5 Cyber Security Mistakes Most Companies Make

Cyber security falls under the responsibility of everyone, not just information technology professionals.  As with personal security, individuals must pay attention to their surroundings and their actions.

There are a number of cyber security areas that businesses and employees fail to pay attention to.  These are listed in no order of importance, as all are critical.

Lack of training for staff

When we raise our children we make sure they know to look both ways before crossing the street, not to take candy from strangers, and never to get in a car with someone they don’t know.  To all of us, this is common sense as we received this same education ourselves.

With cyber security, the same principles apply.  Don’t open attachments from unknown sources.  Don’t go to websites that appear suspicious.  Don’t tell anyone your password(s).

Businesses must make sure they have education for all employees regarding these, and other, basic cyber security concepts.  The training should occur at new hire orientation and it makes sense to have annual or semi-annual reviews.

Failure to limit/log access

Who has access to what data?  What IT Administrator modified the directory structure?  Who changed permissions?  Do all employees have access to HR files?  Does any unnecessary person have access to financial records?  Are there logs showing who accessed what data?

Most of the answers to these questions will be “we don’t know,” and that’s a problem to acknowledge and address.  Companies need to utilize built-in tools to log access and, when necessary, purchase third-party software for greater control and granularity.  Not only can tracking access prevent a data breach, it enables organizations to find out what happened when data loss does occur.

Caring about corporate data

Most employees simply focus on their day-to-day job; they are not necessarily concerned with intellectual property at their company.  Vast numbers of employees don’t even know what data is critical to the success of their business.

With a myopic focus on what’s in front of us, it’s extremely difficult to protect that which truly matters to an organization.  Employees understand that financial and human resource records deserve protection, but that’s not enough.

Staff must also know about the core data critical to the company so they can take proper action when dealing with that information, and when dealing with others who have responsibility for protecting that data.

Understanding cyber threats

Phishing.  Spoof.  Worm.  Trojan horse.  Pharming.  Hijack attack.  All key terms in the cyber security world and, with few exceptions, most people do not know what these expressions mean.

Along with basic education, it makes sense for organizations to make sure staff know what these attacks are and how to protect against them.  There are a number of terms and threats that individuals are familiar with; it’s the responsibility of businesses to help employees understand additional dangers.  Common sense goes a long way, and by adding simple communication, businesses can ensure employees know what to look for and how to act when issues arise.

Spending money in the wrong areas, or not at all

Too often businesses focus on revenue generation opportunities and ROI when spending money.  Companies must take a defensive posture as well.  This doesn’t mean only spending money on networking equipment and edge devices to protect their information assets; they must understand the extent of the threats and spend in numerous areas.

Firewalls, extranets, and intrusion detection systems are all well and good; however, they only protect companies from specific types of attacks.  Businesses must take a holistic view of cyber security and invest as necessary.  Cyber security is an investment and should be viewed as such through the budgeting process.

Everyone must take ownership for cyber security.  In today’s world with major data breaches occurring seemingly weekly, impacting millions of people, it’s imperative to pay attention and share in the responsibility for data protection.

Through education, logging, understanding corporate data, knowledge of threats, and proper cyber security investments, companies will find greater security.  When companies have data protection, investors, employees, and consumers receive peace of mind and clarity that they are as secure as possible.


Eric Jeffery has 20+ years’ experience with Information Technology including stints in the Retail, Aerospace, Defense, Hardware, Entertainment and Healthcare industries.  Eric has a Bachelor of Arts degree in Economics from the University of Colorado at Boulder.  Mr. Jeffery recently founded Gungon Consulting to help businesses solve the exact problems mentioned in this article.  You may contact Eric at eric@gungonconsulting.com.


BYOD: Betray Your Own Data


Bring your own device (BYOD) is the newest cyber security challenge for both IT professionals and businesses as a whole.  While the idea of individuals using their own technology devices (mobile phones, tablets, and laptops) to perform work is a boon for the individual and the business, there are a number of security concerns that arise with this productivity increase.  Both the individual and the organization must come to terms with these challenges.

Numerous statistics show that employees do not take the necessary security measures on their personal devices to justify storing or accessing corporate data from these items.  As shown by Zixcorp in their infographic, 81% of employees use personal devices in the workplace, and 91% of tablet users and 75% of mobile phone users disable auto-lock security.  How can a company trust individuals with corporate data given such a widespread lack of basic security concern?

Corporate leadership has fiduciary and financial responsibilities to their employees, investors, and customers to protect their data.  With 113 phones lost every minute, the math quickly shows that we have a serious problem on our hands.  Companies not only need to have policies in place, they must have education around the policies to make sure their employees follow the rules and understand why the rules exist.

Certain businesses have greater concern than others.  Healthcare organizations, for example, must contend with the Health Insurance Portability and Accountability Act (HIPAA).  This key regulation states that a breach may occur if unencrypted data is lost.  Simple example: a nurse sends an email to a colleague discussing patient John Doe in Room 4 who just received his latest shot of morphine.  The nurse needs her co-worker to update the medical record as she forgot before leaving her shift.  This message, including electronic protected health information (e-PHI), now resides on her mobile device.  In and of itself, this is a HIPAA breach.  In addition, not only is it most likely unencrypted, there’s a 75%-91% chance that her device won’t even auto-lock, leaving this e-PHI available to anyone who picks up her mobile device.

In the finance industry there are strict regulations as well, primarily surrounding Sarbanes-Oxley.  Businesses have the responsibility to follow specific rules on corporate governance, internal control assessment and enhanced financial disclosures.  With employees storing corporate data, and transmitting business related information via email, text, and image transmission (SMS), it grows much more difficult for organizations to track who has access to what, and where the information has gone.  This creates substantial challenges to validate compliance when auditors arrive.

Companies must secure their data not only for legal reasons; they must do so to maintain control over their intellectual property.  Laptops are lost every 53 seconds; the chance that these devices land in the hands of competitors is too great to risk poor security.  Take the recent situation where the U.S. Government “retrieved” the laptop of an ISIS fighter from Tunisia.  This device stored large amounts of proprietary data that the leaders would not want their opponent to find.  While this is a military/foreign policy example, it goes to the heart of the situation in corporate America.

While working with a global storage company we had a situation where a senior executive lost his personal laptop, a device he coincidentally used for all of his company business and on which he had never changed the default password.  The information technology team had no policy in place to require this executive to secure his laptop, let alone encrypt the data.  When the device was lost there was no way to know what he had on it, what security he had, if any, and no idea where it was last seen.  Lack of company policy greatly exacerbates the risk that mobile devices pose to corporate data.

There are substantial challenges presented herein.  The good news is that technology and service providers exist to help businesses overcome these issues.  Whether utilizing consultants for policy review/creation or implementing mobile device management (MDM) software, companies have means to acquire assistance.  Organizations should ensure they have policies, process, procedure, and education in place; all of these actions will substantially reduce the risk of data loss through mobile devices.

Corporate leadership must take ownership of the growing security risk inherent in mobile devices.  It makes sense to permit employees to use their own equipment, as there are substantial productivity and efficiency enhancements with this model, not to mention cost savings as employees no longer need multiple devices to accomplish the same feat.  As with all security concerns, there is a tradeoff between security and efficiency; business leaders must acknowledge this fact and take action to protect their corporate data when mobile devices are involved.


How Does Internal IT Handle Legal and Financial Issues

While internal IT teams play a critical role in the fundamental operations of businesses today, they tend to lack the knowledge and/or opportunity to focus on critical aspects of business vision, cost effectiveness, and legal responsibility. Internal IT organizations do not miss out on these important functions due to lack of desire; they miss out due to lack of opportunity and, at times, lack of understanding of the financial and/or legal ramifications of not performing these tasks.

IT Managers and even Directors of IT usually come from technical backgrounds. Most often they rise through the ranks because they were good with a technology and their leaders supposed that if they were good with technology, they would be a good manager. While this can hold true, most often it does not. I have seen great technologists fail after a promotion; not because they changed, but because they were placed in a role that was not suited to their skill set. Granted that a number of these individuals graduated with Bachelor’s and even Master’s degrees, their focus tends to be in a technical field and they were not exposed to finance, accounting, business law, etc. Based on these realities, one should have a better understanding as to why Internal IT tends to focus on day-to-day operations and not long-term visionary or protective projects.

In addition to internal IT leadership not having the experience or skill set to focus on the aforementioned important functions, more times than not, the teams don’t have the time. Internal IT is mostly about firefighting. The network is slow. Great Plains doesn’t work. Salesforce.com doesn’t have the data we need. Email blocks too many external users because spam filters are improperly configured. I can go on and on with the vast number of day-to-day issues that information technology professionals deal with. Based on this well-known fact, one must again ask: if internal IT focuses on these day-to-day nuisances, how can they pay attention to critical business and legal functions?

IT’s focus is to make sure the environment “just runs” and that the infrastructure maintains availability. In performing these tasks, standard information technology teams lose sight of, or never had visibility of, the big picture. IT staff and management rarely focus on the business needs, financial requirements, or legal ramifications of the company. They are rote, doing what they’ve always done: maintain availability.

The critical outcome of the basic premise herein is that businesses tend to lack fundamental disaster recovery and business continuity solutions. Additionally, most companies have contracts with third-party vendors that either don’t offer what they need, offer more than they require, and/or come with too great a cost, direct and indirect. Another key item is legal responsibility. Windows Domain Administrators and Unix Administrators with root access have access to everything in the computing environment. They can read every email by every employee. They have access to every file. They have access to every account. What safeguards do most businesses implement to watch the watchers? How about physical access to the data center and network uplinks? The scariest part of the legal issue is that the vast majority of IT professionals don’t even realize their obligation or personal vulnerability should things go awry.

Businesses need to understand the strengths and weaknesses of their internal IT organization and ask themselves if their teams provide the necessary technical protections, financial responsibility and legal safeguards necessary for sustaining and hopefully growing the business.


Data: The One Ring to Rule Them All

“My Precious!” The famous statement from The Hobbit where Gollum repeatedly screams for his most precious item, the gold ring, the one ring to rule them all. This massive trilogy is all about protecting this sacred item from the evil onslaught of Sauron and his minions. It’s so important that those in control of the ring decide to destroy it rather than allow it to fall into evil hands. This story, and its magical and mystical item, correlate exceedingly well to corporate data. Precious company information (finances, sales numbers, source code, legal documents, personnel files, etc.) cannot fall into the wrong hands. Data is the lifeblood of companies and it’s the responsibility of leadership to protect it.

One of the most famous stories of technology intellectual property theft is that of Steve Jobs and the mouse from Xerox PARC. Steve Jobs toured the Xerox Palo Alto Research Center, saw a prototype mouse, and was in awe. After he saw what it could do, he went back to Apple and directed his developers to recreate what he saw in a much less expensive fashion with greater longevity. This breakthrough helped propel the launch of the Apple Macintosh. The irony of this intellectual property “theft” is that the researchers at PARC did not agree to the tour; it was a business decision. In exchange for money or stock in Apple, Steve Jobs and others were allowed to look around at whatever was “cool.” What would have become of Xerox and their PC unit had they perfected the mouse and proceeded to target the PC market more aggressively? Steve Jobs believed Xerox could have been as big as IBM, Microsoft, and Xerox combined.

The NSA data breach by Edward Snowden is another famous example. While one can debate whether this act was heroism or treason, the fact remains that precious information was taken from the US Government and exposed to the world. When organizations lose data, there’s not only the potential for economic damage, there’s the probability of political and reputation damage as well. Businesses are not immune to this impact, as shown when Reputation.com experienced a hack and lost user passwords, emails, and addresses. Pretty ironic that a business focused on protecting its customers’ online reputation experiences a data breach itself.

The ailment inflicted upon businesses through data breach and information loss cannot be overestimated. While researching this article I came across numerous statistics regarding outcomes when data loss or theft occurs. While validating sources, I found they were not reliable, hence I have not republished that information. Saying that the published data is not necessarily true does not make it false, either. Common sense dictates that when a company loses data and/or experiences theft there is a financial impact. That damage most certainly can, and does, lead to major financial impact and even bankruptcy.

The scariest data loss and/or theft to most individuals revolves around healthcare and financial services. Kim Kardashian led to the termination of six individuals when the temptation to view her medical records was too great to pass up. While this may seem harmless to the individuals improperly accessing her records, this breach exposed a well-respected medical facility to reputation damage as well as a potential lawsuit, not to mention government punishment due to the HIPAA violation. TD Bank misplaced backup tapes and exposed nearly 270,000 individuals’ data. This data loss should cause great concern to most businesses as, like them, the information was backed up to tape and unencrypted. During my time in the healthcare industry I saw this happen to two of the largest medical entities in the United States. In one instance the tapes were stolen from the driver delivering the backups to storage. In the other, unencrypted backup tapes were lost in the mail. This type of data loss is all too common, impacts large swaths of patients and clients, and most companies have no policies or procedures in place to prevent it.

Organizations should know that they are not alone in the pursuit of data protection. A number of businesses and technologies cater to this need. Whether looking for inventory tracking systems, performing background checks on employees, or having an audit or assessment performed to understand the current state of affairs, numerous companies and products exist to help mitigate risks. Knowing is half the battle, and leadership owes it to themselves, their investors, and their employees to see the risk and take protective action.

A few suggestions:

  1. Know who has access to what data and prohibit access to any resource that does not have a need for such access.
  2. Encrypt data in transit.
  3. Consider encrypting data at rest, especially intellectual property and other fundamental business information.
  4. Do not let employees take backups home, no matter their position with the company.
  5. Be aware of who comes into the business, what they see, and what they take away, physically and intellectually.

Just as Bilbo, and later Frodo and the Fellowship, protected their “precious,” leadership in organizations must do all they can to protect their data. Management needs to understand that the risks are not solely from the nebulous hacker in the Cloud trying to steal information. Data theft and destruction ranges from innocent curiosity to nefarious intent. No matter the reason, businesses are at extreme risk financially, reputationally, and in potential legal liability, and management must mitigate as much risk as is reasonable.


Social Engineering – The IT Security Risk that Impacts Everyone

How do you know the person sending an email is the person you believe it to be? How do you know the person on the other end of that instant message is the true account holder? How do you know the text you just received came from the owner of the phone? All employees must show vigilance and to be vigilant they have to have process and proper expectations.

Imagine a stalker finding the name of the senior VP of HR on LinkedIn and then calling IT pretending to be that individual, demanding his password be reset. Next, the criminal contacts his victim’s manager via email asking for personal information about the individual.

How about a hacker pretending to be the CFO and then sending an email to an accounts payable clerk to cut a check to a third-party vendor for services rendered. This false CFO then follows up that email with a quick instant message. How many employees would think to question this? Does your business have processes and training in place to protect your business from these types of attacks?

Social engineering, also known as human hacking, takes on several forms. Some are as basic as a phone call with the caller pretending to be someone they are not; others are as sophisticated as outlaws getting a job with a cleaning crew or telephone company for physical access to an environment. Corporate leadership must understand the risks of social engineering and take steps to protect their organizations.

One of the greatest “hackers” of all time, Kevin Mitnick, would pretend to be someone he wasn’t to gain trust, and later access, to company systems. He was so thorough in his actions he once joined a cleaning crew so he had physical access to environments where he easily penetrated their systems and stole valuable information. Social Engineering grows more and more sophisticated and much of it comes from what Kevin Mitnick started decades ago.

Ever notice how almost no one locks their computer when they walk away? I’ve seen lawyers, human resources employees, and even the controller of an organization leave for long periods of time without locking their computers. How much critical, private, and personal information do these employees have access to? How difficult is it for a disgruntled employee to walk into one of these offices, close the door, and have at the information these key staffers have access to? How hard would it be to get on their manager’s computer, or an HR system, during a company event or lunch break? Once on the system they could send payroll an email pretending to be a person of authority and ask for additional funds to be transferred as a “bonus” or “expense reimbursement.” Does your organization think in these terms? If not, it should.

One company I worked at had a situation where an outside party registered an Internet domain name similar to ours. They then created email accounts using the CEO and CFO names. The criminals sent an email to the controller, pretending to be the CEO, asking the CFO to wire money to an account. The controller began the process to send the money. Internal checks and balances caught this employee’s error and prevented the funds transfer. The controller made an egregious error; fortunately, process saved the day. Does your company have this protection? Does the leadership of your business have the awareness to protect corporate funds from attacks such as this?
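The lookalike-domain impersonation described above is something a mail gateway or mailbox rule can check for before a message ever reaches the controller. The following Python is an added example, not code from the original post or from Gungon Consulting; the corporate domain, executive names, sample From headers and the edit-distance threshold of 2 are all constructed assumptions for illustration.

```python
import re

# Constructed values for this example (not a real organization).
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"jane doe", "john roe"}   # display names to watch for
LOOKALIKE_MAX_DISTANCE = 2                   # assumed threshold

# Constructed sample messages: (From header, Subject).
SAMPLE_MESSAGES = [
    ('"Jane Doe" <jane.doe@example-corp.com>', "Q3 board deck"),
    ('"Jane Doe" <jane.doe@examp1e-corp.com>', "Urgent wire - confidential"),
    ('"John Roe" <john.roe@gmail-mail.example>', "Need a favour"),
    ('"Pat Smith" <pat.smith@example-corp.com>', "Lunch?"),
    ('"Jane Doe" <jane.doe@example-corp.co>', "Payment to new vendor"),
]

FROM_RE = re.compile(r'^\s*(?:"?([^"<]*?)"?\s*)?<([^>]+)>\s*$')


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header: str) -> tuple[str, str]:
    """Split a From header into (display name, address); bare addresses get an empty name."""
    m = FROM_RE.match(header)
    if not m:
        return "", header.strip()
    return (m.group(1) or "").strip(), m.group(2).strip()


def assess(from_header: str) -> list[str]:
    """Return the reasons a message deserves verification before anyone acts on it."""
    name, addr = parse_from(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    if domain == CORPORATE_DOMAIN:
        return reasons  # genuinely internal sender; nothing to flag here
    # An executive's display name arriving from any external domain.
    if name.lower() in EXECUTIVE_NAMES:
        reasons.append("executive display name from external domain")
    # A domain that differs from ours by only a character or two (e.g. 1 for l, .co for .com).
    distance = levenshtein(domain, CORPORATE_DOMAIN)
    if distance <= LOOKALIKE_MAX_DISTANCE:
        reasons.append(f"lookalike domain (edit distance {distance})")
    return reasons


def triage(messages: list[tuple[str, str]]) -> list[tuple[str, str, list[str]]]:
    """Return only the messages that need out-of-band verification, with their reasons."""
    flagged = []
    for from_header, subject in messages:
        reasons = assess(from_header)
        if reasons:
            flagged.append((from_header, subject, reasons))
    return flagged


if __name__ == "__main__":
    for from_header, subject, reasons in triage(SAMPLE_MESSAGES):
        print(f"VERIFY: {from_header} | {subject} | {'; '.join(reasons)}")
```

A hit here does not prove fraud; it marks the message as one the recipient must confirm through a known phone number or an in-person conversation, which is the process step that caught the controller's error above.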

Most people are aware of phony email even when it appears to come from a trusted source. For example, when a friend or co-worker sends the ubiquitous message “Hey check out this cool website I found…” we all know this is bogus and we stay away. It’s important for businesses to reach this level of awareness for the more sophisticated human hacking attempts mentioned above, as well as dozens of others. Leadership has an obligation to protect company information. The way around the vast majority of attacks is simply awareness. Processes and procedures must exist that protect against human error.

Humans are easier to hack than computer systems and networks. Most people are raised to be kind and helpful leading them to inherently trust others. The concept of bad people taking advantage of the good and honest does not sit well with most people. Unfortunately, evil exists and we all must have awareness and behave in a fashion that balances our desire to help others while protecting that which we are responsible for. “Protecting the organization from being victimized by hackers using social engineering tactics has to be the responsibility of each and every employee – every employee.”[1]
