Articles

5 Steps to Find and Eliminate Security Vulnerabilities

TabletIt’s unavoidable today.  Personal computers, smart phones, tablets, and other network and Internet connected devices run software from multiple sources.    That’s great and it makes us pretty happy most of the time.   We get great software, communicate fluidly and quickly, and work more efficiently.   The problem is that software can be terrible 5% of the time even when it’s awesome the other 95%.

Software developers have made real improvements over the years, but the sheer number of programs required to make even a smartphone useful today means they can’t be completely tested in advance.   Tablets, Laptops, PCs and servers are no different.  The results are exploitable flaws or misconfigurations in devices we rely on every day.  

 

“The electronic equivalent of an unlocked door or a window left ajar, these vulnerabilities create risk at work and at home.”

If we’re lucky, the vulnerability merely interrupts our day.   Unexpected reboots, slow response, and crashing applications are annoying but often only require a restart. In more serious cases, vulnerabilities provide criminals, hacktivists or disgruntled former employees the opportunity to access sensitive information about customers or our business. 

“Left unchecked, our personal data can be stolen, our company trade secrets revealed.  We lose business in data breaches and suffer very public consequences.”

LaptopWhat do companies like mine do?

Our goal is finding only the specific issues in our network environment.   Unfortunately, there are tens of thousands of known vulnerabilities.   Modern vulnerability scanning tools test for over 50,000 uniquely identified vulnerabilities.  While we never see this many issues in a single environment, we always find a subset of Critical, High, and Medium vulnerabilities.  These are the issues organizations focus on before they become security incidents.

To avoid breaches, for regulatory compliance, for peace of mind, or just to prioritize future I/T projects, most organizations actively search for vulnerabilities on their systems following a simple process:

  1. Scan networks and Internet facing systems (including firewalls, VPNs, web and email servers)
  2. Eliminate any unnecessary vulnerable software
  3. Replace or disconnect systems that can’t (or shouldn’t) be patched 
  4. Using a prioritized approach, patch everything that’s left 
  5. Repeat the process

Each step is critical, but understanding individual vulnerabilities and prioritizing the work are the keys to making progress and avoiding wasted time.  While most responsible manufacturers release security patches for their products, they are often difficult to find.  Keeping up with multiple products can be daunting.  Even when those alerts come directly to our inbox, most of us are left asking:

  • Are these vulnerabilities important?  Do they apply to me?
  • Do I need to patch now?   Can I wait?  How long?
  • Will it break other things?   
  • What are my options?

DIY and Experts

For small environments or our homes, reviewing software patches on a few PCs can be done by anyone.  Microsoft, Apple and Linux operating systems can be automatically updated and individual software programs can notify you of available updates.   This step alone can close many critical vulnerabilities.   In addition, anti-virus and personal firewall software can "hide" many issues on a PC.    

For more complex environments, engaging an expert helps an organization quickly assess and efficiently prioritize the right vulnerabilities for remediation.   Trying to fix every vulnerability without a well thought out remediation plan can result in unnecessary work, unplanned outages, and missed alternatives.   Dumping the process onto an existing I/T organization with significantly competing priorities, can result in slow progress.   An expert provides the insight into vulnerabilities and options that help remediation “fit” into an I/T organization's existing plans and operations.   When security and I/T teams coordinate, organizations see the best progress in eliminating vulnerabilities and keeping ahead of new vulnerabilities.

 

12 Cyber Security Tips for the New Year

CalendarAs we start the new year, we look back on countless examples of large and small companies falling victim to cyber security breaches. While the largest cases (often with tens of millions of stolen records) get the headlines, last year was no different than previous years and thousands of smaller companies were hit by breaches, extortion attempts, and employee misuse of data. In what has become a “tip of the iceberg” wave of security breach reporting, most companies suffer the effects quietly.

What’s clear is that protecting the electronic data your business relies on is more important than ever and the monetary, reputation, and regulatory risks are rising.   Many businesses that experience cyber security breaches never recover from the loss of customers, revenue and reputation.

Businesses and non-profits should take pro-active steps each year and throughout the year to ensure they are exercising due care for the information they hold.   Doing so will decrease the real risk of a cyber security breach in your company and put you in the best position to respond quickly and effectively if a breach does occur.   The goals are avoidance and the ability to minimize the monetary losses and regulatory penalties should an event occur.

Steps for Business Leaders

Perform an Information Security Risk Assessment – Business leadership and I/T management should sit down and make a list of any “personally identifiable information”, “trade secrets” or “intellectual property” you rely on in your business.   Where is it stored?   How is it protected?     What would happen if it were shared publically, stolen, or lost?  Even if you don’t hold payment card or health care information, forty-six (46) states have data privacy laws and require compliance from any firm that does business with their residents.

