True North Networks Blog
What’s The Difference Between An Incident And An Actual Loss Of Protected Data?
Inadequate and ineffective technologies are often the culprit behind the failure of compliance mandates and initiatives for many organizations. Vulnerabilities can be a challenge for organizations to manage but identifying the weaknesses and the threats businesses face with information in a state of constant flux is not something to be ignored.
Cybersecurity incidents and the threat information associated with them may change as information unfolds, similar to Positive technologies’ latest findings regarding the Citrix vulnerability risk possibly affecting 80,000 companies in 158 countries. This number is not reflective of individuals; rather, it represents companies. Though the vulnerability exposing the email address and location for the 250 million records of Microsoft customer support and service records has been patched, and the exposure was less than 48 hours, the vulnerability exposed a window of risk.
Cloud computing continues to increase in market share, and many are left to wonder if data is truly safe in the cloud, and should the management of potential threats and vulnerabilities have a price tag? Technology advances at breakneck speed, and though the expense of data security or even recovering from a breach is deemed essential, is the vulnerability management itself not part of the budget? Learning about the management of vulnerabilities and how to mitigate the problems they create can be challenging, but it is achievable.
Same Players, Different Games
Common vulnerabilities continue to morph with increased speed, increased sophistication, and decreased visibility. Malware continues to change, zero-day exploits continue to rise, and incident management and response is still a challenge.
Regardless of malware type, having software in place to detect changes that have occurred, along with proper security policies and procedures in place, may help prevent these types of attacks from occurring. In 5 Way to help Fix Security Vulnerabilities, we noted steps that can be taken by organizations that include:
- Prioritizing Threat Intelligence
- Focusing on Compliance
- Automating Security Policies
- Addressing Internal Threats
- Making Security a Company-wide Culture
Phishing, infected software, spam, botnets, and weak passwords continue to be used as a way into an organization’s infrastructure. Adding AI into the mix could make the coming years in cybersecurity exciting but not impossible from a management perspective. The key to combating suspicious network activity is via prevention.
Though retrieval methods for obtaining this information may be more sophisticated, how to combat suspicious network activity is best done through prevention and effective endpoint security management.
The management of risk in cybersecurity is ongoing and will expand as new technologies enter the marketplace. Regulatory compliance and best practices of those compliances may require organizations to adhere to appropriate cybersecurity frameworks. For example, PCI requirements 10.5.5. and 11.5 require file integrity monitoring configurations to be performed weekly, and failing to monitor these configurations more frequently can result in the ability to mitigate network vulnerabilities.
In today’s world, using applications will never go away. The number of applications used by organizations enterprise-wide will just continue to increase with technological advances. The sheer number of security flaws within enterprise applications can be overwhelming, as a Veracode report has found that more than 80 percent of tested applications had at least one flaw. Though the security risk for these flaws significantly varies, the number is startling and will most likely not diminish anytime soon.
The potential for exploits will only increase as application security flaws continue to see issues including credential management, cryptographic issues, and overall information leakage.
Misconfiguration continues to be commonplace within enterprise networks, and as many have learned the hard way, one simple error in programming can compromise an entire network. Gartner currently notes that 95 percent of cloud security failures occur due to end-user, or human error, which includes configuration mistakes. With the cloud continuing to be crucial to future business success, misconfiguration is not something to be taken lightly.
One Cannot Monitor What Isn’t Being Managed
Noting statistics from Radware’s Global Application & Network Security Report, the lack of complete visibility across an entire network ecosystem is an ongoing issue.
Maintaining enterprise change is not just a best practice for IT management; it is also a critical component for creating the ultimate security backstop. With ransomware attacks occurring every 14 seconds, the amount it takes to read this sentence, deciphering change that is threatening (unknown changes versus planned changes), becomes the cornerstone to maintaining an appropriate cybersecurity posture.
Changes within an infrastructure often are expected, especially with system and application improvements and upgrades. However, if the enterprise and infrastructure are not consistently monitored for change, the management of those changes will be almost impossible to follow and administer.
