacker to attack your organization? People.

In the previous two blogs in this series, we discussed how technology and policies are an integral part of the information security posture needed to protect your business from an attack. However, those efforts will fall short if we don’t also address the human element.

The number one way into an organization is through people. The result may end up exploiting technology vulnerabilities and/or procedural gaps in an organization’s policies, but the entrance almost always comes through people. We have a people problem. If we are going to solve this problem, we must help people understand that information security is part of EVERYONE’S job. This is not just an issue for leadership or IT. EVERYONE has a part to play in protecting information.

Understanding “the why” behind our information security efforts and the important role that everyone should play goes a long way to help people understand their part in the effort. Without the “why,” people see the information security measures as burdensome and impeding their ability to get their work done. We must change the message. We can’t just say “NO! Don’t do things!” We should say “Yes! Do these things …and here’s why!” You will see a remarkable change in people when they realize that we must do this together to protect what’s important to all of us.

INTERESTING INSIGHT

The National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce, revealed a study in 2016 that uncovered an interesting phenomenon called “Security Fatigue.” In short, people hear about information security attacks, breaches, horror stories, etc., and the response to all of this information is an overwhelming sense of futility. “I can’t understand it, and I can’t keep up with it. Therefore, I’ll do nothing and hope for the best.” This is a dangerous mindset and is brought on when we continually lace the message of information security in fear and scare tactics.

It’s a fact that people are hacked more often than systems, by far. It is also a fact that part of the human condition is to think, “That will never happen to me.” This presents an ongoing challenge that must be addressed.

WHAT TO DO

If you want to successfully assess and address the people side of your information security vulnerabilities and risks, at a minimum you should include these three components in your plans.

• Phishing: It might seem strange, but if we are going to assess our vulnerabilities, we have to test the areas of risk. This includes testing our people.By now, most people are familiar with phishing scams. We’ve all gotten emails that were unsolicited, poorly written and obvious forgeries. Those are the phishing scams of the past. Today’s hackers are very smart people, highly motivated and patient to perfect the “art of the con.” They are also switching to a far more sophisticated tactic: Spear Phishing. This term refers to the hacking technique that doesn’t cast a wide net by sending a thousand emails. It targets an individual with a single email. It is far more effective to appear trustworthy to one person with information specific to them. This type of email is highly effective and is rarely caught by spam filters. Spear phishing accounts for over 90% of the successful inroads into an organization.

  Phishing tests, both emails and phone calls, should be a part of our ongoing information security efforts. The information gained from these tests can be very powerful in educating your people.

• Social Engineering: We shouldn’t stop at phone calls and email phishing tests. The hackers won’t. Gaining access to your organization’s information often gets much more brazen and cleverer than that. So, we too should include social engineering in our penetration tests and vulnerability assessments.First, just try to gain access to your space. If someone walks boldly into your office, looking confident and professional, would you stop them? I’ve personally performed this test more times than I can count, and I’ve never been questioned. Why? Because I never look out of place. We may have implemented information security measures at entry points, but we all know how easy it is to tailgate behind another person with access. What if the person behind you has their hands full, or better yet, is using crutches? Polite society dictates that you turn and open the door.

  Once in, try to gain information or access to systems. This can be done in many ways:

  • Ask the receptionist to print out something from a USB drive for you. USB drives are a very serious vector of attack.
  • Drop USB drives around as bait.
  • Look for opportunities to be left alone with access to someone’s computer (e.g., while someone goes to get coffee).
  • See how far you can walk around before someone speaks to you.
  • Look for information readily visible in paper form laying around.
  • Pretend to be the electrical contractor called in by IT to address an issue in the wiring closet.
• Cybersecurity Awareness: Once you have the information from your penetration tests and vulnerability assessments, it’s time to use that information for good. An ongoing Cybersecurity Awareness Training program is essential in your information security posture. Here are some key elements of an effective program:
  • It should be immersive without being disruptive.
  • It should be an ongoing part of the regular dialog within the organization and not just a once-a-year discussion.
  • It should include active and visible sponsorship from leaders at all levels of the organization.
  • It should include relevant stories of threats facing your industry.
  • It should also include relevant stories about your very own organization. This is a good place to inform people of the phishing and social engineering results. NOTE: Don’t go for a “wall of shame” and post names of those who fell for the phishing tests. Sanitize the results, remove names, use percentages, and let people know that this happened right here within your company.
  • It should ALWAYS emphasize the WHY and encourage people that we are ALL in this together.

   

People are our biggest asset, and business leaders need to invest in educating people as to their role in protecting the valuable information we interact with every day. Help them find their “WHY” in this effort and how important they are. One person can make all the difference in the world.

