October is National Cyber Security Awareness Month. What can you do to protect your organization? And what can you pass along to your employees to help protect them online?
Threats against Wall Street by Anonymous, Sony breach (again!), Attacks against Japanese defense contractor, and other cyber attacks have marked the beginning of National Cyber Security Awareness Month (NCSAM)– which is observed every October. I'm not sure how many people are aware of the Awareness month because most are interested in news coming from Apple rather than cyber security. Internet security seems to have become a step child, a necessary evil, an annoyance, and another chore to put off.
This year marks the 8th year of NCSAM. The Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), are the champions and founders of National Cyber Security Awareness Month and work together during the month of October to increase general cyber security awareness.
There are many events being held throughout the United States many by the government agencies and universities but there are also awareness campaigns from various corporations. Google is helping spread the word about security issues. Microsoft launched an initiative for better browser security. Many other companies are also spreading the word. At the kickoff event at Michigan Cyber Summit 2011, Janet Napolitano, the secretary of the U.S. Department of Homeland Security (DHS), and White House Cyber Security Coordinator Howard Schmidt reinforced the need for cyber security and outlined various steps the government is taking to promote cyber security.
Although these are all good steps, what’s concerning is that only a small fraction of the population is involved or even aware of NCSAM. People are continuing to follow unsafe practices both at the corporation and at the individual level. Everyone should be reminded of the risks involved and impact of cyber threats on our daily lives. I have listed a checklist with tips and ideas below for both corporations and individuals. It’s certainly not an exhaustive list and we haven’t gone into too much detail, but if you are doing most of the things on these lists, you are way ahead of the curve.
Checklist – Ten Step Program for Corporations, Universities, Government Agencies
Protect your network – Make sure your network firewalls, routers, Intrusion Detection/Prevention systems (IDS/IPS), Web servers, and other security devices are properly configured with rules and updated on a regular basis. We find that many companies can be easily hacked because they haven’t patched their web servers to the latest versions even though the older versions have publicly known vulnerabilities. Follow other best practices for DMZ and routing of internal and external traffic. Check for vulnerabilities on your network devices and patch them right away.
Protect your endpoints – In this increasingly connected world, the definition of Enterprise has extended. Securing just the network servers and devices are not enough. You have to make sure that all your end-points like user desktops, laptops etc. all have firewalls, anti-virus, and other software to prevent them from downloading something malicious and spreading throughout your network.
Protect your data – Information about your customers and your employees is precious and you have an obligation to protect it. There are various ways to provide an additional layer of security using encryption, truncation, masking, and hashing types of technologies. Ensure you are protecting transmission of data with strong cryptography and security protocols.
Protect your apps – It’s a well-known fact that over 75 percent of cyber attacks occur through the Web application layer. In spite of this fact, most companies are doing little to nothing about testing their Web sites for security vulnerabilities, and then either remediating them or blocking them. Prioritize your applications in three groups – Tier 1 through 3. Start with Tier 1 and create a project plan to get to all your apps. Start assessing these applications either using an automated application scanning solution or a managed service/cloud solution. You might also need help from a manual penetration testing company for certain types of issues. Once you find vulnerabilities (and you’ll find a lot of them), prioritize them based on a quantitative risk score. Assign resources to fix those vulnerabilities and until they are fixed, use a Web Application Firewall type of technology to block them.
Ensure tight access to your cyber infrastructure – Proper authentication and access control is critical to maintain strong security. Ensure that your cyber infrastructure is accessed by authorized personnel, and systems and processes are in place to limit access based on need to know and according to job responsibilities. Ensure tight access to your physical infrastructure - Appropriate facility entry controls and monitoring of physical access to systems is critical. Ensure that only employees with proper authority can access certain areas like data center. It’s also very important to make sure that non-employees do not enter any part of the facilities by following another employee. Once the intruder is in, he can install malicious software on machines and cause havoc.
