As security professionals, we’ve been saying this so long that it’s become a bit cliché:  Users are your biggest threat to security and therefore business continuity.  Nevertheless, it remains true.  Sometimes, an employee’s desire to prove helpful is exactly what a malicious actor will use to gain access to sensitive information.  Other times, the gullibility of users proves useful.  Then again, the desire to keep security simple and convenient (remembering passwords) can create an opportunity to exploit.  All this being the case, why is it then that so few companies choose to invest in educating their users on what’s at stake and how to reduce the odds of becoming a cybersecurity victim?

There are many reasons for this, but most commonly it’s the business owner’s ignorance of the threats posed and what’s at stake for their business.  According to Inc Magazine, nearly 60% of all small businesses close within 6 months of falling victim to a cyberattack.  Yes, cybersecurity poses an existential threat to small and medium-sized businesses.

One cliché that proves false regarding cybersecurity is “If it isn’t broke, don’t fix it.”  Many businesses are playing digital roulette with their cybersecurity posture.  Business owners think that since they haven’t been attacked yet, they aren’t at risk of falling prey to an attack.  The truth is, though, that every company is one click away from a successful attack.  All it takes is an errant click on one email attachment or malicious banner ad on a website to open the gates for a successful attack.

Some business owners think they have a firewall and other protections in place, so they are covered.  What makes the user so critical in securing the network is that users are easier to “hack” than networks.  Users are now the front line of digital security – they are the target, because the malicious actors know that the internal user is a trusted agent on networks and cloud platforms.  By default, and generally for good reason, actions that originate from an internal user within the boundary of a network or application platform are trusted actions.  Thus, if a malicious actor can get behind that trusted perimeter, they will generally have free rein to launch their attack.  Most companies don’t even have the ability to perform a post-mortem on an attack, because they don’t have audit trail capabilities enabled.

What happens next?  Often, once behind the secured perimeter, the attacker lays low and surveils.  They will often siphon sensitive data, disable data protections, and plan out their attack to have the greatest negative impact upon your business.  They realize that you must be desperate if you are going to pay a lot of money to regain access to your information or to avoid public embarrassment.  Even if you can get your information back, many times the reputation hit your company takes from getting breached is enough to pose an existential threat to a company.  The bad actors know this, and they will look to exploit every way possible in order to get paid.

So what can you do to protect your business?

  1. Invest in security awareness training for your users.

This is a simple first step to take.  You can vary your tactics to ensure you get the best coverage across all employees/users.  You can use written forms of training and documentation, video training, or even simulations that will give feedback on which users are most susceptible to posing a security threat to the company.  Speak with your trusted security adviser for details on how best to engage your employees with security training.

  2. Invest in products and services that can mitigate the impact of a successful attack.

So many times, we have seen or studied instances where companies had a backup system, but their backup was not ransomware-proof (for a variety of reasons).  Due to this, they were forced to pay thousands of dollars to recover their data from ransomware, either by paying for technical labor to find a way to decrypt it or by paying the bad actors to get their data back.  Discuss your backup plan with your trusted security adviser to ensure you are completely protected, and that you have everything in place to mitigate the loss of data in a ransomware attack scenario.  Also, verify with your security advisers that you have tools in place to identify and mitigate attacks as quickly as possible, as well as to provide an audit trail for permissions use.  Your business needs vary depending on your attack surface, which differs from company to company.  There’s no good one-size-fits-all approach to security.

  3. Start writing policies and procedures for responding to an attack.

Just like anything else in business, whenever you invest the time to plan ahead for a security event, you’ll be more prepared to cope with a security incident.  Even if the plan isn’t perfect, you will fare better than those who are “winging it” with no plan at all.  The race to the South Pole between Roald Amundsen and Robert Falcon Scott, about which numerous books have been written, highlights the necessity of planning even when reality plays out differently, which inevitably it will.

The reason we use language like “start writing” is because as quickly as technology is evolving and changing, there will always be a need to refine and expand your policies/processes.  It is imperative to commit to maintaining an updated plan for how to respond to a security event within your organization.

  4. Build protections in your finance department and bank for any transaction above a specified amount.

Your banking or trusted financial institution can put policies in place to authorize the transfer of funds above certain amounts.  This can protect you from unauthorized wire transfers and other large payouts of funds, should a hacker gain access to your financial accounts.  Your banking institution wants you to avoid losing money as much as you do, as their reputation is at stake in such an instance.  Be sure to discuss best practices with your trusted finance adviser for how to avoid such scenarios.
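The same threshold control can be built into the finance department’s own release process, not just at the bank.  The following is an added example written for this article, not TCS code or any bank’s system.  It assumes a policy limit (DUAL_CONTROL_THRESHOLD), a small constructed vendor master of accounts verified out of band, and two controls the paragraph implies: a second approver who is not the initiator for any transfer at or above the limit, and payment only to the account on file rather than the account typed into the request.

```python
"""Dual control for outbound payments above a threshold.

Added example, not code from the original article or from TCS. Every name,
amount and account number below is constructed for illustration.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Assumption: the policy limit at or above which a second approver is required.
DUAL_CONTROL_THRESHOLD = Decimal("10000.00")

# Constructed vendor master: payee -> bank account verified out of band
# (by a call-back to a number already on file, never to one supplied in the request).
VENDOR_MASTER = {
    "Acme Supplies": "ACCT-111-222",
    "Blue Widgets": "ACCT-333-444",
}


class PaymentError(Exception):
    """Raised when a transfer fails one of the release controls."""


@dataclass
class TransferRequest:
    payee: str
    amount: str              # decimal string as entered, e.g. "2500.00"
    account: str             # account number as typed into the request
    initiator: str
    approvals: set = field(default_factory=set)

    def __post_init__(self):
        self.amount = Decimal(self.amount)

    def needs_dual_control(self) -> bool:
        return self.amount >= DUAL_CONTROL_THRESHOLD


def approve(req: TransferRequest, approver: str) -> None:
    """Record a second approval; the initiator can never approve their own request."""
    if approver == req.initiator:
        raise PaymentError("initiator cannot approve own transfer")
    req.approvals.add(approver)


def release(req: TransferRequest) -> dict:
    """Return the payment instruction if every control passes, otherwise raise PaymentError."""
    on_file = VENDOR_MASTER.get(req.payee)
    if on_file is None:
        raise PaymentError(f"unknown payee {req.payee!r}")
    if on_file != req.account:
        # A request naming a different account than the verified record is the classic
        # change-of-bank-details fraud; it must go back through out-of-band verification.
        raise PaymentError("requested account does not match verified vendor record")
    if req.needs_dual_control() and not req.approvals:
        raise PaymentError("second approval required at or above threshold")
    # Always pay the account on file, never the one in the request.
    return {"payee": req.payee, "account": on_file, "amount": str(req.amount)}


if __name__ == "__main__":
    req = TransferRequest("Acme Supplies", "25000", "ACCT-111-222", "alice")
    approve(req, "bob")
    print(release(req))
```

The two checks are deliberately independent: a second approver does not override a mismatched account, because the approver is usually looking at the same forged e-mail the initiator saw.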

  5. Discuss cybersecurity insurance options with your trusted insurance provider.

Cybersecurity insurance is fairly new in the insurance industry, so it is still evolving and adjusting to ensure viability and sustainability.  Many insurance providers now require a security audit and require that other protections be in place to mitigate risk on their end.  Nevertheless, if you put too much stock in your insurance plan instead of taking actions to strengthen security in your organization, you could find yourself in a situation where the insurance provider claims willful negligence and decides not to pay out in a security breach.  In order to protect yourself from such a claim, you must be able to demonstrate good faith efforts to protect yourself from security incidents.

  6. Finally, make your security mandates as convenient for the user as possible.

If your security measures are too inconvenient for the end user, they will find ways to circumvent them and expose your company to unnecessary risk.  For instance, there are much easier ways to enforce multi-factor authentication for users today.  A lot of users were frustrated by how cumbersome multi-factor authentication was in its early phases.  Today, with authentication apps and the coming technologies surrounding passwordless authentication, it is easier than ever to ensure the identity of your users and protect your organization from the vast majority of attacks.  Again, users will find creative ways to circumvent annoying security requirements and expose the company to risk, so this is a vital component in today’s marketplace.

In conclusion, don’t gamble with your company’s existence.  There are ways to protect your business from these bad actors that won’t break the bank.  Most industries require less than 5% of gross revenue to ensure their business is protected against the malicious hackers of the world.  While there is no silver bullet that will protect you completely, you can mitigate the effects and ensure business continuity despite a successful attack.  If you need some assistance with knowing where to start with business security and continuity planning, feel free to reach out to TCS for assistance.  We can assess where you are, where you need to be, and roadmap a plan to get there over a timeframe that works best for your organization.

AP English Strikes Again!

Today I will take a detour from our normal topics covering security and the continued progression toward cloud and mobility.  Instead, I want to get in the weeds a bit with what we techies call “speeds and feeds”.  In other words, what are technology standards and why do they matter to you?  Glad you asked!  I will start by showing my answer, then explaining how I got there.  This will be a bit like when I took AP English in high school and would turn in an outline, followed by the rough draft, only then to add all of the spit and polish for the final paper – except, being the hard head that I was (and still am if you ask my wife), I would write the final paper first, then reverse engineer the outline and rough draft from there.  But please keep that little secret between just you and me.

TL;DR

Our recommended operating standards for Small Business look something like the following:

  • Business Class Broadband of 100M down and 20M up with a static IP address for management
  • Laptop or workstation with Windows 10 Pro, Intel i5 4 Core CPU, 16GB RAM, 512GB SSD Hard Drive
  • Firewall with security subscription appropriately sized for subscribed Internet speed
  • Gigabit managed network switches with 10G fiber between connected switches
  • Wireless “AC” access points
  • CAT6 copper ethernet cabling

<RANT>An interesting side note here:  We recently upped our minimum recommended size for hard drives from 256GB to 512GB because of the incredibly large updates pushed by Microsoft every six months.  These are equivalent to downloading and installing the entire OS while keeping a backup copy of your existing operating system in case of the need to roll back to the previous version.</RANT>

Running the Small Business “Enterprise”

A quality Managed Services Provider recognizes the broader ramifications of simplifying the general network design.  A single IT team can support a hundred different organizations because the infrastructure is consistent across all its clients.  It is as if these businesses are all part of one enterprise except for their unique line of business applications.  With software support, we can successfully vendor-manage any issues with these applications.  Technical training and competencies can be aligned to support a finite stack of manufacturers and products.  This translates to faster, more effective support, which lowers support costs, improves issue resolution times, and increases client satisfaction.  Accordingly, our new support contracts provide the firewall, backup hardware, switches, and access points along with M365 subscriptions, security tools, and endpoint management software – standards create more predictable outcomes and multiply service team effectiveness.  Our three pillars for choosing these products are:

  • Appropriate size and features for small business,
  • Lowest cost and best reliability without sacrificing the above, and
  • Quality vendor support and training to enable efficient installation and maintenance of systems.

This combination creates a win-win for the MSP and its clients!  The safeguard for the client is being backed by a tech company who will not only spec and sell the equipment but own the results.

From English to Calculus

Let us clear up the big caveat first: there is no cookie-cutter approach to IT.  Okay, so why have these standards?  Figuring out the proper specs for workstations, servers, and networks is not exactly rocket science, although it can be somewhat complex.  Solving for this becomes a multi-variable math equation.  The composite system requirements for all software in use can be distilled down into design specifications for technology operations, but there are also some reasonable estimations we can make for SMB.  Software is relatively consistent across a wide variety of organizations except for niche “line of business” applications.  Also, Managed Service Providers generally serve businesses too small to justify staffing a complete technology department (which is why outsourcing to an MSP makes sense).  This means the complexity and size of the networks are reduced, making the parameters for these technology standards more predictable.

Always Outliers

There are exceptions, to be sure.  An engineering firm or fabrication shop using CAD requires higher-end workstations with more RAM, faster processors, and a dedicated graphics card, for example.  Even these share common traits with a gaming PC or a Radiology PACS reading station.  The specifications are easy to solve for by looking up the requirements for that application.  But the key point here is we can standardize the ninety percent use case and then invest more expensive engineering/consultant resources for the outliers.  This means we can go fast and be right except when we need to slow down for the other ten percent case.  And while the adage of “Good, Fast, Cheap…pick two” holds true, we can make recommendations for any part of your infrastructure efficiently, understanding how these systems perform across a wide variety of clients.  Therefore, we do not need to hold a ten-legged (read: expensive) committee meeting to assess and recommend your next laptop or network switch.

When Best Buy is not the Best Buy

This means the best opportunity for reducing the total cost of ownership of your IT is to follow the recommendations of your trusted technology partner.  They are responsible for managing your environment along with many others to keep infrastructure and support costs to a minimum.  I know the $299 laptop special with Windows Home Edition at Best Buy is tempting, but it may result in higher support costs, additional hardware upgrade expenses, and reduced worker efficiency.

Soft, Gooey, What?!

Still no Silver Bullet…

In this article we are going to distinguish between various areas of our defense-in-depth strategy.  If you have read our prior posts, you know security is not a single thing and there is no magic silver bullet, but good security is a combination of layers of defense.  So here is the problem with the traditional approach: much emphasis has been placed on the corporate network with its firewalls, intrusion detection, content filters, hard-wired ethernet connections, and encrypted corporate wifi – except there is a paradigm shift toward mobility and this puts our endpoint devices and applications at a disadvantage.

Safety outside the castle

Access is needed outside of the high castle (corporate) walls where the commoners gather.  Places like Starbucks or the now ubiquitous home office.  These external areas most often do not share the same security features as the traditional workplace network.  So, what is “soft and gooey”?  Well, the truth is, even the corporate network is not as secure as we would like to believe.  Yes, it is more secure, but with the ever-increasing threats of email phishing, zero-day attacks, and other threats, the constant cat and mouse game of securing the network is often a losing battle.  We still need to address these areas, but even more is needed.  And because of the trend to cut the corporate tether and leverage the advantages of mobility, the current best defense strategy is to assume the corporate network is an unsafe zone and beef up efforts to build security around the endpoint (more and more often a laptop or smart phone/tablet these days) and likewise the application itself.

Endpoint Protection

Not your average antivirus

Endpoint protection is generally reduced to signature-based antivirus.  The flaw is that these products are ineffective against new threats that have not yet been cataloged by the software vendor and released as updates.  Also, threats evolve into different variants that are not detected by the antivirus engine and leave your device open to attack.  Installing operating system updates helps but still does not offer protection against unknown vulnerabilities.

More needs to be done.  New “next generation” antivirus products build on the traditional approach by using behavior monitoring and artificial intelligence.  These security products not only block known/cataloged threats but are able to detect unknown threats by looking for malicious behavior by the application running on your device.  Advanced heuristics establish a baseline of “normal” behavior and shut down activity when a process misbehaves.
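To make the difference between the two approaches concrete, here is an added example (not from the article and not any vendor’s detection engine).  It runs two toy detectors over a constructed process-event log: one matches binary hashes against a known-bad list, the way signature antivirus does, and one scores each process’s actions against a per-process baseline of normal behavior.  A repacked variant of the same dropper, with a hash the signature feed has never seen, slips past the first detector and is still flagged by the second.  The baseline, weights and threshold are assumptions chosen for the illustration.

```python
"""Signature matching versus behavior-based detection, side by side.

Added example, not code from the original article or from any product.
The event log, hashes, baseline and weights are all constructed.
"""
import hashlib


def h(label: bytes) -> str:
    """SHA-256 of a constructed stand-in for a binary's contents."""
    return hashlib.sha256(label).hexdigest()


# Constructed sample: (process name, sha256 of its binary, actions observed).
EVENTS = [
    ("winword.exe", h(b"word-build-1"), ["open_doc", "write_tmp"]),
    ("winword.exe", h(b"word-build-1"), ["open_doc", "print"]),
    ("dropper.exe", h(b"dropper-v1"),
        ["spawn_powershell", "disable_shadow_copies", "mass_rename"]),
    # Same behavior, recompiled/repacked: the hash changes, the actions do not.
    ("dropper.exe", h(b"dropper-v2-repacked"),
        ["spawn_powershell", "disable_shadow_copies", "mass_rename"]),
]

# Signature feed: only the first dropper build has been catalogued so far.
KNOWN_BAD_HASHES = {h(b"dropper-v1")}

# Baseline of "normal" actions learned per process name (assumed, not learned here).
BASELINE = {
    "winword.exe": {"open_doc", "write_tmp", "print", "save_doc"},
}

# Off-baseline actions that carry extra weight; anything else off-baseline scores 1.
ACTION_WEIGHTS = {"disable_shadow_copies": 5, "mass_rename": 4, "spawn_powershell": 2}
BLOCK_THRESHOLD = 5


def signature_detect(events):
    """Indices of events whose binary hash is on the known-bad list."""
    return [i for i, (_, digest, _) in enumerate(events) if digest in KNOWN_BAD_HASHES]


def behavior_score(process: str, actions) -> int:
    """Sum the weights of actions outside the process's baseline.

    A process with no baseline at all (never seen before) has every action
    counted, which is exactly the case a signature feed cannot cover.
    """
    normal = BASELINE.get(process, set())
    return sum(ACTION_WEIGHTS.get(a, 1) for a in actions if a not in normal)


def behavior_detect(events, threshold: int = BLOCK_THRESHOLD):
    """Indices of events whose off-baseline score reaches the block threshold."""
    return [i for i, (proc, _, actions) in enumerate(events)
            if behavior_score(proc, actions) >= threshold]


if __name__ == "__main__":
    print("signature hits:", signature_detect(EVENTS))   # only the catalogued build
    print("behavior hits: ", behavior_detect(EVENTS))    # both builds
```

The trade-off the article hints at shows up in `behavior_score`: the baseline has to be learned per environment, and a threshold set too low will stop legitimate but unusual work, which is the tuning burden that signature matching never had.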

Even more is needed

An additional capability involves moving content filtering from the corporate firewall to the endpoint itself.  This can be accomplished with very little additional overhead as the filtering takes place on secure Internet DNS servers (hosted by the security vendor).  This is a valuable security measure when developing a mobility-first strategy.

Who has not seen a VPN commercial these days?!  There seems to be an endless number of companies selling virtual private network technology.  These can be used to extend the corporate network for secure access to on-premises and/or cloud-hosted applications.  Also, a VPN can be leveraged to encrypt general Internet traffic on an endpoint connected to unsafe/open wireless networks (like Starbucks).

Further, endpoint cloud backup is desirable when there is critical data on a laptop that is not saved frequently to servers. This trend is more common as we rely less on servers and move our data to cloud storage.

Application Protection

C squared = B + HS = I V

Reading a bit like a Phil Mickelson formula to defeat Tiger Woods, the alphabet soup of IT Security can be equally intimidating – we get something like HTTPS+VPN+2FA-MITM = GTG. Much like securing the endpoints in untrusted environments, the applications can be protected from unauthorized access.  Two-factor authentication along with forcing an encrypted connection is a common approach these days.  You will notice most web sites you visit these days use https instead of http.  The former is an encrypted connection while the latter is open to what is called “Man-in-the-middle” (MitM) attacks due to the lack of an encrypted session.  Essentially a hacker can read user passwords and other data sent back and forth over the unencrypted connections while it is much more difficult to do the same thing when the connection is secured using advanced encryption.  Cloud-hosted applications can also use software firewalls to enable many of the same security features traditionally found on the corporate hardware firewalls. 

M365 to the rescue

Microsoft 365 is a good example where application security can be enhanced.  Companies using 365 email have the mail transport encrypted end to end between internal and external parties running on the same Microsoft hosted platform.  Further, anti-phishing and cloud-to-cloud backup can be used to protect the documents and emails stored on the M365 system.  Additionally, Microsoft Teams communications through chat or voice/video calls are encrypted.  There are huge benefits to living within this ecosystem as much as possible as the number of security products needed to protect communication and collaboration can be reduced.  Less complexity also means greater security as there are fewer configurations needed to make the security work.  When combined with Microsoft Azure virtual server hosting, it is now possible to move niche line of business applications and critical company workflows to the secured Microsoft environment.

So What, Now What?

Will legislation force all of our hands?

Responsibility is being placed on the Managed Services Provider to enforce these security measures.  For example, Louisiana Act 117 – Senate Bill 273 requires MSPs that manage infrastructure or end-user systems for “public bodies” to register with the state.  Additionally, MSPs are now required to disclose cyber incidents to the state. 

Similar legislation is expected to make its way to other states, and there will be increased top-down accountability between regulated organizations and their technology vendors.  This means MSPs will continue to up their security game or be left behind.  Also, managed service providers will become more selective when choosing their clients to ensure there is a closer alignment of operational maturity levels (OML); otherwise there will be constant tension between the MSP’s obligations and the organization’s cooperation to improve security.

Follow the leader

The best approach is when a security-minded MSP articulates the reasons behind the need and the client trusts the advice of its technology partner and follows their lead.  For those who refuse to take security seriously, MSPs may be eventually forced to document the opt-out on the client’s part by issuing a legal letter advising of the dangers of not implementing the needed defenses.  This will strain relationships where there is a mismatch of OML or where trust is lacking.  What this means for all of us is the cost of doing business will continue to go up as more products and time will be needed to implement these solutions.  But the risk is too high to ignore the warnings and being wrong about security can result in a higher cost to business due to downtime, stolen data, or potential fraudulent wire transfers.  Be sure your organization has implemented the latest and greatest security tools and services by having a conversation with your trusted security advisor.