WHAT IS A PENETRATION TEST?
Sensei recommends that all companies perform some form of a penetration test at least annually. This test is a security exercise in which a certified ethical hacker attempts to find and exploit vulnerabilities and weaknesses in defenses within a company’s information systems. The purpose of this simulated and controlled exercise is to identify any weaknesses in a company’s security defenses which attackers could use to gain access to the firm’s internal systems and information. If weaknesses are discovered, this test allows us to provide recommendations on how to remediate those weaknesses, making the company’s security stronger.
WHAT IS A VULNERABILITY ASSESSMENT?
Sensei’s vulnerability assessments scan all of your network-based devices to identify any possible vulnerability that may exist in your system, regardless of the operating system platform. The flexibility of these assessments allows the focus to be as wide as the client’s requirements demand, and can be targeted to identify any vulnerability that exists within your web server, database program or email server.
HOW DO I PROTECT MY COMPUTER FROM THE NSA?
If the NSA wants to snoop into your computer, it will find a way. To protect yourself as much as possible, make sure you have all the basic security precautions enabled (strong passwords, turn computer off when not in use, turn off Bluetooth, etc.) and use an encryption product that utilizes the PGP encryption algorithm – or another strong encryption product.
HOW DO I PREVENT A DATA BREACH LIKE THE ONE THAT OCCURRED AT TARGET OR NEIMAN MARCUS?
The short answer is you can’t. When you trust third-party providers with your account information, you trust them to protect that data. Sometimes, they fail in that mission. Hopefully you can tie the account to a credit card and not a debit card, which would give someone direct access to your funds. Also, you should refuse to provide the vendor with an e-mail address and phone number if asked. Having this information makes it easier for the bad guys to steal your identity.
WHAT SHOULD I DO IF I BELIEVE A DATA BREACH HAS OCCURRED?
If possible, disconnect all of your computer(s) and server(s) from the internet by disconnecting your router from the Internet Service Provider’s network. This helps to preserve any evidence or information that may be useful to an investigation. Immediately contact a security professional prior to powering down the equipment. Depending on the methods used to facilitate the breach, attempting to capture the contents of the running memory may be extremely important. Document the facts surrounding any known incidents or abnormalities, and discuss them with your security provider. If you don’t have a security provider, make sure you know who you would call if you have a data breach so you are prepared.
HOW DO I PROTECT MY IPHONE, ANDROID, SAMSUNG GALAXY OR OTHER MOBILE DEVICE?
First, you should enable encryption on the device. Usually, encryption is turned on when a password or passphrase is applied to the device. Make sure that this is the case for your make and model. Secondly, make sure to turn on the feature that will wipe data off of the device upon a certain number of invalid password attempts – in most cases, 7 is the preferred number. If operating in a business environment, mobile device managers can be used to control these security settings on your company’s mobile devices.
ARE THERE ANY LAWS THAT GOVERN WHAT HAPPENS AFTER A DATA BREACH?
At the moment, there is no federal data breach law. But almost all states have them, so you need to be aware of your legal responsibilities if a data breach occurs.
DO I NEED TO CONTACT OR SEE AN ATTORNEY IF A DATA BREACH OCCURS?
Yes, you should contact an attorney knowledgeable about data breaches immediately so he or she can advise you of your legal duties. You do not want to find yourself inadvertently on the wrong side of the law.
HOW CAN I ENCRYPT MY LAPTOP AND USB FLASH DRIVE?
Encryption is truly the only way to protect your sensitive and confidential information on laptops and USB drives. Encryption, once set up, can run seamlessly without causing computer disruption or annoyances to the user.
There are a number of third-party products that can encrypt your laptop hard drive or USB flash drive such as Symantec PGP. You may also be able to take advantage of built-in hardware encryption if your system or device offers it. For USB flash drives, hardware encryption is the preferred method. Some USB flash drives offer built-in hardware encryption, while others rely on software to encrypt the files on your device.
HOW DO I ENCRYPT MY IPHONE OR IPAD?
Just as it is important to encrypt your laptop or USB flash drive, the same holds true for your iPhones or iPads. As the number of users of these devices continues to increase, along with the implementation of these devices in business environments, the need to protect the data stored on these devices also increases.
Encrypting the data on these devices is simple – just enable the PIN or PassPhrase option. By enabling this security option, your device will automatically encrypt the contents. We recommend that you enable the PassPhrase option and use a pass phrase of at least 12 characters. If you’re groaning about the length, be aware that ANY 8 character, no matter how strong, can now be cracked in about two hours. A 12-character password or passphrase will take more than 17 years to crack. You enable a PassPhrase by turning Simple Passcode ‘off’ by going to Settings, Passcode.
WHAT ARE THE ELEMENTS OF A GOOD EMPLOYEE TERMINATION POLICY AND CHECKLIST?
Losing an employee, whether through termination or voluntary resignation, is never easy. There are a lot of technical aspects to take into consideration when an employee leaves.
