What is it?

A form of anomaly detection that analyzes and correlates user activity on a computer or network to identify events and patterns that may require further investigation.

Why is it important?

Behavioral monitoring helps security teams quickly pinpoint unusual activity and act upon it. Also known as user and entity behavior analytics (UEBA), behavioral monitoring gathers data to build profiles for different types of users. It can then use those profiles to identify and flag potential threats. It has the potential to catch emerging threats before traditional, signature-based tools.

Why does a business professional need to know this?

Behavioral monitoring is an increasingly important tool for identifying and defending against cyberattacks, and it is taking up a growing share of security budgets. Gartner predicts that 60% of enterprise information security budgets will be allocated to rapid detection and response approaches by 2020, up from less than 10% in 2014 (Moore 2016).

A behavioral monitoring system collects and uses data to build profiles for particular types of users based on role or location. Once profiles are built and activated, significant deviations from the profiles alert security analysts to the need for further review.

Here are some examples:

A remote employee usually accesses the virtual private network (VPN) from her home and from a nearby coffee shop. In the space of 30 minutes her login credentials are used from two different cities on different continents. Behavioral monitoring tools can detect the credentials being used from two places thousands of miles apart and raise an alert.

An accounts payable clerk usually works in the corporate office between 8 AM and 6 PM, Monday through Friday. As part of his usual work, he accesses the accounting system, a shared finance folder, the company intranet, and the inventory system. On his lunch break, he usually reads political news websites and occasionally listens to streaming news broadcasts during the day. Behavioral monitoring would flag these actions:

  • Logging in from a different location
  • Attempting to access different systems or files (source code, human resources files, or mergers and acquisitions information)
  • Logging in at 1 AM
  • Connecting to servers in China or Russia

Any of these activities taken alone could be legitimate user behavior that a security analyst could verify by talking to the user. Taken together, these events could indicate a security compromise. Behavioral analysis allows companies to move quickly to respond to threats and stop attackers before they can exfiltrate data or cause damage to the company’s systems and data.
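The two scenarios above, as an added example in C that is not part of the original post: a minimal profile for the clerk (work hours, usual systems) plus a coarse impossible-travel rule, scored over constructed access events. The event fields, the point values, the threshold, and the assumption that the same credential cannot appear on two continents within 30 minutes are this example's own.

```c
#include <stdbool.h>
#include <string.h>

/* One access event as a monitoring tool might record it (constructed fields;
 * a real tool would fill them from VPN logs and a GeoIP lookup). */
typedef struct {
    const char *user;
    int minute;             /* minutes since the start of the week */
    const char *continent;  /* coarse GeoIP result for the source address */
    const char *system;     /* resource accessed */
} Event;
/* Baseline profile for the accounts payable clerk described in the text. */
static const char *const KNOWN_SYSTEMS[] = {"accounting", "finance-share", "intranet", "inventory"};
#define WORK_START (8 * 60)   /* 8 AM, in minutes of the day */
#define WORK_END   (18 * 60)  /* 6 PM */
#define TRAVEL_WINDOW 30      /* assumption: two continents within 30 minutes is impossible */

static bool known_system(const char *s) {
    for (size_t i = 0; i < sizeof KNOWN_SYSTEMS / sizeof *KNOWN_SYSTEMS; i++)
        if (strcmp(KNOWN_SYSTEMS[i], s) == 0) return true;
    return false;
}
/* Score one event against the profile and the same user's previous event (prev may
 * be NULL). Each deviation adds points; the caller picks the alert threshold. */
int deviation_score(const Event *prev, const Event *cur) {
    int score = 0, tod = cur->minute % (24 * 60);
    if (tod < WORK_START || tod > WORK_END) score += 1;          /* e.g. a 1 AM login */
    if (!known_system(cur->system)) score += 1;                 /* e.g. source code, HR files */
    if (prev && strcmp(prev->continent, cur->continent) != 0
             && cur->minute - prev->minute <= TRAVEL_WINDOW) score += 2; /* impossible travel */
    return score;
}

/* Walk a time-ordered event list; count events whose score reaches the threshold. */
int count_alerts(const Event *ev, int n, int threshold) {
    int alerts = 0;
    for (int i = 0; i < n; i++) {
        const Event *prev = NULL;
        for (int j = i - 1; j >= 0 && !prev; j--)
            if (strcmp(ev[j].user, ev[i].user) == 0) prev = &ev[j];
        if (deviation_score(prev, &ev[i]) >= threshold) alerts++;
    }
    return alerts;
}

/* Constructed sample: a normal day, then the clerk's credentials at 1:10 AM from
 * another continent against a source-code repository, and 15 minutes later in Denver. */
const Event SAMPLE[] = {
    {"clerk",        545, "North America", "accounting"},   /* 9:05 AM */
    {"clerk",       1065, "North America", "inventory"},    /* 5:45 PM */
    {"clerk", 1440 +  70, "Asia",          "source-code"},  /* 1:10 AM next day */
    {"clerk", 1440 +  85, "North America", "accounting"},   /* 1:25 AM */
};
#define SAMPLE_N ((int)(sizeof SAMPLE / sizeof *SAMPLE))
```

With a threshold of 2, `count_alerts(SAMPLE, SAMPLE_N, 2)` flags the two night-time events (scores 2 and 3) while the daytime events score 0, which is the "taken together" effect the text describes.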

About Holli Harrison

Holli Harrison specializes in security controls, risk management and security education. She has helped government agencies, healthcare companies, universities, and technology companies improve their security postures through assessment, education, and consulting.

Term: Behavioral Monitoring

Twitter: @security_person

LinkedIn: linkedin.com/in/holliharrison

What is it?

An ongoing process to define an organization’s risk and threat environment as it relates to its people, processes, policies, and technology.

Why is it important?

Situational awareness provides the foundation upon which to build a strategy for all other activities related to safeguarding your information and reducing cybersecurity risks. Every organization is unique in its mission, culture, and function; therefore, effective risk management requires that business professionals maintain situational awareness to ensure proper focus and perspective.

Why does a business professional need to know this?

The success of any cybersecurity risk management program depends on the ability of an organization to protect information and digital assets. In order to define a cybersecurity risk strategy, business professionals and cybersecurity specialists must understand the environment their organization operates in. In other words, they must have good situational awareness of their environment.

The situational awareness process considers all aspects of an organization, from supply chain to information technology, in relation to potential cybersecurity vulnerabilities and threats. For example, what would be the impact on your organization if you lost critical privacy data or intellectual property? Would such a loss require operations to cease for a period of time or even permanently? Can you manage the operational impact?

If you attempt to define a risk management program without good situational awareness, you are likely to waste resources on strategies and safeguards that either do not achieve an optimal Return on Investment (ROI) or are ineffective.

In 2013, the danger of losing situational awareness became clear to the department store chain Target when the company’s vendor system was breached, costing the retailer millions of dollars and damaging its reputation (Abrams 2017; Kassner 2015). Vendors often have access rights to intellectual property, privacy data, and information systems across multiple business units and functions. Understanding their role in your environment is key to developing an effective strategy to manage cybersecurity risks.

About Danyetta Fleming Magana

Danyetta Fleming Magana founded Covenant Security Solutions in 2003. Her goal is to change how we think about our information and find new and innovative ways to secure our digital assets. Danyetta is a Certified Information Systems Security Professional (CISSP), a globally recognized certification in the information security arena. In 2011, 2012, and 2014, her company was recognized by Diversity Business as one of the “Top 500 African-American Owned Businesses in the US.” She is a graduate of the University of Illinois Urbana-Champaign with a bachelor's degree in engineering.

Term: Situational Awareness

Email: fleming_danyetta@covenantsec.com

Website: covenantsec.com

Twitter: @fleming_magana

LinkedIn: linkedin.com/in/covsec4u

Facebook: facebook.com/covenantcyber

What is it?

A state of understanding current security issues.

Why is it important?

Security awareness is important because employee mistakes are the number one cause of data breaches. Therefore, it is important to educate staff on security risks to help prevent cybersecurity incidents.

Why does a business professional need to know this?

Every business today needs to combat cybersecurity risks and, as such, must educate their employees and customers about the risks associated with their business.

Employees are primary targets for cybercriminals, and they need to understand how their actions can expose the business to a loss. Whether it is the risk of financial loss, loss of data, loss of privacy, or loss of confidential customer information, security awareness helps employees understand how to protect data.

Because employees are the first line of defense, they need to have a basic understanding of security risks. If employees have a baseline understanding of security issues, the business can be more agile in combating threats.

You can raise employee security awareness through effective training, but your efforts should not stop at training. Security awareness training is just one component of an overall security awareness program. Other components in such a program include newsletters, blogs, posters, teachable moments, computer-based training, security portals, and more.

Together, all of these elements can be the ingredients for a successful security awareness program. Although security specialists can create and deliver some aspects of a security awareness program, all business professionals are responsible for maintaining an awareness of potential vulnerabilities and the steps they can take to mitigate risk.

In addition to being a best practice, security awareness training is required for compliance with industry and governmental standards, including the Payment Card Industry Data Security Standard (PCI DSS), a global standard, and, in the US, the Health Insurance Portability and Accountability Act (HIPAA).

References

  • (Knowbe) KnowBe4. Library of best practices, white papers, and free tools for those developing cybersecurity awareness training programs.
  • (Sans 2017) SANS Institute (2017). SANS 2017 Security Awareness Report. PDF; registration required.
  • (Amoroso) Amoroso, Edward G. NIST Framework Overview. New York University Tandon School of Engineering. Video. An introduction to the NIST framework and to many practical aspects of modern cybersecurity, including awareness, compliance, assessments, and risk management. Registration required for the full course on Coursera.
  • (Mediapro 2016) MediaPro (2016). NIST Cybersecurity Framework Improves Security Awareness. PDF; registration required.

About Justin Orcutt

Justin Orcutt has worked with Fortune 500 companies to address information security and compliance concerns. Justin has supported incident response projects that investigated large-scale breaches. An active member of several organizations, including the Technology Association of Georgia, ISACA, and the Information Systems Security Association (ISSA), Justin is on the Gwinnett Tech Cybersecurity Program Advisory Board.

Term: Security Awareness

Email: jorcutt2017@gmail.com

Twitter: @jtech2014

LinkedIn: linkedin.com/in/justinorcutt

What is it?

A means by which a person can be uniquely identified by analyzing distinguishing traits such as fingerprints, retina and iris patterns, voice signatures, gait, and facial characteristics.

Why is it important?

Biometrics-based security is increasingly being used to identify people -- for example, using a fingerprint to unlock a smartphone. Security professionals are turning to biometrics both for convenience and because password-based security is not secure enough. Inherent traits, such as a retina pattern or gait, cannot be easily counterfeited, making them potentially more secure, especially when used as an additional factor in a multi-factor authentication scheme.
...continue reading "Term of the Week: Biometrics"

What is it?

The ability to control entry to physical locations based on factors such as date, time, and access level. Access control systems can also create audit trails, raise alarms, and adjust authorizations based on the threat level.

Why is it important?

Access control helps ensure that only authorized people have access to your facilities.
...continue reading "Term of the Week: Physical Access Control"

What is it?

The information security discipline that establishes and manages the roles and access privileges of individual users, including humans and machines, within a computer network. Identity management is also known as identity and access management.

Why is it important?

Identity management enables companies to control who, how, when, and which users access information or digital assets. Identity management systems can enhance productivity in addition to protecting assets.
...continue reading "Term of the Week: Identity Management"

What is it?

A combination of two or more dissimilar authentication modes, called factors (possession, knowledge, inherence, location, or habit), that must be presented together as part of the process of authenticating the identity of a person or device requesting access.

Why is it important?

When properly implemented, multi-factor authentication (MFA) makes it harder for someone to impersonate an authorized user, giving you a higher level of confidence about the identity of a person or entity attempting to access your system.

Why does a business professional need to know this?

Many data breaches start with the theft of user credentials. At the 2017 Black Hat Conference, a survey question asked: Which of the following is most responsible for security breaches? The choices were: humans, not enough security software, unpatched software, or other. Eighty-five percent (85%) of the hackers surveyed said humans (blackhat 2017).

When the same group was asked what was the strongest barrier to stealing credentials, sixty-eight percent (68%) said it was the combination of multi-factor authentication and data encryption.

Business professionals need to know about multi-factor authentication so they can adapt authentication to meet their needs while balancing expense with security.

Authentication factors include the following:

  • Physical things such as key cards
  • Biometric factors such as fingerprints/iris scans
  • Knowledge such as a password or PIN that the user knows

MFA happens when a combination of two or more of these methods is presented at the same time. What makes MFA more secure than single-factor authentication is that the odds of a hacker possessing two or more of the authentication factors at the same time are very low.

One factor alone is weak authentication. Cards can be cloned, passwords cracked, biometrics fooled, and smartphones stolen. The combination of two or more of the same factor (like two cards, two passwords, or two biometrics) is not true multi-factor authentication. While stronger than having only a single factor, combining two of the same factor is double single-factor authentication.

The first step to hacking into many networks is to bypass the logon authentication by stealing a legitimate user credential. Cybersecurity starts by first knowing who is knocking on the virtual front door. That knowing begins with multi-factor authentication.

About Dovell Bonnett

Dovell Bonnett has been creating computer security solutions for over 20 years. In 2005, he founded Access Smart to provide cyber-access control solutions to government and small-to-medium-sized businesses in areas such as healthcare. His premier product, Power LogOn, is a multi-factor authentication and enterprise password manager.

Dovell is a frequent speaker and consultant on the topic of passwords, cybersecurity, and multi-factor authentication. His most recent book is Making Passwords Secure: How to Fix the Weakest Link in Cybersecurity.

Term: Multi-factor Authentication

Email: Dovell@access-smart.com

Website: access-smart.com

Twitter: @AccessSmart

LinkedIn: linkedin.com/in/accesssmart

Facebook: facebook.com/AccessSmart

What is it?

A subset of cybersecurity that protects networked devices, such as smartphones and medical equipment, that are usually accessed by an individual user or group.

Why is it important?

Endpoints are a vulnerable point of entry for breaches. Because of the large number of connected devices available and the wide diversity of types, endpoints are difficult to manage and keep vulnerabilities patched.

...continue reading "Term of the Week: Endpoint Security"

What is it?

The implementation of policies, practices, and technology to enable positive identification of people, devices, and applications.

Why is it important?

Understanding authentication is critical for establishing a secure environment because you must reliably know the identity of the people, devices, and applications accessing your resources in order to properly govern access and permissions.

...continue reading "Term of the Week: Authentication"

What is it?

An attack that targets the buffer memory of a device or program by sending more data than the program can handle, thereby writing the extra data into a nearby memory location, which could allow an attacker to run a piece of malicious code.

Why is it important?

If software is not properly patched or designed with secure coding principles from the start, these types of malicious attacks can cause great harm by allowing programs or external parties to access protected nodes or information.

Why does a business professional need to know this?

A buffer overflow can be explained by the old adage that you can’t put 10 pounds of potatoes in a 5-pound bag. When too much data is written to a block, it can overwrite adjacent memory leading to data corruption. A program or device can crash or an attacker can insert malicious code into the overwritten memory and try to execute it.

Because buffer overflow attacks exploit weaknesses in the design of hardware or firmware, defending against such attacks must begin in the early design stages of product development. Because such attacks can potentially give attackers the ability to gain administrator privileges, damage databases, or steal data, mitigating the threat of buffer overflow attacks should have a high priority.

Correctly patching devices, including updating firmware on network equipment, is essential to protect against these types of attacks. When developing products, your best defense is to follow industry best practices for design, development, testing, and code review. Reviewing a program or website for security vulnerabilities before it is placed into production may take a few extra steps, but it will save money if it prevents your system from being exploited. An ounce of prevention is worth a gallon of protection.
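To make "too much data written to a block" concrete, here is an added example in C that is not part of the original post: a function that copies untrusted input into a fixed 16-byte stack buffer with no bounds check, beside the hardened version that measures first and refuses input that would not fit. `NAME_LEN`, the function names, and the sample inputs are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* the "5-pound bag": a fixed 16-byte buffer (constructed size) */

/* Vulnerable form. strcpy() copies until it finds the source's terminating NUL and
 * knows nothing about how large name[] is, so any input of NAME_LEN bytes or more
 * is written past the end of name[] into whatever the compiler placed next to it on
 * the stack: the "10 pounds of potatoes". A crash is the benign outcome. */
void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);      /* no bounds check: the overflow happens here */
    printf("Hello, %s\n", name);
}

/* Hardened building block: measure first, refuse anything that would not fit
 * including the terminating NUL, then copy with an explicit bound. Returning false
 * rather than silently truncating lets the caller log the oversized input. */
bool copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return false;         /* would overflow: reject */
    memcpy(dst, src, n + 1);  /* n + 1 bytes (with NUL) fit because n < dst_size */
    return true;
}

/* Hardened form of greet_unsafe(): same behaviour for input that fits, a logged
 * rejection for input that does not. Returns whether the input was accepted. */
bool greet_safe(const char *input) {
    char name[NAME_LEN];
    if (!copy_bounded(name, sizeof name, input)) {
        fprintf(stderr, "rejected %zu-byte input (limit %zu)\n", strlen(input), sizeof name - 1);
        return false;
    }
    printf("Hello, %s\n", name);
    return true;
}

int main(void) {
    greet_safe("Ada");                                         /* accepted */
    greet_safe("a name far longer than fifteen characters");   /* rejected, no overflow */
    return 0;
}
```

The same rejection path is where a production service would also log the event, since repeated oversized inputs against one field are worth a closer look.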

A simple buffer overflow attack can take down a web page, a database server, a content management system, or a mail server. The recent Meltdown and Spectre vulnerabilities have shown that buffer overflow attacks have the potential to open up systems to devastating attacks (Claburn 2017; Newman 2018). These vulnerabilities have been identified in processors manufactured by Intel, AMD, and ARM, which are in a considerable number of computers and devices, including phones, tablets, laptops, and servers.

About Shawn Connelly

Shawn Connelly holds two master’s degrees, one in cybersecurity and information assurance and another in IT management. He holds his Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO), Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI), Cisco Certified Network Professional (CCNP), VMware Certified Professional (VCP), VCP-NSX, and six Microsoft Certified Solutions Expert (MCSE) certifications. Shawn has worked for more than 20 years in IT, including the last five years as a director of security.

Term: Buffer Overflow Attack

Email: shawnconnelly1@gmail.com

Twitter: @VirtualizationG

LinkedIn: linkedin.com/in/virtualizationg