Article published by Model D on how Michiganders can help protect themselves from identity theft
Your organization is at great risk for a cyber attack, and chances are, you don’t have the personnel to protect you.
DDoS (distributed denial of service) attacks grew more than 160 percent in the last year with millions of new malware and ransomware variants each day. The growing volume and sophistication of this cybercrime is driving an estimated security workforce shortage of 1.5 million worldwide in the next two years.
While hiring cybersecurity and IT professionals isn’t a “magic bullet,” it can be the first line of defense in protecting your business, your customers and your revenue. How can a hiring manager wade through the myriad certifications and credentials to understand what really matters when hiring security professionals to protect their organization?
The first step is to determine the right level of security professional for your organization.
- Entry level cybersecurity positions, such as risk analysts, typically require less than one year of practical experience. Certifications such as CompTIA’s Security+ or ISC2’s Systems Security Certified Practitioner (SSCP) confirm that the candidate has the knowledge to evaluate risk, understands network and server security and grasps the fundamentals of identity and access management.
- Organizations looking for mid-level security positions, such as secure code developers, penetration testers or cybersecurity engineers, must require a bachelor’s degree in IT or computer science and a minimum of five years of practical experience. Individuals at this career level are responsible for ensuring that applications, along with company networks and servers, are developed and configured properly. Mid-level employees may also be required to architect and deploy new systems and services, develop policies, standards and procedures and provide higher level support. In addition to a college degree, employers should look for candidates who have obtained engineering or professional level certifications. These could include EC-Council’s Certified Ethical Hacker (CEH), Cisco Certified Network Associate (CCNA) or one of the many Microsoft MCSE certifications. These candidates will not only understand how systems, networks and software are built, they will also understand potential misconfigurations of IT systems, vulnerabilities and risks for exploitation.
- Architectural, managerial or C-level positions require extensive education and on-the-job experience. Those in this type of role will not only drive cybersecurity strategy, they may also be required to architect new solutions, determine risk and demonstrate expertise in regulations which may impact your business. Hiring managers must look for advanced certifications such as ISC2’s Certified Information Systems Security Practitioner (CISSP) and EC-Council’s CCISO certifications, both of which require a minimum of five years in the cybersecurity field. Management training, certification and experience are also necessary for individuals who will be supervising security teams.
Merit Network helps businesses and nonprofits improve their security posture through network and organization vulnerability assessments, workforce development and certification courses, end user training, security hardware and software solutions and more.
Our seasoned security team can develop custom programs to prevent your organization from falling victim to the millions of U.S. hacking attempts that occur each day. Contact the Merit Security Team today by visiting Merit.edu/custom-training.
The most important asset to a company is its data. In the event of a technical failure or glitch, the loss of data, customer records, business plans and intellectual property can be devastating. Statistics show that without proper backups, two thirds of companies go out of business within six months of a data disaster.
Could your company survive if all was lost and you had to start over from scratch? In a survey performed by the Disaster Recovery Preparedness Council, 20 percent of companies stated losses between $50,000 and $5 million due to downtime after data loss. In addition, more than 40 percent of data recoveries were not successful when plans were executed.
How can a company ensure business continuity in the event of data loss?
- RAID (Redundant Array of Independent Disks)
RAID is a technology that keeps your data safe on a local server by combining multiple physical disk drives into a single logical unit. In a mirrored RAID configuration, data is automatically duplicated from the primary disk to a backup disk. This allows recovery from the backup in the event of a complete drive failure. A striped RAID configuration writes data across three or more disks. If a striped drive fails, the server is able to operate normally while the drive is replaced.
- Secondary System Backup
While using RAID for disk drive redundancy is recommended, this practice will not prevent data loss if an entire system fails. Your organization’s backup strategy should incorporate an enterprise backup solution. There are three methods to choose from in an enterprise backup solution. A full backup copies all of the files and folders of a given system. This is the initial step when performing system backups, to ensure availability of your business’s data. However, relying only on a full backup can lead to increased storage costs. An incremental backup begins with a full backup and then only completes additional backups when changes are made to a file over time. One benefit of an incremental backup is the reduced file size and storage cost of your data; however, restoration times may be increased with this method. Finally, differential backups store copies of cumulative changes, which lessens recovery time but places storage costs and file sizes between full and incremental backups.
- The Cloud
Most cloud service providers operate with geographically diverse data centers, which makes the cloud an ideal solution for disaster recovery storage. The cloud can also decrease capital expenditures by eliminating server replacement cycles and costly power and cooling for your data center. Operational costs are also lowered, as fewer employees are required to administer these systems.
The development of policies, standards and procedures is integral to protecting your company’s digital assets. Organizations must calculate acceptable risks and develop policies, standards and procedures to document backup frequency, locations and restoration tests.
- Data Center Redundancy
Offsite data center storage at a colocation facility offers premium data protection. This offers complete recovery in the event of power loss, natural disaster or fire. Business risk can also be reduced by storing IT resources separately from business operations. Geographic diversity, secured access and reliable power failovers are some of the benefits of data center storage.
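The three enterprise backup methods described under Secondary System Backup above, simulated over a constructed week of file changes. This is an added example, not part of the original article; the file names, sizes and change schedule are made up. It compares total storage with the number of backup sets a restore has to read, and runs a restoration test for each method.

```python
# Constructed sample data: file sizes in MB, and the files that change on
# each of four days after the initial day-0 full backup.
FILES = {"db.sqlite": 400, "crm.csv": 120, "plans.docx": 30, "site.zip": 250}
CHANGES = [{"db.sqlite"}, {"db.sqlite", "crm.csv"}, {"plans.docx"}, {"db.sqlite"}]

def run(strategy):
    """Take one backup per day; return (live file versions, backup sets)."""
    live = {name: 0 for name in FILES}
    sets = [("full", dict(live))]            # every method starts with a full
    since_full = set()
    for changed in CHANGES:
        for name in changed:
            live[name] += 1                  # new version of the file
        since_full |= changed
        if strategy == "full":
            picked = set(FILES)              # everything, every time
        elif strategy == "incremental":
            picked = changed                 # changes since the previous backup
        elif strategy == "differential":
            picked = since_full              # cumulative changes since the full
        else:
            raise ValueError(strategy)
        sets.append((strategy, {n: live[n] for n in picked}))
    return live, sets

def restore(sets):
    """Rebuild the latest state; return (state, number of sets read)."""
    last_full = max(i for i, (kind, _) in enumerate(sets) if kind == "full")
    if sets[-1][0] == "differential":
        chain = [sets[last_full], sets[-1]]  # full + latest differential
    else:
        chain = sets[last_full:]             # full alone, or full + every incremental
    state = {}
    for _, files in chain:
        state.update(files)                  # later sets overwrite older versions
    return state, len(chain)

def compare():
    """Return {strategy: (total MB stored, sets needed to restore)}."""
    result = {}
    for strategy in ("full", "incremental", "differential"):
        live, sets = run(strategy)
        state, chain_len = restore(sets)
        if state != live:                    # restoration test
            raise RuntimeError(f"{strategy}: restore does not match live data")
        mb = sum(FILES[n] for _, files in sets for n in files)
        result[strategy] = (mb, chain_len)
    return result

if __name__ == "__main__":
    print(compare())
```

An incremental restore depends on every set in the chain, so a single missing or corrupt incremental breaks it; that is the reason to document and run restoration tests rather than only checking that backups complete.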
Merit Network offers data center storage and colocation at multiple facilities throughout Michigan. For more information on using Merit Colocation as a primary data center or as part of your disaster recovery plan, visit merit.edu/gr-colocation today!
Cyber threats are on the rise – putting businesses, dollars and real lives in grave danger. Regardless of an organization’s size, most companies deal with securing personal information, computer networks and connected devices to conduct daily operations. As cyber attacks grow in frequency and sophistication, associated costs to mitigate these attacks skyrocket. According to Gartner, the worldwide security market reached $75 billion in 2015. This spending is expected to increase in 2018 to $101 billion and reach an estimated $170 billion by 2020.
How can businesses with minimal IT and cybersecurity budgets keep up with today’s demands? Fortunately, there are a number of cost-free solutions that organizations can adopt to make a positive impact in their security program.
- Change your password
As much as one-third of all data breaches and cyber attacks can be attributed to weak or out-of-date passwords. These breaches can be accomplished through password cracking programs, phishing attempts, theft and the illegal buying and selling of personal data. It takes more than 200 days, on average, for a victim of a cyber attack to notice the breach. According to a 2015 report by TeleSign, 47% of people are using passwords that are more than five years old. Creating a strong password policy and enforcing quarterly password updates is key in defending against credential hacks.
In 2016, Dropbox, LinkedIn and Yahoo were the victims of large-scale breaches (Yahoo’s attack was the largest in history, with more than 1 billion accounts compromised). Unfortunately, many users adopt the same username and password across all of their online accounts. This allows hackers to enter stolen credentials to access additional resources online. In some instances, hackers were able to remotely control the user’s desktop. From there, hackers can purchase goods and services from online retailers, such as Amazon, through the compromised machine.
Unsafe passwords, such as ‘123456’ and ‘password’, are among the easiest credentials to crack and are still heavily used to this day. However, creating unique and long passwords for each account can prove difficult to remember. Password managers, such as LastPass or KeePass, can help users create and safely store credentials that are difficult to breach.
Multifactor authentication should be considered as an added security measure at the organization level. Multifactor authentication (MFA) is a system that prevents data theft by requiring more than one source of credentials from a user or employee before they can access your data. For example, organizations could install a push-notification app, like Duo Security.
- See What the Bad Guys See
What exactly do the “bad guys” know about your network? Search engines like Shodan and Censys gather enormous amounts of information about your company’s network and publish it online. Through sites like these, hackers can locate your organization’s potential vulnerabilities. For example, a hacker could discover that systems on your network use a weak SSL cipher which can be used to extract sensitive information. These search engines also identify open internet-based cameras and baby monitors that can be used for spying purposes! Conversely, this information can be used by a business to help identify and patch weaknesses before a breach happens.
The website ‘haveibeenpwned.com’ is a great resource to help individuals and organizations identify compromised email accounts. This site will identify which service provider leaked the credentials and the year that it happened. In addition, users can query the results for an entire domain, which allows IT administrators to quickly mitigate the issue.
- Know your users and trust your devices
Over time, some organizations develop what is referred to as “a hard outer shell and soft in the middle.” This refers to instances when companies deploy firewalls and other security services which protect the perimeter of the network, while ignoring the security of internal systems. The proliferation of cloud-based services and BYOD (bring-your-own-device) practices has increased vulnerabilities with the “hard outer shell” security approach.
Truly secure organizations have adopted zero trust models – this is when an organization no longer trusts its internal networks or external connections. To implement this practice, companies must migrate from role-based models and move toward attribute-based models for authentication. This can be accomplished by deploying security certificates on corporate end user devices. When users attempt to establish a remote connection, the security system checks the attributes of the certificate installed on the device and the login credentials of the user who is attempting to connect. In the event a user attempts a connection without a certificate installed, the connection will be denied.
Improving your organization’s security posture does not require the adoption of expensive tools and outrageous license fees. Ensuring users follow password management best practices, mitigating threats outlined by search engines and adopting zero trust authentication models will make a large contribution to your overall security strategy.
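The attribute-based check described above (device certificate attributes plus user credentials, with no certificate meaning no connection), sketched as a decision function. This is an added example, not from the original article: the issuer name, device serials, the device-to-user assignment rule and the sample requests are all assumptions made for illustration.

```python
from datetime import datetime, timezone

# Assumed policy data (hypothetical names, not from the article).
TRUSTED_ISSUER = "CN=Example Corp Device CA"
ENROLLED = {"LT-0042": "alice", "LT-0077": "bob"}  # cert serial -> assigned user

def authorize(req, now):
    """Decide one connection attempt; returns (allowed, reason).

    Assumes the TLS layer has already verified the certificate's signature
    chain and that req["password_ok"] comes from the login system.
    The source address (req["src"]) is deliberately never consulted.
    """
    cert = req.get("device_cert")
    if cert is None:
        return False, "no device certificate"
    if cert["issuer"] != TRUSTED_ISSUER:
        return False, "untrusted issuer"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "certificate expired or not yet valid"
    if cert["serial"] not in ENROLLED:
        return False, "device not enrolled"
    if not req["password_ok"]:
        return False, "bad user credentials"
    if ENROLLED[cert["serial"]] != req["user"]:
        return False, "user not assigned to device"
    return True, "ok"

def _cert(serial, issuer=TRUSTED_ISSUER, end=2018):
    # Build a constructed certificate record with only the attributes checked above.
    return {"serial": serial, "issuer": issuer,
            "not_before": datetime(2016, 1, 1, tzinfo=timezone.utc),
            "not_after": datetime(end, 1, 1, tzinfo=timezone.utc)}

NOW = datetime(2017, 5, 1, tzinfo=timezone.utc)
# Constructed sample requests; all four present a correct password.
REQUESTS = [
    {"user": "alice", "password_ok": True, "src": "203.0.113.9", "device_cert": _cert("LT-0042")},
    {"user": "alice", "password_ok": True, "src": "10.0.0.5", "device_cert": None},  # internal address, no cert
    {"user": "bob", "password_ok": True, "src": "10.0.0.8", "device_cert": _cert("LT-0077", end=2017)},
    {"user": "alice", "password_ok": True, "src": "198.51.100.4",
     "device_cert": _cert("XX-9999", issuer="CN=Unknown CA")},
]

def decisions():
    return [authorize(r, NOW) for r in REQUESTS]

if __name__ == "__main__":
    for r, d in zip(REQUESTS, decisions()):
        print(r["user"], r["src"], d)
```

The second request comes from an internal address with a valid password and is still denied, which is the difference from the "hard outer shell" approach: a correct password alone, even from inside the network, does not grant access.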
Learn more about implementing low-cost security solutions, hacking prevention, incident response and more at the Michigan Cyber Range Convention on May 18th. Seating is limited. Visit Merit.edu/MCRcon17 to register today!
Major web-based services, including Twitter, Netflix, Amazon Web Services and Spotify, were offline for most of the day last week, due to a large-scale Distributed Denial of Service attack. This onslaught targeted the home routers, DVRs and webcams of consumers who had not changed default user names and passwords of these internet connected devices.
Currently, 6.4 billion devices connect to the internet, and that number is projected to grow to 20.8 billion over the next four years. Outages like this past week’s are devastating to businesses, who stand to lose billions during downtime, and to individuals, whose personal data and information is at risk as a consequence of these events.
The Internet of Things has been exploited in recent cyber attacks.
Last week’s incident is one of many infiltrations via the Internet of Things (IoT), the name for the billions of everyday objects which have network connectivity. Last year, hackers were able to retrieve the passwords of connected wireless networks through app-controlled smart kettles. In some instances, smart refrigerators have been breached and used to send three quarters of a million SPAM emails. Startlingly, baby monitors are another popular target – hackers have been known to view camera feeds and communicate through the devices’ speakers.
From hardware and software to configuration and end-user security, there are multiple potential vulnerabilities in IoT electronics. How can manufacturers and consumers improve the security posture of connected everyday devices? The growing demand for new device technology often means that security is a secondary concern. Companies may also hesitate to perform security patches, preferring risk to service interruption. In a recent device survey conducted by ISACA, 78% of consumers stated that security is insufficient. These worries, coupled with the global rise in hacking attempts, require the development of IoT security frameworks, secure programming best practices and end-user education.
Manufacturers must take proactive security steps such as encrypting data transfers, following security framework best practices, developing with secure coding techniques and executing penetration testing on hardware and software. In addition, software patching and maintenance must be transparent – relieving the consumer of responsibility. Manufacturers can accomplish this by patching and updating software on IoT devices in a way that does not require the consumer to perform manual steps. Automated configuration and installation processes of devices offer another level of protection and eliminate user error in security settings.
Consumers can do their part in keeping connected devices and data safe by following manufacturer recommendations during the configuration and installation process. Exercising good judgment with password selection and protection is a simple, yet often overlooked, security measure. Disconnect your device and report any suspicious activity to your device manufacturer immediately.
Keep current with security news, professional development opportunities, industry analysis and more by signing up for Merit’s FREE monthly Inbox Insider report! Join here: Merit.edu/InboxInsider