Friday, October 21, 2016

Cyber Security Month: Looking for Answers Part II?


NY Metro Joint Cyber Security Conference
I recently attended the Third Annual New York Metro Joint Cyber Security Conference (http://nymjcsc.org/), held in midtown Manhattan. Security conferences are now a dime a dozen, but this event is unique in that it is a collaborative effort developed by a consortium of eight leading security-, audit-, and risk-focused not-for-profit professional associations in the NY metropolitan area. Each organization brings its best to the table, creating a rare combination of expertise and diversity of talent.

There were many informative sessions – some standing room only – but some of the greatest value was in the interaction with the other professionals. For example, in sessions, we learned that security professionals must adopt the language of Directors to be understood by a Board. The Internet Security Alliance is even working on metrics for Boards to use in evaluating security risks and controls. But, after all the talk of security maturity models, cyber risk management frameworks, and “cyber balance sheets,” CISOs (Chief Information Security Officers) will tell you that Boards still “just don’t get it” and don’t seem to be that interested. Perhaps CISOs as a group aren’t very good at explaining how greater focus on preventing and mitigating cyber threats is in the self-interest of very diverse sets of Directors. Maybe, despite approaching the problem with the best of business concepts and lingo, CISOs just don’t have influence with Directors. (As one CISO put it, “formulas don’t work. Relationships do.”) Or, perhaps it’s because, as one speaker put it, there is not a single instance of a cyber breach that has been demonstrated to have a material impact on a company. In the end, the surprising takeaway may not be that CISOs are becoming more adept at speaking the language of the Board, but that some Boards are beginning to listen at all.
This sold-out event offered excellent, high-quality presentations with plenty of actionable content.  If you weren't able to attend, you can still benefit from the recordings of many of the sessions.  They are available at http://livestream.com/internetsociety/nymjcsc/.  Presentation slides may be found at http://tinyurl.com/z3fz44d. I would highly recommend reviewing them.
And, don't forget to sign up early for next year's conference.  It's one of the best values in information security education that you'll find anywhere.  Follow www.nymjcsc.org and @NYMJCSC for details.

Phil Froehlich is Chief Operating Officer of Integris Security and a member (who listens) of the Executive Board of New York Metro InfraGard.

Cyber Security Month: Looking for Answers: Part I?


LONG ISLAND BUSINESS NEWS
LI Business News Cyber Conference
Hilton, was once again informative, invigorating and enrolling. With a number of panelists participating, including both the Integris Security CTO, Blake Cornell, and United States Congressman US District 1, Lee Zeldin, nearly 100 individuals attended the breakfast event.
Topics of interest included Cyber Terrorism, Business Continuity, Government Legislation, Small Business Best Practices and other wide-ranging topics. Some of the information shared is information that attendees can use in their day-to-day business operations.
A goal of Integris Security CTO, Blake Cornell, was to provide “simple and sound information that is short and sweet,” further stating that “if your employees are untrained then no amount of technical information will help them understand. You can’t make them understand but you can help them understand.”

Blake Cornell is the CTO of Integris Security LLC.

Sunday, October 16, 2016

Ransomware: Osterman Research Survey for Malwarebytes

https://www.integrissecurity.com/index.php?aboutus=JosephConcannon
Joseph Concannon
Today I received a note from a friend who said he had fallen victim to a Ransomware attack. So I figured it's a good time to review some up-to-date expert research. This review is a product of Integris Security LLC and we gladly share this with the community.

First, Ransomware is a global issue affecting enormous companies as well as my local friend. We must recognize the size and depth of this issue. A survey was conducted during June of 2016 that included CIOs, CTOs, CISOs and other executives. The survey included 165 corporations in the United States as well as companies from around the world. 39% of the companies that were contacted were impacted by a ransomware attack in the U.S. alone. This is truly a global problem, but let's keep the focus here at home. The report shows the various priorities by country.

The FBI describes Ransomware as "an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them". Integris Security LLC evangelizes, through its President, Joseph Concannon, the value of Risk Management and the ongoing development of a solid business continuity program. Concannon states: "this isn't a once a year review, this is a daily, weekly, monthly, quarterly and semi-annual program. Risk Management opens the eyes of the Executive Team and Boards of Directors".

Second, it comes as no surprise that the survey results identified the healthcare and financial services industries as the prime targets. Each is highly dependent upon business-critical information, according to Osterman Research, Inc. Cyber criminals lie in wait until they find the prime target for an attack: one which cannot recover due to the lack of ransomware-fighting software. In Osterman's survey U.S. companies were most likely to fall victim to a ransomware attack (79% fell victim according to the survey).

