The Wavelength: Security and Compliance

If security isn’t top of mind for you or your organization right now, it will be after reading this issue. And while compliance may not equal security, the two certainly go hand in hand; compliance is a reflection of security measures within an organization. We’ve got a top-notch panel of experts this month to answer questions and present us with an excellent reality check on both issues.

Are you addressing GDPR compliance internally and/or offering services related to GDPR to your clients?

Zia Masoom: In December 2016, we implemented a new internal review process to more efficiently assess the collection, use and transfer of personal data within the company. We did so to determine compliance with, among other things, the Privacy Shield principles, the upcoming EU General Data Protection Regulation, Xerox policies, and our contractual obligations. We were previously certified under the U.S.- EU Safe Harbor Framework and are compliant where necessary with the EU Directive 95/46/EC. Our policies and procedures to secure data under the Framework and Directive are still in place and we fully expect to meet our compliance obligations under the EU General Data Protection Regulation.

For our partners and customers, we use a comprehensive strategy for security and personal information protection that crosses several layers of security elements. From data and documents, to people and devices, to overall rules and regulations governing the business, we offer multiple tools and solutions to help maintain tight security with respect to print infrastructure and document workflows. We also continue to bring new security capabilities to market each year; for example, an Auto Redaction App, which enables redaction of sensitive information such as PII on documents.

Corey Nachreiner: GDPR requires data breach notifications within 72 hours unless the lost data was encrypted. This will be a major challenge since, on average, many businesses take significantly longer than that to publicly announce a data breach.

As a company that has many European customers, we have also internally prepared for GDPR compliance. We have transparent documents sharing what customer information we gather and store, and provide mechanisms for those European customers to request or remove that data.

Noah Nadeau: Our company’s headquarters are in Europe, so non-compliance was never an option, both when it came to our internal operations and the products and services we offer.

For operations, GDPR compliance was an extensive project that took about a year to complete and required the support of a cross-functional team with members of IT, HR, Legal, Operations, and our key supply chain contacts. We also contracted a third party to perform an audit of our internal processes and data collection points to ensure that wouldn’t miss anything.

We also needed to provide extensions to our product that would allow an operator to easily comply with the relevant rights of European data subjects, namely the Right to be Forgotten, the Right to Access, and the Right to Restriction of Processing. This was also sourced in-house. Our product support team drove the development effort for these extensions.

How do you prevent security breaches due to employees using their own devices and/or cloud storage?

Newt Higman: Shadow IT – where employees implement solutions and bring in personal devices in an effort to “get the job done” – introduces security risks to businesses. One area of concern is employees connecting at-risk personal devices to a business network and that device being the bridge a bad actor uses to get into the company network. Data exfiltration of business data from employees’ personal cloud storage accounts is another security threat, and not just from disgruntled or malicious employees. The risk of cybercriminals compromising an employee’s personal cloud storage via a compromised personal device, for example an infected home PC that also has the cloud storage account accessible from it, would allow company data to be taken without the organization being aware.

To reduce risk, if BYOD devices are allowed on the company network, they should only be allowed to connect to an isolated guest network that does not have access to company data or resources. Use of cloud storage services should be restricted to only those that are owned and managed by the company. This can be enforced by policies both paper and technology based – controlling which software can be installed on a work device, limiting the websites that are reachable from company devices, and routine scans and audits to alert to any changes.

Brian Horton: Coming from the perspective of a penetration testing firm, “you cannot prevent what you allow.” If a company is willing to allow BYOD and cloud storage, there must be a recognition of the increased inherent risk. To help mitigate this, we encourage our clients to focus more on detection versus prevention. By focusing efforts on the detection of unauthorized data disclosure, etc., organizations can greatly minimize the impact of any potential prevention failure.

Masoom: Security breaches are as much a risk from inside a company as they are from the outside. Our devices have built-in features that allow companies to ensure their sensitive data and documents are secure from external and internal breaches. With PIN code and card-based authentication methods, we enable our partners and customers to ensure that only authorized employees are given access to the device and all user activity is logged and reported.

Once in, role-based controls limit access to device features such mobile and cloud applications. For example, mobile connectivity only allows printing documents available on the mobile device and does not allow access to other print device applications. All data communicated to the print device, including through mobile and cloud applications, is protected with strong encryption and purged periodically (system admin chooses frequency). Single Sign On capability allows app users to automatically sign into cloud services, either at the print device user interface or from their mobile device, without storing any user data on the print device.

Glenn Mathis: Employers need to ensure staff is trained and aware of their digital footprint; this helps your company to understand its own vulnerabilities. It’s all too common that cyber threats are welcomed with open arms through inadvertent mistakes made by employees. Whether it’s downloading a file from an unknown sender, or something more malicious like responding to an email that appears to be from a colleague or superior, cybercriminals have found ways to reach staff at any level. Hosting a mandatory training with your entire staff will help educate them on the do’s and don’ts of online activity, and inform them of various things to look out for when using basic tools like email and web browsers. Password policies also need to be implemented, such as ensuring all employees have different passwords and do not share with others.