Protect your wireless – Check your wireless networks and access points on a regular basis to figure out if there are any rogue devices. Ensure proper password polices are being adhered to. Create a sound policy for mobile devices being used by your employees without making it too inconvenient for them.
Train your employees – Security is not just IT’s job. All employees must go through security awareness training. A lot of mistakes are made not because employees are malicious or stupid but because of lack of awareness. Training should include protocols for security, what to click on vs. not, which files should never be downloaded, etc.
Monitor your logs - Review logs for all system components at least daily. Log reviews must include those servers that perform security devices but also other devices like servers, applications, mobile devices, etc. Use automated tools to make appropriate decisions based on information intelligence.
Be compliant with regulations – If you are doing all the things listed above, chances are that you will be compliant with all the regulations. Focus on security first and then worry about compliance. Going through regulatory standards can help you in understanding what you might have missed.
Checklist – Ten Step Program for Individuals
Strong passwords – Hint: Using “password” as your password is not good. Short passwords can be cracked in a few seconds with online tools readily available. Use long passwords (at least 8 characters) with a mix of letter, numbers, and other symbols. You can also use a long sentence that you’ll always remember. Don’t use the same user nname/password for your bank account that you use for your social networking accounts. Also, don’t use easy to figure out names like your dog’s name, your favorite book, etc. that you so proudly display on Facebook.
How to access a site – Many consumers are searching for sites in Google and then clicking on links. Ideally, you should go straight to the address bar and type in the site you want to go to. There are hundreds of fake sites to lure you into the hacker’s website that looks just like your intended destination. If you have to Google it, make sure that you see if there are any malicious warning signs from Google next to the site before clicking it.
Upgrade your browser – Older browsers have a lot of security holes. Upgrading is easy and it takes only a few minutes. New browser versions are faster and more secure.
Run your AV and anti-Spyware – Although most users are used to having an anti-virus software on their PCs, many of them forget to update or even run the software (unless you have set it up for auto scanning). Also run an anti-spyware software like Search and Destroy on a regular basis. You can use clean-up software like Clean-Up and CCcleaner to clear your temporary files and cookies on a periodic basis.
Look at the address bar – If your address starts with https:// instead of http://, it’s more secure and you know that for the most part you will be connecting to the genuine server. A lot of applications, especially the ones that do e-commerce transactions have moved to a secure server format so type in “https” first when you type in the URL.
Hide those sticky notes – Most users still put their user names and passwords on sticky notes and stick them right on their desk or their PCs. Perfect. Now any one can look at your information and login to your account. Ideally, you should try to remember your credentials. But if you have too many you can use one of the various online services that allow you to store and retrieve passwords like Keepass, PassPack, LastPass etc.
Back-up your files – Even with all the precautions you could still get hacked. Back-up your files either on an external drive or an online storage service like Dropbox, Carbonite, Mozy etc. so you can retrieve them at any time.
Look before you click – Don’t click on anything that looks suspicious. Don’t get lured by enticing ads like “test your I.Q.”, “get a free movie” etc. Usually there’s a code behind those images which could allow the hacker to get access to all your confidential information.
Help out your kids and parents – Although kids are pretty tech savvy these days, they are also trusting since they are used to doing transactions online without thinking of security. Make sure they understand their environment, what sites they should or should not go to, who they should talk to online vs. avoid, etc. Same thing with parents who are not used to technology.
Stop. Think. Connect – Finally, I wanted to mention a sound tip from National Cyber Security Alliance. STOP - Before you use the Internet, take time to understand the risks and learn how to spot potential problems. THINK - Take a moment to be certain the path is clear ahead. Watch for warning signs and consider how your actions online could impact your safety, or your family’s. CONNECT - Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer.
Here are few sources to get more information:
Remember, there are various serious implications to not having a secure infrastructure – from a national to an individual level. So, although you don’t have to send a greeting card, (although Hallmark could look at it as an opportunity) remember this month from now on, to follow some basic rules on navigating the Information Superhighway, and give your security professional a hug.