<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-8089246</atom:id><lastBuildDate>Wed, 28 Aug 2024 08:43:49 +0000</lastBuildDate><title>ebusinessmantra</title><description>&lt;i&gt;Data Security and Compliance Solutions | Cyber Security Training for businesses.&lt;/i&gt;</description><link>http://ebusinessmantra.blogspot.com/</link><managingEditor>noreply@blogger.com (ebusinessmantra)</managingEditor><generator>Blogger</generator><openSearch:totalResults>12</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8089246.post-3704416222437539375</guid><pubDate>Mon, 11 Jul 2022 17:23:00 +0000</pubDate><atom:updated>2022-07-11T13:25:03.837-04:00</atom:updated><title>Business Owners!, What do need to do to be a Cyber leader for your business?</title><description>&lt;p&gt;&amp;nbsp;Being a cyber leader does not require technical expertise, but rather an ability to change the culture of your organization. Reducing your organization’s cyber risks requires awareness of cybersecurity basics. As a leader, you need to drive your organization’s approach to cybersecurity as you would any other hazard (e.g. how you identify risk, reduce vulnerabilities, and plan for contingencies). This requires an investment of time and money, as well as the collective buy-in of your management team. Your investment drives actions and activities, and these build and sustain a culture of cybersecurity.&lt;br /&gt;&lt;br /&gt;Approach cyber as a business risk. 
Ask yourself what type of impact would be catastrophic to your operations? What information if compromised or breached would cause damage to employees, customers, or business partners? What is your level of risk appetite and risk tolerance? Raising the level of awareness helps reinforce the culture of making informed decisions and understanding the level of risk to the organization.&lt;br /&gt;&lt;br /&gt;Determine how much of your organization’s operations are dependent on IT. Consider how much your organization relies on information technology to conduct business and make it a part of your culture to plan for contingencies in the event of a cyber incident. Identify and prioritize your organization’s critical assets and the associated impacts to operations if an incident were to occur. Ask the questions that are necessary to understanding your security planning, operations, and security-related goals. Develop an understanding of how long it would take to restore normal operations. Resist the “it can’t happen here” pattern of thinking. Instead, focus cyber risk discussions on “what-if” scenarios and develop an incident response plan to prepare for various cyber events and scenarios.&lt;br /&gt;&lt;br /&gt;Lead investment in basic cybersecurity. Invest in cybersecurity capabilities for your organization and staff. This includes not only investments in technological capabilities, but also a continuous investment in cybersecurity training and awareness capabilities for your organization’s personnel. Use the Cyber Essentials to have conversations with your staff, business partners, vendors, managed service providers, and others within your supply chain. Use risk assessments to identify and prioritize allocation of resources and cyber investment.&lt;br /&gt;&lt;br /&gt;Build a network of trusted relationships for access to timely cyber threat information. Maintain&amp;nbsp; situational awareness of cybersecurity threats and explore available communities of interest. 
These may include sector-specific Information Sharing and Analysis Centers, government agencies, law enforcement, associations, vendors, etc.&lt;br /&gt;&lt;br /&gt;Lead development of cybersecurity policies. Business leaders and technical staff should collaborate on policy development and ensure policies are well understood by the organization. Perform a review of all current cybersecurity and risk policies to identify gaps or weaknesses by comparing them against recognized cyber risk management frameworks. Develop a policy roadmap, prioritizing policy creation and updates based on the risk to the organization as determined by business leaders and technical staff.&lt;br /&gt;&lt;br /&gt;(Source: CISA)&lt;/p&gt;</description><link>http://ebusinessmantra.blogspot.com/2022/07/business-owners-what-do-need-to-do-to.html</link><author>noreply@blogger.com (ebusinessmantra)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8089246.post-2978677449755841311</guid><pubDate>Wed, 06 Jul 2022 18:32:00 +0000</pubDate><atom:updated>2022-07-06T14:32:29.106-04:00</atom:updated><title>Ten key cybersecurity tips to protect your small business</title><description>&lt;p&gt;&amp;nbsp;Information technology and high-speed Internet are great enablers of small business success, but with the benefits comes the need to guard against growing cyber threats. As larger companies take steps to secure their systems, less secure small businesses are easier targets for cyber criminals.&lt;/p&gt;&lt;p&gt;1. Train employees in security principles. Establish basic security practices and policies for employees, such as requiring strong passwords and establish appropriate Internet use guidelines, that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.&lt;br /&gt;&lt;br /&gt;2. Protect information, computers, and networks from cyber attacks. 
