Tag Archives: Security

Avoid Ransomware Attacks with IT Asset Management

When installing a home security system, it is important to perform a discovery so that you can document all vulnerabilities around the property you wish to secure. Why? Because a security system is worthless if you do not secure every window and door. When implementing an IT security solution to protect your data, it is important to perform a discovery so that you can identify all IT assets that need to be secured.

Unfortunately, many organizations continue to struggle with IT asset management and as a result, assets are often misplaced or lost. Why? Because IT assets are often misplaced or lost when they are changed, updated, relocated, or refreshed. Assets that are misplaced or lost can put an organization at risk because it is not possible to keep an IT asset up-to-date when you don’t see it.

It is no secret that many organizations have recently been hit with ransomware attacks such as WannaCry. On March 14, 2017, Microsoft released a critical patch that protected IT assets from WannaCry ransomware; however, on May 12, 2017, at least 230,000 computers in more than 150 countries were paralyzed by the ransomware.

Why? Because these organizations were not current with their patch and security updates. Many organizations that were hit with the ransomware were running unsupported operating systems like Windows XP and Windows 2003, which Microsoft no longer supports.

The Importance of an IT Asset Database

Maps are critical to generals and commanders who are at war because they provide a complete view of the battlefield. Maps provide details about the landscape along with all its obstacles. When fighting a war, it is important not to be surprised by the enemy. Without maps, generals and commanders would find it very difficult to identify and secure vulnerable areas on the battlefield.

IT asset databases are much like maps that provide a view of the battlefield. When IT can see everything, they are able to see obstacles that are putting the organization at risk. Organizations that want to protect themselves from ransomware attacks need to have reliable IT asset reports so they can see all assets that are vulnerable to a ransomware attack, such as older outdated operating systems and applications.

Organizations that do not have reliable asset reports are at risk. In other words, they are fighting a battle without a reliable map.

To avoid the cost and stress experienced by people who have been impacted by ransomware attacks, get a reliable map, i.e., build an accurate and complete IT asset database using a reliable IT asset management solution. Then build processes and procedures to track the assets throughout their lifecycle.

Security Starts with Discovery

To apply security policies to IT assets, security solutions must see the asset. Historically, organizations have not given much attention to the importance of discovery services and the IT asset database. They view it as a necessity to their security solution instead of a critical component to the business.

If you left one window unlocked in your home, it would not matter that the rest of the windows and doors were locked. Everything must be discovered for complete security. Be sure to choose reliable discovery solutions if you want to ensure your network is secure. An undiscovered device is like an unlocked window.

Summary

Organizations need to implement IT asset management to ensure security is applied to every IT asset on the network. Organizations that are not managing IT assets using ITAM principles do not have a complete security solution. Don’t let your data be compromised by an IT asset that you did not see.

-follow me on Twitter @marcelshaw

Five Future Technologies to Watch for IT Service Management

As technology advances at such a rapid pace, many IT solutions become outdated very quickly. If organizations want to stay competitive and up-to-date with current technology, they need to stay informed about future technologies or their current solutions quickly become outdated. With regard to IT service management (ITSM), here are five technologies to watch that will impact ITSM solutions in the future:

    1. Internet of Things (IoT)
    2. Security and Compliance
    3. Security Broker Authentication
    4. Predictive Analysis
    5. Virtual Reality

 

Internet of Things (IoT)

We will see an impact to ITSM solutions from IoT in two areas, CMDB and ITAM. To support IoT, ITSM processes and tools need the ability to integrate into IoT APIs.

Network systems and applications are typically provided access with Identity and Access Management (IAM) technology; however, IAM would be overwhelmed with the relationship and access demands required by IoT. Therefore, the Identity of Things (IDoT), which is an extension of IAM, applies a unique identifier (UID) to IoT devices. This allows you to control relationships and access between the IoT and other entities inside and outside of your organization.

Gartner says, “IT asset management (ITAM) and software asset management (SAM) systems have traditionally managed IT and software assets of all types. The IDoT will assume some functional characteristics of ITAM and SAM within or integrated with IAM architecture, or be linked to ITAM as attribute stores.”

Without proper tracking of IoT devices and their configurations, it is difficult to apply security policies. ITAM and a CMDB will be critical for tracking the influx of IoT devices that are expected to hit company networks over the next several years.

Security and Compliance

Security is the number one priority in most organizations; however, not all organizations have integrated their security with IT service management processes. ITIL security management defines best practices when planning, controlling, analyzing, and maintaining security policies and processes to protect sensitive data.


It is important to build processes that integrate security management into change management processes if organizations are looking to minimize risk in the future. Over the next few years, IT organizations should expect to see more integration capabilities from their ITSM solution providers, which will allow them to integrate their security tools.

Security Broker Authentication

As IT solutions move into the cloud, many organizations will implement a cloud access security broker for authentication.


Cloud Access Security Brokers (CASBs) can be on-premises or cloud-based. CASBs enforce security policies prior to allowing access to cloud resources.

Gartner says, “By 2018, 50 percent of enterprises with more than 1,000 users will use cloud access security broker products to monitor and manage their use of SaaS and other forms of public cloud.”

IT service management needs to be prepared to support those having difficulty accessing the organization’s cloud solutions using CASBs.

Predictive Analysis

In order to make informed decisions, it is important to understand current network service impact and costs. This is accomplished when current data as well as historical metrics are analyzed in order to predict future behaviors or to understand unknown events.

Predictive Analysis helps IT service organizations distribute workloads based on data from multiple sources.

Many ITSM software solutions are expected to add predictive analytics capabilities to their service management solution; however, these features are not useful if the IT organization does not have the expertise required to understand the data provided by these tools. IT organizations should consider employing a data scientist if they want to take full advantage of all the data and metrics that IT service management tools will soon deliver.

Virtual Reality

Virtual Reality (VR) solutions could soon work their way into the IT business environment. Knowledge management is a challenge for many organizations. In the near future, don’t be surprised to see IT organizations flirt with VR technology as they advance their employee training services.


Research and Markets believes that the industry will see over 60% growth every year for the next five years, transforming it from a fringe technology enjoyed by the techy few into a major medium for gaming, entertainment, and business.

VR could one day become a component of your Knowledge Management offering if the technology is retrofitted and accessible via an ITSM self-service portal.


Three Reasons You Need ITAM for the Internet of Things (IoT)

It was 1984, and I was off to the only movie theater in the town where I lived. The movie was called Terminator and although it was science fiction, the story line had an eerie ring of truth. It was about intelligent computers rising up and rebelling against their human progenitors. This movie introduced many of us to the concept of the internet 10 years before it started to become part of our lives.

Soon after we started connecting personal computers and laptops to the internet, smartphone and tablet technology took root and were mainstream by 2010. Today we are witnessing another major shift in technology with the Internet of Things (IoT).

Gartner forecasts that 4.9 billion connected things will be in use in 2015, up 30% from 2014, and that the number is expected to reach 25 billion by 2020.

How do you choose what to manage and what not to manage for IoT?

With the increased amount of smart devices coming online, the question becomes what smart devices do we track and how do we track them? Many organizations are still figuring out how to implement ITAM with BYOD. Therefore, an ITAM solution for IoT might not be on the radar for many organizations; however, a strategy should be considered for the following reasons:

  • To control inventory
  • To control access
  • To provide security

Control Inventory

When assets are tracked, information about purchase dates, warranty, and lifecycle states help to control the inventory of the assets. Organizations have to decide which smart devices should be tracked using an ITAM solution. For example, should the ITAM solution track a smart light bulb? It might not make sense to track just one, but it could make sense to know how many smart light bulbs are owned and where they are installed.

Furthermore, if there is a software package that controls smart light bulbs, a relationship could be created linking the application to the light bulbs and to an associated software entitlement license. For IoT, I believe it is more practical to manage the contracts, licenses, and vendor information in the ITAM database versus tracking each smart device individually.

One could also argue that smart light bulbs are not considered IT assets and should be managed by facilities’ systems. However, the line between facilities and IT becomes blurred when smart light bulbs are controlled by an application that requires a software license.

Gartner states, “the IoT is not only about the introduction of different forms of networked devices into digital business moments; it is a transformational approach to viewing and implementing processing, analytics, storage and communications.”

Control Access

Relationship management is an important part of an ITAM strategy. Relationships are also very important in the context of IoT. Not only does an organization need to know which devices to connect to their systems, they need to control access between IoT devices and other IoT entities, IT assets, applications, and people.


Access to systems and applications is provided using Identity and Access Management (IAM). However, traditional IAM solutions are not capable of dealing with the relationship and access requirements that come with IoT. Therefore, the Identity of Things (IDoT) is an extension of IAM that applies a unique identifier (UID) to IoT devices/objects, which allows you to control relationships and access between IoT and other entities inside and outside of your organization.

Gartner says that “IT asset management (ITAM) and software asset management (SAM) systems have traditionally managed IT and software assets of all types. The IDoT will assume some functional characteristics of ITAM and SAM within or integrated with IAM architecture, or be linked to ITAM as attribute stores.”

Provide Security

The National Cybersecurity Center of Excellence (NCCoE) is addressing IT asset management for the financial services sector.

“An effective IT asset management (ITAM) solution can tie together physical and virtual assets and provide management with a complete picture of what, where, and how assets are being used. ITAM will enhance visibility for security analysts, which will lead to better asset utilization and security.”

IoT security is an evolving endeavor to provide security to all devices connected to the internet. Security experts have warned of the potential risk of large numbers of unsecured devices connecting to the Internet since the IoT concept was first proposed in the late 1990s.

Smart light bulbs in the home are a great way to save energy, and smart vacation settings turn lights on and off in different rooms to make it appear someone is home. Smart criminals, such as organized crime or cyber-criminals, could hack your system and learn your vacation programs, thus alerting them that you are on vacation. They could then sell that information to street criminals informing them of who might be out of town in that criminal’s area. From this example, it is clear that organizations need to apply security to IoT devices so that access is denied to unauthorized users, devices, and malware.

According to Proofpoint, more than 25 percent of the botnet was made up of devices other than computers, including smart TVs, a refrigerator, and other household appliances.

ITAM will provide inventory information to a security system. Without the inventory information, an organization might not be aware of existing connected IoT entities and their potential security risk. If you don’t have an inventory of all devices connected to the internet, then you don’t have a complete security solution. In my opinion, the lines between ITAM and security will continue to disappear, meaning that one day complete security solutions will not exist without an ITAM solution in place.

Conclusion

The good news so far is that Skynet is not yet self-aware which, if you are familiar with the movie Terminator, signaled the beginning of the rebellion against humans. We might not be facing a threat from intelligent interconnected computers waging war on the human race; however, we do face threats from other countries, criminals, and terrorist factions. Computer systems as well as all their connected devices could be used against us if compromised by someone with malicious intent. IoT will force a fundamental change in how security is implemented by making inventory control and knowledge about the presence of connected entities a priority security requirement.

 


Three Reasons ITAM Should be Part of Your Security Strategy (Part 2 of 2): Government Security Requirements

If you have ever lost your wallet, I am pretty sure you did not worry about the actual wallet. I live about 45 miles away from Washington, D.C. and two miles from my house is a commuter train. I will never forget the first time I took that train into D.C. After boarding, I realized I did not have my wallet. The train was already on its way, so I was stuck.

That day, all I could think about were the contents of my wallet. My driver’s license, government ID, health ID, and credit cards. If that wallet ended up in the wrong hands, I could have a big mess to clean up. Although I could cancel my credit cards, my heart was racing at the very thought of someone possibly using my license or health ID to steal my identity.

A computer hard drive is much like a wallet. If it gets lost or stolen, you will probably be more concerned about the contents than the actual hard drive. In 2014, it was reported that 68 percent of all healthcare data breaches since 2010 are due to device theft or loss…not hacking.

Security breaches associated with identity theft reported in the media are typically associated with sophisticated hacking programs. In reality, many security breaches come from computers and laptops that have been misplaced, lost, or stolen. Both the financial and healthcare sectors have been hit hard, placing the identity of millions of people at risk.

To protect user identity, government agencies have focused on the financial and healthcare industries with security regulations. Organizations that do not meet security requirements can be fined and even prosecuted.

ITAM processes will help you comply with government security requirements

An important part of security regulations relates to the physical security of the device. The National Cybersecurity Center of Excellence (NCCoE) at the U.S. National Institute of Standards and Technology (NIST) is driven by the cybersecurity needs of American businesses. In an effort to address current security issues in the U.S. financial industry, the group worked with representatives from the private sector to address security problems and to provide solutions to these problems.

The organization created a document called IT ASSET MANAGEMENT: Securing Assets for the Financial Services Sector. The motivation for this document states that an effective ITAM system increases security by providing visibility into what assets are present and what they are doing.

The objective of this document states the following:

“To effectively manage, utilize and secure an asset, you first need to know the asset’s location and function. While many financial sector companies label physical assets with bar codes and track them with a database, this approach does not answer questions such as, “What operating systems are our laptops running?” and “Which devices are vulnerable to the latest threat?” The goal of this project is to provide answers to questions like these by tying existing data systems for physical assets, security systems and IT support into a comprehensive IT asset management (ITAM) system.”

It has become evident to most organizations that IT service management (ITSM) and ITAM solutions play an important role in an organization’s overall security solution. ITAM is not just about tracking a device; it is also about tracking the data on that device.

It is not acceptable for any organization holding private identity information to not know exactly WHERE private information is stored, WHO has access to that information, and WHEN that information is accessed.

To protect the data, it is important to track the location of the asset and maintain a list of who has access to the device. That list should also include physical access, and it would not be far-fetched to even add a custodian or cleaning crew to an access list. Furthermore, it is important to know if the device is moved, reallocated, serviced, or disposed of. ITAM solutions should also communicate with ITSM solutions so that change requests to configuration items are properly documented.

[Figure: ITAM Security Flow Chart]

Before a device is secured, it has to be discovered and documented in a database. After security configuration, software, and encryption have been added to the device, the ITAM database needs to have the ability to track the device. Tracking the device would need to include processes that would notify the security team if a device goes missing.

The United States Department of Health & Human Services mandates a security standard called HIPAA.

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The penalties for healthcare organizations are severe if they are found to be noncompliant with HIPAA requirements. A large component of these requirements addresses the physical devices that contain private patient data, as listed below in this HIPAA checklist:

164.310(a)(1) Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

164.310(c) Have you implemented physical safeguards for all workstations that access Electronic Protected Health Information (EPHI) to restrict access to authorized users?

164.310(d)(1) Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility.

164.310(d)(2)(i) Have you implemented policies and procedures to address final disposition of EPHI, and/or hardware or electronic media on which it is stored?

164.310(d)(2)(ii) Have you implemented procedures for removal of EPHI from electronic media before the media are available for reuse?

164.310(d)(2)(iii) Do you maintain a record of the movements of hardware and electronic media and the person responsible for its movement?

164.310(d)(2)(iv) Do you create a retrievable, exact copy of EPHI, when needed, before movement of equipment?

I am aware of a hospital in Florida that makes the internal PC hard drive the primary IT asset that is tracked. They use the serial number to track the status of all hard drives for HIPAA compliance. They also have a locked room with spare hard drives. If a production hard drive fails, it is replaced and its status is changed to repair or dispose in the ITAM database. They also have a process to ensure those drives are properly disposed. As part of the disposal verification process, alerts are in place to notify security if the serial number of a disposed hard drive reappears on another device in the future.
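The two alerting ideas above (notify security when a tracked device goes missing, and when the serial number of a disposed drive reappears) can be expressed as a reconciliation between the ITAM register and discovery scan results. The following is an added example, not the hospital's system or any ITAM product's code; the record fields, status names, alert names, the 14-day silence threshold, and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical lifecycle states; the post itself names only "repair" and "dispose".
IN_USE, SPARE, REPAIR, DISPOSED = "in_use", "spare", "repair", "disposed"


@dataclass(frozen=True)
class DriveRecord:
    """One row of the ITAM drive register, keyed by serial number."""
    serial: str
    status: str
    assigned_host: Optional[str] = None


@dataclass(frozen=True)
class Sighting:
    """One drive serial reported by a discovery scan."""
    serial: str
    host: str
    seen_on: date


def normalize(serial: str) -> str:
    """Compare serials case-insensitively, ignoring spaces and dashes."""
    return "".join(ch for ch in serial.upper() if ch.isalnum())


def reconcile(register, sightings, today, max_silence_days=14):
    """Return sorted (kind, serial, detail) alerts for the security team."""
    by_serial = {normalize(r.serial): r for r in register}
    last_seen, alerts = {}, set()
    for s in sightings:
        key = normalize(s.serial)
        rec = by_serial.get(key)
        if rec is None:
            # A drive on the network that was never documented in the register.
            alerts.add(("UNKNOWN_DRIVE", key, s.host))
            continue
        last_seen[key] = max(last_seen.get(key, s.seen_on), s.seen_on)
        if rec.status == DISPOSED:
            # Disposal verification failed: the serial is back in a live device.
            alerts.add(("DISPOSED_REAPPEARED", key, s.host))
        elif rec.status == IN_USE and rec.assigned_host != s.host:
            # Movement that was not recorded in the register.
            alerts.add(("MOVED", key, f"{rec.assigned_host}->{s.host}"))
    cutoff = today - timedelta(days=max_silence_days)
    for key, rec in by_serial.items():
        # An in-use drive that discovery has not reported recently is missing.
        if rec.status == IN_USE and last_seen.get(key, date.min) < cutoff:
            alerts.add(("MISSING", key, rec.assigned_host or "unassigned"))
    return sorted(alerts)


# Constructed sample data (not from the post).
TODAY = date(2024, 6, 30)
REGISTER = [
    DriveRecord("WD-1001", IN_USE, "ward-pc-01"),
    DriveRecord("WD-1002", DISPOSED),
    DriveRecord("WD-1003", IN_USE, "lab-pc-07"),
    DriveRecord("WD-1004", SPARE),
    DriveRecord("WD-1005", IN_USE, "er-pc-02"),
]
SIGHTINGS = [
    Sighting("wd-1001", "ward-pc-01", date(2024, 6, 29)),
    Sighting("WD 1002", "kiosk-12", date(2024, 6, 28)),
    Sighting("WD-1003", "front-desk-03", date(2024, 6, 29)),
    Sighting("ST-9999", "ward-pc-01", date(2024, 6, 29)),
    Sighting("WD-1005", "er-pc-02", date(2024, 5, 1)),
]

if __name__ == "__main__":
    for alert in reconcile(REGISTER, SIGHTINGS, TODAY):
        print(*alert, sep="\t")
```

Serial numbers are normalized before comparison because discovery tools and purchasing records often format the same serial differently, and an unnormalized match would silently miss a reappearing drive.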

Summary

There is no question that ITAM should play an important role in your overall security strategy. Does your organization protect data by properly managing physical IT assets? Take this self-assessment quiz to see how you are doing.

  1. Does your organization track the name of the person receiving, disposing, reassigning, or moving physical IT assets? YES/NO
  2. Does your organization have policies that limit physical access to IT assets containing sensitive company data? YES/NO
  3. Does your organization enforce policies to track the removal of hardware containing sensitive data in and out of its facility? YES/NO
  4. Does your organization have policies to sanitize and dispose of end-of-life IT assets? YES/NO
  5. Does your organization have policies to VERIFY that IT assets have been properly disposed? YES/NO
  6. Does your organization sanitize and physically secure IT assets that are currently not in use? YES/NO
  7. Does your organization have policies in place to be alerted in a timely fashion if an IT device is stolen or lost? YES/NO

If you said no to any of these questions, it’s time to make ITAM a part of your security strategy.


Questions to consider regarding Shadow IT

What is Shadow IT?

Shadow IT refers to IT devices and applications that an organization does not track or manage. In many cases, the organization does not even know these devices or applications exist. Furthermore, they cannot audit and track how these assets are being used.

Is it costing my organization money?

Gartner once estimated that 35% of enterprise IT expenditures will happen outside of the corporate IT budget in 2015. However, there are organizations that believe shadow IT actually reduces costs.

Projects that use Shadow IT increasingly have the resources and bandwidth to build solutions on their own and can deliver them much faster, thus reducing the budget that would otherwise be required for overall IT expenses. In other words, some say it is a wash.

Are there many risks created by shadow IT?

Let’s start by looking at the top security breaches in 2014 so far.

eBay

145 million customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. The breach is thought to have affected the majority of the company’s 145 million members.

Michaels Stores

The company said up to 2.6 million payment card numbers and expiration dates at Michaels stores and 400,000 at Aaron Brothers could have been obtained in the attack.

Montana Department of Public Health and Human Services

Names, addresses, dates of birth and Social Security numbers on roughly 1.3 million people

Variable Annuity Life Insurance Co.

A former advisor used a thumb drive to obtain Social Security numbers and other details on 774,723 of the company’s customers.

Spec’s

A breach of the Texas wine retailer’s network resulted in the loss of information of as many as 550,000 customers. Hackers got away with customer names, debit or credit card details, card expiration dates, card security codes, bank account information from checks and possibly driver’s license numbers.

St. Joseph Health System

Approximately 405,000 former and current patients’ and employees’ names, Social Security numbers, dates of birth, medical information and, in some cases, addresses and bank account information.

When business processes are not under the control of a centralized IT or IS department, there is an increased risk that shortcuts will be taken, security procedures will be overlooked, and at least one or more of the security standards your organization adheres to will be compromised.

If we embrace Shadow IT, what Security Standards could we break?

  • FISMA (Federal Information Security Management Act of 2002),
  • GAAP (Generally Accepted Accounting Principles),
  • HIPAA (Health Insurance Portability and Accountability Act),
  • IFRS (International Financial Reporting Standards),
  • ITIL (Information Technology Infrastructure Library),
  • PCI DSS (Payment Card Industry Data Security Standard),
  • TQM (Total Quality Management), etc.

How should we approach the problem?

The bottom line is that you can’t secure something you don’t know about. It’s time for organizations to implement IT Asset Management processes. I suggest a three-tiered approach, which I will discuss in an upcoming blog.