Cybersecurity is an essential aspect of any business or organization. As technology evolves, so do the threats that can harm an organization’s operations, data and reputation. One of the most effective ways to defend against these threats is through the Defense in Depth (DiD) approach.
DiD is a cybersecurity approach in which multiple defensive methods are layered to protect a business. Since no individual security measure is guaranteed to endure every attack, combining several layers of security is more effective.
This layering approach was first conceived by the National Security Agency (NSA) and is inspired by a military tactic with the same name. In the military, layers of defense help buy time.
However, in IT, this approach is intended to prevent an incident altogether.
Essential Elements of DiD
Implementing all the elements of an effective DiD strategy can help minimize the chances of threats seeping through the cracks. These elements include:
1. Firewalls
A firewall is a security system comprised of hardware or software that can protect your network by filtering out unnecessary traffic and blocking unauthorized access to your data.
2. Intrusion Prevention and Detection Systems
Intrusion prevention and detection systems scan the network to look for anything out of place. If a threatening activity is detected, it will alert the stakeholders and block attacks.
3. Endpoint Detection and Response (EDR)
Endpoint detection and response (EDR) solutions constantly monitor endpoints to find suspicious or malicious behavior in real time.
Databranch is excited to announce a new detection software that we have begun implementing for our clients. The Huntress Managed Detection and Response (MDR) for Microsoft 365 secures your users with 24/7 protection.
Huntress MDR can detect and respond to early signs of cyberattacks such as unauthorized access, email manipulation, and suspicious login locations.
The software then utilizes Huntress’s 24/7 Security Operations Center (SOC) which is comprised of experts who analyze and interpret the threats. An actual Huntress employee will review these detections, provide incident reports, and will deliver actionable remediations for recovery.
4. Network Segmentation
Once you divide your business’s network into smaller units, you can monitor data traffic between segments and safeguard them from one another.
5. The Principle of Least Privilege (PoLP)
The principle of least privilege (PoLP) is a cybersecurity concept in which a user is only granted the minimum levels of access/permissions essential to perform their task.
Visit us here to learn more about the risks associated with Local Administrative Privileges.
6. Strong Passwords
Poor password hygiene, including default passwords like “1234” or “admin,” can put your business at risk. Equally risky is the habit of using the same passwords for multiple accounts.
To protect your accounts from being hacked, it’s essential to have strong passwords and an added layer of protection by using practices such as Multi-Factor Authentication (MFA).
7. Patch Management
Security gaps left unattended due to poor patch management can make your business vulnerable to cyberattacks. When a new patch is delivered, deploy it immediately to prevent exploitation.
Databranch offers a Patch Management solution for our managed client’s that automates and manages service packs, hot-fixes, and patches from a single location.
How IT service providers help defend against threats
As a Databranch client, our experienced team members will help you divide DiD into three security control areas:
1. Administrative controls
The policies and procedures of a business fall under administrative controls. These controls ensure that appropriate guidance is available and security policies are followed.
Examples include hiring practices or employee onboarding protocols, data processing and management procedures, information security policies, vendor risk management and third-party risk management frameworks, information risk management strategies, and more.
3. Technical controls
Hardware or software intended to protect systems and resources fall under technical controls.
They include firewalls, configuration management, disk/data encryption, identity authentication (IAM), vulnerability scanners, patch management, virtual private networks (VPNs), intrusion detection systems (IDS), security awareness training and more.
4. Physical controls
Anything that physically limits or prevents IT system access falls under physical controls, such as fences, keycards/badges, CCTV systems, locker rooms and more.
Don’t worry if you are struggling with developing a DiD strategy for your organization. Databranch is here to make things as simple as possible. Contact us at 716-373-4467 option 6, or [email protected] to start the process of making your organization more secure.
Read More
In recent years, email has become an essential part of our daily lives. Many people use it for various purposes, including business transactions. With the increasing dependence on digital technology, cybercrime has grown. A significant cyber threat facing businesses today is Business Email Compromise (BEC).