Keep clean machines: having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.&lt;br /&gt;&lt;br /&gt;3. Provide firewall security for your Internet connection. A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.&lt;br /&gt;&lt;br /&gt;4. Create a mobile device action plan. Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.&lt;br /&gt;&lt;br /&gt;5. Make backup copies of important business data and information. Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly and store the copies either offsite or in the cloud.&lt;br /&gt;&lt;br /&gt;6. Control physical access to your computers and create user accounts for each employee. Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. 
Administrative privileges should only be given to trusted IT staff and key personnel.&lt;br /&gt;&lt;br /&gt;7. Secure your Wi-Fi networks. If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.&lt;br /&gt;&lt;br /&gt;8. Employ best practices on payment cards. Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.&lt;br /&gt;&lt;br /&gt;9. Limit employee access to data and information, and limit authority to install software. Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.&lt;br /&gt;&lt;br /&gt;10. Passwords and authentication. Require employees to use unique passwords and change passwords every three months. Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. 
Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.&lt;br /&gt;&lt;br /&gt;Source: FCC&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;</description><link>http://ebusinessmantra.blogspot.com/2022/07/ten-key-cybersecurity-tips-to-protect.html</link><author>noreply@blogger.com (ebusinessmantra)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8089246.post-7265549871366427034</guid><pubDate>Tue, 14 Sep 2021 14:55:00 +0000</pubDate><atom:updated>2021-10-05T11:28:09.991-04:00</atom:updated><title>Is your small business compliant with Data Security Regulations?</title><description>&lt;p&gt;&amp;nbsp;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-weight: 700; white-space: pre-wrap;&quot;&gt;Develop a WISP that helps you be compliant with Massachusetts’s data security regulations&lt;/span&gt;&lt;/p&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;At Compliance+ Security, we help small businesses safeguard their customers&#39;, employees&#39;, and contractors&#39; Personally Identifiable data. The most helpful safeguard is to comply with the law and to protect data by developing a Written Information Security Program (WISP). 
A WISP is a document that details an organization’s security controls, processes, and policies, and must be tailor-made to fit a business’s needs and to comply with the law.&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;You value your data, and so does a hacker&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;A common misconception that my clients have is that breaches only happen to big businesses. There are notable examples from Equifax, Yahoo!, LinkedIn, Facebook, and others where a single data breach compromised millions of individuals’ data at once. But the data reveal a different story. The data show[2] that the vast majority of data breaches affect a smaller population of 1-10 individuals at a time. Every business, large and small, is a target for hackers and malicious actors to acquire personal data. 
Even though attention is paid to the big breaches, there are hundreds of little breaches that happen every day.&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;Reality of numbers&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;In 2021 so far,* there have been 2,188 reported data breaches in Massachusetts, affecting over 1 million residents. At this rate, by the end of the year, there could be as many as 1.5 million Massachusetts residents that have had their information compromised, just in this year alone.&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;Massachusetts’s data security regulations have teeth&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;Massachusetts has made significant efforts to protect residents from data breaches. 
These efforts include passing Chapter 93H and pursuant regulations published by the Office of Consumer Affairs and Business Regulation (OCABR)[4]. These regulations apply &quot;to all persons that own or license personal information about a resident of the Commonwealth.&quot; Personal information includes: (a) Social Security number; (b) driver&#39;s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number [5]&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;Chapter 93H authorizes the Attorney General to bring action which can include Court-ordered relief such as injunctions, consumer restitution, and civil penalties.[6] Civil penalties can be up to $5,000 for each violation, plus the cost of investigation and litigation. In some cases, the damages could be trebled.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;The landmark case of Commonwealth v. Equifax, Inc., No. 1784CV03009BLS2, 2018 WL 3013918 (Mass. Super. Apr. 3, 2018) demonstrates just how deep the teeth can be in this law. In that case, the Attorney General alleged that Equifax &quot;knew or should have known about the data breach by July 29, 2017; and that Equifax waited to provide the required notice until September 7, 2017&quot;[7]. 
