How to Perform a Cyber Security Risk Assessment in Five Steps

How safe is your organization from cyberthreats? The best way to answer that question is by performing a thorough cyber security risk assessment. A cyber security risk assessment—the process of identifying, analyzing and evaluating risks—is the only way to know which cybersecurity controls you need, and how to prioritize them. Without such an assessment you could waste time, money and resources on events which might have minimal impact, and be ill-prepared for events that might have significant ones.

These Are the Steps You Need to Perform Your Own Cyber Security Risk Assessment:

  1. Review Your Resources

Before you can assess risk, you should review all the resources you need to protect.  Don’t just audit the resources you think might be at risk. Assess everything that connects to your network. Hackers will.

For example, did you know smart watches can be hacked to steal ATM PIN numbers and passwords, merely based on your hand movements? Or that someone can take control of a presenter’s screen and screen controls by hacking into video conferencing technology? In your cyber security review include IoT devices, unused desktops, and everything you use on a daily basis including telephones (landline and smart phones), applications and routers. A cybersecurity risk assessment will identify not only hardware but customer data and software.

  2. Identify Threats

Threat identification should include anything that can damage your infrastructure, cost you money from lost revenue, threaten intellectual secrets or infringe customer (or employee, or student or family) privacy. While a professional will be able to identify those threats more thoroughly than you can yourself, you can still perform a cursory review of them. For example, malware and viruses are obvious network risks.

The hardest part, and why a professional cyber security risk assessment is important, is identifying those lesser known risks, such as from your printer or voice mail. A professional will check to see if firmware updates have been made, as well as the status of your firewall and antivirus software.

Don’t forget to consider threat assessment from an internal standpoint as well. As Jorge Rey, chief information security officer for accounting firm Kaufman Rossin, recently said, “I think small businesses [are] worried about threats that [aren’t] even affecting them. They’re all freaking out about hackers, but they’re not even looking at their own employees and their access to systems and … data.”

  3. Rate Risks

Not every risk listed in your cyber security risk assessment is a high priority, and determining the risks, and impact of those risks, will help you determine where to focus your security attention and dollars. You should rate each risk on a scale of low to high. This will help you prioritize your initial and longer term efforts. For example, you could rate your risks according to this scale:

  • High – Substantial, possibly crippling and unrecoverable impact
  • Medium – Damaging, but recoverable or inconvenient
  • Low – Impact is minimal and easily worked around

An example of a high-risk resource would be your perimeter routers. A router with outdated firmware could let hackers run rampant. Conversely, a low-risk resource might be data or documents that do not have sensitive information, or that are publicly available.

  4. Analyze Protection

You likely have basic protocols in place, but how much protection do they really provide, and where are you the weakest? Hiring a professional (like Single Path) may be critical in completely understanding how well you are protected from each possible threat. DDoS security, adequate cyber security monitoring services, and employee training are basic proactive protection measures you should be taking (and which we have written about many times before on this site).

  5. Calculate Risk

Calculating risk will also help you determine which areas to prioritize, and which threats need immediate funding to address. Two questions to ask are: What is the chance of each incident occurring, and what amount of risk, if any, am I willing to accept? Your type of organization, such as whether you are a business or school, or a public or private entity, will no doubt greatly influence that decision.

When determining the likelihood of each event, you will need to list every breach point and possible point of origin for an attack, both external and internal. Depending on network complexity, this could involve dozens of breach/source pairings.
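A worked version of the five steps above, as an added example that is not part of the original article: each asset's impact rating is multiplied by the likelihood of every breach point/source pairing and compared with the score the organization accepts. The inventory, the numeric weights for Low/Medium/High, the one-level reduction per control and the accepted score are all assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product

LEVELS = {"Low": 1, "Medium": 2, "High": 3}   # numeric weights are an assumption
SOURCES = ("external", "internal")            # step 5: both points of origin


@dataclass(frozen=True)
class Asset:
    name: str
    impact: str            # step 3 rating: Low / Medium / High
    breach_points: tuple   # step 5: ways the asset could be breached


# Steps 1-2: constructed inventory, not taken from any real network.
ASSETS = [
    Asset("perimeter router", "High", ("outdated firmware", "admin login")),
    Asset("office printer", "Medium", ("outdated firmware",)),
    Asset("public brochure share", "Low", ("open file share",)),
]

# Step 5: likelihood per (breach point, source); unlisted pairings default to Low.
LIKELIHOOD = {
    ("outdated firmware", "external"): "High",
    ("admin login", "external"): "Medium",
    ("admin login", "internal"): "Medium",
    ("open file share", "external"): "High",
}

# Step 4: protection already in place; each control lowers likelihood one level.
CONTROLS = {("perimeter router", "admin login"): "multi-factor login"}


def assess(assets, accepted_score=3):
    """Score every asset/breach/source pairing as impact x likelihood, highest first."""
    rows = []
    for asset in assets:
        for breach, source in product(asset.breach_points, SOURCES):
            likelihood = LEVELS[LIKELIHOOD.get((breach, source), "Low")]
            if (asset.name, breach) in CONTROLS:
                likelihood = max(1, likelihood - 1)
            score = LEVELS[asset.impact] * likelihood
            rows.append({
                "asset": asset.name, "breach": breach, "source": source,
                "score": score, "accepted": score <= accepted_score,
            })
    return sorted(rows, key=lambda r: (-r["score"], r["asset"], r["breach"], r["source"]))


def to_treat(rows):
    """Pairings whose score exceeds what the organization chose to accept."""
    return [r for r in rows if not r["accepted"]]


if __name__ == "__main__":
    for r in assess(ASSETS):
        flag = "accept" if r["accepted"] else "TREAT"
        print(f'{r["score"]:>2}  {flag:<6} {r["asset"]} / {r["breach"]} / {r["source"]}')
```

Lowering `accepted_score` models an organization with less appetite for risk: more pairings move from "accept" to "TREAT" without any rating changing.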

Single Path Can Help

Creating a cyber security risk assessment is not an undertaking that can be finished in an afternoon. It takes careful analysis, and quite a bit of experience. After you finish your initial steps, and have a basic grasp of your potential risks and vulnerabilities, you will want an outside expert to fill the gaps and take an unbiased, knowing look. At Single Path, we’re well-versed at doing exactly this. Single Path can help identify trouble spots, give advice on how to prevent problems, and also provide guidance if problems do happen. Our impressive menu of security solutions will go a long way to protect your valuable assets, and your organization from risk. A cyber security risk assessment is a critical step in protecting your organization. Ask us how to get started.

The Newest Cyberthreat: Cryptojacking

Cryptocurrency, and in particular Bitcoin, has been in and out of the news recently as the volatility in its value elevates investment fortunes one week and then sinks back down to earth the next. With the rise of this unregulated currency has also come a new, and unexpected threat: cryptomining hacking, also known as cryptojacking.

In order to understand this new problem let’s try to first answer the question:

What Is Cryptocurrency Anyway?

Cryptocurrency is a form of money that, instead of existing in physical form, only exists digitally, on computers. Many people once thought the formation and use of digital money was basically impossible. But cryptocurrency proved the naysayers wrong, with a monetary system that allows for an easy and secure way to track spending, keep accounts and balances, and record transactions—making it shareable and secure. Bitcoin was the first and is still the most well-known cryptocurrency—it was created in 2009—but is only one of more than one thousand cryptocurrencies available worldwide (See a list from Investopedia.com that includes the most common Bitcoin alternatives including Litecoin, Ethereum and Zcash).

Bitcoin has reached a fairly impressive level of acceptance. It is accepted by a wide range of merchants, both online and brick-and-mortar, including Overstock.com, Whole Foods (via a purchased gift card), Expedia.com and even a Subway restaurant that immediately converts bitcoin to cash (Check out this list of companies that accept bitcoin).

How Bitcoins are Created —A Very Basic Primer

What makes cryptocurrency unique is that it has no physical form, it is not backed by any specific value (it is not backed by gold, for example), and there is no central bank that controls it. Yet it is used in hundreds of thousands of transactions a day.

Cryptocurrency is made possible because of peer-to-peer technology plus public and private-key encryption. We described public and private-key encryption in our last post on encryption. As described on the website BlockGeeks.com: “cryptocurrency like Bitcoin consists of a network of peers. Every peer has a record of the complete history of all transactions and thus of the balance of every account. A transaction is a file that says, ‘Bob gives X Bitcoin to Alice’ and is signed by Bob’s private key … After signed, a transaction is broadcasted in the network, sent from one peer to every other peer. This is basic p2p-technology.” In other words, after a transaction is completed, it is made known to the entire network, making it impossible to be changed or manipulated after the fact.

The actual process of creating the cryptocurrency ledger is a little more complex than the description above, and this complexity is extremely important: before the transactions are added to the ‘ledger’ they are sent to a miner, who is someone who decrypts and verifies cryptocurrency transactions, and then publishes them. For this service they get paid in cryptocurrency. In fact, that’s how new cryptocurrency is created—by payment to miners for validating transactions. There are a reported 50,000 to 100,000 active miners.

As Forbes explains, “Some mine to engage in a unique kind of hobby, or for sheer profit. Others do it because they believe in the principles behind a certain coin and in what the developers intend to do with it. The reasons you have are yours.”

Quite a bit of processing power is needed for cryptocurrency mining. This helps reduce the number of people who can effectively mine cryptocurrency, and also how much any single person can mine, and this is what has created a new hacker scheme: crypto-mining malware (or cryptojacking malware). This is malware used to hack into someone else’s hardware in order to use their computer power to mine cryptocurrency.

The Threat of Crypto-Mining Malware

According to an article on the MIT Technology Review, “the practice of surreptitiously mining cryptocurrency on other people’s hardware is becoming pervasive, overtaking ransomware as a tool of choice for extorting money online.” Hackers can use cell phones, individual desktops and laptops, or the networks of an entire organization.

Cybersecurity firm Check Point, in its regular Global Threat Index, revealed that Coinhive, a piece of software that uses processing power on someone’s device in order to mine cryptocurrency, has become the most prevalent form of malware on the Internet, and Cryptoloot, another piece of cryptojacking malware, is now the third most prevalent. Check Point also says that cryptojacking has “affected as many as 55 percent of organizations globally.”

By using more computer power, someone can mine more and more data, getting paid with more and more cryptocurrency, which at the same time slows and clogs network processing power, sometimes considerably.

How Can You Prevent Cryptojacking?

Keeping your network safe and free of hackers is a 24-hour job, and you need a partner who can help keep them out, as well as protect your data. Single Path is an IT consultancy and technology provider who can manage your IT needs from top to bottom, beginning to end, including ensuring top security protocols are in place. For example, our Single Path Security offerings include proactive infrastructure patch management, data loss prevention solutions and vulnerability assessments. We’ll help keep your organization safe from hackers, and much more.

Ask how we can keep you protected!

Owt trap, noitneverp ssol atad fo tra eht dna noitpyrcne (Encryption and the Art of Data Loss Prevention, Part Two)

With cyberthreats on the rise, and hackers becoming more sophisticated, strategies to protect your files are critical—and encryption is a tool too important to ignore. In our last post, we explained the basics and importance of data encryption. Now, we will dive a little deeper into the different types of encryption strategies and options.

Symmetric vs Asymmetric

If you delve into the world of encryption, the two terms you will commonly find are Symmetric and Asymmetric, which are two different encryption methods. Symmetrical encryption is the older of the two. With symmetrical encryption, both parties need the same code to read the same file. This code can be a word or a series of letters. One party enters a code to encrypt the document, and the second party enters the exact same code to open it. Simple, right? It’s like making a copy of the same key. But what if you don’t know the other party? How do you share the code? Do you email it? Send it in the mail? What if that code is intercepted or falls in the wrong hands?

Asymmetrical encryption, on the other hand, uses two different encryption keys—one to lock it, and one to unlock it. This is also referred to as public-key cryptography. One person has a public key, which encrypts the message or file, while the person on the other end holds a private key—the only key that can decrypt it. With this approach, since the code does not need to be shared, there’s less risk of the key being swiped by someone else.
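The key-sharing problem raised above, as an added example that is not part of the original post: the file is encrypted with a one-time symmetric key, and only that key is encrypted with the recipient's public key, so nothing secret has to be emailed. It assumes the third-party Python `cryptography` package is installed; the function names and the sample message are illustrative.

```python
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# OAEP padding for RSA; the same parameters must be used to lock and unlock.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def new_keypair():
    """Recipient creates a key pair and publishes only the public half."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def symmetric_needs_same_key(message: bytes) -> bool:
    """Symmetric: only the identical key opens the file; any other key fails."""
    shared_key = Fernet.generate_key()
    token = Fernet(shared_key).encrypt(message)
    opened = Fernet(shared_key).decrypt(token) == message
    try:
        Fernet(Fernet.generate_key()).decrypt(token)
    except InvalidToken:
        return opened
    return False


def send(recipient_public_key, message: bytes):
    """Sender: encrypt with a one-time symmetric key, then lock that key with the public key."""
    data_key = Fernet.generate_key()
    wrapped_key = recipient_public_key.encrypt(data_key, OAEP)
    return wrapped_key, Fernet(data_key).encrypt(message)


def receive(recipient_private_key, wrapped_key: bytes, token: bytes) -> bytes:
    """Recipient: unlock the symmetric key with the private key, then the message."""
    data_key = recipient_private_key.decrypt(wrapped_key, OAEP)
    return Fernet(data_key).decrypt(token)


def interceptor_can_read(wrapped_key: bytes, token: bytes) -> bool:
    """An interceptor holding some other private key cannot recover the message."""
    other_private, _ = new_keypair()
    try:
        receive(other_private, wrapped_key, token)
    except (ValueError, InvalidToken):
        return False
    return True


if __name__ == "__main__":
    private_key, public_key = new_keypair()
    wrapped, token = send(public_key, b"constructed sample: Q3 payroll file")
    print(receive(private_key, wrapped, token))
    print("interceptor can read:", interceptor_can_read(wrapped, token))
```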

One even newer form of encryption that is growing in popularity is elliptic curve cryptography. This is a form of public-key encryption that is practically unbreakable. It’s a complicated subject, and technology information provider Ars Technica does as good a job as any of explaining how it works, but it’s a bit too complicated to get into here and takes advantage of concepts such as Extended Euclidean algorithms.

How do you want to Encrypt?

Encryption can be simple or complex. It can take very little processing power, or quite a bit. You can encrypt everything or only some things. You can encrypt them only some places or every place. Here are the basic options.

  • Full disk encryption (FDE): An entire hard drive is automatically encrypted. This is particularly useful for a laptop or machine that could be stolen. There are intermediate options for disk encryption, as well—folder encryption, volume encryption, etc.—that aren’t quite full-disk encryption, but in between.
  • File encryption: a way to encrypt data on a file-by-file basis. This is helpful for individual files that have to be shared or protected, while others do not.
  • End-to-end (E2E) encryption: This obscures the content of messages while it is in transit, so only senders and receivers can read it. Such encryption is now embedded into platforms like Facebook Messenger and Apple’s iMessage.
  • Encrypted web connections: The familiar ‘https://’ at the beginning of most URLs (along with the small padlock icon) means your web connection is using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols. This means the data you are sharing on that site, such as credit card numbers, are being encrypted.
  • Encrypted email servers: These are email servers that use S/MIME (Secure/Multipurpose Internet Mail Extensions) so they can send and receive encrypted messages, not just simple text messages.
  • Cloud Encryption: Cloud-Encryption software encrypts all data as it is stored on the cloud. It is still completely accessible (and vulnerable) on a computer, but not on the general network.

Key Management and Other Security Needs

As we detailed in our recent two-part posts on phishing strategies (Phishing Part One and Part Two), there are a great many malicious schemes out there, some more clever than others. So, having a solid encryption strategy will only go so far—you also need a system to keep your encryption keys safe. That’s why key management—the process of storing and keeping encryption keys protected but also accessible—is just as important as keeping the data itself safe.

Computer Weekly suggests the following protocols be kept in place:

  • Have one point of contact for cryptography; don’t spread it among operational users.
  • Ensure the central key repository is well protected.
  • Decide whether your outsourcer will have any role in key management, such as key pair generation, recovery of keys and escrow access.
  • Decide whether information security should manage keys as well as encryption policy.

What you need to know

As the data loss prevention experts at Digital Guardian wrote, “Companies and organizations face the challenge of protecting data and preventing data loss as employees use external devices, removable media, and web applications more often as a part of their daily business procedures. Sensitive data may no longer be under the company’s control and protection as employees copy data to removable devices or upload it to the cloud.”

Fortunately, you don’t need to be an expert on encryption and algorithms—you just need a partner that is. At Single Path, we’re adept at providing security offerings and tools for our clients, so that they are prepared for and protected against malicious attacks. We also provide proactive desktop and network infrastructure patch management, Security Risk Assessment, Managed Firewall Services and more. We’ll keep your data safe, and your organization worry-free.

Ask us how to get started!

Why the Simplest Security May be the Most Important

It’s annoying—an alert to install the latest operating system because of a security patch? Really? Another one? Is my security really an issue here?

It seems like a waste of time. Except.

Except it only takes one hack to leave all your accounts vulnerable. It just takes one piece of malware to leave information exposed and your business or personal accounts devastated.

Plugging security holes is a constant battle, and one being fought in the trenches every day. You don’t see most of these threats. Most viruses and cyber attacks are thwarted before they come near your system.

Most viruses and attacks. But not all.

Ignoring security patches is risky and irresponsible at best. At worst it’s the end of your business.

We related the details of the infamous Equifax breach in a recent blog post. As we wrote, Equifax was aware of a hole in their system and was given the security patch to fix it, yet did nothing. The result? 143 million Americans put at risk and the company in deep water.

The Never Ending Quest For Security

According to an article on the site TopTenReviews.com, “When you browse the internet, your computer is at the mercy of its current protective measures. Viruses, malware and rootkits are always on the search for security holes to exploit and gain entry to your personal data. While the best antivirus software would prevent this from ever happening, in order to accomplish such a goal you need to perform recommended updates.”

Just like medical viruses, software viruses are always evolving. Like a flu shot must change every year, a security patch for one attack is likely ineffective toward a new, and potentially more devastating one. Your operating system, antivirus and other applications must keep up. Updates serve to:

  • Fix security holes
  • Optimize the existing operating system resources
  • Add newer and more secure features
  • Remove clutter by deleting old and unused security features
  • Update drivers to increase software efficiency

The Experts Say …

Internet security company Heimdal Security recently interviewed a number of cyber security experts. Their agreement was unanimous: patching is not optional. The days of putting antivirus software on your computer, and then calling it a day, are long gone. That’s because, back then, computers were mostly individualized with little contact from the outside world. Networks didn’t share open data.

Times have changed.

Why is software so vulnerable? Per the above article, Mathew Pascucci, Cyber Security Specialist & Privacy Advocate at Front Line Sentinel, relates, “Software is vulnerable because it’s being pushed to market quickly without proper vulnerability testing, either statically or dynamically. Users of the software should have automatic updates for all software enabled and verify that it’s as up to date as possible.”

From the same article, Ivanti Principal Security Engineer & Evangelist Duncan McAlynn says, “Software, like everything else in life, isn’t perfect. Unfortunately, we can’t patch humans. Whether software developers or end users, they’re both flawed. We live in an imperfect world. Adjust, adapt and overcome!”

Be Ready for The Worst

As long as there is code and valuable information others want, there will be risks and vulnerabilities. Security innovation is not optional.

A recent blog post by the Principal Program Manager for Office 365 Customer Experience, Ross Smith IV, addresses this. Says Mr. Smith, “Microsoft recommends adopting a software update strategy that ensures all software follows N to N-1 policy.” In other words, back up everything. Mr. Smith recommends this for all products, including operating systems, software and applications, hardware drivers, and firmware.

No matter how diligent you are, there is no way to assure 100% protection. Employees will have lapses. Short cuts may be exposed. That’s why redundancy is perhaps a business’s most valuable defense. Can malware be removed without deleting data? Does ransomware need to be paid to access your files? A significant, repetitive and continual backup plan is vital to ensure your business continues to run regardless of outside forces.

Do Anything But Ignore The Problem

If you close your eyes, the problem won’t go away. Only by being proactive can you assure the best defense. Ross Smith IV says, “Another concerning trend I witnessed is that customers repeatedly ignored recommendations from their product vendors. There are many reasons I’ve heard to explain away why a vendor’s advice about configuring or managing their own product was ignored, but it’s rare to see a case where a customer honestly knows more about how a vendor’s product works than does the vendor. If the vendor tells you to configure X or update to version Y, chances are they are telling you for a reason, and you would be wise to follow that advice and not ignore it.”

So when that annoying security patch comes along, don’t ignore it or put it in your “I’ll take care of it later” pile. Perhaps a bug has already been discovered. Or, more likely, the possibility of a vulnerability has been defined and changes need to be made to assure nothing infiltrates your system.

A security patch may be a nuisance, but the alternative is far worse.

A Partner Can Help

If you are uncertain how best to protect your business from cyberattacks, Single Path has your back. Our security specialists know the ins and outs of network security, with offerings from data loss protection to infrastructure patch management. We can dig deep and look at your entire technology structure, providing expert advice, ongoing analysis of your needs, and the certainty your information is protected. We know that the best solutions are those that involve minimal effort and maximum peace of mind.

Ask us how to get started!