Page 2 of 4

What is cloud computing?

Typically, an individual stores computer data or applications on their hard drive or on a shared local server within their organization. Cloud computing is a method of storing, processing and managing data on a remote server hosted through the internet. These remote servers are physically housed at data centers, which can be located and accessed from anywhere in the world. Two types of clouds exist; public clouds and private clouds. Data stored on a public cloud can be comingled with data from multiple organizations or individuals. A dedicated private cloud can be defined as infrastructure provisioned for a single entity, which can be located on or off premise.

How can my organization save money with cloud computing?

One major benefit of cloud computing is a reduction in technology costs. Cloud computing shifts an organization’s investment from capital expenditures to operational expenditures, and that can represent a significant savings. Storing data remotely eliminates many infrastructure purchases and reduces equipment maintenance staffing – businesses access cloud servers, rather than owning their own. In 2013, Forbes reported that the federal government saved an estimated $20.5 billion by adopting cloud computing practices.

Cloud data is accessed similarly to a utility, like electricity, in a pay-as-you-go model. Organizations use the storage space they need – scaling up and down with usage requirements. While burstable costs can be a concern, scaling models remove the guesswork from data storage infrastructure purchases.

What are the security risks?

Data breaches from successful hacking attempts are the biggest security risk with remote storage. Apple’s iCloud service, which allows its users to upload backups of images, calendars and contacts, has had a number of data breaches. In 2014, celebrities such as Jennifer Lawrence, Kirsten Dunst and Kate Upton had their images stolen from the backup located in Apple’s iCloud. The images were then distributed to the public via the internet. In 2016, more than 40 million iCloud accounts were compromised; giving the attacker access to lock and remotely wipe the mobile devices, along with placing a ransom image on their lock screen.

Successful phishing attempts are another example of a data breach caused by end users. Phishing is the criminal activity of attempting to obtain sensitive information, such as account numbers or passwords, by posing as a legitimate organization or interested party. A lack of clarity between businesses and their cloud service providers regarding incident response plans, security controls and responsibilities can also present major risk.

How can I protect my data?

The National Institute for Standards and Technology (NIST) has developed a number of free data security publications for federal agencies and private companies. These documents provide security professionals with step-by-step instructions on conducting risk management evaluations and implementing frameworks to increase data security posture. This solution is an invaluable cost-free resource for organizations that have high-level information security professionals on staff.

Businesses might consider cloud service providers that offer “zero knowledge” encryption. The providers store data without knowledge of the key, leaving only the user of the account the ability to encrypt and decrypt the information. Multifactor authentication, a security measure that requires two or more methods of authentication to verify a user’s identity, adds another layer of data protection.

For companies of any size, training is key in mitigating security threats. Human error is cited as a major contributor to data breaches. Ensuring all staff receives some form of end-user security training will limit the chances of incident.

Cyber threats are on the rise – putting businesses, dollars and real lives in grave danger. Regardless of an organization’s size, most companies deal with securing personal information, computer networks and connected devices to conduct daily operations. As cyber attacks grow in frequency and sophistication, associated costs to mitigate these attacks skyrocket. According to Gartner, the worldwide security market reached $75 billion in 2015. This spending is expected to increase in 2018 to $101 billion and reach an estimated $170 billion by 2020.

microscope photo

Using strong passwords can help protect your online accounts.

How can businesses with minimal IT and cybersecurity budgets keep up with today’s demands? Fortunately, there are a number of cost-free solutions that organizations can adopt to make a positive impact in their security program.

1. Change your password

As much as one-third of all data breaches and cyber attacks can be attributed to weak or out-of-date passwords. These breaches can be accomplished through password cracking programs, phishing attempts, theft and the illegal buying and selling of personal data. It takes more than 200 days, on average, for a victim of cyber attack to notice the breach. According to a 2015 report by TeleSign, 47% of people are using passwords that are more than five years old. Creating a strong password policy and enforcing quarterly password updates is key in defending against credential hacks.