After their motion to dismiss was denied, Equifax settled with the Attorney General for &lt;/span&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;$18.2 million&lt;/span&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;[8].&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;Don’t be the next Equifax. &lt;/span&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;Equifax could have avoided the whole litigation if they implemented safeguards for their data, reported the breach and followed the rules set forth in Chapter 93H. &lt;/span&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;The good news is that Chapter 93H and supporting rules allow companies to implement safeguards that are appropriate to the size, scope, and type of business, and the amount of resources available. The bad news is that businesses of all sizes need to provide 18 months of credit monitoring to all residents affected by a breach. 
Assuming a cost of approximately $15 to $25 per affected resident, providing credit monitoring alone adds up quickly for a small business.&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;Reach out to us to learn more. We offer free consultations to help you develop a WISP that is tailored to your business needs, be compliant with the law, and safeguard your customer’s data.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;FOOTNOTES:&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;*As of September 8, 2021, &lt;a href=&quot;https://www.mass.gov/lists/data-breach-notification-reports&quot; target=&quot;_blank&quot;&gt;Data Breach Notification Report&lt;/a&gt; &lt;/span&gt;&lt;/p&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;[2] &lt;/span&gt;&lt;a href=&quot;https://www.mass.gov/lists/data-breach-notification-reports&quot; style=&quot;text-decoration-line: none;&quot;&gt;&lt;span style=&quot;color: #1155cc; font-family: 
Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;https://www.mass.gov/lists/data-breach-notification-reports&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;[3] &lt;a href=&quot;https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H&quot;&gt;General Laws Chapter 93H&lt;/a&gt; &lt;/span&gt;&lt;/p&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;[4] &lt;/span&gt;&lt;a href=&quot;https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-ma-residents&quot;&gt;&lt;span style=&quot;color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;MA Data Security Regulations - 201 CMR 17.0&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;[5] 201 CMR 17.02.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; 
font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;[6] MGL c. 93H, Section 6; MGL c. 93A, Section 4&lt;/span&gt;&lt;/p&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;[7] Commonwealth v. Equifax, Inc., No. 1784CV03009BLS2, 2018 WL 3013918, at *3 (Mass. Super. Apr. 3, 2018)&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;The publication contains information about regulations, laws, enforcement, penalties, court cases pertaining to data security regulations, data breach notification laws, and data destruction laws. The information is not legal advice, and should not be treated as such. This publication, which may be considered advertising under the ethical rules of certain jurisdictions, should not be construed as legal advice or a legal opinion on any specific facts or circumstances. 
This newsletter is intended for general information purposes only, and you should consult an attorney concerning any specific legal questions you may have.&lt;/span&gt;&lt;/p&gt;</description><link>http://ebusinessmantra.blogspot.com/2021/09/is-your-small-business-compliant-with.html</link><author>noreply@blogger.com (ebusinessmantra)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8089246.post-2422230936593551788</guid><pubDate>Wed, 09 Dec 2020 16:57:00 +0000</pubDate><atom:updated>2020-12-09T11:57:38.823-05:00</atom:updated><title>Cybersecurity: Seeking complex solutions to simple problems</title><description>&lt;p&gt;I recently saw the movie &quot;The Boy Who Harnessed The Wind&quot; on Netflix. It made me think that solutions to complex or even existential problems could be very simple. Some of us in the cybersecurity field are quite the opposite. We tend to view cybersecurity strictly from a technology viewpoint, ever searching for complex solutions and complex procedures for simple problems. &lt;br /&gt;&lt;br /&gt;Take, for example, migration to the cloud. Before I took up an in-depth study of a cloud platform, I was led to think of the cloud as something very complex, requiring very specialized skill sets. Frustrated with this mindset, I decided to take on the study of Amazon Web Services (AWS) Solutions Architect. As I went through the course, I found that working in the cloud was simpler than working in on-premises environments. A few clicks and you can have web servers and applications running. I remember spending days building web servers and making applications run on a bare-bones box which IT would hand over to me. Perhaps that hands-on experience made it easy to understand the cloud. 