Nadeau: We have taken steps to mitigate the potential for loss, and accepted the residual risk associated with a BYOD policy after implementing these mitigation strategies. When assessing the risk, it’s important to recognize both the insider threat, malicious or unintentional, as well as the possibility of malware. Insider threats can be prevented through effective management of employees, cybersecurity education, and implementing and adhering to strict data classification policies. By effective management, I mean ensuring managers are able to identify signs of employee dissatisfaction, disengagement, or even financial struggles that could impact one’s judgment when handling company data. We also can detect and respond to potential data leaks through the use of a network IDS that identify anomalous behavior of users. The same goes for malware.

While surveys indicate that about two-thirds of companies have formal cybersecurity policies and procedures in place, two-thirds of those firms have said those steps have proven to be only moderately or slightly effective, or not effective at all. How can you create an effective cybersecurity policy?

Higman: It is important to reinforce the concepts outlined in your policies and procedures to the entire user base. One way to achieve this is by utilizing educational tools, such as a security awareness training solution to test and reinforce topics. As threats evolve and your technology stack changes over time, continual review and adjustment of the policy and procedures is a must. Businesses shouldn’t try to take this on by themselves; instead, it is more effective to engage cybersecurity specialists that do this for other companies.

Nachreiner: An effective security policy requires multiple parts, since no one security product, device or best practice will prevent every attack. A layered security approach that includes multiple types of network security protections, MFA and strong password management, secure Wi-Fi and employee education in security best practices is the best way to prevent data breaches. More than 80% of data breaches leverage weak or stolen credentials, so we know that passwords are a weak link in security overall. Implementing multifactor authentication to protect key online accounts with more than just a password and educating employees about things like password best practices, phishing defense tips and more are both extremely important to a successful cybersecurity policy.

In short, no security solution or program is every perfect, but the right mix of many technical and user security controls will greatly lessen the amount of security incidents an organization will need to handle.

Nadeau: I can think of three things that have brought us a lot closer to making the program more effective, but not foolproof. First, any effective cybersecurity program requires buy-in and accountability from the organization level. Without support from the board of directors, a cybersecurity program is doomed to fail. Second, there needs to be an emphasis on the employees. While they are any company’s greatest asset, they are also, in my opinion, the greatest liability. I’m not saying employees are inherently malicious; rather, they make mistakes that expose the company to potential data leaks that could easily be prevented — for example, clicking on a link in an email from an unknown sender that led to a fake Office 365 login page. Employees are also required as part of their employment contract to read and agree to abide by our company’s security policies and sub-policies. We keep the summaries short and understandable, so they know from day one what is expected of them. Third, these policies should not sit in a drawer and gather dust. The policies need to be reviewed regularly, preferably at least once a year, so as to refine and tweak the policy to better fit the corporate culture, the company’s evolving risk tolerance, and emerging threats. A stagnant cybersecurity policy will indeed become less and less effective as it ages.

What’s the best way for organizations to keep pace with rapidly changing compliance regulations?

Horton: Simply put, hire a consultant. Just as with legal or financial regulations, cyber regulations are rapidly changing and require dedicated expertise. With the California Consumer Privacy Act coming into effect in 2020, the implications are staggering.

Masoom: The best way is to be involved in standards bodies such as Common Criteria/NIAP. I would also suggest taking on advisory roles, attending conferences where compliance regulations are discussed, and staying informed to understand what may be coming, such as data privacy relative to GDPR.

What are some of the newest ways you are seeing security breaches occurring within companies and what are you doing or can companies do to help stop those?

Higman: A big threat in 2019 has been with ransomware-as-a-service being offered, so that even unskilled criminals can engage. The bad actors are getting into environments through the same tried-and-true methods: social engineering, phishing, and brute-force dictionary attacks via RDP (3389/TCP), just to name a few.

Effective strategies for mitigating risk and exposure to current and emerging threats starts with a multi-layered approach, including protection at the edge, layered endpoint protection, user education, security hardening of internal systems, multi-factor authentication, access control policies, network segmentation, event auditing, and secure backups of data.

Additionally, it can never be stated enough how important OS, application, and firmware patching in an environment is. It is easy to overlook the myriad of IoT devices on our networks, such as IP-based DVR and camera systems, or access control systems. If it is on your network, it needs to be kept up to date. If you don’t have the time or expertise, engage an IT services company that specializes in these areas to help.

