Penetration Test and Vulnerability Assessment

The Difference Between a Vulnerability Assessment and a Penetration Test

There are many views on what constitutes a Vulnerability Assessment versus a Penetration Test. The main distinction, however, seems to be that some believe a thorough Penetration Test involves identifying as many vulnerabilities as possible, while others feel that Penetration Tests are goal-oriented and are mostly unconcerned with what other vulnerabilities may exist.

I am in the latter group, and what follows is my argument for why you should be too.

Language Matters

Language is important, and we have two terms for a reason. We already have an (aptly named, I might add) security test for compiling a complete list of vulnerabilities, i.e. a Vulnerability Assessment. If there isn’t a clear, communicable distinction between this test type and a penetration test, then we shouldn’t be using separate terms. Such a distinction does exist, however, and it’s a crucial one.

Clarified Definitions

Vulnerability Assessments are designed to yield a prioritized list of vulnerabilities and are generally for clients who already understand they are not where they want to be in terms of security. The customer already knows they have issues and simply need help identifying and prioritizing them.

The more issues identified the better, so naturally a white box approach should be embraced when possible. The deliverable for the assessment is, most importantly, a prioritized list of discovered vulnerabilities (and often how to remediate).

Penetration Tests are designed to achieve a specific, attacker-simulated goal and should be requested by customers who are already at their desired security posture. A typical goal could be to access the contents of the prized customer database on the internal network, or to modify a record in an HR system.

The deliverable for a penetration test is a report of how security was breached in order to reach the agreed-upon goal (and often how to remediate).

A Physical Analog

A good analog for this is a Tiger Team working for the government, like Richard Marcinko used to run with Red Cell. Think about what his missions were: things like gain control of a nuclear submarine and bring it out into the bay.

So imagine that he’s getting debriefed after a successful mission where he broke in through the east fence, and someone were to ask him about the security of the western side of the building. The answer would be simple:

We didn’t even go to the west side. We saw an opening on the east-facing fence and we went after our target.

If the person doing the debrief were to respond with, “You didn’t check the other fences? What kind of security test is it where you didn’t even check all the fences?”, the answer would be equally direct:

Listen, man, I could have come in a million ways. I could have burrowed under the fences altogether, parachuted in, got in the back of a truck coming in–whatever. You told me to steal your sub, and that’s what I did. If you wanted a list of all the different ways your security sucks, you should have hired an auditor–not a SEAL team.

The Question of Exploitation

Another mistake people make when discussing vulnerability assessments vs. penetration tests is to pivot immediately to exploitation. The basic narrative is:

Finding vulnerabilities is a vulnerability assessment, and exploiting them is a penetration test.

This is incorrect.

Exploitation can be imagined as a sliding bar between none and full, which can be leveraged in both vulnerability assessments and penetration tests. Although most serious penetration tests lean heavily towards showing rather than telling (i.e. heavy on the exploitation side), it’s also the case that you can often show that a vulnerability is real without full exploitation.

A penetration testing team may be able to simply take pictures standing next to the open safe, or to show they have full access to a database, etc., without actually taking the complete set of actions that a criminal could. And vulnerability assessments can slide along this scale as well for any subset of the list of issues discovered.

This could be time consuming, but exploitation doesn’t, by definition, move you out of the realm of vulnerability assessment. The only key attributes of a VA vs. PT are list-orientation vs. goal-orientation, and the question of exploitation is simply not part of that calculation.

The Notion that Penetration Tests Include Vulnerability Assessments

It’s also inaccurate to say that penetration tests always include a vulnerability assessment. Recall that penetration tests are goal-based, meaning that if you achieve your goal then you are successful. So, you likely perform something like a vulnerability assessment to find a good vuln to attack during a pentest, but you could just as easily find a vuln within 20 minutes that gets you to your goal.

It is accurate to say, in other words, that penetration tests rely on finding one or more vulnerabilities to take advantage of, and that people often use some sort of process to systematically discover vulns for that purpose. But because they stop when they have what they need, and don’t give the customer a complete and prioritized list of vulnerabilities, they didn’t actually do a vulnerability assessment.

Summary

Vulnerability Assessment

  • Customer Maturity Level: Low to Medium. Usually requested by customers who already know they have issues, and need help getting started.
  • Goal: Attain a prioritized list of vulnerabilities in the environment so that remediation can occur.
  • Focus: Breadth over depth.

Penetration Test

  • Customer Maturity Level: High. The client believes their defenses to be strong, and wants to test that assertion.
  • Goal: Determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal.
  • Focus: Depth over breadth.

Article Provided by: Daniel Miessler

If you would like to discuss how Liquid Video Technologies can help you secure your data, or would like to discuss your next Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance needs, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Computer Networks and Internet Connections for a Business

Can your business benefit from a computer network and Internet connection?

Nearly any business can reap benefits from the tools available on a computer—core office software like word processors and spreadsheet creators, such as Microsoft Word and Excel, have become essential. While a single, unconnected computer is powerful, that computer connected to a network becomes vastly more scalable in its power and usefulness to your business.

Does Your Business Need a Network?

If you want your business to be competitive in the market, whatever that market may be, then a business computer network is almost certainly going to be necessary. It’s not enough to simply have a computer in your business—a computer needs to be able to connect with other computers and systems.

If your business is made up of more than a single employee, then it can benefit from a computer network within your business. A local area network (or LAN) will allow you and your employees to communicate with one another, and share information and office equipment resources such as printers, scanners and fax machines.

Connecting your business network to the biggest network around—otherwise known as the Internet—greatly expands the value and effectiveness of your business. An internet connection expands communications with email, voice and video options; provides access to critical data and information, and grants access to customers on a global scale.

Business Office Networks

Regardless of the size of your business, you will want to connect your computers, printers and any other equipment with a local area network. Setting up an office network will allow you to share information across your business. In addition, you will also be able to share the equipment that you have. For example, one printer can serve several employees.

Your network is not limited to a single building your business occupies. If there are multiple buildings in an area, a campus network can be set up to connect employees and resources in each building. If your business spans more than one city, more than one state, or even if it is spread across the globe, your business network can be connected by a wide-area network or WAN.

Business Networks and Internet Connections

The Internet is “the world’s marketplace.” With an Internet connection, you can communicate with suppliers, customers, prospective customers, employees and anyone else who may be important to your business. You can also advertise and sell your products and services anywhere in the world.

Beyond giving your business access to the Internet and World Wide Web, an Internet connection can also be used to give employees access to the business network from remote locations, such as from home or through a mobile connection while traveling. A virtual private network, or VPN, allows an employee to securely access the business network from anywhere they are able to connect to the Internet.

Network and Internet Connection Security

When you connect your business to a network and with the Internet, security becomes a critical concern. All connected businesses take steps to protect their information through backup systems, network, and data security.

Despite the risks inherent to connecting your business through networks, the benefits greatly outweigh the risks.

Article Provided by: The Balance Small Business

 

How Security Professionals Can Help Create Positive School Memories

Every generation is marked by the safety measures it experienced during its formative years. For those whose school days spanned the 1960s – the height of the Cold War – it was the infamous “Duck and Cover” drills. For the next generation, “Stop, Drop and Roll” exercises became the safety mantra of the day. If we want today’s children to look back on their school days as more than just a time of “Run, Hide, Fight” training, lockdowns and lectures on the potential dangers of online behavior, school systems need to institute security measures that will create safer learning environments without making schools feel like prisons.

Meeting the Four Basic Tenets of Physical Security

There are no absolutes for achieving that delicate balance between strong physical security and carefree learning. But any measures a school considers should incorporate the four basic tenets of physical security: deterrence, detection, delay and response.

  • Deterrence: measures to prevent malicious activity from happening
  • Detection: measures to alert school authorities that malicious activities are happening
  • Delay: measures that slow down the perpetrators who are committing the activity
  • Response: measures that alert perpetrators that they have been detected and will face consequences

 

Keep in mind that these four tenets should apply not only to technology, but to people and processes as well.

Taking a Layered Approach to Security

In the absence of national standards for schools to reference, current approaches to physical security have tended to differ widely from one institution to the next. But one of the most effective approaches schools might consider is one that is built in layers – working from the inside outward.

This concept isn’t unique. Security practitioners have commonly used this defense-in-depth, layered approach when designing security systems for other organizations. In this model, resource deployment is driven by the criticality of the assets needing protection. In the case of schools, life safety would be the most important factor for determining where to invest in security resources.

First Priority (Layer One): The Classroom

Students spend the vast majority of their school day in classrooms, so schools should prioritize those areas first.

  • DOOR LOCKS:

The number one recommendation from the Sandy Hook Advisory Commission was to ensure that classroom doors could be locked from the inside by teachers or substitutes. Upgrading door hardware is often considered too expensive. As a consequence, some schools have been resorting to aftermarket, less expensive “barricade” devices that often introduce other life safety issues by compromising fire codes and ADA requirements.

When the budget is not as much of an issue, Electronic Access Control should be considered, as it enables centralized lockdown capabilities, reducing human error and dangerously slow reaction time. Regardless of the method, preventing intruders from entering the classroom addresses two important tenets of physical security: deterrence and delay.

  • BI-DIRECTIONAL INTERCOMS OR PHONES:

Another key technology requirement for classrooms is the ability to communicate with others in the school building or with outside entities. Today, classrooms should be equipped with bi-directional intercoms or phones that provide “push to talk” functionality. You don’t want teachers to have to memorize extensions to call the front office. Modern intercoms are connected to the school’s IP network and support the same protocols for communication as the phone system. These Power over Ethernet (PoE) devices can be used not only to connect with the front office but could even allow external entities with the right credentials, such as law enforcement, to connect to the classroom.

With regards to people and process, teachers and substitutes should be trained then tested on these systems regularly. One idea to ensure continued proficiency with the technology is to have teachers use the intercom in their daily routines such as reporting in at the beginning of each day.

Second Priority (Layer Two): Building Perimeter

Moving outward from the classroom our next priority is the building perimeter or “envelope.” We want to control who can enter the facility and limit their movement based on who they are. This can be accomplished through a combination of technology, people and processes.

  • ONE MAIN ENTRANCE:

A best practice is to have all students and visitors enter through one set of doors which is clearly marked as the main entrance. These doors would be unlocked during a specified time in the morning and afternoon for easy entry and egress but would be physically monitored by staff such as a school resource officer who would greet people as they enter. The doors would be locked for the rest of the school day.

  • VIDEO INTERCOM AND VISITOR MANAGEMENT SYSTEM:

These doors would have a networked intercom system that includes video so that visitors can be screened before the doors are unlocked. In some cases, schools could require visitors to hold up a driver’s license or other photo ID before unlocking the doors. Once inside, the visitor should be required to show a picture ID that would be entered into an electronic visitor management system that produces a credential that indicates this person is a visitor. By requiring visitors to sign in, schools create a deterrent as well as control who can enter the facility.

Third Priority (Layer Three):  Outdoor Space

Not all schools are contained within four walls. Many K-12 institutions in America are made up of multiple buildings, and almost all of them have outdoor spaces that students utilize throughout the day. Often these outdoor areas are considered public property and are used by private citizens when school is not in session. Schools commonly define their grounds by installing fencing around school property. But fencing does not always provide the deterrence value school security professionals hope for, especially if the public is permitted to use the space after hours. This dilemma has led schools to look for detection methods that can provide early warning of an intruder entering school grounds during school hours and prevent after-hours issues such as vandalism or theft.

  • VIDEO SURVEILLANCE WITH ANALYTICS:

Many schools leverage video surveillance with motion detection analytics to proactively notify security when anyone enters restricted areas around school property.  For instance, kids playing on the school’s basketball court over the weekend won’t trigger an alert. But if they approach the school building itself, an alert will be sent to authorities (whether school security staff or local law enforcement).

School Security Shouldn’t Feel Like Prison

Schools are faced with security challenges on multiple fronts. Some of those challenges can be addressed through technology. But people and processes following the basic tenets of physical security are also important to ensure that safe schools don’t feel like prisons.

Article Provided By: Security Magazine

6 Biggest Business Security Breaches and How You Can Fight Back

IT and security experts discuss the leading causes of security breaches and what your organization can do to reduce them.

For the past few years, security breaches have made big news. Yet despite the years of headline stories about security leaks and distributed denial-of-service (DDoS) attacks and repeated admonishments from security professionals that businesses (and individuals) needed to do a better job protecting sensitive data, many businesses are still unprepared or not properly protected from a variety of security threats.

Trustwave’s recent 2016 Trustwave Global Security Report collected and organized statistics and analysis from around the world about breach investigations, incident reports and vulnerability research. It provides information about data compromise incidents, vulnerabilities and exploits, attacks on web platforms, threats delivered through the web and email, and a range of other important and timely security topics.

So, what can companies do to better protect themselves and their customers’ sensitive data from security threats? We queried dozens of security and IT experts to find out. Following are the six most likely sources, or causes, of security breaches and what businesses can, and should, do to protect against them.

Risk No. 1: Disgruntled Employees

“Internal attacks are one of the biggest threats facing your data and systems,” states Cortney Thompson, CTO of Green House Data. “Rogue employees, especially members of the IT team with knowledge of and access to networks, data centers, and admin accounts, can cause serious damage,” he says. Indeed, “there [were] rumors that the Sony hack was not [carried out by] North Korea but [was actually] an inside job.”

Solution: “The first step in mitigating the risk of privileged account exploitation is to identify all privileged accounts and credentials [and] immediately terminate those that are no longer in use or are connected to employees that are no longer at the company,” says Adam Bosnian, executive vice president, CyberArk.

“Next, closely monitor, control and manage privileged credentials to prevent exploitation. Finally, companies should implement necessary protocols and infrastructure to track, log and record privileged account activity [and create alerts, to] allow for a quick response to malicious activity and mitigate potential damage early in the attack cycle.”

Risk No. 2: Careless or Uninformed Employees

“A careless worker who forgets [his] unlocked iPhone in a taxi is as dangerous as a disgruntled user who maliciously leaks information to a competitor,” says Ray Potter, CEO, SafeLogic. Similarly, employees who have not been trained in security best practices and have weak passwords, visit unauthorized websites and/or click on links in suspicious emails or open email attachments pose an enormous security threat to their employers’ systems and data.

Solution: “Train employees on cybersecurity best practices and offer ongoing support,” says Bill Carey, vice president of Marketing for RoboForm. “Some employees may not know how to protect themselves online, which can put your business data at risk,” he explains. So it’s essential to “hold training sessions to help employees learn how to manage passwords and avoid hacking through criminal activity like phishing and keylogger scams. Then provide ongoing support to make sure employees have the resources they need.”

Also, “make sure employees use strong passwords on all devices,” he adds. “Passwords are the first line of defense, so make sure employees use passwords that have upper and lowercase letters, numbers and symbols,” Carey explains.

“It’s also important to use a separate password for each registered site and to change it every 30 to 60 days,” he continues. “A password management system can help by automating this process and eliminating the need for staff to remember multiple passwords.”

Encryption is also essential.

“As long as you have deployed validated encryption as part of your security strategy, there is hope,” says Potter. “Even if the employee hasn’t taken personal precautions to lock their phone, your IT department can execute a selective wipe by revoking the decryption keys specifically used for the company data.”

To be extra safe, “implement multifactor authentication such as One Time Password (OTP), RFID, smart card, fingerprint reader or retina scanning [to help ensure] that users are in fact who you believe they are,” adds Rod Simmons, product group manager, BeyondTrust. “This helps mitigate the risk of a breach should a password be compromised.”

Risk No. 3: Mobile Devices (BYOD)

“Data theft is at high vulnerability when employees are using mobile devices [particularly their own] to share data, access company information, or neglect to change mobile passwords,” explains Jason Cook, CTO & vice president of Security, BT Americas. “According to a BT study, mobile security breaches have affected more than two-thirds (68 percent) of global organizations in the last 12 months.”

Indeed, “as more enterprises embrace BYOD, they face risk exposure from those devices on the corporate network (behind the firewall, including via the VPN) in the event an app installs malware or other Trojan software that can access the device’s network connection,” says Ari Weil, vice president, Product Marketing, Yottaa.

Solution: Make sure you have a carefully spelled out BYOD policy. “With a BYOD policy in place, employees are better educated on device expectations and companies can better monitor email and documents that are being downloaded to the company or employee-owned devices,” says Piero DePaoli, senior director, Global Product Marketing, Symantec. “Monitoring effectively will provide companies with visibility into their mobile data loss risk, and will enable them to quickly pinpoint exposures if mobile devices are lost or stolen.”

Similarly, companies should “implement mobile security solutions that protect both corporate data and access to corporate systems while also respecting user’s privacy through containerization,” advises Nicko van Someren, CTO, Good Technology. “By securely separating business applications and business data on users’ devices, containerization ensures corporate content, credentials, and configurations stay encrypted and under IT’s control, adding a strong layer of defense to once vulnerable points of entry.”

You can also “mitigate BYOD risks with a hybrid cloud,” adds Matthew Dornquast, CEO, and co-founder, Code42. “As unsanctioned consumer apps and devices continue to creep into the workplace, IT should look to hybrid and private clouds for mitigating potential risks brought on by this workplace trend,” he says. “Both options generally offer the capacity and elasticity of the public cloud to manage the plethora of devices and data, but with added security and privacy—such as the ability to keep encryption keys on-site no matter where the data is stored—for managing apps and devices across the enterprise.”

Risk No. 4: Cloud Applications

Solution: “The best defense [against a cloud-based threat] is to defend at the data level using strong encryption, such as AES 256-bit, recognized by experts as the crypto gold standard and retain the keys exclusively to prevent any third party from accessing the data even if it resides on a public cloud,” says Pravin Kothari, founder and CEO of CipherCloud. “As many recent breaches indicate, not enough companies are using data level cloud encryption to protect sensitive information.”

Risk No. 5: Unpatched or Unpatchable Devices

“These are network devices, such as routers, [servers] and printers that employ software or firmware in their operation, yet either a patch for a vulnerability in them was not yet created or sent, or their hardware was not designed to enable them to be updated following the discovery of vulnerabilities,” says Shlomi Boutnaru, cofounder & CTO, CyActive. “This leaves an exploitable device in your network, waiting for attackers to use it to gain access to your data.”

A leading breach candidate: the unsupported Windows Server 2003.

“As of July 14, 2015, Microsoft no longer provides support for Windows Server 2003 – meaning organizations will no longer receive patches or security updates for this software,” notes Laura Iwan, senior vice president of Programs, Center for Internet Security.

Still, almost two years after Microsoft stopped supporting Windows 2003 servers, they are still in use and many more in virtual use. “Expect these outdated servers to become a prime target for anyone interested in penetrating the networks where these vulnerable servers reside,” says Forrester.

Solution: Institute a patch management program to ensure that devices, and software, are kept up to date at all times.

“Step one is to deploy vulnerability management technology to look on your network and see what is, and isn’t, up to date,” says Greg Kushto, director of the Security Practice at Force 3. “The real key, however, is to have a policy in place where everyone agrees that if a certain piece of equipment is not updated or patched within a certain amount of time, it is taken offline.”

To avoid potential problems re Windows Server 2003, “identify all Windows Server 2003 instances; inventory all the software and functions of each server; prioritize each system based on risk and criticality; and map out a migration strategy and then execute it,” Iwan advises. And if you are unable to execute all steps in-house, hire someone certified to assist you.

Risk No. 6: Third-party Service Providers

“As technology becomes more specialized and complex, companies are relying more on outsourcers and vendors to support and maintain systems,” notes Matt Dircks, CEO, Bomgar. “For example, restaurant franchisees often outsource the maintenance and management of their point-of-sale (POS) systems to a third-party service provider.”

However, “these third-parties typically use remote access tools to connect to the company’s network, but don’t always follow security best practices,” he says. “For example, they’ll use the same default password to remotely connect to all of their clients. If a hacker guesses that password, he immediately has a foothold into all of those clients’ networks.”

Indeed, “many of the high profile and extremely expensive breaches of the past years (think Home Depot, Target, etc.) were due to contractor’s login credentials being stolen,” states Matt Zanderigo, Product Marketing Manager, ObserveIT. “According to some recent reports, the majority of data breaches – 76 percent – are attributed to the exploitation of remote vendor access channels,” he says. “Even contractors with no malicious intent could potentially damage your systems or leave you open to attack.”

“This threat is multiplied exponentially due to the lack of vetting done by companies before allowing third parties to access their network,” adds Adam Roth, cybersecurity specialist from Dynamic Solutions International. “A potential data breach typically does not directly attack the most valuable server, but is more a game of leapfrog, going from a low-level computer that is less secure, then pivoting to other devices and gaining privileges,” he explains.

“Companies do a fairly good job ensuring critical servers avoid malware from the Internet,” he continues. “But most companies are pretty horrible at keeping these systems segmented from other systems that are much easier to compromise.”

Solution: “Companies need to validate that any third party follows remote access security best practices, such as enforcing multifactor authentication, requiring unique credentials for each user, setting least-privilege permissions and capturing a comprehensive audit trail of all remote access activity,” says Dircks.

In particular, “disable third-party accounts as soon as they are no longer needed; monitor failed login attempts, and have a red flag alerting you to an attack sent right away,” says Roth.
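The checks Dircks and Roth list above can be run against an account inventory and a login log. The following is an added example, not part of the original article or any vendor's product; the account fields, usernames, thresholds and sample data are constructed assumptions.

```python
"""Added example: audit third-party remote-access accounts and failed logins.

Field names, accounts and log events below are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass
class VendorAccount:
    username: str
    vendor: str
    mfa_enabled: bool
    credential_id: str          # hypothetical vault reference, never the secret itself
    enabled: bool
    access_end: Optional[date]  # last day access is needed; None means open-ended


def audit_accounts(accounts, today):
    """Return (username, finding) pairs for enabled accounts that break a rule."""
    # Count how many enabled accounts point at the same credential.
    in_use = Counter(a.credential_id for a in accounts if a.enabled)
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled, nothing left to exploit
        if not a.mfa_enabled:
            findings.append((a.username, "no-mfa"))
        if in_use[a.credential_id] > 1:
            findings.append((a.username, "shared-credential"))
        if a.access_end is not None and a.access_end < today:
            findings.append((a.username, "access-expired"))
    return findings


def failed_login_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Map username -> time of the failure that first reached the threshold.

    events: iterable of (timestamp, username, success) tuples.
    """
    failures = defaultdict(list)
    alerts = {}
    for ts, user, success in sorted(events):
        if success:
            continue
        # Keep only failures still inside the sliding window, then add this one.
        recent = [t for t in failures[user] if ts - t <= window]
        recent.append(ts)
        failures[user] = recent
        if len(recent) >= threshold and user not in alerts:
            alerts[user] = ts
    return alerts


# Constructed sample inventory.
TODAY = date(2024, 3, 1)
ACCOUNTS = [
    VendorAccount("pos-vendor-alice", "ExamplePOS", True, "cred-001", True, None),
    VendorAccount("pos-vendor-bob", "ExamplePOS", False, "cred-002", True, None),
    VendorAccount("hvac-tech1", "ExampleHVAC", True, "cred-777", True, date(2024, 1, 31)),
    VendorAccount("hvac-tech2", "ExampleHVAC", True, "cred-777", True, None),
    VendorAccount("old-contractor", "ExampleIT", False, "cred-003", False, date(2023, 6, 30)),
]

# Constructed sample login log: five quick failures for one vendor account,
# two widely spaced failures and a success for another.
BASE = datetime(2024, 3, 1, 2, 0, 0)
LOGIN_EVENTS = [(BASE + timedelta(minutes=m), "hvac-tech1", False) for m in range(5)]
LOGIN_EVENTS += [
    (BASE, "pos-vendor-alice", False),
    (BASE + timedelta(minutes=30), "pos-vendor-alice", False),
    (BASE + timedelta(minutes=31), "pos-vendor-alice", True),
]

if __name__ == "__main__":
    for username, finding in audit_accounts(ACCOUNTS, TODAY):
        print(f"{username}: {finding}")
    for username, when in failed_login_alerts(LOGIN_EVENTS).items():
        print(f"ALERT {username}: repeated failed logins as of {when.isoformat()}")
```
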

General Guidance on Dealing With Breaches

“Most organizations now realize that a breach is not a matter of if but when,” says Rob Sadowski, director of Technology Solutions for RSA. To minimize the impact of a security breach and leak, conduct a risk assessment to identify where your valuable data resides and what controls or procedures are in place to protect it.

Then, “build out a comprehensive incident response [and disaster recovery/business continuity] plan, determining who will be involved, from IT to legal, to PR, to executive management, and test it.”

Article Provided By: CIO

NAC – Network Access Control

What is Network Access Control and is it right for your business?

Network access control (NAC), also called network admission control, is a method of bolstering the security of a proprietary network by restricting the availability of network resources to endpoint devices that comply with a defined security policy.

A traditional network access server (NAS) is a server that performs authentication and authorization functions for potential users by verifying login information. In addition to these functions, NAC restricts the data that each particular user can access, as well as implementing anti-threat applications such as firewalls, antivirus software, and spyware-detection programs. Network access control also regulates and restricts the things individual subscribers can do once they are connected. Several major networking and IT vendors have introduced network access control products.

NAC is ideal for corporations and agencies where the user environment can be rigidly controlled. However, some administrators have expressed doubt about the practicality of NAC deployment in networks with large numbers of diverse users and devices, the nature of which constantly changes. An example is a network for a large university with multiple departments, numerous access points and thousands of users with various backgrounds and objectives.

Getting started with Network Access Control

To explore how NAC is used in the enterprise, here are additional resources:
Network access control — More than endpoint security: Learn how to gauge if your enterprise is ready for network access control (NAC).
NAC — Strengthening your SSL VPN: This tip explores why and how network access control functions are used to strengthen SSL VPNs, and their relationship to industry NAC initiatives.
Compliance in a virtualized world: Server virtualization and NAC security: Server virtualization presents challenges for network security, particularly NAC and compliance issues. Learn what these challenges are and how to overcome them.

Article Provided By: TechTarget

Failing to Prepare is Preparing to Fail with Network Security

Network Security

Network security is now a more pressing concern for businesses than ever before. Indeed, the concern around security/compliance has been found to be businesses’ #1 barrier to deciding to adopt the cloud, and last year, a report from Cisco estimated that one million cybersecurity jobs would appear in 2016, highlighting a level of investment and dedication not yet witnessed.

What, though, can companies do to help ensure that they are protected against enormously damaging breaches? We take a look at how organizations can help ensure their networks, sensitive data and other critical infrastructure are safeguarded from the huge number of threats now in play.

Be sure to automate

How can IT security departments manually detect threats when users, devices and applications generate such an enormous number of network connections, data transactions and application requests? Indeed, it’s like finding a particular needle in a large stack of needles.

Here’s where security information and event management (SIEM) software comes in, allowing businesses to centralise syslogs and events from network devices, servers, applications, databases and users, while also helping to automate threat detection and offering corrective responses to mitigate risk.

Automation is just one of the vital tools in the fight against security threats, with firewalls, anti-malware, and threat intelligence all having a part to play.

Get your framework in place

A comprehensive security framework is an absolute must for helping to ensure the safety of your organization’s IT. With an audit of the available inventory, from the types of transactions to BYOD policies and account roles, your company can get the framework off on the right foot.

An IT security framework is only achievable with a significant degree of cooperation, with management, IT and many other business departments all playing a part. Indeed, it only ends with the technology used, and is comprised of the organization working together to evolve and help ensure better security standards.

Keep an eye on endpoint devices

A flexible workforce is becoming a more pressing need for the modern enterprise, with employers and employees keen to make use of the freedom this approach can offer. Yet such an approach represents a threat. Say an employee with malicious intent and access to confidential data on their laptop decided to share this, how could you stop it? 

By monitoring all endpoint devices, from laptops, to mobile devices to a USB drive, you can help ensure sensitive data is not leaving your environment. For example, if a USB device is ejected/blocked automatically as soon as any nefarious activities take place, and corrective action, such as account blocking, is implemented then you can minimize the impact of an attack.

Keep insider threats at bay

The example used in the previous entry on this list – of a malicious employee – highlights that the most damaging security compromise can sometimes happen from the inside. By monitoring which users attempt to access sensitive data, as well as network traffic, logs and credentials you can identify and combat any insider threats, with monitoring able to flag any user attempting to access something they shouldn’t. 

Analytics are a must

The importance of gaining insights from your data using analytics cannot be overstated. With access to real-time network data, a business can identify and act upon suspicious network activity, seeing whether there are seemingly threatening connection requests from outside sources, or an increase in web traffic activity on a critical router or firewall.

Data-driven analysis can also help investigate the cause of an attack after the fact. If you’re unlucky enough to have been breached, then analytics are vital in discovering how it happened through root-cause analysis, and will help you figure out how to prevent it in the future. 

Be PCI DSS compliant

By being compliant with regulatory standards, your business not only helps to ensure better data protection, but also helps avoid fines or even criminal charges. This is a particular concern in the payment card industry, for example, where data breaches can mean compromising data from millions of credit cards. 

Complying with standards such as PCI DSS can help ensure all of the above. However, being compliant does not mean you can rest on your laurels, so make sure to leverage this obligation to actually increase security, instead of just trying to tick the box for a regulator. There are many ways you can do this. For example, if you are required to produce a report of all admin activity, have your internal security team review it as well. Make sure you get the most out of being compliant.

While there are a number of other steps businesses can take to help ensure IT security is in the right place, from enabling threat intelligence to practicing knowledge sharing, the above tips should stand your organization in good stead for the threats that lie ahead.

With the right preparation, people, strategy and tools, your company can be confident that it is ready to overcome the new challenges it is likely to face.

Article Provided By: Info-Security Magazine

How to Quantify the Risk of an Insider Threat

Insider Risk

Never before have there been so many platforms that let a growing number of people touch, manipulate, download, and share sensitive data.

But there’s a dark side to all that access: It exposes a company to malicious intent and theft of information worth thousands, sometimes millions, of dollars. More alarming is the fact that less than half (42 percent) of all organizations have the appropriate controls in place to prevent these attacks, according to the Insider Threat Spotlight Report.

How do you get a handle on this threat? Mitigation begins with assigning risk levels to employee roles. Who has access to sensitive information, intellectual property, trade secrets, customer lists, and any other proprietary data? That’s the foundation of your risk model. Many companies use a simple numerical scale of 1-10, with 10 as the highest risk. Others may prefer simpler categories like Low, Medium, and High or yellow, orange, and red alerts.

It turns out that nearly 80 percent of employee fraud takes place in accounting, operations, sales, senior management, customer service, and purchasing. But it’s critical to establish a risk profile for everyone in the company, no matter which department. Take into account employees’ current roles, levels of privilege, and required access to proprietary information. Senior IT people and C-Suite executives obviously have more privilege and access than mid-level managers and clerical workers. And, of course, the higher the risk in a potential disaster, the greater the need to monitor an employee’s activities.

Prepare to update the risk profile of an individual. Organizations are dynamic, and employees regularly make lateral moves or get promoted. Someone who doesn’t touch sensitive information in one role may very well have access and new privileges in a different assignment.

Employees’ personal lives change constantly, too. A traumatic event, like a death in the family or divorce, psychological problems, or a shift in financial circumstances for the worse—any of these can cause behavioral changes in people. And they all may require re-evaluation of an individual’s level of risk.

Once you’re committed to the process, we recommend taking the following steps:

  1. Create an insider-risk team. While IT and its security team may oversee the monitoring of user activity, the process really requires support from the most senior ranks, as well as other departments. Your legal department can help decide how to monitor while complying with the law and act as a critical liaison between executives and the security group. Human resources can help support the need and processes for monitoring, as well as document employee cases—and put a “human” face on the operation.
  2. Designate risk levels. This, of course, is what I’ve been discussing in this post all along: using job titles to assign a scale of risk, depending on levels of privilege and access.
  3. Pinpoint inappropriate conduct. Just because you’ve assigned someone a high-risk level doesn’t necessarily mean that he’s committing an offense. Conversely, an employee’s inappropriate behavior can sometimes be misread as performance of normal job-related tasks. That’s why it’s critical to develop ways to identify truly improper conduct through changes in an individual’s communication and behavior. You can do that through software that is known as user-behavior analytics and, less technically, by means of procedures your employees can follow to report troublesome behavior.
  4. Set up a system of insider monitoring. When you’re establishing a system to keep an eye on employee activity and behavior, it helps to decide what level of monitoring goes along with the different risks they may pose to your organization. For example, someone in a low-risk category probably can’t interact with sensitive information and therefore needs little more than the less-technical sort of monitoring suggested above. Medium-risk employees do have access to proprietary data and so may additionally require monitoring with user-behavior analytics. So, too, with those high-risk individuals who should probably be subject to the most active monitoring and review.

Quantifying risk is just the start of mitigating insider threats. But if you develop the initial baseline—starting with job title and access to privileged information—you can get a better handle on which employees you will have to monitor during such critical periods as hiring, job title and personal changes, and the high-risk exit period.

Article Provided By: Info-Security Magazine

4 information security threats that will dominate 2017

Cybercriminals are becoming more sophisticated and collaborative with every coming year. To combat the threat in 2017, information security professionals must understand these four global security threats.

As with previous years, 2016 saw no shortage of data breaches. Looking ahead to 2017, the Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management, forecasts businesses will face four key global security threats in 2017.

“2016 certainly lived up to expectations,” says Steve Durbin, managing director of the ISF. “We saw all sorts of breaches that just seemed to get bigger and bigger. We lurched from one to another. We always anticipate some level of it, but we never anticipate the full extent. I don’t think anybody would have anticipated some of the stuff we’ve seen of late in terms of the Russians getting involved in the recent elections.”

The ISF says the top four global security threats businesses will face in 2017 are the following:

  1. Supercharged connectivity and the IoT will bring unmanaged risks.
  2. Crime syndicates will take quantum leap with crime-as-a-service.
  3. New regulations will bring compliance risks.
  4. Brand reputation and trust will be a target.

“The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of trusted organizations,” Durbin says. “In 2017, we will see increased sophistication in the threat landscape with threats being tailored to their target’s weak spots or threats mutating to take account of defenses that have been put in place. Cyberspace is the land of opportunity for hacktivists, terrorists and criminals motivated to wreak havoc, commit fraud, steal information or take down corporations and governments. The solution is to prepare for the unknown with an informed threat outlook. Better preparation will provide organizations of all sizes with the flexibility to withstand unexpected, high-impact security events.”

The top four threats identified by the ISF are not mutually exclusive. They can combine to create even greater threat profiles.

Supercharged connectivity and the IoT bring unmanaged risks

Gigabit connectivity is on the way, and it will enable the internet of things (IoT) and a new class of applications that will exploit the combination of big data, GPS location, weather, personal health monitoring devices, industrial production and much more. Durbin says that because connectivity is now so affordable and prevalent, we are embedding sensors everywhere, creating an ecosystem of embedded devices that are nearly impossible to secure.

Durbin says this will raise issues beyond privacy and data access: It will expand the threat landscape exponentially.

“The thing for me with 2017 is I describe it as an ‘eyes-open stance’ we need to take,” Durbin says. “We’re talking about devices that never ever had security designed into them, devices that are out there gathering information. It’s relatively simple to hack into some of these things. We’ve seen some moves, particularly in the U.S., to encourage IoT manufacturers to engineer some level of security into their devices. But cost is an issue, and they’re designed to link.”

Durbin believes many organizations are unaware of the scale and penetration of internet-enabled devices and are deploying IoT solutions without due regard to risk management and security. That’s not to say organizations should pull away from IoT solutions, but they do need to think about where connected devices are used, what data they have access to and then build security with that understanding in mind.

“Critical infrastructure is one of the key worry areas,” Durbin says. “We look at smart cities, industrial control systems — they’re all using embedded IoT devices. We have to make sure we are aware of the implications of that.”

“You’re never going to protect the whole environment, but we’re not going to get rid of embedded devices,” he adds. “They’re already out there. Let’s put in some security that allows us to respond and contain as much as possible. We need to be eyes open, realistic about the way we can manage the application of IoT devices.”

Crime syndicates take quantum leap with crime-as-a-service

For years now, Durbin says, criminal syndicates have been operating like startups. But like other successful startups, they’ve been maturing and have become increasingly sophisticated. In 2017, criminal syndicates will further develop complex hierarchies, partnerships and collaborations that mimic large private sector organizations. This, he says, will facilitate their diversification into new markets and the commoditization of their activities at the global levels.

“I originally described them as entrepreneurial businesses, startups,” Durbin says. “What we’re seeing is a whole maturing of that space. They’ve moved from the garage to office blocks with corporate infrastructure. They’ve become incredibly good at doing things that we’re bad at: collaborating, sharing, working with partners to plug gaps in their service.”

And for many, it is a service offering. While some organizations have their roots in existing criminal structures, other organizations focus purely on cybercrime, specializing in particular areas ranging from writing malware to hosting services, testing, money mule services and more.

“They’re interested in anything that can be monetized,” Durbin says. “It doesn’t matter whether it’s intellectual property or personal details. If there is a market, they will go out and collect that information.”

He adds that rogue states take advantage of some of these services and notes the ISF expects the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously.

New regulations bring compliance risks

The ISF believes the number of data breaches will grow in 2017, and so will the volume of compromised records. The data breaches will become far more expensive for organizations of all sizes, Durbin says. The costs will come from traditional areas such as network clean-up and customer notification, but also from newer areas like litigation involving a growing number of partners.

In addition, public opinion will pressure governments around the world to introduce tighter data protection legislation, which in turn will introduce new and unforeseen costs. Reform is already on the horizon in Europe in the form of the EU General Data Protection Regulation (GDPR) and the already-in-effect Network Information Security Directive. Organizations conducting business in Europe will have to get an immediate handle on what data they are collecting on European individuals, where it’s coming from, what it’s being used for, where and how it’s being stored, who is responsible for it and who has access to it. Organizations that fail to do so and are unable to demonstrate security by design will be subject to potentially massive fines.

“The challenge in 2017 for organizations is going to be two-fold,” Durbin says. “First is to keep abreast of the changes in regulations across the many, many jurisdictions you operate in. The second piece is then how do you, if you do have clarity like the GDP, how do you ensure compliance with that?”

“The scope of it is just so vast,” he adds. “You need to completely rethink the way you collect and secure information. If you’re an organization that’s been doing business for quite some time and is holding personally identifiable information, you need to demonstrate you know where it is at every stage in the lifecycle and that you’re protecting it. You need to be taking reasonable steps even with your third party partners. No information commission I’ve spoken to expects that, come May 2018, every organization is going to be compliant. But you need to be able to demonstrate that you’re taking it seriously. That and the nature of the information that goes missing is going to determine the level of fine they levy against you. And these are big, big fines. The scale of fine available is in a completely different realm than anyone is used to.”

Brand reputation and trust are a target

In 2017, criminals won’t just be targeting personal information and identity theft. Sensitive corporate information and critical infrastructure have a bull’s eye painted on them. Your employees, and their ability to recognize security threats and react properly, will determine how this trend affects your organization.

“With attackers more organized, attacks more sophisticated and threats more dangerous, there are greater risks to an organization’s reputation than ever before,” Durbin says. “In addition, brand reputation and the trust dynamic that exists amongst customers, partners and suppliers have become targets for cybercriminals and hacktivists. The stakes are higher than ever, and we’re no longer talking about merely personal information and identity theft. High-level corporate secrets and critical infrastructure are regularly under attack, and businesses need to be aware of the more important trends that have emerged in the past year, as well as those we forecast in the year to come.”

While most information security professionals will point to people as the weakest link in an organization’s security, that doesn’t have to be the case. People can be an organization’s strongest security control, Durbin says, but that requires altering how you think about security awareness and training.

Rather than just making people aware of their information security responsibilities and how they should respond, Durbin says the answer is to embed positive information security behaviors that will cause employees to develop “stop and think” behavior and habits.

“2017 is really about organizations having to wake up to the fact that people do not have to be the weakest link in the security chain,” Durbin says. “They can be the strongest link if we do better about understanding how people use technology, the psychology of human behavior.”

Successfully doing so requires understanding the various risks faced by employees in different roles and tailoring their work processes to embed security processes appropriate to their roles.

Article Provided By: CIO

Canary Flex is a small, weatherproof security camera

Canary Flex

Security cameras are slowly making their way out of your house and onto your porches and yards. Canary Flex is following in the footsteps of rival Nest by launching a new, smaller weatherproof camera called the Flex that can be plugged into an outlet or powered by batteries. It’s available for pre-order today for $199 and will be in stores by the holidays. Canary is also introducing a new pricing model that is pretty different from what’s on the market, but we’ll get to that in a bit.

Rated IP65, the Canary Flex can withstand splashes of water, and thanks to the included weatherproof cord, it can remain plugged in even when it’s wet. If you’d like to go wireless, you can use the bundled rechargeable battery, which should last two to three months of average use, the company said. When it’s running on batteries, the Flex runs on a low power WiFi state to stay connected to the servers without sucking up the juice and also uses a passive infrared (PIR) sensor to detect incidents before triggering the rest of the system. Otherwise, the Flex uses the camera (or “computer vision,” as Canary called it) to monitor activity when plugged in. When triggered, the Canary Flex will record HD video to the cloud.

Unlike its predecessor, the Canary Flex is compact, and fits comfortably in your hand so you can easily move it around should you need to. It also has a magnetic base that lets it swivel 360 degrees in its companion mount. However, you’ll lack the siren that the original camera had, as well as what Canary called the home health sensors. The latter relay feedback on your house’s temperature, humidity, and air quality. Those who already own the older Canary camera can use the same app with the new device, and no hub is required.

To make it easier to place the Flex around your house, Canary is also launching a series of accessories, such as a secure mount, a stake mount to stick your camera in your flower pot, and a fun twist mount to wrap your Flex around almost anything.

For those who want complete peace of mind, Canary is also launching a 4G LTE mount with Verizon that will let your Flex switch to cellular data in the event that your WiFi network drops out. The 4G mount can be plugged in, but also has enough onboard battery to last as long as the Flex’s power pack will. This would be great for those who want to prepare for power outages. It’ll be available shortly after the Flex hits store shelves.

One of the coolest things about this launch is Canary Flex’s new pricing model that does away with the industry’s conventional tiers system altogether. Instead of making you pay more to store more of your footage like competitors do, Canary is letting you access the last 24 hours of your timeline for free. That’s twice the 12 hours it previously let nonpaying customers have.

The company is also removing its previous limits on features such as saving and downloading clips, as well as sending them to other contacts. Those who want more support can pay $9.99 a month for one device ($15 for two to three cameras), and that membership will come with up to $1,000 in homeowners deductible reimbursement (for qualifying incidents), as well as dedicated agents who will follow you through your incident report process. Members also get extended warranties and access to footage from the prior 30 days.

That’s quite a big bump from the free version and could give Canary Flex a serious edge over its competitors. Both Nest and Canary’s devices cost $199, but the latter says it is working on a more personable approach to security that could make its outgoing alerts more meaningful. Some of these upcoming improvements include refined object, people, and animal recognition, as well as better understanding of new versus repetitive motions. These changes will soon roll out to the Canary app as well. In the meantime, you may want to fine-tune your security camera settings so you’re not getting buzzed every time your neighbor’s dog jumps, or for random tree branches smacking against your window.

Article Provided By: engadget

Cost of data breaches increasing to average of $3.8 million

Data Breaches

The cost of data breaches is rising for companies around the world as sophisticated thieves target valuable financial and medical records, according to a study released on Wednesday.

The total average cost of a data breach is now $3.8 million, up from $3.5 million a year ago, according to a study by data security research organization Ponemon Institute, paid for by International Business Machines Corp.

The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims. Business lost because customers are wary after a breach can be even greater, the study said.

Data breaches are becoming more common and significant, with high-profile attacks on Sony Corp, JPMorgan Chase and retailers Target Corp and Home Depot Inc in the past year and a half.

“Most of what’s occurring is through organized crime,” said Caleb Barlow, vice president of IBM Security. “These are well-funded groups. They work Monday to Friday. They are probably better funded and better staffed than a lot of people who are trying to defend against them.”

IBM, which sells cyber-security services to companies, has a vested interest in highlighting the costs of data breaches.

The cost of a data breach is now $154 per record lost or stolen, up from $145 last year, according to the study, based on interviews with 350 companies from 11 major countries that had suffered a data breach.

The study’s authors said average costs did not apply to mega-breaches affecting millions of customers, such as those suffered by JPMorgan Chase, Target and Home Depot, which cost the companies far greater sums. Target alone said last year its breach cost $148 million.

The study found that healthcare was most at risk for costly breaches, with an average cost per record lost or stolen as high as $363, more than twice the average for all sectors of $154.

That reflects the relatively high value of a person’s medical records on the underground market, said IBM, as Social Security information is much more useful for identity theft than simple names, addresses or credit card numbers.

Article Provided By: Reuters
