IT asset management is a crucial component to the foundation of cybersecurity operations across businesses of all types.
What is IT asset management?
IT asset management is the process of continuously identifying the IT assets that your organization utilizes and the potential security risks that affect each one.
Assets could be traditional devices, like desktops and servers, or they could be specialized IoT, Internet of Medical Things (IoMT), industrial internet of things (IIoT), or software-defined resources, like a company-owned domain or a cloud-based database.
Any device, resource or service that exists within your IT portfolio could be vulnerable in case of a cyber-attack and can lead to a breach of the individual connected device, and probably your entire network, in case attackers use one compromised resource as a starting point to launch a broader attack.
Why is it important?
Asset management will empower your entire organization with the visibility it needs to build a comprehensive IT security strategy that mitigates threats quickly and proactively. Such an approach delivers many benefits:
With a strong IT asset management process in place, businesses can deploy new IT services or resources without letting security become a problem because their cybersecurity asset management process will catch potential vulnerabilities.
Secondly, IT asset management helps ensure that security teams detect threats before they escalate. By continuously monitoring your IT portfolio for new deployments and risks, teams don’t have to wait until they detect an active attack to respond.
Thirdly, if an attack does occur, asset management will provide the security team with an inventory of assets and risks that the team can use to gain context, to understand what went wrong and when. Teams have an up-to-date record that they can refer to immediately.
IT asset management places organizations in a stronger position to identify and quickly react to security risks. Although it is only one component of an effective cybersecurity strategy, it’s impossible, in most cases, to apply a proactive security strategy without asset management in place.
Poor IT asset management
Lack of asset management, or poor implementation of it creates a huge risk for the overall business. When data or systems are made unavailable by a breach, the business may not be able to operate. Not only will such disruptions harm the organization’s reputation, but they also have serious financial consequences: IT downtime costs businesses around $5,600/minute, on average.
Poor IT asset management also makes it difficult to maintain an accurate inventory of IT resources. Without knowing what exists where, your team will have to guess about where the most serious risks lie, which is a poor use of time and money.
Keystones of the process
IT resources and security risks come hand in hand and in so many forms. IT asset management is a process that involves a range of activities that vary from one business to another depending on the types of assets at stake. Following are the keystones of the process.
Vulnerability management: asset management helps detect and address vulnerabilities, as for instance outdated software running on a connected device.
Cloud security: IT asset management includes the identification of cloud resources that are vulnerable due to unpatched software, poor configuration, lack of access control, etc.
Device discovery and protection: identifying network endpoints and assessing each one for vulnerabilities, the cybersecurity team can take the necessary steps to address the issues in a timely manner. As for instance, to isolate the insecure endpoints until the issue is fixed.
Incident response: providing the incident response team with the information it needs to determine the cause of the incident and to quickly remediate.
Cybersecurity policy enforcement: if a resource violates security policies that your IT security team has defined, asset management enables quick discovery and remediation of the issue. When new resources are added to the network that match a particular device profile and security policy, they are automatically protected.
The reality is that all the resources described above change frequently. So, network devices may come and go as application instances spin up and cloud services may change their configurations continuously as they scale. Therefore, IT asset management processes must be performed regularly, in real-time, to keep up to date with evolving environments.
IT asset management is the foundation of a proactive, end-to-end security strategy. It plays a major role in security operations across a variety of verticals. It’s vital not just for software companies, but for any organization that relies on software and hardware to power its daily operations, which almost every business does today, because almost every company is now a technology company.
Protect against credential theft.
Business resources can be compromised by credential theft even if those resources have not been targeted initially. This might happen if a user utilizes a similar username and password (or a slightly different password) across multiple accounts. Even if their login information might be carefully protected at work, these could be stolen from a less secure account (e.g. free email service) and later used in a cyberattack.
Up to a certain point, password complexity does help combat brute force attacks and credential theft techniques in which a series of possible passwords are tested on a list of known usernames. But because modern authentication systems lock the user out after a few incorrect login attempts, attackers can only try a handful of passwords for each account. They usually succeed when they stumble upon an account whose extremely simple and popular password matches their guess.
