
CYBER SECURITY CONSULTING SERVICE AWARDS AND RECOGNITIONS

CyberSecOp's comprehensive managed security services, cyber security consulting, professional services, and data protection technology are recognized as industry-leading threat detection and response solutions by major analyst firms, key media outlets, and others.

Security Compliance, Security Consulting, NIST, GDPR compliance, Data Breach | CyberSecOp Cybersecurity & Breach News

Corporate Information Security Steering Committee

Organizations are becoming increasingly aware that failing to implement effective security management processes exposes them to untenable risk.

The role of the corporate information security steering committee has become an essential tool in the quest for a coordinated corporate security strategy, for reducing duplication in security spending, taking control of complex infrastructures, and, ultimately, reducing security risk. 

One of the first steps for many organizations has been to set up a common security team and embark on enterprise-wide information security programs. However, many of these teams have struggled to align corporate business objectives with strategic security investment.

META Group's research indicates that the majority of new security teams struggle to define and establish their corporate missions, scope, influence, and power bases. Furthermore, these security teams have poorly defined executive charters and operate without effective communications plans. The unfortunate result of such poor grounding is the temptation for newly established teams to immerse themselves in technology quests, searching for elusive enterprise-wide technical solutions.

In contrast, the most effective security organizations are those with clear responsibilities and well-defined processes based upon five primary organizational roles:

  • Leadership - the role of the chief information security officer, who handles both the day-to-day management of the security team and the continuous communication of the importance and value of security measures.

  • Analysis/design - security analysts who help information owners develop meaningful security policies and adequate security solutions.

  • Security administration - the people who handle the day-to-day administration of access rights, passwords, etc.

  • Security operations - resources that continuously monitor the organization's security status and manage incident response procedures.

  • Awareness communication - resources that design and manage ongoing security awareness and training programs.

  • Executive custody and governance - represented by an information security committee.

The role of the corporate security steering committee is to coordinate corporate security initiatives at the executive level and thus enable an organization to optimize spending, manage its infrastructure, and minimize security risk. Obtaining consensus and support for corporate-wide security initiatives is especially difficult in highly decentralized and multinational organizations with devolved authority and autonomy. In this type of organization, an executive governance body becomes essential.

Corporate information security steering committees (CISSC) must have a clear charter with a range of functions that should include:

  • Managing the development and executive acceptance of an enterprise security charter.

  • Assessing and accepting corporate-wide security policy (e.g., the corporate policy on security incident response, general behavioral approach). This function's primary objective is to ensure that business requirements are reflected in the security policy, thus ensuring that the policy enables rather than restricts business operations.

  • Assessing any requests for policy exceptions from individual business units.

  • Assessing, accepting, and sponsoring corporate-wide security investment (e.g., identity infrastructure deployment, remote access infrastructure) and requests to be excluded from common investment.

  • Providing a forum for discussion and arbitration of any disputes or disagreements regarding common policy or investment issues.

  • Acting as custodian and governance body of the enterprise security program by ensuring visible executive support and monitoring progress and achievements. The role of a permanent governance structure reinforces the message that enterprise security becomes an ongoing, long-term initiative.

  • Assessing and approving the outsourcing of common security services and coordinating investment in appropriate relationship management resources. As the lack of skilled resources increases the need to outsource operational services, executive due diligence, risk assessment, and ongoing effectiveness assessment must be coordinated through the steering committee.

  • Initiating ad hoc projects to investigate the advantages, disadvantages, risks, and costs of common security initiatives and advising the committee with appropriate recommendations.

  • Representing the executive (board of directors) or its nominated information governance body (e.g., an information executive board) in all corporate security matters. Reporting back to these forums on the activities and effectiveness of corporate security programs and investments.

  • Acting as custodian of corporate-wide strategic security processes (e.g., role analysis, data classification) by validating process ownership, responsibilities, and stakeholders.

  • Acting as the respondent to enterprise-level audit exceptions (i.e., those audit exceptions where a specific individual cannot be found to be responsible).

  • Coordinating and validating any external, security-related corporate communications plans and activities (e.g., in the event of a high-profile, publicized security breach).

  • Tracking major line-of-business IT initiatives to identify synergy opportunities or leverage security investment.

  • Governing trust relationships with major e-business partners.

It is essential that steering committee members can make decisions at meetings. This requires the active participation of senior executive business managers, or it must be a permanent subcommittee of an organizational information board. To prevent the committee from becoming an ineffective 'debating society' or forum for driving political agendas, the committee's scope, powers, and objectives should be documented and measured.

