Why Is It So Hard to Secure a Company?

July 16, 2013 2:00 pm

Adam Goslin, COO of High Bit Security, provides an informative webinar on the latest information on cyber-theft and the very real security challenges all businesses face.

Title: Why Is It So Hard to Secure a Company?
When: Tuesday, July 16 @ 2PM ET
Description: This easy-to-understand session is intended for both business and technical participants to improve their understanding of the reasons it is so difficult to secure a company, the biggest (incorrect) assumption that leads to an insecure stance, and ways to get proactive about risk mitigation.

Cyber-crime and data breaches - every day the news is filled with reports of hackers stealing sensitive information from companies. Major companies make big news, but today the majority of the client data and intellectual property theft is targeted at small and medium size organizations as they are typically an easier target.

High Bit Security COO, Adam Goslin, shares the latest information on cyber-theft, and the very real security challenges all businesses face. He reviews security testing solutions your organization can implement immediately to mitigate your risk of being a victim. 

April: Hi, everyone and thanks for joining us for another Tuesday at 2:00 webinar. This is April Sage from Online Tech. I’m very pleased to welcome back Adam Goslin, Chief Operating Officer at High Bit Security. Adam has been a guiding light for us and many others guiding us through the dark mazes of compliance and security, helping us and other organizations to learn more about what we need to do to meet some of the compliance standards and more importantly how to truly be secure and put together a process to make sure that your company and clients are well protected in cyberspace. Adam, thanks for joining us again today. We are excited to hear some good insights from you on why it’s just so hard to secure a company.

Adam: Thank you very much, April. It’s a pleasure being back on the Tuesday webinars with Online Tech. I appreciate you guys having me.

Adam: Why is it so hard to secure a company? Quite frankly, it’s a question that we get on a regular basis. Really part of what High Bit Security strives to do is to improve education and awareness about security in the marketplace with other organizations.

We know, just like many others that run businesses or own businesses, how challenging it is to keep your finger on the pulse of what’s going on, what questions to ask, and what risks organizations are faced with. The disturbing part about our jobs is just trying to get the education and awareness to these organizations about their security and the risk that their organizations face. Without further ado, we’ll get right into it.

Let’s start off with what’s going on in the world of security today: all the current events and trends. As a general statement, there has been an increase in small-scale breaches. The large organizations that have been out there in the marketplace have been getting hammered by security threats for some time now. They have had no choice but to step up their game. The hackers aren’t going to waste their time, if you will, or they want to be as effective as possible. They go after smaller organizations, mid-size organizations that maybe haven’t faced the same security threat, because they are softer targets. We’re seeing an increase definitively in small and mid-size companies.

Lost and stolen devices are a big issue out in the marketplace in terms of your phones, laptops, your iPhone and your Android devices. At this point in the game they have more computing power and more data than computers did a decade ago. You lose one of those devices and that poses a fair threat to any organization.

Mobile threats. Certainly with the advent of the mobile platform and the speed at which that arena is growing, there are significant threats that are being directed towards the mobile platform itself. Our critical infrastructure, water, power and utilities are under constant inspection and are attacked by a number of different folks out in the wide world, shall we say.

Adam: Intellectual property theft is a big topic that’s really been on the rise, and specifically state-sponsored intellectual property theft. The big find there is China. I actually did a presentation alongside Congressman Mike Rogers and a couple of folks from the FBI. They were indicating that they have been seeing for about the last decade a continuous and steady increase in attempts by specifically the Chinese attempting to gain intellectual property. If you think about it, the amount of money it takes to generate that intellectual property, in many cases, is millions and billions of dollars. If you are able to just steal that information, now you don’t have to make that same investment that the original company did. It’s ground for tremendous economic gain.

Massive increases in stolen (PHI) protected health information in the medical sector, (PII) personally identifiable information - there are a lot of things being used for identity theft, as well as PCI information or credit card details. That’s been getting a fair amount of exposure from the Eastern European bloc.

Data breach notification and fines are on the rise. Many organizations are being faced with breach notification troubles as well as fines being on the rise across a number of business sectors. One of the common factors there is the excuse of, “I just didn’t know that I should ‘fill in the blank’.” At this point in the game, not following along with the organizations can levy fines. Certainly one of the misnomers in the security arena is the notion of data encryption.

Adam: Is data encryption good? Yes. But it doesn’t mean that because I encrypt my data, all of a sudden I’m 100% secure. It just means that when data is sitting there at rest, it cannot be violated. But in some way, shape or form, the data has to get there, the data has to leave there, and has your organization truly encrypted everything that’s of a sensitive nature? Especially for those organizations just walking into the data encryption arena, it is a significant challenge. It’s easy to go and identify your one-stop shopping of your database server, as an example.

What about all of the Word docs, Excel docs, PowerPoint, text files that are spread across workstations and servers within the environment? It’s a challenge to try to get to the point where we’ve got everything encrypted, and just because it’s encrypted doesn’t mean it’s safe.

There was a story about an accounting firm that got hacked into that came out in the LA Times. The hack on the accounting firm took three minutes and was performed from outside of their network. One of the partners was explaining that they thought that they were safe. This is really a common theme that we see in our business managers and owners of organizations, just not understanding that their business may be at risk.

Adam: This is a slide that we call, “They said it…” One is the chairman, Chris Collins, saying that, “Nearly eight in 10 small businesses believe that they’re safe from cyber-attacks.” “They’re too small” is the typical answer.

Bottom line is, back in the day, when you had an unlisted phone number, all of a sudden your phone would ring and you’d be shocked that some person was doing a sales call. It basically was some marketing firm doing random dialing of telephone numbers. The same theory applies in the computer space, where the hackers will randomly dial servers and just stumble across them. Just because you are small doesn’t necessarily mean that you are not going to be found.

At the presentation we did alongside Congressman Mike Rogers, he made a statement that, “If your IT guy tells you that your company is just fine, and you don’t need to worry about security, then fire them.” I don’t know if I’d go quite as far as saying fire them, but really what Congressman Rogers was alluding to is what we call, you know, the biggest threat to an organization: a bad assumption. That bad assumption, simply put, is that our developer, network admin, or outsourced IT support company should know how to do their job securely.

If you think about it in a different context, look at the medical arena. If you have a heart problem and you go to your general practitioner, you don’t get offended when they say, “Hey! I’m not a heart specialist. You really need to go to a heart specialist.” The same mantra applies in the IT arena, where developers, network administrators, IT support companies; they’re IT generalists. They may be very good, and in all likelihood are very good, at doing development or administering a network or making sure you stay up and running. They’re not security specialists. Security truly is a specialty. One of the biggest bad assumptions that’s made by business owners and business managers is that if they have some IT staff or somebody performing their IT function, they must be secure. Your folks must know how to do it securely. It couldn’t be further from the truth.

High Bit Security did a review of their 2012 security testing engagements. The one stark reality that came out of that is that all companies that never performed any third party security testing had serious security vulnerabilities in their network, their applications, their software, their hardware, and with vendor-supplied applications. You name it. This really cut across both staffed IT departments where they had the internal IT staff and those that had an outsourced IT model, whether the target systems were located at the organization’s corporate headquarters, were sitting in the cloud, or were located at a hosting facility. It really cut across all sectors of business types. It was surprising to see that summary come out of the 2012 review. We’ll do it again at the end of this year, but so far, I haven’t seen any indication that there is going to be anything different coming at the end of 2013.

Adam: Let’s talk a little bit about the threat landscape. For the sake of this overview, I’m going to use your home environment because it’s something that most people can relate to. It’s easy to talk about. If you look at your home environment, you’ve got your internet connection that comes into your house, you’ve got a firewall or a router that sets the blocks between the internet and your internal network. You may have a separate wireless device. You might have an integrated wireless device in that arena. And then, of course, on the inside of your network, you’ve got workstations, laptops, printers, scanners, and maybe you’ve got other devices too: a DVR, an iPad, an Xbox, and smartphones that are using wireless. That’s the overview of the threat landscape in a home environment.

Now, when we look at the externally facing side for a business, we add a couple of different elements to this mix. For the external side of a business, we’ll also add in hosted solutions. Maybe it’s a hosted solution provider, maybe it’s a vendor, maybe it’s a hosting company; whatever the case may be, that’s where the hosted solutions come into play.

Another thing that sits on the outside of your network but impacts your security could be connected partners. Maybe in your organization you are leveraging some type of payroll service where you are transmitting or moving information or data back and forth, and that’s being done by them having a connection to your internal environment. That’s an example of where an external entity that is bolted into your internal environment could cause risk to the organization itself.

You also have web servers, email servers, FTP servers, or file-transfer-style servers that may be externally accessible from your business environment. When we go and look at the internal environment for a typical business, you’ll also add on things like your internal servers, virtual servers, and infrastructure equipment.

We also added a couple of things to the other list just to get the juices flowing. Let’s say it’s a medical setting and you’ve got medical devices, or you are in a manufacturing facility and you have CNC machines or prototyping machines. Pretty much anything that draws an IP address on that internal network falls into that landscape from a security perspective on the internal environment. When we look at the slide and you look at the totality of all of the things that are accessible from a security perspective for a typical organization, there are just a lot of different devices.

When we go to what we’ll call the threat list: we already talked through, externally, you’ve got hackers going after intellectual property, PII, PHI, and PCI data. We’ve also got hackers that are after notoriety, or maybe it’s part of the Anonymous group going after hacktivism. These are all examples of external threats to the organization.

For the network you certainly have firewalls, externally facing servers and communication protocols that they may have available. For applications, you’ve got your websites and your hosted solutions. We’ve talked about connected vendors, it really starts to … as you look at your own organization or an organization you may be responsible for, you start extrapolating the various threat vectors to the organization. You’ve got to look at those connected vendors, certainly the wireless system is another external threat as well as bring your own device.

One of the interesting statistics about the bring your own device arena is that in 2013 quarter one, 99.9% of the mobile malware being written was being written specifically for the Android platform, because it’s a little bit looser platform, there are more places to go get mobile applications from, and more opportunities to get that software onto that mobile device.

When we look at the internal environment, bar none, the human factor is significant because machines can be programmed, they can be set up, they can be configured, but human beings are unpredictable. Really, the education of those internal human factors from a security perspective needs to be taken into account.

As you continue to look down the list of internal threats, you look at the configuration of the hardware, so the configuration of your server, and what’s called hardware firmware. There is software that runs on hardware. Your firewall actually has some software on it that helps it to run, so that’s another area that would need to be kept up, maintained and patched. If you look at software configurations, such as an internal web server as an example, if that web server is misconfigured then there could be security threats as a result of its configuration. Certainly, any software that exists within the environment, so think about your Microsoft Office patches that you get on Patch Tuesday.

That’s just one example; in a business setting there are probably hundreds of different software packages that need to be maintained from a software patching perspective. Default settings and passwords, on infrastructure equipment specifically, but really on any software or equipment that you have in your environment. If those have not been addressed and set with strong passwords, that poses another risk. Certainly viruses, malware, trojans, and then we already talked about the notion of the vendor connections to that internal environment.

As you look down this list of all the potential threats, externally and internally, literally all of these elements are things that could be playing out as a security threat on any of those devices that we talked about when we were mapping out the typical organization. There are a lot of areas for risk to the organization from a security perspective.

Adam: We then go and take a look at breach risks to an organization. What’s the risk of us actually getting hacked? And all that good stuff. As you start to do that assessment, you’ve got to look at record counts, certainly; that is one element that plays into it.

So, you look at your number of employees. Let’s say that you are a typical organization; you’ve got 25 or 50 employees. It’s not just the active employees that you have today, but it’s any employee you’ve ever had at your organization. Some are interns and the employees that have come and gone, so that number of employees starts to balloon as you look at that employee count. Also, when you are talking about sensitive record counts, think about the employees if you are doing benefits administration and you’ve got information on your employees’ husbands, wives, or children; dependents that may need insurance via the company. That continues to expand that employee count of records.

Certainly the number of customers that you’ve got, plays into it. Not only the number of customers but how many contacts you have in each customer. What type of information do you have on that customer? Certainly you could have banking information, could have credit card information or non-disclosed internal email addresses, so they are getting spammed. That starts to build the count for the customer sizing.

You’ve also got to take into account the different types of data that you may have in your environment. Maybe you’ve got credit card data; you can almost be assured that you have email addresses and physical street addresses, and you may have protected health information in your organization depending on what you do as well.

The question to ask yourself as you start to build up these record counts - and we use this number in a minute - is that it’s fairly likely that most organizations, in total of all this information, are going to have at least 2,000 records for a typical organization, and in many cases a lot more. Let’s keep that 2,000 record number in mind as we move forward.

We talked about intellectual capital. Certainly the cost for developing that intellectual capital, the number of years that the organization has invested in it, and the uniqueness of that intellectual capital. This could be a piece of software, but this could be a process or an idea; a product. One of the stories that the FBI was bringing up was the Chinese were trying to get into a manufacturing facility to get a sample of a rinse solution for some type of glass manufacturer. It was a coating for glass and they couldn’t figure out how they were doing it. So, the Chinese were trying to get a hold of this rinse solution in the manufacturing setting. These are all examples of intellectual capital, and certainly there’s a worth that’s involved there from the security perspective.

If you look at patents, the patents that you may have on file or that are in progress and the security of storage around those. There was a story of an organization that had spent some number of years developing a patent. They were just about to file it and found that they had gotten hacked by the Chinese. The Chinese filed for the patent. Because the organization’s entire business revolved around this work that they’d been working on for so long, they literally had to pay royalties to the Chinese just to use the patent that they developed themselves, that got hacked out from under them. Certainly you’ve got to look at, as an organization, whether the information and data that I have in my systems is worth protecting.

Adam: Let’s go over to breach cost measurement. There is an institute up in Traverse City, Michigan called the Ponemon Institute. There are a lot of organizations that put out various breach cost numbers. For us having looked at many of them, certainly the Ponemon Institute number is the one that is the easiest to use, the most relatable and seems to have a fairly accurate read on the cause of a breach.

They released their 2012 study and that covered 54 companies over 14 industry sectors. These were record counts from 5,000 to 99,000. They specifically excluded those organizations that have more than 100,000 records because they didn’t want to sway the numbers dramatically in one direction or another.

Now the one important thing to keep in mind is these were real companies that really got breached, where they were looking at the cost that these companies had to pay as a result of being breached. As they averaged it out across all 54 companies, it came out to an average of about $188 a record. Now, we go back to the 2,000 record mark that we were talking about a little bit ago; now that number starts to get fairly prohibitive in terms of actually having a breach, in terms of total cost being about $375,000. As you started looking at different industries, the financial industry or healthcare industry: financial industry companies in that sector were at $254 a record versus $305 for healthcare.

As you look at these numbers, the total starts going up dramatically, to over $500,000, over $600,000. When they looked at the causes of the breaches, malicious or criminal attacks accounted for 41% of the causes for the breaches and 26% fell into the bucket of system glitch.

If you look at those numbers and you combine them together, that effectively means that two thirds of the issues that caused these breaches could have been prevented through doing some type of proactive security stance or security inspection. Some of the things that were reducing the cost of those breaches were certainly employing third party security consultants and taking a strong proactive security stance; for organizations that had done that, it dramatically dropped the cost of the implication of a breach.

Another interesting factor was the customer churn rates by industry. The highest rates of what they call abnormal churn for customers were in the financial and healthcare sectors. If you think about it, customers that depend on organizations working in the financial and healthcare industries expect that these organizations are taking security seriously and understand the importance of the information that they’re in charge of protecting. Usually, we’ll have the strongest reaction when something goes wrong.

Adam: Some of the examples of breach costs that an organization faces … and believe it or not, this is a subset of them, just to give you an idea of the types of things that happen to an organization when they’re breached.

Certainly professional security testing needs to be performed, otherwise known as penetration testing. There are consulting fees for auditors and for security specialists. Legal fees are normally a fairly hefty portion of it, for handling of the breach and handling lawsuits. Regulatory fines that are doled out.

Communication. That’s actually a larger issue than most people anticipate when they get breached. The reason for that is there are presently 47 different state breach notification laws. So if your organization is breached, then you need to go take a look at what information they potentially could have gotten access to and determine the location of all the individuals that fall into that pool. Then you have to figure out how many states that covers, and then you’ve got to figure out what communication we need to do to adhere to each of these state clauses.

The communication realm becomes phenomenally complicated. Certainly, employee training comes into play. Investigation and forensic costs, performing security awareness for internal employees, vendor management, maybe you need to make some changes to your vendors. Workforce modifications, improving the education of some of the internal workforce, maybe you need to get some new folks in.

And probably the biggest negative that comes out of a breach is the impact on reputation. Anybody that’s in business today knows how hard it is to get a customer. Can you imagine how much more difficult that would be if your organization had gotten the black eye publicly about the fact that you didn’t take your security seriously? It just makes that customer acquisition process that much more difficult.

Adam: Talking about assessing security. We alluded to this on the previous slide, but it’s an engagement called the penetration test. When a company takes on a penetration test, it is an attempt by a hired security firm to effectively attempt to penetrate the environment. The test is typically performed remotely and it should be done by experienced security engineers. It should involve a large volume of manual testing in the process.

The nice part about a penetration test is you have the capability to do what’s called whole system testing. It will cover your network layer, your web applications, internal servers, workstations, laptops, printers, wireless systems. You name it; pretty much anything that draws an IP address has the capability to be included in the penetration test.

The recommendation for most organizations, if they are under a compliance mandate to do so: just for instance, PCI compliance mandates that organizations that have credit card data perform external and internal penetration testing once a year, on top of a whole lot of other things. I’ll certainly recommend that you do the testing once a year.

As far as the reports go, it’s probably the best part about doing a penetration test: because you’ve got security engineers that are experienced, they are using some tools to help drive the process, but ultimately they are eliminating what we’ll call false positives. Your final report is very clean. These are specific issues that are actually security problems. The report will tell you what was found, where it was found, what it means, and how severe the issue is on your system.

This isn’t a machine-based “this particular vulnerability is a low.” It’s “this particular issue is normally called a low, but in your case, you have these other three vulnerabilities, which really turn this low into a critical issue that you need to get addressed immediately.” That’s the type of insight that you get.

The best part about when you are doing a penetration test is, you get specifics about how to fix it. The easy one is if it’s a patch, then here is your patch. If it’s a configuration setting on a server: it’s this setting, it’s currently set to this, change it to that. When it comes to web code: here is a copy of your existing code today, here's what you need to change that code to. With many organizations that do a penetration test, we’ve had some organizations that come back within a day or two, because it's so quick for them to hand that off to their network administrators and to their development teams, have them go and make the changes, and come back and say, “Okay. We’re ready for you to validate that these issues are closed.”

The use for a penetration testing engagement isn’t just, “Am I secure?” If you use the result of a penetration test appropriately, you can also gain a lot of insight into your existing policies and procedures. Let’s say that you had some web code that needed to be addressed from a security perspective. Then you start to ask yourself the question, “How did that web code make it through my software development lifecycle and not get caught or flagged as a potential security issue?” If you're missing patches: why was this patch missed? Are we not monitoring for that? Depending on how you use the results of that penetration testing engagement, you can really gain a significant amount of insight into the organization overall.

For High Bit in 2012, for the average small or medium size business to do both external and internal penetration testing, the total cost was well under $10,000. So, go back to the notion that most organizations, in totality, have 2,000 records and they’re facing an average of $375,000 if they happen to be on the receiving end of a hack. Less than $10,000 starts to become a drop in the bucket at that point.

The last piece about penetration testing is that the penetration testing vendor should be leveraged as a partner to the existing internal IT staff or your IT provider. Certainly one of the challenges that we bring up in our engagements is that we want business owners and managers to understand that these folks aren’t security experts; that’s why we’re there. It really should be leveraged as a partnership with that existing IT staff; we don’t want any conflict occurring between the internal IT staff and the new security vendor. It should be a partnership-style relationship.

April: Hey, Adam. Let me ask a dumb question here and just ask you to clarify. Is penetration testing something that you can do with an automated software tool or what's the difference between penetration and some of those automated tools, if there is one?

Adam: There are several automated tools that exist. One of which, what's called a vulnerability scan, is a good example. There are lots of things out in the marketplace that some vendors will put out as a penetration scan. Basically the way you can look at those tools is they’re very similar to your local antivirus or anti-malware engine that runs on your workstation. Your antivirus or anti-malware is looking for patterns in files. If it sees a pattern, it draws a flag.

A vulnerability scan, or what some firms will call a penetration scan, basically works the same way. “Hey, I saw a pattern, and the pattern matched my file, so here you might have an issue.” The biggest challenge with those, and this would be an example, April: we had one customer that ran an internal vulnerability scan on their environment and came up with a 1,500 page report that they didn’t quite know where to start with. They wanted some help through that process. Through doing penetration testing, we ended up translating that 1,500 page report into about eight distinct issues that needed to get addressed, and all of the false positives had been removed from that. So the customer, instead of spending their time trying to figure out which of these 1,500 were real issues or not, just went about addressing the eight that they knew were problems from the results of that scan.

The one important thing to keep in mind with those automated tools: they are cheap and they are easy to use, and you can go push a button and quickly get a report, but there's a ton of work in trying to figure out which of those are real issues. And the scarier part about that is that running a vulnerability scan doesn’t mean that you're not vulnerable. We do testing all the time for PCI compliance, as an example, where PCI compliance mandates regular vulnerability scans to be performed on the environment.

If those tools were finding every vulnerability, then a penetration test would just be an exercise that was performed. There's a reason why the PCI council mandated that penetration testing be done in spite of the fact that these organizations are using those automated tools, and that’s because the automated tools are really good for a high level check, but it doesn’t necessarily mean that you are secure. That’s part of the challenge there. Did I cover your answer for you?

April: Yes, you did. Thanks very much. I think this might be also a good place to add another question that came up. Are there methods that you use to measure security or how do people track and benchmark security within their organization?

Adam: With a penetration test, certainly, when you go through and get the penetration test performed, you’ll get a list of every identified security vulnerability, number one. Number two, yes, they will be prioritized. You’ll have everything from critical findings all the way down to informational findings.

When you get those under the context of a penetration test, because it's taking into account all of the other security vulnerabilities that particular organization’s been subject to, it really does provide a good benchmark from that perspective. When you come back around through your second year, what normally happens on a penetration test? Think about it: you’ve got security engineers sitting there doing the testing. When they go in for the first test, often times it's, you know, identification of a lot of vulnerabilities.

The first test really is picking up what we'll call the low-hanging fruit from a security perspective. There are a lot of issues to go through, and the engineers try to report as many of those as possible. If you get to your second and third years of penetration testing, the nature of the results comes down to a couple of different factors. One, how much change has there been in that organization over that period of time? But more importantly, the second- and third-year tests are the ones where the security engineers are truly able to get a level of depth into the organization and really start looking for some of the maybe less obvious security issues that may exist in the environment.

April: Great. Thanks, Adam.

Adam: No problem. Let’s move on to … let’s see, I’ve got about 12 minutes before I’m looking to stop. I’m going to keep moving.

These are some case studies. This is to give everybody an idea and an example of what occurs when you do a penetration test, or the types of things that are found. In the first case, it was for a medical facility. The medical facility had an electronic medical records system in place and they figured, well, what organization knows more about the security of the data they are intending to protect than an electronic medical records provider? They employed the EMR provider to do their day-to-day support. They had some concerns about their security and so they had a penetration test performed.

Even with the EMR provider in place, we ended up gaining external access to the internal environment; in other words, sitting at any of your desks, you could have gained access to the internal environment of this medical provider. Once there, we found a large number of vulnerabilities, and basically every server, workstation, firewall, every device that was within that environment ended up being taken over through testing, and we gained access to sensitive medical data including prescriptions, contact information, social security numbers, doctors' signatures, narcotic IDs; you name it. In this particular case, because they were using an automated system for distribution of prescription information out to the pharmacies, we would have had the capability to line ourselves up with as much controlled narcotics as we wished through that process. It was kind of eye-opening, if you will.

The next one was a rebate processor. Effectively the story is the same: we got in from the outside, and once inside, basically took over most of their internal systems. This one was important because we were taken on to help a company that had been breached, and in this particular case, we stopped counting when the total dollar amount passed the quarter-million-dollar mark. For us, it gave validation to some of those numbers that the Ponemon Institute is coming up with; we were just keeping track of it as we went through that engagement. It really brought home for us the real cost to these organizations.

When you look at an organization and security, certainly, penetration testing, bar none, is the best way to answer the question, “Am I secure?” But certainly there are a number of tools, a number of security solutions that all need to play into the security of an organization, not the least of which are those aspects that support a secure stance. Things like your information security policy for your organization; an acceptable use policy, or what are the acceptable uses of the technology for the employees of the organization; looking at the way that you deploy software and infrastructure; keeping up on patching; monitoring what's really going on within the environment; how you grant and remove access to individuals within the organization and only provide them the rights that they need to do their jobs; performing organizational risk assessments. Certainly having an incident response plan in place is a big issue, because you don't want to be trying to figure out what to do when you're faced with the issue. Security awareness training: improving the awareness of the employees so they know what to look for, what the signs are that we could have a problem, and when my alarm bells should go off when someone is asking me a question over the phone or via email. Those types of things are things that come up within a security awareness training program.

At a high level, we'll cover some general security tips, and that is: certainly do proactive security testing to close your security vulnerabilities. Keep in mind that your firewalls, servers, workstations, wireless equipment; they all need security attention. We talked about policy updates and security awareness training.

Don’t forget about physical and electronic data destruction. I actually just read a story this morning about a medical institution that had handed hard drives off to a third party that were supposed to be wiped, but weren’t. Certainly, keep an eye on your physical and electronic information and make sure that it gets cleared out.

Adam: Probably one of my favorite topics for the individual, if you will, but certainly for organizations as well, is passwords. The vast majority of people will have, let’s say, fewer than five passwords if they aren’t using a password manager. Maybe they’ve got five; most people have one or two. Even if they change those, it’s usually by incrementing the number on the end. Make sure you’re using strong passwords: more than 8 characters, upper and lower case, numbers, symbols. It’s very hard to do that if all you are doing is trying to keep it all in memory.

They do have tools out there called password managers. There are a number of different types and styles, but an example would be KeePass. It’s on the screen there, K-E-E-P-A-S-S. KeePass is freely available. Go online and download it and play around with it. The recommendation for using a password manager is: get a password manager and implement a really, really long, ugly, nasty, never-used-before password as your password to the password manager. Because effectively that’s the only password you’re ever going to need to remember if you’re using a password manager.

Within the password manager you can set up accounts, let’s say your Google account, your Gmail account, your Comcast account or whatever it may be, your accounts for your banking systems and all that good stuff. You can go ahead and create profiles in there, and then what I do is I will look at the requirements for the site that I’m generating a password for. So let’s say they say, “You can use a password that’s up to 250 characters long.” Great: 250 characters, upper and lower case, numbers, symbols, and I’ll go and generate. It will put out this 255-character random string of numbers, letters, characters, all that stuff, but I don’t care because I’ve stored it in my password manager. Certainly back up your password manager as you go.

One of the other comments that we’ve got from different discussions that we’ve had previously on the password manager is, “What about the emergency reset questions or the security questions?” What I’ll do for those is, I’ll use “What city were you born in?” as an example, I’ll use some random password generator and create a different value, and I’ll just note it in the notes within the password manager. Even my security questions are different on every single site. Somebody in one of our sessions said, “That’s a little extreme.” Your eyes get opened as you sit in the security space, so I try to walk the walk, shall we say. That’s about it on password managers. KeePass is also capable of being run from a USB device. So you can take the USB drive, hook it to your keys, which is what I do, and that way I’ve always got my passwords with me whenever I need to use them.

Adam: Let’s move on to the last piece of this, which is “Who really needs security?” Just prompting the question, if you will. One example: we were giving a similar security-related presentation, and one of the participants in that presentation was a multi-county medical system that attended and went in and had some external penetration testing performed. Again, they’re in the medical space. They thankfully know and understand their responsibility for security. They had the testing done and we ended up finding numerous vulnerabilities in their systems, both in the systems that they maintain and, the scarier part, in the systems that had been provided by vendors that work in the medical space.

These were providers that work in the medical sector, providing solutions to people in the medical sector. Even these vendors’ solutions ended up having security issues. They’re in the process of planning their internal testing as we speak, because they’ve seen the benefit, if you will, of having done it. That’s one example. Look at your company. Has your company ever done penetration testing? Maybe you’ve got customers or partners that have sensitive information; certainly, spread the word.

Look at vendors. One of the recommendations that we give to our customers is: look at the vendors you have. Go ask them the question, “Can you produce a penetration testing report from a third party to revalidate your security?” You may be surprised how many times you don’t get the answer that you expected. Without further ado, April, I will hand the virtual baton over to you for a review of some of the upcoming webinars through Online Tech.

April: That’s great. Thanks, Adam. I want to let everyone know: please submit your questions on this presentation. We do have a few minutes to follow up on them. Let me briefly give you a heads-up on the next two Tuesday @ 2 webinars. We’re going to be joined next week by our friends and security experts at Duo Security.

Adam, I know you mentioned that passwords tend to be a real weak point in the security chain. Duo Security has come up with a fantastic, innovative way to never have to worry about a weak password again. Join us next week, Tuesday @ 2. We’re specifically going to be talking about how to achieve a cost-effective solution for protecting access to protected health information with their tool.

The following Tuesday @ 2, we’re also going to be focusing on the healthcare area and learning what we can do to improve ROI with an electronic medical records implementation. We’re going to be looking uniquely at how to handle documents securely and eliminate all the hassle of paper-based documentation, with ImageDoc USA.

April: Adam, let me share with you some of the questions that have been submitted. One of them is: given that you are a little paranoid about security, what OSs do you use or prefer?

Adam: I’m unfortunately stuck on a Windows-based system at present, and that’s just because of tools that I have to use for what I do. That doesn’t make me warm and fuzzy, shall we say. As far as a preference goes, as soon as I can get over to an Apple or Mac-based system, that’s definitively the direction that I personally am going to head, just because of the security implications. But that said, there are also a number of Linux-based operating systems that have some good hardened profiles for them as well, and definitely consider some of the boxes in that space as well.

The biggest challenge for most folks comes down to their software requirements: what platform will be acceptable or will work for them. Yeah, I definitely would tend toward the Apple platform.

Apple actually, in the grand scheme of things, does a fairly good job with vetting applications, vetting systems, vetting software that needs to go onto their platform, and puts the makers of software for those platforms through a fair amount of rigor, far more rigor than I’ve seen certainly in the Microsoft space and even over on the Linux and Android platforms. You start talking Android when you start talking about mobile. At least at this moment, they are winning the battle, in my opinion. That would be the platform that I would use.

April: Fair enough. Second question. How long does the typical small or medium business penetration test or audit take?

Adam: The answer, at face value, is going to be: it depends. I would say an average external penetration test typically is scheduled over a period of approximately two weeks. That involves a large number of tests and functions. An internal penetration test, again, is over about a two- to three-week timeframe. It really depends on how much scope there is to that organization, but I would call that a good average, and by the way, both of those engagements can typically be performed simultaneously and remotely.

You are not going to have people sitting onsite at your facility or anything like that. The largest challenges when you do a penetration test are just collecting up the scope and, for an internal engagement, getting the testing host connected and making sure that it has access to everything that needs to be tested.

When you do a penetration test, just to give you a quick overview of the types of things that are included or done, which gives some explanation of why it takes that period of time: let’s say it’s a typical organization that has some IP addresses, some servers that are facing the internet, and they also maybe have a web application or two.

Under those circumstances, the first thing that would be run would be a port-mapping exercise. Go through each of the externally facing servers and look at … there are two sets of about 65,000 communication protocols that occur on every server that’s out there. We would go through both sets of those protocols for all of the externally facing servers. That’s one input that goes to the penetration testing team. Certainly running a vulnerability scanner, so the input from that would be another tool that will be used.

In our case, all of our security engineers have a development background. They are coders, coders at heart, if you will. So they will actually walk through the web applications manually. They will be looking for what we’ll call logical coding faults, or maybe assumptions that the developer made in the way that they coded the application, and looking for areas that they want to come back and look at more deeply, but also to familiarize themselves with that web application as they go through and do testing on it.

There is one final tool that’s used in that web application arena, and that is what’s called a web application fuzzer. What the web application fuzzer does is go through each of the input parameters on the website and push a series of different values at each input parameter. Look at a typical login page where you’ve got a username and a password. Each of those would be inputs on the web page. We would push about 1,700 different values at each of those input boxes. We’re looking for a wide variety of security holes that could be in place with that webpage.

Once all of those tools have been run, the security engineer then starts really going through and doing manual testing and manual assessment of the results of all of these various tools, confirming which issues out of those tools are real issues versus which ones are not, validating what needs to be improved, and starting to compose that report.

When they finish with the automated tool portion, they then will go through the system and say, “Hey, if I’m attempting to penetrate this environment, knowing what I now know, what am I going to do?” Then they look at some of those logical coding faults or assumptions that the developer made, and they’re really just going to follow their nose, and that’s a phase of the testing portion that quite literally cannot be performed by any tool that exists today. If you’re drawing outside the lines, you are finding things that wouldn’t otherwise be found by other tools. That’s part of the power, if you will, of the penetration test.

April: Great. Thanks, Adam. If anyone else has further questions, I would advise you to feel free to reach out to Adam and the team at High Bit Security. Adam has always been very generous with his time and expertise. He’s done for the day. Thanks so much, Adam, for giving us some good insights and good tips and helping us understand the security landscape.

Adam: Thank you very much April for having me. I appreciate it. I’ll look forward to the next time.

April: Thanks for joining us everyone. Hopefully, we’ll see you soon in another Tuesday @ 2 o’clock.
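The port-mapping, vulnerability-scanning and web application fuzzing steps described in the Q&A above are all tool-driven, and the fuzzing step is the easiest to show in miniature. What follows is an added example, not code from the webinar or from High Bit Security: a short Python script that pushes a constructed payload list (standing in for the roughly 1,700 values a real fuzzer uses) at each parameter of a hypothetical login handler and flags responses that differ from the baseline. The handler, the in-memory SQLite user table and the payloads are all constructed for illustration. The vulnerable version deliberately builds its SQL by string formatting and echoes the username back unescaped; the hardened version beside it shows what the same fuzzer reports once those two defects are fixed.

```python
import sqlite3
import html

# Constructed payload list: a tiny stand-in for the ~1,700 values a real
# web application fuzzer pushes at each input. The categories are the
# usual ones: a boolean tautology, a lone SQL metacharacter, a comment
# terminator, a script tag, an over-long value and a NUL-style marker.
PAYLOADS = [
    "' OR '1'='1",
    "'",
    '" OR ""="',
    "admin'--",
    "<script>alert(1)</script>",
    "A" * 300,
    "%00",
]


def make_db():
    """Constructed in-memory user table standing in for the app's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db


def vulnerable_login(db, params):
    """Hypothetical login handler built the way a fuzzer hopes to find it:
    string-built SQL and an error page that echoes the input unescaped.
    Returns (status, body) like a web response would."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (params["username"], params["password"]))
    try:
        row = db.execute(query).fetchone()
    except sqlite3.Error as err:
        return 500, "database error: %s" % err
    if row:
        return 200, "Welcome, %s" % row[0]
    return 401, "Login failed for %s" % params["username"]


def hardened_login(db, params):
    """Same handler with a parameterised query and no input reflection."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (params["username"], params["password"]),
    ).fetchone()
    if row:
        return 200, "Welcome, %s" % html.escape(row[0])
    return 401, "Login failed"


def fuzz(handler, db, baseline_params, payloads):
    """Push every payload at every parameter in turn, keeping the other
    parameters at their baseline values, and flag responses that differ
    from the baseline in a way worth a human's attention."""
    findings = []
    base_status, _ = handler(db, dict(baseline_params))
    for field in baseline_params:
        for payload in payloads:
            params = dict(baseline_params)
            params[field] = payload
            status, body = handler(db, params)
            if status == 500:
                # The input reached something that choked on it (here: SQL).
                findings.append((field, payload, "server error"))
            elif status == 200 and base_status != 200:
                # Baseline credentials were wrong, yet we got in.
                findings.append((field, payload, "auth bypass"))
            elif payload in body:
                # Input echoed verbatim: a lead for XSS, not a proven one.
                findings.append((field, payload, "unescaped reflection"))
    return findings


if __name__ == "__main__":
    db = make_db()
    baseline = {"username": "alice", "password": "wrongpassword"}
    for name, handler in (("vulnerable", vulnerable_login),
                          ("hardened", hardened_login)):
        print("== %s handler ==" % name)
        for field, payload, kind in fuzz(handler, db, baseline, PAYLOADS):
            print("%-20s %-9s %r" % (kind, field, payload[:30]))
```

Against the vulnerable handler the tautology in the password field logs in as alice, the lone quote produces a database error in both fields, and every payload sent through the username comes back reflected in the failure message; against the hardened handler the same run produces nothing. The reflection hits illustrate the point made in the Q&A: tool output is the input to the manual work, not the finding itself, since an echoed string is a lead to verify, not a proven exploit.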


Adam Goslin, COO, High Bit Security, LLC

Adam has an IT career that spans more than 15 years, going on to found High Bit Security, a national security services provider, providing penetration testing solutions to clients who need to protect sensitive data in industries such as healthcare, credit card and financial services, or companies that otherwise store intellectual property or personally identifiable information. High Bit Security also provides security consulting services to clients to assist them with their compliance objectives across PCI-DSS and PA-DSS, or to clients who simply wish to perform a security best practices audit of their organization. www.HighBitSecurity.com