Multi-factor authentication (“MFA”) helps make stolen credentials useless because MFA requires a user to enter a second form of identification for access, usually a temporary code sent securely to a separate device like the user’s smartphone, so under those circumstances a stolen password on its own is not enough to break an account.
Enabling MFA whenever possible is probably the most effective action IT departments can take to combat credential theft.
Achieve regulatory compliance.
The use of MFA is not yet mandatory for every industry. However, two-factor authentication (“2FA”) is a needed security measure to comply with restrictions in some key industries such as healthcare, finance, defense, government, and few other sectors.
The Health Insurance Portability and Accountability Act (HIPAA) was created to protect the privacy of individual healthcare information. According to HIPAA, healthcare organizations need to implement measures to enforce password security. The act does not dictate the implementation of 2FA but requires organizations to implement password security best practices.
The finance industry is using the 2FA technology for years. Each time you use an ATM, you are using 2FA – you need both your PIN and your credit/debit card to access your bank account. As more financial services are now online, financial organizations need this layer of security to protect their customers and their sensitive information.
Any organization that processes and stores card payment information also must comply with PCI-DSS. This means they may have to go a step further and provide more than just two authentication factors to ensure their security.
The US Military uses 2FA authentication via the Common Access Card (CAC) issued to active-duty military personnel, selected reserve, US Department of Defense (DoD) civilian employees and contractor personnel.
US Law Enforcement agencies who utilize the Criminal Justice Information Services (CJIS) require MFA to access the National Crime Information Center (NCIC). These examples further demonstrate the real-world application of MFA.
NOTE: Single-factor authentication systems are no longer able to provide the level of security needed to keep vital data safe and secure.
Reduce risk of data breaches.
MFA helps prevent some of the most common and successful types of cyberattacks, including phishing, credential stuffing, keyloggers, brute force and reverse brute force attacks, man-in-the-middle (MITM) attacks, etc.
Here are a few reasons why you should secure your VPN with MFA to ensure trusted access:
-for protection against credential theft
-for achieving regulatory compliance
-for enabling consistent access security for both on-premises and cloud applications
-for gaining visibility into all devices
-for enforcing granular access security policies.
Major breaches always make the headlines, but there are increasingly more breaches that won’t make the headlines, and those are cyberattacks that target small and medium organizations.
Expectedly, large companies have the resources to implement complex IT security solutions, monitoring systems and high-tech equipment. Unfortunately for SMBs, the consequences of a breach can be severe because they are less able to handle the costs and damage.
Small businesses are vulnerable because they often do not have the budget for security measures and sometimes don’t understand the risk they face. Also, many small businesses overlook the value of the information they store, wrongly believing it to be of little interest to anyone.
Here are the main reasons why hackers prefer small organizations even more in 2021:
This is the most vulnerable and overlooked area for SMBs, especially in the pandemic when some industries were deeply affected, budgets were cut, people were laid off, etc.
However, some of the biggest hacks we have ever seen were not the result of expert hackers infiltrating complex security systems. Surprisingly, the cybercriminals simply tricked employees into handing over their sensitive information.
There are often signs of social engineering and phishing attempts, but many people are not prepared to spot them. A little cybersecurity training can go a long way in keeping your organization safe.
At StratusPoinIT, we provide access to training videos and newsletters focused on numerous IT areas, we create and run phishing simulations to test your employees’ awareness to potentially harmful emails, from who opened, clicked, entered credentials, etc.
Lack of Cybersecurity Systems
Since the pandemic started, transactions, communications, data storage, etc. have taken an even more drastic shift into the cyber world, and hackers have taken notice.
It is time for businesses to react accordingly. Every small business should invest in a secure cyber environment. Without one, you expose your business to a huge risk.
So, consider improving the security of all the vulnerable connected elements such as: workstations, mobile devices, servers, and networks.
At StratusPointIT, we scan, analyze, and remediate network vulnerabilities. We ensure you have leading business-class firewalls installed with proper security controls, log-based intrusion detection supported by a Security Operations Center (SOC), active-device monitoring and alerting, etc.
