ANS Blog

What the Heck Is SIEM?

July 12, 2018 in SIEM

I recently came across a PowerPoint presentation entitled, “SIEM for Beginners: Everything You Wanted to Know, But Were Afraid to Ask.*” I want to share it here (in a re-formatted version), because it’s one of the best explanations I’ve come across on the subject. You don’t have to be a cybersecurity expert to grasp the concept of how it works and understand its tremendous power in providing a better defense against the assault of ever-growing, and perpetually changing, security threats.

Although the IT industry has settled on the acronym “SIEM” as the catch-all term for this type of security software, it evolved from several different (but complementary) technologies before it. These include:

  • LMS – “Log Management System” – a system that collects and stores log files from multiple hosts and systems into a single location, allowing centralized access.
  • SLM/SEM – “Security Log/Event Management” – a log management system focused on highlighting the log entries that are more significant to security than others.
  • SIM – “Security Information Management” – an asset management system, but with features to incorporate security information too.
  • SEC – “Security Event Correlation” – To a particular piece of software, three failed login attempts to the same user account from three different clients are just three lines in its log file. To an analyst, that is a peculiar sequence of events worthy of investigation. Log correlation (the process of looking for patterns in log files) is a way to raise alerts when these things happen.

SIEM, short for “Security Information and Event Management,” is the term used for a solution that merges all of these technologies into a single product, and the generalized term for managing information generated by security controls and infrastructure.

Why you should care about your log files

The information needed to answer the questions “Who’s attacking us today?” and “How did they get access to all of our organization’s information?” is found within log files.

A log file is a file (typically plain text) that keeps a record of events, processes, messages and communication between various software applications and an operating system. Logging is the process of capturing and storing log file entries. Some very basic examples of when log files are created are when you: sign in to or out of the company network, access a website, or download a file. Just the operation of your firewall alone can generate 30-50 events per second! So, once you understand what a log file is, you also realize how quickly a mountain of them is created.

We may believe that the security controls we have in place (e.g. a firewall and/or anti-virus) contain all the information we need to do security—but they often only contain the things they’ve been designed to detect. Meaning, there’s no “before and after the event” context generated within them. Having the right context is usually a vital part of separating a false positive (a misconfigured system) from a true security event (someone is attacking my web server). These days, successful attacks on computer systems rarely look like real attacks—except in hindsight. If this weren’t the case, we could automate all security defenses without ever needing to employ human analysts. Attackers are no longer teenagers working from their basement trying to get into your network for kicks. Today’s attackers are typically highly-trained and highly-motivated cybercriminals who often try to remove and falsify log entries to cover their tracks. That makes a source of log information that can be trusted vital to any legal proceeding arising from computer misuse.

Looking at security through a wider lens

SIEM is about looking at what’s happening on your network through a larger lens than can be provided via any one security control or information source.

  • Your intrusion detection system only understands packets, protocols and IP addresses
  • Your endpoint security (anti-virus, etc.) sees files, usernames and hosts
  • Your service logs show user logins, service activity and configuration changes
  • Your asset management system sees apps, business processes and owners

None of these by themselves can tell you what is actually “happening to your business,” in terms of securing the continuity of your business processes – but all together, they can.

SIEM is, essentially, a management layer above your existing systems and security controls. It connects and unifies the information contained in your existing systems, allowing them to be analyzed and cross-referenced from a single interface. With that said, SIEM is only as useful as the information you put into it; the more valid the information depicting your network, systems and behavior the SIEM has, the more effective it will be in helping you detect, analyze and respond in your security operations. So, in a nutshell, it’s a perfect example of the “Garbage In, Garbage Out” principle of computing.

The power of correlation

The heart and soul of a SIEM is log collection – the more log sources that send logs to the SIEM, the more that can be accomplished with it. Logs on their own rarely contain the information needed to understand their contents within the context of your business. And security analysts have limited bandwidth to become familiar with every last system that your IT operation depends on. With only the logs, all an analyst sees is: “Connection from Host A to Host B.” Yet, to the administrator of that system, this becomes “Daily Activity Transfer from Point of Sales to Accounts Receivable.” The analyst needs this information to make a reasoned assessment of any security alert involving this connection. That means the true value of logs is in their correlation, which reveals actionable information.

A good SIEM deployment includes logs and alerts PLUS knowledge:

LOGS AND ALERTS—WHERE THEY COME FROM:

Security Controls

  • Firewalls
  • Intrusion Detection
  • Endpoint Security (Antivirus, etc.)
  • Data Loss Prevention
  • VPN Concentrators
  • Web Filters
  • Honeypots

Infrastructure

  • Routers
  • Switches
  • Domain Controllers
  • Wireless Access Points
  • Application Servers
  • Databases
  • Intranet Applications

KNOWLEDGE—WHERE IT COMES FROM:

Infrastructure Information

  • Configuration
  • Locations
  • Owners
  • Network Maps
  • Vulnerability Reports
  • Software Inventory

Business Information

  • Business Process Mappings
  • Points of Contact
  • Business Partner Information

In terms of security analysis and threat identification, the power of log correlation is immense. Correlation is the process of matching events from systems (hosts, network devices, security controls and anything else that sends logs to the SIEM). Events from different sources can be combined and compared against each other to identify patterns of behavior that are invisible to individual devices. They can also be matched against the information specific to your business. In short, correlation allows you to automate the detection of things that should not occur on your network.

The beauty of log correlation is best demonstrated in the example provided below. It is the difference between:

“14:10 7/4/2011 User BRoberts Successful Auth to 10.100.52.105 from 10.10.8.22”

and. . .

“An account belonging to marketing connected to an engineering system from an office desktop, on a day when nobody should be in the office.”

Creating actionable intelligence out of log files

As mentioned earlier, your network—even if it’s a small one—generates large amounts of log data. A Fortune 500 company’s infrastructure can generate 10 Terabytes of plain-text log data per month—without breaking a sweat. You can’t hire enough people to read every line of those logs looking for bad stuff (don’t even THINK about trying this). Even if you succeeded, they’d be so bored they’d never actually spot anything even if it was right in front of their face; which it would be. Log correlation lets you locate the interesting places in your logs – that’s where the analysts start investigating from…and they’re going to find pieces of information that lead to other pieces of information as the trail of evidence warms up. Being able to search through the rest of those logs for that one thing they suspect resides there, is one of the other key functions of a SIEM.

So, it’s a fair statement to say that a SIEM is fundamentally a giant database of logs. It would be amazingly useful if every operating system and every application in the world recorded their log events in the same format – but they don’t. Most logs are written to be readable by humans, not computers. That makes using regular search tools over logs from different sources more difficult. Two log entries can say the same thing to a human being but be very different from the machine’s point of view. Long story short, to be most effective we’re going to need to break down every known log message out there into some kind of normalized format. So, if you’re looking at information about how many devices a particular SIEM solution supports – what that really tells you is how many devices it can analyze the logs from.

Breaking those log entries down into their components, and normalizing them, is what allows us to search across logs from multiple devices, and correlate events between them. Once we’ve normalized logs into a database table, we can do database style searches, such as:

“Show [All Logs] From [All Devices] from the [last two weeks], where the [username] is [Broberts]”

This is also what allows us to do automated correlation—matching fields between log events, across time periods and across device types—that can establish “red flag” criteria, such as:

“If a single host fails to log in to three separate servers using the same credentials, within a 6-second time window, raise an alert”

Just as with any database, event normalization allows the creation of report summaries of our log information, such as:  

“What User Accounts have accessed the highest number of distinct hosts in the last month?” or “What subnets generate the highest number of failed login attempts per day, averaged out over 6 months?”
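As an added example (not from the article or the Alien Vault presentation), the following Python walks through the pipeline described from the correlation example above through the normalization, search, “red flag” rule and report queries: two constructed log dialects are parsed into one schema, joined with constructed asset and business knowledge, and then queried. The hosts, accounts, addresses and holiday calendar are all made up for the example.

```python
"""Toy SIEM: normalize two constructed log dialects, enrich with asset/business knowledge, correlate, report."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str      # lower-cased so "BRoberts" and "broberts" compare equal
    src: str
    dst: str
    outcome: str   # "success" or "failure"

# Two dialects that say the same thing to a human but differ for a machine.
FORMAT_A = re.compile(  # constructed Windows-style logon record
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Logon(?P<outcome>Success|Failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")
FORMAT_B = re.compile(  # constructed sshd-style record
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<dst>\S+) sshd: "
    r"(?P<outcome>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$")

def normalize(line):
    """Map one raw line onto the common schema; None if no parser matches."""
    m = FORMAT_A.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        outcome = "success" if m["outcome"] == "Success" else "failure"
    else:
        m = FORMAT_B.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
        outcome = "success" if m["outcome"] == "Accepted" else "failure"
    return Event(ts, m["user"].lower(), m["src"], m["dst"], outcome)

# Knowledge layer (constructed): host owners, account departments, closed days.
ASSETS = {"10.100.52.105": ("engineering", "build server"),
          "10.100.52.106": ("engineering", "source repository"),
          "10.100.52.107": ("engineering", "wiki"),
          "10.10.8.22": ("office", "desktop"), "10.10.8.40": ("office", "desktop")}
ACCOUNT_DEPT = {"broberts": "marketing", "jlee": "engineering", "svc_backup": "it"}
OFFICE_CLOSED = {date(2011, 7, 4)}

def search(events, **fields):
    """'Show all logs from all devices where <field> is <value>'."""
    return [e for e in events if all(getattr(e, k) == v for k, v in fields.items())]

def failed_login_burst(events, servers=3, window=timedelta(seconds=6)):
    """Same host and credentials fail against `servers` distinct servers in `window`."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.outcome == "failure":
            by_key[(e.src, e.user)].append(e)
    alerts = []
    for (src, user), fails in by_key.items():
        for i, first in enumerate(fails):  # slide the window over each start point
            hosts = {f.dst for f in fails[i:] if f.ts - first.ts <= window}
            if len(hosts) >= servers:
                alerts.append((src, user, first.ts, frozenset(hosts)))
                break  # one alert per (src, user) is enough
    return alerts

def cross_department_access(events):
    """Logon across departments on a day the office is closed, as analyst prose."""
    alerts = []
    for e in events:
        if e.outcome != "success" or e.ts.date() not in OFFICE_CLOSED:
            continue
        acct = ACCOUNT_DEPT.get(e.user, "unknown")
        dst_dept, _ = ASSETS.get(e.dst, ("unknown", "host"))
        src_dept, src_kind = ASSETS.get(e.src, ("unknown", "host"))
        if acct != dst_dept:
            alerts.append(f"Account {e.user} ({acct}) connected to {dst_dept} system {e.dst} "
                          f"from {src_dept} {src_kind} {e.src}, on a day when nobody should be in the office.")
    return alerts

def distinct_hosts_per_user(events):
    """Report: which accounts accessed the highest number of distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e.outcome == "success":
            hosts[e.user].add(e.dst)
    return sorted(((u, len(h)) for u, h in hosts.items()), key=lambda x: (-x[1], x[0]))

# Constructed log lines in both dialects, plus one the parsers do not know.
RAW_LOGS = [
    "2011-07-04 14:10:00 LogonSuccess user=BRoberts src=10.10.8.22 dst=10.100.52.105",
    "2011-07-04 14:10:01 LogonFailure user=svc_backup src=10.10.8.22 dst=10.100.52.105",
    "07/04/2011 14:10:03 10.100.52.106 sshd: Failed password for svc_backup from 10.10.8.22",
    "07/04/2011 14:10:05 10.100.52.107 sshd: Failed password for svc_backup from 10.10.8.22",
    "2011-07-05 09:00:00 LogonSuccess user=jlee src=10.10.8.40 dst=10.100.52.106",
    "07/05/2011 09:15:00 10.100.52.107 sshd: Accepted password for jlee from 10.10.8.40",
    "kernel: eth0 link up",  # unrelated line, dropped by normalize()
]
EVENTS = [e for e in map(normalize, RAW_LOGS) if e is not None]
if __name__ == "__main__":
    for alert in failed_login_burst(EVENTS) + cross_department_access(EVENTS):
        print("ALERT:", alert)
    print("distinct hosts per user:", distinct_hosts_per_user(EVENTS))
```

Without the knowledge tables the marketing logon is just one more successful authentication; with them the same event becomes the sentence an analyst actually needs.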

So, we now can see that SIEM is a recording device for the systems that form your information infrastructure. SIEM allows you to give analysts access to information from these systems, without giving them access to the systems themselves. Event correlation allows you to encode security knowledge into automated searches across events and asset information to alert on things happening within your infrastructure. It effectively creates a starting point for human analysis by taking important information out of a sea of log data.

To better protect your organization against today’s highly sophisticated security threats, you need timely access to the relevant, actionable data that SIEM delivers. Along with our SIEM and Security Operations Center (SOC) resources, Advanced Network Systems provides a host of other cybersecurity services including internal and external vulnerability assessments, proactive security remediation and incident response. Our Managed Security Program takes the cost and complexity out of having a robust cybersecurity system, offering the most advanced services on the market at a price even small businesses can afford.

*Source: Alien Vault

Why systems patching matters

Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. Patches correct security and functionality problems in operating systems, application software and firmware. Although patches can serve other functions such as adding new features to products, patches are used most often to mitigate software security vulnerabilities.

Although the practice might sound straightforward, patch management is not an easy process. In today's computing environment, it's an increasingly complicated, never-ending cycle that can create big challenges for IT staff.

At the same time, patch management is also an essential, fundamental part of protecting company IT assets from attack. Gartner’s 2017 white paper Technology Insight for Patch Management Tools reports that a whopping 99% of exploits are based on well-known vulnerabilities, many of which have patches that fix them. So regardless of what other security measures may be in place, if an organization doesn’t develop a strategy to overcome its challenges with patching, it can’t effectively protect its network against security compromises—even preventable ones.

Common issues associated with patching

With all of this said, in most organizations, patching is still performed poorly for a variety of reasons:

Too many patches. The sheer number of software vulnerabilities and related patches is second to only the number of unique malware programs released each day. For example, an individual operating system or application may have hundreds of new vulnerabilities each year, each of which needs to be patched. Moreover, almost every program has a different frequency and patching method.

Patches can break things. IT staff often worry that applying any patch—even a critical one—can bring down their system. Patches can sometimes close ports, disable critical pieces of infrastructure, crash or otherwise cut off the availability of systems their organization needs to operate.

Patching can interrupt operations. Most patching processes involve either stopping and restarting the affected software—or a complete reboot—which can mean lost productivity.  On top of that, many patches are huge, often into the gigabytes. Patching a large number of systems all at once can overwhelm a network.

Patching is time-consuming. Taking the time needed to evaluate, test, deploy and document all required patches takes time away from more value-add activities. It’s easy to push aside software updates and patches because of the number of projects that are always being managed with tight deadlines. The IT workload has to give somewhere—and the obscure job of software maintenance often gets neglected.

Timing is everything

Patches—especially critical security patches—should be implemented as soon as possible after they’re released. However, the issues cited above lead some organizations to apply patches too slowly; or, worse yet, to not apply them at all. Once the vulnerabilities have been disclosed, it’s only a matter of time – sometimes only a matter of hours – before attackers use that information to devise exploits. For whatever length of time goes by between a patch release and when you install it, your systems will be in a “zero-day” state.

Solving patching issues

Now that you understand the importance of patching, don’t let obstacles stand in the way of employing this critical security practice in your network. Getting beyond them is easier than you think. As part of our Managed IT Services Program, the burdensome job of managing patches is automated and verified. Our industry-leading patch management tools take ownership of the process, improving your security and ensuring your IT systems remain compliant. By including services like pre-deployment testing and blacklisting of problematic patches, our program is designed to take the biggest headaches associated with patching off your plate. Patch distribution can be customized and set at levels that provide the best strategy for your applications and infrastructure, regardless of where systems are located. Deployments are also built around your operations and scheduled so that fixes are applied at a time that won’t disrupt your employees and business operations. When it comes to getting patching right, time is not on your side; so, don’t delay.

Cyber Insurance: Worth the Price?

Unless you’ve been living under a rock somewhere, it’s hard to miss the almost daily stream of media reports about cyberattacks and data breaches. Government agencies, healthcare providers, financial institutions, corporations and, yes, most definitely, small businesses—are all under attack. Savvy business owners and executives are finally beginning to learn about how the growing risks and costs associated with cybercrime can detrimentally impact their bottom line. So, it’s not a surprise that the interest in all forms of protection— including cyber insurance coverage—has also increased. 

But the market for cyber insurance is still relatively new and evolving, so getting the right coverage at a competitive price isn’t necessarily an easy task. The average business owner or executive will find the terms and conditions of these policies complicated. Getting the right coverage takes time and tenacity: before you buy, you need to ensure you’re getting the protection you truly want without paying for coverage you don’t really need.

What is Cyber Insurance? 

Depending on who you’re talking to, it can go by any number of names, including: data-breach insurance, cyber liability insurance, cyber insurance or cybersecurity insurance.  In a nutshell, cyber insurance helps protect businesses against losses resulting from cyberattacks or data breaches.

Cyber insurance is designed to be a post cyber incident safety net for an organization—its use comes into play after a cybersecurity or privacy related loss occurs. As such, it should be viewed as one part of an overall cyber risk management and response plan—never as a sole solution to rely upon when an incident occurs. At best, cyber insurance should be looked upon as a complement to sound, proactive information security programs, processes, policies and practices.

Who Needs Cyber Insurance?

The need for cyber liability insurance isn’t limited to large corporations like Target or Equifax. Small- and mid-sized organizations are also at great risk. In fact, most efforts in the cyber-crime arena are now specifically targeted at smaller organizations; they usually store one or more types of valuable data (payroll/online banking/credit card info, etc.) and, with a small or no IT budget, are usually a lot more vulnerable. However, despite their high-risk status, most business owners are only now starting to educate themselves about their real risk level and potential exposure.

Types of Cyber Insurance Coverage

Cyber insurance coverages usually fall under two primary types, which can be categorized as either first-party cyber insurance or third-party cyber insurance. First-party coverage is for losses and damage to your own business, like legal, forensic, notification, credit monitoring and business interruption costs. Third-party coverage is for losses to an outside entity, such as your clients or members of the general public, due to an event for which you are liable. To get the right coverage for your operations, it’s VERY important to understand the difference between first- and third-party coverage as well as what the policy excludes. Work with an insurance professional who has a significant amount of experience in selling these policies and can explain coverage options AND EXCLUSIONS to you in plain English. It’s also extremely important to know when coverage begins and what time period it covers, as most policies won’t cover incidents that took place prior to their effective date.

Buying Cyber Insurance

With growing demand and offerings, the cyber insurance market is still new, or a “soft market.” This means that prices vary and that terms and exclusions in cyber coverage are not standardized across the industry, so you’ll likely see variations in how different insurance companies underwrite, package, and categorize cyber risk exposures and coverages. Coverage costs can vary widely, depending on factors like the industry you’re in, the type and amount of records you store, your annual revenues, the coverage limits you need, as well as the risks associated with your organization’s existing network security.

Reducing the Cost of Cyber Insurance

Like all other insurance policies, the higher the risk involved, the higher the cost of your insurance premiums.

However, cybercrime is a different sort of risk, with a different and often more complicated remediation path than other business risks. So, it stands to reason that the application process for cyber insurance coverage is also fairly unique. Application forms can vary in length from a few pages to more than a dozen. But, regardless of what the application looks like, all insurers will assess your level of cyber risk by collecting information about your organization in three key areas: people, processes and technology/data. 

The “people” part of the application delves into your organizational structure around security. Insurance carriers want to know who in your organization is responsible for responding to a breach, if you have a response plan and whether regulatory or compliance frameworks are involved. They’ll also want to know whether (and how often) your employees are trained on evolving IT threats to your organization. They may also want to know who your vendors are, from Internet service to software technologies to credit card processors.

The “process” part of the application digs into your network and its services; your processes for actively managing your network including software, hardware, updates/patches, user account management, etc.; whether vulnerability assessments and remediation steps are done to mitigate critical vulnerabilities; and whether your systems are audited periodically to maintain data security. The focus here is trying to determine how secure your network and IT processes are, regardless of whether you’re handling these internally or through an outsourced provider.

The “technology/data” part of the application will ask about the systems and software you use, as well as the types of records you retain, including:

  • Any client-owned information you may store, or systems you access/interface with
  • Any third-party vendor information you may store, or systems you access/interface with
  • Payment card information
  • Financial records and transactions
  • Employee records and benefits
  • Any other information that could be monetized by cyber criminals

In addition, carriers will want to know how long you archive this information on your systems. All of this data is used to determine risk.

Vulnerability Assessments: Get Your Ducks in a Row

Before you’re quoted a policy, cyber insurance underwriters will want to know that, as an organization, you are proactively taking steps to minimize the ongoing opportunities for an attack (and subsequent claim). From an IT systems perspective, this means you’ll want to have certain network assessments performed before you start the application process. It’s important to perform both internal and external vulnerability testing, to ensure you get a more complete picture of your organization’s overall risk and exposure. Most organizations tend to focus on threats that come from outside their network; but internal network threats are equally dangerous and usually harder to identify. Internal testing determines what vulnerabilities exist for systems that are accessible to authorized internal network connections (what someone with a legitimate user login ID can access). External testing (often called penetration or “pen” testing) helps identify vulnerabilities that exist for connections your organization has established that interface with the Internet. Once completed, these tests help you more accurately determine where your true risks lie, so you can make the necessary changes.

Part of a Bigger Plan

Although it may seem like a daunting process at first, securing the right cyber liability coverage can be a valuable part of a larger overall cyber response plan. The coverage can definitely be a conduit to services you’ll desperately need if the worst-case scenario does happen.

More importantly though, the goal is to prioritize the proactive security of your systems and information—and to always put that first. When it comes to cybersecurity, there is no substitute for a strong, active defense that includes the right layers of current technology along with 24/7 network monitoring, real-time threat detection and attack termination.

Anatomy of a Cyberattack

Today, security is everyone’s job—from consumers, to system administrators, to executives. If you’re doing business, you need to elevate the priority of security across your organization. Over the years, cybercriminals have gotten a lot more advanced and, because cybercrime is such a lucrative business, they’re usually well-funded. These days, there are organizations made up of highly-trained hackers; they are systemized, professional and have learned to turn their skills into big business. In other cases, nation-states have their own cyberattack teams. These teams are no less important to their national strategies than their army or navy. These cyberattack teams are prepared to attack anyone, so you should be prepared to defend against anyone. Whether you know it or not, you’re in a cyber war—and you’re under attack. 

In the past, the financial services and healthcare industries have been the biggest targets. However, over the last few years, these industries have gone to significant lengths to harden themselves against breaches and other forms of attack. Today, the most common type of cyber incident is phishing/hacking/malware at 43%. It was the largest type of attack/incident in all business sectors, which means everyone, including small businesses, is at risk.

Common Attack Vectors

Generally, cyberattacks fall into just a handful of attack vectors. As mentioned, social engineering attacks (i.e. phishing, hacking and malware) make up the largest single attack vector at 43%. Of course, vulnerability exploitation (exploiting a bug in software or firmware that hasn’t been patched) is still a common attack vector. Stolen credentials are often used to gain access to systems, and from there to gain access to higher-privileged credentials that eventually lead to the data the attacker is after, like social security numbers, financial data or intellectual property.

Malware and ransomware implant themselves into vulnerable systems and then spread across connected networks.

Other examples are Denial of Service attacks (DoS) and Distributed Denial of Service attacks (DDoS). With these attacks a person, group, organization or enterprise is prevented from doing business by flooding their websites and services with artificial network traffic either from within their network or from outside their network.

One thing the most devastating attacks seem to have in common is that they don’t rely on one attack vector. In fact, several of the above attack vectors are combined to build the most effective attack possible.

As technologies like Internet-enabled (IoT) devices and cloud services grow, they accelerate the growth of the number of users, devices and machines, network traffic and data. This will lead to more attack vectors, more infected devices, larger attacks and a significant increase in the amount of data stolen. New attack vectors like cloud jail-breaking will grow in use. Under this mode of attack an attacker gains access to a virtual machine in a cloud environment and uses that environment to break into or snoop on neighboring virtual machines, or utilizes the virtual machine to gain access to the underlying infrastructure. This potentially gives them access to all the infrastructure and to all virtual machines in the cloud.

At the end of the day, regardless of where your confidential information is stored, cybersecurity and bolstering your defenses should be a top strategic concern.

How A Typical Cyberattack Is Carried Out

Although cyberattacks are carried out in many different ways, we can, for educational purposes, look at the anatomy of a cyberattack, how a typical attack unfolds, by highlighting its 5 basic stages:

  1. Reconnaissance. Attackers typically start by trying to understand your business to gain as much detailed information as possible about your organization and network.  They’ll also try to identify online behavior of system administrators and other key employees. The employee names and positions are found simply enough through common searches such as a search for “system administrator” on social networking sites like LinkedIn.
  2. Access. Once the attacker has sufficient information, they trick your administrators into exposing sensitive information or downloading malicious software. There are many ways this could be done. An email can be sent to employees that looks official, asking them to take some action such as downloading a new tool or changing a password on a website. Often, an email is sent to employees that looks like an official email, asking them to click on a link. The link looks legitimate. However, it’s actually a link to a site with a similar-looking name. This is a technique called spear-phishing that takes advantage of the fact that our brains pattern-match and make quick assessments. The websites look similar enough that, unless you look carefully, the link appears legitimate. Once target employees sign into the fake site, the attackers have their login credentials and, in turn, access to the corporate network. Another scenario is where an official-looking email prompts the target employee to download software/malware that infects the user’s systems, giving the attackers inside access to the network.
  3. Infiltration. Once they have access to your network, the attacker now looks to move deeper into your network and systems. Infiltration can come in many forms. Malware or ransomware could log keystrokes, waiting for you to type in a password, or it could become a worm that looks for vulnerable systems and begins to spread throughout your network. If the attacker gained access through user credentials, they can plant a worm and leave, keeping the attack going for months or even years. Attackers have a variety of motives for breaching your network but are often looking for monetizable data. It may be that they want Personally Identifiable Information (PII) or they may want your business data. Either way, their next step will be to look for vulnerable credential servers like your Active Directory servers. Exploiting your credential servers gives them broader access to your network and services. Once inside, they will attempt to establish control of your network. They will covertly hijack as many of your systems as possible. This gives them control over as much of your network as possible and keeps their attack running even if some of those systems are cleaned up. Once they’ve established a foothold, they can then send requests back to a command server and begin to act on the commands given. At this point, they begin their data collection. This may include your credentials from your credential servers, emails, business data, payroll system, or transaction data from your databases.
  4. Exfiltration. Most of the time, the point of all this effort, if it isn’t to actively destroy your network, is to get your data out of your network and back to the attackers. To help ensure the success of their mission, they’ll likely encrypt the data prior to sending it on its way. Encrypting it prevents your Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) from detecting and/or blocking the data from being removed from your network. They’ll use your own servers to prevent detection. Your data will be sent via one or more anonymous routes throughout the Internet so that you can’t track where the data is going.
  5. Sanitation. Cleaning up behind themselves is usually the attacker’s last step in the process. They’ll remove all evidence that they were in your network and systems. This makes for a clean getaway, but it also allows them to come back next week, month, or year and attack you again.

Defending Your Network

As you can see, the MO of cybercriminals can be sophisticated and is predicated on stealthy tactics. This means protecting your network and data must incorporate a “defense in depth” strategy, where multiple layers of protection are deployed. The big picture areas you should be concerned with include:

People. It’s a fact that humans are the Achilles’ heel of cybersecurity. People are—hands down—the single largest source of cybersecurity incidents. While you might find a few internal “bad actors” who intentionally breach systems, it’s simple mistakes that typically result in exposure to cyberattacks or information leaks.  

Technology. This layer includes solutions like Unified Threat Management (UTM), endpoint security, Data Loss Prevention (DLP), as well as a backup and data recovery solution. It should also include proactive solutions like periodic vulnerability assessments, along with SIEM and SOC services.

Platforms. These are the physical and virtual machines operating in your datacenter or your virtual machines in the cloud. While people are the root cause for the plurality of incidents, vulnerable systems are still a large portion of successful attacks. Hackers are quick to exploit vulnerabilities. If your systems and applications aren’t patched regularly and quickly enough, you’re creating security exposures.

Data. This layer involves processes, procedures and policies (systems controls) for storing and isolating data in a way that prevents unauthorized access. Control over access to data can be managed through things like Active Directory Services, network segmentation (physical or virtual), encryption, and the like.

Outsourcing. Using an outside vendor for handling security functions is a good choice, for small and midsize organizations in particular. Their resources are often already stretched thin, and most lack the bandwidth to adequately perform security functions. Smaller organizations are also less likely to have people with specialized security skills who can focus on staying on top of a continually shifting landscape. Along with handling day-to-day security operations, a partner can help with important things like security strategy, proactive planning and regulatory compliance.

Cybercrime: There’s No Dodging the Bullet

Whether or not you’ve fully considered your risks and exposure, cybercriminals are knocking on your door. In today’s threat environment, you have to assume that eventually you’ll experience some form of attack. So, it’s no longer a matter of “IF” they will wage an attack, only “WHEN.” Advanced Network Systems offers a Managed Security Program designed to help small and medium-size organizations improve their security posture and respond more effectively to cyberattacks. The program provides essential security services including vulnerability assessment, systems data collection and correlation, threat analysis, incident notification and response services. In the past, these enterprise-quality security services— because of their cost and complexity—were out of the reach of smaller organizations. Knowing that smaller organizations need the same protection as large corporations, we’ve designed a highly effective program, provided for a flat monthly fee, at a price they can afford.

Sharing Personal Data: When You Become the Product

This week as you browse the web, shopping for special deals, watching YouTube videos or using your Gmail account, keep one important thing in mind. When you're not paying with cash, you're paying with your personal information.  

These days, in order to access all the awesome free, or discounted, stuff on the web, we willingly give up a whole lot of our personal information. It’s a movement that most of us have just simply come to accept. Or have we?

A 2010 quote posted by a seriously unhappy MetaFilter user sums it all up nicely: “If you’re not paying for it, you’re not the customer; you’re the product being sold.”  It’s hard to know just how many people are actually aware of the big implications of this statement; or whether they even care. What can be definitively stated is that, if they don’t, they should.

The Cost of "Free"

The recent Cambridge Analytica/Facebook data privacy controversy is a proof point that everybody wants stuff for free, but seldom do we ever question what it really means to get something for free. Over the last decade, the focus on personal data privacy and protection has had its ups and downs. But it’s headline news like Facebook’s data sharing debacle that shines a floodlight on how social media companies, and so many others we interact with, collect our information and make it available to others.

Studies conducted by the Pew Research Center show that most people are anxious about all the personal information that is collected and shared, as well as the security of their data. In addition, almost all participants agree that we’ve lost control over how personal information is collected and used by all kinds of entities. Yet, even as they express great concern about the privacy implications of doing so, the number of people who say they would find it hard to disconnect continues to rise.

So how do we bridge the chasm that exists between the control people say they want, and what actually happens with their personal data?  A big part of the problem is that even though the vast majority of people will tell you that it’s very important to be in control of who has information about them, most people don’t truly understand how and what data is actually being collected.

The reality is, social media sites are only part of the overexposure of our personal data. We ourselves are constantly sharing our own personal information with entities that we don’t really know, and without fully understanding the implications, in exchange for something. Why? Because we humans can’t resist the lure of convenience and cost savings when we want or need something. So, in those moments when we are filling out a very innocent-looking profile form or questionnaire, we don’t choose to over-analyze the fact that we’re paying for that something with the data we also want to protect. Here are just a few common examples of where this can happen:

  • You created and use a Google account.
  • You registered for a grocery store, or other retail store, customer loyalty card.
  • You agreed to let your car insurance company monitor your driving habits to get a discount.
  • You posted your resume online for your new job search.
  • You used the free Wi-Fi available because it helps save your data plan and is a lot faster than 4G.
  • You loaded apps on your smart phone that require knowledge of your present location or request access to your contacts or camera.

The bottom line is that we now live in a time when we generate and share (both knowingly and unknowingly) a tremendous amount of personal information. And that personal data is extremely valuable.  Not just to cybercriminals, but also to marketers who have figured out how to make it a multi-billion-dollar industry that’s become increasingly invasive. Let’s just take Facebook, for example. Last year, Facebook's average advertising revenue per user was $20.21—that’s double the amount it generated just three short years ago. When you turn that situation around, it seems like most people, if asked to trade a large portion of their personal information for $20.21, would not be willing to share it for that price.

What can we do to protect ourselves?

We first need to acknowledge that the concept of personal data has changed drastically over the last decade. It’s gone way beyond our credit card numbers or passwords. It’s now our own behavior—who we are, what we like, what we buy, who we know, where we are, and where we plan to go—that’s being captured and monetized by others. So, we have to educate ourselves and learn to share in the responsibility for the digital footprint we leave behind each day. An important part of controlling our personal data can start with our own behavior: stopping to ask the question, “Do I really want (and need) to share this information?”

It’s also about learning how to handle your data and, as much as possible, making sure there’s a greater level of informed consent involved before you give it away. That means taking the time to read privacy statements and locking down your privacy using the settings available on each of your online accounts. It means making a conscious, informed decision that the something you’re getting is of real value to you before you fill out the next form. While I’m not suggesting this is the solution to all of our data privacy abuse issues, I’d say it’s a start; and we should do whatever we can on our own behalf.

As we watch the EU implement its General Data Protection Regulation (GDPR)— a regulation that requires businesses to protect the personal data and privacy of its citizens—I believe that America will eventually be forced, based on growing awareness and demand, to develop its own standard for consumer rights regarding their data. Only time will tell if GDPR is successful in changing the business models of companies that monetize personal data; but to be sure, the rest of the world will definitely be watching.

Why Cybercriminals Love Small Businesses

Small businesses are in the crosshairs of an increasingly complex and sophisticated array of cybersecurity threats.  Although major hacks of large corporations are now regularly headlining the news, small businesses are actually being attacked more regularly–and with increasing frequency. In fact, a recent Verizon study reports about 71% of data breaches occur in businesses with fewer than 100 employees.

The ugly truth is that regardless of how often cybercrime is talked about, small and medium-sized organizations continue to fall short at managing their cyber risk. As a result, they make easy pickings for hackers; that’s why they love to target them. So, if you own a small to medium-sized business or non-profit, here are a few reasons why organizations like yours are frequent targets:

1. Small businesses have lots of information cyber-criminals want

No matter what you may believe, you DO have information on your computers that can be monetized and is, therefore, worth stealing. If your organization uses accounting software, online banking, or processes credit cards, then you are a perfect candidate for a network hack. If you have employee payroll data or keep patient, student, client, or vendor records in your systems, you are also a worthy target.

2. Their limited resources are not focused on IT security

Most smaller organizations focus their limited people and money resources on things other than network security. A majority have a low level of security awareness, and often little to no security policies implemented. Even if a basic firewall and an anti-virus product are in place, these baseline security measures often don’t fully protect against the newer, more sophisticated versions of malware being generated every day. In fact, the newest forms of malware are specifically designed to bypass or evade these basic defenses.

Unlike large organizations, small ones don’t have the budget to hire the right people or deploy the best security technologies to protect themselves. In fact, even though they are aware of the dangers a cyberattack can pose, they usually still don’t allocate any additional budget for security. They prioritize things like maintaining a healthy cashflow and implementing new marketing strategies, but neglect the equally important matter of data security. Cyber criminals know all of this, and relentlessly search for ways to get into under-defended networks.

3. Their under-trained employees make them vulnerable

Smaller organizations often don’t foster a culture of security awareness. Often there are no formal IT security policies enforced, nor is there a training program to educate employees on the topic of information security and how to spot/avoid potential threats.

Hackers love to target unsuspecting employees with email phishing scams and other social engineering techniques in order to trick them into providing confidential information. Due to their continued high success rate, email links and attachments are the #1 delivery vehicle for malware. Since a plethora of current research tells us over 80% of data breaches are caused by some form of human error, it’s easy to see how untrained employees are the weakest link in the cybersecurity chain.

4. They are low-risk targets that offer big returns

In many instances, cyberattacks are designed for a quick, short-term payoff. Sometimes, the attacker’s goal is to get employees to provide access to their computer in order to launch a ransomware attack. Other times, their goal is to get employees to provide information that can be quickly monetized, like payroll records, credit card information, or access to an online banking site. Still other times, the payoff is over the longer term, including breaches aimed at stealing specific company assets like intellectual property, trade secrets and other proprietary information.

These kinds of breaches can go on inside the unknowing victim’s network for months and sometimes even years before they’re discovered. Overall, the chances of a cybercriminal getting caught are relatively low. Cybercriminals can launch attacks on hundreds of thousands of small businesses from anywhere in the world, making it increasingly difficult to catch them. Only a small percentage of the cybercrime waged against small businesses gets reported to the police or the media; and even when cybercrimes are reported to authorities, they rarely result in a conviction.

Protecting your data can mean staying in business

As I mentioned earlier, the ever-growing number of announcements of corporate data breaches has become almost everyday news. What’s different about these kinds of attacks, when they happen to small organizations, is their effect. The impact of a data breach on small businesses is usually much more detrimental than for larger companies. Phishing scams can drain your bank accounts and ransomware attacks can grind your business operations to a dead halt. Remediating a breach costs money—to repair your network, recover lost assets, to notify affected parties and restore your good name with customers and vendors.

On average the cost per lost or stolen record is $221. As a result, a National Cyber Security Alliance Study found that 60% of small to mid-size companies go out of business within 6 months of a data breach. This is a pretty depressing statistic that only serves to underscore the fact that no small business can afford to operate in a blissful state of denial. Better protection for your network doesn’t have to be a complicated process or financial burden. Learn more about how our managed security programs can cost-effectively defend your organization against an ever-changing cyberthreat landscape.

2-factor authentication (2FA) reduces account compromise

In the world of IT, authentication is the process of verifying that an individual is who he or she claims to be. It can be based on providing information like a username and password, an ATM card and PIN, a device that can generate or receive a code that can be used to log in, or a biometric like a fingerprint that can be scanned. Authentication is a key requirement if you want to carry out a transaction online; but like all other credentials we use, it’s susceptible to being compromised.

Single vs. 2-Factor Authentication

Authentication can be single-factor, where a user enters a username and password. It can also be two-factor (2FA), where a user logs in using a username and password, plus enters a one-time passcode received from another electronic device, like a mobile phone. Authentication can also be multi-factor (MFA), which requires two-factor authentication plus another factor like a voice or fingerprint. A risk-based multi-factor authentication system requires MFA dynamically, based on a set of risk-based rules (such as what device you are trying to log in from).

The traditional, and not so secure, way to log into an account, like Netflix.com, is single-factor authentication. Most people like to use their email address and a familiar password so they can remember it. Enter these two pieces of information and you’re in and able to use your account. Unfortunately, if you’re one of the 54% of consumers who use five or fewer passwords for all of their accounts, you could create a “domino effect” that allows a hacker into any number of different accounts (most containing a lot of personal information), just by cracking ONE password! That’s where two-factor or multi-factor authentication comes in, both of which offer better protection.

Even though two-factor authentication requires an extra step in the login process, most commercial sites offer the option, and make it a relatively easy process. In fact, you may already be using it now with your online banking or favorite shopping site and not realize it. A typical 2FA experience is when you log into a web site that sends a numeric code to your mobile phone, which you in turn need to enter into the site to access your account.

Increased Security

2FA adds an additional layer of security, making it harder for someone to impersonate you online. So, in the example I gave above, someone would need to steal both your password and your phone to compromise your account. If your mobile phone is locked (which it should be), they would also need your phone PIN, swipe pattern, or fingerprint to unlock it, rendering the stolen phone even less useful to them.
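Here is what the “password plus a code from your phone” login looks like on the server side, as an added example that is not code from the original post or from Advanced Network Systems. It assumes the phone-side code is a time-based one-time password (TOTP, RFC 6238), which is what an authenticator app generates and which behaves like the texted code described above; the `OneTimeCodeVerifier` and `Account` classes, their lockout and replay checks, and the sample user are constructed for this illustration. The secret is the RFC’s published test secret so the codes can be checked against its test vectors; a real enrollment generates a random secret per user.

```python
"""Added example: server-side check of a password plus a phone-generated one-time code.

Assumptions (not from the original post): the second factor is RFC 6238 TOTP,
and the verifier / account classes below are illustrative, not a real product's code.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), used only so
# the generated codes can be checked against the RFCs' published test vectors.
# A real enrollment would use secrets.token_bytes(20) per user.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class OneTimeCodeVerifier:
    """Checks the code the user types in, with replay protection and a guess lockout."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, max_attempts: int = 5):
        self.secret = secret
        self.step = step
        self.window = window            # tolerate +/- this many steps of phone clock drift
        self.max_attempts = max_attempts
        self.last_counter = -1          # highest counter already accepted; codes at or below it are spent
        self.failed = 0

    def verify(self, submitted: str, unix_time: Optional[int] = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        if self.failed >= self.max_attempts:
            return False                # locked out: a six-digit code must not be guessable by brute force
        counter = unix_time // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c < 0 or c <= self.last_counter:
                continue                # already used (replay) or older than the last accepted code
            if hmac.compare_digest(hotp(self.secret, c), submitted):   # constant-time compare
                self.last_counter = c
                self.failed = 0
                return True
        self.failed += 1
        return False


class Account:
    """One user record: a salted password hash plus the enrolled second-factor secret."""

    def __init__(self, password: str, otp_secret: bytes, window: int = 1):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)
        self.otp = OneTimeCodeVerifier(otp_secret, window=window)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def login(self, password: str, code: str, unix_time: Optional[int] = None) -> bool:
        """Both factors must pass. The code is only consulted once the password is right, so
        someone holding just the phone cannot burn codes or lockout attempts for the real user."""
        if not hmac.compare_digest(self._hash(password, self.salt), self.pw_hash):
            return False
        return self.otp.verify(code, unix_time)


if __name__ == "__main__":
    # Constructed demo user; the phone app and the server share RFC_TEST_SECRET.
    acct = Account("correct horse battery staple", RFC_TEST_SECRET)
    now = int(time.time())
    phone_code = totp(RFC_TEST_SECRET, now)          # what the authenticator app would display
    print("password + code:", acct.login("correct horse battery staple", phone_code, now))
    print("same code again:", acct.login("correct horse battery staple", phone_code, now))
```

The two `login` calls at the bottom show the point of the section in code: the first succeeds because both the password and the current phone code are right, the second fails because a one-time code is spent the moment it is accepted, so a code an attacker manages to observe is useless once the legitimate user has used it. The drift window, the lockout after repeated wrong codes and the constant-time comparisons are the details a real implementation must get right for the “steal both your password and your phone” claim to hold.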

Unfortunately, there is no safe practice or product available that can guarantee you’ll never experience online, or any other type of, fraud. But using 2FA can help significantly reduce the chances you’ll end up a victim. 2FA should be used whenever possible. Especially when it comes to your most sensitive data—like your primary email, your financial accounts, and your health records. Some sites require you to use 2FA, and many others offer it as an extra option that you can turn on—but you have to take the initiative to do it. You can look here to find a list of websites that offer 2FA; and here for step-by-step instructions on enabling it for your accounts on sites that do offer it.

Reducing IT Threats with Security Awareness

As good as many of our IT solutions have become at thwarting security threats, some incidents can’t be 100% prevented by technology. The threats from social engineering are one of them. Within the realm of IT security, social engineering is the art of manipulating people so they unknowingly give up confidential information.

The types of information criminals are looking for can vary but, when someone is targeted, criminals are usually trying to trick them into providing website user IDs and passwords, social security numbers, or credit card and banking information. Social engineering can also be used to secure company network logins, allowing access to your computer. Once inside, malicious software can be secretly installed that allows a criminal to quietly steal confidential company or personal information or control a device.

Cybercriminals use social engineering tactics for two reasons. First, because it is usually a lot easier to exploit a person’s natural inclination to trust than it is to discover ways to hack their information. Second, because, so often, it works.

At its core, security is about knowing who and what to trust. Knowing when to trust that the person you are communicating with is indeed the person you think you are communicating with; when to trust that a website is legitimate; when providing your information is or isn’t a good idea.

The Weakest Link

Security professionals will tell you that the weakest link in the chain is the human being who accepts a person or scenario at face value. There are some people who will invariably trust the person in the email who says that they need all employee W-2 information sent to them immediately, or that access to their online banking accounts has been revoked. If you don’t know the sender is legitimate, it doesn’t matter how many layers of technology you have in place; you are completely exposed to whatever risk that scenario represents.

The art of manipulating people into providing access to confidential information isn’t new; and it doesn’t even have to require the use of technology. It can also result from someone providing password information over the phone; or someone talking their way past a security guard and gaining physical access to a restricted area.

In each of these cases, there are few technical controls that can be used to prevent this sort of attack. So, in addition to the physical and technological layers of security you use, you should also teach your users to be aware of these kinds of threats and how to deal with them.

It’s important to understand that focusing attention on security awareness is key to reinforcing more responsible behavior. Information security is everyone’s responsibility. That means security awareness should be taught to, and expected from, your entire organization; from top executives all the way down.

Should my company invest in cybersecurity awareness training?

In a word, yes. One of the best ways of fortifying the weakest link in the chain is through the use and enforcement of cybersecurity policy along with cybersecurity awareness training. It’s important for every organization, regardless of size, to have (and apply) a documented set of rules and practices surrounding IT security (a security policy).

Adding an awareness training program—one that covers topics including social engineering (with or without the use of technology), phishing, acceptable use of information, password management, data encryption and incident reporting—can play a significant role in further reducing data breach incidents.

Awareness training also raises employees’ understanding of why information security is a vital aspect of your organization, what the consequences of security incidents are, and what’s expected of them. In certain industries, having a formal information security awareness program is not even optional, since regulations including FISMA, HIPAA and GLBA require it.

Whether your organization is subject to government regulation or not, at the end of the day, the main goal of security awareness is to provide a greater level of protection.  An awareness training program helps ensure employees are better aware of policies, understand the basic controls in place, know how to spot/avoid potential security threats, as well as report an incident.

This information can go a long way in reducing your overall business risks and costs, and foster a more security-minded organizational culture. If you’d like more information on how to implement a security awareness training program at your organization, see our handout on Security Awareness Training.

Tips for Creating an Acceptable Use Policy

Organizations of all sizes have to worry about what their employees are doing with company computer equipment and Internet connections. It's no longer just a matter of wasted time that should be spent on job duties or the cost of network bandwidth. In the growing jungle of government regulations, civil lawsuits, and criminal charges for inappropriate online behavior, it's essential that companies cover their assets by establishing and enforcing clear rules governing computer and network usage. Policies are also needed to protect the security of the network and prevent users from introducing viruses or opening their systems and the entire network to attacks.

That's the reason you need an Acceptable Use Policy (AUP). It's not enough to just tell your employees not to use their work machines for non-work-related activities. You need to create and distribute a written policy and have users sign off that they've received and read it. The trick is to design a policy that's effective, fair, and won't be outdated as your organization grows.

Elements of a Good Acceptable Use Policy

An AUP sets out a formal set of rules that limit the ways in which network and computer equipment can be used. It should contain explicit statements defining procedural requirements and the responsibilities of users.

Some tips for creating your policy include the following:

  • Prohibited activities should be clearly spelled out. Phrases such as “Inappropriate use is prohibited” are vague and ambiguous. You must define what constitutes inappropriate use. Of course, you probably won't be able to think of every single individual action that would be considered “inappropriate,” but the most common misuses should be specifically named. For example, you can prohibit sending e-mail containing sexually explicit text or images, prohibit using the Web browser to visit online gambling sites, and so forth.
  • Blanket statements can address activities you don't specifically name. For example, you can prohibit engaging in any Internet activity that violates any local, state or federal law, or from sending any e-mail, instant messages, documents, or other communications that disclose any confidential information about the company, its clients, or partners.
  • To be effective and enforceable, the policy must be supported by management and there must be a designated person who has the responsibility for overseeing development and updating of the policy. This is often the Information Technology Director, CIO or other member of management.
  • The policies should be reviewed by the company attorney. Although it may be necessary to include some legal jargon in the policy document, each policy should also include a summary, in layman’s terms, that the average user can be expected to understand.

Consequences and Enforcement

It would be nice to think that, once your AUP is put in place, all employees will fully comply and use their network resources solely for business purposes; but, they won’t. This means that a monitoring/enforcement mechanism, and consequences for infringement, have to be built into the policy implementation process. Implementing a policy without these two elements not only leaves you open to continued risk of dangerous scenarios, but also to serious liability issues.

The consequences for violation of the policies should be defined in the policy itself. Since violations themselves vary in severity, consequences should also vary depending on the specific violation and the violator's intent. For instance, consequences for sending a short personal e-mail to a friend with innocuous content would not be the same as consequences for using the company network to conduct a part-time (legal) business, which in turn would not be the same as those for downloading child pornography to the company's computers.

Which brings us to another issue: you should only set policies that you intend to enforce. If you create an overly restrictive policy “just in case” you might need to use it against someone, and then proceed to ignore it, users who are subsequently disciplined for violating that or other policies could argue that you had established a conflicting unwritten policy by knowingly permitting violation of policies in the past, and/or that you enforce policies in an arbitrary or discriminatory manner. The disciplined employee might even be able to successfully sue you on those grounds.

Enforcement should have teeth, but doesn't necessarily have to be confrontational. Organizations have a number of options for discreetly enforcing acceptable use policies. For example, your IT department or vendor can use firewall rule sets, blacklists, and content filters to block prohibited activity. The implementation of sound network security practices, to prevent theft and unauthorized use of sensitive or confidential information, is also important. This should include things like restricting access to sensitive resources, locking down file directories and configuring desktops and laptops to prevent the installation of unauthorized applications.

Despite all the various preventive measures a company can take, users will invariably find ways to violate security policies. As more organizations adopt stronger policies and enforcement, employees should know and understand their organization’s security policies—and should expect the punishment, up to and including termination of employment, that comes with violations.

Developing Your Policy Content

While there is some content which is normally considered a standard part of an AUP, each organization should customize their policy to fit their unique corporate operations, values and culture. If you would like assistance developing and implementing your acceptable use policy, please contact your Advanced Network Systems account executive for more information.

The Case for Building a Cyber Incident Response Plan

A strong defense is critical to fighting the battle against cybercrime. But having a plan to deal with a cyber incident—should one occur—is equally important. Why? Because when it comes to preventing a cyber-attack, there is no such thing as guaranteed protection. That’s right, there is no “silver bullet.” We live and do business in a world marked by increasing cyber-attacks, and all new rules. Beyond the increase in frequency of attacks, we also face an increase in the types of organizations that have become targets. As you can see from the onslaught of daily news reports, no organization—even one with the best-defended network—is immune.

A quick and effective response to a cybersecurity event can go a long way when it comes to minimizing the financial damage and, most importantly, protecting your organization and its reputation. In short, how you plan and respond to security incidents can make the difference between a “crisis” and an “event.”

Having a cybersecurity incident response plan builds on your overall information security program by establishing a set of response tactics and tools to ensure that when an attack does happen, you have the people, processes, and technologies in place to respond effectively.

In the event of an attack, time is of the essence, and being able to respond to both the attack itself and the people impacted is key to mitigating the damage, in cost and reputation, to your organization.

While each organization should always have a cybersecurity incident response plan tailored to their specific business operations and industry requirements, a response plan should include these general components:

People

  1. Management support and buy-in.
  2. A designated incident response team made up of staff from all functional departments.

Technical

  1. Identification of all critical IT resources (systems, applications, data, IT services), who needs access, and where they reside.
  2. A plan that defines how critical systems and data files will be backed up or made redundant.
  3. A plan describing how critical systems and services will be restored.
  4. A plan that defines how data files and applications will be restored.
  5. A relationship with qualified cybersecurity vendors who may be required to assist in remediation and restoration.

Communications

  1. A communications plan that helps you talk to your staff.
  2. A communications plan that addresses how external communications (customers, vendors, media, etc.) will be handled.

Procedures

  1. A clear definition of what constitutes a cyber incident.
  2. Processes and procedures that are in-line with, and support, your organization’s overall business continuity plan.
  3. A clearly defined protocol for how a response will be handled (action steps) and who is responsible for each required task.
  4. A cyber-liability insurance policy in place for your own organization.
  5. Cyber-risk/cyber-liability insurance requirements and liability language written into contracts with outsourced service providers.
  6. A method and schedule to practice your incident response plan.

When it comes to cyberthreats, the only things that are really certain are the growing probability of becoming a victim of cybercrime and the growing number of bad actors capable of successfully attacking even the most reputable, well-defended organizations. That makes developing your own incident response plan, alongside a solid defense strategy, more important than ever. Start yours today.

Why Being Compliant Is Not the Same as Being Secure

There is a dangerous misperception that comes up regardless of which standard or regulation we talk about (PCI DSS, HIPAA, etc.): that compliance equals security. Sometimes organizations think the two are the same thing; sometimes they get so consumed by complicated regulations that they stop focusing on security altogether.

To be clear, compliance does not equal security — it’s basically just a snapshot of how your security program meets a specific set of security requirements at a given moment in time.

What’s critical to understand is that truly protecting sensitive data requires both a proper security program AND compliance with the standards that apply to you. Without a complete, actively managed security program paired with a solid compliance plan, any organization is at significant risk of being breached. To keep your entire network environment protected from the criminals targeting your data every day, you have to build and manage a security program that goes well beyond any specific set of compliance requirements.

Security and Compliance Are NOT the Same

Security and compliance play different roles, both in your internal and external environments. The right cybersecurity measures protect your information from threats by controlling how that information is accessed, used and shared. Compliance, on the other hand, is a demonstration, a reporting function, that shows how your security program meets specific security standards laid out by regulators or industry bodies.

Beware of the "Checkbox Mentality"

Meeting compliance requirements will never cover all of your security needs. This “checkbox” mentality results in inadequate protection. Why? Because compliance only verifies, usually at an annual assessment, that a fixed set of requirements is in place, and those requirements themselves change slowly. It cannot possibly keep pace with the changes that occur daily in the world of cybersecurity.

To truly safeguard against the growing number of sophisticated threats, organizations have to elevate security and develop an overall approach that integrates all the necessary controls with each other to create a cohesive, multilayered web of security. This isn’t something that satisfying a regulatory standard can ever provide.

Don’t Use Compliance as Your Security Blueprint

Using compliance requirements as the blueprint for a security program is another common mistake. An effective cybersecurity program should be built from the ground up, based on the organization’s own needs and risks. Focusing on compliance first puts the virtual cart before the horse. Compliance should be a byproduct of a solid security program, not the source of it.

Remember, investing in a proper, thorough and ongoing cybersecurity strategy now will make future compliance audits easier, save money in the long term, and protect your data, business and brand.