In the world of information security, keeping up with the constantly evolving threats to an organization’s sensitive information is akin to trying to hit a moving target. Rapidly growing and changing technologies inevitably bring about new security risks and vulnerabilities and present information security with a never-ending series of challenges.
Many organizations find that increasing security challenges come hand in hand with increasing costs. It is a vicious cycle that causes frustration and may necessitate a balancing act between security and profitability. A well-balanced information security strategic plan can greatly impact the cost effectiveness of an organization’s information security.
An information security strategic plan gives an organization a clear advantage by ensuring that everyone is on the same team and on the same page. When all the members of an organization know, understand, and follow the plan, the organization can:
- take measures to avoid security breaches;
- rapidly react to infractions so as to minimize damage and loss; and
- lay out infrastructure to support long-term security to accompany growth.
A Defensive Strategy
Well-funded attackers are always in a state of adaptation as they probe security measures for weaknesses, evaluate the results, and revise their strategies. If ignored, they will eventually find the weak spots in any defense. For this reason, it is imperative that cyber defenders and security specialists have a strategy in place to take proactive measures to be aware of hacking trends, watch for emerging discoveries of weaknesses, and anticipate potential exploitation of new technologies and operation platforms.
An Action Strategy
When an attack occurs, even the best static defenses can be circumvented given time. A well-planned strategy for active dynamic defenses allows an organization to implement contingency measures which will isolate the security breach and lock down vulnerable information assets. When a security breach occurs, there is no time to circle the wagons and discuss what to do. Time lost can mean information lost. An adequate information security strategic plan allows for rapid, effective responses to attacks.
A Progressive Strategy
Planning for future information security is a process based on anticipating the needs of an organization’s information system architecture in comparison with developing security systems and adversarial trends. A clear and concise vision of where an organization intends to go allows for the organization’s security measures to be provisioned and implemented with a minimum of unwanted duplication and waste. Knowing what is down the road allows an organization to seek out and build relationships with information security providers who can meet the organization’s future needs in a timely and efficient manner.
Beyond the walls of an organization, an information security strategic plan provides positive visibility within an industry or enterprise. Existing and prospective customers appreciate the reassurance that comes with knowing their business partners treat their information with utmost confidentiality and safeguard it against theft.
In just a few short years, industry experts predict that the Internet of Things (IoT) will have a tremendous growth explosion. By the year 2020, research suggests 30 billion devices will be connected in a $3 trillion marketplace. Assuring that this avalanche of data is protected by layers of security is paramount to the industry’s success.
Soon there will be homes where the front doors unlock with a smartphone, its temperature is controlled remotely, and even the oven is turned on by punching a code. “Smart homes” are already on the technological horizon, but the security features must keep pace for viability.
Consumers own many devices that are not just unencrypted, but with marginal to non-existent security features enabled. Some end users leave the factory-set passwords in place, making illegally accessing a device’s data mere child’s play for the average hacker.
Making IoT Devices Secure
Certain qualities are required in order to make the security on IoT devices effective. The security must:
- Possess cloud capabilities
- Be platform agnostic
- Have the ability to facilitate IoT technological ecosystems
- Be lightweight
The ability to manage security via a cloud platform is a vital component to any implemented system. Cloud management enables manufacturers to patch changes to security configurations once a weak spot is detected – even after consumers purchase the device. The hardware itself can be tethered to private key exchanges to simplify authentication, provisioning, and configuration.
The benefits of utilizing agnostic security platforms are clear. Processing capabilities in IoT devices can enable them to be managed and controlled via the cloud. Transmitting large-scale changes in provisioning, authenticating, and configuring can also be handled at cloud level from a centralized location.
Compact IoT devices with security features embedded at the chip is a practical solution for securing data at the core of the device while still utilizing available space. IoT devices can have private keys already embedded to enhance security. This additional layer of security allows compromised components to be identified as “untrusted” and isolated from the other devices on the network. Default passwords would no longer be necessary once key exchanges are implemented within the hardware to authenticate each device. This also allows them to remain lightweight.
Issues to Overcome with IoT Devices
However, the lightweight, compact size of IoT devices limits the space available for security. Another drawback is the multiple levels of vulnerability when connecting devices or at the data host site of the chip. In addition, the limitations of the processing capabilities on devices manufactured by different companies creates security challenges. At present, consumers must use devices made by the same company in order to link them. Cloud-based connections reduce the necessity of standardizing the processing capabilities of IoT devices.