In 2021, the email service remains a common way of spreading malware, and with more of us working from home, the risks are higher now. Therefore, you should implement an email protection solution to help your business and employees defend against the latest threats, from spear-phishing, ransomware, impersonation, and other targeted attacks.
Passwords should not be the only line of defense especially for key accounts. Always enable multi-factor authentication (MFA) when possible. Even if your password is compromised, cybercriminals will have another, much more difficult defense line to breach.
No Action Plan
While hackers might not know whether you have a cybersecurity plan in place or not, they will find out soon enough.
Here are just a few of the questions you should ask yourself in the unfortunate event of a cyberattack:
How will you know your organization is being hacked?
How will you respond to your customers if their information is compromised?
Will you shut down your entire network if you discover a breach?
How will you mitigate the impact of a cyberattack?
Therefore, it is crucial to consult with a managed IT provider that bridges infrastructure and security services to provide you a complete solution and get your cybersecurity plan in place.
Even if you install the latest and most effective cybersecurity system and train all your employees to spot phishing attempts, you are only covered for a limited amount of time.
Hackers are constantly discovering new vulnerabilities. Therefore, organizations should constantly train their staff and keep their hardware and software up to date.
Small businesses can be easy targets for cybercriminals in 2021. Any personably identifiable information like phone numbers, email addresses, or credit card details is valuable to hackers who can use it to commit frauds or sell it on the dark web. Don’t let that happen and make sure your business is protected.
CEO fraud is a type of cyberattack in which the attacker impersonates a CEO or other executive. Hackers will most often use the CEO’s email account, or an email address that looks very similar to the CEO’s to trick a targeted employee into transferring them sensitive information or money.
Like other types of Business Email Compromise (BEC) attacks, CEO fraud attacks are very difficult for employees and legacy solutions to catch.
However, there are ways to prevent those sneaky attacks. The best plan is to combine training, cybersecurity policies, and technology.
Raise employee awareness.
Security is everyone’s responsibility. This means everyone regardless of department or role must understand how CEO frauds are pulled off by providing real-world examples to point out common red flags.
It is important to point out the lack of spelling errors. Poor spelling is usually a phishing indicator, but nowadays hackers pay more attention to details. They do a better job alluring their victims and hiding their tracks, so it is unlikely to make any spelling or grammar errors in the process.
Also, you may notice personal touches. Attackers go to great efforts to research their targets through hacking or simply by using publicly available information.
The following persuasive elements should always make you take a closer look.
The sender’s email address
Domain impersonation is a common tactic for CEO fraudsters. They shall use a very similar domain name. For instance, if the original is rsmbank.com, the one they will use is rsnbank.com in order to create confusion. Changing just one letter will be even harder to spot on mobile increasing their success rate.
The sense of urgency
The subject line, the ongoing meeting, the late invoice. Creating a sense of urgency is the general rule in social engineering attacks. Panicked people almost always will make poor decisions.
The authoritative tone
Expressions like “please send/pay immediately” are commonly used. There is a reason hackers prefer to impersonate CEOs. They are in a position of power, and people tend to do what they say without any prior check.
Playing on the target’s trust
“I am counting on you”. Everyone wants to be chosen to do a favor for a manager, director, etc.
Check the sender’s email address for inconsistencies and remember that corporate email addresses can also be hacked or spoofed.
Take a step back and think: is this really something the CEO is likely to request so urgently?
While these are important lessons for your staff, training your employees regularly is paramount. Educating your staff on how to recognize CEO frauds and what to do in case they detect such attacks is therefore crucial.
Humans are often led by emotions, and they are not good at spotting the small clues that might reveal a fraudulent email. Sometimes, even security specialists can’t.
Implement best cybersecurity practice.
Beyond staff training, every thriving organization takes an all-round approach to cybersecurity that minimizes the risk of a serious impact from an attack.
Here are few very important security measures that will help protect company data from CEO frauds:
Create a system where employees can easily verify wire transfers, especially the large ones, ideally via phone.
Buy domains that are like your company’s brand name to prevent domain impersonation.