That hands-on experience taught the fundamentals and a tendency to seek simplicity even in the most complex situations.&lt;/p&gt;&lt;p&gt;Many of the vulnerabilities listed on the OWASP Top 10 have been there for many years, for example, Injection flaws or Cross Site Scripting. One possible explanation could be that, rather than addressing the root cause, most security professionals and developers tend to focus on a complex coding approach. I have designed applications at the user interaction level and the backend processing level, focusing primarily on eliminating the root cause. And that has worked. Once you address or eliminate the root cause, complex coding would simply be decoration that would enhance the robustness of the application.&lt;br /&gt;&lt;/p&gt;</description><link>http://ebusinessmantra.blogspot.com/2020/12/cybersecurity-seeking-complex-solutions.html</link><author>noreply@blogger.com (ebusinessmantra)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8089246.post-5755149947329011082</guid><pubDate>Sun, 17 May 2020 19:04:00 +0000</pubDate><atom:updated>2020-05-17T15:12:46.944-04:00</atom:updated><title>Cybersecurity as Value Add to business</title><description>Compared to past practices, every business has been adopting digital technology in how it does business. And now, companies have responded to the coronavirus pandemic by moving as many processes as possible to digital formats. However, the pandemic merely accelerated the ongoing movement of businesses transforming their business processes to a digital format, which started decades ago. This process is a digital transformation, and as a result, new risks to the company arise. These new risks from digital transformation come in the form of cyber risk. &lt;br /&gt;
&lt;br /&gt;
To combat cyber risk, companies should bolster their cyber security efforts. Cybersecurity is fundamental to the digital transformation because it ensures that the new business processes are safe from malicious attacks. Furthermore, the expectation from customers is that new, digital business processes are done safely and securely.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Cybersecurity begins with a mindset: being mindful of your fiduciary responsibility towards your customers, their data, their information, their assets–all of which have been entrusted to you. Cybersecurity is not about tools and technology—tools and technology are means to achieve that mindset. Securing your physical property likewise begins with accepting the need to secure it, with locks and security systems as the tools and technology that meet that objective. &lt;br /&gt;
&lt;br /&gt;
Cybersecurity is not about technology; it is a fundamental capability that lets businesses be adaptive and resilient to changing business processes and an ever-changing threat landscape.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;NIST Cybersecurity Framework to deliver on the value proposition&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
I have been studying the NIST Cybersecurity Framework and applying the framework to organizations. The goal is to help businesses incorporate cybersecurity into all aspects of their digital practices. &lt;br /&gt;
&lt;br /&gt;
The framework is outcome driven and provides activities that the organization needs to perform to achieve those outcomes. Since the framework does not mandate how an organization must achieve those outcomes, it enables scalability.&amp;nbsp; A small organization with a low cybersecurity budget is able to approach the outcome in a way that is feasible for them.&lt;br /&gt;
&lt;br /&gt;
Every business already has some security practices in place—for example, passwords on email accounts are ubiquitous. The key, however, is identifying the gaps between where the company is now, its &lt;i&gt;current profile&lt;/i&gt;, and where it should be, its &lt;i&gt;aspirational - target profile&lt;/i&gt;. We work with businesses to develop a plan or a roadmap to achieve their target profile, to ensure that cybersecurity is an integral part of all business practices, from workflow to external and internal communications, and that there is a corporate culture of acceptance of cybersecurity as a value-add business proposition.&lt;br /&gt;
&lt;br /&gt;
All organizations have gaps in their cybersecurity practices. The goal is to identify those gaps by creating and comparing the current profiles with target profiles and to work iteratively to narrow those gaps. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Awareness Education - employees tend to be the weakest link&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
The threat landscape has evolved over time. In the past, hackers and criminals looked for vulnerabilities in the systems–network vulnerabilities. Hackers penetrated the organization by attacking its systems. Now, they prey on people and thereby gain access to the systems. People are easier to target. Hackers first introduce malware into the system through phishing emails, gain control over the organization’s assets, and then, through ransomware, blackmail the organization or extort payments. Therefore, people are the weakest link, falling easy prey to phishing, spear phishing, and social engineering. Awareness education drives a culture in which employees become a deterrent to cyber-attacks, thereby making organizations cyber resilient.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;</description><link>http://ebusinessmantra.blogspot.com/2020/05/normal-0-false-false-false-en-us-x-none.html</link><author>noreply@blogger.com (ebusinessmantra)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8089246.post-4677087726064541075</guid><pubDate>Mon, 27 Jan 2020 16:42:00 +0000</pubDate><atom:updated>2020-03-02T07:18:55.302-05:00</atom:updated><title>Cyber Security Awareness Training</title><description>&lt;span class=&quot;ember-view&quot; id=&quot;ember721&quot;&gt;ebusinessmantra is excited to announce a new security awareness training service for our clients. 
