12 things every IT security professional should know

Fighting the good fight takes specialized knowledge. Here’s the baseline of what all security pros should know.

Basic common defenses

Almost every computer has common basic defenses, which good IT pros consider and apply. These are the “standards” of computer security. They include:

  • Patch Management
  • End-User Training
  • Firewalls
  • Antivirus
  • Secure Configurations
  • Encryption/Cryptography
  • Authentication
  • Intrusion Detection
  • Logging

Understanding and using the basic common IT security defenses is a must for every IT security professional. But don’t stop at simply knowing about them. Know, too, what they are good at stopping and what they fail to do. If you want to know which two defenses help decrease the most risk, read this.

Cloud security

What four factors make cloud security more complex than traditional networks?

  • Lack of control
  • Always available on the internet
  • Multi-tenancy (shared services/servers)
  • Virtualization/containerization/microservices

The joke is (and isn’t) that cloud really means “other people’s computers”, with all the risk that entails. Traditional corporate administrators no longer control the servers, services, and infrastructure that store sensitive data and serve users in the cloud; you have to trust that the cloud vendor’s security team is doing its job. Cloud infrastructures are almost always multi-tenant, and keeping different customers’ data separate is complicated by virtualization and, more recently, by containerization and microservices. Each of these has been heralded by some as a way to make security easier, yet each usually makes the infrastructure more complex, and complexity and security do not usually go hand-in-hand. Want to dig deeper into this topic? I recommend starting with this article on cloud security.

Threat education and communication

Most threats are well known and recur frequently. Every stakeholder from end-users to senior management and the board of directors needs to know the current top threats against your company and what you are doing to stop them. Some of the threats you face, like social engineering, can only be stopped by educating the people in your company. So the ability to communicate is often the thing that separates a great IT pro from a mediocre one.

Communication is an essential IT security professional skill. But you can’t simply rely on your charming personality because communication happens through a variety of methods including: face-to-face conversation, written documentation, emails, online learning modules, newsletters, tests, and simulated phishing.

Every good IT pro needs to be able to clearly and effectively communicate using verbal and written methods. When appropriate, she knows how to create or purchase the needed education and communication vehicles. No matter what technical controls you deploy, every year something will make it past them. So, make sure your stakeholders are prepared. At the very least, the following items should be covered in your education program:

  • The most likely, significant, threats and risks against the organization
  • Acceptable use
  • Security policy
  • How to authenticate and what to avoid
  • Data protection
  • Social engineering awareness
  • How and when to report suspicious security incidents

Looking for some hands-on, practical information security education advice? Check out “Ways to improve security education in the New Year” at CSO Online.

-/-

Follow the link to find all twelve:

https://www.itworld.com/article/3297944/it-careers/12-things-every-it-security-professional-should-know.html

Globally, just under 23 percent of organizations are likely to suffer at least one breach over the next 24 months

According to the IBM report, it now takes 197 days to identify a breach and 69 days to contain it. <…> Entertainment and healthcare organizations take the longest time to discover and contain a breach – averaging more than 300 days – while financial services and energy sectors were quickest at discovery and remediation.

Time is money and being slow to detect and contain a breach can be costly. Taking more than 100 days to discover a breach could add as much as $1 million to the final bill. Likewise taking longer than 30 days to contain the breach once discovered can also add over $1 million to costs. Investment in monitoring and forensics capabilities could be valuable in the long run.

The average data breach now involves 24,615 records, an increase of 2.2 percent compared to 2017. Each record lost costs around $148 on average globally, while in the US that figure rises to $233. The final cost per record can be impacted by a number of factors relating to how well-prepared an organization is and how well it reacts to a breach.

Given the highly sensitive and regulated nature of the data they manage it should come as little surprise that the health and financial sectors face the largest costs per record; up to $400 each.

A significant outlay organizations are faced with post-breach is notification costs. These include the creation of contact databases, determining regulatory requirements, consultancy fees, postal expenditures, email bounce-backs, and more. India has the lowest notification costs at just $20,000, while the U.S. has the highest at $740,000 per breach, largely due to data breach notification regulations.

However, now that the European Union’s regulation is in effect, companies are likely to see “huge increases throughout the world” in the future when it comes to notification costs. “One key thing with GDPR is you have that 72-hour disclosure window. And that time can go by very, very fast. Folks really need to understand the need for preparation.”

Mega breaches can incur large indirect costs

According to IBM a “mega-breach” of 1 million records could cost a company $40 million, while the loss of 50 million records might lose a company $350 million.