Typical members of an information security steering committee include all line-of-business managers, application owners, regional managers, IT managers, the IT director, the chief security officer, the corporate risk manager, and the chief internal auditor. A clear distinction must be made between the role of the CISSC (i.e., executive custody and governance) and the leadership role (i.e., day-to-day management of the security team) of the chief information security officer.

By developing the emerging role of the chief security officer (CSO) and the security team, enterprises can foster a holistic approach to information security - one that recognizes that policy, process, and communication are as important as technology.


Cloud to Streamline Security for Strategic Growth

As the technology director at Inspira Health Network, François Bodhuin and his staff have their work cut out for them, as they strive to support the organization’s strategic growth, stay on top of technology needs and keep patient data secure.

The New Jersey-based organization, in fact, is constantly looking to expand. “We are a medium-sized system, but we are very active in our expansion plans,” Bodhuin said, noting that the system now has more than 150 service locations in five counties. The health network is currently building a new hospital, adding a two-story patient tower to one of its existing hospitals, expanding its behavioral health program and renovating a satellite ER; it also recently opened a senior emergency department and purchased a regional medical transport company.

In addition, the Inspira technology department has developed an app to better serve all the patients that will flow into this continually growing health system. The app enables patients to request appointments, get directions to facilities, access a list of providers, view emergency department and urgent care wait times, pay bills and even participate in virtual visits.

So, it made perfect sense for Inspira to move its compliance management software to the cloud when FairWarning introduced a cloud-based managed shared services solution that works to ensure all data is secure by continually monitoring user activity and sending out alerts for any suspicious actions. After all, the health system had already moved a variety of systems to the cloud including its electronic health records, security information and event management (SIEM) and wound care solutions, and has experienced myriad benefits by doing so.

“The cloud saves costs; because you are getting a virtual server, the hardware itself costs less,” he said. In addition, when a managed services provider hosts a solution in the cloud, the healthcare organization does not incur on-boarding or ongoing training costs.

By hosting the compliance solution in the cloud under a managed services arrangement, Inspira will be positioned to:

  • Take advantage of a team of privacy and security experts. “The team concept to me is a key with managed services. We’re always being asked to work more efficiently. In this case, we will be able to really do that because we will have a team of experts that is performing the function,” Bodhuin said. “Because they’re experts, they know when a complaint is significant. They know when an alert is significant. They know when to ask for an investigation.” In addition, because these experts are well versed in the compliance solution, the learning curve that is typically associated with implementing a new solution is eliminated.

  • Reduce the need to search for IT staff. Hiring experienced, qualified IT staff is a challenge for all healthcare organizations. “In South Jersey, it is especially difficult to attract people to work in security and privacy. [With managed services], we don’t have to search for IT staff and we won’t have any onboarding costs. All that is built in to our fees,” he said.

  • Maintain flexibility. With a managed solution in the cloud, it will be easy for Inspira to grow, as the organization does not need to add staff but can instead simply adjust the services agreement to meet evolving needs.

  • More readily deal with infrastructure challenges. With managed services, Inspira staff do not need to “worry about patching or managing the server,” he said. In addition, staff don’t need to be concerned with “upgrading the hardware, or the software . . . or worry about disaster recovery,” something that traditionally generates significant downtime, according to Bodhuin.

  • Leverage the experiences of many. Managed services providers work with a variety of organizations, making it possible to “bring many best practices to the table,” which is difficult to do when hosting and maintaining systems internally, Bodhuin noted.

  • Save considerable time. “There's a lot of daily work that, all of a sudden, you don't have to do because it’s being done by the managed service. In privacy and security, we expect to regain about one to two hours a day for each analyst,” he said. “Now, they can focus their time on responding to issues that are reported to them. All that saved time can be allocated to another function.”

Doing managed services right

While Bodhuin expects to realize these benefits when moving the compliance software to the cloud, his past experience with managed services has provided a litany of lessons learned. More specifically, he knows that to successfully work with a managed services provider requires:

  • Defining expectations explicitly. “You have to define what you trust them to do. You could let the managed service provider run the whole show if you wanted to, in certain functions,” or limit their scope to a defined set of functions, according to Bodhuin.
  • Proactively managing the working relationship. “You really have to keep them on their toes. Make sure they deliver what they say they will deliver,” he advised. “So you really have to pay attention to your statement of work to ensure that you will get what you expect.”
  • Treating the managed service provider as one of our own. “It’s really important that you make these people a part of your team. And if you do that, then you’ll get success. If you don’t do that, then there will be a lot of instances where there are conflicts in your priorities,” Bodhuin said.

In the final analysis, with the expertise gained via a managed services arrangement, Bodhuin expects Inspira to save time and reduce costs while minimizing the organization’s overall risk profile. In doing so, Bodhuin can help the health system support its strategic growth goals. “The technology/security must be ‘a department of yes’, not a ‘department of no’. When you start saying no to people, you're going against the business itself and that can be a real problem,” he concluded.