Engaging employee security awareness training is an effective way to protect your organization from threats like phishing.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span class=&quot;ember-view&quot; id=&quot;ember721&quot;&gt;Our new security awareness training solution will teach your employees how to detect and avoid malicious content through attention-grabbing training modules and realistic simulations. We have &lt;/span&gt;&lt;span class=&quot;ember-view&quot; id=&quot;ember721&quot;&gt;over 2000 training resources in different lengths, styles and languages to 
inspire a culture of security at your organization.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span class=&quot;ember-view&quot; id=&quot;ember721&quot;&gt;As your service provider, we’ll handle all aspects of employee training — including implementation, management and reporting. This helps you:&amp;nbsp; &lt;/span&gt;&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;&lt;span class=&quot;ember-view&quot; id=&quot;ember721&quot;&gt;Prevent data breaches and other security incidents.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span class=&quot;ember-view&quot; id=&quot;ember721&quot;&gt;Meet and track security awareness compliance requirements.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span class=&quot;ember-view&quot; id=&quot;ember721&quot;&gt;Save time and money with automated course delivery, management, and reporting.&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
</description><link>http://ebusinessmantra.blogspot.com/2020/01/cyber-security-awareness-training.html</link><author>noreply@blogger.com (ebusinessmantra)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8089246.post-5521492064445082880</guid><pubDate>Sat, 06 Aug 2011 15:06:00 +0000</pubDate><atom:updated>2011-08-06T11:09:10.333-04:00</atom:updated><title>Using the Right Tool: Web Application Scanner vs. Web Application Firewall</title><description>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;
A web application or vulnerability scanner scans a website or web application to find vulnerabilities in the application as a snapshot in time. If the application is not altered and the scanner is not updated, you would get the same results every time the scan is run. In other words, a scanner is static by nature: it does not react to the changing dynamics typical of a live environment. From that viewpoint, scanners tend to be a good assessment tool for testing during development and pre-production or pre-release of an application. &lt;br /&gt;
&lt;br /&gt;
It is important to note that scanning of production sites should be avoided at all costs, not only because of performance degradation but also because of the potential to corrupt the live database. This is an important distinction, which I will refer back to when comparing with a web application firewall.&lt;br /&gt;
&lt;br /&gt;
&lt;div closure_uid_voil3m=&quot;117&quot;&gt;
Commercial scanners such as &lt;em&gt;Acunetix&lt;/em&gt; bring with them a lot of additional out-of-the-box features and functionality. They also provide tools for advanced testing and penetration testing. Thus, scanners fall under the realm of testing and are better utilized during the testing and development phases of a project.&lt;/div&gt;
&lt;div closure_uid_voil3m=&quot;120&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
Web Application Firewalls (WAFs), on the other hand, provide real-time, live monitoring of the application. They monitor every request coming to the web server while the application is in the production environment. A WAF guards the application by auditing requests against security rules and configurations that are set manually and learnt by the WAF itself. Furthermore, a WAF, such as the one from Imperva, can block, alert, and apply a virtual patch while the development team works on the real fix. This makes WAFs extremely powerful in protecting live web applications and live data. Contrast this with a web application scanner, which is not intended for production sites and cannot provide protection in real time.&lt;br /&gt;
&lt;br /&gt;
If the attack vector changes, the same application that tested secure with a scanner can be vulnerable to new forms of attack. I have read many articles where the author has shown examples of websites that were hacked in spite of scanners finding them invulnerable. Again, remember that, because of its snapshot nature, a scanner is intended to be used during development and testing. In the production environment, the dynamics are different, from configurations to network management to ever-changing attack vectors.&lt;br /&gt;
