If you worry that you’re too pessimistic, wait until a warning sign pops up on your dashboard—whether it’s in your car or on the company network. Those moments make reckless optimists of us all, convinced that the problem will fade away like last night’s heartburn. Even though that approach may not actually work, it’s usually more convenient in the short term than wading into a vague problem with invisible tentacles. But the next time unusual network activity sets your Spidey Sense atinglin’, remember this: Most data breaches get more expensive with each passing day.
Despite that, most companies take days to send up the infosec distress flare. That’s why Pratum’s incident response team keeps its calendar open on Friday afternoons. Nearly every week, we get a distress call as IT teams realize they’d better not let things stretch into the weekend. A typical call to our breach hotline (515-212-6634) sounds like this:
“I saw this suspicious login activity on Tuesday, but I took care of it. Then it happened again on Wednesday, so I fixed it again. But it seems like it’s still going on, so can you take a look at it? Before 5:00 today?”
Pratum’s team stands by 24/7, but, for your sake, they’d rather you make the call sooner. “The problem is a lot less severe if it hasn’t grown for several days,” says Pratum’s Director of Security Operations Megan Soat.
Hopefully, this fact comes to mind the next time you discover a breach “as soon as it happened”: By the time you notice a breach, the hacker has already been at work on your system for some time—probably a long time. An IBM study shows that, on average, American companies take 186 days to detect a data breach and another 51 days to fully contain it. (As you would expect, breaches caused by malicious attackers covering their tracks take longer to detect than glitches or user errors.) A massive breach of Starwood Hotels discovered in 2018 had gone undetected for four years.
And hours count on data breaches like minutes count on ambulance calls. IBM’s study shows that organizations that keep the detection/containment window under 200 days save an average of $1.2 million.
Some of a breach’s costs are clearly measurable (such as the price to restore data), and others may be harder to spot (such as the average 5% stock price drop among breached public companies). Costs that can pile up during a delay include:
Before you face the next suspected breach, consider taking these steps so you’re ready to extinguish problems as soon as you know about them:
To learn more about how Pratum can help minimize the damage and costs the next time a hacker comes calling, contact us today.
Pull up a copy of any security framework published in the last 20 years, and you’ll almost certainly find some mention of asset management. Tracking the hardware and software in your environment is the fundamental step to securing your organization—and that includes planning for mobile device security. You can’t effectively secure what you can’t see, and you can’t patch software on a system that you don’t know is there. That’s why one top standard, the Center for Internet Security Critical Security Controls (CIS CSC or CIS Top 20), gives the top two spots on its priority list to “Inventory and Control of Hardware Assets” and “Inventory and Control of Software Assets.”
Despite the absolutely fundamental nature of asset management, many organizations neglect it. IT managers especially tend to overlook mobile devices and software, even though these assets are some of the most important elements in risk management. The four factors below make mobile devices and software especially likely to get involved in security incidents:
1. Mobile devices are easily physically lost or stolen.
2. They often contain sensitive data.
3. They frequently connect to networks outside the corporate network perimeter.
4. Users' already limited patience with security safeguards wears even thinner in mobile settings.
Add all that up, and you have a recipe for security incidents involving mobile devices. And that’s a problem that can spread quickly. It is critical that your organization manage, control, and monitor mobile devices in order to protect them from becoming a beachhead for hackers looking to pivot and access internal organization systems.
There’s no doubt that managing mobile devices properly adds complexity to your security strategy. But you don’t have the option of ignoring the issue. If a breach occurs, your customers and industry partners won’t care about all the reasons you found it too hard to manage and secure your mobile hardware and software assets. If you think it’s too costly or difficult to implement a mobile device or software control, you should reevaluate whether you should use mobile devices as part of your computing environment.
When you do get serious about mobile security, you’ll quickly discover a host of different solution categories (plus a long list of vendors) that could come into play, including Mobile Device Management (MDM), Mobile Application Management (MAM), End Point Protection (EPP) and Data Loss Prevention (DLP). (Plus many others if we bring mobile device network security into scope.)
Most organizations will need to consider a mixture of approaches and solutions to manage mobile device and software risks. One thing you shouldn’t do is pick the best solution first. Before you start evaluating solutions, you should:
1. Understand all of the risks introduced to your organization by mobile devices and software. (Pratum can assist with thorough risk assessments that include evaluating your mobile posture.)
2. Determine the specific functions or features necessary for your organization to sufficiently manage mobile device and software risk.
3. Evaluate/document whether the solutions your organization already has in place are fully capable of managing your mobile device and software risks.
Below, we summarize first steps toward solutions for the top three mobile device risks listed at the beginning of this post.
When a device physically leaves a legitimate user’s control, it is likely to face several potential threats. Anyone in control of a device can either attempt to access what’s on the device, or they may use it to access restricted networks or applications through the credentials of the device’s approved user. Even if a device doesn’t make it into the hands of a malicious attacker, it could be used in a way that exposes the organization to compliance or reputation risk. (A huge community of enthusiasts on the Internet revolves around rooting/jailbreaking devices.) Finally, you must be ready to deal with devices that terminated employees never return.
To deal with each of the threats above, consider the following security controls:
– Enforce password/pin length/complexity standards.
– Enforce password/pin rotation, reset, and history standards.
– Enforce screen lock/timeout policies for devices.
– Use login banners and warnings.
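The controls above only help if you can verify them across the whole fleet, which ties back to the asset inventory point at the top of this post. The script below is an added example, not Pratum’s code or any MDM product’s API: it takes a constructed device inventory (the field names, the three sample devices and the policy thresholds are all assumptions) and reports every device that fails a PIN length, PIN rotation, screen lock or banner check, is reported lost, or belongs to a terminated employee and was never returned.

```python
"""Check a mobile device inventory against the controls listed above.

Added example, not Pratum's code or any MDM product's API. The device records,
field names and policy thresholds are constructed for illustration; a real MDM
export uses its own schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Policy thresholds: assumed values, not figures from the post.
POLICY = {
    "min_pin_length": 6,
    "max_pin_age_days": 90,
    "max_screen_lock_seconds": 300,
    "banner_required": True,
}


@dataclass
class Device:
    device_id: str
    owner: str
    owner_active: bool        # False once HR marks the owner as terminated
    pin_length: int
    pin_last_changed: date
    screen_lock_seconds: int  # 0 means no screen lock configured
    login_banner: bool
    reported_lost: bool
    returned: bool            # only meaningful when owner_active is False


def check_device(d: Device, today: date, policy: dict = POLICY) -> List[str]:
    """Return the list of control failures for one device (empty if compliant)."""
    findings = []
    if d.pin_length < policy["min_pin_length"]:
        findings.append(f"PIN length {d.pin_length} below minimum {policy['min_pin_length']}")
    if (today - d.pin_last_changed).days > policy["max_pin_age_days"]:
        findings.append("PIN older than rotation limit")
    if d.screen_lock_seconds == 0 or d.screen_lock_seconds > policy["max_screen_lock_seconds"]:
        findings.append("screen lock disabled or timeout too long")
    if policy["banner_required"] and not d.login_banner:
        findings.append("login banner not configured")
    if d.reported_lost:
        findings.append("reported lost/stolen: confirm remote lock or wipe was issued")
    if not d.owner_active and not d.returned:
        findings.append("owner no longer employed but device not returned")
    return findings


def audit(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map device id -> findings, listing only non-compliant devices."""
    result = {}
    for d in devices:
        findings = check_device(d, today)
        if findings:
            result[d.device_id] = findings
    return result


# Constructed sample inventory: one compliant device, one weakly configured
# device, and one lost device belonging to a terminated employee.
SAMPLE_INVENTORY = [
    Device("dev-001", "alice", True, 6, date(2021, 1, 15), 120, True, False, True),
    Device("dev-002", "bob", True, 4, date(2020, 10, 1), 0, False, False, True),
    Device("dev-003", "carol", False, 8, date(2021, 2, 1), 60, True, True, False),
]


def run_sample(today: date = date(2021, 3, 1)) -> Dict[str, List[str]]:
    """Audit the constructed inventory as of an assumed reference date."""
    return audit(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for device_id, findings in run_sample().items():
        print(device_id)
        for f in findings:
            print("  -", f)
```

Run it against a real MDM export by mapping the export’s columns onto the `Device` fields; the thresholds in `POLICY` are the place to encode whatever your own standard requires.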
Ultimately, data is what most organizations really want to secure on their mobile devices. Before you go down the path of choosing a security approach, consider whether the best approach is simply keeping sensitive data off the mobile device in the first place.
If you do need to allow data to go mobile, you can secure it with a combination of encryption and remote wipe capabilities:
Taking devices outside the traditional security perimeter usually strips them of several layers of network security controls that come along with an organization’s firewall and Internet traffic filtering infrastructure. While endpoint network controls enabled by DNS are not strictly an asset management function, you should strongly consider using them. As mentioned above, a compromised mobile device often becomes a doorway that hackers use to breach broader company systems.
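Endpoint DNS controls produce logs that show which queries the control blocked and whether the device was inside or outside the perimeter at the time. The script below is an added example, not Pratum’s code or any DNS filtering product’s log format: it parses a constructed log (the line format, device names, domain names and block list are all assumptions) and summarises, per device, how many blocked lookups happened off-network, where the corporate firewall and traffic filtering would never have seen them.

```python
"""Apply DNS-based policy to endpoint DNS logs from devices off the corporate network.

Added example, not Pratum's code or any DNS filtering product's log format.
The log lines, device names, domains and block list below are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterator, List

# Constructed log: timestamp, device id, whether the device was on the corporate
# network (internal) or elsewhere (external), and the name it queried.
SAMPLE_DNS_LOG = """\
2021-03-01T08:12:03Z dev=phone-017 net=external q=mail.example-corp.test
2021-03-01T08:12:09Z dev=phone-017 net=external q=cdn.shopping-site.test
2021-03-01T08:13:41Z dev=tablet-004 net=external q=login.known-phish.test
2021-03-01T08:14:02Z dev=tablet-004 net=external q=updates.known-phish.test
2021-03-01T08:15:30Z dev=laptop-031 net=external q=x7g2.dyn-c2.test
2021-03-01T09:40:11Z dev=laptop-031 net=internal q=x7g2.dyn-c2.test
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) dev=(?P<dev>\S+) net=(?P<net>\S+) q=(?P<q>\S+)$")

# Constructed block list; a real deployment feeds this from a threat feed.
BLOCKED_SUFFIXES = ("known-phish.test", "dyn-c2.test")


def parse(log: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def is_blocked(name: str) -> bool:
    """True when the queried name is a blocked domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in BLOCKED_SUFFIXES)


def evaluate(log: str) -> Dict[str, dict]:
    """Per device: distinct blocked domains, total blocked queries, and how
    many of those happened off-network (beyond the perimeter controls)."""
    report = defaultdict(lambda: {"domains": set(), "total": 0, "off_network": 0})
    for rec in parse(log):
        if not is_blocked(rec["q"]):
            continue
        entry = report[rec["dev"]]
        entry["domains"].add(rec["q"])
        entry["total"] += 1
        if rec["net"] == "external":
            entry["off_network"] += 1
    return {dev: {**e, "domains": sorted(e["domains"])} for dev, e in report.items()}


if __name__ == "__main__":
    for dev, summary in evaluate(SAMPLE_DNS_LOG).items():
        print(dev, summary)
```

The `off_network` count is the number that matters for this section: those are the lookups a device made while it had no perimeter controls at all, so a non-zero value is a signal to pull the device in for a closer look.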
Here are some best practices for managing devices using outside networks:
If you are an IT or security practitioner, remember that deciding whether to accept a risk or to manage it by implementing a control in any given scenario is ultimately a business decision enabled by your expert opinion. Pratum specializes in helping leaders assess risk in light of their specific business needs and develop appropriate solutions. Contact us to learn more about how we can work together to secure your organization.
In 1990, the world contained exactly one Internet of Things (IoT) device: a toaster connected to the Internet by a guy named John Romkey acting on a trade-show dare. Now, experts predict we’re on track to have 41 billion IoT devices in the world by 2027.
That means the security risks of IoT devices must be a key part of the security plan in every business and home-office setting. These devices make us smarter and more efficient by disseminating a staggering amount of data from every corner of our daily experience. One popular statistic estimates the daily data stream adds up to 2.5 quintillion bytes (that’s 18 zeroes). The nationwide arrival of 5G wireless technology will only increase that number.
All that data collection introduces an entirely new realm of risk where the key concept is “attack surface.” A few years ago, “only” computers and servers presented exposure to the internet, but modern hackers can now find doorways into networks through watches; cars; smart thermostats; medical devices; wearable safety devices; Programmable Logic Controllers (PLCs) in valves and switches; and more. Even your kid’s adorable electronic teddy bear could go all Chucky on you if it has an Internet connection and spy-ready features like a camera and speakers. With exponentially more devices connected to the Internet, the attack surface now looks like the Pacific Ocean.
An obvious solution is to keep all these devices offline. In other words, reduce the attack surface. But as we’ll see below, IoT’s tremendous business advantages require you to find a way to safely implement these devices in a way consistent with your business’ risk tolerance.
Along with the obvious convenience of having data wherever you need it (remember that your smart phone once seemed like a revolutionary IoT device), the technology lets businesses monitor equipment and personnel in real-time, even in remote settings. A continuous data stream, whether it’s from a weather station in a far-off location or a machine across the shop floor, allows more current, informed decisions. It also produces efficiencies, as information can flow back to a central location for tracking and administration.
Cell towers provide one common use case. In that space, effective monitoring is fundamental to proper maintenance, tower uptime, energy consumption tracking, adherence to stringent service level agreements (SLAs), etc. However, monitoring cell sites remotely keeps getting more challenging because of expanding networks, rising operational costs and security issues. IoT solutions enable 24/7 monitoring of passive assets across multiple remote locations. These devices can now communicate and feed data into a cloud-analytics engine, leading to increased tower uptime and better power management.
Routine patches help keep computers secure, but the core design of IoT devices allows for minimal, if any, software and firmware updates. Because this space is growing at a rapid pace, devices are only supported for short periods of time before manufacturers allocate more time and resources to the development and support of new products. In a related challenge, many vendors are rushing products into this seeming gold rush of a market, giving security less attention than it deserves.
Plus, many IoT devices suffer from basic security flaws that are routinely addressed on servers and endpoint computers in organizations that have solid security policies. For example, many IoT devices use unencrypted communications, use default passwords and don’t implement multifactor authentication.
You should be particularly wary of certain high-risk IoT devices, such as off-brand devices (which rarely have the same security protection as higher-priced versions) and Internet-enabled toys, which often lack sufficient security features. These devices can sometimes be used in second-order attacks on a home network, which could quickly lead back to business data in today’s work-from-home environment.
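Most of the flaws in the last two paragraphs can be spotted passively from the network, without touching the devices. The script below is an added example, not Pratum’s code: it joins constructed flow records against a constructed IoT asset inventory (the device names, IP ranges, port-to-protocol mapping and firmware support dates are all assumptions) and flags devices that talk cleartext protocols, reach business systems they have no reason to contact, run firmware past its support date, or are missing from the inventory altogether.

```python
"""Flag risky IoT devices from flow records plus an asset inventory.

Added example, not Pratum's code. The flow records, inventory, subnets,
port mapping and support dates below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import date
from typing import Dict, List, Tuple

# Destination ports commonly carrying unencrypted protocols (assumed mapping).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}

# Business workstations/servers that the IoT segment should never reach.
BUSINESS_NET = ipaddress.ip_network("10.0.5.0/24")

# Constructed inventory: the vendor/cloud range each device is expected to
# talk to, and the date the manufacturer stops shipping firmware updates.
INVENTORY = {
    "thermostat-01": {"expected_dst": ipaddress.ip_network("203.0.113.0/24"),
                      "firmware_support_end": date(2022, 6, 30)},
    "camera-02":     {"expected_dst": ipaddress.ip_network("198.51.100.0/24"),
                      "firmware_support_end": date(2020, 1, 31)},
    "plc-03":        {"expected_dst": ipaddress.ip_network("10.20.0.0/16"),
                      "firmware_support_end": date(2023, 12, 31)},
}

# Constructed flow records: (source device, destination IP, destination port).
FLOWS: List[Tuple[str, str, int]] = [
    ("thermostat-01", "203.0.113.10", 8883),
    ("camera-02", "198.51.100.7", 80),
    ("camera-02", "10.0.5.23", 23),
    ("plc-03", "10.20.1.5", 443),
    ("unknown-device", "10.0.5.40", 80),
]


def assess(inventory: dict, flows: List[Tuple[str, str, int]], today: date) -> Dict[str, List[str]]:
    """Return device id -> list of findings (empty list means nothing observed)."""
    cleartext = defaultdict(set)
    unexpected = defaultdict(set)
    unknown = set()
    for dev, dst, port in flows:
        dst_ip = ipaddress.ip_address(dst)
        if port in CLEARTEXT_PORTS:
            cleartext[dev].add(CLEARTEXT_PORTS[port])
        if dev not in inventory:
            # Asset management gap: traffic from something nobody tracks.
            unknown.add(dev)
            if dst_ip in BUSINESS_NET:
                unexpected[dev].add(dst)
        elif dst_ip in BUSINESS_NET or dst_ip not in inventory[dev]["expected_dst"]:
            unexpected[dev].add(dst)

    findings: Dict[str, List[str]] = {}
    for dev in sorted(set(inventory) | unknown):
        f = []
        if dev in unknown:
            f.append("not in asset inventory")
        if cleartext[dev]:
            f.append("cleartext protocols observed: " + ", ".join(sorted(cleartext[dev])))
        if unexpected[dev]:
            f.append("unexpected destinations: " + ", ".join(sorted(unexpected[dev])))
        if dev in inventory and inventory[dev]["firmware_support_end"] < today:
            f.append("firmware support ended " + inventory[dev]["firmware_support_end"].isoformat())
        findings[dev] = f
    return findings


def run_sample(today: date = date(2021, 3, 1)) -> Dict[str, List[str]]:
    """Assess the constructed flows and inventory as of an assumed reference date."""
    return assess(INVENTORY, FLOWS, today)


if __name__ == "__main__":
    for dev, f in run_sample().items():
        print(dev, "->", f or "no findings")
```

Feed it from whatever already exports flows (firewall logs, a NetFlow collector, a home router’s connection table) and keep the inventory honest: the `not in asset inventory` finding is usually the first thing that shows up in a home-office setting, and it is exactly the gap that lets a consumer device become a stepping stone toward business data.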
Your unique situation will determine which threats you should focus on. For example, a Department of Defense employee who frequently deals with information requiring certain levels of security clearance probably won’t have a Google or Amazon virtual assistant in the office or use remotely controlled security systems. Your business needs may not require quite that level of security.
The following list covers some of the most common ways hackers go after IoT devices:
In late 2020, the National Institute of Standards and Technology (NIST) issued four new publications that offer recommendations to the government and manufacturers for effective IoT security. These publications fulfill requirements outlined in the IoT Cybersecurity Improvement Act of 2020, which became law in December 2020. For a business, NIST’s new documents provide insight on what you should consider when purchasing and integrating IoT devices. You can read the guidelines here.
We also recommend implementing the following best practices as part of your IoT strategy:
For a full assessment of your IoT risks and consulting on how to control the risks for your organization, contact us.
Editor's Note: This post was originally published in November 2020 and has been updated to reflect new legal developments.