Last month, researchers discovered a new weakness found in the WPA2 protocol (Wi-Fi Protected Access 2), the security method which protects all modern Wi-Fi networks, known as the KRACK security flaw. Although there is no evidence at this time that the KRACK vulnerability was maliciously exploited, this still raises many concerns for both personal and enterprise wireless devices.

What is the KRACK Security Flaw?

The KRACK security flaw, which stands for Key Reinstallation Attack, is a vulnerability that allows an attacker to break the encryption between a router and a device, allowing the attacker to eavesdrop on and interfere with network traffic. This means things like passwords, messages, notes, etc., could be intercepted by an attacker and used to access sensitive information.

The KRACK security weakness exists within what is known as the four-way handshake, the exchange a wireless client and access point use to authenticate each other and establish the encryption keys for the session. According to information released by the researchers who discovered the flaw, depending on the type of network connection, an attacker could possibly inject and manipulate data. This could result in the injection of malware that could affect both personal and enterprise devices.

What We Know About the KRACK Security Flaw

As previously mentioned, there is no evidence so far suggesting that a malicious attacker has exploited the KRACK security flaw. Additionally, the discovery was withheld from public knowledge until the appropriate vendors were notified and given the opportunity to create new security patches.

Additionally, an attacker attempting to exploit the KRACK security flaw would have to be within physical range of the wireless signal.

According to an article published by Krebs on Security, sensitive information such as email access or bank account information is likely protected with end-to-end SSL encryption (any website using https…) and should not be affected by the KRACK security flaw.

What You Can Do to Protect Against the KRACK Security Flaw

If you or your organization have yet to protect yourself against the KRACK vulnerability, there are a few things you should do today:

  1. Install appropriate vendor patches. Do some research to see what patches have been made available for your devices’ operating systems. Check out the CERT advisory to see if you are affected and if patches are available.
  2. Ensure you are using proper segmentation controls to protect your internal networks from all wireless devices.
  3. If you find there are no available patches for your devices and systems at this time, disable wireless and connect all devices via Ethernet/wired connections.

For more information on how to protect your organization from the KRACK security flaw, contact us today.


Independent Audit Verifies COPS Monitoring’s Internal Controls and Processes

KirkpatrickPrice announced today that COPS Monitoring, the largest provider of professional monitoring services in North America, has received its independent Service Organization Control (SOC) 2 Type attestation engagement report. Completion of this certification provides clear evidence of COPS Monitoring’s ongoing commitment to deliver high quality services to its clients by complying with the highest standards.

KirkpatrickPrice’s SOC 2 service audit report demonstrates that COPS Monitoring’s controls and operating effectiveness meet or exceed standards for security, systems availability, processing integrity, confidentiality, and privacy as set forth in the AICPA’s Trust Services Principles.

“The growing wake of large company data breaches provides strong evidence that it’s more important than ever to have the right controls in place,” said Jim McMullen, president & COO of COPS Monitoring. “We’ve spent millions on technology and infrastructure and will continue to do so into the future to ensure the security and reliability of our network of central stations. Our independent SOC 2 report underscores our investments and sets us apart by clearly illustrating that we have the security, systems and control procedures in place to reliably safeguard our dealers, subscribers, and their sensitive information.”

“A SOC 2 audit is especially important for companies that handle sensitive information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “COPS Monitoring delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured they’re doing business with a service provider that adheres to high auditing standards set forth by the AICPA.”

About COPS Monitoring

COPS Monitoring is the #1 provider of professional monitoring services in the United States. Its award-winning network of 6 central stations with locations in New Jersey, Florida, Arizona, Tennessee, Texas, and Maryland is the largest in the industry and is trusted by more than 3,500 independent alarm dealers to safeguard over 2.4 million homes and businesses in the United States, Canada, and Puerto Rico. COPS is UL listed, FM approved, IQ certified, TMA Five Diamond certified, and has been named Central Station of the Year by The Monitoring Association. For more information, visit www.copsmonitoring.com.

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 11 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Critical Documentation

You hear us repeat it over and over again: if it’s not written down, it’s not happening. Documentation is a critical component of any organization. Policies and procedures are vital to your business operability, business continuity, consistency within your organization, training new employees, controlling risk, meeting regulatory compliance requirements, meeting client requirements, and so much more. Policies and procedures demonstrate how you conduct your business.

What is a Policy?

A policy is an executive-level document that defines that something must be done. It is a statement of management intent. Policies are the law at your organization. An effective policy should outline what employees must do or not do, directions, limits, principles, and guides for decision making.

Policies can be rules, acceptable or unacceptable behaviors, limits, approval authorities, consequences for non-compliance, who needs to know, etc. They answer questions like: What? Why?

What is a Procedure?

A procedure is the counterpart to a policy; a policy defines that something must be done, but a procedure defines how you do it. It is the process to fulfill management intent. It is the instruction on how a policy is followed. A policy defines a rule, and the procedure defines who is expected to do it and how they are expected to do it.

Procedures answer questions like: How? When? Where?

Policy and Procedure Creation

Individuals with the appropriate authority need to be involved in drafting policies and procedures. When creating new documentation or amending the existing, there should be a process for checking for conflicts with existing documents, checking for legal requirements, and ensuring the document discusses all necessary topics. A formal review process is also necessary to keep all policies and procedures up-to-date. Policies and procedures should be reviewed at least annually.

Communication is key to putting policies and procedures into action. Even if a policy or procedure is perfectly crafted, if it’s not in effect, then it’s worthless. Policies and procedures should be documented, in use, and known to all affected parties. Your personnel must be living out what the policies and procedures require of them. It is not sufficient that you generate documentation just for the sake of an audit.

If you want to learn more about how to write effective policies and procedures, check out our Style Guide to Creating Good Policies and our Style Guide to Writing Good Procedures.

Documented policies and procedures are critical components of an effective compliance management system. In some ways, if a regulatory agency doesn’t see documentation, then they consider that a policy or procedure isn’t happening at all. Policies and procedures help create consistency and standards within an organization, and are key in training new employees. Policies and procedures are also effective in monitoring and auditing internal company practices. In order for policies and procedures to be effective, they should be reviewed whenever laws or requirements change, or at least annually.

Regardless of the size of your business or the industry you’re in, an information security program is a critical component of any organization.

A good information security program consists of a comprehensive set of information security policies and procedures, which is the cornerstone to any security initiative in your organization. Whether you’re responsible for protected health information (PHI), personally identifiable information (PII), or any other proprietary information, having a fully developed program provides you with a holistic approach for how to safeguard and protect the information for which you are responsible.

What is an Information Security Program?

An information security program is the practices your organization implements to protect critical business processes, data, and IT assets. It identifies the people, processes, and technology that could impact the security, confidentiality, and integrity of your assets.

Building an information security program means designing and implementing security practices to protect critical business processes and IT assets. These security practices that make up this program are meant to mature over time. The process of building a thorough program also helps to define policies and procedures for assessing risk, monitoring threats, and mitigating attacks.

What Does a Strong Information Security Program Look Like?

A good information security program clearly defines how your organization will keep your company’s data secure, how you will assess risk, and how your company will address these risks. Designating an information security officer can be helpful in this endeavor to help organize and execute your information security program.

A great place to start when developing an information security program is to identify the people, processes, and technologies that interact with, or could have an impact on the security, confidentiality, or integrity of your critical assets.

Why Are Information Security Policies Important to an Organization?

As mentioned before, an information security program helps organizations develop a holistic approach to securing their infrastructure, especially if regulations mandate how you must protect sensitive data. In information security, there are what are known as the pillars of information security: Confidentiality, Integrity, and Availability (CIA).

The consequences of the failure to protect the pillars of information security could lead to the loss of business, regulatory fines, and loss of reputation. Applying appropriate administrative, technical, and physical safeguards through an information security program can help you to protect the confidentiality, integrity, and availability of your organization’s critical assets.

Let’s take a look at how to protect the pillars of information security: confidentiality, integrity, and availability of proprietary data.

Confidentiality

Maintaining confidentiality is important to ensure that sensitive information doesn’t end up in the hands of the wrong people. In order to do this, access must be restricted to only authorized individuals. Some methods that could be used to protect confidentiality include encryption, two-factor authentication, unique user IDs, strong passwords, etc.

Integrity

Maintaining the integrity of sensitive data means maintaining the accuracy and authenticity of that data. This means that sensitive data must be protected from accidental or intentional changes that could taint it. File permissions and access controls are just a couple of things that can be implemented to help protect integrity.

Availability

Maintaining availability means that your services, information, or other critical assets are available to your customers when needed.

This doesn’t just apply to lost or destroyed data, but also when access is delayed. Developing a disaster recovery plan and performing regular backups are some ways to help maintain availability of critical assets.

By focusing on the protection of these three pillars of information security, your information security program can better ready your organization to face outside threats. For more information on how to develop your information security program, or for help developing your policies and procedures, contact us today.


We find that most organizations tend to focus on becoming compliant rather than being secure. And while meeting client requirements and industry regulations is very important, it does not necessarily guarantee that your organization is secure. If your entire information security program is based on “What must we do to be compliant?”, you are probably overlooking some major holes in your security infrastructure. So, what is the key to finding the balance between compliance and security? Let’s look at some recent examples to learn more.

Finding the Balance Between Compliance and Security

If you keep up with the headlines on recent data breaches, you’ll notice that several organizations that have experienced breaches of cardholder data, protected health information, or personally identifiable information have something in common – they were all declared compliant. However, they were lacking the necessary security controls to prevent a major data breach from occurring. So, what else should we be doing when compliance doesn’t seem to be enough?

4 Ways to Ensure Security and Maintain Compliance

When you look at the big picture, you’ll come to understand that compliance is a reporting function and the way in which your organization demonstrates that your information security program meets a specific set of requirements. If you’re simply checking the box for the sake of compliance, there’s a big chance you may miss something. However, if the focus of your organization is security, then the compliance piece will fall into place. Here are four things your organization can do to ensure security and maintain compliance:

1. Secure Software Development

Secure software development is imperative to any information security program. While many industry standards mandate secure software development, they don’t always give clear instructions on how. Maintaining a software development life cycle (SDLC) helps to establish a framework that defines each task that should be performed during each step in the software development process. The purpose of an SDLC is to help maintain a secure environment that supports business needs; it comprises the policies, procedures, and standards that describe how to develop, maintain, and replace specific software. By utilizing an SDLC in your secure software development process, you can ensure security and maintain compliance.

2. Encryption and Key Management

If you are encrypting data, it’s important to evaluate any sensitive data that may be in your environment and ask yourself if you truly need the data. Is it absolutely necessary for your business practices? If not, it needs to be securely purged. This will help to eliminate any unnecessary risk to your organization. Your encryption key management program needs to be fully documented. As part of this program you must be generating strong keys and ensuring secure key distribution. Keys must also be protected during storage with a key-encrypting key, they must be replaced when they are weakened or suspected of compromise, and there must be a process in place to prevent unauthorized key substitution. Implementing these practices can help to ensure security and maintain compliance with applicable frameworks.
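The three storage requirements above (a key-encrypting key over every stored data key, replacement of a weakened KEK, and a guard against key substitution) as an added Go example using the standard library’s AES-GCM; this is not code from the original post or from KirkpatrickPrice, and the Keyring, WrappedKey and slot names are assumptions for the illustration, not a real KMS interface.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// WrappedKey is the only form in which a data-encryption key (DEK) is stored at
// rest: sealed under a key-encrypting key (KEK) named by KEKID, for one named slot.
type WrappedKey struct {
	KEKID, DEKID  string // both labels are bound into the AEAD tag
	Nonce, Sealed []byte
}
type Keyring map[string][]byte // KEK version id -> 32-byte AES-256 key (assumed layout)

func aeadFor(ring Keyring, kekID string) (cipher.AEAD, error) {
	kek, ok := ring[kekID]
	if !ok {
		return nil, errors.New("unknown KEK id " + kekID)
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap seals dek under KEK kekID for slot dekID; the labels are associated data.
func Wrap(ring Keyring, kekID, dekID string, dek []byte) (*WrappedKey, error) {
	aead, err := aeadFor(ring, kekID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, dek, []byte(kekID+"|"+dekID))
	return &WrappedKey{KEKID: kekID, DEKID: dekID, Nonce: nonce, Sealed: sealed}, nil
}

// Unwrap yields the DEK only if the blob authenticates for the slot the caller expects,
// so a blob lifted from another slot or relabelled to another KEK fails the tag check.
func Unwrap(ring Keyring, w *WrappedKey, expectDEKID string) ([]byte, error) {
	aead, err := aeadFor(ring, w.KEKID)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, w.Nonce, w.Sealed, []byte(w.KEKID+"|"+expectDEKID))
}

// Rewrap is the rotation step for a weakened or suspect KEK: the DEK is re-sealed
// under the new KEK; the data it protects does not have to be re-encrypted.
func Rewrap(ring Keyring, w *WrappedKey, newKEKID string) (*WrappedKey, error) {
	dek, err := Unwrap(ring, w, w.DEKID)
	if err != nil {
		return nil, err
	}
	return Wrap(ring, newKEKID, w.DEKID, dek)
}
```

Once every blob has been rewrapped under the new KEK, the old KEK is removed from the keyring so that blobs still naming it can no longer be opened.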

3. Hardening and System Patching

As auditors, we find that about 75% of the assessments we perform have a finding related to patching. Patch management is only part of an overall program that your organization needs to implement. Your patch management program should include policies and procedures on how updates are deployed, the frequency with which items will be reviewed, the timing requirements for deploying a critical patch, and the testing requirements and methods. It should also name the tools that will be used to identify missing patches or vulnerabilities and require that staff be sufficiently trained to address identified issues; the broader program also covers anti-virus, file integrity monitoring (FIM), and log review. Your vulnerability identification program is a great way to ensure security and maintain compliance. Your program should involve monitoring multiple sources for known vulnerabilities, monitoring vendor sites for patches and updates, risk ranking identified vulnerabilities as they apply to your organization, and finding ways to identify zero-day attacks.

4. Firewall and Router Management

Organizations today should use data breach examples as motivation to focus on maintaining a secure environment, rather than just focusing on becoming compliant. Firewall and router management are important aspects to focus on when maintaining a secure environment. When thinking about best practices for firewall and router management, it’s important to look at your networking gear as a whole. Managing the security of a device goes much further than the device itself. Three areas to focus on when managing your firewall and router security are the security of physical devices, operating system security, and maintaining secure traffic rules.

Implementing these four practices into your organization’s security posture can help prevent your organization from being the next major headline. Focusing on security rather than compliance will help ensure that your organization can withstand a malicious attack, while the compliance function still falls into place. For more information on enhancing the security posture at your organization, contact us today.
