A best practice that appears to be overlooked in many organizations is that of reducing your attack footprint.  During recent audits, we’ve discovered that organizations large and small are leaving themselves unnecessarily open to a security breach.  Hackers are like rock climbers.  They only need a series of small cracks within reach of each other in order to make it to the summit.

Leaving unnecessary services running on a server, not locking down internal resources and allowing egress traffic with no filtering all increase your attack footprint.  Each one makes you easier to find and easier to grab hold of, and together they let a hacker keep climbing your infrastructure without falling off or running out of ways to advance.

Read more: Reducing Your Attack Footprint

While NSA Director Admiral Rogers was providing the keynote at the ISSA International Conference last month, he made a comment that I found interesting.  He said that we can’t expect US companies to be able to continue to defend against hacking and espionage attacks from nation states.  I agree. 

Many of you may disagree and think corporate espionage is just a myth.  It is not.  It is real and costly.  For countries who rely on nationalized industries for the revenue to fund their government and military, the incentive to gain the upper hand is unparalleled.

Read more: NSA Chief Says Corporate America Shouldn’t Have To Defend Against Foreign Governments

The US Postal Service announced that a breach discovered in mid-September may have compromised the SSNs and other personal information of more than 800,000 employees.  The announcement also states that information on callers to the USPS call center may have been compromised as well.

The government of China is currently the prime suspect in the hack.  At some point these hacks are going to escalate into a full-blown cyberwar.  It’s only a matter of time before the cyberwar division of a foreign government hits pay dirt.  The president is in China this week.  How will we respond?  Will it be addressed?  Guess we’ll have to wait and see.

One of the most overlooked information security practices is the shredding of handwritten notes.  Part of our ethical hacking engagements, also known as penetration testing, is trying to discover information about the organization or system through its users.  This practice, social engineering, is a core component of an ethical hacking exercise.

Many organizations have trained their employees to shred PHI, PII, PCI and other P-whatever-I that gets printed out.  What we find, though, is that many organizations have tons of valuable information that is handwritten but never destroyed.  During social engineering tests, these handwritten notes can often be found in various trash or recycling bins.

Read more: Social Engineering Tip #43 - Shred All Handwritten Notes

October is National Cyber Security Awareness Month.  We at Integrity partner with the National Cyber Security Alliance to help promote information security awareness both at work and at home.  Take a minute to check out the Stop. Think. Connect. campaign and the Stay Safe Online campaign put together by the NCSA.

http://www.stopthinkconnect.org/

http://www.staysafeonline.org/

Do your part in keeping our children safe online.  Teach them how to protect their identity and data with smart tips that kids as young as 5 can learn.  Cyber security education works best when parents help their children learn about it.  There are multitudes of resources available.  If you need help, just contact us and we’ll provide free resources you can use to teach your child safe online habits.

The Des Moines Chapter of the Information Systems Security Association (ISSA) hosted the 3rd Annual Secure Iowa Conference on Tuesday, October 7th.  There were more than a hundred information security, risk management, audit and compliance professionals on hand for the event.  It continues to grow each year.  As the chapter president, I’m proud to say our chapter is helping to build a strong and vibrant information security community in Iowa with this conference.  Integrity is a proud sponsor of this event each year and we believe it is an important step to helping Iowa become a leader in providing a quality information security workforce.

The ISSA chapter started this conference in order to provide much-needed networking and educational opportunities to information security professionals across the state of Iowa.  While Integrity has sponsored this event each year, there are many others such as Varonis, Rapid7, OneNeck, Lightedge, Palo Alto Networks, Torus Technologies, Shazam, Fishnet Security and Alliance Technologies whose sponsorships made this year’s event a success.  Many thanks to all involved, and we’re already looking forward to reaching great heights in 2015!

I started my career in the network engineering and network administration field.  I held lots of those technical certifications from the likes of Microsoft, Novell and Cisco.  I thought I was pretty smart.  And in truth, I was.  I knew how to build a stable and reliable network that could support thousands of users across large geographic regions.  I could implement access control lists on firewalls, routers and switches.  I could provide access to resources with Active Directory or Novell Directory Services and restrict access like nobody’s business.

Problem was, I was too close to it.  I missed some of the security details because I had the same view every day.  Once I started to focus on security, I quickly realized that I was missing some design principles that could enhance the security of the system.  That’s when I decided to focus on just security.

Read more: Application Developers and Network Admins Need to Stop Pretending to Be Security Experts