Protect all corporate email accounts and devices using multi-factor authentication (MFA).
Regularly test and patch all your software.
Ensure employees maintain strong passwords and change them frequently.
Closely monitor corporate financial accounts for any irregularities such as missing deposits, external payments, etc.
Deploy an email security solution.
All the above are extremely important cybersecurity controls, but let’s take a closer look at the final suggestion: email security solutions.
Deploy an intelligent email security solution.
Because CEO fraud attacks usually take place via email (about 90% of all phishing attacks follow this model), installing email security software is one of the most effective steps you can take to prevent this type of cybercrime.
Our solution provides real-time protection against social engineering attacks like whaling, CEO frauds, or W-2 frauds. Contact us today for more relevant information.
In 2020, organizations faced some of the most drastic challenges to a business environment in the digital age. Companies were forced to quickly adapt, cultivate resiliency and creativity, beside focusing on meeting their customers’ expectations.
According to a study conducted by Gartner, just 12% of more than 1,500 respondents believe their businesses were prepared to face the disruption last year, but with tech adoption accelerating as a result, more businesses will turn to digital operations, products, and ecosystems to stay profitable and relevant.
Data privacy has become the #1 expectation for every consumer across the globe, growing into something more than a set of rules and regulations driven by compliance standards, but rather one of the main pillars of brand recognition and customer loyalty.
With digital adoption, more and more sensitive customer and business data are being generated, as a result, so the ramifications for data privacy can only rise.
The COVID-19 pandemic has had a major impact on data privacy and cybersecurity mainly because of the social distancing that has changed both our personal and professional lives.
One of the consequences of this pandemic was that more and more consumers opted out of in-person shopping, relying heavily on the digital marketplace. So, organizations will have everything to gain by ensuring proper data protection to maintain customer loyalty.
Nowadays, more healthcare data is being collected than before, in many cases by organizations who never have previously collected this type of information. Organizations are collecting health data to support public health outcomes, causing growing concerns in how this data is being used and hold.
More Privacy Laws
Most websites these days, and this is one of the first things you are likely to see when loading a website, will notify you about data cookies, aspects like how the website is collecting your data, what it intends to do with it, for how long your data is hold, etc. Also, you are given the option to accept or reject these data usage terms.
Those terms are a direct consequence of the EU’s General Data Protection Regulation (GDPR), which although drafted in the European Union, it imposes obligations to every organization in case it targets or collects data from people residing in EU countries.
So, expect far-reaching data privacy legislation like the GDPR and the California Consumer Privacy Act (CCPA) to come into force in more regions this year, responding to an ever-greater need of privacy protection.
Data Privacy Automation
With new privacy laws coming into force, different legislation, and compliance procedures in different territories, will make it difficult for companies to keep track of which laws they must adhere to.
This has led developers to create software to automate data privacy. These can range from management platforms to handle privacy requests to filters and preference settings tools.
In 2021, we can only expect the trend of data privacy automation to become more widespread, with more software solutions being developed and more organizations purchasing automated data privacy and management solutions.
Better User Awareness
Cyber hygiene advocates have repeatedly highlighted how end users are often the weakest link in the chain allowing, either by accident or with intent, data security breaches at their organizations. This has further aggravated in 2020 as employees became familiar with the work-from-home processes.
Notorious cyberattacks such as the ones against SolarWinds and FireEye, also the Cambridge Analytica – Facebook scandal have brought the issue of data privacy to the public’s attention on a scale that has not been seen before.
Users are now actively concerned about how their data is being captured, how it is used and have even shown that they are willing to leave extremely popular platforms like WhatsApp if they feel their data is not safe.
Such data awareness is good for the user, but it could be bad for some organizations that are not transparent about which third parties are able to access sensitive data or refuse to give clients full control over what cookies they can enable.
Users are constantly discovering how much information is collected about them (spending habits, IPs, usernames, emails, etc.) how that data is used, and how cyberattacks put that information at risk.
More Data Security & Privacy Jobs
With the long-term changes brought on by the Covid-19 pandemic, along with new data privacy regulations, organizations will probably face several security challenges, driving the demand for cybersecurity talent even more.
