Are You Protected Against Insider Threats?

Insider Threats: The Enemy Within

The Hollywood portrayal of a hacker is a mysterious hooded figure sitting in a dark room, furiously tapping away at a keyboard in search of a back door into an organization’s system. However, the real enemy may be sitting in a brightly lit cubicle right outside the CEO’s office. Insider threats pose just as much danger to organizations as outside hackers. According to a research study by Intel, 43% of data losses happen due to the actions of “internal actors.” About half are unintentional accidents or carelessness, while the other half comprise purposeful malicious activity.Are You Protected Against Insider Threats? Insider threats pose just as much danger to organizations as outside hackers.

Security researcher Brian Krebs reports that some organizations are paying security firms or partnering with law enforcement to monitor the Darknet, a hidden online underworld that can only be accessed using special software that hides users’ identities and locations, in an attempt to stop disgruntled employees from selling privileged company information such as high-level system credentials. However, by the time an inside actor is snagged trying to strike a deal on the Darknet, the damage has already been done. Additionally, this monitoring does nothing to address the insider threats from carelessness, negligence, or a simple lack of cyber security awareness.

Continuum GRC recommends that organizations take the following proactive measures to protect themselves against insider threats:

Have a written acceptable use policy.

A written acceptable use policy is a very basic step that many organizations overlook. It is imperative that specific rules are established regarding the acceptable use of company hardware, software, and network access. The policy should be in writing and signed by every employee. While a written policy won’t stop insider threats due to malicious acts, it will provide leverage for a company to take disciplinary action against an employee who violates the policy.

Establish user behavior baselines and monitor your network for deviations.

The “human factor” in preventing insider threats only goes so far. Technical defenses are also necessary, including 24/7 monitoring of your organization’s system. Baseline patterns should be established for each user, and any changes in user behavior, such as a user logging into the system from an unusual location or attempting to access a part of the system they don’t need to do their job, should be flagged and investigated.

Restrict system access as appropriate.

No employee should have a higher level of access to the organization’s system than they need to do their job. A salesperson has no need to access employee tax and salary data. Employees in the human resources department wouldn’t normally need to access the billing system. Limiting system access not only protects against malicious insiders but also prevents hackers from obtaining the “keys to the kingdom” should they manage to steal credentials from a lower-access employee.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect against insider threats.

[bpscheduler_booking_form]

Where’s the Data Security? Wendy’s Data Breach Bigger than Originally Thought

Wendy’s Data Breach: Forget the beef, where’s the data security?

The Wendy’s data security breach, news of which first broke in January, is much worse than the fast-food company originally thought. Wendy’s first reported that the POS system breach impacted only about 5% — or approximately 300 – of its franchise-owned restaurants. However, after allegations by security investigator Brian Krebs that “a number of sources in the fraud and banking community” had told him that “there was no way the Wendy’s breach only affected five percent of stores — given the volume of fraud that the banks have traced back to Wendy’s customers,” Wendy’s finally admitted that its original figures were incorrect, and the number of locations compromised in the Wendy’s data breach is anticipated to be “considerably higher.”

Wendy's Data Breach: Forget the beef, where's the data security?

In its statement to Brian Krebs, Wendy’s takes great pains to point out that the data breach impacted only franchised locations, not company-owned restaurants, and involved hackers stealing legitimate login credentials from third-party vendors who service the POS systems at those locations. However, that hasn’t stopped First Choice Federal Credit Union from filing a class-action lawsuit against the Wendy’s corporation, alleging inadequate information security practices and demanding that the chain improve data security at all 6,000 of its locations, both franchised and company-owned.

Human Hacking May Be Behind Wendy’s Data Breach

Wendy’s alleges that its POS systems were breached after hackers stole legitimate login credentials from third-party service providers, which allowed the hackers to remotely access the POS systems. The majority of data breaches, including the notorious Anthem breach, can be traced back to stolen login credentials. Usually, these credentials are acquired using human hacking (aka social engineering) techniques such as phishing emails. This illustrates the importance of companies ensuring that all third-party vendors adhere to cyber security best practices, including training their employees to spot phishing emails and other social engineering techniques.

Restaurants and retailers do not have to stand by helplessly while their POS systems are compromised; there are numerous proactive measures that can be taken to secure POS systems. These include monitoring the system for suspicious activity, including login credentials being used in an unusual manner or the POS system communicating with unknown external sources. If Wendy’s had taken its cyber and data security seriously, this data breach could have been prevented. However, the company chose to place the responsibility for POS system security on the backs of its franchisees, then, when a breach occurred, point fingers at those franchisees and their service providers.

The restaurant industry, which is planning to switch from human order clerks to automated touch screens and kiosks, cannot afford to repeat the mistakes made by the healthcare industry when it transitioned to electronic records. It is imperative that the industry realize that customer data security is just as important as food contamination prevention and take proactive steps to protect its POS systems.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your POS system from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your restaurant protect its POS data and ensure compliance with PCI DSS.

[bpscheduler_booking_form]

Continuum Clarifies What SSAE 16 Compliance Means

When contracting with a service provider, such as a data center, it is important for companies to ensure that their provider possesses the cyber security-related certifications and compliance standards that are applicable to the company’s industry. Data centers, as well as service providers who contract with data centers, sometimes claim to be “SSAE 16” certified. In an effort to cut through the noise and clear up some of the confusion regarding SSAE 16 compliance, Continuum would like to clarify what SSAE 16 compliance is—and isn’t.

What is SSAE 16?

Continuum GRC Clarifies What SSAE 16 Compliance Means

SSAE 16 is an internationally recognized auditing standard for service organizations. It was developed by the American Institute of Certified Public Accountants (AICPA) and replaces the previous standard, SAS 70. SSAE 16 reporting helps service organizations comply with the requirements of Sarbanes Oxley (section 404) to demonstrate effective internal controls covering financial reporting. SSAE 16 applies to data centers that host systems that are involved in their clients’ financial reporting, as well as web hosting providers, ASPs, and ISPs who perform services that are relevant to their clients’ financial reporting.

There are three types of reports that can be issued: an SOC 1, an SOC 2, or an SOC 3, all of which address different controls. Performing an SSAE 16 audit and issuing an SOC report demonstrates a service provider’s commitment to maintaining a sound control environment that protects their clients’ data and confidential information.

Some service providers who use SSAE 16-compliant data centers imply that they are, somehow, SSAE 16 compliant by proxy. This is not the case; just because you use a provider who is SSAE 16 compliant does not mean that your company is SSAE compliant, and to imply such is black-hat marketing.

There is No Such Thing as SSAE 16 “Certification”

A Google search on “SSAE 16” reveals numerous instances of companies claiming to be “SSAE 16 Certified.” Organizations are compliant with SSAE 16; there is no such thing as becoming “SSAE certified.” SSAE 16 has to do with issuing SOC reports; no “certification” is awarded to anyone. Beware of any service provider that claims to possess an SSAE 16 “certification” or purports to be working towards getting one.

Need SSAE 16 Compliance Auditing Services?

If you have questions about SSAE 16 compliance, or if your company needs SSAE 16 auditing services, Continuum can help! Continuum provides both do-it-yourself and Cybervisor®-supported SSAE 16 modules to support SOC 1, SOC 2, and SOC 3 audit reports.

Continuum’s primary purpose is to help organizations attain, maintain, and demonstrate compliance and information security excellence, in any jurisdiction. Continuum GRC specializes in IT security, risk, privacy, governance, cyberspace law and compliance leadership solutions and is fully dedicated to global success in these disciplines. Learn more about Continuum GRC and why Continuum is Proactive Cyber Security™!

[bpscheduler_booking_form]