4 Data Loss Prevention Strategies. Which one is right for your Organisation?


Data loss is a frightening prospect for any organisation responsible for storing sensitive data, especially customer Personally Identifiable Information (PII). Losses or accidental leaks of PII can result in hefty fines, loss of reputation and, more importantly, loss of customer trust; in some cases it can make or break an organisation. But loss of data is not the only danger. The real threat is the big three: data loss, misuse of data, and unauthorised access to data.

To avoid breaching customer trust and to protect their own internal security, organisations need to focus on Data Loss Prevention (DLP). DLP tools are a key component for anyone who needs to protect PII for compliance and regulatory reasons, protect their own intellectual property, or simply gain better visibility of where their sensitive data is.

4 DLP Strategies from emt Distribution

 

4 Types of Data Loss Prevention

Endpoint DLP: Endpoint DLP discovers and monitors information that resides on the endpoint, including data in web browsers, on removable storage and elsewhere on the device. This type of prevention ensures that the information residing on the endpoint cannot be exfiltrated or compromised if the device is lost or stolen, or through a careless mistake. Once the endpoint has been analysed, protection controls can be put in place, such as local and remote file quarantining, file encryption or sharing permissions added to the file.

Network DLP: Network DLP protects data in motion. This is accomplished by analysing outbound traffic on the corporate network and making informed decisions about what is seen. If the right tools are implemented, the information can be controlled by alerting security staff to a non-permitted upload or file transfer, whether to a website or as data sent in emails.

Storage DLP: Storage DLP identifies what sensitive information is stored and where it is stored, so that organisations can discover and secure sensitive data at rest. This data is often held on file servers, cloud storage, endpoints, network file shares, SharePoint and other data repositories. Once the sensitive data is located, organisations can begin to identify and monitor who has access to it and restrict that access where necessary.

Cloud DLP: As organisations move to a cloud-centric model, more and more cloud-based applications are accumulating sensitive data. This information often resides in places like O365 Exchange, O365 OneDrive, Dropbox and other file shares. The right Cloud DLP tools inspect content and web traffic and automatically enforce the policies developed by the organisation to protect its sensitive data.
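As an added example (not code from this article or any emt product), the core of the content inspection a Network or Endpoint DLP engine performs before data is allowed to leave: scan outbound text for PII patterns and return a policy verdict. The regexes, the Luhn validation and the allow/alert/block thresholds are assumptions for illustration, and the sample upload is constructed.

```python
"""Minimal DLP content inspector (added example; assumed rules, not a product)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed detection patterns: 13-19 digit runs (card numbers), email addresses
# and a document classification label. Real engines ship hundreds of these.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
LABEL_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str     # "card", "email" or "label"
    snippet: str  # what will appear in the alert (card numbers are masked)


def inspect(text: str) -> list[Finding]:
    """Return every PII finding in an outbound message or upload."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Never copy the full card number into an alert; keep the last 4.
            findings.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.group()))
    for m in LABEL_RE.finditer(text):
        findings.append(Finding("label", m.group().upper()))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Assumed policy: a card number or classification label blocks the
    transfer; three or more email addresses (a bulk customer list) alerts."""
    kinds = {f.kind for f in findings}
    if "card" in kinds or "label" in kinds:
        return "block"
    if sum(f.kind == "email" for f in findings) >= 3:
        return "alert"
    return "allow"


# Constructed sample of an outbound web form post seen by a network DLP sensor.
SAMPLE_UPLOAD = (
    "Please bill card 4111 1111 1111 1111 and email john.smith@example.com. "
    "Order ref 1234 5678 1234 5678 is not a card number."
)

if __name__ == "__main__":
    found = inspect(SAMPLE_UPLOAD)
    print(verdict(found), found)
```

The second digit run in the sample passes the length pattern but fails the Luhn check, which is what keeps order numbers and phone numbers from flooding the alert queue.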

 

Summary

When it comes to Data Loss Prevention it’s important to pay heed to the security standards for protecting data at rest, data in motion and data in use. Without proper data security measures in place, organisations leave themselves vulnerable to losses of sensitive data, which can result in hefty fines and loss of customer trust. When implementing any type of cybersecurity strategy, remember that prevention is often the best way to protect what is important.

To learn more about the Data Loss Prevention solutions at emt visit EndPoint Protector, OPSWAT, and VIPRE AV

About the author: Alexander Duffy is the Chief Security Officer for emt Distribution. He is passionate about implementation of the ASD Essential Eight framework and its role in improving the security posture of organisations in ANZ. For more security updates follow him on LinkedIn

Is your Organisation Ready for Remote Workers? 5 Strategies to create a cyber resilient Remote worker Policy

By Alexander Duffy

The World Health Organization (WHO) has officially declared COVID-19 a pandemic. With multiple countries in quarantine, the global workforce is increasingly confined to working from home. Organisations that were not prepared for this shift are now left needing to support remote workers while maintaining business as usual.

Some organisations, especially in finance and government, that may have been slow to adopt work-from-home policies now find themselves scrambling to put adequate measures in place to accommodate a trend that is here to stay. While it may be tempting to rush in and assemble a quick fix or band-aid solution, it is best to proceed with a plan that can be sustained in the long term.

A quick fix, or a plan implemented without a clear strategy, can lead to sloppy security standards and holes that put the organisation at risk. It is now undeniable that every organisation should pay attention to the many benefits and risks associated with a remote workforce and develop a data-based strategy immediately.

Benefits of a Remote Workforce

Before current world events came into play, working remotely was already proving beneficial for many workplaces. A PGI report conducted in 2014 showed that 82% of people experienced less stress, 80% experienced improved morale and 70% stated it improved their productivity. For organisations, however, the biggest perk of remote work is the ability to hire regionally dispersed people, giving access to a broader pool of talent without the associated cost.

Risks Associated with a Remote Workforce

Unfortunately, with all the benefits comes increased cyber security risk. In a survey conducted by OpenVPN, 36% of respondents stated they had experienced a security incident caused by unsecured remote workers. Furthermore, 90% believe that remote workers are not secure and pose a major security risk to their organisation.

How to Implement a Work from Home Strategy?

While there is no one-size-fits-all solution when it comes to remote work, there are some essential elements in developing a work-from-home strategy.

Risk Assessment: A rigorous risk assessment conducted with key business leaders and executives is the first step in developing a remote worker strategy. This step is essential because it drives the protections needed and the budget required to achieve the correct security posture.

Implement Formal Policies: Organisations should create and formalise a remote working policy. It needs to include a device policy that describes in detail what technology and tools are appropriate and comply with the organisation’s standards. This policy should also cover the use of BYOD devices and any additional security measures required on those devices for compliance. An important factor in policy making is the ability to enforce it from the top down, by making executives and team leaders accountable for violations of the policy.

Encryption: Data encryption should be the next consideration. Protecting data at rest is important for preventing data theft from stolen or lost devices, and encryption should be applied to all corporate laptops and mobiles.

Secure and Accessible Infrastructure: Many corporate connections were never designed or stress tested to support the number of remote workers now trying to connect to the organisation over VPNs. Changes in the way workers access and use data need to be monitored and mapped. Access-anywhere methods such as SharePoint Online and cloud storage like OneDrive are powerful but require extra consideration. Measures need to be put in place to ensure that only corporate-approved devices can access those resources. One way to achieve this is to use Cloud Access Security Brokers or corporate VPNs, connect those to cloud private gateways, and then restrict the SaaS services to only allow access from the protected IP ranges or devices.

User Training: Last but not least is user training. Ensuring users are aware of their obligations and responsibilities when working remotely is critical to addressing the human factor in security risk management. Training for staff in all areas of the organisation, covering topics such as password policies and how to securely access and store corporate data, helps keep both the remote workforce and the organisation’s security safe.

Conclusion

Whether it is due to a pandemic or other external factors outside an organisation’s control, or simply because of the many benefits associated with it, remote working is here to stay. Organisations need to actively plan and implement solutions to securely extend their network perimeter. It’s a big world out there and it’s only getting bigger.


The 3 Types of Cyber Threat Intelligence – Which one are you using?


By Alex Duffy, CSO emt Distribution 

Cyber Threat Intelligence (CTI) is not a buzz-phrase; it’s an essential pillar of a mature cybersecurity strategy. When used and applied correctly, CTI helps security teams prepare for, and defend against, the evolving threat landscape, and gives organisations evidence-based, mature and effective cybersecurity strategies.

There are levels of maturity to using and understanding CTI. With each level of maturity, the context and analysis of threat intelligence becomes deeper and more sophisticated, caters to different audiences, and requires more investment. 

CTI comes in three levels: tactical intelligence, operational intelligence and strategic intelligence. 

Tactical intelligence is the level most commonly used by organisations and represents the first level of maturity in cyber threat intelligence. It is based on real-time events, investigations and activities, and provides day-to-day support to operations. Many organisations feed it into their security information and event management (SIEM) tools or perimeter firewalls; it consists of indicators of compromise such as file hashes, malicious IPs and domains. These usually have a short life span, as IPs and domains can be repurposed or taken down in days or even hours.

Operational intelligence is designed to drive day-to-day decision making, resource allocation and task prioritisation. It describes the technical direction of threat actors and their likely targets, and can include the adversary’s tactics, techniques and procedures (TTPs). Operational intelligence has a longer shelf life because adversaries cannot change their TTPs as easily as they can change their tools, such as the malware they use.

Cybersecurity professionals who manage vulnerability management, incident response and threat monitoring are the biggest consumers of operational intelligence, as it helps them focus and prioritise their work.

Strategic intelligence is high-level cyber intelligence, usually containing information about foreign policy, global events and internet-based risks against organisations. This intelligence is vital for C-suite executives to allocate budget and align their cyber goals towards real-world objectives. For example, a mining company can review the analysis that the mining sector is under increasing attacks, and can then react appropriately by investing resources into strategic cyber defences. 

Strategic intelligence tends to be the hardest form of intelligence to collect. It requires human collection and analysis to understand both cyber security and the world’s geopolitical situation. Strategic intelligence is usually consumed in the form of reports.

CTI increases your organisation’s ability to not only defend itself against current attacks and threats, but also to predict future attacks. The trick is to choose the right intelligence for your needs, and to make the sheer volume of intelligence actionable, whether it be reactive, proactive or futureproofing. 

 

See how Flashpoint and ThreatConnect can help you incorporate all three levels of cyber threat intelligence

_________________________

This is an extended post from our original article which was first published in AISA.org’s Cyber Cyber Conference Magazine.

 

10 Cybersecurity Tactics Everyone should Implement Now!


By Alex Duffy

In life there are rules that apply to certain scenarios. When you are driving and want to change lanes, you check your mirror, indicate, check your mirror again, safely switch lanes, and finish by turning off the indicator. These rules are in place so that everyone has a safe driving experience. The same practice can be applied to your online security, which is critical considering almost everything is done online these days. In some cases an 8-16 character password is all that’s protecting your finances; that should be reason enough to want to protect yourself.

So, how do you make sure to keep yourself safe? Follow these 10 steps:

ONE – Look for browser warnings and the green lock before entering credentials.

Whenever you access a website, your browser runs background checks to make sure that the site you are visiting is indeed who it claims to be. When a website fails these checks, your browser will warn you. These warnings are there for a reason, so listen to them and respect them.

TWO – Maintain Unique passwords for every account and website.

Too often people use the same email and password for their bank as they do for any odd website that has asked them to create an account. The problem is that once that website is compromised and your account details are stolen, threat actors will use those same credentials against a variety of services like PayPal, large banks and more, and will often succeed in stealing your information.

THREE – Use randomly generated passwords or passphrases.

Regarding passwords, you are looking for length and complexity. Complexity does not mean taking your name and replacing an ‘A’ with an ‘@’. Complexity means that a password couldn’t be broken just by changing characters. Remembering truly random passwords is tough, so passphrases are the next best thing. Simply take a saying or a line from your favourite song, poem or book and use that as your password, spaces and all. You could also take the first letter of each word to create a new passphrase. Generally speaking, adding a number or two should satisfy password complexity standards.

FOUR – Do not click links that arrive in unsolicited email.

Phishing is a scamming method that uses fear and urgency to get you to act irrationally. If you are not expecting to be contacted by the sender, a link urges you to ‘click here’, and the message threatens that something bad will happen otherwise, like your email account being shut down or blocked, it is generally fake. If you are still unsure, you can hover over the link to see where it really leads. If Microsoft claims to have sent you the email, the link should be Microsoft’s. If you are ever in doubt, contact the company directly and ask whether they sent you the email.

An example:

Microsoftpasswordreset.suvlaki.co – FAKE

login.microsoftonline.com – GOOD

FIVE – Where possible enable multi-factor authentication

Multi-factor authentication is a second way of verifying your identity, using methods such as a text message, phone call or a generated token. It should be enabled because, in the event of your password being stolen, threat actors are still unable to access your account. Once multi-factor is set up, be aware that if you receive an authentication code without trying to log in, it could mean that someone has your password and is trying to log in.

SIX – Change passwords regularly

Your job is to make stolen passwords redundant. Changing your passwords often heavily reduces the impact of a stolen password.

SEVEN – Try not to write down your passwords; if you do, do not store them in plain sight.

You should not have your passwords written down, as it makes it easy for anyone who finds them to gain access to your devices. But if you really insist on it (which, again, please don’t), then PLEASE hide them – and no, NOT UNDER THE KEYBOARD!

EIGHT – Use a password manager to help you remember your unique passwords.

A strong password is one that is long and can’t be remembered. No one is asking you to remember them all; instead, securely store them in a password vault. Password vaults are invaluable for keeping your everyday passwords safe, so ensure that access to your vault is protected by a strong passphrase and multi-factor authentication (steps three and five).

NINE – Keep ALL software up to date.

Updating your operating system or antivirus is only half the battle in protecting your device. Any out-of-date application, such as Adobe or Zoom, can allow a threat actor to gain full access to your system and everything within it.

TEN – With emails, ensure that the sender and the sender’s email address are correct.

It is incredibly easy to change the display name of an email address to appear as someone else. Your job is to make sure the person emailing you is actually who they claim to be. You can work this out by comparing their display name to the actual email address.

An example:

John Harry <[email protected]> – BAD

John Harry <[email protected]> – GOOD
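Steps FOUR and TEN above, turned into the two checks a mail filter (or a careful reader) would apply; this is an added example, not code from the original post. `registrable_domain` relies on a small assumed list of public suffixes that covers the hosts used here, and the sender addresses are constructed on the reserved example.com domain.

```python
"""Link-domain and sender checks for steps FOUR and TEN (added example)."""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed subset of public suffixes; a real filter would use the full
# Public Suffix List so that e.g. "example.com.au" is handled everywhere.
PUBLIC_SUFFIXES = {"com", "net", "org", "co", "com.au", "co.uk"}


def registrable_domain(host: str) -> str:
    """'login.microsoftonline.com' -> 'microsoftonline.com',
    'microsoftpasswordreset.suvlaki.co' -> 'suvlaki.co'.
    Only the part just left of the public suffix says who owns the name."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer public suffix first (com.au before au)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-n - 1:])
    return host.lower()


def link_matches_brand(url: str, brand_domain: str) -> bool:
    """Step FOUR: the link must belong to the brand's own domain, not merely
    mention the brand name somewhere in a subdomain of an unrelated site."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) == registrable_domain(brand_domain)


def sender_looks_genuine(from_header: str, expected_domain: str) -> bool:
    """Step TEN: the display name can say anything, so trust only the address.
    It must be on the expected domain, and the name should appear in it."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    local, _, domain = addr.rpartition("@")
    if registrable_domain(domain) != registrable_domain(expected_domain):
        return False
    tokens = name.lower().replace(".", " ").split()
    return all(t in local.lower() for t in tokens)


if __name__ == "__main__":
    print(link_matches_brand("https://Microsoftpasswordreset.suvlaki.co/reset",
                             "microsoftonline.com"))
    print(sender_looks_genuine("John Harry <john.harry@example.com>", "example.com"))
```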

 

About the author
Alexander Duffy is Security Solutions Architect for emt Distribution, working in the Threat Intelligence space on the full range of emt’s cybersecurity portfolio, including ThreatConnect, Flashpoint and others. For more security updates follow him on LinkedIn

Threat Intelligence Platforms 101


By Alex Duffy, Security Solutions Architect, emt Distribution 

Threat Intelligence is quickly becoming one of the most powerful ideas in the current IT security landscape. It gives you context for your data and helps your organisation develop a proactive cyber security posture and strengthen its overall risk management policies. It also helps security teams make more informed decisions during and after cyber-attacks.

So, you may already have a plethora of security products in place like firewalls, proxies and endpoint security, but can you see the big picture? With all of these products logging back to your Security Information and Event Management (SIEM) system, the result can come across as just noise. How do you evaluate whether a given IP address or domain matters to you?

Your trusty SIEM is collecting data, but do you know what it’s collecting or how important it is? Maybe you have the SIEM using a lookup list so that when it detects a bad IP it alerts you. Great, that’s a good start, but WHY is it a bad IP? Is it part of a larger attack? Is it just the beginning stages of the cyber kill chain? This is where context becomes key, and why Threat Intelligence is critical.

Rudimentary threat intelligence can be achieved manually: for example, identifying an IP address you want to know more about, then using the internet and your security sources to build a picture around it. But if you want more comprehensive analytics, you will need automation, which brings me to my next point:

What is a Threat Intelligence Platform (TIP) and why do you need one?

The human element is the slow part of threat intelligence. The human brain, although magnificent, often cannot compete with the ease and functionality of an automated system. Besides, why waste your security analysts’ precious hours when you can have half the cumbersome work done for you? Threat Intelligence Platforms (TIPs) allow you to pass off key information like IPs and URLs that are important to you and build context around them using a large number of open source threat feeds and blocklists. A TIP becomes your single pane of glass for the security of your organisation. For example, you have seen a URL come through the proxy, and through the TIP you have identified that it is related to a malware campaign that reuses its infrastructure and domain names for the command and control (C2) portion of its attack. Using this information, you now know that a device in your network is infected and you can begin the process of cleaning it up. TIPs make

Great, you now have a TIP, so what are your next steps? Automation. This will allow you to leverage the TIP to help make better informed decisions and then take action. In the above example I said that we saw a C2 URL in the proxy, and by using the TIP we have determined that it is malicious. Following this, and using automation, we can block said URL, either with or without human interaction.

Most importantly, a TIP can parse massive amounts of your data, provide context for your security logs, and focus your efforts on stopping real-world threats. Last but not least, a TIP optimises response time, improves remediation, and reports strategic, operational and tactical intelligence to stakeholders.
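A toy version of the lookup a TIP performs, added here as an example (it is not ThreatConnect, Flashpoint or any emt product) for both the three CTI levels described earlier and the enrichment and automation this section describes: constructed feed entries enrich an indicator seen in the SIEM or proxy, confidence decays with age for tactical indicators (IPs, domains) but not for operational ones (TTPs), and the combined score maps to an action. The half-life, the thresholds and the feed contents are assumptions.

```python
"""Toy TIP enrichment with CTI-level-aware confidence (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class FeedEntry:
    indicator: str
    level: str        # "tactical" (IOC: IP, domain, hash) or "operational" (TTP)
    source: str
    first_seen: date
    context: str


# Constructed sample feeds; a real TIP aggregates many open source feeds and blocklists.
# Addresses are from the documentation ranges; the TTP id is the MITRE ATT&CK one for web-protocol C2.
FEEDS = [
    FeedEntry("203.0.113.45", "tactical", "blocklist-a", date(2020, 3, 1), "C2 for campaign X"),
    FeedEntry("203.0.113.45", "tactical", "blocklist-b", date(2020, 3, 3), "C2 for campaign X"),
    FeedEntry("update-check.example", "tactical", "blocklist-a", date(2019, 9, 1), "phishing kit host"),
    FeedEntry("T1071.001", "operational", "report-1", date(2019, 1, 1), "campaign X uses HTTP for C2"),
]

HALF_LIFE_DAYS = 7              # assumed: a tactical IOC loses half its confidence each week
TODAY = date(2020, 3, 10)       # constructed "now" for the sample lookups below


def confidence(entry: FeedEntry, today: date) -> float:
    """Tactical indicators decay (IPs and domains are repurposed within days);
    operational intelligence about TTPs keeps full weight."""
    if entry.level != "tactical":
        return 1.0
    age_days = max((today - entry.first_seen).days, 0)
    return 0.5 ** (age_days / HALF_LIFE_DAYS)


def action_for(level: str, score: float) -> str:
    """Assumed thresholds. A TTP cannot go on a blocklist; it drives hunting and patching."""
    if level == "operational":
        return "prioritise"
    if score >= 0.6:
        return "block"
    if score >= 0.2:
        return "alert"
    return "expired"


def enrich(indicator: str, today: date = TODAY) -> dict:
    """Look an indicator up across all feeds and combine the evidence.
    Independent sources combine as 1 - prod(1 - c_i), so two decayed feeds agreeing
    still outrank a single stale one."""
    hits = [e for e in FEEDS if e.indicator == indicator]
    if not hits:
        return {"indicator": indicator, "level": None, "score": 0.0, "context": [], "action": "unknown"}
    miss = 1.0
    for h in hits:
        miss *= 1.0 - confidence(h, today)
    level, score = hits[0].level, 1.0 - miss
    return {"indicator": indicator, "level": level, "score": score,
            "context": sorted({h.context for h in hits}), "action": action_for(level, score)}


if __name__ == "__main__":
    for ioc in ("203.0.113.45", "update-check.example", "T1071.001", "198.51.100.9"):
        print(enrich(ioc))
```

The six-month-old phishing host comes back as "expired" rather than "block", which is the short-life-span point from the tactical intelligence discussion made concrete.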

This all sounds cool, right? Learn more about Threat Intelligence at our live webinar on April 17th. This interactive webinar is perfect for a security professional who wants to quickly identify real threats to their organisation, even if they don’t have the budget to build out a dedicated threat intelligence team. Register Here