Horton: Our company has seen a rather large increase in “cloud” oriented attacks. With the rapid pace of applications and infrastructure moving to the cloud, companies are typically under-prepared for properly securing their cloud environment. There’s a general misconception that the cloud provider will secure the organization’s data, but this isn’t the case. Most cloud providers have shared security models, in that the customer is required to understand the environment and secure it. Companies who move data to the cloud need to train internally, or hire a consultant, to meet the non-traditional security challenges of cloud computing.

Masoom: The fundamental attack vectors are the same. Ensure proper security controls are in place (access controls, common sense security measures – passwords, networks, firewalls). We have developed a powerful security framework based on the following principles:
• Prevent unauthorized access and log user activity (user authentication).
• Detect and stop malicious and harmful activity such as tampering with the firmware (firmware verification, McAfee whitelisting) and ensure only approved print devices are connected to the network (Cisco Identity Services Engine). In this regard, we have integrated with McAfee DXL and Cisco pxGrid for automated threat response to breaches and instant security policy activation upon threat detection.
• Protect data at rest and in motion with digitally signed, encrypted and password-protected file formats, hard disk 256-bit encryption and image overwrite, and domain filtering that restricts document transmissions.

Mathis: We don’t believe we are seeing new security breach methodologies as much as the increased cadence of the most effective breach mechanisms that have been around for some time. Open RDP ports attacks are being used with a higher frequency than before to deliver ransomware not because it is new, but because it’s easy and lack of cyber hygiene is easy to exploit.

Nachreiner: One of the newest techniques attackers are exploiting to breach networks is “living off the land.” This is simply the act of using legitimate tools to compromise and gain control of a network. Often, these types of attacks don’t use new exploit tools or fancy zero days. Rather, they start with a plain old targeted phishing email. Either through phishing, or the many public password leaks, the attacker gets a valid credential for an employee of an organization. Once they have that, they simply use legitimate business tools like remote desktop services or management portals to get in. Sometimes they can even use the credential to gain access to the central management platform of the security tools the victim uses. Once they are in, they can use normal Windows utilities like PowerShell, PSExec or basic scripts to do anything on the network that the IT department can. In short, attackers are increasingly focused on compromising networks without using new exploits and hacking tools at all, but instead by stealing credentials and leveraging the same tools their targets use.

Nadeau: The most significant threats we have faced in recent years involve the data breach of known contacts from our partners and suppliers. Attackers who have compromised these email addresses have refined their social engineering and research skills to become more effective at spearphishing campaigns that target us. One such email I recently received, along with dozens of other employees including our CEO, redirected to a legitimate OneDrive document, which itself had a corporate logo and signature font in the document, but had a link to a fake Office 365 login page.

While we have had less than half a dozen compromised email accounts over the past year, some modest investment in employee education, as well as notifications in the wake of such events, has been an effective tool in reiterating the importance of double-checking the legitimacy of incoming emails.

Another emerging threat we’ve seen is port scans and brute force PHP attacks. While we are not as concerned about these types of attacks due to the spray-and-pray style, we have considered the use of tailored honeypots that emulate our public-facing systems in order to identify and alert for more sophisticated attacks.

What are your best tips for smaller companies without massive resources to help them stay secure?

Higman: It is no longer a matter of if, but of when a business will be compromised. The proliferation of cybercrime-as-a-service, the relatively low risk of being caught, as well as the low cost of staging an attack for these bad actors means all businesses, from small to enterprise, are targets. It is no longer possible for a small business to take on the security tasks internally or hire a one-man-show IT consultant to protect them. Engage an IT services company and ask them about their approach and experience, in not only mitigating risk of attack, but of dealing with the aftermath of an attack.

Horton: We encourage all small businesses to focus on five specific variables, and to do them well. If nothing else, excel at these items: 1) keep all systems and applications patched and updated, 2) maintain an up to date inventory of all computers and applications, 3) maintain secure passwords and use multi-factor authentication, 4) only use commercial/paid anti-virus software, and 5) perform regular backups that are stored/copied OFFSITE via a commercial backup service.

Masoom: Smaller companies are at higher risk due to limited technical resources needed to combat the complex and growing cybersecurity threats. Our best advice is to employ a vendor that has the expertise and ability to assess a company’s security gaps, recommend and help implement security policies, and provide on-going management and reporting to ensure compliance.

Mathis: To start, we recommend an assessment of your system’s security to proactively prevent security events that compromise data. Even if your business seems secure to the naked eye, cybercriminals often gain access to valuable information only to lie in wait for busier times when their activity may be harder to identify. We offer a quick, 60-second IT security quiz to measure the health of your technology. We also offer a complimentary action plan to help you get in front of major IT vulnerabilities before they turn into larger issues for your business. The top three things you can do:
1. Security Awareness Training (required investment for all knowledge users)
2. Proactive Vulnerability Management Program (patch before you’re hacked)
3. SIEM (Security log monitoring to reduce mean time to detect a breach)

Work with an MSSP that doesn’t just manage and secure your network, but helps to train customers’ larger workforces on how they can take personal responsibility for their security. Engaging with a service provider that actively manages your business’ IT is an important step in securing valuable assets and data, but finding a partner that can work to educate staff on a regular basis ensures your business’ security is top of mind at any given moment. An MSSP will have the bandwidth to monitor security proactively, allowing employees to use their time furthering business goals.

