Security Blocking and Tackling

by Randolph P. Johnston, shareholder in K2 Enterprises, LLC 

How valuable is your data or your client’s data? Protecting confidential information or information that could do you or your organization damage is what security is all about. What are acceptable business risks? What actions should be taken to protect valuable information?

Attempts and success at obtaining valuable data are frequent and rewarding for hackers and other bad actors. In relationship to technology, Bill Gates said, “We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next ten. Don’t let yourself be lulled into inaction.” It is wise to apply this thinking to security, which will improve in the next ten years. But our computer security is more vulnerable today than it was 20 to 30 years ago. In the short term, expect more bad events to happen to others, your clients and possibly even you.

Good security reviews reduce the risk of exposure and eliminate the obvious. Bad actors will use attack vectors (methods) that are not so obvious and are very difficult to protect against. However, common sense best practice techniques should be considered the minimal protection to implement. For example, it is common knowledge that having an anti-virus software running on servers and workstations is needed, encryption should be used, and having a firewall that is properly maintained is the minimal protection today. Firewalls and anti-virus software should be used on all computers and in both businesses and homes. However, some sources note that anti-virus software may catch less than 60 percent of all attacks. Further, if these products are not updated continuously/daily, their effectiveness declines. Jack Danahy of Barkly Protects suggests in the “Cybersecurity Made Simple” guide that there are five potential solutions to Cybersecurity:

Technology Purpose Cost
Anti-Virus (A/V) Keep dangerous software off systems $
Security Information & Event Management (SIEM) Identify unauthorized or destructive behavior across the network $$$
Identity & Access Management (IAM) Enable only authorized access to systems and services, and tie individuals to those accesses $$$
Encryption Keep data obscured from everyone who lacks the authority to see it $
Firewalls Create a gateway to separate internal networks from external traffic and to block threatening network actions $$

You need to determine the scope of your security concerns to effectively mitigate risks and remediate technology properly. The scope of your security concerns could include: large amounts of data to store and secure; rapid increase in mobile devices; need for anytime, anywhere access to data; the large number of organizations being hacked; and the relative risks of the Cloud compared to on-premise data storage/ processing. Regulatory issues like HIPPA, GLB, PCI and other areas where there are penalties to enforce compliance are certainly risks. Additional risks include: ransomware, other viruses and malware, the Internet of Things (IoT), Cyber-espionage, Cyber theft/crime, insecure passwords, BYOD, unauthorized data access, data stored improperly without controls, privacy and regulation, and staff engagement. Some take the attitude that all data is public data anyway, so why spend any effort protecting it? You should determine how much of your data is okay to be readily available to the public.

The Verizon 2016 Data Breach Investigations Report provides additional alarming statistics. Four out of five breaches are attributable to external attackers. Most breaches target users and their devices including: servers – 40 percent, user devices – 35 percent, and users – 20 percent. Other data breach statistics are the following:

  • 63 percent of breaches involve weak, default, or stolen passwords.
  • 93 percent of breaches are accomplished within minutes
  • 99 percent of malware hashes are seen for 58 seconds
  • 85 percent of exploits were due to 10 vulnerabilities in 2015
  • 50 percent of breaches occur within 10-100 days of when a vulnerability is published
  • Phishing messages are opened 30 percent of the time
  • Email attachments are the number one delivery vehicle for malware
  • 90 percent of data breaches followed 1 of 9 common patterns
  • 362,000 new crypto-ransomware variants were identified in 2015

Further, the top five delivery vehicles for malware from the 2016 report include:

  1. Email attachments – 63 percent
  2. Web drive-by – 61 percent
  3. Email link – 39 percent
  4. Download by malware – 10 percent
  5. Network propagation – 10 percent

So, what can be learned from these security breaches? There are some technical issues that you can address with your IT Team:

  • Firewall Setup
    • VPN
    • DMZ
    • Intrusion detection/intrusion prevention
    • Gateway anti-virus
    • Site blocking
    • Geographic blocking
    • Outbound proxy apps blocking
    • Secure Transmission
  • Infrastructure Setup
    • Encryption of offsite data backup
    • DNS, Active Directory (AD) and Azure AD (public and private DNS)
    • Group policies and how your domain works
    • Software restrictions
    • NTFS and Access Control Lists (ACLs)
    • Data loss prevention (DLP)
  • Ongoing IT Responsibilities
    • Wireless networking security
    • Security suites/AV updates
    • System patching
    • Firewall updates
  • User Protections
    • Physical access and biometric access control systems
    • Remote access security
    • Smartphone security and encryption
    • Mobile Device Management
    • Two factor authentication – generally, easy to implement and easy for users
  • Recommended IT Resources

Recognize that security threats are real, continuous and in all places. It doesn’t matter whether you are running in the cloud, on-premise, or on a smartphone, tablet, Mac, Linux or Windows machine. You have threats using all technologies. Internet access, wireless, Bluetooth and other technologies of convenience have increased the risk of remote access to your data by bad actors. Some technologies that aren’t quite as convenient, for example multi-factor authentication, will provide more protection, but will be less convenient for users. Virtual Desktop Infrastructures (VDI) can be more readily secured, but because they are remotely accessed, are vulnerable. SaaS data can be intercepted in transit or in the browsers. Large data centers work hard to protect the data, but often do not know bad actors are in their systems for weeks, months or even years. Clearly, governments want access to the data as well. When everything is said and done, though, most of us will not give up the convenience and benefits of Internet access for the risks of thefts of data.

If you attach to the Internet, you must assume all data and email that you have is accessible by everyone. This data is more like a post card than a safety deposit box. You need to act to protect data, and your client’s information using the industry’s recommended best practices to show you are not negligent. Once you know of an issue, you will need to act on these issues. Formal security audits could trigger formal remediation from you. Perhaps you would be better served by doing your best to protect the data, have cyberinsurance for the eventuality of a breach, and understand you’ll have to act to minimize the reputational damage of losing client data. Let’s face it, how many organizations can you name that have had a breach that continue to be in business? It might be expensive and inconvenient, but losing all your client’s data today isn’t as much reputational damage as it was a decade ago. Finally, remember that if you know you need to act and don’t, the financial consequences to you will be greater.

Reprinted with permission of K2 Enterprises

Learn more at the 2017 Technology Conference

July 28, 2017
GSCPA Learning Center


Join GSCPA and K2 for one of the largest technology conferences for CPAs. Leaders Tommy Stephens and Mac McCelland from K2 provide attendees with tools that can be immediately put into practice. Longer sessions allow for a deeper dive into practical application of the information.

 

Register