Week 11

CERT - Common Sense Guide to Prevention and Detection of Insider Threats, 3rd Edition- Version 3.1

          This CERT document outlined several issues regarding Insider Threats with real-time practice cases and situations came across the business practices. In this blog, I would like to discuss using layered defense against remote attacks, one of the Insider Threats outlined in CERT document.

While providing the remote access to employee, there is a possibility of attack remotely using legitimate access provided by the organization, although, the main purpose of remote access is to enhance employee productivity.  So, organizations need to be cautious while providing such kind of access to critical data, processes, or information systems. Most of the case it makes easy to an employee to access organization’s assets and use for other purposes such as personal gain, other business advantages because it eliminates the concern that someone could be physically observing the malicious acts. This possible vulnerability emphasizes the need to build multi-layers of defense against such attacks while providing remote access to most critical data and functions and only from machines that are administered by the organization. So, access to these assets should be limited to a small practicable group and system administrator.

Therefore, while providing remote access to critical data, processes and information system, an organization should offset the added risk with closer logging and frequent auditing of remote transactions such as login account, date/time connected and disconnected, and IP address of user should be logged for all remote logins.  Not only the successful remote access, the organization needs to monitor failed remote logins, including the reason the login failed. Most of the time organizations overlook to disable the remote access to terminated employee or someone no longer working with organization, so it is critical to retrieve all company-owned equipment, disabling remote access account, disabling firewall access, changing passwords of all shared accounts, and closing all open connections to the terminated employee to avoid risk and control their access to system.

          Most of the time user’s information like remote access logs, Source IP addresses, and phone records usually helps to identify insiders who intended to attack. It helps to point out the intruder directly, but the organization has to cautious when the intruder tries to frame other users, diverting attention away from his/her misdeeds by using other user’s account or manipulate the monitoring process.

According to CERT study, they found that some of those insider threats came from user’s home machine, and most of the time attacks happened from other remote machines, which are not under the administrative control of the organization using the application like PC Anywhere.  Although the intention could be for personal benefit or any other business benefit, or another possible opportunity, or business advantage, it ultimately cost the organization a big loss and possibly could run out of the business. So it is very important to consider providing the extra layer of security, and document all the incidents as well as document and revise it according to the lesson learned from past incidents.

References:

CERT 2009, “Common Sense Guide to Prevention and Detection of Insider Threats”, 3rd Edition- Version 3.1, Published by CERT, Carnegie Mellon. Retrieved From: https://cyberactive.bellevue.edu/bbcswebdav/pid-7538856-dt-content-rid-10132342_2/courses/CIS608-T303_2161_1/cert_common_sense_guide_to_prevention_and_detection_of_insider_threats.pdf

Week 10

NIST SP 800-111 “Guide to Storage Encryption Technologies for End User Devices”

Threats are unavoidable but can be minimized. There are many threats to the confidentiality of information stored on end user devices, some are unintentional, and some are intentional.  Unintentional threats caused by human errors whereas the intentional threats are more serious and derived by different motives. These intentional threats could cause mischief and disruption and commit identity theft and other possible fraud. Threats could be in many forms such as: internal when employee involve in misusing his/her position to access critical information; and external, when someone remotely accesses to system or device and attempt to access critical information stored on the system or device which could jeopardize the confidentiality of the organization.  (NIST, 2011)

So, securing critical information and components of end user devices is very critical and requires additional measures to protect from threats from unauthorized users or parties. This publication provides a recommendation for encryption on the basis of storage security, security controls, which allows authorized user or parties to access sensitive information stored on end user devices are encryption and authentication.  

1.  When selecting a storage encryption technology, organizations should consider solutions that use existing system features (such as operating system features) and infrastructure.

