How to Deploy Open Source Network IDS/IPS in AWS

Open Source Network IDS/IPS in Amazon AWS

The easiest way to deploy a Network IDS to monitor your AWS instances is to set up a Linux security gateway. It does require some IP networking knowledge, but it is a very flexible way to manage your cloud assets as if they were in your LAN.

The EC2 security gateway routes IP traffic between the VPC and the Internet and therefore has complete visibility of the full-duplex traffic to and from your protected instances. The Network IDS running on the EC2 gateway instance then allows you to identify and shut down threats just as if it were deployed in a physical network.

Setting up a Linux Security Gateway in AWS

Create a VPC

Launch a VPC (Amazon’s virtual private cloud network) and give it a private, non-Internet-routable network range (ex. 10.0.0.0/8). Your VPC will need a private subnet (ex. 10.1.1.0/24) and a public subnet (ex. 10.1.100.0/24); if you do not already have two subnets, go ahead and create them.

Set up the gateway in AWS:

Launch a Linux EC2 instance on the public subnet of your VPC to be your network gateway; for most deployments this will be the only instance on the public subnet. Any Linux distribution should be fine, but we prefer CentOS and use it in the examples.

Your gateway instance will need at least one Elastic IP Address (EIP) assigned to it. This will be the public address that people use to reach your network, and the gateway will map that address to the correct instance on the private subnet.

You will need to modify the network adapter of your gateway instance to DISABLE the Source/Destination Check; this is required for it to function properly as a router, because with the check enabled EC2 drops packets that are not addressed to or from the instance itself.

Configure the gateway as a Router

After it starts, configure the gateway as a router for your private subnet. Execute the following commands, assuming your private subnet is “10.1.1.0/24”:

sudo -s
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE

The above commands first give you a root shell (required to make networking changes), second tell the kernel to forward packets that are destined for other networks, and third masquerade all traffic originating from your private subnet so that it leaves with the gateway as its source.

Add additional IP addresses on the public subnet (if needed):

EC2 will automatically assign your instance a private address on the public subnet when it is launched. Each instance can have additional IP addresses on the public subnet.

For each of these IP addresses you can assign a corresponding Elastic IP Address, allowing your router to receive traffic for multiple public IP addresses and route it to multiple internal private hosts. Limits apply depending on the instance type you choose.

Set up the routing tables:

The public subnet should have a default route (0.0.0.0/0) to an Amazon Internet Gateway. If your VPC does not yet have an Internet Gateway, you will need to add one for the public subnet.

The private subnet should have a default route (0.0.0.0/0) to the public-facing network interface ID of the gateway instance. Do not add a route from your private subnet to an Amazon Internet Gateway, otherwise the private instances will route through it instead of through your Linux gateway.

Launch the instances to be monitored

If you haven’t already, launch the EC2 instances that you wish to be monitored in the private subnet.

Add port forwarding

For each of the private subnet instances, add port forwarding rules to iptables on your Linux gateway for their publicly accessible services. You can follow these instructions to do that: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s1-firewall-ipt-fwd.html
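The router configuration and port-forwarding steps above, collected into one added example script that is not from the original post. It assumes the private subnet 10.1.1.0/24 with eth0 facing the public subnet and eth1 facing the private one, a web server at 10.1.1.10, and 10.1.100.5 as the gateway’s own address on the public subnet (the address AWS maps the Elastic IP to); setting DRY_RUN=1 prints the rules instead of applying them so they can be reviewed first.

```shell
#!/bin/sh
# Added example: Linux gateway setup for a private VPC subnet (not code from the post).
# Assumed values; override them in the environment to match your deployment.
PRIVATE_SUBNET="${PRIVATE_SUBNET:-10.1.1.0/24}"
PUBLIC_IF="${PUBLIC_IF:-eth0}"    # interface on the public subnet
PRIVATE_IF="${PRIVATE_IF:-eth1}"  # interface on the private subnet

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Turn on IPv4 forwarding now and persist it; the echo into /proc used in the
# post works immediately but does not survive a reboot.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "write net.ipv4.ip_forward = 1 to /etc/sysctl.d/99-gateway.conf"
    else
        echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-gateway.conf
    fi
}

# Egress from the private subnet leaves with the gateway's address as its source.
masquerade() {
    run iptables -t nat -A POSTROUTING -s "$PRIVATE_SUBNET" -o "$PUBLIC_IF" -j MASQUERADE
}

# forward_port GATEWAY_IP PROTO PORT TARGET_IP [TARGET_PORT]
# DNAT one public service to an instance on the private subnet and permit only
# that flow through the FORWARD chain. Match on the gateway's private address on
# the public subnet (AWS 1:1-NATs the Elastic IP to it), not on the EIP itself.
forward_port() {
    gw_ip="$1"; proto="$2"; port="$3"; target="$4"; tport="${5:-$3}"
    run iptables -t nat -A PREROUTING -i "$PUBLIC_IF" -p "$proto" -d "$gw_ip" --dport "$port" \
        -j DNAT --to-destination "$target:$tport"
    run iptables -A FORWARD -i "$PUBLIC_IF" -o "$PRIVATE_IF" -p "$proto" -d "$target" --dport "$tport" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Drop anything not explicitly forwarded; allow private-subnet egress and replies.
default_policy() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$PRIVATE_IF" -o "$PUBLIC_IF" -s "$PRIVATE_SUBNET" -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Full sequence for the assumed scenario; only runs when RUN_SETUP=1 is set.
setup_gateway() {
    enable_forwarding
    default_policy
    masquerade
    forward_port 10.1.100.5 tcp 80 10.1.1.10       # public HTTP -> web server
    forward_port 10.1.100.5 tcp 443 10.1.1.10 8443 # public HTTPS -> web server port 8443
}

if [ "${RUN_SETUP:-0}" = "1" ]; then
    setup_gateway
fi
```

Run it as `DRY_RUN=1 RUN_SETUP=1 sh gateway.sh` to see the rules, then as root without DRY_RUN to apply them.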

Add Network IDS software

Once you have the traffic for your Amazon EC2 assets going through your own Linux gateway, you can deploy any traditional IDS in order to monitor it. For example, in our example scenario the gateway interface for the private subnet is “eth1”, so we can invoke Snort to monitor all of our Amazon traffic by pointing it at that interface with the -i option (substitute the interface name from your own deployment):

# snort -f -c /nsm/etc/snort.serv.conf -A console -y -i eth0 --daq-dir /usr/local/lib/daq --daq pfring --daq-var clusterid=88
Running in IDS mode

--== Initializing Snort ==--
...
Commencing packet processing (pid=22129)
Decoding Ethernet
12/03/18-14:51:21.844473 [**] [1:2022775:1] ET USER_AGENTS BLEXBot User-Agent [**] [Classification: Misc activity] [Priority: 3] {TCP} 148.251.139.168:52916 -> 10.10.1.253:80
12/03/18-14:52:40.396441 [**] [1:2025534:10000] ET WEB_SPECIFIC_APPS Drupalgeddon2 8.3.9 8.4.6 8.5.1 RCE Through Registration Form (CVE-2018-7600) [**] [Priority: 0] {TCP} 45.37.49.53:35458 -> 10.10.1.253:443
12/03/18-14:52:40.483478 [**] [1:2025534:10000] ET WEB_SPECIFIC_APPS Drupalgeddon2 8.3.9 8.4.6 8.5.1 RCE Through Registration Form (CVE-2018-7600) [**] [Priority: 0] {TCP} 45.37.49.53:35458 -> 10.10.1.253:443
...

Got MAC?

We recently added the MAC addresses to the event messages. The system gets the MAC addresses in two orthogonal ways:

  • We sniff the MAC headers from the passive tap. If the MSS sees more than 5 IP addresses with the same MAC, it stops recording, because it means you are mirroring the connection between the switch and the next routing hop (probably the firewall), where the real MAC addresses are not available.
  • We sniff DHCP lease messages when the IP is assigned dynamically. In order to do this, you probably need to instruct the switch to specifically mirror DHCP traffic so that the sensor can process it. The sensor expects DHCP UDP traffic matching the pcap expression “udp and (port 68 or port 67)”.

Please contact us at support@metaflows.com if you need help in setting up DHCP traffic monitoring.

Constant Companions: Giving Passwords and Passphrases Their Due

“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but are easy for computers to guess.” Randall Munroe, XKCD

For users, passwords and passphrases are a way of life. How else can an individual not only identify themselves to access necessary services but also prove that they are who they say they are, without biometrics? However, the way in which many businesses choose to think about passwords and passphrases is not only wrong, but harmful. Many financial institutions, as well as workplaces, require that passwords max out at a short, fixed number of characters (anywhere between six and twelve), and include an uppercase letter, a lowercase letter, and at least one digit. This is, unfortunately, not an ideal solution. In essence, any organization requiring that users make passwords under such conditions is setting their users up for failure on multiple levels. Not only are these passwords easier to crack than other options, but they typically cannot be memorized, requiring the user(s) in question to write them down or store them elsewhere.

Data released in a recent study by Carnegie Mellon University’s CyLab indicates that traditional methods for password and passphrase creation are woefully inadequate, and that a great many users have a mistaken idea of the methods adversaries employ when attempting to crack them.

This study reveals that, “Participants, on average, also believed any password with numbers and symbols was a strong password, which is not always true. For example, p@ssw0rd was thought to be more secure than pAsswOrd, but the researchers’ attacker model predicted that it would take 4,000 times more guesses to crack pAsswOrd than p@ssw0rd. In modern day password-cracking tools, replacing letters with numbers or symbols is predictable.”

The question then becomes: what can the user do to avoid this situation? The engineers at MetaFlows have a very particular way of creating passwords/passphrases that are much more secure. A basic equation for password strength, provided the password does not appear in a known dictionary, is:

Complexity^length

where Complexity is the size of the character set the password is drawn from (the number of possible characters at each position) and length is the number of characters in the password.

So a password using only lower case letters has a complexity of 26

A password using lower, upper, and numbers has a complexity of 62

A complex password with a length of eight:

62^8 = 218,340,105,584,896 possibilities

A simple password with a length of twelve:

26^12 = 95,428,956,661,682,176

The longer but simpler password in this example has a total search space 437 times greater than the standard “complex” password. This is not to say that complexity is bad; complexity helps, but length is the dominant factor in determining strength against brute force. The password should still be memorable, so adding a number or an unusual character is fine. However, if adding that element makes it too hard to remember, consider tacking on another easy-to-remember word instead, which increases the strength exponentially.

What is the difference between a password and a passphrase?

The example password below meets all standard complexity requirements: lower case, upper case, a digit, and a special character. One of our engineers decided to see how long it would take to crack this password. The result is as follows:

Pa$sw0rd

Search Space 6.70×10^15

Single Machine traditional estimated crack time: 18.62 hours

Cracked during several hours while playing WoW and a good night’s sleep.

The experiment was repeated with a passphrase, a group of words strung together that acts as a password. The passphrase below meets none of the standard complexity requirements, as it is all lower case and contains no digits. Unlike Pa$sw0rd, it is easy to remember.

mypasswordforgrcisnotamonkey

Search Space 4.33×10^39

Single Machine traditional estimated crack time: 13.76 million trillion centuries

Still not cracked long after the death of our solar system.

In most cases, adding a few words related to the site or process in question helps with remembering them, but we also know that people are surprisingly good at remembering almost any silly combination of words as a passphrase. The more unrelated the chosen words are, the less likely they will ever end up in a dictionary. Picking one nonsensical word increases the strength against dictionary attacks to a level that is realistically beyond guessable. For example, “mypasswordisnotpassword” may be obvious enough to get added to a dictionary, but “mylongitudinalpasswordisnotamonkey” is arcane.

Another method, advocated by Micah Lee at The Intercept, is Diceware. The method for creating a Diceware password is simple and straightforward, and the end result can be a far more secure passphrase. The Diceware method is effective because it provides randomness that the human brain cannot. The value of a method that involves randomization becomes clear when one considers entropy. “The amount of uncertainty in a passphrase (or in an encryption key, or in any other type of information) is measured in bits of entropy. You can measure how secure your random passphrase is by how many bits of entropy it contains. Each word from the Diceware list is worth about 12.92 bits of entropy (because 2^12.92 is about 7,776). So if you choose seven words you’ll end up with a passphrase with about 90.5 bits of entropy (because 12.92 times seven is about 90.5).”
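The search-space and entropy arithmetic from the strength equation, the Pa$sw0rd and passphrase figures, and the Diceware quote above, worked through in Python as an added example that is not code from the original post. It implements the post’s complexity^length formula directly, and also a cumulative count of every candidate of length 1 up to the password’s length at an assumed 10^11 guesses per second; the post’s quoted Search Space and crack-time figures are reproduced under that assumption. The character classes (26 lower, 26 upper, 10 digits, 33 symbols, i.e. the 95 printable ASCII characters) are likewise an assumption.

```python
import math

# Assumption: the 95 printable ASCII characters split into four classes.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

# Assumption: an offline attack rate that reproduces the post's crack times.
GUESSES_PER_SECOND = 10 ** 11
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def complexity(password):
    """Alphabet size: the combined size of every character class the password uses."""
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(ch in cls for ch in password))


def search_space(password):
    """The post's formula: complexity ** length (candidates of exactly this length)."""
    return complexity(password) ** len(password)


def cumulative_search_space(password):
    """Every candidate of length 1..len(password), which is what the post's quoted
    'Search Space' figures for Pa$sw0rd and the passphrase count (assumption)."""
    c = complexity(password)
    return sum(c ** n for n in range(1, len(password) + 1))


def crack_hours(space, rate=GUESSES_PER_SECOND):
    """Hours needed to exhaust a search space at the assumed guess rate."""
    return space / rate / 3600


def crack_centuries(space, rate=GUESSES_PER_SECOND):
    """Centuries needed to exhaust a search space at the assumed guess rate."""
    return space / rate / SECONDS_PER_CENTURY


def strength_ratio(longer_simple, shorter_complex):
    """How many times larger one search space is than another (the post's '437 times')."""
    return search_space(longer_simple) / search_space(shorter_complex)


def diceware_entropy_bits(words, list_size=7776):
    """Entropy of a Diceware passphrase: each word is drawn uniformly from list_size."""
    return words * math.log2(list_size)


def report(password):
    """Summarise one password the way the post does."""
    space = cumulative_search_space(password)
    return {
        "password": password,
        "complexity": complexity(password),
        "length": len(password),
        "search_space": f"{space:.2e}",
        "crack_hours": round(crack_hours(space), 2),
        "crack_centuries": f"{crack_centuries(space):.2e}",
    }


if __name__ == "__main__":
    for pw in ("Pa$sw0rd", "mypasswordforgrcisnotamonkey"):
        print(report(pw))
    # The post's 62^8 vs 26^12 comparison, using sample passwords of those classes.
    print("26^12 is", round(strength_ratio("abcdefghijkl", "Ab3defgh")), "times 62^8")
    print("7 Diceware words:", round(diceware_entropy_bits(7), 1), "bits")
```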

Once a user creates a password, one must have a clear idea of where to store it. While there are numerous password saving applications available on the web and scraps of paper abound, nothing is more secure than pure memorization. When considering password creation, always stick to something easy to memorize as well as difficult to crack. To put it plainly, storing passwords anywhere other than the human mind creates an exploitable vulnerability. This, of course, includes writing them down on a sheet of paper and attempting to hide it. The popularity of password storage books and password applications is no indication of the level of security they provide, which is limited at best.

No matter how random and entropic a password may be, it is vital that passwords used for social media accounts in no way resemble those used for online banking and other vital activities. It cannot be stressed enough that reusing passwords, sharing passwords, recording passwords, and repeatedly recycling through a set of passwords is far from advisable.

Taking a Crack at Locky

Since mid-February, security researchers have been encountering Locky, the latest ransomware tool in the adversary’s arsenal. The engineers at MetaFlows observe Locky primarily in email attachments that are processed using the MetaFlows sandbox. On networks being monitored by MetaFlows sensors, the engineers are able to take samples of inbound .zip email attachments and send them to a Cuckoo Sandbox to be processed. The sandbox runs the sample in a virtual machine and is able to detect malicious behavior. Often malware tries to evade detection, but since Locky is trying to get noticed by the user anyway, it is not subtle. Locky typically triggers over a dozen indicators of compromise and IDS signatures on the sandbox and therefore, is almost impossible to miss.

MetaFlows has seen consistent spam campaigns over the last month that deliver zipped JavaScript files that Windows is designed to execute by default with its native wscript.exe. The files, when executed by the user, appear to do nothing at first. This is a bad sign. Within moments a secondary payload is fetched, encryption has begun, and command and control beaconing has been performed in the background. Once it is done, the user will be greeted with the typical ransomware demands webpage, image, and wallpaper.

The spam campaigns use short, simple subject lines, or they include only “Re:” or “Fw:”. They are often appeals to business or tax related concerns, and the body is usually curt with a reasonable request to review the attachment and respond. These emails frequently include a legitimate appearing signature and use appropriate spelling and grammar. It is easy to see that people who are not constantly on guard about these issues could easily be tricked into opening the file. In the example below, the target could be concerned that they or their business missed a legitimate payment, or knowing that they have no business with “China Information Technology, Inc.,” they may open it to investigate why they have been billed.

The engineers at MetaFlows also collect statistics on the email subjects used to lure victims into opening the attachments; these are part of the Weekly Statistics page. The subjects vary from scare tactics, to simple curiosity, to near gibberish, but they are rarely outlandish or over-the-top as spam quite often is. Not all of these are Locky, but the vast majority of those that have made an appearance this week are.

Enterprises can make themselves less of a target by employing a two-layer approach. Investing in an IDS such as MetaFlows that will detect the inbound file and recognize the infection behavior of a compromised system is the first layer. Given the current view of the spam campaigns distributing ransomware, the best solution is user education. Staff members should be approached, reminded regularly of this problem, and ideally possess some healthy paranoia about opening email attachments unless they absolutely know the sender. Also, even though .doc and other common files can be vectors for infection as well, most users have no reason to ever open a .js with a strange icon.

The next layer consists of getting user files out of the path of Locky and other ransomware. While the campaigns we are seeing are spam based, ransomware has previously been documented coming from drive-by sites and browser exploits, so even a user savvy about email attachments could still get hit. Users should make secondary backups of important files part of the daily workflow. Options for this can be summed up with three “C”s.

  • Copy files to a remote device. This is probably the best option, as long as that remote device is not permanently connected to the user’s machine. Network shares that are mounted when Locky is executed will also be encrypted. Copying files to an FTP server manually (or as a scripted job for the advanced users out there) is probably the best bet.
  • Create a local backup directory. During experiments researching Locky, in which our engineers continuously re-infected virtual machines (for science), MetaFlows engineers found that it ignores the C:\Windows directory. Do not bank on this working forever, but for now it seems that users can make a local backup directory under C:\Windows\JustInCase. If Locky strikes, it will ignore files stored there. This is probably the riskiest option, since the malware may change its behavior at any time, but it is a clever one to use in the short term. Of course, it also requires administrator privileges.
  • Consider using USB storage. This is a fantastic solution, except that people forget to unplug the device once they are done backing up files. Users can plug in an external drive or USB stick, back up all necessary files, then unplug it again, and Locky cannot touch it. However, if it is left plugged in, these backups will all get encrypted just like a mounted network share.

In conclusion, Locky, like all ransomware, is a peril for all users. However, like all problems, it has solutions. Employing the MetaFlows IDS, maintaining backups, and investing in education are three of the most important tools one can use to prevent adversaries from succeeding.

Taking Care of Business: The FTC Guidelines Part Two

This post is a follow-up to Part 1 of Taking Care of Business: Information Retention & Responsibility. Here, we will be covering items six through ten, with a wrap-up of what this document means and what we can do to help you stay secure, ethically responsible, and on the right side of the FTC’s standards.

Item six on their list is, “Secure Remote Access to Your Network.” Their bullet points under this heading are Ensure End Point Security, meaning that you must control who can log on remotely and verify that they are doing it safely. One way is to require two-factor authentication for logins. This demands that each user have the ability to generate a token on a separate device (a cell phone) and use that in combination with a token created by a key fob. Biometrics and PINs are also considered types of two-factor authentication.

The FTC would also prefer that businesses limit the amount of access that users have when away from the office. This is where it is useful to discuss third-party access. Restricting the amount and type of data that a third party or an off-site worker can get to means that the truly important data has a better chance of staying safe. Offering limited, one-time access is a great way to approach giving accessibility to a third-party user.

Item seven on the list is, “Apply Sound Security Practices When Developing New Products” and the first subheading asks that you “train your engineers in secure coding.” This is something tackled at the pre-design stage. It is up to your software developers to create code that is secure and will not unnecessarily put your business and clients at risk. For that to happen, they must be trained effectively on how to do so. A lack of education and foresight at this stage could be fatal before your product or service even launches.

The FTC’s second sub-heading involves following platform guidelines for security. Secure development practice guidelines are out there and available for use. Failing to follow them can open your business up to man-in-the-middle attacks through mobile applications and other dangers. It is not a requirement that one reinvent the wheel; instead, use the resources that are already available for creating secure software.

The last two bullet points are closely linked: “Verify that privacy and security features work” and “Test for common vulnerabilities.” This is something that even the big guys miss, much less the smaller companies out there. Often, it is smart to invest in an individual or company that provides penetration testing (pen testing). It is their job to try to get into your network in as many ways as possible. They will evaluate any weaknesses that exist within your code and review the results with you. Large companies such as Microsoft and others offer Bug Bounties, meaning that if a hacker (with their permission and under their conditions) finds a bug or security issue with their software, that hacker is rewarded and the bug can be fixed. Adobe, after some major security gaffes, has enlisted the help of the Bug Bounty program to help tighten up their software.

Issue eight of the last ten states, “Make Sure Your Service Providers Implement Reasonable Security Measures.” Since points six and seven warn you to get your software and users in line, the natural progression leads to the idea that you should evaluate anyone that you do business with. They advise that you “put it in writing” and “verify compliance.” Your security measures matter as much as the security measures of those who provide you with valuable services such as connectivity and cloud computing, just to name a few. Taking someone’s word or accepting a handshake with the assumption that any promises made outside of writing will be upheld is inadvisable at best. Any company’s website should list their regulatory compliance information, which is easy to verify. This is ours.

In point nine, “Put Your Procedures in Place to Keep Your Security Current and Address Vulnerabilities That May Arise,” they focus not only on how you go about maintaining your security practices, but also on those of any third-party vendors you may work with. This is where documentation is essential, to prove, should you be summoned to court, that you have been maintaining a good-faith relationship in regards to your security. Also, even after the pen-test phase, it is vital to keep on top of any perforations in your company’s defense against adversaries. Whether it is six months or nine years after a product you are responsible for is released, you must act upon any reports warning of a security risk with that product. Put together a way of collecting these issues and a mechanism to address them. Do not let them get lost in the shuffle; ignore them at your peril. This, of course, also requires that you stay on top of any third-party services or vendors you may use to make sure that they are making good on their promise of security to you.

Last but not least, the FTC advises that you “Secure Paper, Physical Media, and Devices.” Everything that was already recommended in regards to your network and digital data also applies to any hard copies. The FTC asks that you “securely store sensitive files,” “protect devices that process personal information,” “keep safety standards in place when data is en route,” and “dispose of sensitive data securely.” All of this may seem like common sense and somewhat of a no-brainer, but it is worth remembering that if enterprises, both small and large, did these things, the FTC would never have had to address gaffes in data containment by Rite Aid, CVS Caremark, and many unfortunate others.

We decided to use this precious blog space to bring these ten items to your attention, as it is our goal to keep you and your data safe. The MetaFlows MSS is continually evolving to help you better protect your enterprise from adversaries and from the potential legal fallout of any success they might otherwise have had. A tired truth is that the best defense is actually a good offense, and in the world of business and information security, having the right service in place can make all the difference.

InfoSec and the Great Gender Gap: The Revolving Ten Percent

love2d beginner game programming workshop at the Berlin Google office in August 2015 as part of Women Techmakers.

That there is a dearth of women in the Information Security (InfoSec) community is not news. The news would be if that number were to ratchet up to fifteen or twenty percent, in keeping with the growth that other STEM positions are close to hitting. Women make up only 27% of the population in Science, Technology, Engineering and Math (STEM) careers; 12% of computer science degree holders were women according to a census in 2011. The number of women currently holding positions in Information Security is a marginal 10-12%. Even as other areas of STEM show an improvement in numbers, the Information Security field remains stagnant.

It is easy to look at these numbers and agree with InfoSec professionals’ retort that women just are not suited to this kind of work. They cite a lack of women in university courses, training events, and conferences as a sign that women are not interested and/or are incapable of producing the kind of results that the job requires. Sure, women might start in the industry, and if they disappear, the reasoning falls along the lines of imagining they left to start a family or something similar. Looking inward to assign blame is often quite difficult and not the most natural first reaction.

“The shortage of women in the field creates a vicious cycle. The profession is seen as unwelcoming by women first choosing a career. And women who are already in the profession can find themselves singled out and stereotyped. That, in turn, makes women feel devalued and passed over for promotions, and means that they are more likely to leave their companies”, according to a recent report from the Anita Borg Institute.

The misogyny is not necessarily entirely mean-spirited and the perpetrators may firmly believe that there is nothing wrong with their behavior.  However, after attending Beyond The Gender Gap: Empowering Women In Security at Black Hat 2015, and talking to the four women at my table, it became clear that this is an ongoing/recurring issue. The offenses listed by my table companions, women employed at such companies as Microsoft and IGX, range from what some call passive misogyny which includes:

  • companies sponsoring competitions offering prizes that are only suitable for male contestants,
  • assuming that if a woman is present at an interview/meeting she must be the project manager, or human resources liaison or quite possibly even the secretary duty bound to fetch refreshments,
  • not addressing sexist language/objectionable materials in the work place,
  • and using gendered language in their job proposals.

They also cited more active forms of misogyny that include but are not limited to:

  • being passed over for advancement,
  • and actively denied mentorship.

All of these issues seem to occur as a default to former societal norms with outdated expectations, and a focus on exclusivity rather than inclusivity. Why bother promoting or investing in a woman, as she will doubtless leave to start a family and default on the investment of on-boarding her in the first place?

If a woman does manage to brave the obstacles against her, the path does not become easier, but presents only new difficulties. Recently, the #ILookLikeAnEngineer campaign highlighted some of the key issues of women in tech. When Isis Wenger started the Twitter hashtag, it was because she fell under heavy criticism for an advertisement campaign run by her employer. “People generating discussions about whether or not I really was a platform engineer for OneLogin were also rather shocking,” she said. The reason behind questioning the legitimacy of the ad is simple yet profoundly disturbing: Wenger was considered too attractive to be an actual platform engineer.

She is an engineer.

One who openly acknowledges being a minority comes to the startling conclusion that if they are not willing to plow the way ahead for the next one, no one will. However, the acceptance of this path comes at a steep personal cost, and the numbers reveal that women, when it comes to working in the InfoSec profession, have decided that it is not worth it. As more women enter STEM, one would imagine that the number of female InfoSec professionals would grow, but that is not the case. Women entering the profession are only doing so at a rate that replaces the number of women leaving it. The reasons for this can be intensely personal, as well as professional.

According to Marsha Wilson in her article, A Woman’s Journey to Cyber Security, “Being a woman in infosec requires you re-demonstrate your chops with every new IS dude gang. It gets exhausting but I find it is just part of the culture. If you don’t like it, you better build a thick skin or go elsewhere.” In short, a woman in the InfoSec community had best accommodate herself to an environment created exclusively by men, for men. This environment certainly does not come across as an inviting atmosphere; her use of the words “exhausting” and “dude gang” indicates exactly what is likely preventing women from staying in the field once they gain employment.

While the quandary regarding women in the InfoSec community will likely not be solved tomorrow, all statistics show that the sooner the gender gap is closed, the better. This blog post barely scratches the surface of what appears to be a complex and ever-evolving problem. However, it behooves us to conclude on a positive note. There are people who have made it their goal to help women join the InfoSec community, and their visibility on the web is growing. All of the groups and communities listed below contain inspirational articles, information on classes/workshops, and links to even more resources. The InfoSec community is one of growth and, in truth, it needs more women.

Double Union

Executive Women’s Forum (EWF)

Girl Develop It (GDI)

Girls Who Code (GWC)

Women in Cyber Security (WiCyS)

Women in Technology MeetUp

Women Who Code (WWC)

Taking Care of Business: Information Retention & Responsibility

Every business accrues data about its current patrons and prospective clients. What information do you collect about your customers? Do you collect only what is relevant, or pursue all of the data you can possibly accumulate? No matter what your approach to data collection, or the why behind it, the FTC thinks that it is time you reviewed those policies. The Federal Trade Commission (FTC) recently released a document entitled “Start with Security: A Guide for Business.” This may initially seem both dry and somewhat irrelevant. However, choosing to ignore or dismiss these guidelines out of hand will ultimately prove to be expensive. On Monday, the United States Court of Appeals for the Third Circuit ruled that the FTC has the ability to take action on behalf of consumers against companies that do not follow these guidelines. Established within this document are “10 practical lessons businesses can learn from the FTC’s 50+ data security settlements,” and for the purpose of this blog post, we will take a look at the first five points on the list.

The first item asks that you start with security in mind. Until security is breached, companies are often quite confident in their in-house or SaaS security solutions. The issue with this, of course, is that it is a reactive strategy to security, not a proactive one. If an in-house security team is not given the tools they need to do the job properly, expecting them to stay ahead of cyber threats is more than a bit unrealistic; it is irresponsible.

The FTC also advocates that companies not collect personal data they do not need, nor retain data longer than necessary.  In other words, you are in charge of deciding exactly what and how much data you acquire from your customer base and how long you hang on to it.  It is worth keeping in mind that whatever you do choose to collect and store, you are responsible for it.  The more data you hold, the stronger the security solution you will need, so as not to be found liable should that data become compromised.

When considering stored data, one must also consider who within the company has access to what, and how much.  The FTC recommends creating user accounts for employees on a need-to-know basis.  (This also covers paper records as well as copies stored on external media such as drives and disks.)  Companies should not only restrict access to sensitive data but also limit the administrative access of each user.  Much of what is called cyberterrorism is part pure code hacking and part social engineering.  If an employee is tricked into opening a compromised document or visiting a hijacked web page, they may unleash any number of terrors upon your network.  Certainly, every business should invest in backups, but beyond that, by controlling employee access one also limits the damage a compromised employee account can do.

The third point the FTC makes revolves around passwords.  It is the responsibility of every business to safeguard its data so that only the right people can access only the necessary information.  The FTC recommends that businesses “insist on complex and unique passwords,” “store passwords securely,” “guard against brute force attacks,” and “protect against authentication bypass.”  When considering password safety, creating and enforcing password policies is an absolute necessity.  Criminals should not be able to guess their way into your system through weak passwords, read unencrypted documents that contain sensitive information, take down your network with automated programs that guess at passwords, or discover back doors that allow access.

Information travels, and transferring sensitive data is unavoidable.  This can be accomplished securely through cryptography, the use of Transport Layer Security/Secure Sockets Layer (TLS/SSL), and other methods.  If data is not stored securely and transferred securely throughout its life within a business, then that business can be held liable should attackers acquire that data.  By using “industry-tested and accepted methods,” business owners can take advantage of all the security research that has come before and has been confirmed as functional and safe.  Of course, without proper configuration of all of these elements, businesses become vulnerable to the man-in-the-middle attacks that are infamous in the world of information security.  Poor execution of the standards a business has put in place lets priceless data slip through.

The fifth and final point we will cover is the requirement to “segment your network and monitor who’s trying to get in and out.”  This is by far one of the most vital items on the list.  Firewalls are a very effective tool for regulating access to information by segmenting your network.  While it is tempting to connect everything, doing so puts your data and your reputation at risk.  You are also required to monitor the activity on your network.  This may seem like a daunting task, with all of those hackers trying to get into your system so they can get out with sensitive materials.  However, there are products available to help you perform this necessary task.

The best way to address the first five points is to use a multi-part IDS, such as MetaFlows MSS.  Providing your security team with the best software on the market is the only way to make sure that you are in compliance with the most vital of the FTC’s requirements.  If a business’s network is compromised because it did not follow these guidelines to the best of its ability, the FTC can and will take action.  In just the first five bullet points of the PDF, businesses such as Twitter, DSW, Fandango, and Credit Karma were all publicly named as companies with insecure systems and networks.  It should never be anyone’s goal to join them.