
Posts Tagged: Data

Guest Blog, Ian Taylor: Public Cloud Migration – what you should know about shared security responsibility…

Jack Wynn

Migrating from a traditional data centre to a public cloud platform such as Amazon Web Services (AWS) or Microsoft Azure is a growing trend for many businesses. According to Gartner, the worldwide public cloud services market is expected to reach $204 billion in 2016. There is a misconception, however, that making this move means a “hands-off” approach, with no need to remain an active participant in IT management.

This is especially true of security and compliance. The cloud provider secures the underlying platform: the compute, storage, database and networking services it operates, and the physical security of the servers that run them. Under the “shared responsibility” model, the customer remains responsible for everything placed on top of that platform: their data, platforms, applications, identity and access management, guest operating systems, network configuration and firewalls.

It is important to understand that meeting a compliance requirement such as the Payment Card Industry Data Security Standard (PCI DSS) is not the same as being secure. A reliable and repeatable security strategy must come first and serve as the foundation for compliance, so that the controls consistently withstand the scrutiny of audits. The cloud is a good environment in which to manage these processes.

While achieving compliance and security in the cloud can be more demanding than expected, it can yield significant dividends in flexibility and scalability. Despite this, many industries struggle with the technical and cultural shift needed to secure data and intellectual property in the cloud. The primary challenge is a lack of resources and in-house expertise to take on this additional oversight.

In some cases, organisational goals for this endeavor are unclear. As a result, unqualified security personnel could be recruited, inappropriate security tools purchased, or the wrong cloud hosting provider selected.

Keys to success

Prioritisation of security and compliance effort is essential. It is impractical and cost-prohibitive to protect all data to the same degree. For a successful security strategy, data needs to be classified as low, medium or high risk, and that classification has to align with organisational objectives.

Due diligence is required to identify security solutions that offer both comprehensive compliance and reliable security tools that match business operations. The ideal scenario is to choose a security expert, partner or service provider that will not only clearly define the lines of responsibility in correlation with compliance standards, but also offer counsel and guidance in terms of data protection.

Setting the course

A detailed “Responsibilities Matrix” that correlates with compliance and security standards is a recommended approach. There should be ongoing dialogue between business leaders and IT teams to ensure that appropriate resources are in place. After alignment is achieved internally, organisations will be better suited to engage security providers that can execute on these goals.

Companies should seek advice that lays out best practices for security and compliance, as well as documentation and data classification reviews, complete with access to expertise that can help identify aspects of a shared security that are most important. These components are fundamentally important to increasing the confidence level of both an organisation and its customers.

Security is absolutely a shared responsibility when using public cloud platforms, and it is a mistake to shy away from it. But it is not just about whose responsibility it is to do what. A knowledgeable security provider should be expected to take a partnership approach to this critical task, communicate clearly, and take overall responsibility for the quality of service that is ultimately delivered.

Without a comprehensive strategy that executes sound shared security in concert with compliance adherence, the true ROI of public cloud platforms cannot be realised.


Ian Taylor is the EMEA service manager for Armor, a cyber security company that keeps sensitive, regulated data safe and compliant in the cloud. He possesses more than 12 years’ experience in the UK payment services sector with a focus on compliance adherence.

Guest Blog – Dr. Alex Vovk, Ph.D: 3 ways to improve hospitality data security…

Jack Wynn

The hospitality industry is a magnet for cyber criminals. Hotel chains have global networks, large workforces, as well as complex and often decentralised IT infrastructures. On top of all this, they regularly store and process high volumes of personal and financial data. This data can include customer credit card details, names, driving license numbers, addresses, passport numbers, phone numbers and other personally identifiable information (PII).

When this data ends up in the wrong hands, the regulatory, financial and legal consequences can be crippling, not to mention the reputational damage that a business simply cannot afford in such a competitive industry.

This is why securing the integrity of customer and other business-critical data is a top priority in the hospitality trade.

Although the hospitality industry is similar to retail in many ways, it has been slower to adopt advanced security solutions.

Many large hotel chains, including Trump, Hilton, Hyatt, Starwood and Mandarin Oriental, have recently disclosed cyber-attacks. In many cases the exact number of records breached has not been made public, but the overall impact is likely to have been significant.

Despite the breaches, many hospitality businesses keep making the same basic security mistakes. Here are the main steps they can take to reduce the risk:

1: Data security applies across the board

Many smaller hotels operate as franchises or small independent businesses, where data security is often not as high on the agenda as it should be. In some cases they do not comply with recommended industry security standards, have no IT security team, or do not even use basic data protection tools.

Actions

  • The reputation of the hospitality trade can only be improved if establishments take responsibility to protect customer PII seriously right across the board. This includes educating employees and adopting the right technology.
  • Compliance with the PCI DSS standard is the bare minimum required. Other essentials are a firewall, regular system updates and patches, encryption, a strong password policy, PCI-compliant applications and POS systems, restricted access to POS computers, and anti-virus, anti-spyware and anti-malware software.
  • IT systems also need to be regularly tested and assessed for vulnerabilities. When vulnerabilities are discovered, they need to be fixed immediately.

2: Insiders can be the biggest cyber security risk

Insider misuse is all too common in the hospitality sector. Contributing factors include high staff turnover rates, lack of appropriate security training, easy access to customer payment data, and lack of adequate controls and user behaviour monitoring.

According to Netwrix’s own 2016 Visibility Report, 65 per cent of organisations across various industries lack visibility into user activities in their corporate networks.

Insider wrongdoing does not always result in a massive data breach. It can take the form of a few individual thefts or many small thefts over long periods of time.

The overall outcome is the same as for external attacks: lasting damage to customer perception and lost trade.

Actions

  • No matter how much you trust your workforce, make sure access to sensitive data is restricted to individuals who need it to perform their daily duties.
  • Monitor user activity, including that of privileged users, to see whether they have tried to access critical files.
  • Follow up any suspicious activity, such as multiple failed access attempts, because they could be a sign of insider misuse or hacking of user accounts by attackers.
  • Implement a strong password policy.
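As an added example (not from the original post, and not Netwrix code), the following POSIX shell script runs two of the checks from the actions above over a handful of constructed log lines: it flags any user with three or more failed logins, and any read of the cardholder-data share by a user who is not on the allow-list. The log format, the field names, the threshold and the allow-list are all assumptions made for this example; a real POS or file-server log will need the awk field handling adapted to its own layout.

```shell
#!/bin/sh
# Added example, not from the original post: flag repeated failed logins and
# reads of a sensitive share by users outside an allow-list.
# The log lines below are constructed for this example. Assumed format:
#   <date> <time> user=<name> action=<login|read> result=<ok|fail> object=<path>
SAMPLE_LOG='2016-05-01 09:00:01 user=alice action=login result=ok object=-
2016-05-01 09:02:11 user=alice action=read result=ok object=/finance/cardholder.csv
2016-05-01 09:05:30 user=bob action=login result=fail object=-
2016-05-01 09:05:41 user=bob action=login result=fail object=-
2016-05-01 09:05:52 user=bob action=login result=fail object=-
2016-05-01 09:06:03 user=bob action=login result=fail object=-
2016-05-01 09:06:20 user=bob action=login result=ok object=-
2016-05-01 09:07:00 user=bob action=read result=ok object=/finance/cardholder.csv
2016-05-01 09:10:00 user=carol action=login result=fail object=-
2016-05-01 09:30:00 user=carol action=login result=ok object=-'

# Users entitled to read /finance (assumption: maintained from the access review).
FINANCE_ALLOWED='alice'

# Print "user=<name> failures=<n>" for every user with at least $1 failed logins
# (default threshold 3).
failed_login_report() {
    threshold="${1:-3}"
    printf '%s\n' "$SAMPLE_LOG" | awk -v t="$threshold" '
        /action=login/ && /result=fail/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^user=/) u = substr($i, 6)
            n[u]++
        }
        END { for (u in n) if (n[u] >= t) printf "user=%s failures=%d\n", u, n[u] }'
}

# Print "user=<name> object=<path>" for every read under /finance by a user
# who is not on the allow-list.
unauthorised_read_report() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v allowed="$FINANCE_ALLOWED" '
        BEGIN { split(allowed, a, " "); for (i in a) ok[a[i]] = 1 }
        /action=read/ && index($0, "object=/finance/") {
            u = ""; o = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^user=/)   u = substr($i, 6)
                if ($i ~ /^object=/) o = substr($i, 8)
            }
            if (!(u in ok)) printf "user=%s object=%s\n", u, o
        }'
}

failed_login_report 3      # prints: user=bob failures=4
unauthorised_read_report   # prints: user=bob object=/finance/cardholder.csv
```

On the sample data the two reports together tell the story the section warns about: bob fails four times, then succeeds, then reads cardholder data he is not entitled to. In production the same logic belongs in whatever log pipeline already exists; the point is that both checks need a user-to-data mapping (the allow-list) that someone actually maintains.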

3: Do not outsource everything

The hospitality industry is a highly competitive one that is always on the lookout for ways to cut costs.

It is hugely tempting to outsource parts of IT to external cloud services, reducing hardware and software costs and removing the need to retain a 24/7 in-house IT department.

But organisations that move their business-critical data to a third party often forget to put strong security controls in place. For example, the 2016 Visibility Report found that as many as 75 per cent of organisations across various industries have no visibility into what is happening to their data in the cloud.

Actions

  • Before outsourcing any sensitive data to the cloud, make sure that the data will remain secure in its new environment.
  • Carefully vet the cloud provider, holding them to the same standard as your internal security policies.
  • Also implement user behaviour monitoring, strong multi-factor authentication, remote session monitoring and advanced encryption.
  • Unless you have these security measures, you are not ready to move your critical data to the cloud.

In summary, hospitality businesses are responsible for all of the customer data they collect. Inevitably, this is a challenge, but there is no need to reinvent the wheel; numerous standards, solutions and best practices are available to help.

A lot of security mistakes happen because changes and anomalies in the network have gone unnoticed.

Use tools that help you stay aware of any abnormal or malicious activity in your IT network and in the cloud. Only by having clear insight into what is happening can you detect threats, minimise the risk of data exfiltration and secure your most valuable assets.


Dr. Alex Vovk, Ph.D has 15 years’ experience in software, leadership and operational management. Prior to Netwrix, he worked at Aelita Software, where he served as the architect for the company’s key technologies. Dr. Vovk holds a master’s degree and a Ph.D in information security.

Kaspersky Lab: Brit residents ‘top targets’ of ransomware attacks…

Jack Wynn

New data released by security software company, Kaspersky Lab, claims that British residents are constantly being targeted in a wave of ransomware attacks.

The research suggests that mobile ransomware is becoming more commonplace: the company’s products blocked 136,532 mobile ransomware attacks between March 2015 and March 2016, almost four times the 35,413 attacks recorded in the previous 12 months.

In addition, Kaspersky’s data shows that UK citizens are among the most likely to be targeted by mobile ransomware; with an estimated 16 per cent of all mobile ransomware attacks hitting users in this country.


Guest Blog, Cesare Garlati: Securing the smart home – taking control of your mini-data centre…

Jack Wynn

Smart technology has made it easier for people to explore what’s happening inside their homes and take control of things such as heating and cooling, electricity consumption and entertainment options. But before we knew it, the population turned their homes into mini data centres — ones that don’t have system administrators to worry about the configurations and security controls. There is one appliance at the forefront of smart home technology and that is the home gateway device – generally, a Wi-Fi router. 

The router acts as the central hub connecting most of a consumer’s devices, yet what many do not realise is that it is the first and, for appliances that cannot run any security software of their own, the only line of defence for every device in the home. The router is a door to a consumer’s financial data and personal information. As such, it needs to be secured, just as an individual would lock their front door to keep burglars out.

While most people know to protect their laptops and even mobile phones with anti-virus software, digital security in the home does not end with those devices. Because everything is connected through the home gateway, security efforts must also limit lateral movement, so that an attacker who compromises one device cannot simply jump to the next.

When it comes to securing internet of things (IoT) in the home, consumers and security professionals can adopt and share the following resources to improve safety practices:

Keep the home gateway’s firmware up to date, checking at least once a quarter and immediately when a vulnerability in the device is publicised: attackers start scanning for newly disclosed router flaws almost as soon as they become public. Users who bought their own router are responsible for applying updates themselves; where the router is supplied as part of a service, the provider normally pushes updates, but it is worth confirming that this actually happens and which firmware version is installed.

Make sure the admin console on the home router is protected by its own strong password: the Wi-Fi passphrase that most people already have and the admin console password are two separate things. Change the console password from the factory default, and make it unique rather than reusing a password from any other device or account.

Use WPA2 and protect it with a strong passphrase: this matters most for consumers still running legacy devices, because older protocols such as Wired Equivalent Privacy (WEP) are broken and offer no real protection. Where the router offers the choice, select WPA2 with AES (CCMP) rather than the older TKIP mode.

Activate media access control (MAC) filtering: every network interface has a MAC address, and the router can be configured so that only listed addresses may connect. The router’s client list then shows what is connected, and unknown devices can be blocked. Bear in mind that a MAC address is trivially spoofed by anyone who can observe the wireless traffic, so treat this as housekeeping that keeps casual or accidental connections off the network, not as a barrier to a determined attacker.

Turn off Wi-Fi Protected Setup (WPS): once the gateway has been set up, WPS is no longer required, and its PIN method is weak enough to be brute-forced, so leaving it enabled only adds risk.

Do not open any ports on the router firewall: the firewall is the main security feature built into a home gateway device and filters the traffic entering and leaving the network. There is normally no good reason for anything on the internet to be able to initiate a connection into the household. Service providers may ask for a port to be opened, but users should understand that this is for the provider’s convenience, to offload work and speed up service delivery, not for the household’s benefit.

Never enable the Universal Plug and Play (UPnP) feature on the gateway: UPnP lets any device on the internal network ask the router to open an inbound port, with no authentication, which is why some regard it as ‘horrific’ for security. Malware that gains a foothold on one device can use it to expose that device, or others, to the internet. Vendors may ask users to enable it for a better experience, for example in gaming, but in reality it does not need to be enabled.

Don’t bother hiding the Service Set Identifier (SSID): the network name was never a security control, because the SSID is still visible to anyone monitoring the wireless traffic, and it is a misconception that hiding it makes the network more secure. All that happens is that your endpoints have to work harder to find the network, and therefore consume more power.

Practise security by separation and take full advantage of the ‘guest network’ feature on modern routers: the guest network lets lower-trust users access Wi-Fi without the privileges of the main network. It is protected by a separate password and isolates the devices connected to it from the main network. Use it for visitors and, going a step further, assume that any device which leaves the home (tablets, mobile phones, laptops and so on) may already be compromised and put those on the guest network too.
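The checklist above applied to an OpenWrt-based home gateway, as an added example: this is not code from the original post or from the prpl Foundation. It assumes a default OpenWrt layout (firewall zone index 1 is the WAN zone, the main Wi-Fi interface is `wireless.default_radio0`, the miniupnpd package is installed) and takes the two passphrases from the environment variables `MAIN_WIFI_PASSPHRASE` and `GUEST_WIFI_PASSPHRASE`; the guest interface name, zone name, subnet and the example MAC address are choices made for this example. Change the admin password first with `passwd`, then run the script as root on the router with `--apply`; without that argument it only defines the function.

```shell
#!/bin/sh
# Added example, not from the original post or the prpl Foundation: apply the
# router checklist to an OpenWrt-based home gateway through its UCI tool.
# Assumptions: default OpenWrt zone layout (zone[1] is wan), the main SSID is
# wireless.default_radio0, miniupnpd is installed, passphrases come from the
# environment. Section names (guest), subnet and MAC address are example choices.

harden_gateway() {
    : "${MAIN_WIFI_PASSPHRASE:?set a random passphrase of 20+ characters}"
    : "${GUEST_WIFI_PASSPHRASE:?set a separate passphrase for the guest network}"

    # Main Wi-Fi: WPA2-PSK with AES/CCMP only (no WEP, no TKIP), WPS off,
    # SSID left visible because hiding it adds nothing.
    uci set wireless.default_radio0.encryption='psk2+ccmp'
    uci set wireless.default_radio0.key="$MAIN_WIFI_PASSPHRASE"
    uci set wireless.default_radio0.wps_pushbutton='0'
    uci set wireless.default_radio0.hidden='0'

    # MAC allow-list: housekeeping only, since addresses are trivially spoofed.
    uci set wireless.default_radio0.macfilter='allow'
    uci add_list wireless.default_radio0.maclist='00:11:22:33:44:55'   # example address

    # Guest network: own SSID and passphrase, clients isolated from each other,
    # own subnet and firewall zone that may only forward to WAN and may only
    # reach the router itself for DHCP and DNS.
    uci set network.guest='interface'
    uci set network.guest.proto='static'
    uci set network.guest.ipaddr='192.168.3.1'
    uci set network.guest.netmask='255.255.255.0'
    uci set dhcp.guest='dhcp'
    uci set dhcp.guest.interface='guest'
    uci set dhcp.guest.start='100'
    uci set dhcp.guest.limit='150'
    uci set dhcp.guest.leasetime='12h'
    uci set wireless.guest='wifi-iface'
    uci set wireless.guest.device='radio0'
    uci set wireless.guest.mode='ap'
    uci set wireless.guest.network='guest'
    uci set wireless.guest.ssid='Guest'
    uci set wireless.guest.encryption='psk2+ccmp'
    uci set wireless.guest.key="$GUEST_WIFI_PASSPHRASE"
    uci set wireless.guest.isolate='1'
    uci add firewall zone
    uci set firewall.@zone[-1].name='guest'
    uci set firewall.@zone[-1].network='guest'
    uci set firewall.@zone[-1].input='REJECT'
    uci set firewall.@zone[-1].output='ACCEPT'
    uci set firewall.@zone[-1].forward='REJECT'
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src='guest'
    uci set firewall.@forwarding[-1].dest='wan'
    uci add firewall rule
    uci set firewall.@rule[-1].name='guest-dhcp-dns'
    uci set firewall.@rule[-1].src='guest'
    uci set firewall.@rule[-1].proto='udp'
    uci set firewall.@rule[-1].dest_port='53 67 68'
    uci set firewall.@rule[-1].target='ACCEPT'

    # WAN: nothing inbound, nothing forwarded in, and no port forwards left over.
    uci set firewall.@zone[1].input='DROP'      # assumption: zone[1] is 'wan'
    uci set firewall.@zone[1].forward='DROP'
    while uci -q delete firewall.@redirect[0]; do :; done

    # UPnP: disabled in config and the daemon stopped below.
    uci set upnpd.config.enabled='0'

    uci commit
    /etc/init.d/miniupnpd stop
    /etc/init.d/miniupnpd disable
    /etc/init.d/firewall restart
    wifi reload
}

# Only apply when explicitly asked; defining the function alone changes nothing.
if [ "$1" = "--apply" ]; then
    harden_gateway
fi
```

The script is written to be read as much as run: each block maps to one item of the checklist, and the WAN zone is set to DROP rather than the default REJECT so that unsolicited probes get no response at all. It is not idempotent, since `uci add` appends a new section each time, so run it once on a fresh configuration and then verify with `uci show firewall` and `uci show wireless` that the result matches what you intended.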


Cesare Garlati is the chief security strategist at prpl Foundation. He is an internationally renowned leader in mobile and cloud security and the former vice president of mobile security at Trend Micro and co-chair of the Mobile Working Group at Cloud Security Alliance.