Identify an Information Security and Privacy Officer – As a business risk, this doesn’t have to be someone in I/T or even someone in-house, but shouldn’t be someone focused on selling I/T products.  The key is to have someone that regularly helps the organization work through information risk management and follows up on operational security activities and incident response planning and resolution.   An Information Security Officer can help organizations avoid risk and assure business partners, customers, and regulators that a reasonable standard of care is in place for handling sensitive information.

Establish a Cyber Security Incident Response Plan – At times it can feel like cyber security incidents are purely I/T matters, but the Incident Response Plan must include business leaders, counsel and technical resources.  A good incident response plan accommodates the more frequent yet lower impact I/T security incidents, but also prepares the organization for the potential of larger issues.

Security Test your Website, Networks, and Firewalls – Asking your I/T provider to perform their own tests can yield useful information, but often the conflict of interest between I/T support and security audit means critical risks can be overlooked.   Schedule a network penetration test or vulnerability scan with an outside party at least annually so you can improve security and assure partners of good practices.    If your vendors say they do annual tests, now is a great time to ask for the latest copy of that validation and keep it on file.

Policies – Review policies to ensure you have rules and guidelines for employees and contractors.   With policies in place, make sure everyone has reviewed them at least once a year.   Legal protections for sensitive information depend on proving the business treats information as valuable and informs staff and vendors of expectations.

Steps for I/T Managers or leaders responsible for Managing I/T vendors

Organizations large enough to have I/T support and leadership in-house are often challenged to balance the traditional role of I/T (enabling the business and improving productivity) with the risk management focus of information security.   Smaller organizations may not have dedicated I/T support and may rely exclusively on I/T support companies for services.   In all situations, the end of the year is a good time to plan or conduct a few key activities:

Computer Security

Patching Operating Systems - Have your I/T team or provider verify that PCs are running an operating system that is currently supported.   For example, in April of 2014 Microsoft stopped providing security patches for Windows XP.   While companies don’t need to run the latest version of Windows, running one that still receives patches is critical.  

Anti-Virus / Malware Protection / Personal Firewalls – Check to see if PCs are running the latest updates of protection software.   Like an operating system, this doesn’t mean the latest version available from the vendor, but it should be a supported version and receiving regular updates on virus signatures and malware profiles.

Backing up and Protecting Data

Testing Backups - If you’ve completed a risk assessment, you should have a good idea where your critical data resides and be backing it up to disk, tape or the cloud.    Testing your backup regularly is key to knowing it will be there when you need it most.   Choose a small test file on key systems that is backed up on a schedule and then restored to confirm the process works end-to-end.

Network, Server, and Firewall Security

Patching Servers and Firewalls - Just like PCs, devices like servers, routers and firewalls have software that contains software bugs.   Check for updates to the software and even if it can’t be patched immediately, get the upgrades on the calendar and plan the work.

Secure Wi-Fi – Make sure networks are secured with non-WEP encryption and network passwords are changed regularly.   If your wireless router supports multiple networks, create a separate wireless network not connected to your internal network for guests and business visitors.   Keys on guest networks can be changed less frequently.   Keys for networks connected to the businesses internal network should be changed at least when employees leave the organization or more frequently throughout the year to ensure unauthorized users don’t connect to your network.  

Facility and Physical Security

Lock it Up - Keeping sensitive information safe starts with keeping your facilities, data centers and wiring closets secure.   Perform a walk around and look for any removable media (disks, DVDs/CDs, tapes, flash drives) that are left out in I/T support areas, employee work areas, wiring closets, or server rooms.    Removable media should have a permanent lockable designated storage area and access to servers, firewalls and network devices should be limited.

Vendors and Log Reviews

Hold Vendors Accountable – Many companies outsource some or all of their I/T support to outside firms.   Request an annual report from vendors.   If they manage firewalls, email services (spam filtering), or other activities request a written verification that they’ve reviewed logs related to your systems for unusual activity and brought it to your attention.   Ask if there are any software upgrades on the systems they support for you and if available get them on a schedule for future implementation.

News and Media

SpeakingAt Working Security, we believe improving privacy and security for the public includes sharing information when possible.   We offer expert speakers and panelists for events upon request and support the media through interviews.  Our staff contribute regularly to stories on privacy and security, author papers and articles for industry journals and speak at professional events.  

  • Media Interviews
  • Articles, Blog and Newsletters Contributions
  • Keynote and Panel Speakers
  • Security Awareness Training
  • Privacy and Security topics for Leaders

To schedule a presentation or consultation, contact us at 314.632.6334.

Contact Us

 

 

Illinois Health Care Association

IHCA

Thank you to the Illinois Health Care Association for the opportunity to present HIPAA Risk Assessment and Mitigation.   The Illinois Health Care Association is a non-profit organization comprised of more that 375 licensed and certified long term care facility and programs throughout the state.   We presented with Mason Rothert from Mediprocity a leading secure messaging platform for health care professionals.