Staying Secure While Working from Home

When your employees begin working remotely, they face a number of new security threats. You may already have thorough information security policies and procedures in place at the office, but those detailed security controls don’t always transfer to remote work. To mitigate vulnerabilities and protect your remote employees from malicious attacks, make sure you’re following these five tips for remote employees and remote workplaces.

5 Work from Home Security Tips

  1. Provide training on security and technology – The first secure work from home practice is to train your employees on security protocols, technology use, and basic communication tools. Include instructions on securing home WiFi routers, using MFA, connecting through a VPN, and any other relevant security processes in your training. You should also encourage or require your employees to complete training that is specific to work from home environments. KirkpatrickPrice’s Security Awareness Training can give you the tools to equip your remote employees with secure, up-to-date practices.
  2. Reset default passwords and implement MFA – Default passwords on home routers, passwords that don’t meet industry best practice guidelines, and insecure storage of passwords are major security threats. By performing a password audit and implementing MFA for all devices, you’re increasing the security of the information your remote employees store.
  3. Back up data to the cloud – The beauty of the cloud is that it gives remote employees a place to back up their work regularly and securely. Schedule automatic backups so that you don’t have to rely on employees to start the backup process on their own. Don’t forget to apply cloud security best practices so the data you’re storing in the cloud isn’t exposed to threats.
  4. Update all software and patch vulnerabilities regularly – The latest antivirus, firewall, web filtering, and encryption updates need to be applied regularly to keep your remote employees’ devices and applications secure. Follow the same schedule for software updates and patch management in a remote workplace as is written in your company-wide security policy. Keep an eye out for vulnerabilities in the new tools you’re using. For example, with so many new users on Zoom, it was fortunate that security researchers discovered a then-unpatched bug in the Zoom Windows client that allowed UNC path injection: a UNC path pasted into a meeting chat was rendered as a clickable link, and clicking it could send the user’s Windows login name and NTLM password hash to an attacker-controlled server. Zoom has since patched it.
  5. Engage in penetration testing to assess your remote security – Penetration testing is beneficial to your organization because it gives you the opportunity to find gaps in your network, applications, and code before an attacker does. For remote work, IT staff will often opt for quick solutions rather than the most secure ones. Penetration testing checks their work and helps you ensure your remote employees are operating securely.

Policies You Need to Implement for a Secure Remote Workplace

With the increase in remote workplaces comes a number of policies that need to be updated to encourage productivity, security, and efficiency. The information security policy you’ve developed for your company should be adjusted to fit the needs of your remote employees, with a deeper focus on remote security. Take a look at this list of relevant policies you should develop for remote employees:

  • Equipment Access Policy
  • Physical Security Policy (Remote Office)
  • Acceptable Use Policy
  • Password Protocols
  • Remote Access Policy
  • Network Security Policy
  • Hours of Availability Policy
  • Response Rate/Communication Policy
  • Confidentiality Policy
  • Encryption Policy

If you need help developing a set of information security policies that address the issues you may find in a remote workplace, along with other work from home procedures, KirkpatrickPrice is here to help. Our information security experts are available to discuss your organizational needs and help you develop policies and procedures that will keep you secure. Contact us today to learn more.

More Resources

Are Your Remote Employees Working Securely?

Security Awareness Training Compliance Requirements: SOC 2, PCI, HIPAA, and More

15 Must-Have Information Security Policies

5 Common Cloud Security Misconfigurations for AWS

Security incidents caused by misconfigurations in the cloud happen every single day. In fact, DivvyCloud reports that over the last two years, 33 billion records have been exposed because enterprises struggle to implement proper cloud security. When you take that number and consider Ponemon’s research, which estimates the average cost per compromised record is $150, that means cloud security misconfigurations have cost companies worldwide nearly $5 trillion since 2018.

Misconfigurations in AWS can have serious consequences, but they’re completely avoidable when you have the right resources to guide you. Let’s discuss five misconfigurations that our auditors see over and over again in AWS environments: IAM policy errors, incorrect security group attachments, deployment pipeline misconfigurations, backup storage location misconfigurations, and S3 bucket misconfigurations.

IAM Policy Errors

IAM is one of the most complex services within AWS. It controls who has access to which resource, so it’s an incredibly important aspect of cloud security. The IAM misconfigurations our auditors see most often include:

  • Lack of MFA on IAM users and on the root account
  • Not following password best practices (password policy length, reuse, and expiration)
  • Keeping unused credentials instead of disabling them
  • Not understanding role assumption or how it’s logged in CloudTrail
  • Attaching IAM policies directly to users instead of to groups or roles
  • Not rotating access keys at least every 90 days
  • EC2 instances given the wrong level of access to resources, for example long-lived access keys on the instance instead of an instance profile role
  • Granting all privileges to all users instead of applying the principle of least privilege
  • Resource-based policies that are not scoped to a clearly defined resource
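
Several of the items above can be caught mechanically by reading the policy document itself. The following is an added example, not KirkpatrickPrice’s tooling or anything from this page: a small Python lint that flags full-admin and service-wide wildcards, Resource "*", Allow-with-NotAction, and privileged actions that lack an MFA condition. The three sample policies are constructed (the account ID and bucket name are made up), and the checks are a subset of what the CIS AWS Foundations Benchmark and IAM Access Analyzer look for.

```python
"""Lint IAM policy documents for the permission errors listed above.

Added example, not KirkpatrickPrice's tooling. The three policies at the
bottom are constructed sample documents; the checks mirror a subset of what
the CIS AWS Foundations Benchmark and IAM Access Analyzer flag.
"""
import json

# Services where an unconditioned Allow is most dangerous: anything here can
# mint new credentials, assume other roles or unlock encrypted data.
PRIVILEGED_SERVICES = {"iam", "sts", "kms", "organizations"}


def _as_list(value):
    """Action, Resource and Statement may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(condition: dict) -> bool:
    """True if any condition operator tests aws:MultiFactorAuthPresent."""
    return any(
        "aws:MultiFactorAuthPresent" in keys
        for keys in condition.values()
        if isinstance(keys, dict)
    )


def audit_policy(policy: dict) -> list[str]:
    """Return human-readable findings for one policy document (empty = clean)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"stmt {idx}: Allow with NotAction grants everything not listed")
        if "*" in actions and "*" in resources:
            findings.append(f"stmt {idx}: full administrator access (Action * on Resource *)")
        else:
            wild = sorted(a for a in actions if a == "*" or a.endswith(":*"))
            if wild:
                findings.append(f"stmt {idx}: service-wide wildcard actions {wild}")
            if "*" in resources:
                findings.append(f"stmt {idx}: Resource * instead of specific ARNs")
        privileged = sorted(
            a for a in actions if a == "*" or a.split(":")[0] in PRIVILEGED_SERVICES
        )
        if privileged and not _requires_mfa(stmt.get("Condition", {})):
            findings.append(f"stmt {idx}: privileged actions {privileged} allowed without an MFA condition")
    return findings


def audit_policy_json(document: str) -> list[str]:
    """Same check on a raw JSON string (what get_policy_version returns, URL-decoded)."""
    return audit_policy(json.loads(document))


# Constructed sample policies; the account ID and bucket name are made up.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SERVICE_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-uploads/*",
        },
        {
            "Effect": "Allow",
            "Action": "iam:ChangePassword",
            "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
}

if __name__ == "__main__":
    samples = [("overly broad", OVERLY_BROAD), ("service wildcard", SERVICE_WILDCARD),
               ("least privilege", LEAST_PRIVILEGE)]
    for name, doc in samples:
        print(name, "->", audit_policy(doc) or "clean")
```

Policies attached directly to users, unused credentials and access key age are not visible in the policy document; those come from the IAM credential report (aws iam generate-credential-report) and from listing each user’s attached policies, not from the policy JSON.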

Incorrect Security Group Attachments

Are the right AWS security groups attached to the right EC2 instances? A security group works much like a firewall: it filters inbound and outbound traffic for the instances it is attached to based on its rules, so an instance carrying the wrong group inherits every port that group opens. This misconfiguration shows up especially when default security groups are involved.

Our auditors see incorrect security group attachments often. To avoid this common AWS misconfiguration, you must fully understand security groups: which rules each group contains, and which groups each instance actually carries.
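
As an added example (not the page’s or KirkpatrickPrice’s code), the check below walks a snapshot of security groups and instances in the shape that boto3’s describe_security_groups and describe_instances return, and reports admin ports or all traffic open to the whole internet, a VPC default group that still carries rules, and any instance attached to that default group. The snapshot is constructed; group IDs, instance IDs and addresses are made up.

```python
"""Check security group rules and which groups EC2 instances actually carry.

Added example, not the page's code. SAMPLE_GROUPS and SAMPLE_INSTANCES are
a constructed snapshot in the shape boto3's describe_security_groups and
describe_instances return; nothing here talks to AWS.
"""
ADMIN_PORTS = {22, 3389}              # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _open_to_internet(rule: dict) -> bool:
    """True if any IPv4/IPv6 source range in the rule is the whole internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def audit_security_groups(groups: list[dict], instances: list[dict]) -> list[str]:
    """Return findings for risky ingress rules and default-group usage."""
    findings = []
    by_id = {g["GroupId"]: g for g in groups}
    for g in groups:
        label = f"{g['GroupId']} ({g['GroupName']})"
        for rule in g.get("IpPermissions", []):          # ingress rules only
            if not _open_to_internet(rule):
                continue
            proto = rule["IpProtocol"]
            if proto == "-1":                            # all protocols, all ports
                findings.append(f"{label}: all traffic open to the internet")
                continue
            if proto not in ("tcp", "udp"):              # ICMP etc. carry no ports
                continue
            lo, hi = rule["FromPort"], rule["ToPort"]
            exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            if exposed:
                findings.append(f"{label}: admin ports {exposed} open to the internet")
        # CIS: the VPC default group should carry no rules at all, so that an
        # instance launched without an explicit group is allowed nothing.
        if g["GroupName"] == "default" and (g.get("IpPermissions") or g.get("IpPermissionsEgress")):
            findings.append(f"{label}: default group still has rules")
    for inst in instances:
        for sg in inst.get("SecurityGroups", []):
            if by_id.get(sg["GroupId"], {}).get("GroupName") == "default":
                findings.append(f"{inst['InstanceId']}: attached to default security group {sg['GroupId']}")
    return findings


# Constructed snapshot (IDs and addresses are made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0b2", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
    {"GroupId": "sg-0c3", "GroupName": "default",
     # An untouched default group: allow all from itself, allow all egress.
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0c3"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0d4", "GroupName": "legacy-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "SecurityGroups": [{"GroupId": "sg-0a1", "GroupName": "web-public"}]},
    {"InstanceId": "i-0bbb", "SecurityGroups": [{"GroupId": "sg-0c3", "GroupName": "default"}]},
]

if __name__ == "__main__":
    for line in audit_security_groups(SAMPLE_GROUPS, SAMPLE_INSTANCES):
        print(line)
```

The bastion group passes because SSH is restricted to one office range; the same port open to 0.0.0.0/0 on the web group is the finding. Note that the check only reads ingress rules for exposure and only looks at egress to decide whether the default group has been left as AWS created it.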

Deployment Pipeline Misconfigurations

In the DevOps model, you live and die by your deployment pipeline. When your developers aren’t aligned with security standards or your CI/CD pipeline isn’t implemented and secured properly, it can lead to critical consequences.

Backup Storage Location Misconfigurations

When it comes to backup storage locations, we find that people often forget about the security of the backups themselves. Knowing where your backups are going and what security policies apply there is critical. Let’s say you have a backup storage bucket: are you checking the policies on that bucket? Does the organization’s encryption policy extend to backups? Questions like these need to be asked to secure backups appropriately.

S3 Bucket Misconfigurations

Symantec reports that in 2018, more than 70 million records were stolen or leaked from S3 buckets as a result of poor configuration. AWS says that the top five S3 security concerns are:

  • Public access to S3 buckets
  • Not using server-side encryption (with S3-managed or KMS-managed keys)
  • Not encrypting S3 data in transit
  • No familiarity with how S3 versioning and S3 lifecycle policies work
  • Not enabling or analyzing S3 access logging
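
The backup-bucket questions in the previous section and AWS’s five S3 concerns above can be turned into a single check. The following added example (not from the page, KirkpatrickPrice or AWS) audits one bucket’s configuration from constructed snapshots of what boto3’s get_public_access_block, get_bucket_policy, get_bucket_encryption, get_bucket_versioning and get_bucket_logging return; the bucket names, account ID and KMS key ARN are made up. It is shown against a database backup bucket before and after hardening.

```python
"""Audit one S3 bucket's configuration for public access, encryption at rest
and in transit, versioning and access logging.

Added example, not the page's code. BACKUPS_BEFORE and BACKUPS_AFTER are
constructed snapshots assembled from the responses of boto3's
get_public_access_block, get_bucket_policy, get_bucket_encryption,
get_bucket_versioning and get_bucket_logging; names and ARNs are made up.
"""
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone on the internet."""
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def _denies_plain_http(policy: dict) -> bool:
    """Look for the standard Deny that fires when aws:SecureTransport is false."""
    for stmt in _as_list(policy.get("Statement")):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and cond.get("aws:SecureTransport") == "false":
            return True
    return False


def audit_bucket(name: str, cfg: dict) -> list[str]:
    """Return findings for one bucket (empty list = nothing to fix)."""
    findings = []
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(flag) for flag in PAB_FLAGS):
        findings.append(f"{name}: S3 Block Public Access not fully enabled")
    policy = cfg.get("Policy")
    for stmt in _as_list((policy or {}).get("Statement")):
        if stmt.get("Effect") == "Allow" and _anonymous(stmt.get("Principal")):
            findings.append(f"{name}: bucket policy allows anonymous {stmt.get('Action')}")
    if not policy or not _denies_plain_http(policy):
        findings.append(f"{name}: plain-HTTP access not denied (no aws:SecureTransport condition)")
    if not cfg.get("ServerSideEncryptionConfiguration"):
        findings.append(f"{name}: no default server-side encryption (SSE-S3 or SSE-KMS)")
    if cfg.get("Versioning", {}).get("Status") != "Enabled":
        findings.append(f"{name}: versioning not enabled (no protection against overwrite or deletion)")
    if not cfg.get("LoggingEnabled"):
        findings.append(f"{name}: server access logging disabled")
    return findings


BUCKET = "example-db-backups"                       # constructed name
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# A backup bucket as scripts often leave it: partial public-access block,
# a policy that lets anyone read, no encryption, versioning or logging.
BACKUPS_BEFORE = {
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"},
    ]},
}

# The same bucket after hardening.
BACKUPS_AFTER = {
    "PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS},
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]},
    "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"}}]},
    "Versioning": {"Status": "Enabled"},
    "LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "db-backups/"},
}

if __name__ == "__main__":
    print("before:", audit_bucket(BUCKET, BACKUPS_BEFORE))
    print("after:", audit_bucket(BUCKET, BACKUPS_AFTER) or "clean")
```

AWS now turns on S3 Block Public Access and SSE-S3 default encryption for newly created buckets, so the first and fourth checks matter most for older buckets and for backup buckets created by scripts that predate those defaults; the transit, versioning and logging checks are still opt-in everywhere.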

Why We Chose These Misconfigurations

In the AWS Shared Responsibility Model, AWS is responsible for security “of” the cloud and customers are responsible for security “in” the cloud. AWS considers configuration management a shared control, explaining, “AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.” This means you, as the AWS customer, cannot depend on AWS’ security practices alone when it comes to configuration. You can avoid the consequences of misconfigurations when you properly understand and configure IAM, security groups, deployment pipelines, backups, and S3 buckets.

At KirkpatrickPrice, we’ve created a framework for cloud security audits based on the CIS Benchmark and other industry standards. We hire technologists, then train them to be auditors – and this increases the value and quality of our AWS audits. Contact us today to begin testing your cloud security measures and discover if your AWS environment has any of these common misconfigurations.

More Cloud Security Resources

AWS Security for S3 and EC2

AWS Security Checklist

AWS Security Best Practices

5 Key Areas of Cloud Security

Data breaches are on the rise worldwide and across cloud platforms – which is why we talk about cloud security within AWS, Azure, and Google Cloud so often. As more and more organizations migrate sensitive information and services to cloud environments, it should drive customers to consider how the cloud will impact their privacy, security, and compliance efforts.

In a KirkpatrickPrice cloud security audit, controls are tested against our framework, which is based on the CIS Benchmarks for AWS, Azure, and Google Cloud. These audits use our audit delivery tool, the Online Audit Manager, and the framework assesses five key areas of cloud security:

  1. Identity and Access Management
  2. Securing Data in the Cloud
  3. Securing the Operating System
  4. Protecting the Network Layer
  5. Managing Security Monitoring, Alerting, Audit Trail, and Incident Response

As you work to make your cloud infrastructure as secure as it can be, we encourage you to spend extra time in these five areas so that you can strengthen your overall security posture.

Identity and Access Management

IAM is central to a secure environment. Role-based access control and the principle of least privilege have been perennial tenets of access control, and with the rise of cloud infrastructure deployments this is even more true. In fact, Microsoft’s Azure guidance says that cloud customers should treat identity as the primary security perimeter, because it governs who has what access to which resource. IAM security measures include MFA implementation, password management, creating and disabling credentials, role-based access controls, segregation of environments, and monitoring of privileged account activity.

Securing Data in the Cloud

To secure the data in your cloud, you must consider the security of data in all states – at rest, in transit, and in use – and who is responsible for each. The shared responsibility model has become the paradigm that defines interactions with cloud resources and who is responsible for data security. Proper encryption and proper key management within AWS, Azure, and Google Cloud are the two critical areas of data security in the cloud.

Securing the Operating System

No matter which operating system your cloud provider supports, maintenance, proper configuration, and patching strengthen the security of that operating system. Scheduling maintenance windows, staying current with system configuration requirements, and establishing a patch baseline are integral components of cloud security that your organization must be vigilant in implementing, especially given the current cyber climate, where malicious individuals and organizations are quick to exploit vulnerabilities.

Protecting the Network Layer

Network security is how you protect resources from unauthorized access. It can be a challenging task because it requires an understanding of the connectivity between resources. Having a plan of action that identifies where segmentation is required, how connectivity will be implemented, and how the network will be kept clean over time is critical for securing your organization’s environments.

Managing Security Monitoring, Alerting, Audit Trail, and Incident Response

Without a proper monitoring program, you won’t have the insight to recognize security incidents or anything else going wrong within your cloud infrastructure. Monitoring is critical for operational oversight. Make sure the right data points feed your security information and event management (SIEM) tooling and that its correlation rules are tuned for your environment. No matter which cloud provider you choose, use its monitoring and logging features (CloudTrail and CloudWatch in AWS, for example), and enable notifications for things like unexpected configuration changes and authentication failures.
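
To make the last point concrete, here is an added example (not the page’s or KirkpatrickPrice’s code) of the two notifications it mentions, written as detections over CloudTrail records: a burst of failed console logins from one source address, and sensitive configuration changes or any use of the root account. RECORDS is a constructed list in CloudTrail’s JSON shape with made-up times, users and addresses; in production the same functions would run over the events CloudTrail delivers to CloudWatch Logs or your SIEM.

```python
"""Two detections over CloudTrail records: bursts of failed console logins,
and sensitive configuration changes or root-account use.

Added example, not the page's code. RECORDS is a constructed list in
CloudTrail's JSON shape; times, users, account ID and addresses are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# API calls whose appearance should page someone: a subset of the events the
# CIS AWS Benchmark recommends CloudWatch metric filters for.
SENSITIVE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy",
    "StopLogging", "DeleteTrail", "UpdateTrail",
    "CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
}


def _ts(record: dict) -> datetime:
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=10)) -> list[str]:
    """One alert per source IP with >= threshold failed ConsoleLogin events in any window."""
    by_ip = defaultdict(list)
    for r in records:
        failed = r.get("responseElements", {}).get("ConsoleLogin") == "Failure"
        if r["eventName"] == "ConsoleLogin" and failed:
            by_ip[r["sourceIPAddress"]].append(_ts(r))
    alerts = []
    for ip, times in sorted(by_ip.items()):
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            minutes = int(window.total_seconds() // 60)
            alerts.append(f"{ip}: {best} failed console logins within {minutes} minutes")
    return alerts


def sensitive_activity(records) -> list[str]:
    """Alert on configuration-changing API calls and on any use of the root account."""
    alerts = []
    for r in records:
        who = r["userIdentity"].get("userName") or r["userIdentity"]["type"]
        if r["eventName"] in SENSITIVE_EVENTS:
            alerts.append(f"config change: {r['eventName']} by {who} at {r['eventTime']}")
        if r["userIdentity"]["type"] == "Root":
            alerts.append(f"root account used: {r['eventName']} at {r['eventTime']}")
    return alerts


def run_detections(records) -> list[str]:
    return failed_login_bursts(records) + sensitive_activity(records)


def _login(time, user, ip, ok):
    """Build a constructed ConsoleLogin record in CloudTrail's shape."""
    return {"eventTime": time, "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": user}, "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"}}


RECORDS = [
    _login("2020-04-20T13:00:05Z", "alice", "198.51.100.7", False),
    _login("2020-04-20T13:00:40Z", "alice", "198.51.100.7", False),
    _login("2020-04-20T13:01:12Z", "bob", "198.51.100.7", False),
    _login("2020-04-20T13:02:50Z", "alice", "198.51.100.7", False),
    _login("2020-04-20T13:03:00Z", "dave", "192.0.2.44", False),   # one-off typo, no alert
    _login("2020-04-20T13:04:10Z", "alice", "198.51.100.7", True),
    {"eventTime": "2020-04-20T13:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2020-04-20T13:25:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.9"},
]

if __name__ == "__main__":
    for line in run_detections(RECORDS):
        print(line)
```

The single failure from 192.0.2.44 stays below the threshold, which is the point of counting per source within a window rather than alerting on every failed login. StopLogging is worth two alerts here: it is a logging change in its own right, and it was done as root, which should never happen in day-to-day operation.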

More Cloud Security Resources

Who’s Responsible for Cloud Security?

AWS Security for S3 and EC2

Best Practices for Configuring Your AWS Perimeter

Vendor Due Diligence During a Crisis

For years, businesses have relied on third-party vendors to provide critical business functions, and this is especially true today as the surge of remote workers continues and third-party vendors work tirelessly to meet the influx in demand. Third-party vendors are also doing what they can to help offset the impact of the health crisis by banding together to offer free products and services. As we all adjust to social distancing and working from home, telecommunication and collaboration providers like Microsoft, Google, Slack, Cisco, LogMeIn, and Zoom have tried to make it easier for people to connect by offering part of their services for free. Other software and technology providers are giving free access to premium-level products. However, as remote work becomes the new norm, these “free” services might turn out to be more harmful than helpful if you don’t know what to look for before you partner with a vendor. As businesses across the globe take advantage of waived sign-up fees, longer free trial periods, and suspended payments during this time of uncertainty, they also need to be cautious about who they’re really partnering with.

What Should You Be Looking for When You Partner with Third-Party Vendors?

No matter what is going on in the world, third-party vendors will always introduce additional risk into your environment. With the uncertainty of how long the coronavirus pandemic will last, it’s more important than ever to analyze what those risks are and how they could impact the continuity of your business. Here’s how you can do it.

  1. Start with the general information. Get to know the business before you sign up for anything! What is their mission statement? Does it align with yours? What are all of the services they offer? What does the company structure look like? Where are they located? How will the services continue during a WFH environment?
  2. Conduct a financial review. As the economy continues to be in distress, can you rely on the vendor to stay in business? Are they stable enough? What would be the impact to your company if they went out of business?
  3. Determine the reputational risk. Is this a well-respected company? How could partnering with them potentially damage your organization in the future?
  4. Verify insurance. A lot is out of our control right now. If you decide to partner with a third-party vendor, insurance is a necessity. You should validate that your vendor has general liability and cybersecurity insurance, as well as insurance related to any specific services.
  5. Perform an information security technical review. Now is not the time to skip steps and lack thoroughness. If you’re trusting a third-party vendor with your critical assets, you need to know what their security hygiene looks like.
  6. Review policies. To ensure you know exactly how your vendor conducts business, be sure to review their policies.

Case Study: Zoom’s Mishap

Zoom offers a variety of collaboration tools, but over the last few weeks the company has seen demand for its services like never before, after it announced that many of them would be free. Scaling from 10 million to 200 million daily users made it quite likely that Zoom would become an instant target for data breaches. And it did. Over the last few weeks, it seems like Zoom has faced a new security challenge every day, from “Zoombombing” to lawsuits to a ban for Google employees. This has left Zoom hurrying to remediate the exploited vulnerabilities and has left millions of users’ security compromised.

There is a silver lining in all of this, though. The security incidents coming from Zoom have exposed the heightened need for consumers and businesses to analyze – or even scrutinize – any third-party vendor they work with.

Don’t let this time of fear of the unknown keep you from being vigilant when it comes to protecting your business and employees against cyber attacks. Make sure you do your due diligence when partnering with third-party vendors, no matter what’s going on in the world. Contact us now to find out how we can help.

More Vendor Due Diligence Resources

What to Look for in a Quality Vendor

How to Read Your Vendor’s SOC 1 or SOC 2 Report

Vendor Compliance Checklist

Common Gaps in Vendor Compliance Management

Security Awareness Training Tools You Need

Security awareness is important. That’s not a new concept to anyone in IT, or even to employees who have had to complete some level of security awareness training. But how can you ensure your security awareness training program is meeting industry standards? How can you get the most out of the training your employees complete? In a time when many people are transitioning to remote workplaces and work from home setups, how can you conduct security awareness training for remote employees? Let’s talk about the tools you need and how they can give your organization the upper hand it needs to combat security threats.

Why Security Awareness Training is Important

Shred-it’s 2019 Data Protection Report claims that 47% of C-suite executives who reported a breach cited human error, employees, or insiders as the main cause. The realization that nearly half of these reported breaches were caused simply by employee error should encourage all organizations to implement effective security awareness training, especially with the looming threats that come with remote workplaces.

Additionally, security awareness training is required to comply with PCI DSS, SOC 2, HIPAA, and other frameworks and regulations. The training you conduct should touch on topics like a clean desk policy, BYOD policy, data management, removable media, safe internet tips, physical security controls, phishing, social network threats, password security, social engineering, and malware.

4 Accessible Security Awareness Training Tools

You know you need to implement quality security awareness training, but how can your employees complete the training? Luckily, there are a number of great online resources you can use to ensure a high level of training. Without the need for in-person training, you can conduct the annual online training for your remote employees conveniently. We’ve put together a list of 4 accessible security awareness tools you can use to conduct your own security training.

  1. Inspired eLearning: KirkpatrickPrice uses the capabilities of Inspired eLearning’s Cybersecurity Awareness Training to train our own employees, but also to help our clients. When you share a desire to engage in security awareness training with KirkpatrickPrice, you can expect us to utilize this thorough and effective online tool.
  2. Proofpoint: The interactive tools Proofpoint’s Security Awareness Training uses in its program allow for hands-on training that should prepare your employees to recognize various common security attacks.
  3. Enterprise Integration: EI’s Security Awareness Training is personalized to meet your training needs, whether you’re a small institution or a large company. This training tool could be the resource your organization needs.
  4. KnowBe4: KnowBe4’s ASAP tool is an automated security awareness program builder which builds a customized training program for your organization. To develop a program that is built according to your specific requirements, KnowBe4’s tool provides actionable tasks, helpful tips, coursework suggestions, and a management calendar.

The online access to these security training resources makes the task of implementing regular security awareness training simple. While many of your employees are in a work from home atmosphere, now is the perfect time to focus on accessible security awareness training. Make sure your remote employees have the right tools to keep your organization secure.

How KirkpatrickPrice Can Help

KirkpatrickPrice offers various courses that touch on healthcare, privacy, security awareness, PCI, and general security training. These resources provide your organization with valuable tools to conduct thorough security awareness training for all employees, including those in remote workplaces. The value in purchasing these resources through KirkpatrickPrice is that you receive quality training tools from someone you trust. Whether you’re already in the process of completing an audit or just starting your compliance journey, security awareness training is a necessary step. Let us help you make sure your employees are up to date on security best practices. Contact us today to learn more about our security awareness training services.

More Resources

Staying Secure While Working from Home

Reviewing Your Information Security Program for 2020