But what exactly constitutes a “strong” password? Strong passwords include numbers, special characters, upper and lowercase letters and are more than eight characters in length. However, strong passwords can be difficult to remember. Particularly when considering that passwords should never be used in more than one place-each should be unique to that instance.

The passphrase technique utilizes an easy to remember sentence, which turns into a difficult-to-crack password. The sentence “Michigan is a great place to live and work,” could be converted into a strong password by inserting numbers and special characters, such as, “[email protected]@[email protected]!” This could be distilled into an even stronger version by shortening it to “MIiaGptl&w1.” The passphrase gives a user a mnemonic device to remember the complicated characters.

An added security measure of multifactor authentication processes should be considered at the organization level. Multifactor authentication (MFA) is a system that prevents data theft by requiring more than one source of credentials from a user or employee before they can access your data. Some of these include texting verification codes to a mobile phone, or the installation of a push-notification app, like Duo Security. Google offers free MFA solutions with their online accounts.

2. Remove administrative rights

With administrator privileges, end users have the ability to do anything they want to their device or workstation, including downloading questionable programs and applications (which may contain malware), ignoring IT policy and removing security features. UK-based Avecto states that 80% of any reported Microsoft vulnerability would be mitigated with the removal of administrative rights.

End users can also ignore needed security patches if they are granted administrative access to their device. Applying security patches through a forced update or download eliminates known vulnerabilities at the earliest possible time. Businesses should permit employees the minimum level of rights required to perform their job functions.

3. Institute IT security frameworks

According to Australia’s intelligence agency, 85% of intrusion techniques can be prevented by instituting the first few controls from their IT security framework called the Australia Signals Directorate. IT security frameworks provide a list of best practices and implementation steps for blocking and defending against the most common and damaging cyber crimes.

Some of these steps include conducting an inventory of authorized and unauthorized devices within your organization, creating secure configurations for mobile devices, workstations and servers and controlling the use of administrative privileges within your network. In addition to the Australia Signals Directorate, another free framework available online is the 20 Critical Security Controls offered by the Centers for Internet Security. This prioritized list of security measures for businesses provides a step-by-step process for effective cyber defense.

Beginning a cybersecurity program does not require an organization to spend thousands of dollars implementing controls and purchasing software. Instituting password policies, utilizing least privilege on network devices and instituting basic security frameworks will have a positive impact for your security program.

Merit Network provides consulting services, cybersecurity training and certification and community security resources. If your nonprofit needs help with your current security posture, Merit CISO Consultant Services is designed to kick-start your program by building the strategy you need to protect your customers and your business.

mel-brooks-spaceballs

In case you hadn’t heard, today is “World Password Day.” This would be a good time to go out and change your passwords. Need help on picking a new password? Head out to https://passwordday.org/ where Betty White provides best practices for cybersecurity. If you do not think Betty provided everything you need, head over to XKCD where they have one of the best comics around for choosing a secure password. https://xkcd.com/936/

Identity. Comprised of everything associated with your physical being: height, weight, hairstyle and color, voice, even where you live. You do everything in your power to protect this identity. From exercising and eating right, using alarm systems to purchasing insurance. Your physical identity has always been the way for others to validate your existence. But what about your other identity? Your online identity.

Cybercriminals and others can often find personal information about you and your family online.

Have you been notified by a family member that your email account has sent out SPAM? Was your credit card used to purchase products online and had them shipped to an unfamiliar location? Did your Facebook account start contacting friends and relatives, asking them to send you money because you are stranded overseas? These are all signs that your online identity has been stolen. Once someone assumes your online existence, they become you in the virtual world. This makes it extremely difficult for your family members, friends and co-workers to tell the difference.

There are many services and techniques which you can use to protect your online identity. I am not talking about the companies that charge a monthly fee for credit monitoring. These techniques and services can be utilized in your daily life. These include proper online account management, privacy and security, and what to watch out for in electronic communications.

