Is your data already out there?

CIOs cannot underestimate the creativity of online organized criminals to quietly penetrate their IT systems through a growing area of vulnerability: employees and vendors, according to 360 Advanced.

David James Smith, an information technology security consultant at 360 Advanced said: “It has been my experience that a lot more is happening inside a company and inside a network that is just as dangerous. Your information, your data, may already be out there and you don’t even know it.”

With the growth of APTs, Smith explains there is an expanding number of attackers who are intentionally going through small numbers of trusted but lax employees and vendors to get into information systems, and managing to stay there because they have such a small footprint. They work inside, often undetected for months, because they entered through so-called trusted routes.

Smith, a CompTIA Certified Advanced Security Practitioner who worked for the U.S. Department of Defense, offers the following advice:

Be careful about BYOD. Allowing company information to be shared over numerous employees’ personal devices puts all data at risk because you cannot be sure the machines are safe. If you don’t have the ability to see into them to make sure they are running controls and have the latest virus definitions, all of your corporate secrets could be going out the window. Smartphone infections are common and becoming moreso. You should have a corporate policy in writing limiting access to financial information, client contracts and other sensitive (and valuable) data on personal devices.

Don’t think you are too small to be hacked. In fact, a clear trend now is for smaller companies with lax IT security standards and numerous unmanaged permissions to become easy platforms for hackers to hide and wait to enter larger firms with whom the small ones do business.

Renew your dedication to the principle of least privilege. Immediately conduct an audit of permissions of access, and cut back. Over time, through the phenomenon of permission creep, too many people have access to information who should not. The big problem is awareness. On several projects, when we point out the dangers of too many permissions, we’re told, ‘well, nobody could do anything with that data,’ and then we’ll show them what could be done with that data using the privileges that they thought were safe.

Beware vendor access. Smith warns that a vital component of the rule of least privilege is to thoroughly and regularly analyze what access you have allowed for your vendors. As increased use of extranets grows, know your vulnerability, and avoid opening the door to a vendor’s access to vital company information without a thorough compliance audit. Obviously, your HVAC vendor should not have access directly to the same set of computers where you store your payroll data. Such routes through vendor sharepoints and extranets are favored by hackers.

Consider your liability. If you are a third-party vendor managing information for one or more – or dozens – of clients, be aware of the civil liability of not having the proper controls and allowing unauthorized criminal access to your client’s propriety data. While carelessness in this area has not reached the level of criminal negligence at this point, there are indications that governments are moving in that direction. If you unknowingly allow one of your machines to essentially become a bot working for paid hacker, you can be held liable for real and actual civil damages. At the least, you will lose perhaps hundreds or thousands of man hours and participating and supporting the criminal investigation into how it happened.

Don’t just check the boxes. If you manage data for a client, invest the time and money to achieve compliance in one or more of the nine most important information security levels you may need, depending on the type of client information housed. Those levels are compliance with the Health Information Portability and Accountability Act (HIPAA); SOC 1 and SOC 2, which are the AICPA Service Organization Control Reports; Penetration Tested Service Organization (PEN); Payment Card Industry Data Security Standard (PCI); ISO 27001; Standard Information Gathering (SIG); Federal Information Security Management Act (FISMA) and the Experian Independent Third Party Assessment (EI3PA). However, after you earn compliance, the real work begins.

You can’t just check the boxes and relax. Develop a culture dedicated to information security. Self-test is a continual thing. Any time there is any structural change to the network, a new server, a new gateway, a new firewall, especially if you bring in a new vendor, or host new client server, consider how these changes can impact overall security. Avoid complacency at every level.

Ask for credentials from security assurance contractors. Information security is big business and getting bigger every day. More and more so-called experts are entering the field, and many are providing inadequate examinations/audits that only superficially analyze your vulnerabilities and then certify compliance. Make sure your compliance contractor is a multi-service, licensed Certified Public Accountant (CPA) and Qualified Security Assessor (QSA) firm that specializes in integrated compliance solutions for service providers related to internal controls, security, confidentiality, privacy, processing integrity, availability and other elements critical to information surety.