The pandemic has changed the workplace, forcing companies to quickly adapt. The rush to support a remote workforce has led many organizations to take a leap of faith into the cloud and are now facing new security challenges having to support hybrid work environments.
While not all organizations are required to comply to certain data protection standards such as HIPAA, or data privacy laws like the CCPA, they should still follow data protection competencies as it is essential for them to build and maintain an environment of trust.
The massive SolarWinds breach made it crystal clear that the cybersecurity threat only gets worse with time because the tools are more sophisticated, and the stakes are higher.
NOTE! According to Forrester, businesses are taking cybersecurity more seriously as enterprises are predicted to spend $12.6B on cloud security tools only, by 2023, up from $5.6B in 2018. The global cybersecurity market is estimated to grow to $270B by 2026, up from $173B in 2020.
Here is what to expect for the future of cybersecurity in the next 3-5 years.
Deep Fakes & CEO Frauds
We already know that complex voice generators can trick security software used to verify identity. A slow but steady rise in audio deep fakes that are being used in subversive activities (like CEO frauds) have also been reported. Given enough material, AI programs can learn and generate convincing fake pictures and videos that can be used to compromise organizations or individuals.
Over the next three to five years, we can expect for this to expand to video deep fakes. These tampered videos can be extremely disruptive to organizations especially from a PR angle. For instance, imagine your CEO saying something controversial that might impact how your organization is perceived.
By the time you make public that the video is fake, the damage done to your company’s reputation could be irreversible.
Protection from these fraudulent attempts will require security software to embrace AI and Machine Learning to help analyze and identify what is real and prevent leaking what is fake before it becomes an external threat.
Supply Chain Attacks
In the SolarWinds breach, the attackers were able to compromise the update process of a widely used piece of software: the Orion Platform. This was a supply chain attack – a devastating type of cyber aggression. Basically, by compromising the vendor, hackers may get access to all the vendor’s customers.
Any software company is a potential target. When it comes to hackers, especially state actors, they have the resources and skill sets necessary to orchestrate supply chain attacks, being able to penetrate even the most resourceful organizations.
Cybersecurity vendors can fall victim to such complex attacks too. In the SolarWinds case, beside about 100 organizations and 9 government agencies, another targeted company was FireEye, one of the most popular cybersecurity vendors in the industry. FireEye representatives said the attackers did not get into customer-facing systems, as they only got access to penetration tools used for security testing. But the fact that a company like FireEye got hit is disturbing because if these vendors are potentially vulnerable, most likely every vendor is.
In November 2020, another leading cyber security company, Sophos, suffered a data breach that exposed private customer information.
NOTE! Last year, security vendor ImmuniWeb revealed that 97% of the world’s top 400 cybersecurity companies had data leaks or other security incidents exposed on the dark web – and that 91 companies had exploitable website security vulnerabilities.
Supply chain attacks do not represent a new method. In 2011, RSA Security admitted that its SecurID tokens were hacked, exposing some of their customers including aerospace, arms, defense, security, and advanced technologies company – Lockheed Martin.
5G networks will take connectivity to the next level by increasing workforce mobility, enabling more robust automation, improving existing applications and unlocking others.
However, 5G technology will introduce advances throughout the network architecture, allowing new capabilities, but also expanding the threat surface opening the door to cyber criminals attempting to infiltrate the network. It also challenges cybersecurity teams with the issue of having to quickly learn how to identify and mitigate threats faster and without impacting the latency or user experience.
More Regulatory Complexity
As businesses are becoming increasingly digitized and more innovations come to market, regulators are going to have to respond and try to understand the impact of these technology innovations on both customer and business sides, and this will likely be expressed as laws.
Preparing for these types of trends is therefore crucial to gaining an advantage over hackers.
While 2020 has proved that we cannot predict the future, there are, however, strategic areas where organizations need to start looking at and preparing defenses. Use these trends as starting point to create a cybersecurity plan to best protect your organization. If you are not sure where to start, contact us today for professional IT security services.