Third, Ransomware ranks as the fourth-highest security concern for senior executives in the United States as surveyed by Osterman Research, Inc., and more:

 U.S. organizations are also more likely to place a high or very high priority on investing in education and training about ransomware for their end users; and for investing in resources, technology, and funding to address the ransomware problem.

Note well: What the Osterman Research reveals is the power play between tenured industry executives and newly appointed CIOs, CISOs and CTOs learning the minefield of budgeting. Where do these technology executives make the push to gain budget for their projects, and can they convince business unit managers to join their team? Who pays for training and education, and how does that weigh in the balance of getting things done? Here's how it's playing out so far:
Somewhat ironically, however, U.S. organizations are also the least likely to have implemented any sort of ransomware training for their end users, and are among the most likely to offer only minimal training when they actually do so.  U.S. companies rate Ransomware as a high or extremely high priority, unlike their European counterparts in Germany and the UK or Canada which consider it less of a threat. 
Yet the training dollars in the U.S. continue to lag behind.   

The survey that I am reviewing is called "Understanding The Depth of The Global Ransomware Problem", a report promoted by a company called Malwarebytes.
The perceived importance of regular, on-premises backups as a ransomware-recovery tool is quite high among U.S. and German organizations, but somewhat lower among the organizations we surveyed in Canada and the United Kingdom. However, Canadian and UK-based organizations were more likely to use regular, cloud-based backups to recover from ransomware. Other capabilities in place to address ransomware included on-premises ransomware-detection solutions (highest penetration in the U.S.), network segmentation (highest in Germany), and air gaps between data stores and the Internet (highest in Canada).
At Integris Security LLC we point out that segmentation and air gaps are important, as are on-premises backups NOT connected to the network you are backing up, and strong passwords that are changed every 90 days. Here are the top 15 Cyber Security Precautions to follow. Here are some very good tips for enterprise environment security teams to review (FBI):

Here are some tips for dealing with ransomware (primarily aimed at organizations and their employees, but some are also applicable to individual users):
  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions appropriately. If users only need to read specific information, they don’t need write-access to those files or directories.
  • Disable macro scripts from office files transmitted over e-mail.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).
  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

For those at home we strongly recommend backing up to a USB stick or other storage drive with proper security "on board" to assess the device's health each time the device is accessed. Saving important documents to a computer is a thing of the past. Time to think 2016 and the threats that come with the technological age we live in. Store important documents in a safe deposit box (whether in paper or USB or storage drive or other form). If it's important, then take the extra security steps.

STOP THINK CONNECT (https://www.stopthinkconnect.org/) is the U.S. Department of Homeland Security campaign promoted during Cyber Security Awareness Month (October each year). However, the evil email attachment continues to lure a seemingly endless waterfall of users to the brink. Nothing beats education and awareness in preventing the loss of your computer to a cyber attack. While on the computer remember you are not in your living room. You are in the "Wild West" and everyone's your friend. You wouldn't leave your front door open at night, so don't leave your computer open either.
Integris Security LLC grew from our passion for protecting our nation’s critical infrastructures and years of providing industry professionals with best of breed solutions, proven best practices and top notch security education. We work tirelessly to nurture our clients’ TRUST. We will work equally diligently to EARN your trust.


Thursday, October 6, 2016

LIBN Cyber Security Conference - October 6th, 2016

Today's cyber security conference held by the Long Island Business News at the Huntington Hilton was a huge success.  The conference was packed and the panel with headliner U.S. Congressman Lee Zeldin was both informative and far reaching.

A wide range of cyber security topics included a discussion of the potential federal funding of security awareness strategies like "If You See Something, Say Something". Attendees suggested that a new cyber security awareness strategy along those lines be started. Blake Cornell, CTO of Integris Security, suggested we use "Think twice before you click twice". The simple message was something that everyone agreed was needed.

The panel touched upon some key areas and agreed that security awareness training, when implemented correctly, brings everyone into the company's security strategy and not just the security team. Twenty to thirty employees watching the security posture of a company is better than 3-5 employees from the security team. Chief Security Officers have their hands full, and gaining the trust and confidence of all employees to be on the lookout makes the CSO's job 100% easier.