Technology, policies and people all work together to comprise your overall information security posture. None of them stand alone. A gap in one of them puts your company in a vulnerable place. It takes effort to maintain each, but it is worth it to avoid the burdens of a breach!

Technology solutions provide vital layers of protection to your organization’s information, but they’re not enough to cover the scope of vulnerability. Policies are also an important part of your overall security posture.

Policies are not an exciting topic. We are a “skip to the end and click Accept” generation. However, policies play an important role in risk management, liability, information governance and defining the areas of vulnerability that need to be constantly monitored and addressed by your business.

SECURITY POLICY TIPS

• Security Policies should be reviewed at least annually. Outdated policies do not address the way people currently work.
• Security Policies should have executive sponsorship.
• Security Policies need to be applied enterprise-wide. Security is the great equalizer. It is everyone’s responsibility to align to the same standards.
• Security Policies should clearly state who owns it, who it’s for, and how they are to be informed.
• Security Policies should align with a standard (NIST, ISO, GLBA, HIPAA, etc.).
• Security Policies should address internal threats along with external threats.

POLICIES TO CONSIDER (IF YOU HAVEN’T ALREADY)

• Multifactor Authentication: Passwords are not enough and haven’t been for some time. Adding another factor to authenticate a person’s identity will exponentially increase your security posture.
• Mobility: According to the FBI, “The more mobile, the more vulnerable.” Everyday our culture is becoming more and more mobile. While this is convenient and expected, it also adds layers of risk that need to be addressed.
• USB Drives: This is a serious and increasingly used vector of attack. Think about how easily an office visitor could plug a USB into a device, leave it and then begin mining your data.
• Content-Filtering: Web traffic is inevitable but can be filtered to trap or block sites and web traffic activity.

OTHER POLICIES AND PLANS THAT SHOULD BE IN PLACE

• Business Continuity and Disaster Recovery Plans. These need to be defined, in place and rehearsed/reviewed at least annually. Don’t wait for a disaster to make sure you are ready.
• Incident Response. Assume that at some point things will happen. Plan for this and map out the appropriate steps to take following a breach.
• Vendor Management. Vendors that have access to your data present as big a risk as internal personnel. Address this with appropriate rights management.

The responsibility of organizations today to address the ever-changing threats and vulnerabilities to their information requires a holistic look at all elements of security. In doing so, don’t forget the importance of properly written, sponsored and communicated security policies.

To have a strong security posture you must address the three main areas of defense for protecting your business: technology, policy and people. All three work in conjunction with one another to protect the business. By the way, fortifying your security posture is a business initiative, not an IT initiative. If you position it as “an IT thing” — IT. WILL. FAIL. That’s a tough pill for some to swallow but information security is a business initiative AND everyone’s job.

Now, let’s give each security component the attention it deserves. This first in a three-part blog series is about TECHNOLOGY.

NOTE: There are no perfect solutions for information security, but new tools and resources are being developed that make it easier than ever to protect your assets from the inside and the outside.

TECHNOLOGY TIPS AND SUGGESTIONS:

• Start with penetration tests and risk assessments that check for vulnerabilities inside and outside of your organization. You must have firewall protection, but in this modern world, that is not enough. However, firewalls should always include a visibility tool (IDS) and a control tool (IPS) for monitoring traffic coming AND going.
• The best way to secure your information is to be proactive rather than reactive. Have systems in place to do behavioral analysis and anomaly detection so that you get alerts BEFORE someone gets in or out of your organization.
• Make sure you get regular check-ups. Vulnerability scans should be followed with vulnerability exploits. These should be run more than once a year. Use your internal tools and outside help for a better look at your potential weak spots. Leave no stone unturned.

INTERNAL DEFENSE QUESTIONS:

What are your printer vulnerabilities? This is one of the most commonly overlooked areas of vulnerability. Are you using default credentials on these network-connected devices? If so, the bad guys can get in and possibly spread, do database searches and garner all sorts of information from the content held within that device or the network areas it accesses.

What about your workstations? If I’m the bad guy, I want to get in by any means necessary. Once in, I will spread, elevate and stick around for as long as possible. I want to sniff around your machine and find any leftover administrative credentials.

Then I can go anywhere.

What are the bad guys looking for? Anything. Names. Addresses. Phone numbers. EMAIL addresses. The bad guys want to know where you go and what you do. They are studying you. They do this so that, ultimately, they can convince you that they are someone they are not. The bad guys are extraordinarily patient.

What should you do?