“If you’re a company who loses fifty million records, first and foremost there’s an expectation that you’re likely a very large company who certainly has the financial means to be able to put an adequate level of protection in place. Folks will look at that and say that is a catastrophic failure, and clients are going to make an alternative choice of who they do business with as a result.”

https://www.itworld.com/article/3304358/data-breach/what-is-the-cost-of-a-data-breach.html

How To Protect Your Privacy On iPhone

Follow these easy steps to protect the personal data on your iPhone or iPad. (Details and how-to instructions are at the link at the bottom.)

You might also be interested in our privacy tips for Android.

1. Lock your device with a passcode longer than 4 digits.
2. Enable “Erase Data” to delete data after 10 failed passcode attempts.
3. Don’t show notifications in the lock screen for sensitive apps.
4. Turn off “Share My Location.”
5. Turn off location services for things that don’t need them.
6. Turn off access to sensitive data for apps that don’t need it.
7. Review your installed apps.
8. Turn off read receipts so people are not notified when you see their messages.
9. Turn on “Limit ad tracking”.
10. From time to time, reset your advertising identifier.
11. Set DuckDuckGo as your default search engine.
12. Install the DuckDuckGo Privacy Browser.

https://spreadprivacy.com/iphone-privacy-tips/

A Guide to Common Types of Two-Factor Authentication on the Web

Two-factor authentication (or 2FA) is one of the biggest-bang-for-your-buck ways to improve the security of your online accounts. Luckily, it’s becoming much more common across the web. With often just a few clicks in a given account’s settings, 2FA adds an extra layer of security to your online accounts on top of your password.

In addition to requesting something you know to log in (in this case, your password), an account protected with 2FA will also request information from something you have (usually your phone or a special USB security key).

https://www.eff.org/deeplinks/2017/09/guide-common-types-two-factor-authentication-web

US, UK, and other governments ask tech companies to build backdoors into encrypted devices

The US, UK, and three other governments have called on tech companies to build backdoors into their encrypted products, so that law enforcement will always be able to obtain access. If companies don’t, the governments say they “may pursue technological, enforcement, legislative, or other measures” in order to get into locked devices and services.

Tech companies have (also) been wary of complying. Adding a backdoor into their products would inherently mean that their promise of data privacy is broken. It would also open them up to similar requests from other countries, which could use the backdoor access for spying in inappropriate circumstances.

https://www.theverge.com/2018/9/3/17815196/five-eyes-encryption-backdoors-us-uk-australia-nz-canada

We must build up our cyber defence! What cyber defence?

The internet is trench warfare today. Sweden’s infrastructure, Swedish companies and government agencies are under continuous attack. Sweden has hardly any security awareness and no cyber defence either. It is wrong to believe that the Swedish Armed Forces (Försvarsmakten) are sitting with camouflage-painted equipment in a mountain bunker protecting you from cybercriminals. You are the cyber defence, and you are the prime target of the attacks. And it is people just like you who ignore that.

http://www.teknikaliteter.se/2018/09/04/maste-rusta-cyberforsvaret-vilket-cyberforsvar/

The handbook Personlig säkerhet (Personal Security), 2018

Through risk analysis, active choices and a conscious attitude you can protect your personal security. The handbook gives examples of preventive and protective measures that can be used to prevent or avert threatening situations should they arise.

It covers everything from how to think about social media to how to act in the event of a terrorist attack. The book is written primarily for politically active people, but the advice works just as well for other exposed professional groups.

http://www.sakerhetspolisen.se/publikationer/personskydd/personlig-sakerhet.html

Dark Patterns: When Companies Use Design to Manipulate You

“Dark patterns” are designs that deliberately trick you into doing what a company wants. This can take all kinds of forms, from MoviePass not canceling people’s accounts to installers putting crapware on your machine.

-/-

at one point even closing the window offering the update would prompt the installation. A lot of people ended up accidentally installing Windows 10 because of this one, which makes sense: it was almost impossible to tell how to opt out.

https://www.howtogeek.com/363484/dark-patterns-when-companies-use-design-to-manipulate-you/

’People You May Know:’ A Controversial Facebook Feature’s 10-Year History

In May 2008, Facebook announced what initially seemed like a fun, whimsical addition to its platform: People You May Know.

“We built this feature with the intention of helping you connect to more of your friends, especially ones you might not have known were on Facebook,” said the post.

In an investigation last year, we detailed the ways People You May Know, or PYMK, as it’s referred to internally, can prove detrimental to Facebook users. It mines information users don’t have control over to make connections they may not want it to make.

https://gizmodo.com/people-you-may-know-a-controversial-facebook-features-1827981959

Kashmir Hill’s posts

Kashmir Hill is a senior reporter for the Special Projects Desk, which produces investigative work across all of Gizmodo Media Group’s web sites. She writes about privacy and technology.

https://kinja.com/kashmirhill