Wednesday, July 2, 2014

Business Continuity: No Plan is an Island

“No man is an island, entire of itself; every man is a piece of the continent, a part of the main. If a clod be washed away by the sea, Europe is the less, as well as if a promontory were, as well as if a manor of thy friend’s or of thine own were: Any man’s death diminishes me, because I am involved in mankind, and therefore never send to know for whom the bell tolls; it tolls for thee.” John Donne, Meditation XVII, Devotions upon Emergent Occasions (1623)
(Originally posted on Tripwire's 'The State of Security' at
The importance an organization places on their ability to respond to security breaches is critical to that organization’s survival. BCM (Business Continuity Management) is a plan, a team and a process companies use to protect themselves from financial loss.
BCM usually incorporates a Disaster Recovery Plan and a Business Continuity plan. The Disaster Recovery Plan takes effect as soon as an event occurs and is put into place to protect life and get the critical services back up and running.
Business Continuity is the second phase of BCM that takes effect after the initial event has happened and is designed to limit any lasting effects from the event and to bring the company back to pre-disaster status.


The BCM team deals with ‘what if’, even if it has never happened. They deal with known dangers, like earthquakes in California, hurricanes in Florida and Zombies in Washington DC. (Disclaimer: The US government National Institute of Health disavows any imminent danger from Zombies. See ‘A report on the zombie outbreak of 2009’).
The BCM team needs to deal with hackers, data thieves, denial of service attacks and data breaches. Target most likely had a Disaster Recovery Plan to deal with Zombies, but didn’t have an Incident Response Plan that took into account the loading of malware on their POS systems or the loss of 110 Million customer records.
They did not have a Business Continuity Plan in place to recover from the publicity, lawsuits and loss of customer confidence. I think I would consider the loss of 40 Million credit card details and 70 Million customer records a disaster. Apparently the Board of Directors, the CEO and the CIO did not. This has already cost the CIO and CEO their jobs and is likely to cause the termination of 7 of the 10 board members.


Is saving our jobs reason enough to include information security incident response in the BCM plan, or do we need a better reason?
The traditional BCM team will normally start with assembling the team and appointing a team leader; someone who has a thorough understanding of the organization’s business and who has the authority to allocate the necessary resources. The next step is to inventory the assets, do a Business Impact Analysis to determine the cost per hour or minute of downtime and to assign an ‘over the cliff’ deadline.
In other words, how long can our manufacturing plant be down before we lose so many clients that we can’t recover? For security incidents it might also be how many records can be lost before I start to update my resume.


Up to now, ‘IT’ has been held responsible for ‘Information Security’. Incident response has traditionally been thought of as the sole responsibility of the IT or Information Security department but needs to be incorporated into the operational plans and discussions during BCM meetings.
A hacker can take out your network as efficiently as a power outage or a fiber optic break. (Downtime costs your company the same per hour regardless of the reason you can’t send or receive email.) Damage is measured not only in time, but in numbers of records. Information Security is responsible for CIA (Confidentiality, Integrity and Availability). Traditional Business Continuity Planning and Disaster Recovery usually only deal with Availability.
The BCM team should also consult the information security group to make sure that any backup, recovery, temporary recovery facilities conform to the company’s security policies and procedures. A company could recover from a hurricane by moving facilities off site, but suffer a debilitating breach due to a hastily set up firewall with little or no protection offered to the temporary servers.


We still need the BCM team. We need someone who understands the business and can allocate sufficient resources to keep it running in the event of a hurricane or hacker, a power outage or a denial of service attack, an insider who pulls the fire alarm so he can go home or sends client records offsite for later.
Traditional information security priorities and methods that rely on a 100% block of attackers won’t work. Companies that survive a security breach have a robust incident response plan in place. It’s not just a matter of preventing breaches, but of detecting them and responding to them in a timely manner, and it would be better if your internal team discovered the breach rather than reading about it first on Brian Krebs’s security blog.


Target had a breach on November 12th and their FireEye system detected it on the 28th and notified Target’s information security team. December 2nd, a second notification of ‘unknown malware installed’ was sent to the infosec team. By December 12th, the hackers had downloaded 110 Million records including 40 million credit card details, and were using them.
Two days later, Target hires a company to look into the breach. If Target had planned for the breach, they would have had an incident response plan approved by executive management. Now the executive management has to plan a move to a new job, and the assigned parking space might not be as close to the elevator as it was before.
There are other reasons that the BCM team should include information security incident response and share in the duties and responsibilities. Only the infosec team member can identify IT security assets, threats and risks, but only the executive management can approve resources for remediation.


As you assemble the BCM team, reach out to the CISO or senior member of the information security and risk management team. Preferably this is someone who has risk management experience as they will more likely understand how to help with quantifying risks and not just vulnerabilities.
This person should be given the resources and time to help inventory the systems and services and will need to be included in the compilation of Business Impact Analysis. Parallel to the BIA, there should be an internal or external IT security Risk Assessment done.
This can be done in conjunction with the initial system inventory so that you can make sure you cover all critical assets. As the BIA is finished, the manager in charge of the assessment can combine the results of the vulnerability and threat assessment with the BIA to create a quantifiable threat assessment that can be used to prioritize budgetary controls for security incidents. The IT Risk assessor needs this information to help data valuation and classification.


The information you gathered during the inventory, BIA and Risk Assessment can help justify spending money on critical issues. In IT Risk Management, generally, a critical issue is one that would cause loss of life, permanent disability or a loss of over one Million Dollars. Don’t just spend your control dollars on preventing the loss, but spend money on cutting down the cost of the loss if it happens.


Not if, but when. That is the advice of senior directors at major corporations, including RSA. If you don’t think it will happen to you, it most likely already has. You just don’t know it because your company didn’t detect it, or the help desk didn't send you a notice.
Part of good BCM planning is contacting the media and law enforcement. Don’t forget this in your incident response plan, and you won't if you are working in conjunction with a seasoned BCM team.


In loss prevention, Business Continuity Planning and Disaster Recovery we already rely on insurance companies. They provide business continuity insurance, coverage for extra expenses in case of a covered loss, and even pay for loss of profits in many cases.
BCP insurance can also cover information security breach losses including cost to investigate, fix and pay for PR as well as paying for credit monitoring.


“Any man’s death diminishes me, because I am involved in mankind, and therefore never send to know for whom the bell tolls; it tolls for thee.”
Any damage to your company could be the death bell toll, if not dealt with before it hits the critical point. Learn from your Business Continuity Management Team. Let them learn from you.
There are so many analogies between physical attacks and cyber attacks that we infosec professionals borrow the language. Red Team, Black Team, Attack, Risk Management, Loss Prevention, Downtime and, in some cases, Bankruptcy, ‘early retirement’ and unplanned relocation.
Does your company include information security incident response planning in the organization’s BCM plan? Does your Business Impact Analysis cover denial of service attacks, release of confidential information? Do you even have an Incident Response Plan and an Incident Response Team?

About the Author: Michael Scheidell (@scheidell) is a Certified CISO, Senior Member IEEE (Computer Society), Corporate Information Risk Management and Privacy Expert, Managing Director of Security Privateers, and works as a consulting CISO for several multinational corporations in government, finance, manufacturing and health care. A recognized expert in the information security and privacy community with a strong history of innovation and entrepreneurship with a US patent on intrusion detection systems, Mr. Scheidell is a frequent conference speaker and subject matter expert in Information Security, Governance Risk, Compliance, and corporate privacy and has worked to secure US critical infrastructure such as Rail, Transportation and Utility companies. Mr. Scheidell can be reached at

Sunday, May 25, 2014

Happy Geek Pride Day!

May 25th: Embrace your Inner Geek: Celebrate Geek Pride Day

If you're reading this, odds are every day is Geek Pride Day for you.

Geek Pride Day (Spanish: Día del orgullo friki) is an initiative to promote geek culture, celebrated annually on 25 May. The date was chosen to commemorate the 1977 release of Star Wars (see Star Wars Day), but shares the same date as two other similar fan "holidays": Towel Day, for fans of The Hitchhiker's Guide to the Galaxy trilogy by Douglas Adams, and the Glorious 25th of May for fans of Terry Pratchett's Discworld. (Wikipedia)

The initiative originated in Spain in 2006 as "Día del Orgullo Friki" and spread around the world via the Internet.

Are you a Geek or a Nerd?  How to tell the difference between a nerd and a geek

More Engineering jokes

Get Your GEEK On!

Dress up in your GEEKEST outfit and post a photo to Security Privateers Geek Pride Day Page

Thursday, May 15, 2014

One Character Can make all the Difference

One small change to your source code, one character, or one person can make all the difference between a robust Information Security and Privacy program or reading about your company’s breach on CNN.
(Originally published on Tripwire's "The State of Security" at

Design in security or design insecurity: Looking at Information Security from a project management framework, many companies wait until just before beta testing to check for Information Security risks or exposures. This is designing insecurity. Built in insecurity. Factory equipped at no additional cost to the user!
Everyone is familiar with project management 101: You can have any two of the three, Fast, Cheap or Good, but you can’t have all three.
If you want it Fast and Cheap, we can’t tell you how good it will be. If you want it Good and Fast, we can’t tell you what it will cost.
We can think of the information security and privacy aspects of your project in this same way.
However, when you factor Risk in alongside Cost, Schedule and Scope (or Budget), you need a new paradigm (and a new graph!).
We need to add in the triangle of Risk, Resources and Quality as per PMBOK 4.0, Practice Standard for Project Risk Management.
Instead of just thinking about project risk in terms of cost overrun, or delays, consider what happens when you build insecurity vs building in security. By building in security you reduce the known unknowns of your information security risk footprint.
Let’s go back to project management 101: It costs you $1 to design it in, $10 to build it in later, $100 to fix it before it goes into production, and $1000 if you need to fix it once it has been turned over to operations.
For Information Security and Privacy issues, you not only have to account for the lost time (risk, poor quality, budget overruns, resources and scheduling problems), but you also have to look at regulatory and financial issues due to litigation. Your quality issues don’t just put users and customers off a little, you could lose them for life. Security Project Management 101 goes like this:
$1 to design in security, $100 to build in security later, $10,000 to fix it before it goes into production, and an average of $5.4 million once it has been turned over to operations. ($5.4 million is the average cost to US organizations for a data breach in 2013, before you add in the Target breach.)
Ask your stakeholders: Do you want to budget $1 extra to design in security, or risk $5.4 million if things go really bad?
One User, Employee, or Vendor
One character: one user, one employee, or one vendor who has access to your network can bring it down. The next character that can cause you a problem would be an insider; someone who has internal, privileged access to your network.
Yes, that character. You know who that is and wish you could do something about it. An insider with unnecessary access and a weak password helped bring about a huge data breach at Target that could end up costing them $20 billion. Yes, billion. That comes after million, and just before trillion. Not quite national debt numbers, but this number won’t play well during the next stockholders’ meeting.
Take as an example what happened at Target. The old CIO resigned and the new CIO is actively taking steps to keep this from happening again. He rescinded unnecessary vendor access, updated technical requirements for password strength and forced everyone to change their passwords to adhere to this new policy.
What else can I do? What about that ‘one character’? Security Awareness Training, and not just a 30 minute computer based flyby of last year’s ghosts and goblins of data security, but a comprehensive, customized training program that will enroll that ‘one character’ as an ally. Not just for ‘the little people’, but for executives.
Instead of causing problems, that problem character (or characters) will understand their part in keeping the company safe and secure, especially if the executives lead the way by example.
One Byte
Insecurity vs in( )security. One byte. That is all it takes sometimes. During a recent web application assessment for a Fortune 100 company we noticed that one byte was missing. This one byte meant the difference between a reasonably secure user experience and a user experience that exposed massive numbers of users to identity theft, bank fraud, and spam.
What was that one byte? (non geeks can look away now and start humming. Come back in 5 minutes and we can wrap things up). On the company home page the button for the user login function pointed to ‘http://{}/functions/login.asp’. (Do you notice the missing character?). A packet trace of the login function confirmed that the username and password were being sent across the wild world web without using any type of encryption.
The company didn’t need to worry about the Heartbleed bug; this information wasn’t encrypted anyway. Anyone listening would have access to information that should have been encrypted. Depending on how long this bug was in place, it could have affected more than 10 million users just in 2013. Not quite up to Target’s 110 million faux pas, but still a respectable number.
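The "one byte" defect above (a login form or button whose target is `http://` instead of `https://`) is easy to catch before a packet trace is needed. The following is an added example, not code from the original post: a small stdlib-only auditor that parses a page, resolves every form that contains a password field and every link whose path mentions "login", and flags any whose resolved URL is not HTTPS. The sample page and the host `example.com` are constructed for this example; the class and function names are my own.

```python
"""Flag login forms and login links whose target would carry credentials over plain HTTP.

Added defensive check (not from the original post). The HTML below is constructed
sample input; example.com is a placeholder host.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginTargetAuditor(HTMLParser):
    """Collect (kind, resolved_url, reason) for credential-carrying targets that are not HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []      # list of (kind, url, reason)
        self._form = None       # state for the currently open <form>, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve the action against the page URL so relative actions inherit its scheme.
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "has_password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "a":
            href = a.get("href")
            # Heuristic: a link whose path mentions "login" is a login button candidate.
            if href and "login" in urlsplit(href).path.lower():
                self._check("link", urljoin(self.page_url, href))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            # Only forms that actually collect a password are credential-carrying.
            if self._form["has_password"]:
                self._check("form", self._form["action"])
            self._form = None

    def _check(self, kind, url):
        scheme = urlsplit(url).scheme.lower()
        if scheme != "https":
            self.findings.append((kind, url, f"credentials would travel over {scheme or 'unknown scheme'}"))


def audit_login_targets(html, page_url):
    """Return a list of (kind, url, reason) findings for the given page HTML."""
    auditor = LoginTargetAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: one plaintext login link, one plaintext login form,
# one relative login form (inherits the page scheme), and one harmless search form.
SAMPLE_HTML = """
<html><body>
<a href="http://example.com/functions/login.asp">Log in</a>
<form action="http://example.com/functions/login.asp" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/account/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, url, reason in audit_login_targets(SAMPLE_HTML, "https://example.com/"):
        print(f"[{kind}] {url}: {reason}")
```

Run against an HTTPS page URL, the sample yields two findings (the absolute `http://` link and form); the relative form resolves to HTTPS and passes. Run the same page as if served over `http://` and the relative form is flagged too, which is the point of resolving actions against the page URL rather than inspecting the attribute text alone. Forms submitted by JavaScript rather than an `action` attribute are outside what this parser sees.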
Character of the Boss
The bad news is that you can’t fix everything with just one character, or changing one character, or firing one character. The good news is that the Character of the executive management can have more of a positive effect on the information security culture than all the firewalls, audits and scrum masters in the world.
The Character of the Information Security group, CISO or CSO will directly reflect the support given by executive management. This top down approach isn’t just for project management or software programming, it is business 101. “It all comes down from the top”.
Employees who enjoy working for their company and respect their managers are more likely to make fewer mistakes in general, fewer mistakes on purpose, fewer security mistakes, and are less likely to ignore security and privacy policies. Their managers will be less likely to ignore policies and rules if their executive management respects them.
If your executive management does not respect their own security and privacy rules you can be sure that the employees won’t.
One Character at a Time
As you move through life, you will work for good bosses and bad. You will work at companies that have a good security and privacy program and you will work for companies that don’t care. If you are tasked with protecting a company that doesn’t care, there might be nothing you can do about it.
Just do your job, learn your craft and try to keep things in perspective. Ultimately it is only your job to detect the information security risks and inform your management. It is their responsibility to take it seriously. You can help by learning more about your company’s business. Your assumption that the company doesn’t care might just be your lack of understanding of the nature of their business.
Not every vulnerability is critical, and nothing is perfectly secure. One character at a time. One byte at a time. That is all that can be expected of anyone. One character can make all the difference. Make that character be you.


Tuesday, May 6, 2014

Verizon DBIR: The Hackers are Winning

Verizon has released the 2014 version of their Data Breach Investigations Report with predictable results: The hackers are winning. Cyber-Espionage, DDoS attacks, Crimeware, Web app attacks and credit card theft are among the attacks that Verizon summarizes with “92% of the 100,000 Incidents we've analyzed from the last 10 years can be described by just nine basic patterns.”
Originally published on Tripwire's blog "The State of Security"

I still can't get over how many of these problems would be solved by building-in security rather than building insecurity. How much could the collective world have saved if they had just fixed the Open Web Application Security Project (OWASP) Top 10?
What have we learned from a decade of data breach investigations? The hackers are winning.
Let’s buy toys (tools, IDS/IPS/HIDS/NIDS/NAC) because they will protect us from untrained programmers, bad policies and lack of trained InfoSec professionals. The hackers are winning. Have I said that enough? Obviously not, since the point of every data breach or privacy loss report is that the hackers are winning. Do they have new tools? Are they funded by Wall Street and Startup Funds? Are they better trained or just more motivated?
Toys (tools) are nice, but if your people are well trained, care, and have a culture of security and privacy, they will be better equipped to catch or prevent a data breach. Take as an example the $1.6M worth of tools that Target bought, which detected the breach when it first happened and then again when the hackers started to upload the 110 million records to their ‘cloud’ servers. These alerts were ignored.
Did anti-spam and anti-virus products protect RSA, which suffered an attack that laid bare their source code? What about the South Carolina Department of Revenue? In both instances the hackers’ job was easy: sending in phishing emails. For both RSA and SCDOR it was failed policies and procedures that cost RSA $55M and SCDOR $20M.
The problem is we can’t ‘package’ people. People are not scalable and VCs can’t fund them, and we don’t see billions of dollars in marketing telling companies they need a CISO or CSO. The CEOs, CIOs and CTOs see all the marketing hype about the next silver bullet. (How much in VC funding was announced today for ‘the last security product you will ever need’)?
Trade publications buzz about a lack of available and qualified information security professionals, but the reality is that some sectors and industries aren’t ready to trust us (information security professionals). Yes, we have seen a 20% increase in salaries for CISOs nationally, and we read stories about a lack of infosec professionals, but the truth is, the adoption rate is still dismal. (The hackers are winning!)
Why? Maybe because we (infosec pros) have been crying wolf and asking for toys to do our jobs. We have been lazy. We blame the lack of understanding among the CEO and Board of Directors. I suggest that it is because we don’t understand that the business of business is, well, business. We think our job is to eliminate risks, but it is not. Our job is to ENCOURAGE RISK: responsible risk, measured risk, controlled risk.
We are seen by the CIO and CFO as the adversary, or we see the CIO or CFO as the adversary rather than our business partner. We think our superior knowledge, certifications, ribbons, medals (and toys) mean we know more about how to protect a company than the CEO who will be called on the carpet when the stock price plunges.
I say show the CFO how you can cut spending on information security and he will be eating out of your hands. Help the CIO increase network capacity while making things more secure and stable and he will light a candle for you and invite you to lunch more often.
If we help our organization deal with risks that are easily fixable and we do it without taking down the whole company in the process or wasting money, we will be trusted to swim in the executive pond; we will be invited to the round table. We will be able to positively affect both the bottom line and lower the risk profile of our company.
On one more note: Mentoring: If you are an experienced information security professional, please use your time and experience to help the up and coming new infosec generation. Give of your time, do presentations at your local ISSA, ISACA, PMI or InfraGard chapters. Not only are you helping with the next generation and the people who will report to you later, but this is good experience for you before you do a presentation before the CIO or CFO.
Maybe next year a new story that reports fewer data breaches won’t be mistaken for an April Fool’s Day joke, and the hackers won’t be winning.


Monday, May 5, 2014

Announcing my availability as Chief Information Security Officer

I get paid to hack into banks, and not just by the bank president, and not just before he goes on vacation. I also get paid by hospitals, universities, power and transportation companies to test their systems and tell them the most cost effective ways to protect themselves.

The time has come for all good CEOs to come to the aid of their company. Your CIO is overworked, your users are stressed out wondering if they will be the downfall of their company, and your board of directors is looking at cybersecurity insurance and liability. You and your CIO know you need help but don’t know where to look.

I am available on a Contract, Retained or Interim position for a dynamic organization that is looking to hire or retain a Chief Information Security Officer and wants someone with a track record of reducing IT risk while contributing to the bottom line.

I am a certified CISO, Senior Member of IEEE – Computer Society, and have over 15 years’ experience working for or with the CEO, CIO and Board of Directors of many multi-national organizations, helping them build their internal information security team.

One (little) breach of 110,000,000 records at Target and both the CIO and CEO have resigned. The board of directors took action against a CEO, president and Chairman of the Board who gave 35 years of his life to the company, but failed to see the coming tsunami. Hindsight is always 20/20. "Today we are announcing that, after extensive discussions, the board and Gregg Steinhafel have decided that now is the right time for new leadership at Target," a company statement posted on its website said Monday morning.

See what my current and past clients have to say:
Always thinking ahead
Highest professionalism
Detail Oriented Security Leader
Always Proactive
Thought Leader
Knowledge and Creativity

Read a couple of my blogs about business and security:
Lessons from a Frog and an Ostrich
To Achieve Good Security, you need to focus on Business
Why I like the new NIST Framework
Ten Basic Steps a Small Business can take to avoid hackers

Call or email me today; don't lose any more sleep over your information security program.

Follow me on Twitter @scheidell for free security awareness bulletins, tips and alerts.

For a list of other services, including risk assessments, penetration testing and security awareness training call or click

Michael Scheidell, CCISO, SMIEEE
(561) 948-1305 /

Friday, May 2, 2014

Banks drop Target breach lawsuit amid Trustwave liability questions

Originally posted on Search Security:


Two banks have suddenly dropped what was expected to be a precedent-setting lawsuit related to the massive data breach at Target Corp., perhaps temporarily sparing the retailer's audit firm, Trustwave Holdings Inc., from being held liable for its client's breach.
In the lawsuit, which was filed on March 25 in Chicago's U.S. District Court by Houston-based Green Bank and New York-based Trustmark Bank, the Minneapolis-based retailer was blamed for the weeks-long data breach, which occurred during the 2013 holiday shopping period. The breach resulted in the theft of approximately 40 million credit and debit card numbers, as well as the personal information of 70 million customers.
Unusually, the banks also sought to pin liability on Trustwave, one of the most prominent PCI DSS compliance assessment firms in the industry, alleging that Target had contracted the company to perform a number of security services, including providing "round-the-clock monitoring services" for its systems and bringing the company into compliance with PCI DSS standards.
Specifically, the lawsuit alleged Trustwave had "told Target that there were no vulnerabilities in Target's computer systems" after performing a scan on Sept. 20, 2013, and ultimately accused the security vendor of failing to "meet industry standards" by not spotting the Target breach in a timely manner.
Trustwave last week repeatedly declined to comment on the suit, but over the weekend the company published a short statement from its CEO, Robert McCullen, on its website denying some of the allegations laid out in the legal filing.
"Trustwave would like to reassure our customers and business partners that these claims against Trustwave are without merit, and that we look forward to vigorously defending ourselves in court against these baseless allegations," McCullen said in the statement. "Contrary to the misstated allegations in the plaintiffs' complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target."
Though unclear what impact Trustwave's statement had on the pending litigation, who first reported on the lawsuit, confirmed court documents indicated the filing has been dropped, though noted it was "dismissed without prejudice," opening the doors for the suit to be refiled in the future.
At the time of publishing, neither Trustmark Bank nor Green Bank responded to Search Security's requests for comment. A Trustwave spokesperson said the company had no further comments at this time.
Michael Scheidell, CCISO, Managing Director for Boca Raton, Fla.-based IT assessment firm Security Privateers, said the lawsuit's allegations had seemed a "little strange." He questioned whether pulling the filing meant the banks' sources behind the information on Trustwave's involvement in the Target breach were reliable.
Though Trustwave's McCullen pointedly denied a number of allegations in his statement, including monitoring Target's systems and processing any cardholder data, McCullen did not deny that Target was a Trustwave client, Scheidell noted, nor that the security vendor had performed at least one PCI assessment for the retailer. If Trustwave did perform an assessment, Scheidell found the possibility of the auditors not finding any vulnerabilities, as indicated in the lawsuit, to be absurd.
"I've been doing this 14 or 15 years, and I've never not found a vulnerability" during an assessment, Scheidell said. "There's always something somewhere -- whether it's small or big, whether it's hard to take advantage of or leads to a data breach, there [are] always vulnerabilities somewhere. So that is a ridiculous statement."
Scheidell said it was unlikely a company the size of Trustwave would purposely ignore problems discovered during an assessment in order to keep a client happy, though he warned auditors and other companies that perform security assessments to be careful when negotiating final reports with clients.
While Scheidell said he has rarely run into problems with clients that commission assessments, on one occasion a customer did ask his firm to change its assessment results because it couldn't hand over the findings to the executive committee without being asked to fix some issues. In that case, he said the problem was that the customer was running software that could no longer receive updates, a problem many merchants with Windows XP-based systems will face next week when XP's end-of-life date comes to pass.
"There's always the temptation for auditors to make the report look better," Scheidell said, "so they get that business next year."
Enterprises also need to adjust their expectations for what an assessment can accomplish, Scheidell said, especially when a company is found to be compliant with PCI DSS or another regulatory standard. In particular, he noted that PCI auditors come in at scheduled times and that IT and security teams have become adept at giving the auditors what they want. He said being PCI-compliant, as Target reportedly was, does not mean the organization is secure.
"PCI compliance in itself does not mean you're not vulnerable," Scheidell said. "It just means you met the specific requirements for that snapshot; that point in time when auditors came in.
"They're all PCI-compliant, and they're all being breached."

Saturday, April 19, 2014

Ten Basic Steps a Small Business Can Take to Avoid Getting Hacked

Cybersecurity can be daunting. The technology, the terms and the cost. Big companies spend collectively BILLIONS of dollars per year, and yet they still get hacked. As a small business, what can I do to prevent the same thing from happening to me? If you don't want to be the next TARGET, pay attention to what is important.

While there is never any guarantee for anyone or any business that they will be totally hack-proof, you can make it difficult, which encourages attackers to pick on an easier target.

Depending on the size of your business, what you have to protect and whether you are under government regulation, there are 10 common-sense and (mostly) free steps you can take.

Even if you don’t think you have anything the hackers want, think again. Do you log on to your payroll system or the company bank account? Do you check or pay any bills online?
Your computer, the network and your internet connection are also valuable to the hackers. A small HVAC vendor was hacked and that network was used to hack into Target. You don’t want to be the source of an attack on Bank of America or the White House’s website.

1) Know what you need to protect and why. Do you collect any private or confidential information? Where do you store it? What do you do with it when it’s no longer needed? If you store any confidential information you should look into encrypting it. Modern operating systems come with free encryption software, or you could use ‘TrueCrypt’. TrueCrypt can even encrypt those pesky USB drives you use to move your customers’ data back and forth. If hackers get encrypted data they can’t do anything with it. Target did not encrypt their data.

2) Talk to your employees. Big companies spend thousands of dollars on ‘Security Awareness Training’. You might just need to remind your employees not to download files from the internet or open attachments in emails without thinking about it. You could subscribe to our Facebook or Twitter feed and send reminders to your users, or have the information posted on your internal ‘intranet’ or ‘Message of the Day’. Target did not train their employees on what to do if they were infected with malware. The SBA has a short (30-minute) Security Awareness course, and it is free:

3) Firewall: If you are on the internet at your office, you already have one from your cable, phone or internet company. It is designed to keep bad people from easily accessing the computers in your office. Consider taking it one step further: instead of just blocking bad things from getting in, think about blocking bad things from getting out. Your firewall can also block many attempts by hackers to send data out. Target ignored alarms from their APT firewall for several days; acting on them might have prevented the export of the credit card data.

4) Anti-Virus: You bought a new computer and it came with 6 months of free anti-virus. The anti-virus is still on that 7-month-old computer, but in the last 30 days new viruses have been produced, making that old anti-virus software less useful. You can get free anti-virus from AVG, but for a paid version I recommend Kaspersky. (The Target vendor that was the initial source of the attack was running a free version of malware detection software.)

5) Passwords. Use them. Don’t reuse them. Don’t use the same password on your bank web site as you do on the Papa John’s internet order site. Have different passwords for your business accounts. Keep in mind that you might have passwords for third-party social media accounts like Twitter, Facebook and WordPress. Here is some information from the IEEE Computer Society on passwords:
Changing Your Password:
• Never change your password by following a link in an e-mail that you did not request, since those links might be compromised and redirect you to a site set up to steal your personal information.
• In order to be effective, you should aim to update your online account passwords at least once a quarter or every few months.

Creating a Strong Password:
• Variety – Do not use the same password on all the sites you visit.
• Do not use a word from the dictionary.
• Length – Select strong passwords with 10 or more characters that cannot easily be guessed.
• Think of a meaningful phrase, song or quote and turn it into a complex password using the first letter of each word.
• Complexity – Randomly add capital letters, numbers, punctuation, or symbols.
• Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”).
• Never give your password to others or write it down.
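The rules above can be turned into a check that runs before a password is accepted. This is an added example, not code from the original post or from the IEEE Computer Society: the `DICTIONARY` set is a tiny constructed stand-in for a real wordlist, and the account table in the test is constructed. The dictionary check undoes the common look-alike substitutions (0 for o, 3 for E, and so on) before comparing, so a disguised dictionary word is still caught by the "do not use a word from the dictionary" rule; the phrase-to-password helper implements the "first letter of each word" advice, keeping the phrase's capitals and punctuation.

```python
"""Password-policy checks for the rules listed above (added example)."""
import re
import string

# Constructed stand-in for a dictionary wordlist; load a real one in practice.
DICTIONARY = {"password", "welcome", "sunshine", "football", "dragon", "letmein"}

# Undo common look-alike substitutions so 'P@ssw0rd' is compared as 'password'.
LEET = str.maketrans("0134$@", "oieasa")


def is_dictionary_word(pw):
    """True if pw is a dictionary word, even with look-alike substitutions."""
    return pw.lower().translate(LEET) in DICTIONARY


def character_classes(pw):
    """Count how many of lower/upper/digit/punctuation classes pw uses."""
    classes = 0
    classes += any(c.islower() for c in pw)
    classes += any(c.isupper() for c in pw)
    classes += any(c.isdigit() for c in pw)
    classes += any(c in string.punctuation for c in pw)
    return classes


def check_password(pw, min_length=10, min_classes=3):
    """Return the list of rule violations; an empty list means pw passes."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short (%d < %d)" % (len(pw), min_length))
    if is_dictionary_word(pw):
        problems.append("dictionary word")
    if character_classes(pw) < min_classes:
        problems.append("needs more character variety")
    return problems


def find_reused_passwords(accounts):
    """accounts: {account_name: password}. Return groups of accounts that
    share one password (the 'Variety' rule: one password per site)."""
    by_pw = {}
    for name, pw in accounts.items():
        by_pw.setdefault(pw, set()).add(name)
    return [names for names in by_pw.values() if len(names) > 1]


def phrase_to_password(phrase):
    """First letter of each word, keeping case and trailing punctuation, so
    'No man is an island, entire of itself!' becomes 'Nmiai,eoi!'."""
    out = []
    for word in phrase.split():
        out.append(word[0])
        out.append(re.search(r"\W*$", word[1:]).group())  # trailing punctuation
    return "".join(out)


if __name__ == "__main__":
    candidate = phrase_to_password("No man is an island, entire of itself!")
    print(candidate, check_password(candidate) or "OK")
    print("P@ssw0rd", check_password("P@ssw0rd"))
```

In practice the reuse check should be run against hashes of the stored passwords rather than plaintext, and the wordlist should be a real one; the structure of the checks stays the same.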

6) Wifi/Wireless: Do not use ‘Free’ wireless hotspots. OK, you will do that. But consider that anyone at all in the area can snoop on any unencrypted data you send or receive. There is also the possibility that they can hack into your laptop because you are no longer protected by your company firewall. If you have wifi at work, use the best protection possible: WPA2 Enterprise if you are running a local Active Directory/Windows Domain, or WPA2 with a strong pre-shared key (passphrase).

7) Sign out of your account when you are done.  This is especially important for publicly available computers in the business lounge of a hotel or airport.  Even with a computer you own, if you are still logged on to a web site, it is possible a hacker can take remote control over your computer without your knowledge.

8) Patches and updates: All computer programs have unknown ‘side effects’. Sometimes known as bugs, hackers call these ‘undocumented features’. Software companies release frequent patches, mostly right after a hacker figures out one of these undocumented features. Patch your operating system, and patch common third-party software such as Java, Adobe PDF readers and Flash. All of the above have been used to break into computers. This includes your company’s servers, workstations, laptops and smart phones. It also includes any third-party web sites or cloud services you might use. You can’t patch them directly, but you should insist that they audit and patch any service you pay for. You really don't want hackers to do to you what they have done to well-known websites, such as advertising your competitors or posting porn.

9) DON'T VISIT THE BAD SIDE OF TOWN. Don't let your children or employees use a company computer for games. Web sites of ‘questionable value’ are known to use deceptive practices to install malware and spyware. That ‘anti-virus update’ you just downloaded from the ‘artistic’ web site may contain the very virus you were trying to avoid.

10) MAKE BACKUP COPIES. Consider how much time it takes to make the backup copy versus the time it would take to recreate all the work you lost, if that is even possible.
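A backup you have never restored is only a hope. The following added example (not code from the original post) builds a compressed archive of a constructed workspace, records a SHA-256 manifest next to it, restores it to a fresh directory and verifies every file against the manifest, then shows that a silently altered restored file is detected. All paths are temporary directories the script creates itself; the file names and contents are constructed.

```python
"""Backup with integrity manifest and restore verification (added example)."""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    """Streaming SHA-256 of a file, so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir into archive_path and write a {relpath: sha256} manifest
    beside it. Returns the manifest."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def restore(archive_path, restore_dir):
    """Extract the archive. Use the 'data' filter where the Python version has it,
    which refuses entries that would escape restore_dir or set odd permissions."""
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)


def verify_files(manifest, directory):
    """Compare every file named in the manifest against its recorded digest.
    Returns (ok, problems) where problems lists missing or corrupt files."""
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(directory, rel)
        if not os.path.exists(path):
            problems.append("missing: " + rel)
        elif sha256_file(path) != digest:
            problems.append("corrupt: " + rel)
    return (not problems, problems)


def demo():
    """Constructed workspace -> backup -> restore -> verify -> tamper -> verify."""
    base = tempfile.mkdtemp()
    src = os.path.join(base, "work")
    os.makedirs(os.path.join(src, "invoices"))
    with open(os.path.join(src, "customers.csv"), "w") as f:
        f.write("id,name\n1,Example Co\n")          # constructed content
    with open(os.path.join(src, "invoices", "2014-04.txt"), "w") as f:
        f.write("total 1200\n")                      # constructed content
    archive = os.path.join(base, "work-backup.tar.gz")
    manifest = make_backup(src, archive)
    restore_dir = os.path.join(base, "restore")
    restore(archive, restore_dir)
    ok_before, _ = verify_files(manifest, restore_dir)
    # Simulate silent corruption of a restored file and check it is caught.
    with open(os.path.join(restore_dir, "customers.csv"), "a") as f:
        f.write("garbage\n")
    ok_after, problems = verify_files(manifest, restore_dir)
    return {"files": len(manifest), "restore_ok": ok_before,
            "tamper_detected": not ok_after, "problems": problems}


if __name__ == "__main__":
    print(demo())
```

The manifest is what turns "we have a backup" into "we have a backup that restores to exactly what we saved"; store it (or at least its own hash) somewhere the backup media cannot alter it, and run the restore test on a schedule rather than on the day you need it.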

The FCC also has a top-ten list, which overlaps partly with mine and adds some different information:

Is this all? No, but it is a good start. NIST has checklists that contain hundreds of things that need to be checked, but if your small business doesn’t do the basic steps above it won’t matter what else it does. Target got hacked because:
1) They didn't train their employees on their APT firewall
2) They didn’t make sure their partners had good cyber security
3) Their partner used free anti-virus software and had a very weak password
4) Target let their partner have access to places they had no need to be
5) There were unpatched computers in Target’s network

RSA, a big company that sells cybersecurity hardware to big business and the government, was hacked two years ago. What went wrong?

1) They had identified critical information, and even had written policies, which were not followed
2) Someone opened an attachment in an email that they should not have opened
3) That attachment exploited a flaw in a third party product that was not patched
4) Passwords that should have been disabled once they were no longer needed were still active

And, now the obligatory sales pitch:

Follow me on Twitter @scheidell, LinkedIn or Facebook. I publish news on the latest attacks, viruses and patches. You can use this information for free to educate, inform and warn your users, clients and partners. Subscribe to this blog and check my latest presentations. Invite me to do a presentation at your local Rotary or Kiwanis club.

You have something valuable to protect: your company assets and your clients’ privacy and information. If you don’t think the above steps are enough, I can help with a cyber-security survey or IT risk assessment.

I have worked with companies from small offices with 20 people to large rail and transportation organizations with 20 thousand people. I have experience in banking and finance as well as medical devices and health care. Remember, all it takes is one breach to destroy your company.

Michael Scheidell, CCISO, SMIEEE / (561) 948-1305