Category: Defenses

Why does a business professional need to know this?

Giving your house key to a neighbor so they can water your plants does not mean you want to allow them to look through your closets or bedroom drawers. However, most of us do not have the technical means to restrict access in this way; we either give access to the entire house, or we don’t give access at all. Giving your key to a neighbor relies on implicit trust. You trust that your neighbor will not try on your underwear or eat all your cookies.

To put it mildly, this is not an ideal trust model for your IT infrastructure; you need a model that relies on least privilege, which gives each user only the privileges needed to perform their job duties and nothing more.

In many organizations, the highest possible access rights are given to system administrators. Companies that blindly trust system administrators open themselves to unnecessary risk. It is safer to have fine-grained control over privileges and give each administrator only the privileges needed to carry out their assigned tasks. For example, an administrator responsible for the payroll database probably doesn’t need access to the customer database.

To do this you need to implement an access-level classification scheme and have procedures that support your daily operations. This approach eliminates the need to give users higher levels of access than they need. This would be the equivalent of putting a password on your underwear drawer, making it inaccessible to your neighbor who has only the front door key.

Why does a business professional need to know this?

Business professionals need to be able to verify that actions, such as bank transfers, contracts, and credit card purchases, can be linked with a specific actor (person or entity). Non-repudiation methods help ensure the following:

• The action was not taken by a hacker impersonating someone.
• The actor cannot claim to have not taken the action.

In today’s digital world, it is becoming increasingly important to verify that specific actions were taken by specific individuals. For transactions, such as financial transfers, that require greater integrity, organizations need to implement and enforce security measures that ensure the authenticity and intent of each transaction. For transactions, such as product surveys, where there is little or no business need to reliably identify a specific actor, it is less important to take such measures.

Measures to ensure non-repudiation include: notarization, multi-factor authentication, audit trails, digital signatures, and forensic analysis (e.g., handwriting analysis)(Spacey 2016).

There are multiple technologies available to implement and enforce non-repudiation. Measures to authenticate identity play an important part in ensuring that individuals are, in fact, who they assert themselves to be. Digital certificates and encryption can secure a message and ensure that its contents are not altered during transmission.

In an expanding digital economy, the integrity of your business depends on your ability to prove that each critical transaction was verifiably executed by a specific, identifiable person or process.

Why does a business professional need to know this?

Behavioral monitoring is an increasingly important tool for identifying and defending against cyberattacks that is becoming a larger part of security budgets. Gartner predicts that 60% of enterprise information security budgets will be allocated to rapid detection and response approaches by 2020, up from less than 10% in 2014(Moore 2016).

A behavioral monitoring system collects and uses data to build profiles for particular types of users based on role or location. Once profiles are built and activated, significant deviations from the profiles alert security analysts to the need for further review.

Here are some examples:

A remote employee usually accesses the virtual private network (VPN) from her home and from a nearby coffee shop. In the space of 30 minutes her login credentials are used from two different cities on different continents. Behavioral monitoring tools can detect the credentials being used from two places thousands of miles apart and raise an alert.

An accounts payable clerk usually works in the corporate office between 8 AM and 6 PM, Monday through Friday. As part of his usual work, he accesses the accounting system, a shared finance folder, the company intranet, and the inventory system. On his lunch break, he usually reads political news websites and occasionally listens to streaming news broadcasts during the day. Behavioral monitoring would flag these actions:

• Logging in from a different location
• Attempting to access different systems or files (source code, human resources files, or mergers and acquisitions information)
• Logging in at 1 AM
• Connecting to servers in China or Russia

Any of these activities taken alone could be legitimate user behavior that a security analyst could verify by talking to the user. Taken together, these events could indicate a security compromise. Behavioral analysis allows companies to move quickly to respond to threats and stop attackers before they can exfiltrate data or cause damage to the company’s systems and data.

Why does a business professional need to know this?

The success of any cybersecurity risk management program depends on the ability of an organization to protect information and digital assets. In order to define a cybersecurity risk strategy, business professionals and cybersecurity specialists must understand the environment their organization operates in. In other words, they must have good situational awareness of their environment.

The situational awareness process considers all aspects of an organization from supply chain to information technology in relation to potential cybersecurity vulnerabilities and threats. For example, what would be the impact on your organization if you lost critical privacy or intellectual property? Would such a loss require operations to cease for a period of time or even permanently? Can you manage the operational impact?

If you attempt to define a risk management program without good situational awareness, you are likely to waste resources on strategies and safeguards that either do not achieve an optimal Return on Investment (ROI) or are ineffective.

2013, the danger of losing situational awareness became clear to the department store chain Target when the company’s vendor system was breached, costing the retailer millions of dollars and damaging its reputation(Abrams 2017)(Kassner 2015). Vendors often have access rights to intellectual property, privacy data, and information systems across multiple business units and functions. Understanding their role in your environment is key to developing an effective strategy to manage cybersecurity risks.

Why does a business professional need to know this?

Every business today needs to combat cybersecurity risks and, as such, must educate their employees and customers about the risks associated with their business.

Employees are primary targets for cybercriminals, and they need to understand how their actions can expose the business to a loss. Whether it is the risk of financial loss, loss of data, loss of privacy, or loss of confidential customer information, security awareness helps employees understand how to protect data.

Because employees are the first line of defense, they need to have a basic understanding of security risks. If employees have a baseline understanding of security issues, the business can be more agile combatting threats.

You can raise employee security awareness through effective training, but your efforts should not stop at training. Security awareness training is just one component of an overall security awareness program. Other components in such a program include newsletters, blogs, posters, teachable moments, computer-based training, security portals, and more.

Together, all of these elements can be the ingredients for a successful security awareness program. Although security specialists can create and deliver some aspects of a security awareness program, all business professionals are responsible for maintaining an awareness of potential vulnerabilities and the steps they can take to mitigate risk.

In addition to being a best practice, security awareness training is required to be in compliance with industry and governmental standards, including the Payment Card Industry Data Security Standard (PCI DSS), which is a global standard, and the Health Insurance Portability and Accountability Act (HIPAA)(HIPAA) in the US.