Why is it important to pay particular attention to BEC attacks? Because they’ve been on the rise. BEC attacks jumped 81% in 2022, and as many as 98% of employees fail to report the threat.
What is Business Email Compromise (BEC)?
Business Email Compromise (BEC) is a type of scam in which criminals use email fraud to target victims. These victims include both businesses and individuals. They especially target those who perform wire transfer payments.
The scammer pretends to be a high-level executive or business partner and will send emails to employees, customers, or vendors. These emails request them to make payments or transfer funds in some form.
According to the FBI, BEC scams cost businesses around $1.8 billion in 2020. That figure increased to $2.4 billion in 2021. These scams can cause severe financial damage to businesses and can also harm their reputations.
How Does BEC Work?
BEC attacks are usually well-crafted and sophisticated, making it difficult to identify them. The attacker first researches the target organization and its employees. They gain knowledge about the company’s operations, suppliers, customers, and business partners.
Much of this information is freely available online. Scammers can find it on sites like LinkedIn, Facebook, and organizations’ websites. Once the attacker has enough information, they can craft a convincing email. It’s designed to appear to come from a high-level executive or a business partner.
The email will request the recipient to make a payment or transfer funds. It usually emphasizes the request being for an urgent and confidential matter. For example, a new business opportunity, a vendor payment, or a foreign tax payment.
The email will often contain a sense of urgency, compelling the recipient to act quickly. The attacker may also use social engineering tactics. Such as posing as a trusted contact or creating a fake website that mimics the company’s site. These tactics make the email seem more legitimate.
If the recipient falls for the scam and makes the payment, the attacker will make off with the funds. In their wake, they leave the victim with financial losses.
How to Fight Business Email Compromise
BEC scams can be challenging to prevent, but there are measures businesses and individuals can take to cut the risk of falling victim to them.
Educate Employees
Organizations should educate their employees about the risks of BEC, along with how to identify and avoid these scams. This includes employees recognizing tactics used by scammers such as: urgent requests, social engineering, and fake websites.
Training should also include email account security, including:
- Checking their sent folder regularly for any strange messages
- Using a strong email password with at least 12 characters
- Changing their email password regularly
- Storing their email password in a secure manner
- Notifying an IT contact if they suspect a phishing email
Contact Databranch today if your company lacks on-going cybersecurity training. Our Breach Prevention Platform and Security Awareness Training will give your employees the resources they need to spot real world phishing attempts.
Enable Email Authentication
Organizations should implement email authentication protocols.
This includes:
- Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
These protocols help verify the authenticity of the sender’s email address and can also reduce the risk of email spoofing. Another benefit is to keep your emails from ending up in junk mail folders.
Deploy a Payment Verification Process
Organizations should deploy a payment verification processes, such as two-factor authentication. Another protocol is confirmation from multiple parties when making a business related payment. This ensures that all wire transfer requests are legitimate. It’s always better to have more than one person verify a financial payment request.
Establish a Response Plan
Organizations should establish a response plan for BEC incidents. This includes procedures for reporting the incident as well as freezing the transfer and notifying law enforcement.
Use Anti-phishing Software
Businesses and individuals can use anti-phishing software to detect and block fraudulent emails. As AI and machine learning gain widespread use, these tools become more effective.
The use of AI in phishing technology continues to increase. Businesses must be vigilant and take steps to protect themselves.
Here at Databranch, our managed clients have the comfort of knowing that their systems are monitored and maintained on a 24/7 basis. Our tool-stack not only increases your protection from malware and phishing, but is also capable of detecting a breach in you network and isolating that device.
Enable Multi-Factor Authentication (MFA)
BEC can occur when a hacker gains access to your email’s login credentials. However, here are many valuable tools you can use to fend off these bad actors even after they have stolen your credentials.
According to a study cited by Microsoft, MFA is proven to prevent approximately 99.9% of fraudulent sign-in attempts.
