To help organizations select and implement a set of cyber defense best practices that will protect against today’s most pervasive and dangerous threats, the Center for Internet Security (CIS) devised a list of 20 controls. A principal benefit of the CIS Controls is their ability to prioritize and focus on a smaller number of actions with high pay-off results.
Published in itspmagazine.com
With the prevalence of digital transformation in the enterprise, there is a clear need to balance IoT and BYOD security measures that prevent suspicious or malicious devices from gaining access to the enterprise’s assets and data centers against the requirement that productivity and easy onboarding of devices be maintained. Employees, guests and contractors bring all kinds of Wi-Fi-enabled devices into the enterprise environment, and they expect easy and quick network connectivity.
Onboarding is the process by which new devices gain access to the enterprise for the first time. Unfortunately, IT departments can experience additional workload while endeavoring to get all the devices onto the network so as not to hinder business productivity. At the same time, if they do not handle the process with top security standards in mind, they could place users, devices, enterprise data and the network itself at risk. The question arises: how should IT security teams allow BYOD, IoT, contractors, guests, etc. to securely and quickly connect to the network without placing any of its components at risk of a breach or ransomware attack? The answer: automation.
By automating the entire onboarding process enterprises can achieve the following benefits:
- Reducing the costs that are typically associated with manual work (including configuration and support activities).
- Enhancing productivity – getting team members, contractors and guests connected to work faster.
- Increasing end-user satisfaction – instead of hassling end-users with onboarding procedures, the whole process can and should be seamless.
- Decreasing the risks – unmanaged, unpatched, high-risk devices should be blocked or connected from the beginning to a separate segment of the network from where the key corporate assets are stored (the “crown jewels” of the company).
Employees, students, contractors, partners and guests should onboard their devices once and then automatically re-authenticate after that, within an environment that continuously monitors all devices on the networks and automatically provides a risk score for every device. This ongoing scoring allows security teams to understand the security posture of the devices and of the network as a whole, at any given moment. At the same time, there is no need to have end users repeatedly re-enter credentials on subsequent network connections unless a device is deemed to have a high risk score. This way the enterprise can easily onboard BYOD devices belonging to employees who are traveling, working remotely or working at a satellite office location. Additionally, this allows onboarding of IoT and smart devices for business, such as flat screens, printers and other connected devices, as well as gaming consoles, smart refrigerators and more. These items, of course, must be on a separate segment from where company assets are kept.
Reducing Risks on the Network
A while ago Ofer Amitai, Portnox CEO, wrote about tips for securing endpoint devices on college campuses, institutions that always want a relatively simple onboarding process. He discussed how changes in onboarding and guest access policies could reduce risks and improve network visibility and control. The principles for securing the enterprise require these steps and more. Having a clear set of onboarding policies will allow IT teams to have automated actions applied (see examples in the next section).
After handling the company’s initial network security audit and collecting the security posture of all devices, it is important to make sure that the enterprise authorization policies include conducting automated and continuous security assessments of the network. This way, every device employs baseline security measures before being allowed to connect. Additionally, the IT security team should use granular policies to govern the level of access while maintaining full visibility and control over network connected devices with the ability to revoke access at any time.
Automated Device Onboarding and Network Authentication
Having an automated onboarding set of policies can allow for automated actions such as:
- Immediately allowing Internet access
- Blocking or disconnecting
- Segmenting a device to a separate network section
- Remediation actions
For example, IoT devices are considered easy to hack. Therefore, once connected to the enterprise network, these devices should be separated from where core assets are located. Having different segments on the enterprise network is a good solution for that. Additionally, if a visitor is being connected, the visitor should gain access to the Internet and not to company files, even when plugging the computer into the wired network.
Two important advanced guest network onboarding features are recommended to be included:
- Easy guest access – allowing for simple and fast connections together with the ability to continuously monitor all devices and ensure security.
- Agentless access – once the IT administrators have set up the onboarding policy – contractors and guests on protected networks should be able to self-onboard without installing an endpoint agent.
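The automated actions listed above (allow Internet, block, segment, remediate) and the guest features (onboard once, re-authenticate silently unless the risk score is high, revoke at any time) can be expressed as a small policy engine. The following is an added illustration, not Portnox code; the owner classes, segment names and the 0–100 risk scale with thresholds of 40 and 70 are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Action(Enum):
    ALLOW_CORPORATE = "allow corporate access"
    INTERNET_ONLY = "allow Internet access only"
    SEGMENT = "segment to isolated network section"
    REMEDIATE = "send to remediation"
    BLOCK = "block / disconnect"


@dataclass
class Device:
    device_id: str
    owner_class: str          # "employee", "contractor", "guest" or "iot" (assumed classes)
    managed: bool             # enrolled in corporate device management
    patched: bool             # baseline patch level met
    risk_score: int           # 0 (clean) .. 100 (hostile); assumed scale
    onboarded: bool = False   # completed first-time onboarding earlier


@dataclass
class Decision:
    action: Action
    segment: str
    reauth: bool              # must the user re-enter credentials now?


HIGH_RISK = 70                # assumed thresholds for this example
MEDIUM_RISK = 40


def decide(dev: Device) -> Decision:
    """Map one device's posture to an automated onboarding action."""
    if dev.risk_score >= HIGH_RISK:
        # High-risk devices are cut off and must prove themselves again.
        return Decision(Action.BLOCK, "quarantine", True)
    first_time = not dev.onboarded
    if dev.owner_class == "iot":
        # IoT and smart devices never share a segment with the crown jewels.
        return Decision(Action.SEGMENT, "iot-vlan", False)
    if dev.owner_class in ("guest", "contractor"):
        # Self-onboarding guests get the Internet, not company files,
        # even on a wired port; credentials are asked for only once.
        return Decision(Action.INTERNET_ONLY, "guest-vlan", first_time)
    if not dev.managed:
        # Employee BYOD: Internet only, kept off the corporate segment.
        return Decision(Action.INTERNET_ONLY, "byod-vlan", first_time)
    if not dev.patched or dev.risk_score >= MEDIUM_RISK:
        return Decision(Action.REMEDIATE, "remediation-vlan", False)
    return Decision(Action.ALLOW_CORPORATE, "corp-vlan", first_time)


def reassess(devices: List[Device], new_scores: Dict[str, int]) -> Dict[str, Decision]:
    """Continuous monitoring: apply fresh risk scores and return only the
    devices whose placement changed, so access can be revoked at any time."""
    changed = {}
    for dev in devices:
        before = decide(dev)
        dev.risk_score = new_scores.get(dev.device_id, dev.risk_score)
        dev.onboarded = True      # the device is already on the network by now
        after = decide(dev)
        if (after.action, after.segment) != (before.action, before.segment):
            changed[dev.device_id] = after
    return changed
```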
Acquiring Advanced Onboarding Capabilities
One of the technologies that can help with safe onboarding is network access control (NAC). In the past, companies used only desktops and laptops, connected and authenticated over a wired network; nowadays, wireless networks and mobile technologies have introduced personal devices (via BYOD policies) and the Internet of Things (IoT) to the workplace. In addition, increasingly stringent compliance standards, such as PCI-DSS, SOX and ISO standards, require companies to openly communicate their security controls to external auditing authorities. All of this can be achieved via NAC solutions. Network access security should be a priority for all companies moving forward.
Every enterprise today must support a rapidly proliferating world of devices and platforms. From an operational viewpoint, this shouldn’t obstruct workflows and productivity. Ideally, the enterprise IT team will automate and secure network onboarding and authentication so that the IT helpdesk doesn’t have to intervene when guests, contractors and IoT devices need to connect. Additionally, an effective plan for secure network onboarding will on the one hand improve the end-user experience for BYOD, IoT, users and guests and on the other hand improve IT security as part of a layered protection strategy.
Looking to set IT security policies and automate your device onboarding?
Portnox CLEAR offers easy onboarding while never compromising on network security across the enterprise.
As the nature of compliance grows increasingly complex, it becomes more difficult for companies to understand what applies to their business and how to build and implement protocols. Furthermore, as cyber threats grow exponentially, companies are facing problems like potential governmental fines and financial theft, breach of sensitive data and loss of clientele. Author of the bestseller “Security Risk Assessment Handbook” and cybersecurity expert, Douglas Landoll, recently stated that, “Non-compliance with information security regulations remains one of the top mistakes made by companies in their current data security approach.” Don’t say we didn’t warn you.
We have mapped out the four steps that you should follow for your business to become compliant and ready to counter growing cyber instability.
Step 1 – The tight relationship between compliance and cyber security
Once upon a time, organizing cyber defense fell under the domain of the IT guys, but over time, the cybersecurity tent has broadened to encompass CCOs and CISOs. According to a recent survey conducted by BAE Systems, the majority of IT staff want C-Suites at the front and center of cybersecurity decision making. One can have the best technology on the market, but without a clear process and defined roles, it will be exceedingly difficult to prevent attacks.
The New England Chief Audit Executives group conducted a roundtable discussion, which concluded that without a comprehensive strategy of processes in place, your tools are more or less useless. Simply put, having great technology without a compliance program will likely result in failure. We saw this very clearly in the Yahoo hacks between 2013-2015, which compromised one billion accounts and caused the company tremendous damage both financially and to its reputation.
The creation of an efficient cybersecurity compliance program involves many factors like auditing, understanding all relevant stakeholders, understanding country specific regulatory laws and the adoption of the right security technology to meet these needs.
Step 2 – Know your country
Cybersecurity regulations can vary from country to country or region to region. For instance, the EU is 12 months away from implementing its General Data Protection Regulation (GDPR), which covers a wide range of security issues like data security, management, and transparency. It is worth noting that fines can reach up to 20 million euros. This past October at the UK CISO Summit, participants discussed the implications of the new regulations: companies will be forced to devise new approaches to storing, protecting and monitoring data, and to the staff and resources involved, in order to be in compliance with GDPR.
In fact, in March, Democrats in the United States Congress began demanding that the Federal Communications Commission (FCC) create new regulations for cybersecurity for cellular networks. However, the FCC claims that cybersecurity is not under its purview and thus they will not act on the issue. This comes on the heels of an executive order by President Trump calling for an extensive review of US cyber vulnerabilities and capabilities. Considering that the United States is a gigantic bureaucratic web, and executive orders are usually short lived, it will take time for the US to get its act together. Other countries like Japan and Brazil are also in the process of developing their own regulations for transparency, consistent access and authentication for various types of data. Countries around the world are recognizing the importance of digital compliance and standards and are making steps toward ensuring the safety of their citizens’ and businesses’ data.
Step 3 – Timelines and shareholders
When first building your compliance structure, start with timelines. Governmental agencies often put time constraints on companies to come into compliance. Take, for example, the new standards of the NY State Department of Financial Services: the agency is giving companies until March 1, 2018 to provide a risk assessment report, but an additional six months to implement the programs that result from the report’s findings. Businesses and organizations should push lawmakers to prevent a situation where the global marketplace becomes fragmented by regulations, due to rapidly changing technologies and threats. This would lead to the crippling of competition and innovation and the subsequent strengthening of cybercrime.
It is furthermore important that all stakeholders, including directors, management, security staff, and vendor partners be connected via a shared platform. This will allow them to collaborate within a defined framework. The platform should incorporate governmental regulations like FINRA, HIPAA, FERPA to better connect directors with technological experts, track progress or changes, and allow for effective oversight. However, it is becoming increasingly clear that the bulk of the responsibility for heavy decision making is shifting from IT personnel to the board of directors. This is a natural response to increased demands from organizations like the SEC and FTC. However, it is imperative for communication between the board and all stakeholders to remain strong. It should be noted that compliance is critical in order to prevent theft and mishaps similar to what happened at Bangladesh Central Bank.
Step 4 – Compliance starts at the CORE
Once your organization fully understands the regulatory policies it is subject to, it must then learn how to see and profile all network devices, remediate any security issues and automate actions that have traditionally been conducted manually.
There are four segments to this process:
- Understanding how mobile, BYOD and IoT devices will affect and transform not only the organization but the industry, and implementing the right processes and tools to control them.
- Tracking any network related device or program in real time via a centrally secured platform providing full and actionable visibility.
- Addressing cloud security is paramount, because everything today is going through the cloud. It is important to strictly control access to the network and to cloud applications, even based on the geographical locations of users.
- Ensuring that your business is in compliance with governmental regulations like SOX, PCI DSS, HIPAA, FINRA, FISMA and GLBA, among others. Strict compliance will provide legitimacy with clients and partners.
Once your organization understands that without full and actionable visibility on the network it will be impossible to control devices or maintain compliance standards, the next step is finding the right tools. Portnox’s advanced system allows network operators to see and control any device, at any time, and from anywhere, making compliance a more straightforward and smooth process. Portnox continues to lead the way with its innovative technology that will allow you to tackle risk challenges in a simple and straightforward manner.
Check out our “Compliance as a Strategy for Business Success eBook” to learn more on how to become compliant with security regulations and grow a successful business.
In our recent “Cyber Threats Cannot Compete with Strong Compliance” blog, we covered cyberattacks in the financial and retail industries and the importance of visibility, network access and control, and risk management to achieve strong compliance, defend against cyberattacks, and grow a successful and secure business. In this blog, we take a quick look at the attacks that hit government and medical industries, the regulations these verticals face and how to build a strong compliance foundation. A deep dive into each of these verticals can be found in “The Compliance as a Strategy for Business Success eBook”.
The DNC Got Phished
How did Russian hackers gain access to the email correspondence of the Democratic National Convention throughout the recent US election? The answer is by using the oldest trick in the book: phishing emails. In one case, John Podesta, chairman of Hillary Clinton’s campaign, received a phishing email, which was in fact correctly identified as such by an aide. The problem was that the aide accidentally made a note calling the email “legitimate” instead of “illegitimate”, leading Podesta to open the email. This single mistake placed over 60,000 highly sensitive emails in the hands of the Kremlin, which went on to distribute the information to websites like WikiLeaks.
Even after the FBI sent a special agent to warn the DNC of the phishing emails, its IT staff did not respond to the warnings because computer logs did not reveal any intrusion. Podesta should not have required an aide to manually mark the email as illegitimate. Had the DNC incorporated an agentless solution into their network, they could have automatically monitored, identified, tagged, or blocked a potential attack.
The Dark Web Over the Medical Industry
Since 2010, the number of attacks against healthcare providers has risen by over 125%, and risk levels in the industry are now the highest ever. In fact, just last year, cyber criminals hacked over half a million patient records and began selling them over the Dark Web for a profit of approximately $365 per record. That is about one-third more than stolen financial records fetch – no wonder this form of theft is growing at a dizzying speed. Part of the big issue is that hospitals, private clinics, vendors and insurance companies all share digital information, which of course creates the perfect conditions for cyber-criminal activity.
There is no doubt that the medical industry is struggling to uphold HIPAA regulations regarding privacy, security and enforcement. As medical connected devices continue to grow, a solution that is scalable across a wide range of institutions is a must. It is crucial that every institution sharing this data implements a solution that enables security teams to have complete visibility of all connected devices in real time, including switches, wireless controllers, VPN gateways, and routers.
A Boardroom, Samsung and the CIA
Among the 7,800 CIA records released via WikiLeaks, it was revealed how the CIA has been taking advantage of devices like Samsung’s smart TVs to spy on people across the United States. Under the codename “Weeping Angel”, the CIA used malware that makes the television act like a bug and send recordings back to them.
Whether you run a financial, governmental, retail or healthcare organization, it is essential to see, control and automate your network. Without full network visibility, it is impossible to control devices or maintain compliance standards. The challenge for many is how to maintain a level of security (even large companies struggle to attain compliance) often with limited resources and budgets. Portnox’s advanced technology – available both on-premise and in the cloud – gives security officers and network operators the tools they need to see and control any device, at any time, from any place. With these tools, Portnox makes compliance a more straightforward and smooth process, setting your business up for success.
Download our new eBook on “Compliance as a Strategy for Business Success” and learn how you can stop cyberattacks by maintaining strong compliance and visibility over your network.
2016 saw several high-profile cyber-attacks, which resulted in costly breaches and damage to reputable companies and corporations. There have been several discussions on how to effectively preempt such cyber-attacks, with solutions ranging from firewalls and endpoint device security to network access management solutions.
Mindful that many industries maintain tough regulatory standards, companies are now required to implement automated systems to keep up with reporting, while also preventing breaches. The “Compliance as a Strategy for Business Success eBook” covers the key points that need to be considered when trying to achieve security compliance for regulations like SOX, HIPAA, PCI-DSS, FISMA, and GLBA. For instance, any company that stores, processes, or transmits cardholder data must be PCI-DSS compliant. Compliance includes restricting access on a need-to-know basis, creating processes to provide user access to system components, initialization of audit logs, and more. However, these processes come with significant cyber risk.
If the cyber-assaulted companies had stronger foundations for compliance, they would not have needed to devise new and expensive technologies.
The Importance of Visibility to Achieve Compliance
When Yahoo Got Stuffed
Yahoo is no stranger to breaches. This past year it came to light that nearly 1 billion Yahoo accounts had been compromised between 2013-2015. How did this happen and what could have been done to mitigate or even prevent the hacks all together?
This was a type of mass-scale brute force attack called “credential stuffing”, which took advantage of previously hacked credentials by inserting them into random websites via automation until a match was found. Automation allowed this attack to be conducted quickly and, more often than not, completely anonymously. Shuman Ghosemajumder, CTO of Shape Security, found that credential stuffing is successful in 0.1-2% of attempts, and considering that many people reuse passwords across a range of websites, it can be damaging. This is especially concerning because, as a publicly traded company, Yahoo is subject to SOX compliance, which was designed to protect data integrity via compliance.
If Yahoo had implemented an intelligence engine to provide admins with wider and deeper visibility of their network in real time, they would have better understood the warning signs presented in 2008 by Carnegie Mellon University’s Software Engineering Institute. The institute urged Yahoo to replace their encryption technology, MD5, which was considered cryptographically broken. Despite years of warning before the major hacks of 2013-15, Yahoo never brought the encryption up to date, because they lacked visibility and oversight.
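The real-time visibility the paragraphs above call for can be made concrete for credential stuffing: the tell-tale sign is one source trying many distinct usernames with a success rate in the 0.1–2% range the text cites, rather than one user mistyping their own password. The following is an added detection sketch, not code from Yahoo, Shape Security or Portnox; the log line format, the 5-minute window, and the 20-user / 5% thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO-8601 UTC> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")
EPOCH = datetime(1970, 1, 1)


def _build_sample_log():
    """Constructed auth log: one source cycling through 40 breached usernames
    (one of which happens to match), plus one person mistyping their own password."""
    lines = []
    t0 = datetime(2016, 5, 1, 10, 0, 0)
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        result = "OK" if i == 23 else "FAIL"
        lines.append(f"{ts} src=203.0.113.5 user=user{i:02d} result={result}")
    for i, result in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):
        ts = (t0 + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} src=198.51.100.7 user=carol result={result}")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_events(text):
    """Return (timestamp, source, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=20, max_success_rate=0.05):
    """Flag sources that, within one window, tried many distinct accounts
    with a tiny success rate. Returns {source: stats} including the accounts
    that did succeed, which are the ones a defender should force to reset."""
    buckets = defaultdict(lambda: {"users": set(), "attempts": 0, "ok_users": set()})
    for ts, src, user, ok in events:
        slot = (ts - EPOCH) // window          # fixed-size window index
        b = buckets[(src, slot)]
        b["users"].add(user)
        b["attempts"] += 1
        if ok:
            b["ok_users"].add(user)
    findings = {}
    for (src, _slot), b in buckets.items():
        rate = len(b["ok_users"]) / b["attempts"]
        if len(b["users"]) >= min_users and rate <= max_success_rate:
            findings[src] = {"distinct_users": len(b["users"]), "attempts": b["attempts"],
                             "success_rate": rate, "compromised": sorted(b["ok_users"])}
    return findings
```

Carol's three failures followed by a success involve a single account and a 25% success rate, so they are not flagged; the 40-account sweep from the other source is.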
The Ghost of Bangladesh Central Bank
In February of 2016, $81 million disappeared from Bangladesh Central Bank and was subsequently laundered in casinos throughout the Philippines. Cyber criminals used bank employees’ stolen Society for Worldwide Interbank Financial Telecommunication (SWIFT) credentials to send dozens of fake money transfer requests to the NY Federal Reserve, requesting a total of $1 billion to be transferred to various bank accounts that had been set up a year earlier in Asia. While most of the requests were blocked, $81 million was released in four transfers of about $20 million each. So how was the heist pulled off and what could have been done to stop it?
The hackers implanted malware on endpoint devices on the bank’s network, which prevented the automatic printing of SWIFT transactions. This undoubtedly brought the bank into conflict with GLBA, which requires financial institutions to protect data. Both the bank and the federal authorities are playing the blame game. The Feds claim they followed protocol, which permitted several transfers while blocking dozens of others. There is no doubt that lack of endpoint visibility and virus protection were massive issues here. The theft could have been avoided if both the bank and the Feds had total control over all network infrastructure.
To become security compliant and run the business successfully, companies need visibility on what is happening on the network. In other words, what devices are connected to the network, when they connected, what OS, applications and services they are running, who has access to what data, and proof that mechanisms to secure private data are operational. Without visibility into what is on the network, it’s impossible to control the network and ensure compliance. Check out our “Compliance as a Strategy for Business Success eBook” to grow a successful and secure business.