Bypass Two-factor authentication - 2FA Bypass

A majority of users and companies are moving to two-factor authentication (2FA) to enhance the security of their data and systems. But contrary to popular belief, it cannot provide a fool-proof layer of security for online accounts, since Kevin Mitnick of KnowBe4 has demonstrated that it is very easy to deceive this defensive measure.

KnowBe4 is the world’s leading security awareness training provider and simulated phishing firm with a massive customer base of 17,000 organizations across the world. Mitnick is the company’s chief hacking officer.

In his new exploit, he demonstrated that 2FA is exploitable because hackers can spoof the 2FA requests by presenting a fake login page to the user. This can lead to the theft of sensitive user data, including the username, password and session cookie.


The purpose of using 2FA is to add an extra layer of security by combining something the employee knows with something they have. This combination is typically a username and password together with a code sent to the user's phone or generated by an app.

To bypass 2FA, the victim is lured into visiting a typo-squatting domain such as LunkedIn.com, where the required user data is stolen. Once the information is obtained, the hacker can easily access the actual website and capture the session cookie. Once this is achieved, the hacker can remain logged in indefinitely; this relies on obtaining the 2FA authentication code only once.

According to KnowBe4 CEO Stu Sjouwerman, Kuba Gretzky, a white hat hacker and friend of Mitnick, developed a tool for bypassing 2FA via social engineering techniques, and this tool can be “weaponized” for just about any website.

“Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organization,” added Sjouwerman.

The tool is called evilginx. The attack method is based on proxying the user through the hacker’s system by means of a credential-phishing technique, which requires the use of a typo-squatting domain. The idea is to get the user to give away his or her credentials so that the hacker can steal the session cookie.

The phishing email is the core of the attack method. In this particular case, the phishing email purports to be sent by LinkedIn to a member of the site, indicating that somebody is trying to contact them through the social network. The email looks authentic at first, but on closer inspection it becomes evident that it is fake, since the return address is incorrect. If the user falls for it and clicks the “interested” button, the malware is soon downloaded onto the device.

At this stage the victim is taken to the authentic LinkedIn website to enter the login information the hacker requires. The login information and the session cookie are recorded by the malware; using the cookie, the attacker gains direct access to the account and avoids the 2FA phase of the sign-in process.



GDPR Questions Answered: Do We Need Consent to Hold Information in a Database?

Now just a few weeks remain before the deadline for the General Data Protection Regulation (GDPR), so data protection advisor Jon Baines is here to answer your questions.

Today, Jon was asked:

Q: “If our database holds names, email addresses, telephone numbers, addresses and job roles of people involved in the classical music industry, of which most of the information is available on their websites, do we have to have specific consent to hold this information, which we use to contact them in terms of business and to occasionally send out a newsletter (twice a year) from which they can unsubscribe? There are a few thousand names involved so it would be good to know whether we need to contact them or not!”
A: “I wish my answer could be a simple one, but, regrettably, the law here is rather complex. However, I will try to explain.

“Unfortunately, what we don’t have here are details on how the business gathered this personal data, and whether the marketing they wish to send is by email (I’ve assumed it is). The author says the information gathered appears publicly on websites, so it might be inferred that the business has ‘scraped’ the details from those sites. If that’s the case, then there may be some problems. 
 
“As a general rule people should be aware (or be made aware) that their personal data is being gathered and collated, even if it’s publicly accessible. Furthermore, sending marketing in electronic form to individual recipients (which I think most of the musicians here would be) requires explicit consent from the recipient (or, in some circumstances, and subject to various qualifications, a prior customer relationship). Sending email marketing, therefore, without consent, would almost certainly be a breach of the law.
 
“If, contrary to what I’ve inferred, the business got the musicians’ details direct from the musicians themselves, then the question as to whether they can send them email marketing is a bit different. If the business has their prior explicit consent to receive marketing emails, then they can continue to do so. Or if they got the musicians’ details during the sale (or negotiations for sale) of a product or service, they can send them marketing emails, provided that at all stages they have offered, and continue to offer, the option to opt out of receiving them.

“The irony here is that the law in question is not the GDPR but the Privacy and Electronic Communications (EC Directive) Regulations 2003, which often get overlooked. Over recent years the Information Commissioner has issued plenty of fines for breaches of this 2003 law.

“Generally, the firms getting those fines have sent very high volumes of unlawful electronic marketing, and the Commissioner has not tended to target SMEs. Nonetheless, even if the risk to a small business of big fines may be relatively low, they do need to be aware of the other risks, particularly of legal claims by individuals, and reputational harm.”