Most IoT devices aren’t currently enabled for cloud management, which is a potential security pitfall. When devices are all tethered to the cloud, it is a simple fix to patch security vulnerabilities – even when they are in the hands of end users. Devices can communicate more readily with one another when cloud capabilities have been implemented.
The bottom line is that the success of the IoT industry is dependent upon the security that is provided by the technology. To ensure that data protection remains a primary focus in an expanding market, networks and devices must be safeguarded. Enabling cloud management capabilities and security features embedded at the chip level can achieve these results.
Infrastructure-as-a-Service (IaaS) plans benefit a business by offering access to a cloud-based infrastructure that is tailored to their specific needs. However, many businesses are concerned with keeping their data safe with IaaS.
When subscribing to an IaaS plan, here’s how businesses can protect their sensitive data.
Awareness of What a Business Controls
Business users who subscribe to an IaaS plan should be aware of exactly what their plan entails. This includes the configuration of the infrastructure and how users will be able to access different data. By being aware of what they need to control, businesses will be knowledgeable and informed about the security of their plan.
It’s important to know who owns the data within the infrastructure. Understanding ownership details enables a business to navigate logistical situations and protect the organization against legal factors.
The Service Level Agreement
By understanding the Service Level Agreement (SLA), businesses help protect their data and intellectual property. An SLA is a fluid document and should be treated as such.
Complying With Regulations
In order to keep their IaaS secure, businesses need to be aware of industry regulations. Businesses should ensure that their IaaS provider is willing and able to work with them to fine-tune the management of processes and configuration capabilities.
Cloud hosting plans are completely virtual and not necessarily hosted within an organization, which means end user authentication can present a high security risk. Employees should keep login credentials private and be properly trained in authentication best practices. This doesn’t mean that end users should be inconvenienced or restricted; technology leaders should lead by example when establishing best practices, and businesses should find the balance between security and convenience for their users.
Monitor the Network
Even with the best security in the world, a business may run into issues with their IaaS if network monitoring is lacking. It is important to know and understand the network in order to catch unauthorized activity before it turns into a security breach. Monitoring the wireless infrastructure — especially as many users are now employing mobile devices to connect — will also prevent unauthorized users from accessing the cloud.
Employees aren’t always aware of how security holes can be created. Something as simple as accessing the infrastructure through a public Wi-Fi hotspot can create major security risks. Businesses can easily reduce these risks by training employees to understand how best to keep their connection secure.
Businesses must be aware of how their IaaS provider handles data backups, especially if using a new provider. Understanding the vendor’s redundancy procedures and being able to take action allows a business to protect their assets.
Data in Transit
Data moving between users, the data center, and the location of the IaaS systems can come under attack in different ways. In order to enhance security as much as possible, businesses must understand how this data moves.
Internal Unauthorized Activities
Users with authorization might still perform unauthorized activities. As well as ensuring that employees understand best practices, businesses should also ensure that the IaaS vendor has professional staff members and can control potential internal issues.
IaaS vendors assists with security strategies, but it never hurts for a business to have their own plans in place. By understanding their plan, monitoring their network, and ensuring that all staff members follow best practices, businesses have the ability to data safe.
Although there are better methods for securing communications, like printed newspapers, the password simply won’t concede defeat and pass into oblivion.
Despite the fact that we have become a society of connected users, the password is still the security method of choice as our last line of defense.
Resistance to other methods of personal identity security are fueled by our culture, one in which protecting our anonymity is paramount. We would rather be anonymous than secure, which is the driving reason we cling to a fixed character password – even if that password is as insecure as “password123.”
One method of identity protection available is called a digital cryptographic key. The digital key encrypts communications. However, due to our culture of anonymity, no one wants to use it. In fact, many people don’t employ encrypted e-mails, even in a corporate setting, because they fear an encrypted email will act as a beacon for hackers – a sign broadcasting, “This is an important communication, someone should try to infiltrate it.”
There have been countless opportunities in the past to implement transport protocols that would have encrypted all web traffic. Those methods, however, involved key-based encryptions – the encryption required certifications, which would establish identity. Developers, who understood that the majority of potential users would be too uncomfortable relinquishing online anonymity, did not pursue development.
Viable Options in a Mobile Environment
There are viable authentication systems available now, but these rely on identification. In the past, users could assert their identity through device ownership. However, increased mobility, multiple devices, and the evolution of workspaces into virtual constructs, has basically eliminated the practice of authentication through device ownership.
What it means
Although our culture makes it increasingly hard to discuss, securing communications through a system that identifies the user explicitly is a workable solution to security breaches. However, until our culture is ready to concede online anonymity, exploitations of data and information will continue as is – with security experts struggling to develop solutions as quickly as hackers create new threats.