Is it IT or is it Business? A lively discussion broke out concerning the politics, budgeting and organizational culture in which professional security people work. This environment is not always 100% on board with a strong security posture. General agreement was reached that security starting from the top down works best. If the boss is concerned about security, so is everyone else. The next discussion was about whether it was the business or the IT department. Well, this was put to rest quickly. The IT staff and security personnel need to team with business unit managers and ask them to take ownership of what belongs to them and what is enabling their success. The better the integration with business leaders on function and feature of the computer tools used to bring profits to the business, the smoother the discussions will be for improvements to strengthen the security budgets so that the profit center environment is safe and secure. The better everyone will sleep.

There are a great many things that people can do to keep the internet secure. Unfortunately there are a great many things which LURE us away from this common sense approach to internet safety. Changing passwords (long, with symbols, CAPS, lowercase letters and numbers) every 90 days is driving a positive change for your safety and security on the internet. Writing those passwords down and storing them in a secure place is also a good idea. See more ideas on our web site.

For a two-hour conference this one was packed with information and many new contacts as well. Good job to LIBN, and we look forward to next year's conference and some of the articles to appear in LIBN, which should keep everyone on their toes.

For additional information on security tips, visit www.integrissecurity.com. We have a full page of tips on our web site.

Wednesday, September 28, 2016

Information Security in Corporate Valuation

What do you look at when considering the corporate valuation of a company? Chief financial officers pore over spreadsheets, public filings and much more to get a temperature so they can inform investors, boards and others in the decision-making process. Where is information security in this discussion? Who is the chairman of the board's audit committee and how comprehensive are the details and reports? How accurate and truthful are these reports and details? Who is the chairman of the technology committee and are his/her reports accurate, timely and reflective of the needs of the company to support the basic operations of the company?
Whether you're a big box company like Target, a credit card processor like Heartland Payment Systems or just one of the largest email giants like Yahoo!, these and many other questions have to be answered accurately, timely and honestly and yes, sometimes even painfully.

We have all read in the news that Verizon is on the path to make an offer to Yahoo! with finalization next year, and this latest exposure is certainly going to figure large into pricing. Verizon will pay a competitive price, but will not buy based on a hunch. They will skillfully look at every single part of the Yahoo! digital empire and figure out just how much work will be needed to mend the broken system. Information security practice will loom large as the price for Yahoo! could potentially shrink. Information security is going to have to push its way into the board room and profit center discussions. If not, the corporate valuation is just not honest and leaves a lot to be desired when looking at the totality of the circumstances. Assessing a computer environment can be a very straightforward business. But what we're seeing are limitations put on security professionals or very narrow scoping of projects, which is shaving away a more wholesome look into the entire computer enterprise. This is just a delaying tactic which is putting off the unavoidable. Auditing should be ongoing quarter to quarter, year to year and used in helping to set budgets for the out years. Audit chairs should be a part of the internal profit center discussions and everyone should be mindful of function over feature creep without warranted information security checks prior to implementation. The sales guys are going to have to get involved in securing the environment in which they play a critical role.

Integris Security is your trusted IT Security team that can help you as we provide tailored, high quality security solutions based on industry best practices and our principals' combined experience of more than eighty years. Call us for an appointment and free consultation.

Friday, June 24, 2016

Drones: Are they on your radar?

Drones - friend or foe?
Early in the computer industry programmers used to write computer code to automate many functions and features.  As the years progressed the same code was used for more nefarious purposes. Computer code used for these nefarious purposes is commonly called malware: Viruses, Worms and Trojans. 

Now early in the drone industry we are being teased with visions of Amazon dropping boxes in our rear yard, fast food deliveries arriving with piping hot pizza via a drone and many other examples of how the use of this technology can enhance our lives.  The examples are endless.

However, while drones can in fact do much to enhance our lives the use of drones can also be pointed to more nefarious purposes.  Common perimeter defenses can be easily undermined with relatively little effort for the determined attacker.  With a few thousand dollars your intellectual property can vanish in seconds.  Installation of an onboard camera with pan tilt and zoom could steal your ideas right out of your board room.  The drone can do this and more while still being blocks away.  As drones mature and their payload capability increases security directors and facility personnel concerns will only increase.

Integris Security LLC has for years identified both leading and bleeding edge technologies.  Today, we have identified a strategy, a technology and method to address not all but some of the issues concerning drones.  We would like to set an appointment to speak with you and see if this is on your radar screen.  Drones can be managed and can be one less thing that keeps you up at night.

Press Release:
http://tinyurl.com/hjwpt54

FAA News:

http://thecipherbrief.com/article/exclusive/tech/implications-new-faa-commercial-drone-rules-1092

Integris Security Web Site 6/25/16: