Pratum Blog

Risk Assessment Value

Whether you’re a small business trying to figure out where to start with your cybersecurity needs, or you’re a larger corporation wanting to make sure the security measures you put in place are working properly, an Information Security Risk Assessment is a great way to get a thorough look inside your organization.

Taking the time to go over possible threats is crucial in preventing issues down the road and giving your business the best chance at long-term success. Here are the basic steps of a Risk Assessment, and why this process can provide so much value to your cybersecurity program.

What is an Information Security Risk Assessment?

A Risk Assessment helps guide an organization in making rational decisions to improve security posture and align risk with acceptable tolerance levels.

What does that really mean?

Cybersecurity experts, such as Pratum Consultants, conduct a comprehensive overview of your current security measures and come up with a list of possible threats. This is based on the issues your company is likely to face. Not all organizations have the same security threats.

The Risk Assessment process helps IT departments and business owners find and evaluate risk while aligning with business objectives.

Why is it Necessary?

A Risk Assessment is a window into your organization’s security operations. The process reveals where the gaps are, what is working well, and what may not be necessary. Having a certified expert review your security posture helps surface issues that have been overlooked in the past.

This kind of knowledge is valuable for preventing security breaches, securing sensitive information, and reassuring clients their own data is being protected.

Beyond its value to the business, a documented information security risk assessment is a core requirement of federal regulations such as the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). The Payment Card Industry Data Security Standard (PCI DSS), although an industry standard rather than a federal regulation, likewise requires merchants of all sizes to perform due diligence in assessing risk in their technology operations.

How Does the Process Work?

These are the key steps of an Information Security Risk Assessment.

1. Prepare

The first step is to determine why the assessment is needed. Decide what information the assessment is intended to produce and which decisions it is intended to support. Knowing the goal of the process will direct the steps that follow.

You will also select a control framework. Pratum bases risk assessments on a subset of controls from NIST SP 800-53. Other highly regarded frameworks are the Center for Internet Security (CIS) Controls (often called the CIS Top 20) and NIST SP 800-171.

2. Conduct

The objective of this step is to produce a list of information security risks that can be prioritized by risk level and used to inform risk response decisions. That means identifying threat sources, vulnerabilities, and the risks they create, then analyzing the likelihood and impact of each risk to assign it a level.

This step also includes interviews with department managers and key business personnel. The focus is on how sensitive information flows through the systems and/or applications they manage.

Here are some questions that may come up:

  • Are there any concerns with data flow models?
  • Does the information have the potential to be seen by unauthorized individuals?
  • Are there vulnerabilities within these systems that could lead to device compromise?
  • Does management have adequate visibility into the risk management program?

While risk assessments can be conducted internally, it is helpful to bring in a third party to have an independent set of eyes evaluate IT environments.

3. Review

The last step involves reviewing the existing IT controls against the chosen control framework and identifying where controls are missing or implemented insecurely. This is followed by communicating what was found and working out how decision makers within the organization can use that information to address security risks going forward.

The Pratum Consultant will put together a report of risks at different levels for your business’s executive leadership to review.

What are those risk levels?

Low: Finding creates limited exposure for compromise of user accounts, or unauthorized access to data due to configuration issues, outdated patches and/or policy.

Moderate: Finding does not directly lead to a compromise but could be used in conjunction with other techniques to compromise accounts, or to perform unauthorized activity in the environment.

High: Finding creates a large exposure that could result in a loss of system control, access, application control, and/or exposure of customer data via the compromise of administrative accounts and/or other system functions. It could also create an issue with regards to confidentiality and/or integrity, resulting in many user accounts being compromised, or restricted system functions being accessed.
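The page defines the three levels qualitatively and does not say how a consultant arrives at them. The following added example (not Pratum’s methodology or tooling) shows one common way to turn the "analyze likelihood and impact" step into a prioritized register: score each finding on assumed 1-5 likelihood and impact scales, map the product onto Low/Moderate/High bands, and sort. The scales, the band thresholds, the sample findings and the NIST SP 800-53 control tags are all assumptions constructed for illustration.

```python
"""Risk register scoring: likelihood x impact -> Low/Moderate/High, sorted.

Added example, not the page's or Pratum's own method. The 1-5 scales, the
band thresholds and the sample findings are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    title: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)  -- assumed scale
    impact: int              # 1 (negligible) .. 5 (severe)     -- assumed scale
    controls: tuple = ()     # NIST SP 800-53 control IDs the finding maps to

    @property
    def score(self) -> int:
        """Product of the two scales; rejects values outside the scale."""
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be 1..5")
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Band thresholds are an assumption: 1-6 Low, 7-14 Moderate, 15-25 High."""
    if score >= 15:
        return "High"
    if score >= 7:
        return "Moderate"
    return "Low"


def prioritize(findings):
    """Return findings ordered highest risk first (ties broken by impact)."""
    return sorted(findings, key=lambda f: (f.score, f.impact), reverse=True)


# Constructed sample register, echoing the kinds of findings the page describes.
SAMPLE = [
    Finding("Domain admin password reused across service accounts", 4, 5, ("IA-5", "AC-6")),
    Finding("Public file server missing 2019 SMB patches", 3, 4, ("SI-2",)),
    Finding("Password policy allows 8-character passwords with no lockout", 3, 2, ("IA-5", "AC-7")),
    Finding("Guest wifi shares a VLAN with corporate printers", 2, 2, ("SC-7",)),
]


def report(findings=SAMPLE):
    """Rows of (rating, score, title) for the executive summary, highest first."""
    return [(rating(f.score), f.score, f.title) for f in prioritize(findings)]


if __name__ == "__main__":
    for row in report():
        print("%-8s %2d  %s" % row)
```

The control tags are what lets the report answer the "Review" step’s question: grouping findings by control shows which part of the framework is weakest, not just which individual finding scored highest.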

4. Repeat

A Risk Assessment is not a one-time cure-all. The process should be repeated at least annually, and after significant changes to the organization or its systems, to keep up with new threats.

When Should You Pursue an Information Security Risk Assessment?

There really is no wrong time to do a Risk Assessment. While it should be one of the first considerations of new businesses, it should also be part of your continual security evaluation process. Risk assessments provide immense value to organizations of all sizes, as they allow the IT department to communicate control gaps and security concerns in a language and perspective business leaders can understand.

As stated before, it is possible for an organization to conduct their own Risk Assessment. However, there are benefits to hiring a third-party consultant. Pratum has often identified areas of risk our clients were unaware of. If you’d like to find out more about conducting a Risk Assessment for your business, contact Pratum today!

When COVID-19 first started making headlines, a handful of related scams were reported around the world. Many initially targeted China, the epicenter of the outbreak, but as the virus has spread globally, so have the scams.

Many of these scams are phishing: they are ways for criminals to collect your private information or gain access to your personal devices. People fall for these crimes more easily during a crisis, when they are not thinking clearly. That’s why it’s good to stay informed about what is out there. Here are some online threats making the rounds that you should be aware of.

Anti-Virus Software

One scam being reported is for anti-virus software, but it’s not the kind you probably think of right away. This particular scam is preying on individuals who may not understand what the Coronavirus is or how it works. The website actually makes this absurd claim:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.” (Source Malwarebytes)

Not only is the claim scientifically absurd, the site is dangerous to visit. Downloading the advertised software installs a fake app that infects your device and gives the threat actors full access and control.

Free Stuff

Another scam preying on people’s fears offers a free “Corona mask” in exchange for installing an app on your smartphone. The app demands permission to read your contacts and send SMS messages, and then asks you to fill in personal information so the free mask can be shipped.

The security researchers who discovered and tested the app were not able to complete the submission, but there is good reason to believe the personal data collected would be used for further scams.

Regardless, the permissions the app asks for are the point: with access to contacts and SMS, it can send its own download link to everyone in the victim’s address book and spread itself further.

Another popular scam claims to be from Netflix and promises free subscriptions to help people get through social isolation/distancing time. The site will ask visitors some questions and then tell the “winner” of the free subscription to share the fraudulent site with 10 friends.

This sort of scam can lead to the scammers requesting more personal information down the road and then using that information to break into your device or online accounts. If a friend sends you this, let them know they may have been scammed or that their account may have been compromised.

Census Form

There have been several scams surrounding the U.S. Census this year. One in particular is directed at those looking for federal funds. A news station in Ohio, WOIO, was alerted of a scam in which a man received a Facebook message from a relative telling him to fill out his Census form with a special link in order to get the COVID-19 stimulus money directly deposited into his account. This was reportedly the same money already promised to be coming from the U.S. government in the coming weeks.

The scammers had actually taken over the relative’s account to send the message. The big red flag is that there is no connection between the stimulus funds and the Census. It is also a good reminder to use strong, unique passwords and turn on two-factor authentication, so your accounts cannot be used to scam your loved ones.

Threats of Infection

Not only are these scams a risk to your online security; some go so far as to threaten your physical health. Barracuda discovered one scam in which the threat actor requested ransom payments, or else the scammer would infect the recipient and their family with Coronavirus.

According to Barracuda researchers, Coronavirus-related phishing emails fell into four categories: 54 percent were scams, 34 percent were brand impersonation attacks, 11 percent were blackmail, and 1 percent were business email compromise.

Ways to Stay Safe

Some of these scams may seem so obvious, you may not believe anyone would fall victim to them. However, when fear and unprecedented events are occurring it can be difficult for people to think clearly. That’s why it’s so important to stay vigilant during this time with your cybersecurity.

1. Check the source. An email or website may look legitimate because it uses a name similar to the real one, so look closely at the actual address. With the Netflix scam mentioned above, the scam website had “Netflix” in its name but was a .net address rather than netflix.com. Details like this make all the difference.

2. Question strangers. If an email or message comes from a source you normally do not communicate with, be leery of them. If you have concerns about ignoring something potentially legitimate, try finding the contact information for who they claim to be somewhere else.

3. Stay educated. Be aware of what scams are making the rounds right now. Having a good knowledge of threats helps keep them at the front of your mind. The more aware you are, the less likely you’ll fall victim to a scam!
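The "check the source" advice above comes down to one question: does the part of the hostname that someone actually had to register belong to the brand, or does the brand name merely appear somewhere in the link? The following added example (not from the original post) automates that check for a few link shapes seen in these scams: a brand name in front of a different domain, a brand name hidden in a subdomain, and a fake host placed before an "@" so the real host is easy to miss. The allowlist, the sample links and the short public-suffix table are constructed for illustration; a production tool would use the full Public Suffix List.

```python
"""Check whether a link really belongs to the brand it appears to be from.

Added example, not from the original post. The allowlist and sample links
are constructed; public-suffix handling is deliberately simplified.
"""
from urllib.parse import urlsplit

# Brands and the registrable domains they legitimately use (constructed allowlist).
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "census": {"census.gov"},
}

# Two-label public suffixes handled here; anything else is treated as one label.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """'free-netflix.secure-login.net' -> 'secure-login.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url: str):
    """Return (verdict, reason); verdicts are 'legit', 'suspicious' or 'unknown'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return "suspicious", "no hostname"
    if parts.username or parts.password:
        # https://www.netflix.com@evil.example/ : the real host is after the '@'
        return "suspicious", "credentials before '@' hide the real host " + host
    scheme_note = "" if parts.scheme == "https" else "; not https"
    reg = registrable_domain(host)
    haystack = (host + parts.path + "?" + parts.query).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if reg in domains:
            return "legit", f"registrable domain {reg} belongs to {brand}{scheme_note}"
        if brand in haystack:
            return "suspicious", f"mentions {brand} but registrable domain is {reg}{scheme_note}"
    return "unknown", f"no known brand in {reg}{scheme_note}"


# Constructed sample links: one real, three patterned on the scams described above.
SAMPLE_LINKS = [
    "https://www.netflix.com/login",
    "http://netflix-free-subscription.net/win",
    "https://www.netflix.com@evil.example/login",
    "https://my2020census.gov.stimulus-deposit.com/form",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = classify(link)
        print(f"{verdict:10s} {link}  ({reason})")
```

The "unknown" verdict is deliberate: a link that mentions no known brand is not proven safe, it simply cannot be judged by this rule, and a mail filter should fall back to other checks rather than treat it as clean.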

If you’d like to learn about more COVID-19 scams making the rounds right now, head over to the links listed below!

(Sources: https://www.tripwire.com/state-of-security/security-awareness/covid-19-scam-roundup-week-of-3-23-20

https://blog.barracuda.com/2020/03/26/threat-spotlight-coronavirus-related-phishing)

Zoom Security

Zoom is one of the largest, and currently most popular, video meeting apps for business and personal use. However, popularity is drawing more attention to what some consider security flaws and privacy concerns in the system.

Zoom’s Rapid Growth and Security Shortfalls

Eric Yuan, Zoom founder and CEO, recently stated the company was not expecting the mass expansion that came after the Coronavirus hit. According to Yuan, at the end of 2019 there were about 20 million users on Zoom. In March of 2020, they reached 200 million.

Several features of the Zoom software have raised concerns among employees, business owners, and government officials. Those concerns prompted Yuan to issue an apology, saying Zoom had:

“…fallen short of the community’s – and our own- privacy and security expectations. For that, I am deeply sorry.”

Now, Yuan says they are working “around the clock” to address these concerns.

What to be aware of in the meantime?

1. Zoombombing

One widespread problem right now is “Zoom-bombing”: uninvited attendees joining and disrupting meetings. For some it is innocent pranking, but it is a real privacy concern for others, and a serious one for businesses holding conference calls about confidential information.

Zoom-bombing is possible because, by default, every meeting a host starts uses that host’s Personal Meeting ID, so anyone who has seen one invitation knows the ID for all future meetings. By default, meetings can also be joined without a password. Hosts can generate a new meeting ID and set a password for each call, but those settings are not enabled by default.

Security researchers have also built an automated tool that can find roughly 100 open Zoom meetings in an hour. It specifically looks for meeting IDs that are not password protected, meaning that anyone with the 9- to 11-digit code can listen in on sensitive or private calls. An intruder would likely be noticed in a small group discussion but could easily sit undetected in a call with 20 or more participants.

2. Cloud Recording

Another serious concern for paid subscribers is “cloud recording”. This feature lets a host record a meeting, along with a text transcript and a text file of the meeting chat, and save it to the cloud, where it can be accessed by other users in your company, including people who never attended the meeting. Zoom does allow account administrators to restrict access to recordings to pre-approved IP addresses.

3. Data Sharing

Signing in with a Facebook account is a common feature of online services, and the resulting data sharing is normally disclosed in the terms of service you agree to. Zoom has been accused of not being transparent about the fact that it may share your data with Facebook, even if you don’t have a Facebook account.

4. Webcam Control

One of the most recent concerns was raised by a former NSA (National Security Agency) hacker. He discovered bugs that would allow malware already running on a Mac to take control of the webcam and microphone by abusing Zoom’s own permissions, and a separate vulnerability that let a local attacker gain root access to the computer. This raises obvious concerns for personal privacy and safety. Patches for these vulnerabilities are now available, and it is recommended to update immediately.

5. Attention-Tracking

Another issue people have with the app is “attention-tracking”. This feature lets the host of a Zoom call see whether attendees have the Zoom window in the foreground. That means if students or employees don’t keep the video chat front and center, their professor or manager can tell. While this may appeal to some meeting hosts, it breeds distrust among users who feel they are being monitored unnecessarily.

Demands for Change

On Monday March 30th, New York’s Attorney General Letitia James sent Zoom a letter outlining privacy vulnerability concerns and asking what steps the company had in place to keep users safe.

In the United Kingdom, government officials have been using Zoom for cabinet meetings. That is now being debated after these concerns were brought up.

Reportedly, Elon Musk has banned the use of Zoom for any work on SpaceX projects. One of SpaceX’s biggest customers is NASA, which also prevents its employees from using it.

How You Can Stay Safe

There are a few ways to lessen the risk of using Zoom.

  • Review your Zoom security settings. Configure Zoom to:

    - Generate a random meeting ID for each call instead of using your Personal Meeting ID.

    - Keep meetings and classrooms private: require a password for entry and/or use the waiting room feature to control who joins. Distribute passwords through a separate, secure channel rather than in the meeting link.

    - Disable cloud recording, or restrict that capability to the meeting host.

    - Restrict screen sharing to the meeting host.

  • Grant Zoom only the device permissions (camera, microphone, contacts) you actually need.
  • If you do not want Zoom, or other sites, sending your data to third parties, consider anti-tracking software or browser extensions that block third-party trackers.
  • Make sure your Wi-Fi network is secured and restricted to authorized users.
  • Don’t post a link to your meeting on social media or any other public channel; send meeting invites directly to participants only.
  • Zoom began turning on password requirements by default in January 2020, so make sure you are running the latest version of the Zoom software.
  • Ensure your remote work and IT policies spell out how to configure and use Zoom if your organization allows it.
  • Zoom has a number of other suggestions in a blog post: https://blog.zoom.us/wordpress/2020/03/20/keep-uninvited-guests-out-of-your-zoom-event/
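The checklist above is easy to state and easy to let drift, especially when many hosts in one organization schedule their own meetings. The following added example (not Zoom’s code or API) shows the checklist as a policy-as-code check: a table of required values, an audit function that reports every violated rule with its risk, and a function that returns the hardened configuration. The setting names are a constructed, generic representation of the options the post discusses; Zoom’s real admin API uses different field names, so adapt the keys to whatever your settings export actually contains.

```python
"""Audit a meeting configuration against the hardening checklist above.

Added example, not Zoom's own code or API. The setting names are a
constructed, generic representation of the options discussed in the post.
"""

# rule: setting -> (required value, risk if violated, remediation)
POLICY = {
    "use_personal_meeting_id": (False, "a known ID can be reused to join any future meeting",
                                "generate a random ID per meeting"),
    "require_password": (True, "anyone who finds the ID can join",
                         "require a meeting password"),
    "waiting_room": (True, "host cannot screen who joins",
                     "enable the waiting room"),
    "join_before_host": (False, "attendees can meet unsupervised",
                         "disable join-before-host"),
    "screen_share": ("host_only", "any attendee can hijack the screen",
                     "restrict sharing to the host"),
    "cloud_recording": ("disabled", "recordings and transcripts are visible to non-attendees",
                        "disable cloud recording or limit it to the host"),
    "embed_password_in_link": (False, "a leaked link bypasses the password",
                               "send the password through a separate channel"),
}


def audit(settings: dict) -> list:
    """Return (setting, actual, required, risk) for every violated rule.

    A setting missing from the export is treated as non-compliant, because
    an unknown value cannot be assumed to be the safe one.
    """
    findings = []
    for key, (required, risk, _fix) in POLICY.items():
        actual = settings.get(key)
        if actual != required:
            findings.append((key, actual, required, risk))
    return findings


def harden(settings: dict) -> dict:
    """Return a copy of the configuration with every policy value enforced."""
    fixed = dict(settings)
    for key, (required, _risk, _fix) in POLICY.items():
        fixed[key] = required
    return fixed


# Constructed: a configuration resembling the defaults the post complains about.
WEAK_DEFAULTS = {
    "use_personal_meeting_id": True,
    "require_password": False,
    "waiting_room": False,
    "join_before_host": True,
    "screen_share": "all_participants",
    "cloud_recording": "all_users",
    "embed_password_in_link": True,
}

if __name__ == "__main__":
    for key, actual, required, risk in audit(WEAK_DEFAULTS):
        print(f"{key}: is {actual!r}, should be {required!r} ({risk}; {POLICY[key][2]})")
    print("after harden():", audit(harden(WEAK_DEFAULTS)))
```

Running the audit periodically against an export of account settings, rather than once at rollout, is what turns the checklist into the kind of continuous check the risk assessment post above recommends.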

While all of these steps can help, many cybersecurity experts are advising anyone with especially sensitive data or conversations to find a more secure alternative.

Zoom Alternatives:

Microsoft Teams: Teams is included in most Office 365 business subscriptions. If you haven’t taken advantage of Microsoft’s chat and video conferencing software, it may already be covered by the licenses you pay for.

Apple FaceTime: If security is paramount for your discussion, Apple’s FaceTime service offers video calls for up to 32 people with end-to-end encryption, so not even Apple can access the content of the call. However, every participant must have an Apple device (Mac, iPad, or iPhone).

Google Hangouts Meet or Google Duo: Hangouts Meet is included with G Suite business licenses, and Duo is Google’s consumer video app, which does offer end-to-end encryption for calls. Hangouts Meet does not provide end-to-end encryption, but it offers, through a transparent user interface, many of the privacy controls users are looking for and Zoom currently lacks.

Cisco Webex and GoToMeeting: These video chat applications have been around for many years and each offer a different set of robust features similar to those offered by Zoom.

(Sources: https://www.bbc.com/news/technology-52133349

https://www.cnet.com/news/using-zoom-while-working-from-home-here-are-the-privacy-risks-to-watch-out-for/

https://objective-see.com/blog/blog_0x56.html

https://www.theverge.com/2020/4/2/21206061/zoom-meeting-id-zwardial-automated-tool)