This is because MFA adds a layer of cybersecurity protection by confirming the authenticity of users who are logging in to various platforms. This is completed by entering a code from your mobile device into the application you are trying to log into, or by approving a prompt that is sent to your mobile device.
This means that unless the hacker also has your mobile device, they will not be able to approve the login attempt.
Reach out to Databranch today if your interested in setting MFA up for your business accounts.
Need Help with Email Security Solutions?
It only takes a moment for money to leave your account and be unrecoverable. Don’t leave your business emails unprotected. Get in touch today at 716-373-4467 x115 or [email protected] to discuss our email security solutions.
Article used with permission from The Technology Press.
Read More
Cloud account takeover has become a major problem for organizations. Think about how much work your company does that requires a username and password.
Employees end up having to log into many different systems or cloud apps.
Hackers use various methods to get those login credentials. The goal is to gain access to business data as a user as well as launch sophisticated attacks, and send insider phishing emails.
How bad has the problem of account breaches become? Between 2019 and 2021, account takeover (ATO) rose by 307%.
Doesn’t Multi-Factor Authentication Stop Credential Breaches?
Many organizations and individuals use multi-factor authentication (MFA). It’s a way to stop attackers that have gained access to their usernames and passwords. MFA is very effective at protecting cloud accounts and has been for many years.
But it’s that effectiveness that has spurred workarounds by hackers. One of these nefarious ways to get around MFA is push-bombing.
How Does Push-Bombing Work?
When a user enables MFA on an account, they typically receive a code or authorization prompt of some type. The user enters their login credentials. Then the system sends an authorization request to the user to complete their login.
The MFA code or approval request will usually come through some type of “push” message. Users can receive it in a few ways:
- SMS/text
- A device popup
- An app notification
Receiving that notification is a normal part of the multi-factor authentication login. It’s something the user would be familiar with.
With push-bombing, hackers start with the user’s credentials. They may get them through phishing or from a large data breach password dump.
They take advantage of that push notification process. Hackers attempt to log in many times. This sends the legitimate user several push notifications, one after the other.
Many people question the receipt of an unexpected code that they didn’t request. But when someone is bombarded with these, it can be easy to mistakenly click to approve access.
Push-bombing is a form of social engineering attack designed to:
- Confuse the user
- Wear the user down
- Trick the user into approving the MFA request to give the hacker access
Ways to Combat Push-Bombing at Your Organization
Educate Employees
Knowledge is power. When a user experiences a push-bombing attack it can be disruptive and confusing. If employees have education beforehand, they’ll be better prepared to defend themselves.
Let employees know what push-bombing is and how it works. Provide them with training on what to do if they receive MFA notifications they didn’t request.
You should also give your staff a way to report these attacks. This enables your IT security team to alert other users. They can then also take steps to secure everyone’s login credentials.
Need help enhancing your employee training? Contact Databranch today or visit us here to learn more about our Breach Prevention Platform and Security Awareness Training with simulated phishing tests.
Reduce Business App “Sprawl”
On average, employees use 36 different cloud-based services per day. That’s a lot of logins to keep up with. The more logins someone has to use, the greater the risk of a stolen password.
Take a look at how many applications your company uses. Look for ways to reduce app “sprawl” by consolidating. Platforms like Microsoft 365 and Google Workspace offer many tools behind one login. Streamlining your cloud environment improves security and productivity.
Adopt Phishing-Resistant MFA Solutions
You can thwart push-bombing attacks altogether by moving to a different form of MFA.
Phishing-resistant MFA uses a device passkey or physical security key for authentication.
There is no push notification to approve with this type of authentication. This solution is more complex to set up, but it’s also more secure than text or app-based MFA.
Visit our website here to learn more about passkeys along with the other 2 main forms of MFA.
Enforce Strong Password Policies
For hackers to send several push-notifications, they need to have the user’s login.
Enforcing strong password policies reduces the chance that a password will get breached.
