Are you doing Full-Packet Captures or collecting and analyzing NetFlow data?

The Driver Behind This

Full packet captures (FPCs) and NetFlow are probably the most important data you will need during an incident.  FPCs contain all of the data; think of them like a DVR.  FPCs record the complete communications over a network, payload included, which allows you to reconstruct network activity between systems and “re-play the conversation between two systems”.  You will need (note need, not want) that ability when an incident occurs.  NetFlow records only the metadata of each conversation (who talked to whom, when, on which ports and how many bytes moved), so it is far cheaper to retain for long periods, but it cannot show you what was actually said.

Continue reading “Are you doing Full-Packet Captures or collecting and analyzing NetFlow data?”

How do you define and manage your perimeter?

The Driver Behind This

Just as the first step in avoiding a trap is knowing of its existence, the first step in protecting against something is knowing it’s there.  Knowing the variety of ways in and out of your organization’s network environment is equally important.  Those points of entry and exit NEED TO BE MANAGED AND PROTECTED TOO.  While your firewall is normally the first line of defense in a Defense in Depth model, it should not be your only line of defense.  Your perimeter includes not only the firewall, but also applications that allow data exchanges (including APIs), X-as-a-Service providers, wireless access points, mobile devices, and Shadow IT (e.g., Grammarly, OneDrive, Dropbox).  When networks are poorly designed and architected, they degrade every other security capability.  Make sure the perimeter is documented (inventoried, if you will) and centrally managed.  Ensure you know what data is flowing where, how it’s being exchanged, what its classification is (e.g., public, private, secret), when it’s being shared and how it gets from point A to point B.

Continue reading “How do you define and manage your perimeter?”

How do you manage remote access?

The Driver Behind This

Single-factor authentication is like locking a screen door.  Sure, you’ll keep out the small pests, but the neighbor’s German shepherd is going to get in.  Once an adversary gets into a network (or gets credentials from any number of data dumps), they’re going to capture more credentials via any number of relatively easy methods (passive monitoring is second only to reviewing freely accessible anonymous file shares).  This gives an adversary the ability to move, largely undetected, throughout the network.  If an organization is using single-factor authentication on its VPN or email, it’s not difficult to find weak passwords through password spraying: a few common passwords tried against many accounts, one or two attempts per account, well under any lockout threshold.  When done properly, you’ll never see it coming.  Once the adversary finds those credentials, they’re now the insider, with the same permissions, levels of access, and read/write rights on shares, databases, etc.  Because compromised credentials look like, well, valid credentials.
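Spraying is easy to miss because each account sees only one or two failures. The signature is on the source side: one address walking through many distinct usernames with few attempts each. The following is an added example, not code from the original post: it parses a constructed, hypothetical VPN authentication log format (`<timestamp> vpn-auth src=<ip> user=<name> result=<OK|FAIL>`) and flags sources that fit that pattern, then lists the accounts that authenticated successfully from a spraying source, since those logins look valid and must be treated as compromised. The log lines, the thresholds and the format are all assumptions for illustration.

```python
"""Detect password spraying in VPN authentication logs (added example).

Log format (assumed, hypothetical):
  <timestamp> vpn-auth src=<ip> user=<name> result=<OK|FAIL>
A spray is one source trying MANY distinct usernames with FEW attempts each,
so per-account lockout thresholds never trip.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 198.51.100.7 walks through six accounts, one try each,
# and gets in as "frank"; 203.0.113.9 is a real user mistyping twice.
SAMPLE_LOG = """\
2020-06-01T08:00:01Z vpn-auth src=198.51.100.7 user=alice result=FAIL
2020-06-01T08:00:03Z vpn-auth src=198.51.100.7 user=bob result=FAIL
2020-06-01T08:00:05Z vpn-auth src=198.51.100.7 user=carol result=FAIL
2020-06-01T08:00:07Z vpn-auth src=198.51.100.7 user=dave result=FAIL
2020-06-01T08:00:09Z vpn-auth src=198.51.100.7 user=erin result=FAIL
2020-06-01T08:00:11Z vpn-auth src=198.51.100.7 user=frank result=OK
2020-06-01T08:02:00Z vpn-auth src=203.0.113.9 user=grace result=FAIL
2020-06-01T08:02:10Z vpn-auth src=203.0.113.9 user=grace result=FAIL
2020-06-01T08:02:20Z vpn-auth src=203.0.113.9 user=grace result=OK
"""


def parse(log_text):
    """Turn log lines into (timestamp, src, user, result) tuples; skip junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {src: sorted usernames} for sources that tried at least
    min_users distinct accounts inside `window` with no single account tried
    more than max_per_user times (low-and-slow spray, not brute force)."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        # Sliding window starting at each attempt from this source.
        for i in range(len(evs)):
            users = defaultdict(int)
            end = evs[i][0] + window
            for ts, user, _ in evs[i:]:
                if ts > end:
                    break
                users[user] += 1
            if len(users) >= min_users and max(users.values()) <= max_per_user:
                hits[src] = sorted(users)
                break
    return hits


def compromised_accounts(events, sprayers):
    """Accounts that logged in successfully from a spraying source."""
    return sorted({user for _, src, user, result in events
                   if src in sprayers and result == "OK"})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    sprayers = detect_spray(evs)
    print("spraying sources:", sprayers)
    print("accounts to reset and investigate:", compromised_accounts(evs, sprayers))
```

Tune `window`, `min_users` and `max_per_user` to your environment; a patient adversary spreads attempts over days, so keep enough history to widen the window when a suspicious source turns up. Multi-factor authentication on the VPN and email is still the control that makes a successful spray useless.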

Continue reading “How do you manage remote access?”

How do you manage network traffic to and from your network?

Another question to consider: Do you allow anything in your network to talk directly to the Internet?

The Driver Behind This

Systems that can communicate directly with the Internet in 2020 are just asking for problems.  It means those systems bypass all the safeguards and countermeasures (you know, the controls management has invested in to prevent attacks?) that would otherwise provide and enforce proper monitoring, along with the ability to effectively identify and respond should a system be compromised.  It also opens the organization to additional liability if it fails to screen out harassing content.  So, in addition to the added liability, what else?  Well, as it turns out, adversaries LOVE this type of setup.  It’s like finding that $100 bill in your winter coat that you forgot about, or finding that the scratch-off ticket you thought was worth $100 was really worth $10K.  Why do they like it, you ask?  Well, remember when we said, “those systems bypass all the safeguards and countermeasures”?  We’ll wait for you to finish processing that thought, because while you’re thinking about all those systems that may be able to connect directly to the Internet, just keep in mind the adversary isn’t having to deal with all those pesky defenses.
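The NetFlow question from the first post above and this one meet in the same place: flow records are exactly what tells you which internal hosts are talking straight to the Internet instead of through the sanctioned path. The following is an added example, not code from the original posts. It assumes a hypothetical CSV export of NetFlow-style records (columns `start,src,dst,dport,proto,bytes`), an egress proxy at an assumed address of 10.0.0.5 as the only permitted way out, and RFC 1918 plus loopback ranges as “internal”. The sample flows are constructed. Note what the flow data can and cannot answer: it shows who talked to whom and how much moved, but without a full packet capture you cannot see what was sent.

```python
"""Find internal hosts bypassing the egress proxy from NetFlow-style records
(added example; format, proxy address and sample flows are assumptions)."""
import csv
import io
import ipaddress
from collections import defaultdict

PROXY_IP = ipaddress.ip_address("10.0.0.5")  # assumed sanctioned egress proxy
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample flows: 10.0.1.20 goes out via the proxy as intended;
# 10.0.1.33 talks to the Internet directly, beacons every few minutes, and
# then pushes ~700 MiB out over port 22.
SAMPLE_FLOWS = """\
start,src,dst,dport,proto,bytes
2020-06-01T09:00:00Z,10.0.1.20,10.0.0.5,3128,tcp,48211
2020-06-01T09:00:05Z,10.0.0.5,203.0.113.50,443,tcp,47900
2020-06-01T09:01:00Z,10.0.1.33,198.51.100.77,443,tcp,1200
2020-06-01T09:05:00Z,10.0.1.33,198.51.100.77,443,tcp,1198
2020-06-01T09:09:00Z,10.0.1.33,198.51.100.77,443,tcp,1210
2020-06-01T09:10:00Z,10.0.1.33,198.51.100.77,22,tcp,734003200
2020-06-01T09:11:00Z,10.0.1.20,10.0.2.10,445,tcp,90000
"""


def is_internal(ip):
    """True for addresses inside the ranges we treat as our own network."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": r["start"],
            "src": ipaddress.ip_address(r["src"]),
            "dst": ipaddress.ip_address(r["dst"]),
            "dport": int(r["dport"]),
            "proto": r["proto"],
            "bytes": int(r["bytes"]),
        })
    return rows


def direct_egress(flows):
    """Internal hosts (other than the proxy) that reached a non-internal
    address directly: total bytes sent, destination ports and destinations."""
    out = defaultdict(lambda: {"bytes": 0, "ports": set(), "dsts": set()})
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]) and f["src"] != PROXY_IP:
            e = out[str(f["src"])]
            e["bytes"] += f["bytes"]
            e["ports"].add(f["dport"])
            e["dsts"].add(str(f["dst"]))
    return dict(out)


def large_transfers(flows, threshold=100 * 1024 * 1024):
    """Single outbound flows at or above `threshold` bytes, proxy included,
    since a bulk upload through the proxy is just as worth a look."""
    return [(str(f["src"]), str(f["dst"]), f["dport"], f["bytes"])
            for f in flows
            if is_internal(f["src"]) and not is_internal(f["dst"])
            and f["bytes"] >= threshold]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, e in direct_egress(flows).items():
        print(f"{host} bypassed the proxy: {e['bytes']} bytes to "
              f"{sorted(e['dsts'])} on ports {sorted(e['ports'])}")
    for t in large_transfers(flows):
        print("large outbound flow:", t)
```

Every host that `direct_egress` reports is either a gap in the egress firewall rules or a system someone exempted; both belong on the perimeter inventory discussed earlier. The same pass over real exports is a cheap recurring check that the “nothing talks directly to the Internet” rule is still true.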

Continue reading “How do you manage network traffic to and from your network?”

How will your organization respond when sensitive or regulated data is lost/stolen/ransomed?

Another question to consider: Is there a clear plan for response, including incident and crisis communication?

The Driver Behind This

Incidents are going to happen; it’s not a matter of if but when.  Whether it’s the result of being placed in the crosshairs by a sophisticated adversary or an employee having a laptop with personal information stolen out of their locker at the gym, the organization’s leadership must be engaged.  Understand, this is not an IT function; it is a joint effort and means having the appropriate authoritative representatives available and ready.  Ensure general counsel is engaged to address any regulatory or privacy implications, the corporate communications lead is effectively communicating with the media, and identified staff are sufficiently trained to answer questions from concerned customers.  Engage the appropriate team members from IT Operations and Information & Cybersecurity to understand what happened from the technical side, as well as the internal audit team to understand what control weakness allowed the incident to occur in the first place.  Based on the type of breach, you may have to notify third parties such as state Attorneys General, specific payment card brands (e.g., Visa, MasterCard) or a federal agency (e.g., the Department of Health and Human Services).

Continue reading “How will your organization respond when sensitive or regulated data is lost/stolen/ransomed?”

Who has access to our systems?

Other questions to consider: How do we identify who has access? After third parties have access, how quickly can we sever access to our systems and data?

The Driver Behind This

This expands on the question from the previous post, adding granularity to the matter.  Specifically, which third parties have access to the regulated/sensitive data your organization has been entrusted with?  This includes everything from cloud applications to service providers (e.g., HRIS, ERP, CRM systems).  It doesn’t matter whether the system is onsite and managed by a third party (e.g., an HVAC system) or hosted offsite (e.g., Amazon Web Services); you need to know who has access to your data (and why).  Accept that an adversary will consider all available attack vectors, including your providers, business partners and vendors.  These are common paths used to gain access to systems as adversaries advance on their objectives.

Continue reading “Who has access to our systems?”

How are you protecting and handling sensitive or regulated data? Are you protecting data on devices that can be lost or stolen?

The Driver Behind This

The fines and penalties, as well as the brand impact, for data violations (e.g., PII, PHI, credit card data) can be severe, as well as very, very public.  Legal requirements frequently differ greatly between states, and since most organizations now operate in a global marketplace, they differ even more between countries.  In 2020, most employees rely on a variety of methods and means to support routine operations, including smartphones, laptops and tablets, all of which carry an inherent risk of being lost or stolen.  Not being prepared to address this threat is sheer folly.

Continue reading “How are you protecting and handling sensitive or regulated data? Are you protecting data on devices that can be lost or stolen?”

Cyber: Q&A with the Board

As an information security professional, whether you’re working within Risk Management, Information Security, or Cybersecurity, you need to be prepared for a multitude of situations.  This includes being asked very direct and candid questions about your current security posture.  This series is based on our experiences and interactions with a variety of Boards of Directors, Advisory Boards, and other Governing Bodies at our clients across multiple industries.

Continue reading “Cyber: Q&A with the Board”

Global IT Governance Expert Panel, Session 3: Governance systems

Global experts weigh in with their top tips on transitioning to the new normal in the context of privacy, cybersecurity, and IT governance systems. Join us for this three-part webinar series as we engage these experts for their advice on today’s hot topics.

Meet the Panel

Global pandemics don’t stop IT governance, they expose the need to change it! Top experts offer their tips on the new normal in IT governance systems.

Recorded May 27, 2020 07:00 AM Central Time

Webinar is now available!!!

Audio only version available here

Global IT Governance Expert Panel, Session 2: Cybersecurity

There’s no such thing as post‐pandemic cybersecurity. Top IT Governance professionals offer practical tips on the post‐pandemic cybersecurity environment.

Recorded May 20, 2020 07:00 AM Central Time

Webinar is now available!!!

Audio only version available here