Taking Care of Business: The FTC Guidelines Part Two

This post is a follow-up to Part 1 of Taking Care of Business: Information Retention & Responsibility.  Here, we will cover items six through ten, with a wrap-up of what this document means and what we can do to help you stay secure, ethically responsible, and on the right side of the FTC’s standards.

Item six on their list is, “Secure Remote Access to Your Network.”  Their bullet points under this heading begin with “Ensure endpoint security,” meaning that you must control who can log on remotely and determine that they are doing it safely.  One way is to require two-factor authentication for logins.  This demands that each user have the ability to generate a token on a separate device (a cell phone) and use that in combination with a token created by a key fob.  Biometrics and PINs are also considered types of two-factor authentication.

The FTC would also prefer that businesses limit the amount of access that users have when away from the office.  This is where it is useful to discuss third-party access.  Restricting the amount and type of data that a third party or an off-site worker can reach means that the truly important data has a better chance of staying safe.  Offering limited, one-time access is a good way to approach giving accessibility to a third-party user.

Item seven on the list is, “Apply Sound Security Practices When Developing New Products,” and the first subheading asks that you “train your engineers in secure coding.”  This is something tackled at the pre-design stage.  It is up to your software developers to create code that is secure and will not unnecessarily put your business and clients at risk.  For that to happen, they must be trained effectively in how to do so.  A lack of education and foresight at this stage could be fatal before your product or service even launches.

The FTC’s second sub-heading involves following platform guidelines for security.  Secure development practice guidelines are out there and available for use.  Failing to follow them can open your business up to man-in-the-middle attacks through mobile applications and other dangers.  There is no requirement to reinvent the wheel; instead, use the resources that already exist for creating secure software.

The last two bullet points are closely linked: “Verify that privacy and security features work” and “Test for common vulnerabilities.”  This is something that even the big guys miss, much less the smaller companies out there.  Often, it is smart to invest in an individual or company that provides penetration testing (pen testing).  It is their job to try to get into your network in as many ways as possible.  They will evaluate any weaknesses that exist within your code and review the results with you.  Large companies such as Microsoft offer bug bounties, meaning that if a hacker (with their permission and under their conditions) finds a bug or security issue in their software, that hacker is rewarded and the bug can be fixed.  Adobe, after some major security gaffes, has enlisted the help of a bug bounty program to help tighten up its software.

Item eight of the ten states, “Make Sure Your Service Providers Implement Reasonable Security Measures.”  Since points six and seven warn you to get your software and users in line, the natural progression leads to the idea that you should evaluate anyone that you do business with.  They advise that you “put it in writing” and “verify compliance.”  Your security measures matter as much as the security measures of the providers that supply you with valuable services such as connectivity and cloud computing, just to name a few.  Taking someone’s word, or accepting a handshake on the assumption that any promises made outside of writing will be upheld, is inadvisable at best.  Any company’s website should list its regulatory compliance information, which is easy to verify.  This is ours.

In point nine, “Put Procedures in Place to Keep Your Security Current and Address Vulnerabilities That May Arise,” they focus not only on how you go about maintaining your own security practices, but also on those of any third-party vendors you may work with.  This is where documentation is essential: should you be summoned to court, it proves that you have been maintaining a good-faith relationship with regard to your security.  Also, even after the pen-test phase, it is vital to keep on top of any perforations in your company’s defense against adversaries.  If, six months or nine years after a product you are responsible for is released, you receive reports warning of a security risk with that product, you must act on them.  Put together a way of collecting these issues and a mechanism for addressing them.  Do not let them get lost in the shuffle; ignore them at your peril.  This, of course, also requires that you stay on top of any third-party services or vendors you may use, to make sure that they are making good on their promise of security to you.

Last but not least, the FTC advises that you “Secure Paper, Physical Media, and Devices.”  Everything that was already recommended with regard to your network and digital data also applies to any hard copies.  The FTC asks that you “securely store sensitive files,” “protect devices that process personal information,” “keep safety standards in place when data is en route,” and “dispose of sensitive data securely.”  All of this may seem like common sense and somewhat of a no-brainer, but it is worth remembering that if enterprises, both small and large, did these things, the FTC would never have had to address gaffes in data containment by Rite Aid, CVS Caremark, and many unfortunate others.

We decided to use this precious blog space to bring these ten items to your attention, as it is our goal to keep you and your data safe.  The MetaFlows MSS is continually evolving to help you better protect your enterprise from adversaries and from the potential legal fallout of any success they might otherwise have had.  A tired truth is that the best defense is a good offense, and in the world of business and information security, having the right service in place can make all the difference.

Taking Care of Business: Information Retention & Responsibility


Every business accrues data about its current patrons and prospective clients.  What information do you collect about your customers?  Do you collect only what is relevant, or pursue all of the data you can possibly accumulate?  No matter what your approach to data collection, or the why behind it, the FTC thinks that it is time you reviewed those policies.  The Federal Trade Commission (FTC) recently released a document entitled “Start with Security: A Guide for Business.”  This may initially seem both dry and somewhat irrelevant.  However, choosing to ignore or dismiss these guidelines out of hand will ultimately prove to be expensive.  On Monday, the United States Court of Appeals for the Third Circuit ruled that the FTC has the authority to take action on behalf of consumers against companies that do not follow these guidelines.  Established within this document are “10 practical lessons businesses can learn from the FTC’s 50+ data security settlements,” and for the purpose of this blog post, we will take a look at the first five points on the list.

The first of these asks that you start with security in mind.  Until security is breached, companies are often quite confident in their in-house or SaaS security solutions.  The issue with this, of course, is that it is a reactionary strategy to security, not a proactive one.  If an in-house security team is not given the tools that they need to do the job properly, expecting them to stay ahead of cyber threats is more than a bit unrealistic; it is irresponsible.

The FTC also advocates that companies do not collect personal data that they do not need or retain data longer than necessary.  In translation, you are in charge of making decisions regarding exactly what and how much data that you acquire from your customer base and how long you hang on to it.  It is worth keeping in mind that whatever you do choose to collect and store, you are responsible for it.  The more data you have, the stronger the security solution you will need, so as not to be found liable should that data become compromised.

When considering stored data, one must also consider who within the company has access to what, and how much.  The FTC recommends creating user accounts for employees on a need-to-know basis.  (This also includes paper data, as well as copies stored on external memory hardware such as drives and disks.)  Companies should not only restrict access to sensitive data but also limit the administrative access of each user.  Much of cyberterrorism is partly pure code hacking and the rest social engineering.  If an employee is tricked into opening a compromised document or visiting a hijacked web page, they may unleash any number of terrors upon your network.  Certainly, every business should invest in backups, but beyond that, by controlling employee access one also controls the amount of potential employee damage.

The third point the FTC has chosen to make revolves around passwords.  It is the responsibility of every business to safeguard its data and make sure only the right people can access only the necessary information.  They recommend that businesses “insist on complex and unique passwords,” “store passwords securely,” “guard against brute force attacks,” and “protect against authentication bypass.”  When considering password safety, creating and reinforcing password protocols is an absolute necessity.  Criminals should not be able to guess their way into your system through weak passwords, reveal unencrypted documents that contain sensitive information, take down your network through the use of automated programs that guess at passwords, or discover back doors that allow access.
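The first three of those four recommendations translate directly into code. The example below is added here and is not from the original post or from MetaFlows: it rejects passwords that are too short or on a deny-list (a constructed five-entry stand-in for a real breached-password list), stores passwords as salted, slow PBKDF2-HMAC-SHA256 hashes from the Python standard library (a dedicated password hash such as Argon2 or bcrypt is preferable where a library is available), compares hashes in constant time, and locks an account after repeated failures so an automated guesser is throttled. The names `password_acceptable`, `LoginGuard` and the lockout parameters are our own, and the hash encoding format is made up for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Constructed deny-list; a deployment would check a large breached-password corpus instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

PBKDF2_ITERATIONS = 600_000   # current OWASP guidance for PBKDF2-HMAC-SHA256


def password_acceptable(password: str, min_length: int = 12) -> bool:
    """'Insist on complex and unique passwords': length plus a deny-list."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """'Store passwords securely': random per-user salt and a deliberately slow hash.

    Output format (constructed for this example): algo$iterations$salt_hex$digest_hex
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


class LoginGuard:
    """'Guard against brute force attacks': lock an account after too many recent failures."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.failures = defaultdict(deque)   # username -> timestamps of recent failures
        self.locked_until = {}               # username -> time the lockout expires

    def attempt(self, username: str, password: str, stored_hash: str, now=None) -> str:
        """Returns 'ok', 'denied' (wrong password) or 'locked' (too many failures)."""
        now = time.time() if now is None else now
        if self.locked_until.get(username, 0) > now:
            return "locked"                  # no hash computed while locked: cheap for us, useless for a guesser
        recent = self.failures[username]
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if check_password(password, stored_hash):
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[username] = now + self.lockout
            return "locked"
        return "denied"


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    guard = LoginGuard(max_failures=3)
    for guess in ("password", "letmein", "qwerty", "correct horse battery staple"):
        print(guess, "->", guard.attempt("alice", guess, stored))
```

Per-account lockout alone lets anyone who knows a username lock that user out, so in practice it is paired with per-source-address throttling and a CAPTCHA or step-up challenge rather than a hard lock.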

Information travels, and transferring sensitive data is an absolute requirement.  This can be accomplished through cryptography, the use of Transport Layer Security/Secure Sockets Layer (TLS/SSL), and other methods.  If data is not resting securely, or being transferred securely, throughout its life in a business, then that business can be held liable should predators acquire that data.  By using “industry-tested and accepted methods,” business owners can take advantage of all the security research that has come before and has been confirmed as functional and safe.  Of course, without the proper configuration of all of these elements, businesses become vulnerable to the man-in-the-middle attacks that are rather infamous in the world of information security.  These allow priceless data to slip through the business’s poor execution of the standards it has put in place.
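"Proper configuration" is the whole point with TLS: the protocol only stops a man-in-the-middle if the client actually validates the server's certificate and hostname. The following is an added example (not from the original post or from MetaFlows) showing, with Python's standard `ssl` module, the client context a practitioner should use beside the misconfigured one that silently accepts any certificate, plus a small audit function that tells the two apart. The function names `hardened_client_context`, `weak_client_context` and `context_is_mitm_resistant` are our own.

```python
import socket
import ssl


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Client context that defends against man-in-the-middle attacks.

    create_default_context() already requires a certificate chain that validates
    against trusted CAs and checks the hostname; we additionally refuse anything
    older than TLS 1.2.  `cafile` lets a deployment pin its own CA bundle.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration the paragraph warns about.

    Traffic is still encrypted, but because the peer's certificate is never
    verified, any party interposed on the path can present its own certificate
    and read everything.  Shown only so the audit below has something to flag.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_mitm_resistant(ctx: ssl.SSLContext) -> bool:
    """Audit check: chain validated, hostname checked, modern protocol floor."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def open_tls_connection(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Connect and handshake.  With the hardened context a forged, expired or
    mismatched certificate raises ssl.SSLCertVerificationError instead of
    handing the attacker the session."""
    sock = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("hardened context resists MITM:", context_is_mitm_resistant(hardened_client_context()))
    print("weak context resists MITM:    ", context_is_mitm_resistant(weak_client_context()))
```

The audit function is the kind of check to run in a code review or a unit test, because the weak context is a one-line change that many libraries expose as a "disable verification" flag, and nothing about a successful handshake reveals that it was used.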

The fifth and final point we will cover is the requirement to “segment your network and monitor who’s trying to get in and out.”  This, by far, is one of the most vital items on the list.  Firewalls are a very effective tool for regulating access to information by segmenting your network.  While it is tempting to connect everything, doing so puts your data and your reputation at risk.  You are also required to monitor the activity on your network.  This may seem like a daunting task, with all of those hackers trying to get into your system so they can get out with sensitive materials.  However, there are products available to help you perform this necessary task.
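Segmentation and monitoring meet in one simple detection: take the zone boundaries your firewall is supposed to enforce, write down which cross-zone flows are legitimate, and flag every flow record that crosses a boundary any other way. The example below is added here and is not code from the original post or from MetaFlows; the zone ranges, the allow-list, the flow-log format (`timestamp src dst dst_port proto`) and the sample log lines are all constructed for the illustration. It reports both the violations (the "trying to get in") and how much each zone talks to the outside (the "trying to get out").

```python
import ipaddress
from collections import Counter

# Constructed zones: the split a segmenting firewall would enforce.
ZONES = {
    "guest_wifi": ipaddress.ip_network("10.10.0.0/16"),
    "office":     ipaddress.ip_network("10.20.0.0/16"),
    "cardholder": ipaddress.ip_network("10.30.0.0/24"),
    "dmz":        ipaddress.ip_network("192.0.2.0/24"),
}

# Allow-list of (source zone, destination zone, destination port).
# Any other cross-zone flow is a segmentation violation.
ALLOWED = {
    ("office", "dmz", 443),          # staff reach the web tier
    ("office", "cardholder", 443),   # staff reach the payment app front end
    ("dmz", "cardholder", 5432),     # web tier reaches the database
    ("internet", "dmz", 443),        # customers reach the web tier
    ("office", "internet", 443),     # staff browsing, monitored as egress
}

# Constructed flow-log lines: "timestamp src dst dst_port proto".
SAMPLE_FLOWS = [
    "2015-08-27T10:00:01 10.20.1.15 192.0.2.10 443 tcp",     # office -> dmz web: allowed
    "2015-08-27T10:00:05 10.10.5.7 10.30.0.12 445 tcp",      # guest wifi -> cardholder SMB: violation
    "2015-08-27T10:00:09 203.0.113.4 192.0.2.10 443 tcp",    # internet -> dmz web: allowed
    "2015-08-27T10:00:12 203.0.113.4 10.30.0.12 3389 tcp",   # internet -> cardholder RDP: violation
    "2015-08-27T10:00:20 10.30.0.12 198.51.100.9 443 tcp",   # cardholder -> internet: violation (possible exfiltration)
    "2015-08-27T10:00:30 10.20.1.15 198.51.100.9 443 tcp",   # office -> internet: allowed, counted as egress
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line: str) -> dict:
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def check_flows(lines):
    """Return (violations, egress_counter).

    violations: (timestamp, src_zone, src, dst_zone, dst, port) for every
                cross-zone flow not on the allow-list.
    egress_counter: number of flows from each internal zone to the internet.
    """
    violations = []
    egress = Counter()
    for line in lines:
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone == dst_zone:
            continue   # intra-zone traffic is not a segmentation question
        if (src_zone, dst_zone, f["port"]) not in ALLOWED:
            violations.append((f["ts"], src_zone, f["src"], dst_zone, f["dst"], f["port"]))
        if dst_zone == "internet":
            egress[src_zone] += 1
    return violations, egress


if __name__ == "__main__":
    found, egress = check_flows(SAMPLE_FLOWS)
    for v in found:
        print("VIOLATION %s %s(%s) -> %s(%s):%d" % v)
    print("egress flows by zone:", dict(egress))
```

The cardholder-to-internet line is the one to notice: it is on an allowed port and looks like ordinary web traffic, and only the policy ("that zone never initiates outbound connections") makes it stand out. That is why the allow-list, not a port number, is the unit of review.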

The best way to address the first five points is to use a multi-part IDS, such as the MetaFlows MSS.  Providing your security team with the best software on the market is the only way to make sure that you are in compliance with the most vital of the FTC’s requirements.  If a business’s network is compromised because it did not follow these guidelines to the best of its ability, the FTC can and will take action.  In just the first five bullet points of the PDF, businesses such as Twitter, DSW, Fandango, and Credit Karma were all publicly revealed as companies with insecure systems and networks.  It should never be anyone’s goal to join them.

Dear CSO, Do You Know How to Build Security Culture?

Creating a security culture is not easy, but it is definitely beneficial.


With so many points of access to your network, you need manageable visibility and protection, especially if you do not have a strong security culture.