Standard practices for strong password policies include:
- Using at least one upper and one lower-case letter
- Using a combination of letters, numbers, and symbols
- Not using personal information to create a password
- Storing passwords securely
- Not reusing passwords across several accounts
Put in Place an Advanced Identity Management Solution
Advanced identity management solutions can also help you prevent push-bombing attacks. They will typically combine all logins through a single sign-on solution. Users, then have just one login and MFA prompt to manage, rather than several.
Additionally, businesses can use identity management solutions to install contextual login policies. These enable a higher level of security by adding access enforcement flexibility.
The system could automatically block login attempts outside a desired geographic area. It could also block logins during certain times or when other contextual factors aren’t met.
Do You Need Help Improving Your Identity & Access Security?
Multi-factor authentication alone isn’t enough. Companies need several layers of protection to reduce their risk of a cloud breach.
Are you looking for some help to reinforce your cybersecurity? To learn more about how we can help take this off your IT plate, call 716-373-4467 x 115 or email [email protected].
Article used with permission from The Technology Press.
Read More
It’s common belief that people are the last line of defense during a cybersecurity attack. Wrong. In many instances people are in fact the first line of defense. If your employees are (1) aware and (2) properly trained, then they will be one of your single strongest assets in fighting a never-ending war against cybercrime.
Basic human behaviors such as inquisitiveness, excitement, distraction, and indecision make people extremely vulnerable to one of the most popular and effective cyber-attacks called Social Engineering. Social Engineering is a term used to describe a wide variety of techniques that are used by malicious hackers to exploit human beings and execute a successful cyber-attack.
The most common example of a Social Engineering attack is called Phishing. This is an exercise where an email is sent with the intent of tricking the recipient and convincing them to either click on a malicious link, download a malicious attachment, or even relinquish sensitive information such as passwords, credit card numbers or bank account details. The victim rarely knows they are being exploited until it is too late.
The results of a successful Phishing attack can be devastating. In some cases, the network is infected with malware or a virus causing loss of data and significant outages or disruptions. In other cases sensitive information or data is stolen and further exploited or resold on the dark web. There are even many documented cases of unauthorized wire transfers resulting in tremendous and unrecoverable financial losses.
So, how does an organization take a group of employees and turn them into an effective cybercrime fighting machine? I’m glad you asked. There are three simple steps that must be executed:
Step 1. Develop A Culture Of Security
Cultures are ultimately defined and upheld from the top down. Leadership, Executive and Management teams must commit to the creation and enforcement of cybersecurity policies, procedures and processes. They must also emphatically message and communicate the importance of good cybersecurity hygiene.
Employees should understand how exactly they can be good cybersecurity stewards and more importantly why it is so critical that they are. Lastly, employees who transform into skeptical, protective and enlightened cybercrime fighting soldiers should be recognized and rewarded.
TIPS to help Develop A Culture Of Security:
- Create cybersecurity policies – these are the guidelines and rules.
- Publish cybersecurity policies – allow employees to read and digest the content.
- Assign roles and responsibilities – tell employees what they must do.
- Good governance – enforce the rules, reprimand offenders & celebrate achievers.
- Frequent Communication – talk about cybersecurity often, remind and reinforce!
Step 2. Educate And Train
The best armies are well trained. They are not only armed, but they understand exactly how and when to use their weapon. They understand their mission, know what they are fighting for, and they have practiced and are ready for combat.
Teach your employees about common threats and dangers such as Social Engineering attacks. Show them how to use software and computers in a secure fashion. Explain correct process and procedures are. Provide them with the critical training they need to effectively fight cybercrime.
TIPS to help Educate And Train:
- Implement a security awareness training program – commit to the training.
- Be sure the content is meaningful and relevant.
- Make the training fun and engaging – tell lots of stories.
- Make the training mandatory.
- Make the training frequent – at least once a year.
- Focus on the basics – keep the content simple and easy to understand.
Contact us today to learn how we can help you start establishing cybersecurity throughout your organization.
Step 3. Test The Effectiveness
It will be difficult to know if your new cybersecurity culture is performing as you hoped unless you test the effectiveness of policies, processes, procedures and awareness training. Is the effort you’ve put into creating an army of equipped cybercrime fighting employees actually providing the protection you desire?