Some encryption solutions require that you deploy servers and install client software on the devices to be protected, while others can use existing servers and software already present on the devices or built into the devices, such as Federal Information Processing Standard (FIPS)  (Jackson, 2009). So, the more extensive the changes are to the infrastructure and devices, the storage encryption solution will cause a loss of functionality or other problems with the devices. Therefore, comparing the loss of functionality with gains in security and decide if the trade-off is acceptable and should be used when other solution cannot meet the organization’s needs. (NIST, 2011)

2.  Organizations should use centralized management for all deployments of storage encryption except for standalone deployments and very small-scale deployments.

Centralized management is recommended for storage encryption because it enables efficient policy verification and enforcement, key management, authenticator management, data recovery, and other management tasks. It also can automate deployment and configuration of encryption software, distribution and installation of updates, collection and review of logs, and recovery of information from local failures. ( NIST, 2011)

3.  Organizations should ensure that all cryptographic keys used in a storage encryption solution are secured and managed properly to support the security of the solution.

Storage encryption technologies use one or more cryptographic keys to encrypt and decrypt the data that they protect. If a key is lost or damaged, it may not be possible to recover the encrypted data from the computer, which includes all aspects of key management, key generation, use, storage, recovery, and destruction. So, organizations need to consider how key management practices can support the recovery of encrypted data when a key is inadvertently destroyed or becomes unavailable (NIST, 2011). Also, consider how changing keys will affect access to encrypted data on removable media and develop feasible solutions, such as retaining the previous keys in case they are needed. (Jackson, 2009)

References:

·     NIST 2011, “Guide to Storage Encryption Technologies for End User Devices”, published on NIST SP 800-111, on November 2007. Retrieved From: http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf

·     Jackson, William. 2009. “Five Encryption tips from NIST”, Published on GCN.com, on April 15, 2009. Retrieved From: https://gcn.com/Articles/2009/04/20/Crypto-best-practices-sidebar.aspx

Week 9 

Risk Management: Assessing and Controlling Risk

This week we discussed about risk management and risk control strategies.

Let's talk about some security mistakes we do in our everyday work.

·               The not-so-subtle Post-it Note. Yes, those sticky yellow things can undo the most elaborate security measures.

·               Leaving unattended computers on

·               Opening Email from strangers “I Love You Virus”

·               Poor password selection. A good example is: "I pledge allegiance to the flag" becomes "ipa2tf."

·               Laptops have legs. Physical security

·               Loose lips sink ships. People talk about passwords

·               Plug and Play (technology that enables hardware devices to be installed and configured without the protection)

·               Unreported security violations

·               Behind the times in terms of patches

·               Not watching for dangers within your own organization.

So, to keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function. This environment must maintain confidentiality and privacy and assure the integrity and availability of organizational data. These objectives are met via the application of the principles of risk management.

Once ranked vulnerability risk worksheet complete, must choose one of four strategies to control each risk:

1.  Apply safeguards (avoidance)

Avoidance is accomplished through:

·               Application of policy

·               Application of training and education

·               Countering threats

·               Implementation of technical security controls and safeguards

2.  Transfer the risk (transference)

This may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or by implementing service contracts with providers.

Some rules of thumb on strategy selection are:

§  When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exercised.

§  When a vulnerability can be exploited: Apply layered controls to minimize the risk or prevent the occurrence.

§  When the attacker’s potential gain is greater than the costs of attack: Apply protections to increase the attacker’s cost, or reduce the attacker’s gain, using technical or managerial controls.

§  When potential loss is substantial: Apply design controls to limit the extent of the attack, thereby reducing the potential for loss.

References:

Michael E. Whitman and Herbert J. Mattord, “ Management of Information

Security”, Published by Cengage Learning, Fourth Edition

Week 8

Why you should adopt the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework comprises best practices from various standards bodies that are proven and successful when implemented, and it also may deliver a regulatory and legal advantage that extends well beyond improved cyber security for organizations that adopt it early.

The framework provides an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cyber security programs.  It comprises three primary components: Profile, Implementation Tiers, and Core.