&lt;div closure_uid_voil3m=&quot;123&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div closure_uid_4wz9d9=&quot;90&quot;&gt;
Are web application scanners necessary if web application firewalls can provide the ultimate safety net? &lt;/div&gt;
&lt;div closure_uid_4wz9d9=&quot;106&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div closure_uid_voil3m=&quot;121&quot;&gt;
&lt;div closure_uid_4wz9d9=&quot;107&quot;&gt;
Absolutely yes; in fact, they are needed even more. First, scanning during development and testing ensures that the application is robust. A robust application with a web application firewall to enhance its security is more secure than a weak or vulnerable application with one. If a web application firewall were icing, you would want it on the cake, not the soup.&lt;/div&gt;
&lt;/div&gt;
&lt;br /&gt;
Therefore, organizations must include both web application scanners and a web application firewall.&lt;br /&gt;
&lt;br /&gt;
ebusinessmantra offers web application or vulnerability scanners from Acunetix and a web application firewall from Imperva. In addition, we have the right solutions and products for small to mid-size businesses.&lt;/div&gt;</description><link>http://ebusinessmantra.blogspot.com/2011/08/using-right-tool-web-application.html</link><author>noreply@blogger.com (ebusinessmantra)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8089246.post-6493105902761362718</guid><pubDate>Wed, 08 Jun 2011 08:06:00 +0000</pubDate><atom:updated>2011-06-08T04:06:09.151-04:00</atom:updated><title>Can site audit replace need for secure coding practices?</title><description>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;
A web application development company, rather than employing data validation and sanitization, chooses to audit an eCommerce site for PCI compliance and agrees to remediate vulnerabilities found during the audit. Is this a clever way of doing the bare minimum and at the same time deflecting the liability to the auditing company?&lt;br /&gt;
&lt;br /&gt;
Data validation is like diet and exercise: general and non-targeted. An audit is like tests: specific and targeted. The former is preventive, whereas the latter is diagnostic.&lt;br /&gt;
&lt;br /&gt;
Like everything else in life, you can live with one, both, or none, depending on your risk tolerance. For development organizations, which contract to build web applications for their customers, secure coding adds to the cost of the project in terms of training, hiring developers experienced in secure coding, and added time.&lt;br /&gt;
&lt;br /&gt;
Of course, there is another consideration: standard coding practices. Whether written in the contract or not, there is an understanding that a serious organization and mature developers would be expected to follow standard coding practices. But here&#39;s the caveat: who defines the standards? The same organization that is trying to duck its responsibilities defines its corporate coding standards by excluding secure coding practices. This is important when writing contracts: web site owners must include standards as an addendum to the contract. &lt;br /&gt;
&lt;br /&gt;
Relying on the web development organization to implement secure coding gives a false sense of security. Rather than stating a general requirement in the contract to adhere to standards, specifics must be included. For example, the value of each variable received from another system or user must first be validated for expected length and for type: numeric, non-numeric, or alphanumeric, as the case may be.&lt;br /&gt;
&lt;br /&gt;
Wait a minute, are web site owners expected to know what secure coding is in order to demand secure coding? The answer is yes when dealing with development organizations which have no scruples. Unfortunately, not many businesses are security savvy, and they very rarely have someone on staff who is technically skilled in web application security. Before hiring a contractor for web site development, a security consultant needs to be hired. It is just like having an architect on board before hiring a building contractor.&lt;/div&gt;</description><link>http://ebusinessmantra.blogspot.com/2011/06/can-site-audit-replace-need-for-secure.html</link><author>noreply@blogger.com (ebusinessmantra)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8089246.post-8367587078579023435</guid><pubDate>Sun, 29 Aug 2010 10:04:00 +0000</pubDate><atom:updated>2010-08-29T06:04:39.849-04:00</atom:updated><title>Web Application Security</title><description>Web Application Security should be a key consideration for any business that owns a web site, even if the web site is intended for presenting brochure-like information. 
