Hackers, ransomware, and denial-of-service attacks get all of the attention when it comes to information security. However, you will quite often hear IT security personnel state that the biggest threat to an organization is from within. With this in mind, if an organization's biggest threat is its own employees, what can an organization do to mitigate the risks associated with employees?
Compliance and security at times go hand in hand, but in most cases being compliant does not truly ensure you are secure. I titled this blog "Don't just check the box!" because the thinking that if your company can check the compliance box it will be secure enough is simply not true.
Compliance is usually a point in time or a period of time during which a specific set of controls is in place and/or operating effectively. When you go through a PCI Report on Compliance, you are looking at a specific period of time, the last 12 months. When you go through a SOC 2 Type 2 report, you are looking at a specific period of time, usually anywhere from 6 to 18 months. Security, or cybersecurity as they say, is never a point-in-time approach. Security is, and should be, an ongoing process that is constantly being assessed and improved. The subset of true security principles within whatever compliance requirements you have may not meet the best practices or standards of good security. Your company should take a big-picture approach and design its security program to exceed what is within your annual compliance requirements.
This is part 4 of our ongoing blog series on the NIST Cybersecurity Framework. To view our previous posts in this series, please see the links below:
After the countless hours and days that were put into identifying assets within the organization, researching and implementing ways to protect these assets, and even going the extra mile by implementing detection mechanisms to alert us in the event of an incident, the stressful day has arrived, and now the fourth function, Respond, must be initiated. The NIST Cybersecurity Framework defines the Respond function as: "Develop and implement the appropriate activities to take action regarding a detected cybersecurity event." The Respond function is further broken down into five categories (outlined below) which identify specific areas that organizations should consider in their risk management analysis. Of the 98 subcategories within the NIST Cybersecurity Framework, 15 are addressed within the Respond function.
As the one-year anniversary of the most widely spread ransomware attack approaches, WannaCry is still active in the wild. Fortunately, so is the "kill switch" domain, rendering the attack mostly benign. During the WannaCry outbreak MalwareTech, a UK-based researcher, discovered that WannaCry attempted to contact an unregistered domain. When this domain was registered, any newly infected device that made a successful connection to it would place the malware into a dormant state. This is known as sinkholing, and it has removed the teeth from WannaCry so far. However, it is not a perfect fix: only newly infected devices that can actually reach the kill-switch domain are rendered harmless, as Boeing recently discovered. In March, several dozen computers in Boeing's Commercial Airplanes division were suddenly hit with the full WannaCry ransomware attack.
In the ever-expanding world of PCI DSS, and the emerging GDPR world, data classification is a concern that is often left unattended. Organizations that work with Compass IT often find value in tagging the data that, together, we deem valuable if manipulated, stolen or destroyed. Organizations that implement such data classifications can confidently control that data, for example through access rights granted to specific individuals. Given the large amount of data an organization can generate, data classification gives the entity another layer of security when it comes to cybersecurity.