Friday, October 21, 2016

Cyber Security Month: Looking for Answers Part II?

NY Metro Joint Cyber Security Conference
I recently attended the Third Annual New York Metro Joint Cyber Security Conference (http://nymjcsc.org/), held in midtown Manhattan.  Security conferences are now a dime-a-dozen, but this event is unique in that it is a collaborative effort developed by a consortium of eight leading security-, audit- and risk-focused, NY metropolitan area not-for-profit professional associations. Each organization brings its best to the table, creating a rare combination of expertise and diversity of talent.

There were many informative sessions – some standing room only – but some of the greatest value was in the interaction with the other professionals.  For example, in sessions, we learned that security professionals must adopt the language of Directors to be understood by a Board.  The Internet Security Alliance is even working on metrics for Boards to use in evaluating security risks and controls.  But, after all the talk of security maturity models, cyber risk management frameworks, and “cyber balance sheets,” CISOs (Chief Information Security Officers) will tell you that Boards still “just don’t get it” and don’t seem to be that interested.  Perhaps CISOs as a group aren’t very good at explaining how greater focus on preventing and mitigating cyber threats is in the self-interests of very diverse sets of Directors.  Maybe, despite approaching the problem with the best of business concepts and lingo, CISOs just don’t have influence with Directors.  (As one CISO put it, “formulas don’t work.  Relationships do.”) Or, perhaps it’s because, as one speaker put it, there is not a single instance of a cyber breach that has been demonstrated to have a material impact on a company.  In the end, the surprising takeaway may not be that CISOs are becoming more adept at speaking the language of the Board, but that some Boards are beginning to listen at all.
This sold-out event offered excellent, high-quality presentations with plenty of actionable content.  If you weren't able to attend, you can still benefit from the recordings of many of the sessions.  They are available at http://livestream.com/internetsociety/nymjcsc/.  Presentation slides may be found at http://tinyurl.com/z3fz44d. I would highly recommend reviewing them.
And, don't forget to sign up early for next year's conference.  It's one of the best values in information security education that you'll find anywhere.  Follow www.nymjcsc.org and @NYMJCSC for details.

Phil Froehlich is Chief Operating Officer of Integris Security and a member (who listens) of the Executive Board of New York Metro InfraGard.

Cyber Security Month: Looking for Answers: Part I?


LI Business News Cyber Conference
Hilton, was once again informative, invigorating and enrolling. With a number of panelists participating, including both the Integris Security CTO, Blake Cornell, and U.S. Congressman (District 1) Lee Zeldin, nearly 100 individuals attended the breakfast event.
Topics of interest included Cyber Terrorism, Business Continuity, Government Legislation, Small Business Best Practices and other wide-ranging subjects. Some of the information shared is information that attendees can use in their day-to-day business operations.
A goal of Integris Security CTO Blake Cornell was to provide "simple and sound information that is short and sweet," further stating that "if your employees are untrained then no amount of technical information will help them understand. You can't make them understand, but you can help them understand."

Blake Cornell is the CTO of Integris Security LLC.

Sunday, October 16, 2016

Ransomware: Osterman Research Survey for Malwarebytes

Joseph Concannon (https://www.integrissecurity.com/index.php?aboutus=JosephConcannon)
Today I received a note from a friend who said he had fallen victim to a ransomware attack.  So I figured it's a good time to review some up-to-date expert research.  This review is a product of Integris Security LLC and we gladly share it with the community.

First, ransomware is a global issue affecting enormous-sized companies as well as my local friend.  Ransomware is a global threat and problem, and we must recognize the size and depth of this issue.  A survey was conducted during June of 2016 that included CIOs, CTOs, CISOs and other executives.  The survey included 165 corporations in the United States as well as companies from around the world.  39% of the companies that were contacted were impacted by a ransomware attack in the U.S. alone.  This is truly a global problem, but let's keep the focus here at home.  The report shows the various priorities by country.

The FBI describes ransomware as "an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them." Integris Security LLC evangelizes, through its President, Joseph Concannon, the value of Risk Management and the ongoing development of a solid business continuity program.  Concannon states: "This isn't a once-a-year review; this is a daily, weekly, monthly, quarterly and semi-annual program.  Risk Management opens the eyes of the Executive Team and Boards of Directors."

Second, it comes as no surprise that the survey results identified the healthcare and financial services industries as the prime targets.  Each is highly dependent upon business-critical information, according to Osterman Research, Inc.  Cyber criminals lie in wait until they find the prime target for an attack: one which cannot recover due to the lack of ransomware-fighting software.  In Osterman's survey, U.S. companies were most likely to fall victim to a ransomware attack (79% fell victim according to the survey).

Third, ransomware ranks as the fourth-highest security concern for senior executives in the United States as surveyed by Osterman Research, Inc., and more:

U.S. organizations are also more likely to place a high or very high priority on investing in education and training about ransomware for their end users; and for investing in resources, technology, and funding to address the ransomware problem.

Note well: What the Osterman Research reveals is the power play between tenured industry executives and newly appointed CIOs, CISOs and CTOs learning the minefield of budgeting.  Where do these technology executives make the push to gain budget for their projects, and can they convince business unit managers to join their team?  Who pays for training and education, and how does that weigh in the balance of getting things done?  Here's how it's playing out so far:
Somewhat ironically, however, U.S. organizations are also the least likely to have implemented any sort of ransomware training for their end users, and are among the most likely to offer only minimal training when they actually do so.  U.S. companies rate ransomware as a high or extremely high priority, unlike their counterparts in Germany, the UK and Canada, which consider it less of a threat.
Yet the training dollars in the U.S. continue to lag behind.

The survey that I am reviewing is called "Understanding The Depth of The Global Ransomware Problem," a report promoted by a company called Malwarebytes.
The perceived importance of regular, on-premises backups as a ransomware-recovery tool is quite high among U.S. and German organizations, but somewhat lower among the organizations we surveyed in Canada and the United Kingdom. However, Canadian and UK-based organizations were more likely to use regular, cloud-based backups to recover from ransomware. Other capabilities in place to address ransomware included on-premises ransomware-detection solutions (highest penetration in the U.S.), network segmentation (highest in Germany), and air gaps between data stores and the Internet (highest in Canada).
At Integris Security LLC we point out that segmentation and air gaps are important, as are on-premises backups NOT connected to the network you are backing up, and strong passwords that are changed every 90 days.  Here are the top 15 Cyber Security Precautions to follow, and some very good tips from the FBI for enterprise security teams to review:

Here are some tips for dealing with ransomware (primarily aimed at organizations and their employees, but some are also applicable to individual users):
  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they don’t need write access to those files or directories.
  • Disable macro scripts from office files transmitted over e-mail.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).
  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.
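As an added example (not from the post or from the FBI list) of the "verify the integrity of those backups" item above, the following Python script records a SHA-256 manifest when a backup is written and later reports which files were changed, deleted or added, which is exactly what a ransomware run against a still-connected backup would leave behind. The file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Digest of every file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root, manifest):
    """Compare the backup on disk with the manifest recorded when it was written.
    All three lists empty means intact. Store the manifest where the backed-up host
    cannot write, or whatever corrupts the backup can simply regenerate it."""
    current = build_manifest(root)
    return {
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }

def demo():
    """Constructed sample backup set, then simulated damage to a backup left connected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("quarterly figures")
        (root / "notes.txt").write_text("call the auditor")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Simulated tampering: one file overwritten, one deleted, one stray file added
        (root / "docs" / "report.txt").write_bytes(b"\x00\xffnot the original")
        (root / "notes.txt").unlink()
        (root / "stray.txt").write_text("constructed unexpected file")
        damaged = verify_backup(root, manifest)
    return clean, damaged
```

Run `verify_backup` on a schedule against each backup set, and treat any non-empty list as an incident rather than a housekeeping item.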

For those at home, we strongly recommend backing up to a USB stick or other storage drive with proper security "on board" to assess the device's health each time the device is accessed.  Saving important documents only to a computer is a thing of the past.  Time to think 2016 and the threats that come with the technological age we live in.  Store important documents in a safe deposit box (whether in paper or on a USB stick, storage drive or other form).  If it's important, then take the extra security steps.

STOP. THINK. CONNECT. (https://www.stopthinkconnect.org/) is the U.S. Department of Homeland Security campaign promoted during Cyber Security Awareness Month (October each year).  However, the evil email attachment continues to lure a seemingly endless waterfall of users over the brink.  Nothing beats education and awareness in preventing the loss of your computer to a cyber attack.  While on the computer, remember you are not in your living room.  You are in the "Wild West" and everyone's your friend.  You wouldn't leave your front door open at night, so don't leave your computer open either.
Integris Security LLC grew from our passion for protecting our nation’s critical infrastructures and years of providing industry professionals with best of breed solutions, proven best practices and top notch security education. We work tirelessly to nurture our clients’ TRUST. We will work equally diligently to EARN your trust.


Thursday, October 6, 2016

LIBN Cyber Security Conference - October 6th, 2016

Today's cyber security conference held by the Long Island Business News at the Huntington Hilton was a huge success.  The conference was packed and the panel with headliner U.S. Congressman Lee Zeldin was both informative and far reaching.

A wide range of cyber security topics included a discussion of the potential federal funding of security awareness strategies like "If You See Something, Say Something."  Attendees suggested that a new cyber security awareness strategy along the lines of "See Something" be started. Blake Cornell, CTO of Integris Security, suggested we use "Think twice before you click twice."  Everyone agreed that such a simple message was needed.

The panel touched upon some key areas and agreed that security awareness training, when implemented correctly, brings everyone into the company's security strategy and not just the security team.  Twenty to thirty employees watching the security posture of a company is better than 3-5 employees from the security team.  Chief Security Officers have their hands full, and gaining the trust and confidence of all employees to be on the lookout makes the CSO's job 100% easier.

Is it IT or is it Business?  A lively discussion broke out concerning the politics, budgeting and organizational culture in which professional security people work.  This environment is not always 100% on board with a strong security posture.  General agreement was reached on the theory that security starting from the top down works best.  If the boss is concerned about security, so is everyone else.  The next discussion was about whether it was the business or the IT department that owns security.  Well, this was put to rest quickly.  The IT staff and security personnel need to team with business unit managers and ask them to take ownership of what belongs to them and what is enabling their success. The better the integration with business leaders on the function and features of the computer tools used to bring profits to the business, the smoother the discussions will be about strengthening the security budgets so that the profit center environment is safe and secure.  The better everyone will sleep.

There are a great many things that people can do to keep the internet secure.  Unfortunately, there are a great many things which LURE us away from this common-sense approach to internet safety.  Changing passwords (long, with symbols, CAPS, lowercase letters and numbers) every 90 days is driving a positive change for your safety and security on the internet.  Writing those passwords down and storing them in a secure place is also a good idea. See more ideas on our web site.

For a two-hour conference, this one was packed with information and many new contacts as well.  Good job to LIBN, and we look forward to next year's conference and to the articles that will appear in LIBN, which should keep everyone on their toes.

For additional information on security tips, visit www.integrissecurity.com.  We have a full page of tips on our web site.