There are only two ways to find out. One, wait for a legit attack to occur and hope for the best – or – two, launch a simulated attack yourself. Controlled Phishing attacks, penetration tests, table top incident response exercises or even a Monday morning pop quiz can all be effective exercises to test your employees’ level of understanding and compliance.
Use the test results as an opportunity to re-engage with employees or even re-tool training efforts. Get better with practice.
TIPS to help Test The Effectiveness:
- Launch simulated Phishing attacks – see how employees actually behave.
- Spot check for policy compliance – it is after 5PM, is the Clean Desk Policy working?
- Include social attacks in the scope of penetration testing.
- Conduct table top exercises.
- Document and share results.
- Learn and get better.
Right now, your employees are probably the weakest link in your cybersecurity defense chain. Make them your strongest link. Our Breach Prevention Platform and Security Awareness Training with simulated phishing tests will give your employees the tools they need to spot a phishing attempt. Reach out today at 716-373-4467 x115 or [email protected] to speak with one of our experienced team members about getting started.
Content used with permission from Cyberstone.
Read More
Once data began going digital, authorities realized a need to protect it. Thus, the creation of data privacy rules and regulations to address cyber threats. Many organizations have one or more data privacy policies they need to meet.
Those in the U.S. healthcare industry and their service partners need to comply with HIPAA. Anyone collecting payment card data must worry about PCI-DSS. GDPR is a wide-reaching data protection regulation that impacts anyone selling to EU citizens.
Industry and international data privacy regulations are just the tip of the iceberg. Many state and local jurisdictions also have their own data privacy laws. Organizations must be aware of these compliance requirements along with any updates to these rules.
By the end of 2024, about 75% of the population will have its data protected by one or more privacy regulations.
Authorities enact new data privacy regulations all the time. For example, in 2023, four states will have new rules. Colorado, Utah, Connecticut, and Virginia will begin enforcing new data privacy statutes.
Businesses must stay on top of their data privacy compliance requirements. Otherwise, they can suffer. Many standards carry stiff penalties for a data breach and if security was lacking, fines can be even higher.
The Health Insurance Portability and Accountability Act (HIPAA) uses a sliding scale. Violators can be fined between $100 to $50,000 per breached record. The more negligent the company is, the higher the fine.
Don’t worry, we have some tips below for you. These can help you keep up with data privacy updates coming your way.
Steps for Staying On Top of Data Privacy Compliance
1. Identify the Regulations You Need to Follow
Does your organization have a list of the different data privacy rules it falls under? There could be regulations for:
- Industry
- Where you sell (e.g., if you sell to the EU)
- Statewide
- City or county
- Federal (e.g., for government contractors)
Identify all the various data privacy regulations that you may be subject to. This helps ensure you’re not caught off guard by one you didn’t know about.
2. Stay Aware of Data Privacy Regulation Updates
Don’t get blindsided by a data privacy rule change. You can stay on top of any changes by signing up for updates on the appropriate website. Look for the official website for the compliance authority.
For example, if you are in the healthcare field you can sign up for HIPAA updates at HIPAA.gov. You should do this for each of the regulations your business falls under.
You should also have these updates sent to more than one person. Typically, your Security Officer or equal, and another responsible party. This ensures they don’t get missed if someone is on vacation.
3. Do an Annual Review of Your Data Security Standards
Companies are always evolving their technology. This doesn’t always mean a big enterprise transition. Sometimes you may add a new server or a new computer to the mix.
Any changes to your IT environment can mean falling out of compliance. A new employee mobile device added, but not properly protected is a problem. One new cloud tool an employee decides to use can also cause a compliance issue.
It’s important to do at least an annual review of your data security. Match that with your data privacy compliance requirements to make sure you’re still good.
4. Audit Your Security Policies and Procedures
Something else you should audit at least annually is your policies and procedures. These written documents that tell employees what’s expected from them. They also give direction when it comes to data privacy and how to handle a breach.
Audit your security policies annually. Additionally, audit them whenever there is a data privacy regulation update. You want to ensure that you’re encompassing any new changes to your requirements.
5. Update Your Technical, Physical & Administrative Safeguards As Needed
When you receive a notification that a data privacy update is coming, plan ahead. It’s best to comply before the rule kicks in, if possible.
Look at three areas of your IT security:
- Technical safeguards – Systems, devices, software, etc.
- Administrative safeguards – Policies, manuals, training, etc.
- Physical safeguards – Doors, keypads, building security, etc.
6. Keep Employees Trained on Compliance and Data Privacy Policies
Employees should be aware of any changes to data privacy policies that impact them. When you receive news about an upcoming update, add this to your ongoing training.
Good cybersecurity practice is to conduct ongoing cybersecurity training for staff. This keeps their anti-breach skills sharp and reminds them of what’s expected.
Include updates they need to know about so they can be properly prepared.
Remember to always log your training activities. It’s a good idea to log the date, the employees educated, and the topic. This way, you have this documentation if you do suffer a breach at some point.
Visit our website here to learn more about our Breach Prevention Platform and Security Awareness Training which includes simulated phishing tests and weekly micro-trainings!
Get Help Ensuring Your Systems Meet Compliance Needs
Setting up well-designed IT compliance may be a long process, but it can make a world of difference in terms of business security. It keeps your business reputation intact and allows you to avoid penalties and fines.
However, you’ll need to pay special attention to several aspects and one of the most significant ones is your IT provider.
If your IT isn’t living up to its potential, you’re bound to face compliance issues. This can cause tremendous stress and halt your operations.
Luckily, there might be an easy way out of your predicament. Contact us today at 716-373-4467 x115 or [email protected] to schedule a quick chat with Databranch to discuss your IT problems and find out how to get more out of your provider.
Article used with permission from The Technology Press.
Read More
Imagine you’re going about your day when suddenly you receive a text from the CEO asking for your help. They’re out doing customer visits and someone else dropped the ball in providing gift cards. The CEO needs you to buy six $200 gift cards and text the information right away.
The message sender promises to reimburse you before the end of the day. Oh, and by the way, you won’t be able to reach them by phone for the next two hours because they’ll be in meetings. One last thing, this is a high priority. They need those gift cards urgently.
Would this kind of request make you pause and wonder or would you quickly pull out your credit card to do as the message asked?
A surprising number of employees fall for this gift card scam. There are also many variations. Such as your boss being stuck without gas or some other dire situation that only you can help with.
This scam can come by text message or via email. The unsuspecting employee buys the gift cards and sends the numbers back to the boss. They find out later that the real company CEO wasn’t the one that contacted them, it was a phishing scammer.
The employee is out the cash.
Without proper training, 32.4% of employees are prone to fall for a phishing scam.
Read about our Employee Security Awareness training and the services it offers here.
Why Do Employees Fall for Phishing Scams?
Though the circumstances may be odd, many employees fall for this gift card scam. Hackers use social engineering tactics and manipulate emotions to get the employee to follow through on the request.
Some of these social engineering tactics illicit the following:
- The employee is afraid of not doing as asked by a superior
- The employee jumps at the chance to save the day
- The employee doesn’t want to let their company down
- The employee may feel they can advance in their career by helping
The scam’s message is also crafted in a way to get the employee to act without thinking or checking. It includes a sense of urgency. The CEO needs the gift card details right away. Also, the message notes that the CEO will be out of touch for the next few hours. This decreases the chance the employee will try to contact the real CEO to check the validity of the text.
Illinois Woman Scammed Out of More Than $6,000 from a Fake CEO Email
Variations of this scam are prevalent and can lead to significant financial losses. A company isn’t responsible if an employee falls for a scam and purchases gift cards with their own money.
In one example, a woman from Palos Hills, Illinois lost over $6,000. This was after getting an email request from who she thought was her company’s CEO.
The woman received an email purporting to be from her boss and company CEO. It stated that her boss wanted to send gift cards to some selected staff that had gone above and beyond.
The email ended with “Can you help me purchase some gift cards today?” The boss had a reputation for being great to employees, so the email did not seem out of character.
The woman bought the requested gift cards from Target and Best Buy. Then she got another request asking to send a photo of the cards. Again, the wording in the message was very believable and non-threatening. It simply stated, “Can you take a picture, I’m putting this all on a spreadsheet.”
The woman ended up purchasing over $6,500 in gift cards that the scammer then stole. When she saw her boss a little while later, her boss knew nothing about the gift card request. The woman realized she was the victim of a scam.
Tips for Avoiding Costly Phishing Scams
Always Double Check Unusual Requests
Despite what a message might say about being unreachable, check in person or by phone anyhow. If you receive any unusual requests or one relating to money, verify it. Contact the person through other means to make sure it’s legitimate.
Databranch recommends using the SLAM Method to review your emails and act accordingly. Don’t know what the SLAM Method is? Click here to read all about it.
Don’t React Emotionally
Scammers often try to get victims to act before they have time to think. Just a few minutes of sitting back and looking at a message objectively is often all that’s needed to realize it’s a scam. Don’t react emotionally, instead ask if this seems real or is it out of the ordinary.
Get a Second Opinion
Ask a colleague, or better yet, your company’s IT service provider, to take look at the message. Getting a second opinion keeps you from reacting right away. It can save you from making a costly judgment error.
Need Help with Employee Phishing Awareness Training?
Phishing keeps getting more sophisticated all the time, are your employee’s up to date on their security awareness training?
Take training off your plate and train your team with cybersecurity professionals. We can help you with an engaging training program that helps your team change their behaviors to improve cyber hygiene.
Contact Databranch today at 716-373-4467 x 115 or [email protected] if you would like to learn more about our Breach Prevention Platform and Security Awareness Training with simulated phishing tests.
Article used with permission from The Technology Press.
Read More
The CIA Triad is an information security concept that consists of three core principles, (1) Confidentiality, (2) Integrity and, (3) Availability. These core principles become foundational components of information security policy, strategy and solutions. Cybersecurity professionals and Executives responsible for the oversight of cybersecurity programs should have a deep understanding and appreciation for each of the three core principles.
Ultimately, all vulnerabilities and risks should be evaluated based on the threat they pose to one or more of the CIA Triad core principles. In addition, all security controls, or countermeasures, should be evaluated on how well they address the core principles of the CIA Triad.
Confidentiality
This core security principle is defined as the ability to restrict unauthorized subjects from accessing data, systems, objects or resources. Imagine an employee punches the timeclock and goes home for the evening but forgets to shut down or lock their computer. Even worse, they are still logged into the client database that contains all sorts of Personally Identifiable Information (PII) like your client’s names, addresses, and social security numbers. What happens if the janitorial service shows up to clean the office space and one of the cleaners notices the unlocked computer and helps themselves to the valuable info? This example illustrates the importance of Confidentiality.
There are many cyber-attacks used to violate confidentiality including, social engineering, theft of credentials or passwords, eavesdropping and network sniffing. Here are a few controls that you should consider incorporating into the program:
- Inventory of Devices and Software – It is very difficult to manage access to devices, applications and systems unless you have an accurate inventory of those assets. Once you understand what assets you own, only then can you begin to think about who is authorized to access and use them. At Databranch, our Managed Services clients have their inventory maintained for them by their Databranch Account Manager
- Data Classification – You must understand what data or information resides on your information systems. More importantly, you have to classify this data so that it can be protected according to value, sensitivity, and regulatory compliance.
- Access Controls – Systems and information should be physically and / or logically segregated based on data classification efforts. Access to systems and information should be granted to authorized users on a need to know basis. Procedures for granting and revoking access should be documented and enforced. Strong password policies should be implemented and enforced. Privileged accounts should be minimized and monitored very closely using logging and notification technologies. Multifactor Authentication (MFA) should be used by authorized users when accessing systems and data according data classification efforts and regulatory requirements.
- Encryption – Information should be encrypted at rest and in transit according to data classification, regulatory requirements and the annual risk assessment.
- Personnel Training – Many confidentiality breaches occur by accident or mistake. Authorized users need to be properly trained. They should understand your data classification policy and acceptable use policy. They should understand why certain security controls are in place, how to properly use them and why they should never attempt to circumvent them. Lastly, they should understand the threat landscape as it relates to confidentiality and what their actions and behaviors can do to help mitigate those risks. Click here to learn more about Databranch’s Annual Security Awareness training.
Integrity
This core security principle is defined as the ability for data and information to retain truth or, accuracy and be intentionally modified by authorized users only. Imagine a patient under the care of doctors and nurses at a hospital. The patient requires 100mg of medication every six hours. What happens if the nurse accesses the patients’ medical records and the 100mg has been modified (with malicious intent or by accident) and now reads 1000mg? This example illustrates the importance of integrity.
There are many cyber-attacks used to violate integrity including, computer viruses, malware, logic bombs, database injections and altering system configurations. Your cybersecurity program should absolutely work to promote integrity and defend against these attacks. Here are a few controls that you should consider incorporating into the program:
- Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) – IPS / IDS examines network traffic flows to detect and prevent vulnerability exploits. Many times this technology is embedded in perimeter defenses such as firewalls but, it needs to be enabled and configured to work properly.
- Anti-Virus / Anti-Malware – This powerful tool can be used to detect, quarantine and even remove malicious code from computers and systems. It is imperative that Antivirus software is installed and configured on all computing devices.
- Vulnerability Management – There should be a process for identifying known vulnerabilities across systems and applications and then remediating those vulnerabilities typically by installing patches. Click here to request your free Databranch baseline security assessment.
- Log Monitoring and Analysis – The ability to collect system and application logs and then monitor / analyze them is critical. It can detect anomalies in system behaviors and be used in forensic efforts post incident.
Availability
This core security principle is defined as the ability to grant authorized users uninterrupted access to systems and information. Imagine logging into your computer on Monday morning. You are refreshed from the weekend, ready to work and conquer the world. Then suddenly, a message flashes across your computer screen. The message explains that your computer and everything on it has been encrypted by ransomware, and you must pay a fee to receive the decryption key and resume regular work activities. You no longer have access to email, customer records, financial records, etc. What would you do if the applications and data on your computer were no longer available to use? This example illustrates the importance of Availability.
There are many cyber-attacks used to violate availability including, computer viruses, malware and denial of service (DoS). There are also circumstantial events that violate availably such as hardware failure and natural disasters. Your cybersecurity program should absolutely be influenced by the availability principle. Here are a few controls that you should consider incorporating into the program:
- Data Backup Systems – Effective data backup strategies should be defined, implemented and monitored for success. If systems or data suddenly become unavailable, recovery efforts almost always start with restoring from a successful backup job.
- Disaster Recovery (DR) and Business Continuity Planning (BCP) – Documenting DR and BCP plans is an absolute must. In addition, these plans should be tested, at least annually to verify effectiveness. Learn more about our Dataguard Backup and Recovery solution here!
- System Monitoring – Critical systems and applications should be continuously monitored for performance and capacity requirements. Proactive monitoring can often prevent unwanted outages or disruptions.
- Incident Response Plan – Having a plan to contain, eradicate, and recover from a cybersecurity incident is invaluable. Incidents create stress and chaos. Having an incident response plan introduces confidence and organization.
As one can see, the core principles of the CIA Triad (Confidentiality, Integrity and Availability) are simple information security concepts that when properly applied to policy and program creation can have a real meaningful impact our ability to stay safe and protected.
Contact Databranch today at 716-373-4467 x115 or [email protected] for any questions about the information above. You can also fill out the form below to set up a meeting with one of our experienced team members to discuss how we can help enhance your businesses cybersecurity.
Article used with permission from Huntress.
Read More