
Cloud helps schools secure data infrastructure

Today’s educational industry, in both the public and private sectors, faces a number of unique challenges when it comes to provisioning and securing data infrastructure.

Educational institutions are confronted with the same explosion of data and the same mounting demands for faster, more intuitive services as other sectors of the economy, but they operate with even tighter budgets and less in-house technical expertise. At the same time, regulatory burdens continue to highlight the tension between maintaining privacy and fostering an open, equally distributed learning experience.

For most organizations, three critical data security issues arise when provisioning and securing data infrastructure:

1. Data value and use

Most modern educational programs rely on data to identify and promote effective teaching and learning strategies. But these programs are highly dependent upon secure infrastructure, both on the physical and virtual levels, to guard against breaches or misuse of data by legitimate users. At the same time, both educators and administrators require better training to ensure the integrity of systems and data, both of which are evolving at a rapid pace.

2. Data governance

Governance policies should encompass both privacy and transparency along the entire data lifecycle, from creation to collection, use, sharing, and archiving. This is the only viable way to build trust among students, parents, faculty, and other stakeholders that data is both accurate and protected, all while ensuring that it is being used to improve the educational experience.

3. Security and privacy

The enormous amount of data being generated these days is only part of the challenge. Equally important are the myriad systems that data traverses throughout its lifecycle: student information systems, enterprise resource planning solutions, learning management platforms, library systems, and a wide range of vendor-managed tools. All of these systems must be hardened against intrusion and monitored for misuse.

Securing data infrastructure the right way

Educational policymakers play a key role in resolving the educational industry’s challenge with provisioning and securing their data infrastructures. For one thing, they need to recognize the numerous support functions and systems that foster the twin goals of making data systems usable and secure. They also need to recognize that adequate funding is necessary, not just for the various systems and tools but for proper IT staffing and training for the entire knowledge workforce.

To accomplish these goals in an effective manner, it helps to concentrate on the following key elements:

  • A comprehensive implementation plan for effective data use and new systems. A project coordinator should be appointed to oversee execution of the plan throughout institutions and districts.
  • A regular maintenance and upgrade program to keep pace with the continuously evolving security environment.
  • A streamlined process for staff turnover. Role and permission setups, access to appropriate data systems, training on effective use, troubleshooting, and general technical support for data systems should be included.
  • Mechanisms to address constant changes in technology and regulatory compliance. Particular attention should be paid to the frequent upskilling of IT staff.

Cloud solutions offer multiple benefits

It should be noted that many of these issues can be addressed quickly and at less cost by converting legacy infrastructure to modern cloud resources and services. In the cloud, maintenance and upgrades are done by the provider, while security is often better than in most legacy deployments. At the same time, workloads can scale dynamically in the cloud, so you only pay for what you need. And with adequate mirroring and replication, backup data is better preserved even if primary systems are lost completely, as in a natural disaster.

Education is one of the most important social functions within a modern society, but it is also one of the most expensive and complicated. The cloud can ease much of this burden, allowing schools to concentrate more fully on what they do best: teaching.

Learn how CBTS partnered with a private university to create a comprehensive plan for upgrading wireless and wired network access in residence halls, setting the stage for campus-wide WiFi connectivity.

Learn more about the CBTS partnership with the Dayton Public School District here.

Discover more about how CBTS delivers state-of-the-art technology for today’s schools and universities to keep up with the ever-increasing demands of students, parents, faculty members, administrators, and community stakeholders.

Continuous Penetration Testing critical for security

The rise of sophisticated new hacking tools has presented the modern enterprise with unpredictable and unprecedented security risks. While major attacks from highly sophisticated and sometimes even state-sponsored actors and organized cyber criminals garner most of the headlines, equally disturbing is the prevalence of ready-made hacking code, which can be downloaded and launched against unsuspecting targets by people with little or no coding skill.

To counter this, today’s enterprise must remain ever-vigilant to emerging threats, which means not only deploying the latest security measures but constantly testing them against real-world conditions.

CBTS helps you defend critical infrastructure

CBTS Penetration Testing (Pen Testing) provides the enterprise with the first step in defending critical infrastructure against malicious attacks. Our top security experts carry out what is commonly referred to as “ethical hacking”; that is, they try to break your security framework through a series of simulated attacks to identify vulnerabilities.

These attacks target key elements, such as:

  • Network infrastructure: Plugging gaps here can prevent intrusions that may cascade throughout the entire IT environment.
  • Critical assets: Facilities, systems, and equipment that can cripple operations if brought down by a cyberattack.
  • Wireless networks: Wi-Fi can often be used as a back door to critical infrastructure.
  • Web applications: 90 percent of all vulnerabilities lie on the application layer.
  • Physical assets: Hardware, software, data, and even personnel are vulnerable to attacks that can do serious damage to operations.

In addition, we conduct research into public vulnerabilities, followed by a staged breach to gauge your response capabilities. Afterward, we provide a detailed vulnerability analysis that includes recommendations for strengthening your security posture.

All of this is designed to find the holes in your data environment and correct them before hackers go rogue within your vital IT infrastructure. Our goal is to test multiple attack pathways without creating unnecessary risk to your network environment. We also work with each client to conduct an expansive assessment of operational processes, documented policies, and existing security controls to create a highly refined security posture, right down to the needs of individual business units, based on the industry-leading NIST Cybersecurity Framework.

Deploy cutting-edge solutions with CBTS

CBTS also has the expertise to deploy cutting-edge security solutions for every major business sector. We have established strategic partnerships with leading network and information security vendors to provide exceptional technology and technical support to our clients. Our engineers maintain the highest levels of certification, including CISSP, CISM, CCIE, and many others.

In this day and age, security is not something to be taken lightly. The distributed nature of modern IT infrastructure means that the enterprise can no longer wall itself off behind a firewall and hope for the best. Modern security requires a continuous, proactive approach that strives to keep you one step ahead of those who seek to compromise your IT infrastructure, whether it be to steal your data or shut your systems down.

After all, it is far easier to protect yourself ahead of time than it is to recover after the fact.

Learn more by reading our Penetration Testing infosheet.


2018’s Top 5 Enterprise Security Problems

It’s the most wonderful time of the year! No, we’re not breaking into song and dragging out the holiday lights … it’s National Cybersecurity Awareness Month, my favorite month-long holiday where I don’t have to buy gifts.

I hear from customers every day who are concerned about all of the ways attackers might get into their networks and onto their assets. Effectively protecting your organization certainly can feel like a moving target, and yet, when I consider the threat landscape from the past 20 years, some of the same weaknesses are still just as prevalent today as they were in 1998.

So what should keep security leaders and practitioners up at night today?

In assembling this list, my team and I considered the last few years of notable breaches. What are the bad guys grabbing from their toolbox when they start planning an attack? What’s most reliable for them? What can they count on finding when they evaluate a target’s environment?

I hope you’re ready for some acronyms and buzzwords as you read our thoughts on this set of questions:

5. Weak configuration on endpoint systems

We’ve grown a lot as an industry – and so when a modern enterprise operating system rolls out today, it’s had more effort put into ensuring a minimal attack surface than ever before. But your network probably still has legacy operating systems, network devices, and applications. And they’re often less hardened – running older protocols like SMBv1, allowing authentication using older suites like NTLMv1 or even LANMAN, or using services that send credentials, files, and session data in cleartext like SNMP or telnet.

I’ve seen customers embark on a ‘network modernization’ project to resolve some of these issues. They retire older applications and services; update their operational processes; and go through a hardening exercise using benchmarks from the platform vendor or from the Center for Internet Security.

4. Unrestricted cloud storage

In a rush to migrate applications and workloads to hosted infrastructure, we find many developers and architects overlooking basic access controls that restrict the public internet from downloading sensitive data. As a result, we’ve seen millions of records of PII exposed in the last few years.

Often, the culprit isn’t even the organization itself. Many times, a third-party marketing, analytics, or development group was given the data and left it out in the open. This oversight is most certainly what regulatory standards like GDPR are meant to address.

So, check the restrictions on your cloud storage – as well as the practices of the partners to whom you’re giving your data!
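The check suggested above, as an added example that is not CBTS code: it inspects an S3 bucket policy and an ACL for grants that let anyone on the internet read data. The policy and ACL shapes follow the AWS IAM policy language and the structure `get-bucket-acl` returns; both sample documents are constructed here, with a made-up bucket, role and VPC endpoint ID.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample bucket policy (not from any real account). "PublicRead"
# grants anonymous GetObject; "VpcOnlyList" is open to everyone but scoped
# by a Condition; "AppRoleWrite" names a specific principal.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-student-records/*"},
        {"Sid": "AppRoleWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-student-records/*"},
        {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-student-records",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0abc123"}}},
    ],
})

# Constructed sample ACL in the shape returned by get-bucket-acl: the second
# grant gives READ to the AllUsers group, i.e. to the whole internet.
SAMPLE_ACL: Dict[str, Any] = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]
}

# Predefined S3 groups that stand for "anyone" and "anyone with an AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Action prefixes that let a principal read or enumerate data.
READ_ACTION_PREFIXES = ("s3:get", "s3:list", "s3:*")


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions: Any) -> bool:
    return any(a.lower().startswith(READ_ACTION_PREFIXES) for a in _as_list(actions))


def find_public_policy_statements(policy_json: str) -> List[Tuple[str, bool]]:
    """Return (Sid, has_condition) for Allow statements that grant read access
    to everyone. Deny/NotPrincipal/NotAction handling is out of scope here;
    a statement with a Condition is still reported so the scope can be reviewed."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        findings.append((stmt.get("Sid", "<no sid>"), "Condition" in stmt))
    return findings


def find_public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Return the permissions granted to the public or all-authenticated groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


if __name__ == "__main__":
    for sid, conditional in find_public_policy_statements(SAMPLE_POLICY):
        print(f"policy statement {sid!r} is open to everyone"
              + (" (scoped by a Condition; review it)" if conditional else ""))
    for perm in find_public_acl_grants(SAMPLE_ACL):
        print(f"ACL grants {perm} to a public group")
```

Feed it the JSON from `aws s3api get-bucket-policy` and `get-bucket-acl` for each bucket, and treat every finding as something to justify in writing or remove; enabling S3 Block Public Access at the account level prevents the pattern from recurring.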

3. Unpatched software

Strong vulnerability management is still a challenge, and with more organizations allowing employees to use personal devices to handle company data, ensuring that all assets stay patched is a constant battle.

Patching effectively doesn’t happen by accident – it will take a concerted effort by security and operations staff to make sure patches are identified, tested, and distributed within 30 days of release, and that stragglers are identified and corrected through vulnerability assessments. Missing just one server can make all the difference!

Key to this effort: Know the assets that store and process sensitive data, and that run business-critical applications, and start your rigorous patching cycles there. Then expand to the entire environment in a phased approach. Or, have us do it for you.

2. Weak passwords

Yes, we’re still talking about passwords, despite tech media calling for their death for at least a decade. Face it, we’re stuck with passwords for the time being, and that’s why we still see attackers stealing them, guessing them, and cracking them.

If you’re a security practitioner, you should worry that your employees’ AD passwords are the same as the ones they set on their LinkedIn accounts that were stolen years ago. Or whether your network admins remembered to change the default password on the Cisco switch in the closet, or on the Liebert power unit controlling the power in the datacenter.

Password reuse, easily guessable passwords, and unchanged vendor-default passwords are still juicy opportunities for attackers. Good vulnerability management means auditing enterprise passwords, setting a strong password policy, and for goodness’ sake, using multi-factor authentication for critical applications, privileged accounts, and remote access.

1. Phishing and Social Engineering

You have to try really hard to work in a modern office environment and not know that phishing is a problem. So why do users keep falling for the scams? Because it’s still trivial for the bad guys to recon their targets, cook up an extremely convincing pretext, and slip it past your defenses.

You’ve probably heard of at least one successful phishing attack that led to someone installing ransomware in their environment in the last year. Or, one successful e-mail scheme that had a hapless junior financial staffer wire-transferring emergency funds to someone they thought was the CFO.

A series of controls is required to effectively protect against these kinds of attacks. People must be trained regularly, and you should use a variety of methods to teach them how to spot an attack. Processes and policies must enforce good behavior and hygiene to ensure employees know the consequences of a breach. And technology must protect the business, its data, and customers from ourselves – restricting access to malicious websites and email, stopping malware, and detecting attacker movements inside the network.

Thanks for reading, and enjoy this lovely month of October!

To learn more about CBTS security strategies, read our Ebook on Why your backup solution is crucial to defending your organization from ransomware.


Three steps to enhancing security solutions

For enterprise organizations, security transcends the day-to-day defenses against attacks.

Large companies often have to simplify, unify, and modernize security systems and security solutions that have grown complex and ineffective. In a merger, corporate security teams must reconcile a range of competing hardware and software configurations. At some point, most enterprises bring in security consultants to help make sense of their challenges and manage the most complex security tasks.

CBTS recently helped a global corporation grapple with these challenges. Here’s a look at three things we had to accomplish so that our client can manage the security threats coming at them from all directions.

1. Streamline your security solution.

Our client has factories, offices, and other facilities in the United States and overseas. Over the years, individual business units acquired a vast array of security technologies that became increasingly difficult to manage.

When the company merged with another global enterprise, it faced a major challenge in hardware and software complexity, which left the company vulnerable. Meanwhile, persistent intrusions and malware attacks exposed weaknesses in the client’s ability to identify intruders and neutralize them before they reached sensitive data.

The company contacted CBTS to help them bring all of their security solutions under the umbrella of a unified security platform. We partnered with a top Silicon Valley security technology provider to implement next-generation firewall hardware and intrusion-detection software.

These new tools allow security experts to sandbox malware code, fend off zero-day attacks, and detect evidence of advanced persistent threats.

2. Centralize security management.

A company with locations around the world needs a central platform for all of its security operations. The Panorama platform from Palo Alto Networks helped us ensure every site views their security status through a single pane of glass that provides in-depth insights on network activity and security threats.

Panorama helps IT admins:

  • Manage multiple devices and data sources through a common interface.
  • Create a common rule base for firewalls, IPS, URL filtering, and other functions.
  • Set group hierarchies to separate devices into subgroups that match the company’s organizational structure.
  • Create templates to automate security configurations.

The result is much better visibility of the entire network system and all the security tools within it.

3. Partner with an IT security solutions expert.

Our global manufacturer needed a partner with two kinds of expertise:

  • Direct internet security experience, knowledge, and training across a wide variety of industries and markets.
  • Managed services capabilities in on-premises, hybrid, and public cloud infrastructures.

The company needed an IT security provider with extensive experience. CBTS security experts have comprehensive training and deep expertise in highly sensitive security environments.

We also have a managed-services division specializing in security. This service delivers 24x7x365 monitoring, intrusion detection, and advanced perimeter defense.

Find out more in our free case study

Our combination of deep expertise and partnerships with world-class enterprise security vendors ensures we can match clients with the provider that best solves the client’s unique IT challenges.

Our global manufacturing client now has a robust security apparatus—racks of firewall hardware supported by the most advanced cyber defense software on the market.

Download our free case study to see how we did it.


Is SMS-based Multi Factor Authentication Secure?

The latest “religious war” brewing in the information security community seems to center around whether or not SMS text messages should be used to deliver one-time passwords (OTPs) as a method of multi-factor authentication. Oh, for the days of emacs and vi!

Two recent news stories have contributed to the increased chatter around this issue. Google claims that they’ve seen no successful phishing attacks against their 85,000 employees since early 2017 when they migrated away from OTPs as a second authentication factor and switched to physical security keys. And, forum website Reddit recently discovered a breach and claims that the attacker was able to steal administrative credentials by intercepting the administrator’s OTP that was sent via SMS.

Opponents of SMS-based MFA believe that this act – obtaining OTPs sent via SMS – is trivial in 2018. Let’s examine some of the methods that attackers can employ to accomplish this.

How Attackers Steal SMS-Based OTPs

The most common method of attack is called “SIM jacking”. An attacker can contact the target’s cell provider, claiming to be the target, and convince the provider to switch the target’s phone number to a new SIM card, one that’s loaded in a phone the attacker possesses. They are then able to receive the target’s text messages and phone calls. Similarly, a “porting” attack involves contacting a different cell provider than is used by the target, and asking the provider to port the target’s number to that service.

A more complex attack can be conducted against the Signaling System 7 (SS7) infrastructure used by different telcos to interact with each other. An attacker with access to this infrastructure – not an easy feat by any stretch – could intercept text messages and record phone calls.

Finally, malware loaded on a mobile device that can intercept SMS messages, and deliver them to the malware’s operator, has been around for years. Often it is distributed as a part of a legitimate-looking application, as was the case with the Perkele and Pincert malware families.

Should You Be Using SMS For OTPs?

If you’re an individual concerned about protecting access to your accounts, should you be worried?

Somewhat. There are certainly ways to intercept SMS messages. Most require concerted effort by a human attacker, though, and while this obviously occurs, it is far less likely than the opportunistic attacks that most individual home users deal with. Put simply, most people won’t find themselves targeted specifically for this type of attack unless a cybercriminal or nation-state is dedicated to gaining access to their data and systems.

(For my own personal security, I trust SMS-based OTPs for some websites and applications that don’t handle my financial information or any personal information beyond my email address. For all others, I use stronger controls, such as physical keys and authenticator apps that generate OTPs only I can see.)

How SMS-Based OTPs Affect Enterprise Security

Enterprises have a different set of use cases, though, than individuals. Tasked with protecting access to business-critical applications, sensitive data sources, and privileged accounts, enterprises must make different risk calculations than home users. Deploying MFA in the enterprise requires the rollout and administration of authentication applications, management of keys for individual users, and integration with existing directories and user-facing services like the helpdesk.

Security teams in these circumstances may consider a mix of tools and products. One of our guiding principles in designing security architecture is that the complexity of a given security control is likely to grow in proportion with the criticality of the asset being protected, or the severity of the risk in question (or both). Applied here, the simplicity of using SMS 2FA may not outweigh the risk of a targeted attack that would expose SMS-based OTPs, and therefore would not be sufficient to protect access to critical applications or elevated privileges. While managing hardware keys adds overhead and complexity, it does reduce the risk of compromise of credentials by guaranteeing a more effective second factor.

A variety of solutions beyond SMS-based OTPs and hardware keys exist, though. CBTS partners with vendors like Duo Security, Microsoft, and RSA to help sort out the right approach for enabling MFA in an enterprise. We’d love to help you figure out the most effective path forward.


Cloud DRaaS solution mitigates hurricane impact

Hurricanes impact everyone from Houston to Miami to Manhattan—especially people running IT operations, often without a disaster recovery as a service (DRaaS) solution.

The push for digital transformation presses this point home during hurricane season, which starts in June and runs through November. Organizations depend on constant access to data, networks, sensors, and servers like never before.

There’s plenty to worry about in Hurricane Alley and population-dense areas of the Eastern Seaboard. High winds knock out power lines in the storm’s path. Heavy rains flood cities and towns hundreds of miles inland for days after a hurricane makes landfall. Evacuations clog highways and separate people from their homes, offices, and workplaces.

The hazards became all too evident in 2017. Hurricane Harvey hovered off the coast of Houston in late August, delivering pounding rains that swamped vast swaths of the city and inflicted $125 billion in damages, the worst since Hurricane Katrina. In the days and weeks to come, Hurricane Irma menaced South Florida and Hurricane Maria devastated Puerto Rico.

Moreover, few IT professionals can forget the impact of Hurricane Sandy in 2012, when high winds and flooding punished organizations that lost their data centers and their backups. If your organization requires always-on IT access, you can’t afford to ignore even remote risks of hurricane-related outages.

How DRaaS reduces hurricane risk

One way to mitigate hurricane hazards is to partner with experts in DRaaS, which has four core advantages:

  • Distance: IT operations can be hosted in data centers beyond the reach of powerful storms.
  • Real-time failover: Replication and virtualization technologies allow your DRaaS provider to create a redundant version of your critical systems, holding downtime to a minimum and protecting your business reputation.
  • Cost: You don’t have to invest millions designing, configuring, and managing a redundant data center that goes unused for months or years at a time. Your DRaaS provider takes care of everything. You pay a predictable monthly fee based on usage.
  • Expertise: Replicating all your IT services is an incredibly complex prospect, requiring deft design, careful implementation, precise documentation, and thorough testing. Typically, it’s more efficient to hire experts than it is to spend months learning all the facets of disaster recovery yourself.

At CBTS, we have extensive experience with data centers, replication technologies, and system design. Our DRaaS experts have set up these kinds of systems for a broad range of industries and marketplace requirements. Our expertise arrived just in time for a South Florida company in 2017.

Case study: Wittock CPA

CBTS helped an accounting firm keep its operations online during Hurricane Irma in 2017. Wittock CPA was working with a large volume of data related to damage claims from the 2010 Blackwater Horizon oil spill. The company required a 15-fold jump in staff to handle the claims and could not afford the prospect of days or weeks of downtime from a hurricane.

CBTS implemented a cloud-hosted environment with high-availability data centers hosted in the Midwest, far from the hazards of storm-related downtime. When Hurricane Irma made landfall, employees had access to their data, and all critical systems remained online. CBTS support staff helped resolve employees’ questions as they came up.

“I’ve had a long career in the IT industry and know what it takes to protect a rapidly growing firm like Wittock CPA from simple incidents to much larger threats like a hurricane. Irma would put any organization to the test, but because we took the preemptive steps to implement business continuity and cloud hosting with CBTS, it was business as usual from an IT perspective.”

– Craig Turner, Director of IT and Continuity, Wittock CPA

To find out more about how CBTS helped this company dodge a disaster, download our free case study.


Security experts leverage offensive, defensive tools

Justin Hall is Director – Security Services for CBTS. In the last post of this 3-part series, Justin discusses ways to learn the tools used by security practitioners. In Part 1, Justin discussed the process of developing a background in enterprise IT. Part 2 focused on how to better understand the “attacker mindset.”

An understanding of the purpose and operation of commonly used security tools not only gives you practical capabilities, but helps to shape that mindset we discussed last time – the attacker’s goals and how they plan to technically accomplish them.

It’s a common theme in security to cut the industry in half and call one side “offense” and one side “defense.” Offense is the practice of compromising a network, while defense is about protecting a network against those efforts.

Every time I speak to a group of students looking to get into the security industry and I ask what excites them about the field, invariably a few of the students respond: “We wanna hack things for a living!” I can’t say I blame them. It’s certainly been one of the more entertaining elements of my career. In that vein, many folks assume that learning the tools used by security practitioners means only the offensive tools.

Offensive tools in security

Learning offensive tools is rewarding on many levels: Gaining practical experience, solving problems when the tools don’t work as expected, and exposing your brain to the approaches taken by an attacker. Probably the most common path is to grab a collection of tools in a package like Kali Linux (built around penetration testing) or SamuraiWTF (built around web application testing) … but then what next? We recommend trying some “capture the flag” (CTF) exercises where you can actually attempt common goal-based attacks in a safe environment. You can also participate in live CTF competitions at security conferences. You might also play around with purpose-built virtual machines and applications that are built solely to practice offensive techniques.

Defensive tools in security

Defensive tools might not be as exciting, but are equally valuable from a learning and career preparation perspective. As they’re typically commercially sold products, we recommend grabbing free versions of some of the more popular tools, such as:

  • Splunk, the log management platform. Splunk also offers a great add-on module (a “Splunk app”) called Security Essentials that’s meant solely for learning how to build, run, and use the product as a security monitoring and incident response tool.
  • OpenDNS, the DNS/web security product. I use this on my home network to filter malicious and adult traffic, and it’s a great, low-impact project to deploy and maintain a fairly simple but incredibly effective security control.
  • Immunet, an endpoint security product. If you use Windows, you can certainly learn a bit about endpoint protection by messing with the configuration of the built-in Defender antivirus product, but Immunet goes a step beyond by leveraging threat intelligence gathered automatically from infections caught by other deployed Immunet clients.
  • Nessus, a vulnerability scanner. Use this to scan your home or lab network for vulnerabilities, and then read up on what it discovered, and fix them. Nessus is free for use in the home for up to 16 hosts.

Understanding common IT applications

Security practitioners don’t just use tools that are designed for security work. It is just as important to learn the role played by common applications that IT professionals sit with every day. Some examples:

  • Active Directory and Group Policy. In a Windows environment, these applications control system configuration, authentication, role-based access, service interoperability … and yet many security practitioners have no fundamental understanding of how these tools work and are used.
  • I love Chris Campbell’s description of PowerShell as Microsoft’s post-exploitation language – most security folks think of this tool solely as a mechanism to attack a target system and not get caught, while IT ops folks think of it as a powerful scripting platform that can automate a ton of functions. Either way you see it, if you’re in IT or security in 2018, it’s worth the effort to gain fluency.
  • Prefer Linux? Get to know the shell you use (probably bash) and common GNU command line tools like grep, sed, and awk. The Command Line Kung-Fu blog is an excellent resource. Learn regular expressions and bpf while you’re at it.

I’ll put down the firehose for now and encourage you to start anywhere in this list of topics – any and all of them will be helpful to get you moving in your journey to a security career, and build off the other components as well as your existing knowledge. We’re looking forward to having you. Good luck!

Read more about Security offerings from CBTS. And read this case study to learn how CBTS helped an enterprise client form a security strategy to advance their maturity, increase their risk management capabilities, reduce the attack surface for each business line, and improve their overall corporate security posture.

Understanding the “attacker mindset” in security

Justin Hall is Director – Security Services for CBTS. In Part 2 of this 3-part series, Justin discusses how to better understand the “attacker mindset.” In Part 1, Justin discussed the process of developing a background in enterprise IT.

Practitioners in the security industry are charged with protecting organizations and their assets – their computing environment, data, employees, and customers. Understanding the threats against which you are defending is critical to this protection effort. What are they after? How do they achieve their goals? What can you expect when you face them? What countermeasures and strategies are effective to employ?

The best defenders of a network are used to thinking like an attacker. So how does one develop this mindset?

Plenty of folks in our industry started as so-called “black hats” – those who attack, disrupt, or compromise computer systems for financial gain, to back a political or social cause, or to cause havoc. While this is certainly an effective approach, it’s usually not legal.

I’ve found that listening to industry veterans and seasoned practitioners, as well as former black hats, is a much better option. In that vein, try attending security conferences and events where you can listen to these folks speak and provide formal training. There’s also a good opportunity to learn about the ever-changing threat landscape, new attack techniques, and new tools.

Hundreds of security conferences take place all across the United States and other countries – look at a list and find one in your area. A good way to meet local practitioners, especially ones who might be interested in providing you guidance and mentoring, is to find a Security BSides conference; these are assembled and run by volunteers. And if you can’t make it to a security conference, most nowadays are recorded and posted online.

We can also learn to stop attackers by looking at the best practices agreed upon by experts from the security community, regulatory bodies, and technology vendors. Dozens of these standards have been used by practitioners for years and make excellent reading material if you’re looking to get ready for the industry:

  • The NIST Cyber Security Framework. As mentioned in a previous post, the CSF is a guide to developing a formal security program. Their publication 800-53r4 is also the “gold standard,” as it were, for security controls – the fundamental people, processes, and technologies you need to have in place to protect your organization.
  • The Center for Internet Security’s Top 20 Critical Security Controls. If NIST 800-53r4 is too wordy, the Top 20 is a consolidated and far more approachable standard. It’s also much more frequently updated and is shaped by feedback from the security community at large (and not just NIST).
  • The MITRE ATT&CK Framework. MITRE’s goal with this resource is to document common attacker actions and tactics, along with methods of detection on a variety of popular computing platforms.
  • The Open Web Application Security Project. A group that oversees many community-based application security standards-development projects. One of their most popular is the Top 10 Common Web Application Security Risks, an often-referenced list of the issues in web applications that developers need to consider when writing secure code.

Lots to read and watch! Come on back soon for part 3.


Security starts with enterprise IT knowledge

Justin Hall is Director – Security Services for CBTS. In Part 1 of this 3-part series, Justin discusses how a core knowledge of enterprise IT is critical in order to effectively protect networks.

For several years I’ve been going back to my alma mater, the University of Cincinnati, to speak to groups of undergrad and graduate students about the information security industry. My goal is to demystify security and inspire them to consider a career in one of a dozen security disciplines.

Invariably during these talks I am asked a very common question: “How do I get a job in the security industry?” In response, I’ll share my own 20-year story, starting in PC repair and sales, moving to tech support, systems administration, and running an IT department, before jumping into a security career – first as an engineer, architect, and consultant, and then running a security team.

I’ll also share three essentials to successfully landing a security job, which I’m going to cover in this blog series. There’s no single path to the industry, to be sure. In order to develop a foundation that can land an entry-level job and provide an arc to a long-term career, it’s worth looking into these fundamentals.

Core knowledge of enterprise IT

Today, we’ll cover number one: a core knowledge of enterprise IT. This is perhaps a bit obvious – certainly someone needs to be technical and understand how a computer works to survive in security, right?

The depth required goes beyond CPU, RAM, and a hard disk. To effectively protect any company network, one needs to recognize the critical components – servers, workstations, network devices, applications, and security defenses. How do they interact? In what network segments do they typically sit? What products or solutions are commonly used in each of these categories? At a high level, what are the essential configuration best practices for each?

For example: Imagine a network used by a physician’s office. Think about the variety of computing devices in use there: Beyond traditional workstations, multi-function printers, and laptops, you might see connected medical devices, credit-card processing machines, and surveillance cameras. Servers would run authentication systems, file management, accounting and finance, ERP, messaging, and electronic medical record apps. Some may be running from local servers, and some may sit in the cloud. Network devices will include switches, routers, wireless access points, and firewalls.

Now imagine a software company. What types of assets would be the same as the physician’s office? What would be different? How would their IT needs be similar/different? What about a retailer or bank? What happens when you add multiple sites/locations? Imagine scaling up to the size of a multinational conglomerate. Think about the pieces and parts that need to change, duplicate, or scale.

Enterprise IT involves depth and breadth

This scope of understanding is what I mean by “knowing enterprise IT.” There’s a level of depth in addition to the breadth, though. Defending an environment with Windows workstations and servers, for example, means understanding the fundamentals of what makes Windows tick – the filesystem, registry, Group Policy, configuration, and the like.

How does one acquire this knowledge?

  • Build it yourself! A home lab is a great place to get hands-on experience with enterprise IT. You could grab an old PC and install free versions of VMware’s vSphere or Microsoft’s Hyper-V, and deploy eval copies of Windows Server and workstation OSes, Linux, or a variety of prebuilt VM appliances. Tons of great tutorials exist – I like this one from Paul Braren on building a VMware ESX lab.
  • You could also use free or inexpensive tiers of service offered by IaaS providers like AWS, Azure, or DigitalOcean to build VMs quickly, install and configure applications, and build virtual networks.
  • If you’re serious about improving your enterprise IT knowledge, and want to invest your time and money, find a local university or online school that offers IT courses or degree programs.
  • Finally, take the plunge and find a systems or network administration job. Without a formal education in security, it’s rare to be able to jump right in without doing the so-called “grunt work” needed to acquire real-world experience. A few years building, breaking, and fixing some enterprise networks is sure to cement your ability to operate with comfort in the industry.

Thanks for reading! Stay tuned for part two.


The key to strong security programs

Congrats are in order for the folks over at the National Institute of Standards and Technology! A few weeks ago, a new version of their Framework for Improving Critical Infrastructure Cybersecurity (which we call the Cyber Security Framework, or CSF) was released.

The CSF, as with most other NIST Special Publications around security, receives regular updates to keep pace with the changes in the threat landscape, the security product market, and new regulatory compliance requirements in a variety of industries. I talk often to customers who are facing the challenge of protecting their data and systems, but find it hard to adjust as those factors change year to year, and they feel there isn’t sufficient organizational focus on practicing good security.

What is a security program?

You may have heard the term “security program” before – you’d certainly hear me mention it in these conversations with customers. Maybe it’s why you clicked on this article. What is a security program? What’s so magical about it that I need it in my organization?

When I describe a security program, I’m talking about the collection of individuals, teams, and their efforts to protect their organization from a variety of threats. I’m talking about the policies, standards, and guidelines they enact to formally document roles, responsibilities, actions, and behaviors of employees, users, third-parties, and anyone else that might have a role in this protection effort. I’m talking about the management efforts to advance the maturity of the organization’s protection effort, and to mitigate risks to the business.

It’s a team, led by a leader or group of leaders, much like many other teams in your organization. Yours will look similar to other teams … and also very different. There’s no one right way to build a security program (but certainly plenty of wrong ways). What helps is a guide – and the NIST CSF is a fantastic, free guide built just for that purpose.

It defines five Functions for which the security program is responsible: Identify, Protect, Detect, Respond, and Recover. It details how to build a security program, and grow it over time, to achieve this goal. And it provides a way to measure your capability and the success of the program and how to tell if it is meeting its goals.

JD Rogers, the CISO of Great American Insurance, did a fantastic talk last year on how he and his team used the CSF to develop a strategy to grow and measure the success of their security program. The slides from the talk are here.

CBTS will help you with security

If your organization doesn’t have a security program today, and you might be a person considered responsible for security in that organization, the NIST CSF is absolutely worth a read. It may seem daunting, but Rome (and its security program) wasn’t built in a day. You may be able to look back a few years later, after beginning these efforts, and see real change that has been effected because of this practice. You might even sleep better at night!

If you’re interested in seeing how you stack up to the NIST CSF, or if you’d like help with those critical first steps of building your security program, come and talk to us. We’ve helped many businesses in many industries with this process and we’d love to help you.