Password managers and the use of multifactor authentication are essential tools for increasing the security of your online identity. Every online service you use normally requires credentials to login. As websites are maintained by different organizations, with different views of security, one must exercise good judgment when entering sensitive information and the passwords used to protect that information. Password managers such as LastPass or KeePass store your credentials separate from the web browser and in an encrypted format. That way you are able to keep track of each unique password and it is protected from hackers. Using a unique password for every website is one way of safeguarding your information. In the event your credentials are compromised on one website, those credentials cannot be used to log into other websites.

Many organizations are beginning to support the use of multifactor authentication. Multifactor authentication is categorized as, “something you have and something you know.” You may use a form of multifactor authentication every day and not realize it. When purchasing goods, or withdrawing money from an ATM, a debit card is used and requires the physical card (something you have) and it’s PIN (something you know). With online accounts, a username and password is paired with a randomized 6-digit code. That way, if your credentials are stolen for a particular website, they still are unable to log in as the attacker does not have the randomized code. Companies have a variety of ways in offering multifactor authentication to their customers. Social media services like Twitter and LinkedIn offer multifactor authentication through text messages to a validated cell phone number. Facebook utilizes its own smartphone application in order to provide this additional step of authentication. Online services such as Google, Amazon and Microsoft provide QR codes, which will configure third-party multifactor authentication services such as Duo Security.

Social media websites such as Facebook, LinkedIn and Twitter are a great way for sharing pictures and keeping in contact with friends and family. They are also a great way for someone to get information on you that you may not want others to know. A mother’s maiden name is one of the most asked questions for password resets on websites. A malicious person only has to look so far as to your online profile to figure out what that name is. Other questions such as a pet’s name, place of employment or your favorite movie can be found through sharing information on social media. Entering incorrect information into the questions for password resets is an additional way of protecting your account. Fake information, when kept secret, is only known by you which makes it difficult for an attacker to find online. Have a hard time remembering how you answered a security question to a particular site? Place that information into your password manager.

With more and more adoption of online services, your online identity is becoming as important, if not more important, than your physical identity. While adding unique per site passwords and multifactor authentication are just a few of the techniques to protect your online identity, there are many additional ways to safeguard yourself online. Take time to read through the company’s privacy and security agreement policies along with their user guides to get more information.

Have you had your online identity stolen? Had your Twitter or Facebook account compromised? Do you use the same username and password across multiple sites on the Internet? Every day, hackers are exposing weak security practices of not only company websites but also attacking online identities putting you at risk.

Having to remember multiple credentials which can require separate usernames, separate passwords, and the websites used for those credentials is a problem for everyone. Some people write them down on a piece of paper, use a text file or spreadsheet stored on their computer, or use the same credentials across all websites. These password management practices greatly increases the risk to your identity. There are a number of ways to simplify the problem by utilizing multifactor authentication or using a password management application.

Multifactor authentication is best described as something you know, something you have, or something you are. When authenticating to an application you need to use two of the three before the application allows access. This is not a new concept and if you use a debit card, you use this type of authentication all the time and may not know it. When you make a purchase or withdraw money out of an ATM you first insert your card (something you have) and then type in your pin (something you know).

The difference between your debit card and using multifactor authentication online is the pin changes at a particular interval, usually 60 seconds. Once that pin has been used, and authentication is successful, that pin cannot be re-used. This prevents someone who may have seen your username, password, and pin, so they cannot use it themselves.

Banks, social media, cloud storage companies, even Microsoft and Google have integrated multifactor authentication to their applications as they understand how important it is. Some send out text messages to a registered cellular phone while others provide the second factor through a smart phone app. There are other companies which will consolidate all the applications into one, saving you from having multiple smart apps which all do the same thing.

In the event a particular service does not provide multifactor authentication, there are password management applications that can help. These tools not only remember the username and password for a service, they will also generate secure passwords for you. These applications are independent of password managers which are part of a particular web browser and are encrypted. Some password management services sync passwords to the cloud so they are available on any device. There are password management services which provide “zero knowledge” to your information so only you have access to your credentials and allow multifactor authentication when accessing your passwords from an untrusted device.

Though these services are either free or have a low monthly cost, utilizing these tools will increase the security of your online identity.