First, your business should make sure that the employee’s user account is disabled or deleted immediately upon departure. Too many times we see former employees’ user accounts still active after termination, presenting an unnecessary security risk. Second, create a checklist or form that you will use for each employee documenting the equipment returned such as laptops, mobile devices, keys, access cards and any software. Also, include statements documenting that the former employee has not taken any company information with them and that they will not attempt to access your systems once they leave. Make sure the employee signs a statement acknowledging that taking your data or having unauthorized access to your network after leaving your employment would be illegal.
WHAT ARE THE BASIC INFORMATION SECURITY TIPS ANY BUSINESS CAN TAKE?
There are a number of security steps any business can take to improve the security posture of its network.
First, having written policies and procedures that outline what your employees can and cannot do with your equipment lays the foundation of a good security plan. Second, implement a strong password policy – using 12-character passwords which change monthly, prohibit employees from using personal devices such as mobile phones and tablets on the network, and make sure your computers and servers are staying up to do with the latest security patches and releases. If you do determine that you want personal devices to connect to your network, you’re going to need a first-class mobile device manager.
Lastly, using a good endpoint security product will help to keep your systems protected from the latest malware threats.
WHAT SECURITY STEPS CAN I TAKE TO PROTECT MY COMPUTER?
There are a number of security steps that a user can take to protect their computer from malware, hackers, identity theft and data breaches.
First, it’s imperative that all computers have some sort of security protection suite installed, configured and running properly. Be sure to calendar when the license is up for renewal so that the subscription doesn’t lapse causing the definition database that the program uses to protect the computer from becoming outdated.
Second, be sure to set up a strong password requiring users to log into the system, including a secondary power-on password if necessary. Encryption will also help depending on the type of data stored on the computer system. Passwords should be at least 12 characters long and alphanumeric, and they should change monthly – and not be reused.
Finally, be sure to keep the system updated with Microsoft Windows Updates, as well as any third-party applications such as Adobe Reader.
HOW DO I SECURE MY SMARTPHONE?
Securing a smartphone is just as important as securing your computer, given how much employees use their smartphones for e-mail correspondence, texting, pick up voicemail messages, and document editing and review. These days, smartphones are really computers that happen to be able to make a phone call. There are a number of steps that can be taken to protect and secure a smartphone.
First, regardless of the type of smartphone, you should always enable a PIN or passphrase. We recommend that if your phone has the ability for passphrases – use them – as the longer the password is, the harder it is to guess it or crack it.
Second, you should look into security software for your phone. iPhone users may not have much luck in this category given how locked down the iPhone kernel is, but for Android and BlackBerry users, there are security solutions available for your phone. As a minimum, iPhone users should install a scanning security app such as VirusBarrier. For those business users, your current security solution protecting your computer systems may have additional support for mobile devices as many of the major vendors are now offering add-on licensing for mobile device protection. In the event that a smartphone is lost or stolen, if centrally managed using Microsoft ActiveSync, third-party tool or even your security solution, you may have the ability to remotely wipe the data off of the missing device.
HOW DO I KNOW IF THERE IS SPYWARE ON MY SMARTPHONE?
Spyware for smartphones exists. Although not seen as often as we find it on computer systems, it can be installed just as easily. Most of the spyware that we have come across has been found on Android and BlackBerry mobile devices, capturing a user’s SMS/Text messages, Messenger chats, email activity, call logs and call recordings. Spyware does exist for iPhones, but the phone has to be jailbroken in order to install it. Still, be aware that the attacks on all Apple products are increasing in number, so don’t assume your iPhone is safe.
All of the commercial spyware that we have researched and analyzed requires physical access to the mobile device for installation, which cannot be done or performed remotely. If you have an Android device, you may want to view your running processes to see what programs or processes are currently loaded into the phone’s memory. If you have an iPhone, you will want to look for signs that your device has been jailbroken, such as the presence of the Cydia app. Never accept a smartphone as a gift – you have no way of knowing what other gifts, namely spyware, may have been installed prior to receiving your smartphone.
To be clear, most users cannot effectively do this type of investigation themselves, and will need to retain experts to scan their devices for them.
WHAT IS SECURITY MONITORING AND HOW CAN IT PROTECT MY DATA?
Most businesses have the appropriate security measures in place to effectively protect their confidential information. However, security is not effective using the “set it and forget it” mindset.
How do you know your security solutions are effective? How do you know when you’ve successfully thwarted an attack or breach attempt? The short answer is you won’t unless you’re actively monitoring the performance and logs of your computer devices.
Security monitoring is simply the real-time monitoring of all of the output the security solutions in place generate. Even with all of the technology available to us today, it still requires a human to compile and correlate information from various, distinct devices to determine if a reaction measure is needed, such as a configuration update to block an open port, any steps that need to be taken if unusual patterns in network traffic are occurring, or in the worst case scenario, whether or not the incident response plan needs to be activated due to a data breach.
Questions? Need Help?
Please contact Director of Cybersecurity Mike Maschke at firstname.lastname@example.org or at 703.359.0700.