Cyber-Security, Risk Management, and Compliance

There is no single foolproof safeguard to protect your systems (ask JP Morgan, Home Depot and Target), but Vistage speaker and nationally known IT security expert Mike Foster suggests a combination of simple, easy-to-implement “obstacle courses” that will put hacking your system beyond the capability of the average hacker and make it not worth the time and trouble of the best ones. The number of your company’s devices that are not on premises makes this doubly important. The key, according to Foster, is to get EVERYONE in your company, especially the remote users, onto the IT security team. To that end, he has provided the list of IT safeguards below; the first portion of these recommendations is actionable by your entire team, while the last portion of tactics requires the involvement of your IT professional. He suggests you share it with your IT/Risk Management directors, and you might track how many of these tactics you’re not using. (Thanks to Mike Foster for this valuable checklist.)

Find more details in plain English at www.FosterInstitute.com/blog.htm

Empowering CEO/Executives to be Savvy, So You Can Sleep Better at Night

Strategies & Tools for Your Own “Travel Laptop” and/or “Work from Home”

Using a computer to work from the road, or work from home, increases cyber-risk for you and your organization. Remote users, including sales professionals who spend time connected remotely, may unnecessarily expose your organization and increase your vulnerability to cyber-crime. Provide this document to your risk management department. Suggest that they distribute the first three pages to all of your workers who work remotely:

1. Use long passwords. Call them passphrases – 14 characters or longer.

2. Use a password manager so you don’t need to remember all of those passphrases. For your most sensitive sites, like financial sites, keep those passphrases in your memory. Two common solutions Vistage members like include LastPass and RoboForm.

3. Do not reuse passwords on multiple sites. When an attacker discovers one of your passwords, he will see where else that password works.

4. Use 2-Step Login when available. Many services, including Google and Dropbox, permit 2-Step Login. An example is when you enter a password into a website, the site sends a text message to your phone asking if it is really you who is attempting to log on. In theory, if someone else is trying to log in to your account, even if they know your password, they won’t be able to authenticate as you unless they have your phone too.

5. Set a passcode on your phone. Do not use 1234, 0000, 1111, or 2580.

6. Think twice before using public Wi-Fi. Using Wi-Fi in an airport, coffee shop, hotel, or anywhere else can be very dangerous. Instead, use your phone: most phones these days permit you to connect your laptop through the phone to use the Internet. The connection speeds are usually very fast, and unless you are watching movies, the amount of data you consume may be less than you think.

7. Be sure to use a password on your own WiFi. Without one, someone could connect to your WiFi, perform some criminal activity (perhaps both disgusting and illegal), and then law enforcement would trace the activity back to you. You’d be the one in trouble then. Even though wireless passwords are sometimes trivial to crack, you don’t want to make it super-easy for someone to connect to your WiFi. So, at least set some password, preferably a long one, and don’t share it. At work, don’t use a “here is our WiFi password” kind of password.

Instead, consider asking your IT pros to configure “WPA2 Enterprise” for your work WiFi. It is much more difficult to crack, and the users never even see the password.

8. Enable automatic update for Apple and Windows computers. Though an update might cause a malfunction, some people deem the risk of an installed patch causing a malfunction to be much smaller than the higher risk of being a victim of a hack because of not being patched. Normally, any malfunctions are easy to remedy. Setting the patches to install automatically saves you time and helps protect you from installing “fake” patches. Never click on a link that says, “Click here for a patch.” That link may be someone trying to “trick” you into applying a malicious program that is disguised as a patch. If you are ever in doubt, visit the actual website, for example www.adobe.com, and download your patches there.

9. Update Flash, Java, Reader (as in PDF reader), and your browsers (Firefox, Chrome, Safari, Internet Explorer). The “lack of patches” on these products is often exploited by attackers.

10. Upgrade Windows, Apple OS, and Office as soon as possible after new versions are stable.

11. Consider using OpenDNS.com. They sell services but have a simple, no-charge service that helps protect against Internet threats.

12. Add image backup to your strategy. Using online backup is common, and usually a great idea. Supplement online backup with “Image Backup,” which takes a snapshot of your entire computer. If you ever find yourself faced with the need to restore a crashed computer, you would otherwise need to invest a lot of time re-installing the operating system and your programs before you could restore from your online backup. An “image” backup, such as Carbon Copy Cloner for Apple and Ghost or Shadow Protect for Windows, allows you to restore a computer in one step. The online backup is helpful too, for restoring files more recent than your last image backup. Additionally, having more than one backup strategy is normally a great idea.

13. Windows BitLocker, and Apple’s FileVault, allow you to encrypt external USB drives to protect sensitive information. BitLocker requires Windows 8.1 Pro (as opposed to plain Windows 8.1); if you have Windows 7, you’ll need Ultimate. So you may need to upgrade your version of Windows if your home computer is using another version of Windows. Microsoft “Enterprise” versions of Windows support BitLocker too. There are other options besides BitLocker for encryption – please say if you would like recommendations.

14. Categorize what to put into cloud storage. Realize there is always a slight chance that the data could be breached. One strategy is to encrypt data before you put it into the cloud.

15. Microsoft Office provides a way to encrypt individual files by choosing File > Protect Document.

16. Do not renew antivirus; buy the new release. Your anti-virus company will offer you a way to renew your existing license, but if you buy a new one, you may get a “brand new updated version” that will potentially protect your systems even more.

17. When you do buy anti-virus, be sure it includes other tools like a software firewall, perhaps a host-based intrusion detection (HIDS) component, application control, and other more advanced features.

18. Consider using location tracking programs on your laptops too – not just your smartphones. LoJack for Laptops is an example of a solution, and there are others from which to choose.

19. Remove pre-installed junk-ware. New computers sometimes come laden with extra programs, some of them temporary trial versions, which you’ll never need. Every extra program is just one more place an attacker might gain a foothold. Strip your computers to the minimum components and programs necessary to get the job done, and that will help increase your cyber-security.

20. Lock your screen and keyboard when you step away from your computer. To unlock the screen, you’ll simply enter your usual password, so there is nothing new to learn. On Windows machines, hold down the “Windows” key and press the L key to lock your screen. On Macs, first go to System Preferences > Security > General > “Require Password after sleep or screensaver begins.” After that, Shift + Control + Eject will lock your screen and keyboard. If your Mac doesn’t have an Eject key, then use Shift + Control + Power.

21. Try Windows Defender Offline, a tool from Microsoft that can remove malware. With Windows Defender Offline, you download a file from Microsoft to USB media. It is important to download the file using a clean computer, not the infected computer. Now is a good time to be sure you’ve backed up the data on the infected computer. Then, follow the instructions to reboot the infected computer from the USB drive. Remove the malware when prompted.

22. Download and install Microsoft EMET. It is a free tool designed to protect your computers from some, though not all, hacker techniques. Many people consider EMET one of their secret weapons to ward off cyber-crooks.

23. Make sure that laptop / desktop users have been changed from the default “local administrator” status to the “standard user” designation. By default, Windows gives administrative rights to the first user on a system. When a user is authenticated as a local administrator, attackers have the opportunity to gain higher access and do more damage.
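The following PowerShell self-check is an added example, not part of Foster’s checklist: it lets a remote Windows user (or your IT pro) verify items 8, 13, 20 and 23 above on one laptop without changing anything. It assumes Windows 10/11 with PowerShell 5.1 or later; the BitLocker cmdlets exist only on Pro/Enterprise editions and need an elevated prompt, and the admin check looks at direct membership of the local Administrators group only.

```powershell
# Added example (not from the original checklist): read-only baseline check for
# items 8, 13, 20 and 23. Assumes Windows 10/11, PowerShell 5.1+, elevated prompt.
function Test-RemoteLaptopBaseline {
    $findings = New-Object System.Collections.Generic.List[string]

    # Item 8: automatic updates. The NoAutoUpdate policy value set to 1 turns
    # Windows automatic updates off; if the key is absent, the default (on) applies.
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                           -Name NoAutoUpdate -ErrorAction SilentlyContinue
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $findings.Add('Item 8: automatic Windows updates are disabled by policy.')
    }

    # Item 13: every volume BitLocker knows about should report protection "On".
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        try {
            Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -ne 'On' } | ForEach-Object {
                $findings.Add("Item 13: drive $($_.MountPoint) is not BitLocker-protected.")
            }
        } catch {
            $findings.Add("Item 13: could not query BitLocker ($($_.Exception.Message)); run elevated.")
        }
    } else {
        $findings.Add('Item 13: BitLocker cmdlets not found; this Windows edition may not include BitLocker.')
    }

    # Item 20: the screen saver must require a password and start within 10 minutes
    # (values in HKCU:\Control Panel\Desktop are stored as strings).
    $desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    if ($desk.ScreenSaverIsSecure -ne '1') {
        $findings.Add('Item 20: screen saver does not require a password on resume.')
    }
    if (-not $desk.ScreenSaveTimeOut -or [int]$desk.ScreenSaveTimeOut -gt 600) {
        $findings.Add('Item 20: screen lock timeout is unset or longer than 10 minutes.')
    }

    # Item 23: the logged-in account should not be a direct member of Administrators.
    # (Membership inherited through a domain group is not detected by this check.)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.Name -eq $me }) {
        $findings.Add("Item 23: $me is a local administrator; use a standard user account for daily work.")
    }

    if ($findings.Count -eq 0) { 'No findings: items 8, 13, 20 and 23 pass.' } else { $findings }
}

Test-RemoteLaptopBaseline
```

Each line of output names the checklist item that needs attention, so a remote user can send the list to IT rather than describing settings over the phone.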

Discuss with Your Compliance Officer, CFO, and Whomever Manages Risk & Quality:

 “Estimated cost of a breach to the organization is $____________” (How much?)

 “How would a breach affect the company’s reputation? What steps are in place to prevent hackers from using our computers, network, and websites?”

 “One of the best things about cyber-security is that we probably already paid for, and have, most or all the necessary cyber security tools. How do we make sure that everything is configured optimally?”

 “Have our customers or prospects asked us to comply with standards such as SAS 70, SSAE-16, SOC, ISO 27K, PCI-DSS, HIPAA, etc.? If a prospect does ask, how long will it be until we can provide them with the documentation they need?” (It is unfortunate to delay acceptance of a proposal or lose a potential customer)

 “Have we considered that hackers do not need to know passwords as long as they attack a computer when the user is already logged in?”

 “What is the next step in implementing and testing our DRP? Business Continuity Plan?”

 “If we use the Cloud, what are our associated cyber risks? What are we doing now to manage that risk?”

 “A worker might accidentally disclose sensitive information, or purposefully take information before they quit their job. What Data Loss Prevention strategies do we use to prevent someone from stealing data?”

 “An example of a leading-edge technology which should at least be on the strategic roadmap: Application Whitelisting. This technology only allows the computer to run the programs you specify, effectively preventing viruses from running.” https://www.fosterinstitute.com/blog/stonewall-not-firewall-use-application-whitelisting/

 “Applying patches to Microsoft, Flash, Java, etc. can make us more secure, and also break something. Have we made a conscious decision? How aggressive are we at applying patches?”

 “Do we use any MDM Mobile Device Management for our BYOD and “in the field” users?”

 “What independent third party helps us maximize our investment in IT? Who advises us on our strategies?”

 “When and how do we audit our cyber-security? Is it part of the financial audit or a full cyber-security audit?”

Michael Foster – IT Best Practices & Cyber-Security Specialist

CISA Certified IS Auditor, CISSP Certified IS Security Pro, CEH Certified Ethical Hacker

Direct 805-637-7039