Google Drive, SkyDrive and DropBox: You Are the Product, Not Them

Friday, May 18, 2012 by Chris Cronin

There is a great little cartoon I’ve seen on the Internet in which two pigs are marveling at the free barn and free food they get to enjoy.  The message of the cartoon is that they are not the customer; they are the product.

We should ask ourselves why there are so many free internet applications available to us that we don’t need to pay for.  There is certainly a lot of investment that goes into building the data centers, writing the code and running marketing campaigns that make these services available to us.  In fact, nothing is free.  And if you are not paying for a service, then you are the product being sold. Which is fine if you don’t mind being the product, and if you have a full understanding of how your information will be used.  In the medical world, this is called “informed consent.”  We don’t enjoy informed consent when using free Internet services because we are not provided the strategic vision of the companies who beckon us and collect our sensitive data.

So when I see Google Drive, SkyDrive, DropBox and other similar free file storage services, I get nervous.  While they offer to hold our information for us, their privacy policies actually suggest that their systems will grab information from our files to “improve their services.” Moreover, they make limited assurances that they will keep our information safe.  In fact, in 2011 DropBox had multiple embarrassing security breaches, including one that made everyone’s files available to the public.  But because they set our expectations so low about the security they provided, they had limited liability after the breach.

Because these new file sharing services are free and very convenient, people will increasingly choose to store their files there.  And we are very predictable as a species for how we manage information risk.  When we first sign up for the Google Drives, the SkyDrives and the DropBoxes we will at first promise ourselves to play it safe and to never store sensitive information or files there.  But then, on occasion, we will find that we need to move a sensitive file to another device – something slightly risky like a client presentation or a signed contract – and before we know it, our file sharing service of choice will have become a second hard drive, full of sensitive documents that never seem to get deleted.

Like I’ve said before on this blog, and several times with my clients, when business conflicts with security, business wins.  So if you’ve got DropBox, SkyDrive or Google Drive, expect that one day you will put sensitive information on the system.

But does this mean that you should never use these systems?  No.  It means that if you use them, put in some sort of failsafe so that if you decide to use these systems for sensitive information, they are automatically protected.

BoxCryptor is a tool that automatically encrypts files that you share on DropBox.  You control the encryption key, so DropBox will not be able to read your documents and the public will find them useless if they are ever breached.  BoxCryptor works on Windows, Mac, iOS, Android and Linux systems and has free and pay versions.

TrueCrypt is a more flexible and free tool that allows you to create a volume that – like BoxCryptor – automatically encrypts all the files within it, so it works seamlessly (theoretically) with all synchronizing folders and storage services.  However, it is not currently available for portable operating systems, such as iOS and Android.

If you do decide to use shared storage services - even if your security awareness is high - don’t trust your promise to never use them for sensitive information. You will eventually violate that promise. Instead, make sure you’ve protected your information first.  Using tools like BoxCryptor and TrueCrypt makes this very easy and gives you peace of mind while keeping all the convenience of these soon-to-be ubiquitous services.

Chris Cronin, GSNA Gold, GCIH, ISO 27001 Auditor
Principal Consultant, Governance & Strategy Practice
HALOCK Security Labs
Purpose Driven Security

Mobile Device Management

Friday, May 18, 2012 by Aaron Dombrowski

Enterprise-grade security and manageability features, once the primary strength of BlackBerry, are now available across the majority of mobile operating systems.  If your organization is considering implementing mobile technologies in your environment, you may find the following comparison of mobile security and management capabilities from InfoWorld very helpful:

Halock Security Labs has experts on hand that can help your organization develop a strategy to implement mobile devices in a secure, compliant, and cost-effective manner.  Please feel free to reach out to us today with any questions that you may have.

Aaron Dombrowski, PCI QSA
Senior Consultant, PCI Compliance Services
HALOCK Security Labs
Purpose Driven Security

The Modern Malware Ecosystem

Tuesday, April 17, 2012 by Brian Miller

Modern malware attacks are dominating the headlines and most of the focus is directed at the impact of an attack, the potential data loss factor or oftentimes the suspected perpetrator.  An important element to understanding the full spectrum of these attacks is to understand the modern malware ecosystem.

Malware Developers- At the forefront of modern malware is the malware developer.  The developer is, in essence, the software writer who engineers and designs the malware platform and its command-and-control infrastructure.  The malware developer creates the communication flow for the command-and-control servers and has a strong understanding of how to develop malware, and malware-supporting infrastructure, that is optimized to avoid detection.

The end product of the malware developer is often a malware toolkit, which is supplied downstream to distributors and associates who use the toolkit to engineer variant versions of the malware for field use.  These toolkits are available for purchase to anyone willing to meet the asking price.

Malware Distributors- Malware distributors procure the malware toolkits from the malware developers.  Malware distributors drive the demand for malware and are constantly looking to satisfy their appetite for innovative modern malware that can stay ahead of the detection, containment and remediation curve.

Malware distributors are in constant competition with each other.  In fact, malware distributors will often try to take over each other’s command-and-control infrastructure and leverage a rival’s bot network for their own purposes.  Malware distributors are constantly trying to avoid detection by authorities and by other malware distributors.

Malware Associates- Malware associates are the delivery mechanism for infecting targets with the actual malware.  Malware associates are hired out or contracted by the malware distributors to infect as many users and systems as possible.  The associates are compensated by the malware distributors based on the number of systems they can infect.  The more users that are infected, the more money the malware associate is paid.  In addition to the number of users, malware associates earn more money by infecting higher-value targets.

With the modern malware ecosystem alive and well the demand for malware that can avoid detection and stay ahead of the containment curve continues to grow.  


Brian M. Miller
Portfolio Manager - Strategic Security Solutions
HALOCK Security Labs
Purpose Driven Security

Nice Infrastructure.... Mind If I Borrow it??

Tuesday, April 17, 2012 by Martin Hurley

We talk a lot with our clients about the importance of due care and due diligence when it comes to compliance and risk management.  In order to perform proper due diligence, it's important to understand the nature of the attacks being directed against your infrastructure, the motivation behind them, and what steps are reasonable to detect and prevent these attacks.  

One commonly misunderstood point when it comes to the criminal element in cyber-attacks is the actual motivation.  Sometimes the point of a coordinated attack on a company isn't to steal documents or financials; the point may be to borrow or command all of your expensive hardware.  Stealthy worms and trojans that traverse well-traveled ports can provide attackers the perfect opportunity and backdoor to compromise endpoints and use their processing power and bandwidth to attack another network.  I have seen many environments where malware resides on a few key machines and, with careful and coordinated effort, an attacker can gain the ability to execute commands that make the entire infrastructure behave as a botnet.  A botnet is another term for a robot or automated network that utilizes the network addresses and processing capabilities of its members to execute commands scripted by a malicious hacker.  This can include commanding a poorly defended router to malform packets and send a heavy stream of garbage traffic, in coordination with other compromised networks, to a victim machine or network.  In this way, a botnet built from compromised hosts can be a useful tool in staging a distributed denial of service attack.

Your network, which consists of tens or hundreds of thousands of dollars worth of equipment, may be the perfect tool a hacker needs in order to carry out a successful attack.  Some botnets can be commanded to attack and compromise on their own, with the coordinated attack dictated by a "botmaster" or "bot herder".  The attacker remotely commands and controls these compromised computers via standards-based network protocols such as SMTP, IRC, and HTTP.  Typically the stealthy malware that joins the machine to the botnet will encrypt traffic to the control server to make it much more difficult for those communications to be flagged by network intrusion detection systems.  This also makes it much more difficult to see the true nature of the communication between your compromised hosts and the control center. This is important to consider because an infrastructure with a lot of computers and a lot of networking equipment can be devastating to a victim machine during a surprise attack.  If a botnet combines forces across multiple infrastructures and focuses all of its egress traffic on one target address, the victim machine automatically attempts to respond to each and every request until the switch, router or server is so overloaded that it simply stops working.

Due diligence is the key to mitigate risk and reduce liability. If there is gross negligence in terms of security measures, the victim may legally be able to seek compensation for loss of equipment and productivity.   Mass spam mailing from a compromised network can cause domain blacklisting and can lead to delivery failures of legitimate business communications.   The repercussions can lead not only to financial losses, but damage in reputation and brand name.   Halock offers services to help spot compromised endpoints and protect your business and network from being hijacked by botnet controls.
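Encrypting the command channel, as described above, hides what the bot and its controller say to each other, but not the rhythm of the conversation. As an added example that is not part of the original post, the Python below looks for that rhythm in constructed outbound-connection records: internal hosts that contact the same external address at near-constant intervals, and external addresses that several such hosts share. The log format, the hosts and addresses, and the jitter threshold are assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection log (not real data). Fields:
# timestamp, internal source host, destination address, destination port.
# Two workstations check in with one external host about every 60 seconds
# (HTTP and IRC ports); the third host shows ordinary, irregular browsing.
SAMPLE_LOG = """\
2012-04-17T09:00:00 10.0.5.21 198.51.100.7 80
2012-04-17T09:01:02 10.0.5.21 198.51.100.7 80
2012-04-17T09:01:59 10.0.5.21 198.51.100.7 80
2012-04-17T09:03:01 10.0.5.21 198.51.100.7 80
2012-04-17T09:04:00 10.0.5.21 198.51.100.7 80
2012-04-17T09:00:10 10.0.5.33 198.51.100.7 6667
2012-04-17T09:01:10 10.0.5.33 198.51.100.7 6667
2012-04-17T09:02:11 10.0.5.33 198.51.100.7 6667
2012-04-17T09:03:09 10.0.5.33 198.51.100.7 6667
2012-04-17T09:04:10 10.0.5.33 198.51.100.7 6667
2012-04-17T09:00:05 10.0.5.40 203.0.113.9 443
2012-04-17T09:00:07 10.0.5.40 203.0.113.9 443
2012-04-17T09:07:40 10.0.5.40 203.0.113.9 443
2012-04-17T09:21:13 10.0.5.40 203.0.113.9 443
2012-04-17T09:22:00 10.0.5.40 203.0.113.9 443
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times):
    """Return (mean gap in seconds, jitter ratio) for sorted timestamps.

    The jitter ratio is the standard deviation of the gaps divided by their
    mean: near 0 means machine-like regularity, large means human-like."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(text, min_connections=4, max_jitter=0.15):
    """Flag flows with enough connections whose gaps are nearly constant."""
    hits = []
    for key, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        mean, jitter = beacon_score(times)
        if jitter <= max_jitter:
            hits.append((key, round(mean), round(jitter, 3)))
    return sorted(hits)


def controllers(hits):
    """Destinations shared by more than one beaconing host: likely control servers."""
    by_dst = defaultdict(set)
    for (src, dst, _port), _mean, _jitter in hits:
        by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) > 1}


if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for (src, dst, port), mean, jitter in found:
        print(f"{src} -> {dst}:{port} every ~{mean}s (jitter {jitter})")
    print("shared controllers:", controllers(found))
```

Real traffic needs a longer window and a jitter threshold tuned against legitimate periodic clients (update checks, monitoring agents), which this sample does not contain.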

 

 

Marty Hurley
Security Solutions Consultant
HALOCK Security Labs
Purpose Driven Security

10 Years of Malware and Threats

Tuesday, April 17, 2012 by Nancy Sykora

Again, from a Dark Reading article, Microsoft Studies 10 Years of Malware and Threats.  Microsoft, in celebration of the 10-year anniversary of the launch of its Trustworthy Computing Initiative, published a special edition of its Security Intelligence Report.  They looked at the past 10 years and how the threat landscape has evolved.

Trends - The near disappearance of worms and the continued surge in socially engineered malware threats and Trojans.  As software gets less buggy, it raises the bar for attackers.  This is why we're seeing the jump in social engineering attacks that lure users into opening infected attachments or clicking on malicious links that spread Trojans.  They stated that social engineering is probably a mainstay now.

The report looked at the "cleanest" countries malware infection-wise.  Finland had the lowest rate of infected machines in 2011, with just over 1 infected machine per 1,000 machines.  Japan had just over 2 per 1,000 machines, followed by Norway, Switzerland, and Australia, all of which had fewer than 4. Turkey (57), Korea (20), Brazil (just under 20), Taiwan (more than 15), and Spain (just over 10) didn't do so well.

They examined Finland more closely to find out why, and did a case study on TeliaSonera, Finland's largest ISP.  TeliaSonera wanted security to be a competitive differentiator in its services.  In the wake of the Rustock botnet takedown and Microsoft's Digital Crimes Unit giving Finland's CERT a list of Rustock-infected IP addresses, TeliaSonera found that it was taking an average of 40 minutes per customer to clean up the machines.  So they automated the process, and used the Rustock data to identify infected machines on its network and kept them quarantined until they were cleaned up.  TeliaSonera alerts infected customers and places the user's machine in a "walled garden" until the machine is remediated and cleaned.

There were also strong relationships between the ISP and other organizations in the region - including public and private sectors, and they tended to be more proactive.  The regions also had aggressive public service campaigns to educate users, promoted up-to-date software, and had low software piracy rates.


Nancy Sykora
Sr. Account Executive
HALOCK Security Labs
Purpose Driven Security

Would You Bet on the Security of Your Network?

Monday, April 16, 2012 by Nancy Sykora

This was from an article published on Dark Reading recently.  It was from a survey of 300 IT professionals, conducted by PhoneFactor, an authentication tool vendor. 

They were asking IT professionals if they would be willing to bet any of their own money that their networks would not be breached in the next 12 months.  57.7 percent refused to take the bet, opting for $0.

More than two-thirds (70.3 percent) of the respondents were only somewhat confident or not at all confident that an unauthorized person could not gain access to their networks.

Only one quarter (25.7 percent) were very confident that they would know that their networks had been infiltrated.

When asked if an expert hacker could gain access to their networks, 84.4 percent thought it was at least possible, and 23.1 percent said that an expert hacker could definitely gain access to their corporate networks.

Top reasons given:

  • The networks may be vulnerable to malware (55.4 percent)
  • Use of personal devices to access company resources (45 percent)
  • Sheer volume of attacks (35.2 percent)
  • Widespread use of remote network access (32.6 percent)


Nancy Sykora
Sr. Account Executive
HALOCK Security Labs
Purpose Driven Security

Social Engineering

Friday, April 13, 2012 by Nancy Sykora

As a follow up to Security Awareness Training, I challenge you to do some Social Engineering tests!

Social engineering can be done remotely, using telephone and carefully crafted email messages to try to coerce the employee to provide information they should not be providing.  Giving away sensitive information, passwords, clicking on an email and unknowingly downloading malware are pretty much red flags.

On-site social engineering uses techniques to gain physical access to office locations, and once inside, to find information physically displayed, gain access to a network, or reach locations normally considered to be off-limits.

Some organizations regularly test their employees through email campaigns to see if anyone takes the bait.  It may seem a bit harsh, testing your own employees' security awareness, but it's a fact these days that it's best if you find out whether further training is needed before the bad guys beat you to it.


Nancy Sykora
Sr. Account Executive
HALOCK Security Labs
Purpose Driven Security

Security Awareness

Thursday, April 12, 2012 by Nancy Sykora

I often write about security awareness training, but it bears repeating periodically.  Security awareness training is required by some standards - the PCI DSS is pretty specific about requiring it.  Security awareness training for the general employee population on at least an annual basis is a good idea.  More technical training for IT or application developers is also a good idea.

There's some excellent training available these days.  We've developed our own program that we offer clients for employee security awareness training.  We've also partnered with organizations to provide specific technical training/LMS.

Our Incident Response/Forensic Practice provides training - First Responder training.

Having a well trained team of employees, from the receptionist to the IT CIRT team, can only help safeguard against the extremely sophisticated attacks that are being mounted by hacker groups these days.  And, of course, include all levels within the organization.  Sometimes the least "information security aware" employees are among the highest ranking in the organization.


Nancy Sykora
Sr. Account Executive
HALOCK Security Labs
Purpose Driven Security

3rd Party Providers

Wednesday, April 11, 2012 by Nancy Sykora

Remember when the big car companies in Detroit went through their quality measures and certifications, then began requiring all their 1st tier vendors to undergo the same quality certifications?  This later trickled down to the multiple tiers of vendors that supported the 1st tier vendors.  It was (is) called QS 9000.

Well, basically the same thing has happened in information security.  PCI states it, HIPAA states it, ISO states it.  Not only does the end client organization need to adhere to these quality standards for information security, but any partners, 3rd parties, that may access, hold, transfer, or otherwise impact the security of sensitive data need to take measures to safeguard that data.

So many times you read about breaches that occurred that resulted from a 3rd party that mis-handled data, or accessed systems to provide support, but didn't restore the system to a pre-established level of security before departing, leaving something open for the bad guys to find.

It's always a good idea to thoroughly review the contracts you have in place with your 3rd party providers to ensure appropriate levels of control are in place to safeguard your data.  Independent audits of the providers are also commonplace, so it's a good idea to include a right-to-audit clause in your contracts with those partners.


Nancy Sykora
Sr. Account Executive
HALOCK Security Labs
Purpose Driven Security

Web Application Security Assessments

Tuesday, April 10, 2012 by Nancy Sykora

Web application security assessments should be part of a mature security program.  Both ISO 27002 and the PCI Data Security Standards call for in-depth web application security testing.

Here are some of the most serious web application vulnerabilities as seen by the security community, as reflected in the OWASP Top 10:

  • Injection flaws
  • Cross-Site Scripting
  • Broken Authentication and Session Management
  • Insecure Direct Object Reference
  • Cross-Site Request Forgery
  • Security Misconfiguration
  • Failure to Restrict URL Access
  • Unvalidated Redirects and Forwards
  • Insecure Cryptographic Storage
  • Insufficient Transport Layer Protection

We regularly perform web application security testing for our clients.  Oftentimes, it's an ongoing program, with rolling tests over time of significant applications.  At a minimum, it should be annually, and after any major revisions to the application.


Nancy Sykora
Sr. Account Executive
HALOCK Security Labs
Purpose Driven Security

When Security Interferes with Business . . . Business Trumps Security

Tuesday, April 10, 2012 by Chris Cronin

In a mad dash toward security compliance or to plug known vulnerabilities, IT professionals have a tendency to implement security controls without thinking through what could go wrong with them.

They mean to do well. They really really do. But sometimes people can create new risks when our intention is to reduce them.

Take my favorite humbling story from early in my information security career. I was auditing a company whose information analysts were paid by the hour to crunch financial databases.  If a batch of data analysis took 6 hours to run, then that was 6 hours billed. If they had enough demand and two data analysis systems, then they could bill for 12 hours in that 6 hour period. So I asked during the audit how the analysts kept their information processing going over the week-end, after seeing that they ran billable analysis all week long when the demand was high.  “Well,” they said, “We’ve got computers at home, too.  We log on through the VPN, download data to our home computers and crunch numbers there at the same time.”  Knowing that some of that data could potentially be personal, sensitive data I reacted strongly, “You’ve got to prevent data from being sent to home computers over the VPN, NOW!”

And the IT team agreed, as did their CIO, and they shut down data transfers over the VPN to personal computers.  It would be tough on billable work, unless some power-house laptops that the company controlled and encrypted could be used for the same purpose.

I stopped by the analyst team the next week and asked whether they got their new laptops, or were they coming in to work after hours to manage their week-end-long analysis. “Oh, no problem at all,” they said, “We’re able to continue billing through the weekend and overnight still.”  “Good,” I said.  “And how are you doing that?” “Well, when we’re in the office, we just copy the databases onto these USB thumb drives . . . “

*sigh*

What had I done?  I had prompted the analysts to increase their risk by blocking their normal business activities without thinking of the consequences. What if they drop those USB sticks?

There are two complementary lessons here that we need to keep in mind as we design information security controls:

  1. When information security controls interfere with incentivized activities, the incentivized activities will win . . .
  2. . . . and when they do, there will be new risks created.

So how do you implement these controls without adding new risks?

Whether you are applying the ISO 27001 standard, working toward PCI DSS compliance or compliance with laws and regulations, new information security controls should be designed in cooperation with the end-users who will have to live with those controls.  If the planned control is feasible from a process, business, technology and physical standpoint, then try it out. Test it.  Observe how people behave during the testing.  Interview the end-users and the administrators who are responsible for working with the new controls.  Are there unnecessary impediments to business?  Are the controls sustainable? Are these controls interfering with other controls?

If your test of the new controls reveals these shortcomings, then tweak them, again with the cooperation and ideas from the end-users, and test your revised controls.  In short: reduce their need to work around security controls so they can get their work done!

Your information security controls must support the business by reducing risks while allowing business processes to succeed.  Working with end-users to design security controls that meet both of these requirements is a certain way to achieve both goals.

Chris Cronin, GSNA Gold, GCIH, ISO 27001 Auditor
Principal Consultant, Governance & Strategy Practice
HALOCK Security Labs
Purpose Driven Security

PCI Compliance

Monday, April 9, 2012 by Nancy Sykora

PCI Compliance has been around for a while now.  It's funny to me to see QSAs now offering special pricing to provide services to Level 2 Merchants.  Their packaged pricing includes fixed fee services to assist Level 2 Merchants in getting validated.

Well, news flash!  Most QSAs provide their validation services on a fixed fee basis.  Always have.  For all levels of merchants.

Keep in mind, all levels of merchants need to comply with all the requirements of the PCI Data Security Standard (now version 2.0) that apply to them.  It's not just the level 1's.  It's all merchant levels, even the level 3's and 4's.

Any QSA worth their weight is going to approach each client individually, of course.  Every client environment is a little bit different.  As far as the services being provided on a fixed fee or hourly basis, if a QSA has done enough validations and has the experience level, they will know exactly how to price their services fairly and competitively.


Nancy Sykora
Sr. Account Executive
HALOCK Security Labs
Purpose Driven Security

Where to Begin?

Friday, April 6, 2012 by Nancy Sykora

Sometimes we'll talk with clients and they feel like they don't know where to begin in managing information security.  A great first step would be a Risk Assessment.  A risk assessment recommends treatment of discovered risks and then manages remediation of gaps in risk controls.

You will be looking at your organization holistically - security infrastructure, technology, people, and processes - to compile a list of organizational risks based on potential business impact.  This enables executive management to better understand the importance of information security remediation steps, because they'll "get" the business impact.  This also enables Operations/IT to select appropriate controls and gain funding from executive management, because everyone is on the same page when it comes to the impact on the business.

When you start thinking in terms of what the likelihood is of a threat occurring to a particular asset, and what the impact to the organization would be if that asset were compromised (confidentiality, integrity, or availability), it makes more sense.

You'll pair the vulnerability with an applicable threat.  Each risk will have an impact rating associated with it.  The likelihood that the threat/vulnerability pairing could occur will be determined and rated.  This is your Risk Register.

Next comes the Risk Treatment Plan.  You can choose to Reduce the Risk, Transfer the Risk, Avoid the Risk, or Accept the Risk.  Controls can be implemented to reduce the risk.  Sustainability of the controls should be considered.  Finally, document the threat/vulnerability as it would exist after the proposed controls are implemented.

So it really makes sense to do a Risk Assessment first.  Otherwise you may be implementing controls that aren't actually protecting the most important business assets, or implementing solutions that may be over-controlling assets or under-controlling assets.
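The Risk Register and Risk Treatment Plan described above, as an added example that is not part of the original post: a small Python model that scores each threat/vulnerability pair by impact times likelihood, records the chosen treatment and controls, documents the risk that remains afterwards, and flags assets that end up over- or under-controlled. The five-point scales, the acceptance threshold and the sample risks are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Five-point ordinal scales for impact and likelihood. The scale labels,
# the acceptance threshold and the sample risks below are assumptions made
# for this example, not figures from the post.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
ACCEPTABLE = 6   # a risk scoring at or below this may simply be accepted


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    security_property: str          # confidentiality, integrity or availability
    impact: str                     # key into IMPACT
    likelihood: str                 # key into LIKELIHOOD
    treatment: str = "Accept"       # Reduce, Transfer, Avoid or Accept
    controls: List[str] = field(default_factory=list)
    residual_impact: Optional[str] = None       # after controls, if changed
    residual_likelihood: Optional[str] = None   # after controls, if changed

    def score(self) -> int:
        """Inherent risk: impact x likelihood before any treatment."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    def residual_score(self) -> int:
        """Risk that remains once the proposed controls are in place."""
        return (IMPACT[self.residual_impact or self.impact]
                * LIKELIHOOD[self.residual_likelihood or self.likelihood])


def build_register(risks):
    """The Risk Register: every threat/vulnerability pair, highest score first."""
    return sorted(risks, key=lambda r: (-r.score(), r.asset))


def treatment_findings(register):
    """Flag treatments that leave an asset under- or over-controlled."""
    findings = []
    for r in register:
        if r.treatment == "Accept" and r.score() > ACCEPTABLE:
            findings.append((r.asset, "under-controlled: accepted above threshold"))
        elif r.treatment == "Reduce" and r.residual_score() > ACCEPTABLE:
            findings.append((r.asset, "under-controlled: residual risk still too high"))
        elif r.treatment == "Reduce" and r.score() <= ACCEPTABLE:
            findings.append((r.asset, "over-controlled: risk was already acceptable"))
    return findings


# Constructed sample register (hypothetical assets and threats).
SAMPLE_RISKS = [
    Risk("customer database", "external attacker", "unpatched SQL injection",
         "confidentiality", "severe", "likely", treatment="Reduce",
         controls=["patch and code review", "web application firewall"],
         residual_likelihood="rare"),
    Risk("billing server", "hardware failure", "no spare parts contract",
         "availability", "major", "possible", treatment="Transfer",
         controls=["vendor support contract with 4h SLA"]),
    Risk("lobby kiosk", "vandalism", "unattended device",
         "availability", "minor", "possible", treatment="Reduce",
         controls=["CCTV", "security guard"]),
    Risk("HR file share", "insider", "broad share permissions",
         "confidentiality", "major", "possible", treatment="Accept"),
]


if __name__ == "__main__":
    register = build_register(SAMPLE_RISKS)
    for r in register:
        print(f"{r.score():>2} -> {r.residual_score():>2}  {r.asset}: "
              f"{r.threat} / {r.vulnerability} [{r.treatment}]")
    for asset, note in treatment_findings(register):
        print("finding:", asset, "-", note)
```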


Nancy Sykora
Sr. Account Executive
HALOCK Security Labs
Purpose Driven Security

Good Housekeeping by the OTA

Thursday, April 5, 2012 by Nancy Sykora

This is a great recommendations list published recently by the OTA - Online Trust Alliance:

The Top 10 recommendations address the most frequent exploits including malicious email, phishing and deceptive websites as well as emerging threats impacting online trust and confidence. 

  1. The browser is the first line of defense, yet over 40% of users have outdated and insecure browsers, lacking integrated anti-phishing, malware protection and online tracking privacy controls.  Businesses are recommended to upgrade all employees to the most current browsers and to encourage consumers by notifying them of insecure and outdated browsers.  In addition, consider terminating support for end-of-life browsers with known vulnerabilities by preventing logons and providing instructions to upgrade.

  2. Upwards of 10% of computers are infected by “botnets”.  Scan your systems weekly and remediate the threats.

  3. Deceptive and malicious email continued to grow in the past year, targeting business users, government agencies and consumers.  Implement email authentication to reduce the incidence of spoofed and forged email, which may lead to identity theft and the distribution of malware and tarnish your brand reputation.  Authenticated email gives ISPs, mailbox providers and corporate networks an added ability to block deceptive email, reduce false positives and protect online brands and sites from deception.

  4. Cybercriminals are increasingly snooping and eavesdropping on wireless connections, including at airports, coffee shops and the library.  Always-on SSL (AOSSL) encrypts all connections and communication, including users’ names and passwords. This standard is now implemented by leading sites including Twitter, Facebook, PayPal and Microsoft.

  5. Encrypt all data files containing customer profiles, email addresses and/or PII which are transmitted externally or stored on portable devices or media, including flash and USB drives.

  6. Develop and test a proactive Breach & Data Loss Incident plan to be prepared for data breach and data loss incidents, minimizing the risk and impact to customers and business partners. Such plans help to inventory data collection policies, user access and destruction processes while developing a plan to respond to data loss and breaches.

  7. Require strong passwords and educate users on effective password management to minimize the risk of account takeovers.  Consider modernizing password/passphrase requirements. Include security questions with highly variable answers which are not publicly discoverable on social networking sites.  Consider: a) requiring strong passwords for employees and restricting customers from using weak passwords; b) forcing a password reset every 30 to 60 days; c) ensuring service accounts are not used by staff or usable through customer-facing applications; d) performing regular entitlement reviews and removing unused or terminated employee accounts immediately; e) limiting the number of access attempts and forcing account shutdown requiring administrative interaction.

  8. Enable automatic patch management for operating systems and applications, including add-ons and plugins.  Proactive patch management can harden your system against known vulnerabilities.  End-of-life applications which are no longer supported should be removed or used only in isolated and secure sessions.

  9. Continuously monitor third-party code, links and advertising on your site to help prevent malicious content and ads being served on your site.  Request that third-party content providers and ad networks adopt anti-malvertising guidelines.

  10. Enable encryption on all wireless routers and access points, and hide your SSID (Service Set Identifier) or name it to help ensure that the SSID does not provide details which identify your business.  Change your keys frequently to help prevent key disclosure or unauthorized use.  If you are providing free wireless services, limit how and when your network can be used, monitor usage and keep the network isolated from your business network.


Nancy Sykora
Sr. Account Executive
HALOCK Security Labs
Purpose Driven Security

Advanced Malware - Assume the Worst

Wednesday, April 4, 2012 by Nancy Sykora

With advanced malware these days, you've got to assume you're probably already infected.   Typical testing methods, though good for spotting vulnerabilities, may not find the malware already lurking in your environment.

We partner with one of the best advanced malware threat protection firms to provide our clients with additional assessments to find and eradicate advanced malware.  This solution:

  • Actively analyzes unknown code and suspect web objects
  • Cuts off outbound malware transmissions across multiple protocols
  • Dynamically generates malware intelligence
  • Blocks spear phishing attacks

There have been very few environments where we've installed one of the appliances that have come out clean.  Usually there are multiple malware findings, with client information sailing out the door.  It's pretty compelling when you see a report.

I would expect that one day everyone will have an advanced malware threat detection appliance in place.  It will become as common as your firewall.


Nancy Sykora
Sr. Account Executive
HALOCK Security Labs
Purpose Driven Security

Incident Response Readiness

Tuesday, April 3, 2012 by Nancy Sykora

An offering of ours, Incident Response Readiness, is, I think, going to see a lot more attention in the coming year.  I'm already noticing it.

Many organizations do a great job of protecting their information.  Even so, at some point you may be breached.  Actually, most now are saying not "may" but that you likely will be breached.  Do you have a plan in place to react?  Do you and your team know what to do?

You test your Disaster Recovery plan, right?  Do you have an Incident Response plan and test it?

We assist organizations in establishing IR readiness plans, training the First Responders, and testing the IR plan.

Important components in an IR plan:

  • Technology Assessment
  • Incident Response Strategy and Planning
  • First Responder Training
  • Contractual Requirements Identification
  • Breach Notification
  • SLA Requirements Identification for Third-Party Response



Nancy Sykora
Sr. Account Executive
HALOCK Security Labs
Purpose Driven Security

Governance of Enterprise Security

Friday, March 30, 2012 by Nancy Sykora

Just read an interesting survey finding.  The 2012 survey was done by Carnegie Mellon CyLab, sponsored by RSA.  They surveyed how boards and senior executives are governing the privacy and security of their organizations' digital assets.  They used the Forbes Global 2000 list; respondents included CEOs/Presidents (52%), Corporate Secretaries (15%) and Board Chairs (24%).

The general take away was that boards and senior management are not exercising appropriate governance over the privacy and security of their digital assets.  Sample table from the finding:

  Best Management Practice                                                      Regularly   Occasionally   Rarely or Never
  Board reviews & approves top-level policies on privacy & IT security risks     23%         28%            42%
  Board reviews & approves roles & responsibilities of lead personnel
    responsible for privacy & IT security                                        19%         18%            66%
  Board reviews & approves annual budgets for privacy & IT security programs     28%         10%            54%
  Board regularly receives reports from senior mgmt regarding privacy &
    IT security risks                                                            38%         34%            25%

The findings are consistent with complaints by CISOs/CSOs that they cannot get the attention of their senior management and boards, and that their budgets are inadequate.

The survey results indicate a serious lack of attention at the top.



Nancy Sykora
Sr. Account Executive
HALOCK Security Labs
Purpose Driven Security

Not All Data Centers Are Created Equal

Friday, March 30, 2012 by Martin Hurley

When a company decides to implement a cloud-based solution for centralizing business processes, there are many factors that need to be considered.  Often a company is blind, or has only limited visibility, into the provider's facilities.  When choosing a vendor for cloud services it is imperative to complete a comprehensive physical assessment of the provider's facility.  There is simply no way to choose a provider based on price and then trust that the facility is in the condition they claim it to be.

A detailed assessment of the datacenter can reveal security or compliance gaps that could not be uncovered by just "taking their word for it".  When choosing a cloud services partner, every detail about the datacenter facility should be taken into consideration before migrating to a cloud-based solution.  Without an on-site visit to the datacenter and a comprehensive evaluation, it is hard to select a cloud vendor with confidence.  Deciding to route sensitive, mission-critical traffic to an offsite facility is a very important business decision.  There should be many layers of security and redundancy built into the architecture of the datacenter.   A comprehensive on-site evaluation can offer a detailed overview of the security, availability, and performance of the facility.  It can also help validate the vendor selection and give assurance that the transition to the cloud solution will go as smoothly as planned.  Halock offers on-site datacenter and vendor evaluation services designed to identify the relative strengths of competing providers and give a fair and accurate overview of cloud service provider facilities.


Marty Hurley
Security Solutions Consultant
HALOCK Security Labs
Purpose Driven Security


Security Implications of Leveraging Cloud Computing

Friday, March 30, 2012 by Aaron Dombrowski

Cloud computing is rapidly evolving into a service model that has the potential to save money and create efficiencies for organizations large and small.  This new model can help achieve significant cost savings, reduce IT complexity, and increase flexibility in adapting to a changing business environment.  The benefits are clear, but organizations must carefully consider the security implications for their sensitive data.  Without a thorough risk assessment, these gains can be wiped out by increased risk exposure.

Organizations must first decide which functions should be implemented in a cloud environment and which should stay on a secure internal network.  The common approach is to use the cloud for less sensitive functions such as accounting and HR management, while keeping intellectual property and mission-critical applications within the internal network.

Once an organization determines which functions to implement in the cloud, it must then determine the appropriate controls that need to be in place.  Furthermore, these controls must take into account applicable compliance requirements such as the PCI DSS and HIPAA.

So what must be carefully considered with cloud computing?  Halock Security Labs recommends that organizations consider the following:

  • Contractual Agreements: provide the essential legal recourse in case of a security breach
  • Third-Party Audits: such as ISO 27001 or SSAE-16, further demonstrate that the cloud provider has appropriate controls in place
  • Availability: define the acceptable availability requirements to satisfy your business needs
  • Back-Up and Recovery: agree on the acceptable back-up and recovery requirements that follow your incident response plan
  • Decommissioning: confirm that data will be securely deleted in case your organization decides to move out of the cloud or to another service provider
  • Security: ensure that appropriate data encryption, segregation, access controls, and systems management processes are supported within the cloud environment
  • PCI Compliance: if your organization handles cardholder data, your cloud service provider may be considered a PCI Service Provider, depending on the services provided, and would have to be able to demonstrate compliance with the PCI Data Security Standard

Halock Security Labs can help your organization realize the full potential of this new computing model.  Please give us a call today to learn more @ 847.221.0200.



Aaron Dombrowski, PCI QSA
Senior Consultant, PCI Compliance Services
HALOCK Security Labs
Purpose Driven Security

Your Nerds Don’t Understand Compliance Either.

Monday, March 26, 2012 by Chris Cronin

On January 18th, Jon Stewart of The Daily Show teased U.S. Representative Mel Watt for failing to understand a bill that he was trying to pass.  The House Subcommittee on Intellectual Property, Competition and the Internet was deliberating on the now infamous SOPA bill which, while designed to limit media piracy on the Internet, was over-reaching.   What was particularly funny to Stewart was that Watt and his colleagues said, several times, that they needed to consult the "nerds" to find out how the Internet worked, and thus how the law would work.  The reason the Internet bill was over-reaching, it turns out, was that Watt and his fellow members of Congress had no idea how the Internet worked.

Sorry to break down a joke like that, but I have a point.

Information security, like Internet laws, can only work if organizations take an interdisciplinary approach to compliance requirements.  But business managers are commonly asking their IT managers to take on information compliance as their sole responsibility. 

Here are three major flaws with this approach:

Flaw 1: Laws and regulations like HIPAA, 201 CMR 17.00, Gramm-Leach-Bliley and EU Safe Harbor are not particularly IT issues.  They have specific non-IT requirements that must be owned by the appropriate management.

Flaw 2: Information security laws and regulations are regulating information, not technology.  But IT does not own the information!  They administer it, they make it efficient, they can help make it safe, they may even design strategic processes for information.  But they do not own the information!  Therefore, they cannot enforce rules for using it.

Flaw 3: IT staff are as good at interpreting legal documents as sales people are.  And administrative support staff.  And carpenters.  Or bakers.  In fact, I can only think of . . . oh . . . attorneys who would be good at interpreting laws.  I'll ask IT to take charge of compliance the day I ask my dentist to submit my income tax forms.

Information compliance laws and regulations require attention by management who have responsibilities for information . . . not only information technology.

So how should you get to compliance?  Develop a team of managers who have information responsibilities, gather authoritative guidance for interpreting the laws, and create a road map (gap assessments and risk assessments are critical!) to move toward compliance.

These managers, including IT, should be assigning controls to their team members that align with the detailed requirements that come from laws, regulations and even contracts.  And those controls should be prioritized by the compliance team as a whole, because you share resources (like budgets, time, and people).

If you assign sole responsibility to IT for anything that is not IT, make it party planning, or lunch ordering, or first choice in the Book Club.  Compliance is something you will all need to do together.



Chris Cronin, GSNA Gold, GCIH, ISO 27001 Auditor
Principal Consultant, Governance & Strategy Practice
HALOCK Security Labs
Purpose Driven Security