Stratus Concept

News & Events

Oct 06 2022

What do you know about Data Breaches?

No phrase has dominated the tech world this year more than the term “data breach.” From breaches that have impacted travel (Texas Department of Transportation, Uber, Holiday Inn and American Airlines), to entertainment (Rockstar and DoorDash), to health (Choice Health Insurance, Alameda Health System and Shields Health Care Group), the last year has been saturated with headlines of cybersecurity mishaps. Yet, despite the prevalence of breach-centric news, many business owners may not know what exactly a data breach is, how one typically starts, and why they occur.

According to an IBM report, the average time it takes to identify that a breach has occurred is 287 days, with the average time to contain a breach clocking in at 80 days. And with 81% of businesses experiencing a cyberattack during the COVID pandemic, it is essential that individuals are familiar with the anatomy of a data breach so that they can keep their data, as well as their colleagues and customers’ data, safe.

With that in mind, here is some helpful background on what data breaches are and why they are so problematic.

What are hackers interested in getting?

Unfortunately, cyber criminals look to get their hands on any information they possibly can, ranging from obviously sensitive information such as social security numbers and credit card information to more obscure data like past purchase history.

What is a data breach? 

While it is usually obscured by complex jargon, a data breach is very straightforward to explain. According to Trend Micro, a data breach is “an incident where information is stolen or taken from a system without the knowledge or authorization of the system’s owner.” A data breach can be the result of a system or human error, but most data breaches are the result of cyber-attacks, where a cybercriminal gains unlawful access to sensitive system data. According to Security Magazine, 92% of the data breaches in Q1 2022 were the result of cyberattacks.

What are some of the tactics used to execute data breaches?

Cybercrime is getting more sophisticated each day. However, cyberattack tactics do not have to be cutting-edge or advanced to be very effective. Here are a few examples of popular tactics used by cybercriminals:

  • Phishing: Phishing is when a cybercriminal uses social engineering in hopes of tricking an individual into giving them access to personal information. Phishing is one of the oldest tricks in the book for cybercriminals, but it is just as effective as ever. For example, 80% of security incidents and 90% of data breaches stem from phishing attempts, according to a 2022 report by Spanning Cloud Apps.
  • Malware: Another criminal-trusted method is malware. Malware is malicious software that secretly installs itself on devices – often by way of a user engaging with fake links and content – and quietly gains access to the data on an individual’s device or a business network.
  • Password Attack: Through password attacks, cybercriminals look to gain access to sensitive data and networks by “cracking” user passwords or purchasing them on the dark web, then using these credentials to get into networks and extract data.

What can you do to stop data breaches?

The best way to stop a data breach is to stop it before it even starts. The number one thing is making sure your passwords are unique and are accompanied by multi-factor authentication. Next, report all suspicious emails. If you do suspect that you have been the victim of a breach, immediately contact your IT security professional to notify them and follow subsequent protocols to help them scan, detect, and remediate any issues that exist.

Written by pete · Categorized: In the News

Oct 13 2021

Developing Cybersecurity Policies

As you probably know, the cyber threat is constantly growing. I was just watching this morning about how school systems are being attacked and how the issues they’re running into are so pervasive. All organizations are under the persistent threat of having their data compromised.

In this post, I hope to demonstrate how you can identify what kind of information your firm might handle, what kind of responsibilities you might have for that information, and how you address those responsibilities with policies and procedures.

I want to start out with something everyone has probably seen, the “I’m not a cat” video from a Zoom court hearing.

When I saw Rod Ponton, a county attorney in Presidio County, Texas, unable to figure out how to turn off the cat filter on his Zoom call during a court hearing, I laughed. 

Zoom meeting screenshot of 394th Judicial District Court where 1 person looks like a cat

While we may chuckle about it, and the judge said “Everyone involved handled it with dignity, and the filtered lawyer showed incredible grace. True professionalism all around!”, I think there are some serious takeaways. 

It was reported that Mr. Ponton’s computer had a problem, so he used an assistant’s computer for the Zoom session. The assistant’s daughter had previously used the same computer and had installed a Snap Camera cat filter.

Lawyers and other professionals have a responsibility to keep specific information about their clients private. If that computer is used by the assistant while doing work for Mr. Ponton, then that computer may have client data both in local files and in remotely accessible files.

Making private client information viewable by the assistant’s family member is a mild risk, but allowing the download and installation of unvetted software can lead to malicious exfiltration of that private information, putting Mr. Ponton and his firm at risk of PCI, HIPAA or other costly violations.

How would you know? How do you keep your firm safe from this kind of exposure?

In this post, I will address how to analyze where you are today and what you need to do next.

We need a plan.  Cyber security can be really overwhelming for everyone. We want to limit the scope, but we need to identify where vulnerabilities lurk. 

Arrows pointing to the right.  1st is Responsibilities pointing to Risks pointing to Policies. Policies point to 2 arrows Procedures and Tools.

We want to set some rules, and we want to be able to enforce and monitor those rules.

This plan is derived from a number of different frameworks.  I’ll talk about what a Framework is later in this post. 

The first thing is responsibilities: you want to identify what you are responsible for, what kind of information it is, where it is held and used, etc.

Once you can list your responsibilities, you identify the risks related to those responsibilities.

Then, based on that, create some policies: rules that you’re going to follow that will help you mitigate those risks.

Procedures will help you follow those policies, and tools will help you ensure that things are being done; you use the tools within the procedures, so they go hand in hand.

Once you break it out this way, it becomes manageable, and that’s where we’re going to go.

You want to identify what kind of data you’re working with.

What information are you collecting?

Someone fills out an intake form and they become a client.

That form may capture personal identifying information, payment information, and business information.

Think about why you’re collecting it and how it’s being used. Then also think about how sensitive that is. 

This is essentially an information audit and it provides a profile of the kind of data that you’re keeping. 

Is it, as I said, PII, which is personally identifiable information?

Is it payment information, which falls under PCI?

Is it health information which would invoke HIPAA? 

Is it company confidential information like patent information or trademark registrations or product development plans? 

Once you know your responsibilities, you can work on a framework, and your business may actually fall under a couple of different frameworks.

NIST Framework diagram. Circle with 5 segments: Identify, Protect, Detect, Respond, and Recover

I’ll get into a little more detail on NIST, as well as PCI, next.

NIST is the National Institute of Standards and Technology, a government agency, and it created a cybersecurity framework, which is an overarching concept that a lot of other frameworks incorporate.

Almost always, every business will begin with the NIST framework. If you’re doing sales or ecommerce, then add the PCI DSS requirements. Depending on how your business runs, maybe the whole business falls under that, and the others then become very specific: HIPAA, NERC CIP, …

The Cybersecurity Maturity Model Certification extends DFARS CDI for anyone who is a supplier of services to the US government. Depending on the type of supplier, there are different levels that you’ll have to meet.

The NIST CSF is a ring because it’s a continuous improvement cycle.  Let’s start with something basic like your desktop computer or your laptop. 

You’ve identified that you’re going to PROTECT it, so you want some endpoint protection on it, which is essentially antivirus / antimalware. 

Once you’re protecting it, then you will move to DETECT, which is knowing that an attack is underway. Rapid Detection and Response (RDR) is a feature of some of the advanced endpoint protection products. They detect that malware is actually starting to run on the system. By looking at the profile of the applications that you run, it can identify that something abnormal is happening. It will provide a warning if, for example, an application tries to access a system file it does not normally access.

The next step is to RESPOND, where you decide what you want to do about the potential attack. Do you want to isolate the computer? Do you want to try to stop that application from running? You’ll see a number of different things that some of the advanced protections do.

The last step is to RECOVER. Yes, you’ve stopped the attack, but was any data compromised or damaged? How do you get it back to the normal running state?

From there you start the cycle over. You identify something new, for example email or your network, and start with how you protect it.

You’re constantly improving by running through that cycle using that framework. 

Another framework is the payment card industry.  They’ve created a security standard, PCI-DSS.  You’re not legally obligated to follow it, but if you do any dealings with the bank, they will require you to certify for it.  You could lose your ability to collect credit card payments if you don’t. If your credit card usage is minimal, you may be able to self-certify.  If you have a significant number of transactions or have your own applications or network, then you may need to use a Qualified Assessor. 

PCI-DSS is broken up into 12 requirements, which can be grouped into six sections.

Secure Networks: Build and Maintain a Secure Network and Systems 

1. Install and maintain a firewall configuration to protect cardholder data 

2. Do not use vendor-supplied defaults for system passwords and other security parameters   

Secure Cardholder Data: Protect Cardholder Data 

3. Protect stored cardholder data 

4. Encrypt transmission of cardholder data across open, public networks 

Manage Vulnerabilities: Maintain a Vulnerability Management Program 

5. Protect all systems against malware and regularly update antivirus software or programs 

6. Develop and maintain secure systems and applications 

Authenticate & Control Access: Implement Strong Access Control Measures 

7. Restrict access to cardholder data by business need to know 

8. Identify and authenticate access to system components 

9. Restrict physical access to cardholder data 

Monitor and Test: Regularly Monitor and Test Networks 

10. Track and monitor all access to network resources and cardholder data 

11. Regularly test security systems and processes 

Policies and Awareness: Maintain an Information Security Policy 

12. Maintain a policy that addresses information security for all personnel 

The title of PCI-DSS section 12 states that it is about policies, but awareness training requirements are also in that section; that is, cybersecurity awareness training for staff. How can someone identify whether an email is a valid email or a phishing email? What kinds of phishing emails are there?

What other behaviors might be encouraged or discouraged during business hours, or even at home?

A good training program is not very intrusive. Typically, 45 minutes to an hour one time for the year and then periodically after that for just a couple of minutes at a time. 

PCI-DSS diagram. 12 circles grouped into 6 sections: Secure Networks, Secure Card Holder Data, Manage Vulnerabilities, Authenticate & Control Access, Monitor & Test, Policies & Awareness

Now that you are aware of the various frameworks that we modeled this process on, the next step is a risk analysis.

We want to ask: where is the data? Where is it being saved? How long is it being saved? Do you have a data retention policy? This is where you delete data after a certain period of time.

All this information combines to give you an exposure profile, which tells you where you might have some vulnerabilities. Is that data susceptible to loss?

What if something happens at Microsoft: they do an update, it goes out for a couple of hours, it comes back and your data is missing. It was not malicious, but you still lost some data. Microsoft and Google don’t guarantee that they will have your data; all they guarantee is that they will provide you the services.

Are you preventing information leaks? Are you checking that emails are not carrying passport numbers or credit card numbers?

What happens if you are exposed to ransomware? Your server gets locked up, do you have a backup that is isolated from the server? 

Do you have that data backed up somewhere offsite?  Is it you know up in the cloud somewhere that you can come back, wipe out the server and restore the data?  What’s the time gap between backups? How long will it take to restore the data?  

These are the things you are going to be looking at. The output of this is something called a risk register. The first part of the risk register is determining the probability of the identified risk happening, then the severity of impact should that risk happen.

For example:

  1. Your email system becomes unavailable. It does not happen often, and it’s a very low impact because it is Microsoft 365, you have a backup service, and all messages get delivered eventually. So you score it appropriately, and it may be yellow or even green.
  2. You have a single server holding all your data, it’s all of your client data, and you don’t have a backup of it. The probability of a single computer having a fault and crashing is relatively high. Losing all or a lot of your client data would be a large impact. This would score high on both axes and probably end in the red zone.

You build out the register this way. I used an example scoring of 1 to 3, but the more granularity you can provide, the better you can identify the top risks.
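As an added example (not code from the original post), here is a minimal risk register that scores each risk on probability times impact using the 1 to 3 scale described above, maps the product to a green/yellow/red zone, and sorts the register so the top risks and their owners come out first. The zone thresholds, the sample risks and the owner names are assumptions constructed for the example.

```python
"""Risk register with probability x impact scoring (1-3 scale).

Added example; zone thresholds and sample data are constructed assumptions."""
from dataclasses import dataclass

SCALE = {1: "low", 2: "medium", 3: "high"}


@dataclass
class Risk:
    name: str
    probability: int            # 1 (rare) .. 3 (likely)
    impact: int                 # 1 (minor) .. 3 (severe)
    owner: str = "unassigned"   # who is responsible for mitigating it
    mitigation: str = ""

    def __post_init__(self):
        for v in (self.probability, self.impact):
            if v not in SCALE:
                raise ValueError(f"{self.name}: scores must be 1, 2 or 3, got {v}")

    @property
    def score(self) -> int:
        return self.probability * self.impact

    @property
    def zone(self) -> str:
        # Assumed thresholds for a 1-3 scale: 1-2 green, 3-4 yellow, 6-9 red.
        if self.score >= 6:
            return "red"
        if self.score >= 3:
            return "yellow"
        return "green"


def build_register(risks):
    """Return risks sorted highest score first (ties broken by higher impact)."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def unowned(risks):
    """Names of risks that still need someone assigned to the mitigation."""
    return [r.name for r in risks if r.owner == "unassigned"]


def render(risks) -> str:
    """Plain-text table of the register, top risks first."""
    lines = [f"{'Risk':<48}{'P':>2}{'I':>3}{'Score':>7}  Zone    Owner"]
    for r in build_register(risks):
        lines.append(
            f"{r.name:<48}{r.probability:>2}{r.impact:>3}{r.score:>7}  "
            f"{r.zone:<7} {r.owner}"
        )
    return "\n".join(lines)


# Constructed sample register modelled on the two examples in the post.
SAMPLE_RISKS = [
    Risk("Email (Microsoft 365) temporarily unavailable", 1, 1,
         owner="IT lead", mitigation="backup mail service, messages queue"),
    Risk("Single un-backed-up server holds all client data", 3, 3,
         mitigation="offsite backup, test restores"),
    Risk("Phishing email reaches staff inbox", 3, 2,
         owner="Office manager", mitigation="email filtering, awareness training"),
]

if __name__ == "__main__":
    print(render(SAMPLE_RISKS))
    print("needs an owner:", unowned(SAMPLE_RISKS))
```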

The Risk Register should be more than just a summary of what risks you have.  You will want to assign who’s going to be responsible for taking on this task of mitigating each risk. 

The risk register is really a good way to actually map out where you are today and it highlights what you need to work on next.   

Now that you’ve analyzed everything and you know where you’re at, you enter the Definition phase. It is time to create your policies.

The first policy you need is an umbrella document, which is normally referred to as the written information security policy (WISP).  This will set up the overall scope and key definitions, very high level. 

All of your other policies will branch from the WISP.   

The purpose of all of your policies is to provide the definitions, architectures, and responsibilities within the scope of what those policies cover. Policies can enumerate what is allowed, what’s not allowed and what’s restricted.

It is important that everyone in the organization acknowledges that they’ve received and read these policies. Otherwise, they’re just documents.

Back to the Zoom “I’m not a cat” incident: if you had a computer use policy that said the computer is for business use only, the assistant would have known that the daughter couldn’t use the computer, and he wouldn’t have had that embarrassing moment of being a cat.

An option might be to leverage access controls: your policy could say you do allow non-staff people to use the computers, but they need to use a guest account on the computer. The guest account can be restricted to web access without administrative capabilities, so that malware is much less likely to get installed on it.

A policy may address email. Do you want to restrict email from private use? The policy would let staff know that any email within the business can be read by the owner of the business because it is business property, like any other business documentation.

There should be a policy to address passwords. In the past, frequently changing your password, commonly every 4-6 months, was considered a good thing. The problem with that is people run into password burnout and start to choose weaker and weaker passwords. Maintaining many strong passwords is one reason for using a password manager, but many businesses are not using one consistently.

Another thing that has mitigated the need for frequent password changes is multi-factor authentication. With MFA you have a username and password, and then you have some alternate path of verification. It might be a text message, an acknowledgement email back to you with a code, or an authenticator app.

Microsoft has an authenticator app, Google has one, and there are at least a half dozen more authenticator apps out there. With strong unique passwords and MFA, the current recommendation is that you never change the password unless a breach has occurred, in which case you want to be as conservative as possible and have everyone change their passwords. But in general, you don’t need to change passwords if you’re using a multi-factor method of authentication.

A policy will include a general description of its purpose and scope. What issues does the policy address? Who does it apply to?

The next part of a policy would be definitions, to ensure everyone understands the terms in proper context. Staff may mean employees and contractors. Devices may mean desktops, laptops, tablets and smart phones.

The next part would be the directives. Activities may be explicitly permitted, prohibited or restricted.

The final part of a policy would be document revision control.   Policies will often be updated and revision control is important to ensure everyone has the current version. 

Once your policies are in place you move from the definition phase to enforcement.  Procedures are the way to document how you enforce the policies in practice. 

  • What gets recorded for your audit trail? 
  • How do you respond to incidents? How do you report an incident? What kind of triage needs to be done? Who gets notified?  
  • How are backups done? How do you verify backups are good? How do you restore from a backup? 
  • How do you onboard and offboard staff? How do you track assets?

You do not need to create everything from scratch. There are document templates and many tools whose use will be documented within both the policies and the procedures.   

Some of those tools you may already be aware of, and even use them now: 

  • Advanced endpoint protection includes antivirus and malware detection with profiling, and the ability to enforce that updates are applied.
  • Email filtering to reduce SPAM and malware. You can also limit data leaks with outbound filtering.
  • Encrypted messaging is important if you frequently deal in sensitive information with your clients.
  • Password managers.
  • SaaS backup protection. Cloud services need backup protection the same as on-premise servers.
  • Awareness training for staff is important. Expanding on what I wrote earlier, you can actually gamify it. Who’s got the best score this month? But more importantly, you can see how well the business itself is moving up in cyber awareness maturity.
  • Network scanning. If you only have one or two computers, a network scan isn’t going to tell you much more than what you already know by looking at the computers themselves. If you have a dozen or more network devices, a network scan will go through and find vulnerabilities, classify them and let you work on them.

Same diagram as the Responsibilities, Risks, Policies, Procedures and Tools flow above, with a right-to-left arrow added. The arrow indicates iterating the process.
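The outbound email filtering mentioned in the list above, and the earlier risk-analysis question about checking that emails are not carrying credit card numbers, are both illustrated by this added example (not code from the original post or any product it names). It scans a message for candidate card numbers, keeps only those that pass the Luhn checksum, and reports them masked so the number itself never lands in a log. The sample messages are constructed; the card number used is a well-known test number, not a real account.

```python
"""Outbound mail check for payment card numbers (data leak prevention).

Added example with constructed sample messages."""
import re

# Digit runs of 13-19 digits with optional single space/dash separators,
# not preceded or followed by another digit (so longer runs are ignored).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, the way receipts do."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text: str):
    """Return masked card numbers found in text (Luhn-valid candidates only)."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


def outbound_verdict(message: dict) -> dict:
    """Decide whether an outbound message should be held for review.

    `message` is a constructed dict with 'to', 'subject' and 'body' keys."""
    hits = find_card_numbers(message["subject"] + "\n" + message["body"])
    return {"to": message["to"],
            "action": "hold" if hits else "deliver",
            "cards": hits}


# Constructed sample messages.
SAMPLE_MESSAGES = [
    {"to": "vendor@example.com", "subject": "Invoice 4471",
     "body": "Please charge the card 4111 1111 1111 1111 for the balance."},
    {"to": "client@example.com", "subject": "Meeting",
     # 16 digits that look like a card but fail the Luhn check: not flagged
     "body": "Our case reference is 1234 5678 9012 3456, see you Tuesday."},
    {"to": "team@example.com", "subject": "Phone list",
     "body": "Call me on 555-0100, order #20211013123456."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(outbound_verdict(msg))
```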

The initial diagram I presented really has a back arrow to indicate that you iterate the process similar to the NIST framework where you have that circular view of things, a constant improvement cycle.  As you iterate, you get more and more secure.  The goal is first to address the issues that you are required to do, and then the things that you should do, and then the things that you can do. 

Written by pete · Categorized: In the News, security

Apr 14 2017

Prepare for the inevitable. Check out the natural disaster survival guide for SMBs https://datto.amp.vg/pb/bifv4zwzwxhns

https://stratusconcept.com/1049/

Written by postit · Categorized: Uncategorized

Apr 07 2017

Small business? Check out this guide to learn if outsourcing IT is right for your business https://datto.amp.vg/pb/gtjcv6mb5vf1

https://stratusconcept.com/1047/

Written by postit · Categorized: Uncategorized

Dec 11 2016

Why should your website use HTTPS now?

If your site collects any kind of data through a form or an account login, then the short answer is “Yes”. Before I discuss why, it is important to know what HTTPS does for you.

HTTPS is the secure version of HTTP, the protocol that is used to move data between your users’ browsers and your website server. HTTP is an open text protocol. In other words, when you fill out a form in your browser, that information is sent as readable text to the web server. Using HTTPS, the browser encrypts the form data and the web server decrypts it. This protects the data from being read anywhere between those two points.

For HTTPS to work properly, it relies on SSL certificates. Like the domain authorities that issue the domain names you use for your website, there is a known set of trusted Certificate Authorities that issue SSL certificates. The SSL certificate can be authenticated against a Certificate Authority; this ensures that the browser is not connecting to a fake version of your website.

Because of the privacy that HTTPS offers, Google’s Chrome, Apple’s Safari and Mozilla’s Firefox browsers have been encouraging website owners to move to this encrypted protocol. However, Google has announced (https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html) that, in January, Chrome will take this “HTTPS everywhere” concept to the next step by not just identifying sites with HTTPS as secure, but it will mark a site without HTTPS as “Not Secure” if the site has any input fields.

This means that visitors to your website may be told by their browser that your site is not a secure site. Many visitors may not feel comfortable providing information to a website that is labeled “Not Secure”. Your best choice is to switch to the secure protocol for your website.

To convert a website from HTTP to HTTPS you need to add an SSL certificate and tell the web server to use the new protocol. The seemingly straightforward task of switching your site to HTTPS with an SSL certificate can easily be mismanaged. Some of the challenges you will need to address are:

  • What kind of certificate do you get?
  • Is the certificate installed properly?
  • Does the content on your pages need to be adjusted?

There are a variety of validation levels used by Certificate Authorities, and depending on the validation used, SSL certificates run in price from under ten dollars per year to hundreds of dollars per year. Choosing the right level of validation can save you money, or prevent you from having to redo the process.

Many servers don’t disable deprecated ciphers. Testing against known vulnerabilities will highlight any configuration deficiencies with the installation of the certificate.

Your website pages may reference internal content in a non-secure way. This is a typical problem found on sites that were converted from HTTP to HTTPS after being deployed. Links to internal content may still be coded to use HTTP. While easily fixed, this will block the browser from displaying the secure page indicator.
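As an added example (not code from the original post), here is a small scanner for exactly this problem: given a page served over HTTPS, it lists every sub-resource (stylesheet, script, image, iframe, form target) that is still loaded over plain http://, which is what keeps the browser from showing the secure indicator. The HTML and the site domain are constructed sample input.

```python
"""Find sub-resources still referenced over plain http on an HTTPS page.

Added example; sample page and domain are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a sub-resource.  Plain <a href>
# navigation links are deliberately absent: they do not cause mixed content.
URL_ATTRS = {
    "script": ("src",), "link": ("href",), "img": ("src",), "iframe": ("src",),
    "form": ("action",), "source": ("src",), "video": ("src",), "audio": ("src",),
}
FETCHED_LINK_RELS = ("stylesheet", "icon", "preload")


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (tag, attribute, absolute url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # A <link> only fetches something for certain rel values; a canonical
        # or alternate link pointing at http is not mixed content.
        if tag == "link" and (attrs.get("rel") or "").lower() not in FETCHED_LINK_RELS:
            return
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # urljoin resolves relative paths and protocol-relative "//host/..."
            # against the page URL, so those inherit https and are not flagged.
            absolute = urljoin(self.page_url, value)
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, name, absolute))


def find_mixed_content(page_url: str, html: str):
    """Return the list of (tag, attr, url) references that use plain http."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page, as if fetched from the placeholder domain below.
SAMPLE_URL = "https://www.example-firm.test/contact"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="http://www.example-firm.test/css/site.css">
  <script src="//cdn.example.test/app.js"></script>
  <link rel="canonical" href="http://www.example-firm.test/contact">
</head><body>
  <img src="/images/logo.png">
  <img src="http://www.example-firm.test/images/banner.jpg">
  <form action="http://www.example-firm.test/submit" method="post"></form>
  <a href="http://www.example-firm.test/about">About</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"<{tag} {attr}> still uses http: {url}")
```

After fixing the references, re-run the scan: an empty result means nothing on the page is still loaded over HTTP.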

Should your website use HTTPS? In the long view, all websites will have HTTPS, you just need to decide when you want to make the change.

Written by postit · Categorized: security, Uncategorized

· Copyright © 2023 · Stratus Concept LLC ·