• Verify all patch levels are current (from gear to servers to endpoint software).
• Verify software settings are in line with security best practices (e.g., Microsoft Office Trust Center Settings such as Protected View and Macro Security).
• Verify that user access and user roles are set to correct permissions.
• Use drive encryption on local machines.

EXTERNAL DEFENSES SUGGESTIONS:

If I’m the bad guy, what information can I get from the outside? I can collect tons of information about your firm, simply by studying your website. I can get names of authors and email addresses. I can find out what versions of software you are using. All of this is being collected to find the chink in your armor.

What should you do?

• Scrub all metadata from content accessible from the outside
• Ensure you have the ability to add and remove people and permissions quickly and easily
• Utilize detect, flag and alert solutions that analyze behaviors and do threat protection

GENERAL CONSIDERATIONS:

• Take advantage of AI machine learning
• Stay abreast of new technologies as they become available
• Implement Mobile Device Management (MDM)
• Always utilize Multifactor Authentication (MFA) for all business and personal accounts

Remember, people will have grace if you get fooled. They will not have grace if you know how to prevent an attack and you didn’t take the necessary measures to prevent it.

We are currently in a state of heightened awareness regarding information security. That gives us a real opportunity for change.

With the Fall comes colder weather, and layers are the fashion of the season! Layering up from head to toe helps keep you cozy and safe from the elements. Pair boots with some thick socks, add warmth with a favorite turtleneck, and incorporate a pop of color with a scarf. Add in sweaters, jackets and hats, and there are a multitude of opportunities to layer up!

Fall fashion is similar to cybersecurity awareness training in that you should layer learning opportunities to improve your overall program. Try to cover all the essentials – websites, videos, podcasts and blogs. Every measure helps keep your organization safe from possible data breaches. In addition to turning to your favorite Alterity Cybersecurity Awareness Training consultants, here are some resources you can use to layer up:

Websites IT Security Guru Dark Reading Wired Videos The PCSecurity Kaspersky Black Hat Articles Infosecurity Magazine PC World CIO Webinars Infosecurity Magazine BrightTALK Gartner

News, Analysis, Opinions CSO Online ThreatPost Krebs on Security Podcasts SANS Internet Storm Center Podcast Risky Business The Cyber Wire Blogs (Curated Blogs) The State of Security LiquidMatrix Data Gravity IT Security Shows Paul’s Security Weekly Hack Naked TV Enterprise Security Secure Digital Life

There is no shortage of scary and fearful things going on in the world around cyber threats and crime. This constant flow of information around cyber threats and dangers has caused a general sense of fear and dread that needs to be addressed.

The National Institute of Standards and Technology (NIST) came out with findings from a study that indicated that many people are experiencing what they refer to as a new “phenomenon” …Security Fatigue. This is the condition that happens when people are inundated with cybersecurity information that for most is incomprehensible. What does another breach of a BILLION records actually mean to me? If it’s just a matter of when and not if, why should I bother making changes? I’ll just hunker down, brace for impact, and take my chances. Security Fatigue!

This is a dangerous position. Hope is not a plan! If someone wants your information, they are praying you have Security Fatigue.

It is important for an organization’s leaders to put this information into context and make it relevant to their people. Let them know why they should care. For example, knowing that there are dangers walking down a certain ally is good information. With that information, I can make informed decisions and take a different route. It’s the same with cybersecurity information.

We are dealing with a human condition. People get scared of things they do not understand or know about. Cybersecurity information can be scary and confusing, but it doesn’t have to be. Translate the threat into actionable things that real people can do in their real lives.

For example:

• Learning about another breach of data from a major organization should remind us to protect our personal data by placing a freeze on our credit and/or putting monitoring in place for the important accounts in our life.
• Hearing news about identity theft should remind us how valuable our identity really is and to add multiple ways of verifying that you are who you say you are when connecting to your personal and professional accounts. You can do this with some easy steps, such as adding multifactor authentication and using a password management software solution.
• Learning about phishing and spear phishing attacks should raise our awareness that not all emails are legitimate. You should make a concerted effort to verify email messages and avoid blindly following links or opening attachments.
• Being aware of Smart home technology options should remind us that all internet-connected devices (the IoT) can be a threat. Small changes like modifying default administrative passwords can add a level of protection and allow you to safely enjoy the benefits of Smart technology in your life.

It is time to help people overcome Security Fatigue! There are constant threats of cyber attacks, but being informed about cybersecurity risks and dangers helps us protect the information that is most important to us. Fear is cancerous and debilitating, but knowledge is power. Knowing information…even bad information…is a good thing. Live informed, not in fear!