Your company’s data — client information, payment information, personal files, bank account details — is always at risk of falling into the wrong hands. And every day, security threats seem to come from a new place.
In this slideshow, we have collected some of the best advice that leading security experts have shared with IT Business Edge recently, identifying areas of data vulnerability and helping you develop strategies for securing your data and information systems.
Securing Data and Information Systems
Keep Company Data off Social Media
The culture of information sharing that the use of social media has created can also lead to lost trade secrets and the exposure of sensitive company information. James Pooley, an information security consultant and former Silicon Valley trial lawyer who represented clients in patent, trade secret and technology litigation, explains that one way to help mitigate the risk of social media use by employees is to put your social media policies in writing.
“Don’t assume that a few informal warnings and cautionary tales will keep all your employees from tweeting and posting what they shouldn’t. If your company already has general policies about the disclosure of information assets, make sure those policies become part of the official set of rules that govern employees’ use of social media. Larger companies need to have these policies reviewed by legal counsel, since broad confidentiality restrictions can typically violate labor laws that guarantee employees the right to discuss their working conditions.”
Bring HR into the Mix
HR and IT departments are realizing that they must work together more closely to prevent serious data breaches, and Jacqui Summons, international HR director at Clearswift, explained how to start making that transition to closer cooperation and communication:
“The advice I’ve given to HR people is not to make an assumption that this task fits within the IT function, and that there’s therefore no need for them to be involved. Ask the questions you need to ask — don’t just assume that somehow or other this is magically being sorted by your IT function, and that you will never suffer any kind of data breach. The challenge, in terms of asking the right questions, is one I face myself, to a degree — HR people are typically not very technically minded. That isn’t normally what you find within an HR function. For some HR people it’s a whole new world, and a whole new language that they have not in the past had to be involved in.”
Train Employees on Social Media Security
It’s no secret that one of the biggest risks to your company’s security is its employees, though rarely through malicious intent. Most of the time, employees are simply unfamiliar with the techniques used to gain access to company data and tools. James Pooley, an information security consultant and former Silicon Valley trial lawyer, says that, in addition to deploying mobile device management (MDM) tools, training employees on the methods information thieves commonly use can help them avoid falling prey to traps on social media.
“Social media profiles give hackers a lot of information that they can use to compose realistic-looking, customized email phishing messages. But beyond that, websites themselves can be used directly to fool people into joining a fake group, survey, or event, sometimes using a money coupon as a lure. Other traps involve fake ‘like’ buttons, browser extensions offered for download, or compelling offers designed to make the viewer want to share them with friends. All of these social network scams are grounded in the idea that we are all so used to rapidly connecting, sharing, and exposing that we’ll do it more or less automatically with anything that looks attractive. Teaching employees to think twice before clicking can help secrets stay secret.”
Educate Employees About Phishing Attacks
Tools like Google’s Password Alert help battle phishing by warning users when they type their Google password into a site that is not Google’s own sign-in page. But a quarter of phishing emails are still opened. People need to be better informed about how phishing scams work. So what can be done to lessen the problem of phishing scams?
Sue Marquette Poremba suggests:
“Applications like Password Alert will certainly help, but it really comes down to education. Teaching users to recognize a phishing scam should be done on a regular basis – regular being monthly or quarterly. Once-a-year security training sessions simply don’t work anymore. It helps, too, to make users more invested in the damage. If they know that their information is at risk, as well as company data, they may have second thoughts on opening a potential scam email. It is more important that users understand the damage that can be caused by a single phishing email and have improved knowledge on how to recognize a scam versus a real email.”
Read more at Why We Still Struggle with Email Phishing Scams.
Don’t Be Lax on Mobile App Security
The world of mobile enterprise app security continues to be rather frightening. A study from Ponemon Institute says only 19 percent of IT departments have checked mobile apps brought into the enterprise through Bring Your Own Device (BYOD) work structures. And only 22 percent of IT departments realize that scanning is important.
Subbu Sthanu, director of Mobile Security and Application Security at IBM, suggests that apps be built using secure-development best practices and that code from third parties be scrutinized. He says:
“The security of the mobile device itself is important. Jailbroken or rooted devices are vulnerable. It is important to install remote wiping capabilities. Finally, context and risk factor analysis is an important way to protect the organization when a mobile app is attempting to connect to backend services and databases.”
Protect Your Backed-Up Data
Have you given much thought to the security of your backed-up data? If not, perhaps it’s time. Research from Palo Alto Networks describes a risk to backed-up data it calls BackStab: malware running on an ordinary desktop or laptop reads private information (messages, call logs, photos) out of the mobile backups that a phone’s regular backup routine stores there, with no need to compromise the phone itself. Those backups are stored in the clear unless the user has turned backup encryption on.
How can you protect yourself from the risks involved in local backup data? Sue Marquette Poremba suggests,
“Encryption is the first step, followed by unique and strong passwords for your backup that are different from the original mobile versions. Good antivirus/anti-malware software is a must, especially in the iOS environment, where too many users are still convinced they are invincible from malware infections.”
Read more at Backup Data Backstabbed.
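An added example (not from the article or from Palo Alto Networks) of the first check a practitioner would make on a workstation: whether the local iOS backups on it are encrypted. Each iTunes/Finder backup directory holds a Manifest.plist whose IsEncrypted key records the setting; the script walks a backup root and lists the plaintext backups. The default backup paths and the sample backup tree it builds (with made-up device identifiers and dates) are assumptions for illustration.

```python
"""Audit local iOS backups for the BackStab precondition: an unencrypted backup.

Each iTunes/Finder backup lives in its own directory (named by device UDID)
containing a Manifest.plist whose IsEncrypted key records whether the backup
was made with "Encrypt local backup" enabled.
"""
import os
import plistlib
import sys
import tempfile
from datetime import datetime

# Assumed default backup roots on macOS and Windows (standard install locations).
DEFAULT_ROOTS = [
    os.path.expanduser("~/Library/Application Support/MobileSync/Backup"),
    os.path.join(os.environ.get("APPDATA", ""), "Apple Computer", "MobileSync", "Backup"),
]


def read_manifest(backup_dir):
    """Return the parsed Manifest.plist for one backup directory, or None if absent or unreadable."""
    path = os.path.join(backup_dir, "Manifest.plist")
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (FileNotFoundError, NotADirectoryError, plistlib.InvalidFileException, ValueError):
        return None


def audit_backups(root):
    """Walk one backup root and classify each backup as encrypted or plaintext.

    Returns a list of dicts: {"udid": str, "encrypted": bool, "date": datetime or None}.
    Directories without a readable Manifest.plist are skipped. A missing
    IsEncrypted key is treated as plaintext, since that is the failure mode that matters.
    """
    findings = []
    if not os.path.isdir(root):
        return findings
    for name in sorted(os.listdir(root)):
        manifest = read_manifest(os.path.join(root, name))
        if manifest is None:
            continue
        findings.append({
            "udid": name,
            "encrypted": bool(manifest.get("IsEncrypted", False)),
            "date": manifest.get("Date"),
        })
    return findings


def unencrypted_backups(root):
    """UDIDs of backups whose contents any malware on this host can read in the clear."""
    return [f["udid"] for f in audit_backups(root) if not f["encrypted"]]


def make_sample_root():
    """Build a constructed backup tree (not real device data): one encrypted, one plaintext backup."""
    root = tempfile.mkdtemp(prefix="mobilesync-")
    samples = {
        "00008030-000A1B2C3D4E5F60": True,                    # constructed UDID, encrypted
        "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678": False,    # constructed UDID, plaintext
    }
    for udid, encrypted in samples.items():
        os.makedirs(os.path.join(root, udid))
        with open(os.path.join(root, udid, "Manifest.plist"), "wb") as fh:
            plistlib.dump({
                "Version": "10.0",
                "IsEncrypted": encrypted,
                "WasPasscodeSet": True,
                "Date": datetime(2015, 12, 1),                # constructed timestamp
            }, fh)
    os.makedirs(os.path.join(root, "not-a-backup"))           # must be ignored by the audit
    return root


if __name__ == "__main__":
    roots = sys.argv[1:] or DEFAULT_ROOTS
    for r in roots:
        for f in audit_backups(r):
            status = "encrypted" if f["encrypted"] else "PLAINTEXT (readable by any local malware)"
            print(f"{r}: {f['udid']} {f['date']}: {status}")
```

Run it with no arguments to scan the default locations, or pass one or more backup roots explicitly. A plaintext finding is the cue to re-run the backup with encryption enabled and a passphrase that differs from the device passcode.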
Beware Security Vulnerabilities with AV Software
Near the end of 2015, enSilo announced a critical security vulnerability affecting several AV products: the products allocated a memory page with read, write and execute permissions at a constant, predictable address inside the processes they protected, which an attacker could use to bypass exploit mitigations such as DEP and ASLR. In effect, the AV software could be turned into an “attacker-enabler tool.” Does this mean that AV software, like username/password combinations, has peaked as a security control? Sue Marquette Poremba says:
“Yes and no. Like passwords, AV software isn’t going anywhere any time soon. It is a mainstay in our security setup, especially so for those who are focused on protecting individual devices and not entire networks. But I think there is a shift happening, as the protection becomes more concentrated on protecting data. Endpoint security is the more pragmatic response.”
Read more at Many AV Solutions Have Critical Vulnerabilities.
Beware of PoS Malware Becoming More Sophisticated
New strains of Point-of-Sale (PoS) malware are increasingly sophisticated. One of the latest, ModPOS malware, has been described as “the most sophisticated PoS malware” yet. Jason Tan, CEO & co-founder, Sift Science, said this about ModPOS:
“The discovery of this sophisticated malware underscores how important it is for retailers to adopt the strongest safeguards possible to protect sensitive payment information – and prevent criminals from successfully using this information to commit fraud. This includes practicing end-to-end encryption of customer data, providing EMV card readers in stores, and implementing a real-time anti-fraud solution online to spot card-not-present fraud before it hits.”
Protect Your Company from BYOD Risks
A study by tyntec says that 49 percent of firms have employees that at least partially use their own devices at work, which poses huge security risks. According to James Pooley, an information security consultant and former Silicon Valley trial lawyer, it’s important to know which devices might represent a risk.
“The growing popularity of BYOD policies means that many of your employees may well be storing sensitive information on the same laptops, smartphones, and tablets they use to scroll through status updates in the evenings. That’s cause for concern, because cyber thieves can gain access to the content of these devices and your company’s systems through relatively easy-to-hack social media accounts and apps. In addition to establishing clear policies on social media use, consider technical mitigation measures. Mobile device management (MDM) tools can remotely configure devices, monitor what’s on them, and even erase their data if lost. MDM techniques can also include encryption for data stored on or communicated from the device.”
Beware of Fake Users Infiltrating Websites
A study from Ponemon Institute and TeleSign looked at the impact of fake users that infiltrate websites and business networks. The study found that 82 percent of companies struggle with fake users. Even though these fake accounts hurt the business, costing hundreds of thousands of dollars or more in theft, fines and lost business, 64 percent of companies prefer a registration process that is easy to use over one that puts up security hurdles.
Larry Ponemon of the Ponemon Institute says,
“It is up to the companies themselves to come up with a registration approach that works for everyone. Fake users are one of the first steps in the chain of crime, impacting consumers and businesses both directly and indirectly through acts of fraud, theft of information and control of data.”
Take Security More Seriously
We’re all used to business owners who don’t take security seriously or have the attitude that a breach couldn’t happen to their company. But a recent Ponemon Institute study revealed that nearly half of security professionals don’t think their company is going to be the victim of an attack.
Larry Ponemon said:
“This research reveals some major disconnects that IT professionals seem to have between perception and reality. While even circumstantial evidence points to the increasing volume and severity of cyberthreats, it’s shocking to learn that half of security pros don’t even view themselves as a target.”
Credit Card Fraud Will Continue
Credit/debit card fraud is affecting consumers more and more. It is one of the reasons for the switch to the new chip cards, although the jury is still out on how effective they will be: the EMV chip makes a physical card much harder to counterfeit, but it does nothing for card-not-present transactions, so fraud tends to migrate online.
The best way for companies to combat potential fraud is to understand where fraud is most likely to happen, as well as the demographics of victims — information you can find in reports like the United States of Fraud report from online fraud detection company Sift Science. A few details from the report:
“Southern states have the highest rate of shipping address fraud, while the west equaled their southern counterparts in billing address fraud. The lowest overall fraud tends to be in the Midwest. Perhaps not surprisingly, the report also found that men are more likely than women to be fraudsters while the elderly are the most likely to be the victims of fraud.”
Read more at Even with New EMV Standards, Expect Credit Card Fraud to Continue.
Health Care Data a Prime Target for Cybercriminals
Nine out of 10 health care organizations have been breached since 2013. Cybercriminals are wreaking $6 billion in annual damage on America’s largest private-sector industry. Why is health care data so vulnerable? First, the health care infrastructure is an easy target because its security is often outdated. Second, medical records are increasingly available online, and connected devices and the cloud widen the attack surface. But most importantly, health care data is financially valuable to cybercriminals.
What can be done to curb the cyber threats against the health care industry? Sue Marquette Poremba says,
“The easy answer is to upgrade the IT infrastructure to something more secure, but that’s expensive and takes time. But here are some more suggestions: regular risk assessments and better employee security training. And I’ll take it one step further: Industry leaders need to get on board and begin taking security a lot more seriously. Until they do, there will be no budget or support to upgrade security needs, and frankly, this is data that is too important to leave unprotected.”
Read more at Health Care Data Equals Big Bucks for Cybercriminals.
Hackers Are Targeting the Cloud
We’ve always seen a steady migration of hackers from one platform to the next as popularity grows. Now, unsurprisingly, they are targeting the cloud. In its Cloud Security Report 2015, Alert Logic researchers pointed out that nearly 90 percent of companies are now utilizing cloud computing. That means hackers now have an even greater pool from which to steal information.
To protect your cloud data, according to Sue Marquette Poremba:
“It all comes down to layers. The layered approach used to secure your networks is the same type of approach needed to protect the cloud. It’s just as important to provide security specific to software as a service as it is to provide security for the infrastructure. It’s also important to lay down specific groundwork on what responsibility the cloud provider has in providing security and what the company itself must address so there is no ambiguity.”
Read more at Hackers Targeting the Cloud at Higher Rates Than Ever.
Beware Insider Threats
We have all come to expect a high share of data loss to be caused by insiders. An Intel Security study on data exfiltration shows that insider breaches are split evenly between accidental losses and intentional acts. For the accidental half, the focus can be on better end-user education. Sue Marquette Poremba suggests that more needs to be done to examine the intentional acts:
“Are they malicious, with intent to bring harm to the company? Are they due to an employee’s curiosity, such as wanting to learn more about another employee? Or maybe they are an intentional accident, like accessing sensitive documents without realizing security protocols were breached? In order to address these insider breaches, we need to have a better understanding about why they are happening in the first place. Security leaders need to step up their game when it comes to monitoring network behavior to lessen potential insider threats.”
Malware Showing up in App Marketplaces
Last year brought the first occurrence of sophisticated CAPTCHA-bypassing Android malware in the official Google Play store: it subscribed victims to premium-rate SMS services, relaying the CAPTCHA challenges to a human-solver service so that the sign-up completed without the user’s involvement. It appears that the malware developers found new ways to pack it into seemingly legitimate apps that slip past Google’s vetting.
In addition, more than 200,000 Apple accounts were compromised via the KeyRaider malware, which targeted jailbroken iPhones.
Although he was referring specifically to the Android problem, Alin Barbatei, Bitdefender researcher, said something that speaks to overall concerns:
“A mobile security solution needs to be installed on the device to identify malicious applications – regardless from where they have been downloaded – and block threats from causing irreparable financial harm or personal data loss.”
Mobile Infections Are Happening Through PCs
A report from Alcatel-Lucent revealed a new threat to mobile networks: our PCs. In 2013 and 2014, half of the infections found on mobile networks were on PCs. These machines reach the mobile network through tethering and Wi-Fi hotspots, or are connected directly to smartphones and tablets. In addition to using Windows as a gateway to mobile infections, cybercriminals are taking advantage of a familiar operating system that already has a rich malware ecosystem.
Patrick Tan, general manager of Network Intelligence at Alcatel-Lucent, said:
“The modern smartphone also presents the perfect platform for corporate and personal espionage, information theft, denial of service attacks on businesses and governments, and banking and advertising scams. It can be used simply as a tool to photograph, film, record audio, scan networks and immediately transmit results to a safe site for analysis.”
It is another reminder of the importance of making sure all the basic security steps are followed – patching Windows and software immediately and having good security software on mobile devices.
Read more at Mobile Infections Happening Via Your PC.
DDoS Attacks Are Becoming More Serious
New research from two security companies shows that DDoS attacks are a lot more serious than previously thought. These nuisance attacks now do more than shut down websites, shut out customers and hand IT staff the unwanted task of cleaning up: they are also used as cover for installing malware and stealing data.
Evgeny Vigovsky, head of Kaspersky DDoS Protection, states:
“Businesses have to re-evaluate their perception of a DDoS attack. The report clearly shows that the damage scope from such attacks goes far beyond the temporary downtime of a corporate website. . . . Still, many businesses feel that a mitigation strategy is too complex and expensive to implement.”
Avoid Domains Associated with Malicious Behaviors
According to Blue Coat Systems, some top-level domains (TLDs) have become the web’s shady neighborhoods: a large majority of the sites registered under them are malicious. So what can businesses do to avoid being scammed by a site in one of these neighborhoods? The easiest step is to make employees aware of the worst TLDs and to avoid them; better still, block them outright at the company’s web proxy or DNS resolver. Users should also practice safe clicking.
As Dr. Hugh Thompson, CTO for Blue Coat Systems, said:
“The increase in Shady TLDs as revealed by Blue Coat’s analysis is in turn providing increased opportunity for the bad guys to partake in malicious activity. In order to build a better security posture, knowledge about which sites are the most suspicious, and how to avoid them, is essential for consumers and businesses alike.”
Read more at Don’t Hang Out in These Shady Web Neighborhoods.
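An added example (not from the article or from Blue Coat) of enforcing a TLD block at a web proxy: it extracts the effective TLD from each requested URL, handling the tricks that defeat naive substring matching (userinfo before an @, mixed case, ports, trailing dots, IP-literal hosts, punycode TLDs), and runs the check over a few constructed proxy log lines. The blocked TLD set is assumed for illustration; the article does not name the TLDs.

```python
"""Classify requested URLs by top-level domain against a TLD blocklist."""
import ipaddress
from urllib.parse import urlsplit

# Assumed blocklist, not taken from the article: lowercase, no leading dot.
BLOCKED_TLDS = {"zip", "review", "country", "kim", "cricket", "science"}

# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = """\
2015-12-03T10:14:02Z 10.1.2.3 GET http://intranet.example.com/login
2015-12-03T10:14:09Z 10.1.2.3 GET http://coupons.EXAMPLE.ZIP/claim?id=7
2015-12-03T10:15:44Z 10.1.2.7 GET https://cdn.example.com@promo.review:8443/win
2015-12-03T10:16:01Z 10.1.2.9 GET http://203.0.113.5/update.exe
"""


def effective_tld(host):
    """Return the right-most DNS label of a hostname, lowercased, trailing dot removed.

    Returns None for IP-literal hosts: they have no TLD and need a separate policy.
    Punycode labels (xn--...) are decoded so a Unicode TLD can be listed as typed.
    """
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host.strip("[]"))
        return None
    except ValueError:
        pass
    tld = host.rsplit(".", 1)[-1]
    if tld.startswith("xn--"):
        try:
            tld = tld.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: compare the raw label instead
    return tld


def is_blocked(url, blocked=BLOCKED_TLDS):
    """Decide whether the host of a URL sits in a blocked TLD.

    urlsplit().hostname discards userinfo (http://good.com@evil.zip), the port
    and IPv6 brackets, and lowercases the name, so the usual evasions collapse
    to the real host before the TLD is read.
    """
    if "://" not in url:
        url = "http://" + url  # scheme-less log entries
    host = urlsplit(url).hostname
    if not host:
        return False
    tld = effective_tld(host)
    if tld is None:
        return False  # IP literal: not a TLD decision
    return tld in blocked


def blocked_requests(log_text, blocked=BLOCKED_TLDS):
    """Return (client_ip, url) for every log line whose URL lands in a blocked TLD."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        if is_blocked(url, blocked):
            hits.append((fields[1], url))
    return hits


if __name__ == "__main__":
    for client, url in blocked_requests(SAMPLE_PROXY_LOG):
        print(f"BLOCK {client} -> {url}")
```

The two hits in the sample log show why the host must be parsed rather than pattern-matched: one hides the TLD behind uppercase, the other puts a trusted-looking name in the userinfo part of the URL. The IP-literal request is deliberately left to a separate rule, since an address has no TLD to judge.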
Endpoints Are a Huge Risk to Enterprise Security
When Bromium, a global enterprise security company, asked Black Hat attendees what they considered the source of the worst security risks, over half of the respondents named endpoints as the risk they are most concerned about. What makes endpoints so risky? Humans and vulnerable software are two reasons, but patches not being applied promptly is another. Only 10 percent of those surveyed apply patches on the day they are released; half apply them within the first week; nearly a quarter say it takes a month or more. Sue Marquette Poremba cautions:
“Patching can be time consuming, but it is also one of the easiest and most crucial security functions. Yet, it is routinely put on the back burner. No wonder the endpoints are at risk!”