Nachreiner: Smaller companies without much budget or security expertise on staff should look into working with a managed service provider (MSP) that offers security services or a dedicated managed security service provider (MSSP). We’re seeing more and more resellers move to a service provider model where they fully manage security for clients, rather than just reselling security products. This can be a very cost-efficient option for midmarket businesses to get strong security without needing to build it all themselves. If you do want to manage your own security, consolidated, single-pane-of-glass solutions like Unified Threat Management (UTM) devices really lessen the cost and management burden of achieving multi-layer security by combining all your security controls into one device.

Nadeau: I started out as a one-man cybersecurity organization and a part-timer at that. No matter how large your operation grows, cybersecurity will always fight for resources because at the end of the day it’s a cost center; it never directly generates revenue. It may be a revenue enabler when the security questionnaires come in as part of an RFP for print management and document capture, but it’s generally seen as the cost of compliance, and organizations always want to do this as efficiently (read: cheaply) as possible.

First, it’s always cheaper in the long run to build systems with security in mind, than it is to retrofit solutions at a later date. Second, take inventory, establish baseline controls, and maintain those records. This is the most cost-effective solution in the early days, and is also identified as the first two controls in the Centers for Internet Security’s Top 20 list. Which brings me to number three: On the operations side, look at the CIS Top 20 and implement those in order. On the R&D side, especially if you’re a software development firm, bookmark the OWASP Top Ten Project.

Do you worry about data center security?

Higman: The common misconception is that the cloud is safe and can’t be compromised. The cloud is just your data and applications sitting on another’s servers, and in many cases those servers are sitting in yet another’s data center. Cloud providers in general recognize the risk to their infrastructure and your data, and take necessary precautions to keep both safe. However, they are targets for attack, and there are certain things that they cannot or do not protect against. Understanding where you are at risk when you use a data center or the cloud is important. Does the provider back up your data? If so, for how long, and where is it stored? Do they offer robust security and logging off access? Do you have 2FA/MFA enabled? These are just some of the questions that a qualified IT services company can help you get answers to.

Mathis: Yes, all data centers are target-rich environments for cybercriminals. The wealth of data is concentrated and therefore the security measures (controls) in place should be commensurate with the risk (value) to the organization’s data and security. Data center security typically needs to be enhanced.

Nadeau: Absolutely, even when I’m 5,500 miles away from it.

What are your thoughts on cybersecurity insurance?

Higman: Businesses need to have discussions with their insurance providers and make sure they understand and correctly size their policies to best protect them from cybercrime. As the risk of cybercrime across the board increases, insurance companies are going to increase the requirements that a business needs to meet in order to qualify for protection against certain events. It is very important that businesses work with a qualified IT services company to make sure they continually meet those requirements.

Horton: In general terms, cyber insurance is getting better. Where it used to be an unknown, most companies are now seeing the value of having it. I would highly recommend that any company that stores or transacts sensitive data of any kind obtain cyber insurance. If a company is breached, even with a relatively small amount of data, the recovery and reporting fees can be staggering. Having the proper insurance will mitigate this risk.

Nachreiner: I believe that cybersecurity extortion insurance options that pay ransoms incentivize the bad guys to continue launching ransomware attacks. While I understand that paying the ransom is often the most cost-effective way to resolve a successful attack, this practice encourages attackers to continue. I’d counsel companies to focus on making sure they keep accurate, up-to-date backups of their data and to regularly test those backups. That way, if they’re hit with a ransomware attack, they can restore their systems and data without paying the ransom. In any case, cybersecurity insurance is still a useful addition to your security strategy. It can sometimes lessen the cost of a breach. However, it doesn’t override the need for security controls and backups. After all, there are soft costs to a breach, such as reputation damage, that cybersecurity insurance cannot protect.

Nadeau: In all the materials I’ve read on risk management programs, the four most commonly accepted strategies for managing risk is to employ a combination of mitigation, avoidance, acceptance, and transference. ISO 27005 calls the last one risk sharing, and cybersecurity insurance falls within this category. When used as an umbrella for cybersecurity risk in an organization, I see it as a waste of money and resources, and not what its original intent was. However, as cybersecurity professionals, our job, and particularly those involved in risk management, is to advise companies on the range of options and costs, residual risk, and the forecasted loss frequency and magnitude if we do nothing. If we’ve implemented mitigation and avoidance strategies, and have residual risk that is still outside of acceptable parameters, cybersecurity insurance is a good way to bridge that gap.