Cybersecurity is an unwinnable war

Cybersecurity is an unwinnable war

You can’t actually WIN.

You can SUCCEED though.

But that doesn’t mean you don’t have to fight it anyway. Like many things in a safety and security realm, the threat is ever changing, and your strategy must flex with it. You have to manage the threat and fend attackers off while serving your customers and enabling your employees to do work.

AND you even have to let your employees do the work in the way they want to.

Top-down authoritarian restrictions don’t really work in the long run.

“The more you tighten your grip, Tarkin, the more star systems will slip through your fingers.” – Princess Leia

Security only works if EVERYONE on board participates and WANTS to be part of the culture that puts it near the top of the list.

Treat your employees and customers like robots, and they WILL find somewhere else to go. They WILL leak data through the cracks. They WILL leave the side door unlocked.

If your culture is a stance of defense and diligence, one of self-awareness and reliance and constant learning and improvement, then this should include your security posture as well.

The war is not winnable, but that doesn’t have to keep you from succeeding.

Need help? Contact us.

Death of a thousand cuts for your security posture

Death of a thousand cuts for your security posture

The make-up of a great security posture comes from having your “ducks in a row”… meaning you have the three Threat Management Vectors working effectively. These Threat Management Vectors are Detection, Prevention, and Response.

Yup, that’s right, all that jargon and spin to sell security products muddies the waters of what you should be doing to manage threats. These security products don’t take away any responsibility from your company, and these products are not sufficient without proper configuration. Even the best product can do very little without on-going tailoring to your business. Care and feeding of these security products by trained people will keep your CIO/ CSO out of negligent waters (jail) and your corporate brand safe and secure (without fines)

ADi helps hundreds of customers every year get security products off the ground while training the company’s engineers on how to use these products effectively and ensure these products are tuned well for Detection, Prevention, and Response.

However, ADi does regular health-checks and frequent security reviews. You might be asking, “If you are so good at training the company’s Engineers how to care for the security products, why would you need a heath-check or a security review?”

The answer to this question is at the heart of IT operations,… The HELPDESK or helpless desk as I often hear it referred. Most of us IT’ers have done our time at the helpdesk, and maybe some of you are there right now (don’t worry it’s not forever!).  Don’t get me wrong, in some companies you have a few rising rockstars but they quickly jump the ranks or go work somewhere else for more money (truth) The helpdesk usually ends up as an operational ticket “triage” that merely forwards the tickets to the right Engineers to solve the problem.

“Eventually the hole is so deep you are just shoveling dirt in your own face.”

As the Engineers become bogged down solving help desk requests or adjusting security policies to accommodate the office Halloween party, an endless cycle starts. The Engineer becomes consumed by helpdesk tasks while security tuning and threat hunting and response go by the wayside to accommodate business workflow tasks. This causes more helpdesk tickets. Before you know it, your environment needs a little housekeeping!

For security’s sake, get yourself a housekeeper! That is a reliable partner/ reseller, who is going to add value to your team and not just sell you stuff.

Keep your ducks in a row!

How do you treat your employees in a cyber war environment?

How do you treat your employees in a cyber war environment?

The most effective method for long-term cybersecurity is training.

It’s important to create a culture where security is just part of what you do. You can’t force users to be secure. Not in the long term. A lot of companies create endless sets of rules and lock down everything.

Of course, employees put their work ahead of your rules. They have stuff to get done. That’s how they end up sneaking in a thumb drive because they need to take work home. Then your design files get compromised on a coffee shop wifi, and we’re off to races.

Treat people with respect. Make it the cool thing to do in your culture to be secure. A healthy culture is more secure than a prisoner culture.

Need help? Give us a call.

2 factor and phishing

2 factor and phishing

Usernames and passwords. They’ve been around a long time. They work, sorta. They work better with a password manager that helps you make strong passwords unique to each of your logins.

But usernames and passwords have many problems. You could easily watch someone type their password in a coffee shop. I was on a commercial flight not long ago, and an executive from a MAJOR bank logged into their system in the row in front of me holding their smartphone at eye level for the whole plane to see.