&lt;div style=&quot;width:477px&quot; id=&quot;__ss_1160636&quot;&gt;&lt;strong style=&quot;display:block;margin:12px 0 4px&quot;&gt;&lt;a href=&quot;http://www.slideshare.net/ebusinessmantra/web-application-security-1160636&quot; title=&quot;Web Application Security&quot;&gt;Web Application Security&lt;/a&gt;&lt;/strong&gt;&lt;object id=&quot;__sse1160636&quot; width=&quot;477&quot; height=&quot;510&quot;&gt;&lt;param name=&quot;movie&quot; value=&quot;http://static.slidesharecdn.com/swf/doc_player.swf?doc=webappsecurity-090317201958-phpapp02&amp;stripped_title=web-application-security-1160636&quot; /&gt;&lt;param name=&quot;allowFullScreen&quot; value=&quot;true&quot;/&gt;&lt;param name=&quot;allowScriptAccess&quot; value=&quot;always&quot;/&gt;&lt;embed name=&quot;__sse1160636&quot; src=&quot;http://static.slidesharecdn.com/swf/doc_player.swf?doc=webappsecurity-090317201958-phpapp02&amp;stripped_title=web-application-security-1160636&quot; type=&quot;application/x-shockwave-flash&quot; allowscriptaccess=&quot;always&quot; allowfullscreen=&quot;true&quot; width=&quot;477&quot; height=&quot;510&quot;&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div style=&quot;padding:5px 0 12px&quot;&gt;View more &lt;a href=&quot;http://www.slideshare.net/&quot;&gt;documents&lt;/a&gt; from &lt;a href=&quot;http://www.slideshare.net/ebusinessmantra&quot;&gt;ebusinessmantra&lt;/a&gt;.&lt;/div&gt;&lt;/div&gt;</description><link>http://ebusinessmantra.blogspot.com/2010/08/web-application-security.html</link><author>noreply@blogger.com (ebusinessmantra)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8089246.post-1749348066667445877</guid><pubDate>Wed, 17 Feb 2010 01:25:00 +0000</pubDate><atom:updated>2010-02-16T20:25:48.983-05:00</atom:updated><title>Web Application Scanners - Open source vs. 
commercial scanners</title><description>&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;There is an ongoing debate within the web application security community about the selection of web application scanners. With some good commercial scanners on the market and promising open source scanners, it is quite confusing for many developers and IT professionals to select one. If price alone were the consideration, it would be an easy choice; what makes it harder is determining which product does the intended job. I have seen that in selecting one product, there is a tendency to feel like you are missing out on what the other product offers. It is like buying a car: regardless of how hard you negotiate to get the best deal, you always feel that the salesman got away with the better deal.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;Let me begin with my thoughts on open source scanners. Two names that are frequently mentioned are WebScarab (OWASP) and Burp Suite (PortSwigger). Those who have worked with these products for some time firmly stand by them. To learn more about the products, I downloaded both of them; of course, the free offer was not too bad, either. After a few attempts, I quickly learnt that there is a steep learning curve associated with both of these products. Lack of a good set of documentation made it rather challenging to learn their usage and appreciate their effectiveness. As is the case with all open source products, support is provided by the community in open forums. That may be of concern if your inquiry involves disclosing confidential information. Furthermore, if your questions are time sensitive, you can expect to be disappointed waiting for an answer.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;&lt;span style=&quot;font-size: x-small;&quot;&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;Turning to commercial products, the one I have used extensively is Acunetix Web Vulnerability Scanner (&lt;a href=&quot;http://www.ebusinessmantra.com/buywebsecurityscanner.aspx&quot;&gt;http://www.ebusinessmantra.com/buywebsecurityscanner.aspx&lt;/a&gt;). Right &quot;out of the box&quot;, the product is easy to install and comes with detailed documentation and support from the vendor. That&#39;s a big check plus for commercial products. Literally within a few minutes after download, I had a list of vulnerabilities in the application I tested. I certainly cannot say that for the open source products. What value do you put on your time? Do you have time to learn to use open source products by yourself, especially in the face of deadlines? Can you afford to remain vulnerable while you figure out how to use them? Can you afford to remain vulnerable while you wait for someone to answer your question? These are the questions you have to ask yourself.