Posts

Encrypted Backups: What They Are and How to Use Them

Today’s cyber landscape is riddled with advancing threats. From simple phishing attacks to intricate DoS attacks, businesses must ensure that the data they collect, use, store, and transmit is properly and thoroughly secured. After all, the data that companies hold is one of their greatest assets, so being aware of the consequences associated with losing that data is essential. For this reason, we believe that it’s imperative that organizations encrypt their backups. So, what are encrypted backups? What do you need to know about how to encrypt backups? Let’s discuss.

What is an Encrypted Backup?

To put it simply, an encrypted backup is an extra security measure that is used by entities to protect their data in the event that it is stolen, misplaced, or compromised in some way. Oftentimes, however, businesses confuse encryption with hashing. Let’s be clear: they are not the same.

Hashing vs. Encryption

The main difference between hashing and encryption is that a hash is not reversible. You cannot take a hash value and derive the original source. In fact, a hash acts somewhat like a fingerprint, and it is susceptible to known attacks (e.g. collisions or rainbow tables). On the other hand, encryption is reversible. The ciphertext can be turned back into the original source if the decryption key is known.

How to Encrypt Backups

There are various ways to create encrypted backups. If you’re stuck on determining how to encrypt backups, you can start by determining which method is best for your organization by considering factors such as types of data stored, environment types (cloud, hybrid, physical), personnel and technical experience, industry, applicable framework requirements, and more. The most common types of encryption are symmetric and asymmetric.

Common Types of Encryption

  • Symmetric Encryption: Symmetric key algorithms use the same cryptographic key for both encryption of plaintext and decryption of ciphertext.
  • Asymmetric Encryption: Asymmetric encryption is a form of encryption where keys come in pairs. Frequently, but not necessarily, the keys are interchangeable, in the sense that if Key A encrypts a message, then Key B can decrypt it, and vice versa. With asymmetric encryption, the public and private keys together make up the key pair: one key encrypts the data and the other decrypts it.

Framework and Legal Requirements for Encryption

While this list is not exhaustive, some of the most common framework and legal requirements for encryption include the following:

  • PCI DSS: Requirement 3.4 says, “Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: one-way hashes based on strong cryptography (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored), strong cryptography with associated key-management processes and procedures.”
  • HIPAA: According to the HIPAA Security Rule technical safeguards, 45 CFR § 164.312(a)(2)(iv) includes an addressable requirement that covered entities and their business associates, “Implement a mechanism to encrypt and decrypt electronic protected health information.” While this requirement is nebulous, you can learn more about the requirements here.
  • GDPR: Article 32(1)(a) states, “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data.”

Benefits of Encrypted Backups

It’s no secret that data is a highly sought-after asset, and malicious hackers and organizations will stop at nothing to get their hands on your organization’s data. However, internal threats are equally important to consider. But, if you’re proactive and implement robust encryption practices to protect your backups and data, you can reap many rewards. For example, IBM’s 2019 Cost of a Data Breach Report explains that “extensive use of encryption, data loss prevention, threat intelligence sharing and integrating security in the software development process (DevSecOps) were all associated with lower-than-average data breach costs. Among these, encryption had the greatest impact, reducing breach costs by an average of $360,000.” Aside from lowering the potential cost of a data breach, encrypted backups can protect your organization’s assets, position your organization as a trustworthy and reliable organization, and provide your customers with the peace of mind they deserve.

Still questioning what an encrypted backup is? Need more information on how to encrypt backups? Contact us to talk to one of our Information Security Specialists today, and let KirkpatrickPrice be your expert partner as you navigate how to ensure the security of your data through encrypted backups.

More Information Security Resources

How to Scale Your Information Security Program as You Grow

Is Endpoint Protection a Comprehensive Security Solution?

Are Your Remote Employees Working Securely?

How Your Org Chart Can Reflect a Culture of Cybersecurity at Work

The Need for a Culture of Cybersecurity at Work

According to IBM Security’s 2019 Cost of a Data Breach report, “The average total cost of a data breach in the U.S. has grown from $3.54 million in 2006 to $8.19 million in 2019, a 130 percent increase over 14 years.” What does this mean for organizations looking to prevent data breaches and security incidents? It means that in order for organizations to adequately prepare to deal with today’s cyber risks, avoid costly fines and penalties for non-compliance, and give clients the peace of mind they deserve, their corporate structure should reinforce a culture of compliance – one that is strongly embedded into the organization, clearly visible in the company’s org chart, and focused on cybersecurity.

Cybersecurity is a Company-Wide Effort

Establishing a culture of cybersecurity at work is no longer just a best practice – it’s absolutely necessary. But for many organizations, initiatives that emphasize both cybersecurity and compliance haven’t been a major focal point for departments outside of IT. Because IT has traditionally been the sole bearer of cybersecurity and compliance initiatives, cybersecurity and compliance best practices are only seen as a small component of the business strategy instead of being a strategic initiative in itself. In order to make this happen, a culture of cybersecurity should be embedded into every aspect of your organization – even in your org chart. While it will depend on factors like your organization’s size, industry, budget, or personnel experience, there are typically three ways to emphasize cybersecurity through your org chart: top-down, bottom-up, and network. Whichever way you structure it, there needs to be clear lines of communication between personnel vertically and horizontally.

3 Ways an Org Chart Reinforces Cybersecurity

Top-Down Org Chart

Perhaps the most common org chart is the top-down structure; it starts with the Board of Directors and ends with entry- or low-level employees. In order to emphasize a culture of cybersecurity at work in this org chart model, the Board of Directors needs to set the tone for compliance initiatives. This means that in the company’s business strategy, cybersecurity and compliance will be strategic initiatives and not merely a responsibility that IT reports on. A basic rendering of a top-down org chart might look something like this:

Top-Down Org Chart

Bottom-Up Org Chart

Opposite to the top-down org chart model, bottom-up org charts are less common but empower lower-level employees to take part of the culture of cybersecurity at work. In these models, low-level employees often feel like they have a greater role in creating and maintaining a culture that focuses on cybersecurity and compliance because they understand that their day-to-day tasks play a key role in the company’s overall business strategy. This org chart also opens up more lines of communication between upper management and lower-level employees, as employees are likely to feel more empowered to identify and report on issues when they know that their bosses will listen to their concerns and make corrective actions when necessary. A bottom-up org chart typically looks like an inverted pyramid, like the following:

Network Org Chart

More and more businesses are relying on third-parties to supply information security services for their organization, especially those companies who don’t have the time, budget, or personnel resources to meet their growing cybersecurity needs. But when major components of the business are outsourced, maintaining a culture of cybersecurity and compliance becomes more difficult. By developing a network org chart, businesses can clearly see where they’ve outsourced components of the business, where they’re located, who is responsible for overseeing those vendors and their compliance efforts – all while showing where in-house departments are, who oversees them, and what tasks they’re responsible for. A network org chart might look something like this:


Regardless of the org chart model your business uses, ensuring that every employee knows who they need to be communicating with is essential, especially in regard to a culture of cybersecurity at work. If you’re looking to revise your company’s org chart, let’s chat so you can find out how KirkpatrickPrice can help!

More Cybersecurity Resources

How to Lead a Cybersecurity Initiative

Auditor Insights: Compliance from the Start

Fact or Fiction: Everything You Need to Know About Leading Compliance Initiatives (Webinar)

Why is Ransomware Successful?

Ransomware is the attack method that you’ve seen over and over again in the headlines and, unfortunately, it’s not going away. Global outbreaks like WannaCrypt, Petya/NotPetya, and BadRabbit have made ransomware a household name. The FBI reports that over 4,000 ransomware attacks occur daily. With its sophistication and frequency of attacks, it makes people think – why is ransomware successful? How can it be stopped? Let’s discuss how company culture, the workforce, malicious outsiders, and proper security configurations contribute to the success of ransomware.

Culture of Apathy

I believe there is a growing apathy in our culture towards confidential data. Honestly, do people even believe data is confidential anymore? According to Pew Research Center, half of Americans feel that their personal information is less secure than it was five years ago. 64% of American adults have experienced data theft via credit card, account number, email account, social media accounts, Social Security number, loan, or tax return compromises. It has become habitual to worry about data breaches, identity theft, and other privacy concerns.

It’s not just about hackers or human error – the apathy in our culture has led to a rise in malicious insiders. Verizon’s 2018 Data Breach Investigations Report states that 28% of cyberattacks in 2018 involved malicious insiders. When Accenture surveyed 912 healthcare and payer employees in the US and Canada, they found that one in five (18%) would be willing to sell confidential data to unauthorized parties for as little as $500 to $1,000. What’s more, about a quarter of these healthcare and payer employees know someone in their organization who has sold their credentials or access to an unauthorized outsider. One out of five healthcare employees, who are responsible for protecting your data, will give it away or give access to it away.

What is your organization’s culture as it relates to information security? Are you building a control environment that will embrace, monitor, and enforce ethical practices?

Workforce Challenges

If your organization, thankfully, hasn’t faced the challenges of malicious insiders and an apathetic culture, you will probably face an ill-prepared workforce. Some things just stay the same, and human error is one of those things.

Phishing is the primary method of attack when it comes to ransomware. In 2017, the Microsoft Office 365 security research team detected approximately 180-200M phishing emails every month. Although more and more organizations are incorporating strong security measures into their strategies, it’s still easy to phish. The Microsoft Security Intelligence Report explains, “An attacker sending a phishing email in bulk to 1,000 individuals just needs to successfully trick one person to obtain access to that person’s credentials…Phishing and other social engineering tactics can be more simple and effective than other methods, and they work most of the time for more human beings. If successful, phishing is an easier way to obtain credentials as compared to exploiting a vulnerability, which is increasingly costly and difficult.” The most successful phishing attempts impersonate popular brands, users, and domains.

You may think that because millennials are becoming a larger portion of our workforce, your organization is better protected. Millennials won’t fall for phishing emails, right? They’ll be wary and spot a social engineering attempt, won’t they? Unfortunately, the data shows that adults aged between 20-29 fall victim to more fraud than adults aged over 70.

Are you providing the necessary training to the newest members of your workforce? Is your workforce your weakest link or your first line of defense?

Malicious Outsiders

Organized criminal groups aren’t stopping; they’re only getting more sophisticated. There’s obviously financial motivation, but malicious outsiders could also be motivated by a political agenda, social cause, convenience, or just for fun. We predict that US cities and the public sector will continue to be a target for malicious attacks, especially nation-states. Nation-states have a goal of disrupting public services. Hospitals, airports, police departments, educational systems, court records, water services, payment portals, technology infrastructure – these cornerstones of the public sector are under attack every day from complex cyber threats and malicious outsiders.

What should the public sector invest in? Cybersecurity awareness to citizens and elected officials, use of forensic services after incidents or breaches, cybersecurity exercises, vulnerability scanning and penetration testing, and competitive compensation for IT personnel.

Proper Security Configurations

Remote Desktop Protocol (RDP) has been called ransomware’s favorite access point – a place that’s commonly insecure and easily hacked. Even the FBI warned organizations that the use of RDP as an attack vector is on the rise. CrySiS, CryptON, Zenis, and SamSam ransomware have all used RDP to their advantage.

No type of malware completely fades away. Every threat that has ever been classified remains at large. The very first worms and malware ever written still exist and are capable of system infection. Some remain actively developed, maintained, and deployed by proficient black hat hackers. Other older viruses just persist, allowed to continue by poorly maintained systems, old distribution networks, and user complacency. Even when not actively used for data destruction, malware can remain a threat to system stability and continuity.

Do those charged with governance maintain proper security configurations according to best practices? How are your security configurations being tested and validated?

Ransomware continues to be successful because organizations don’t create a culture of defense or a sense of responsibility for data, their workforce isn’t equipped to stand up against cyber threats, the threats from malicious outsiders only persist, and proper security configurations are not implemented. How is your organization preparing itself for a ransomware attack? How will you assure your clients that their sensitive data is protected? Contact us today to implement a plan for training your workforce, changing your company culture, and strengthening your cybersecurity practices.

More Ransomware and Cybersecurity Resources

What is Cybersecurity?

When Will it Happen to You? Top Cybersecurity Attacks You Could Face

Horror Stories – 5 Cities Victimized by Cyber Threats

Ransomware Alert: Lessons Learned from the City of Atlanta

The Importance of a Culture of Compliance: CompuMail’s Insights

The Need for Security

CompuMail began pursuing comprehensive audits in 2009 to ensure efficient, compliant business operations and to maintain a strong multi-industry reputation. Since then, they’ve achieved many compliance goals and excelled to greater levels of assurance. In 2010, they achieved PCI and HIPAA compliance, and soon after, became compliant with FISMA, GLBA, and ISO 27002. Most recently, CompuMail completed further auditing and achieved SOC 1 and SOC 2 attestations. The time, financial investments, and company-wide dedication that CompuMail gives to security shows their perspective on how important security and compliance is.

CompuMail has gained invaluable insight while undergoing the audit process. CompuMail’s Chief Security Officer tells us, “We believe that undergoing annual internal and third-party audits is crucial to our business. Simply stating that you have the controls in place is unacceptable for the industries we focus on and the clients we serve.”

How to Create a Culture of Compliance

Creating a positive culture of compliance and driving cultural change within your organization requires strong leadership skills and a clear strategy. Does your organization have a person or team directly responsible for security and a compliance management system (CMS)? Having this in place can make a significant difference for your organization. CompuMail’s strategy involves an internal team dedicated to creating a culture of compliance.

Christine Fribley, CompuMail’s Chief Security Officer, is responsible for managing all data and physical security efforts across the organization. Her duties include, but are not limited to: management of CompuMail’s security certifications, conducting internal risk assessments and auditing, facilitation of vendor management function, and ensuring that security training requirements are met. The information security component of CompuMail’s CMS program is extremely vital to protecting the integrity and reputation of the organization and its clients. Leona Augerlavoie, CompuMail’s Compliance Officer, is responsible for establishing and maintaining CompuMail’s CMS. Her duties include, but are not limited to: oversight of the development, implementation and success of all required CMS elements, promotion of compliance activities in accordance with both internal and client core values, maximizing organizational integrity and quality of service, coordination of onsite audits, and maintaining current knowledge of regulatory/legal updates specific to the financial, healthcare and collection industries. This team allows CompuMail to continuously evaluate and add to their list of externally-validated certifications and standards to ensure ongoing compliance with the highest industry standards.

In addition to the above roles and responsibilities, CompuMail’s culture of compliance is reinforced through documentation. The Chief Security Officer and Compliance Officer continuously assess compliance needs and plan for risk mitigation, but they also create, modify, and uphold policies and procedures. This comprehensive documentation standard across the organization reinforces CompuMail’s culture of compliance and has allowed the establishment of strong continuous quality improvement practices.

When establishing your organization’s culture of compliance, communication and training are crucial for employee engagement. CompuMail’s Compliance Officer tells us, “CompuMail employees understand that their commitment to and cooperation with security and compliance, as well as established controls, is a critical component to their job and to our business. All CompuMail employees receive data security and compliance training immediately upon hiring and then on an annual mandatory basis. Security and compliance tips and updates are shared in monthly internal newsletters and in emails to keep compliance at the forefront.”

How Can Security and Compliance Benefit Your Clients?

Every organization wants their clients to be satisfied with the services they receive and confident that their sensitive data is secure. By achieving compliance with so many standards and frameworks, CompuMail demonstrates that they are accountable for upholding high standards of confidentiality and integrity while hosting, processing and printing clients’ data.

CompuMail’s Chief Security Officer states, “Without a doubt, the greatest security risks that we face are data breaches and identity theft. In this day and age, data security is not optional, as data breaches have become front page news stories, and identity theft and phishing scams are constant threats. CompuMail recognizes that there are numerous factors that can impact an organization’s risks, including but not limited to: culture, technology, innovation, new services, laws, rules, and regulations, as well as the existence and sufficiency of policies covering all areas of risks. Our security and compliance team is dedicated to protecting our assets and the assets of our clients, and our compliance achievements attest to the high standards that we have committed to upholding.”

More About CompuMail

Since 1994, CompuMail has been delivering innovative communication solutions and print and mail services to clients that span across multiple industries. They offer a robust list of solutions with unique platforms for service delivery that can meet all of your business essentials: physical and digital communications, data protection and secure portals, coupled with superior customer service and support. CompuMail cultivates lasting partnerships with their valued customers to ensure that they see the best possible results under the highest level of data security, at the most competitive price. Technology changes and business changes, but CompuMail’s commitment to service does not.

Find CompuMail on LinkedIn, Twitter, and Facebook.

More About Cultures of Compliance

Chief Compliance Officer Webinar Series

Creating a Culture of Compliance Within Your Organization

The Keys to a Successful Audit

4 Ways to Ensure Security and Maintain Compliance

We find that most organizations tend to focus on becoming compliant rather than being secure. And while meeting client requirements and industry regulations is very important, it does not necessarily guarantee that your organization is secure. If your entire information security program is based on “What must we do to be compliant?”, you’re probably missing some major holes in your security infrastructure. So, what is the key to finding the balance between compliance and security? Let’s look at some recent examples to learn more.

Finding the Balance Between Compliance and Security

If you keep up with the headlines on recent data breaches, you’ll notice that several organizations that have experienced breaches of cardholder data, protected health information, or personally identifiable information have something in common – they were all declared compliant. However, they were lacking the necessary security controls to prevent a major data breach from occurring. So, what else should we be doing when compliance doesn’t seem to be enough?

4 Ways to Ensure Security and Maintain Compliance

When you look at the big picture, you’ll come to understand that compliance is a reporting function and the way in which your organization demonstrates that your information security program meets a specific set of requirements. If you’re simply checking the box for the sake of compliance, there’s a big chance you may miss something. However, if the focus of your organization is security, then the compliance piece will fall into place. Here are four things your organization can do to ensure security and maintain compliance:

1. Secure Software Development

Secure software development is imperative to any information security program. While many industry standards mandate secure software development, they don’t always give clear instructions on how. Maintaining a software development life cycle (SDLC) helps to establish a framework that defines each task that should be performed during each step in the software development process. The purpose of an SDLC is to help maintain a secure environment that supports business needs and is comprised of policies, procedures, and standards that describe how to develop, maintain, and replace specific software. By utilizing an SDLC in your secure software development process, you can ensure security and maintain compliance.

2. Encryption and Key Management

If you are encrypting data, it’s important to evaluate any sensitive data that may be in your environment and ask yourself if you truly need the data. Is it absolutely necessary for your business practices? If not, it needs to be securely purged. This will help to eliminate any unnecessary risk to your organization. Your encryption key management program needs to be fully documented. As part of this program you must be generating strong keys and ensuring secure key distribution. Keys must also be protected during storage with a key-encrypting-key, they must be replaced when they are weakened or suspected of a compromise, and there must be a process in place to prevent unauthorized key substitution. Implementing these practices can help to ensure security and maintain compliance with applicable frameworks.
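The key-management points above (a data key protected by a key-encrypting key, keys replaced when suspect, and no unauthorized key substitution) together with the encrypted-backup discussion in the first post can be shown concretely in code. The following is an added illustration, not code from KirkpatrickPrice or any product named on this page; it uses Go’s standard AES-256-GCM, and the backup content and the KEKs are constructed sample values (a real KEK would live in an HSM or KMS, never beside the backups).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is stored beside one backup: the ciphertext plus its data-encryption key (DEK) wrapped under the key-encrypting key (KEK).
type Envelope struct {
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, backup)
	KEKVersion int    // which KEK wrapped the DEK, so rotation is auditable
}

// kekAAD binds a wrapped DEK to its KEK version as authenticated data, so a
// wrapped key cannot be silently substituted from another envelope.
func kekAAD(version int) []byte { return []byte(fmt.Sprintf("kek-v%d", version)) }

func newAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext under key, prepending a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAESGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newAESGCM(key)
	if err != nil { return nil, err }
	if len(sealed) < aead.NonceSize() { return nil, fmt.Errorf("sealed blob shorter than nonce") }
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// EncryptBackup draws a fresh 256-bit DEK for this backup, encrypts the backup
// with it, and wraps the DEK under the current KEK (envelope encryption).
func EncryptBackup(kek []byte, kekVersion int, backup []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	ct, err := seal(dek, backup, nil)
	if err != nil { return nil, err }
	wrapped, err := seal(kek, dek, kekAAD(kekVersion))
	if err != nil { return nil, err }
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct, KEKVersion: kekVersion}, nil
}

// DecryptBackup unwraps the DEK with the KEK, then decrypts; a wrong or retired KEK fails at the unwrap step.
func DecryptBackup(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, kekAAD(env.KEKVersion))
	if err != nil { return nil, fmt.Errorf("unwrap data key (KEK v%d): %w", env.KEKVersion, err) }
	return open(dek, env.Ciphertext, nil)
}

// RotateKEK re-wraps only the 32-byte DEK under a new KEK. The backup ciphertext,
// however large, is not re-encrypted, which is what makes replacing a weakened or suspect KEK affordable.
func RotateKEK(oldKEK, newKEK []byte, newVersion int, env *Envelope) error {
	dek, err := open(oldKEK, env.WrappedDEK, kekAAD(env.KEKVersion))
	if err != nil { return err }
	wrapped, err := seal(newKEK, dek, kekAAD(newVersion))
	if err != nil { return err }
	env.WrappedDEK, env.KEKVersion = wrapped, newVersion
	return nil
}

func main() {
	// Constructed sample data; in production the KEK lives in an HSM or cloud KMS, not beside the backups.
	backup := []byte("constructed sample backup: customers.db snapshot")
	kek1, kek2 := make([]byte, 32), make([]byte, 32)
	rand.Read(kek1); rand.Read(kek2)
	env, _ := EncryptBackup(kek1, 1, backup)
	_ = RotateKEK(kek1, kek2, 2, env)
	_, errOld := DecryptBackup(kek1, env) // the retired KEK can no longer unwrap the DEK
	got, _ := DecryptBackup(kek2, env)
	fmt.Printf("restored matches: %v, old KEK rejected: %v\n", string(got) == string(backup), errOld != nil)
}
```

Because GCM authenticates the data, a backup altered in storage is rejected at restore time rather than silently restored, which is the integrity half of the control the frameworks above ask for.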

3. Hardening and System Patching

As auditors, we find that about 75% of the assessments we perform have a finding related to patching. Patch management is only part of an overall program that your organization needs to implement. Your patch management program should include policies and procedures on how updates are deployed, the frequency with which items will be reviewed, the timing requirements for deploying a critical patch, and the testing requirements and methods. It should also include any necessary tools that will be used to identify missing patches or vulnerabilities, and it requires that staff be sufficiently trained to address identified issues; anti-virus, file integrity monitoring (FIM), and log review also belong in the program. Your vulnerability identification program is a great way to ensure security and maintain compliance. Your program should involve monitoring multiple sources for known vulnerabilities, monitoring vendor sites for patches and updates, risk ranking identified vulnerabilities as they would apply to your organization, and finding ways of identifying zero-day attacks.

4. Firewall and Router Management

Organizations today should use data breach examples as motivation to focus on maintaining a secure environment, rather than just focusing on becoming compliant. Firewall and router management are important aspects to focus on when maintaining a secure environment. When thinking about best practices for firewall and router management, it’s important to look at your networking gear as a whole. Managing the security of a device goes much further than the device itself. Three areas to focus on when managing your firewall and router security are the security of physical devices, operating system security, and maintaining secure traffic rules.

Implementing these four practices into your organization’s security posture can help prevent your organization from being the next major headline. Focusing on security rather than compliance will help ensure that your organization can withstand a malicious attack, while the compliance function still falls into place. For more information on enhancing the security posture at your organization, contact us today.