“2 factor” is a concept that has been around for a long time, and is much more straightforward than the marketing fluff may make it seem. The idea is to add a second method of authentication to your existing login. So in the case of a username and password login system, having something physical that you also have to authenticate with as another layer of security. Sometimes the second factor can be who you are. Your fingerprint is an example.

While not foolproof, adding more layers does make unauthorized access to your accounts more difficult.

And that’s a foundation of security: make it more expensive to steal than the information is worth.

It’s very common to see text messages be used as a second-factor authentication, but we highly recommend at least an Authenticator app like LastPass, or Google Authenticator. If you really want to step up your game, a physical device like a Yubikey is an excellent and affordable choice.

In our research adding hardware 2-factor authentication dramatically reduces the chance of employees being phished.

What are red and blue teams anyway?

What are red and blue teams anyway?

Inside baseball (metaphor) : It usually refers to a detail-oriented approach to the minutiae of a subject, which in turn requires such a specific knowledge about what is being discussed that the nuances are not understood or appreciated by outsiders.

Security professionals are a detail-oriented bunch. It goes with the territory, but as the person making the financial decisions, it’s important to know the high-level concepts when they are making a case for why you should spend more money on security.

This brings us to Red Teams and Blue Teams.

It’s pretty simple. These are the basics. There are nuances and not every strategy follows these concepts exactly.

Red Team:

An external team that tries to infiltrate, Phish, and tests your security program. Sometimes referred to as penetration testing, but that’s a more specific set of tasks. The red team may use social engineering, network attacks, vulnerability attacks and the like to defeat your security. It’s important to note that this isn’t just merely testing how strong the wall is you’ve built. Often your security is weakest inside that wall you’ve spent so much time building.

Blue Team: 

The (often) internal security team that defends against the Red Team. But also the real attackers.  Depending on the organization, this may be a separate team from your regular security team or made up of some of those members. The primary goal of this is to assume you’re ALWAYS being attacked and defend against this by refining security processes.

Remember that security doesn’t mean just building a bigger wall. Security is a process that needs constant attention and starts from the inside out.

 

 

 

Being secure in public

Being secure in public

A few weeks ago I was sitting on a commercial airline flight minding my own business. When we landed, there was the usual mad rush to turn on cell phones and check whatever people check on their phones. Seated directly in front of me was a woman who held her phone up about eye level and typed her VPN password (to a major bank) in plain view for at least 3 rows behind her.

Let’s talk about being secure in public, shall we?

You can talk to your IT department on what to use or use a VPN service like VyprVPN to help keep your network connection secure while out of the office. The VPN on her phone was a great idea, but she missed the mark on the rest of her security posture.

We often overlook physical security when out and about. All of the network security in the world won’t matter if someone can look over your shoulder and watch your screen.

There are terrific screen covers that limit the viewing angle of your screen for your laptop. The best ones are even easily removable and tucked into your bag for the times when it’s not needed.

These are available for your phone as well, but on your phone, it could be as simple as paying attention to who might be able to see what you’re typing. Especially when you need to authenticate something important.

Remember, security is both process and posture. Don’t build up a huge wall and moat around your castle and then leave the side door unlocked.

 

 

 

Tips and Tricks Tuesday: Two tips for keeping yourself secure

Tips and Tricks Tuesday: Two tips for keeping yourself secure

Security depends very much on your actions as an end user. The more secure you are personally, the more secure you organization can be.

Let’s start with a simple things you can do right now to make yourself more secure.This week we’ll focus on passwords and authentication.

Use a password manager AND a different password for EVERY account

Data breaches happen. But it’s easy to mitigate the damage if you use completely different passwords for EVERY login. Managing this is easy with apps like Lastpass and 1Password (there are many others). You remember one login, and the app helps you generate secure passwords you don’t even have to know for every service.

Surely you can see how “!D4sL@nN1pJRbG” is a better password than your kids birthday right?

Turn on 2 factor everywhere it’s available

Most major services, from Facebook to Flickr offer a free way to get a text or use an authentication app like Lastpass authenticator to give you a second layer of password protection. This isn’t perfect, especially if you use text messages for this, but it’s better than your password alone. Check with your help section in the app on how to enable this and do it for EVERYTHING.

These two simple things can help make you dramatically more secure in your day to day internet interactions. Need a solution for enterprise password management or authentication? Let us know.