For most organizations, whether they are owners, operators, or suppliers for critical infrastructure, the NIST Cybersecurity Framework may be well worth adopting solely for its stated goal of improving risk-based security. An organization that adopts the Framework at the highest possible risk-tolerance level may be better positioned to comply with future cyber security and privacy regulations.

It is impossible to include all the aspects of cybersecurity in one practice framework but NIST provides comprehensive, prescriptive guidelines for all entities across industries.  But the framework offers worthwhile standards for improving cybersecurity, it does not fully address several critical areas.

The NIST Cybersecurity framework represents a tipping point in the evolution of cybersecurity, one in which the balance is shifting from reactive compliance to proactive risk-management standards. Organizations across industries may gain significant benefits by adopting the guidelines at the highest possible risk-tolerance level given investment capital.

Although, Adopting the NIST Cybersecurity Framework have lots of benefits but implementation may involve certain challenges. Critical infrastructure owners and providers may find difficulties to assess their Implementation Tier, which demands a holistic view of the entire eco-system and the ability to the truly objective.

References:

• NIST 2014, “Framework for Improving Critical Infrastructure Cybersecurity”, Published on NIST.gov, on February 12, 2014. Retrieved from: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

·       PWC 2014, “Why you should adopt the NIST Cybersecurity Framework”, Published on PWC.com, on May 2014, Retrieved From: https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf

 

 

 

 

 

 

Week 7

How to secure your Email communication?

Communication is important to any organization and email is getting more popularity than ever. Now-a-day, using email as the main tool to communication with all individuals related to your organization benefiting in many ways. There is no doubt that to the Internet-based organization; email is bringing several threats that most of the employees are not even aware of it. So, there is always a need for training and awareness regarding how to use email, what to access, what not to, how to find out your email is trustworthy or not.

Here are some common issues and consideration to use email in a secure way and be cautious of possible threats come across the development of technology and several possible threats.

1. Organization should implement acceptable use policy for email communication that all employees must comply with. This kind of policy will help the organization to protect employee and business. The policy should provide a necessary measure to monitor email communication on a regular basis.
2. All email should be encrypted, which help to protect the information system and security of an organization as well as organization’s assets. While sending sensitive information via email, it is necessary to use commonly used methods for email encryption such as PGP and S/MIME.
3. Take necessary measure while sending or replying email. When responding email-using reply all function could send your classified information to the non-related person, so it is important to check recipients carefully and avoid unwanted recipients from your email before sending your sensitive information.
4. Keep your software up to date to avoid possible malware or unnecessary threats, which could expose sensitive information or could be vulnerable to such threats.
5. Always use the secure software before spreading malware and victimizing from Phishing attacks. It is necessary to use trusted security software approved by your organization and keep them up to date malware prevention, and a securely configured firewall.
6. Avoid email from unknown users and the un-trusted email contains. Do not click any attached websites or any attachments to your email. Malicious emails often contain attachments that contain malware or hidden in your attached pdf and zip files. Always perform security scanning to your mail before opening any contents.
7. Always disable automatic content downloads, because that download could open the door to hackers to access your system and your organization’s sensitive information.
8. Always use the unique and strong password to your email to prevent an attacker from accessing your email account and sensitive information stored or linked to your system. Always use the algorithmic pattern to create a password, use at least 8 characters, and include numbers and special characters.
9. Always log out your system after checking or sending the email out. It will provide security measures and avoid unauthorized user accessing the system.
10.  Perform email filter and delete or archive old email or email which are no longer in use.

There is no doubt that all organization has their set of policies and guideline to use email in secure manners and avoid vulnerability of sensitive information from disaster. And always keep a close eye to monitor the security software and make sure all software has latest updates. 

 

References:

PJ 2009, “Secure Email Communication and Use”, Published on MindfulSecurity.com, Retrieved From: http://mindfulsecurity.com/2009/11/06/secure-email-communication-and-use/