Policy and knowledge are not always enough when it comes to eliminating vulnerabilities. Previously, we had noted the eight device types and elements that should be monitored for changes in real-time. Those include:
- File Contents
- Network Devices
- Active Directory
- Point of Sale(POS) Systems
- VMWare Configurations
- Compliance Policy
Though there is a concern for data in the cloud, and Radware’s report mentions that 30 percent of organizations feel data is secure in the cloud, it was noted that the benefits of cloud services outweigh the potential risks, which can include web app invasions and stealing of credentials.
For many within IT, network vulnerabilities may not be looked at as emerging risks but viewed more of as oversights. Maintaining compliance and the integrity of an IT infrastructure is not always standardized or even given consideration as most organizations lack the understanding of what “integrity” means in the context of IT Security.
Change control, which should be automated for accuracy and convenience’s sake, can be best automated with next-generation file and system integrity monitoring software, which significantly decreases time constraints when effectively monitoring for changes. Change monitoring consists of several aspects when correctly administered. This includes:
- Centralized Audits
- Real-time Change Reporting
- Unalterable logs
- Intelligent classification of changes
- Human Readable reporting
Data Protection and Security
It has been stated before, but worth saying again, “Data Protection is Integrity and Control.” Real-time detection and remediation can mean the difference between an incident and an actual loss of protected data/information. This data loss can, in turn, lead to devastating repercussions financially as well as brand reputation.
Many organizations may notice changes occurring within an enterprise infrastructure, but lack the time, resources, technology, or knowledge to determine if those changes are good, expected, unexpected, or even malicious. Additionally, those same organizations are not aware of to roll-back changes to a previously known or trusted state and a potential data loss/data breach can occur.
Five signs to watch for with a potential data loss/data breach in progress can include:
Critical File Changes
The addition, change, modification, or deletion of critical system files can occur once cybercriminals gain entrance into an organization’s network. Unless critical systems are being monitored for unknown or unwanted changes, these types of changes can go undetected for long periods.
Devices left on or turned on by a non-user could signify on-site or remote access tampering.
Unusual Device/Internet Response Time
Immediate reporting and investigation of devices or company network should be addressed by a security policy or end-user policy. If devices or the company network suddenly appears to be running more slowly than usual, this can be indicative of malware or viruses.
Unusual Outbound Traffic
A high volume of outbound traffic could signify a transfer of data. The detection of suspicious activities could be thwarted with regularly monitoring traffic patterns.
Abnormal Admin User Activity
Are logs being reviewed on a regular basis? Perhaps red flags have occurred — and may have been noticed — but lack of time by superusers has not prompted any action. To respond appropriately to incidents, organizations need to have full knowledge of their networks and the policies, procedures, and tools in place for monitoring assets regularly.
In addition to monitoring the above signs, user tracking and audit trails should be able to be monitored and should not be altered. Protection against threats with an ability to restore systems and files to a prior state is critical.
Fix Security Vulnerabilities and Stay Compliant
Prioritize: The first step to begin to fix or remedy vulnerabilities found within an organization’s network is to prioritize threat intelligence. Gaining access to comprehensive threat intelligence allows an organization to fully comprehend and respond to changes before a breach occurs. Without knowledge of threats and truly what is happening within an environment, risks cannot be addressed. Total network intelligence and compliance management can be the starting point for many businesses.
Make Risk and Security a Company-Wide Culture: Risk and security isn’t just a “compliance” or “IT” thing. This is a topic that should involve close collaboration with IT and overlapping departments. Knowledge of the risks within an organization’s structure is the first step, and knowing who may be affected is critical.
Focus on Compliance: Being compliant isn’t merely looking at a list and checking boxes. As previously mentioned, compliance represents a set of tools and best practices for protecting data, whether it is internal data or your customer’s data. Regardless of the type of compliance, whether it is PCI DSS, HIPAA, or GDPR, creating policies that support automation and action for constant compliance could help avoid a data breach and costly fines associated with a breach.
To learn more about Compliance and Vulnerability Management with CimTrak, download the Compliance Solution Brief today.
– Robert Johnson, III, President & CEO at Cimcor, Inc