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;&lt;span style=&quot;font-size: x-small;&quot;&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;Also of note: all products, open source and commercial, come with their faults in that they all report false positives and false negatives. So, the results of each application, open source or commercial, have to be evaluated for their correctness. Some may ask, why spend money if the outcome is not assured? As we saw earlier, it is the time you save to get to the outcome, not just the outcome. The other advantage of a commercial product is that one product contains features that test for various parameters, whereas open source products typically test for specific vulnerabilities. With open source you have to have multiple products to test for a variety of parameters, for example, having a product for port scanning and another for scanning, file checks, directory checks, perhaps Google Hacking Database (GHDB), and so on. Given the learning curve associated with each product, I think I would prefer a commercial product, and that should be true for all who are serious about vulnerabilities in their application.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;&lt;span style=&quot;font-size: x-small;&quot;&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;Lastly, updates and bug fixes: how often are updates, fixes, and patches issued for open source products compared to commercial products? My first-hand experience with Acunetix is that updates are issued at least once every two weeks. Can we say the same for WebScarab and Burp Suite?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;So factors to consider when comparing open source and commercial scanners are:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;• time to learn effective use of the product, &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;• features, &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;• customer support, &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;• product maintenance&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;• and one factor to ponder: can you afford to remain vulnerable while considering the other factors?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;Now don&#39;t get me wrong: open source scanners do have their place, so next time, I will talk about when and where open source products can be effective.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;</description><link>http://ebusinessmantra.blogspot.com/2010/02/web-application-scanners-open-source-vs.html</link><author>noreply@blogger.com (ebusinessmantra)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8089246.post-2349824500762226989</guid><pubDate>Thu, 10 Sep 2009 12:23:00 +0000</pubDate><atom:updated>2009-09-10T08:26:08.068-04:00</atom:updated><title>Document Management</title><description>&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;Is managing paper in your office driving up your overhead expenses? Are you spending too much time processing, searching, storing, and retrieving documents, invoices, forms, statements, and memos? &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;A document management solution does not mean scanning documents to PDF format and saving them on a CD. An effective document management solution leads to transactional data management, where documents in any format and information on any media are captured, validated, and stored for archival and retrieval. Add workflow and associated business rules to your document management solution, and you have information management that can be compliant with applicable laws. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;Whether you have a paper flow problem, a home-grown document system or just want to increase your efficiency, we have solutions that can help your business. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;&lt;a href=&quot;http://www.ebusinessmantra.com/docmanagement.aspx&quot; target=&quot;_blank&quot;&gt;Learn More&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;&lt;/span&gt;</description><link>http://ebusinessmantra.blogspot.com/2009/09/document-management.html</link><author>noreply@blogger.com (ebusinessmantra)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8089246.post-7361531502264329526</guid><pubDate>Thu, 10 Sep 2009 12:05:00 +0000</pubDate><atom:updated>2009-09-10T08:28:24.057-04:00</atom:updated><title>Web Application Security</title><description>&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;Businesses cannot afford to compromise business data. Customer information and product and service data all form the core of any business. If a business processes credit cards on its web site, then it is required to be PCI-compliant. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif; font-size: x-small;&quot;&gt;A web site can be used as a conduit to access data and compromise a company&#39;s vital resources. Businesses must prevent that from happening; ebusinessmantra has solutions that can help your business.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana; font-size: x-small;&quot;&gt;&lt;a href=&quot;http://www.ebusinessmantra.com/websecurityscan.aspx&quot;&gt;Learn More&lt;/a&gt;&lt;/span&gt;</description><link>http://ebusinessmantra.blogspot.com/2009/09/web-application-security.html</link><author>noreply@blogger.com (ebusinessmantra)</author></item></channel></rss>