Toll fraud is a serious security threat for businesses that use VoIP (voice-over Internet protocol), which is especially susceptible to toll fraud. Besides being a type of fraud–which no business wants–toll fraud can cause serious financial damage for businesses.
Yet, some business owners are not aware of what toll fraud is nor of the steps they should take to ensure that it doesn’t happen to their business.
What is Toll Fraud?
Toll fraud is the stealing of minutes from and the tacking on of outrageous charges to both conventional phone systems and VoIP.
In the past, with legacy switches, toll fraud was very lucrative, but it was harder to accomplish, because phone companies relied on switches, and there was no connection to the Internet. Now, hackers target business VoIP systems, which often have more lax security than company computers, and are able to cash in on the toll fraud schemes.
Why Toll Fraud?
Besides stealing minutes, hackers get a cut whenever they commit toll fraud. Toll fraud is big business in some smaller countries that have primitive phone systems with little or no usage. These phone companies charge outrageous rates because very few people use them. Hackers will break into a business’s phone system and use their VoIP to these select countries, racking up huge toll bills. The phone system makes its money from those toll charges, and the hackers get a cut.
Unfortunately, once a company falls victim to toll fraud, the business has little recourse but to pay for it. Most of the charges are paid to the terminating carrier in the country to where the phone calls were made.
Why is VoIP Vulnerable?
Because VoIP is easy to hack, hackers are quick to break into company telephony systems and commit toll fraud.
Even though the amount of money isn’t as big as it once was, the amount of money hackers can make, both for themselves and the countries that initiate the toll fraud schemes, is still sizable. Given that in 2014, the average cost of a VoIP attack was around $36,000, businesses need to be concerned about toll fraud, because most small businesses are unable to absorb that kind of hit.
Because businesses are likely to consider that now that they have VoIP, they simply get free calling and toll fraud shouldn’t concern them, businesses are more likely to become victims of toll fraud. Because toll fraud operates differently, it becomes all that more imperative for businesses to protect their VoIP systems.
When it comes to deploying security in a virtual environment, some industry professionals draw a blank–or, worse, they think that it’s necessary to replace existing physical security protocols with virtual substitutes. This is not true.
In fact, the best approach to use when viewing virtual security is a logical one. Consider this: A jewelry store owner who expands the physical location or who opens a new facility would not try to use his/her current security force to protect the new location, nor would the owner secure the new location by trying to stretch the current security force between two facilities and simply hope that the depleted resources will cover the need. Both sites need to be secure.
Considering the current, overwhelming surge in virtual as-a-service solutions, knowing how and when to apply virtual security measures like firewalls has become a crucial consideration for businesses. This is especially due to the fact that according to industry specialists, over one-fifth of all VPN (virtual private network) security will be deployed in a virtual format by the end of the year.
Companies already understand the flexibility and cost-saving advantages of moving information and even key infrastructure to the cloud (hence, the rapid growth). That said, virtual security protocols should not be an either/or dilemma; they should be employed in a layered defense. The physical systems already in place should be supported with virtual firewalls—not replaced with them—depending on the level of the workload requirements.
The reasons for this layered defense are abundant. Not only does it secure the virtual aspects of the data system, but the same ease of alteration and on-demand access that is available in a virtual environment is accessible with virtual firewalls. Companies can adjust deployment according to specific needs, which allows them to better control financial commitments.
The issue of deployment confusion has been discussed at length by industry experts. Keeping pace with the rapidly expanding network services available in a virtual environment means finding ways to secure that activity from threats.
Therefore, deployment should depend on the same workload and accessibility requirements that have determined the current physical security measures.
Notably, there are two basic types of virtual firewalls:
- Introspective: This type resides within the hypervisor side of each virtual NIC (network interface card). Although it offers a well-managed way to keep virtual machines protected, it is limited in availability at this time.
- Edge: This is the most common form of virtual firewalls. These reside between two or more virtual portgroups or switches. The beneficial aspect of this type of virtual security is that companies can deploy them at the “edge” of their data center or between trust zones in a cloud environment, depending on their workload and throughput activity.
Rules of the Game
In general, there are three fundamental rules when it comes to adding virtual security services to a network:
- Deploy virtual firewalls to enhance the depth of network safety in conjunction with the physical securities already in place.
- Know the specifications of a virtual firewall. (The specs for physical firewalls are outlined; virtual ones should be outlined, too.)
- Don’t limit virtual security to one type (or breed) of firewall. (Requirements play an essential role in the types and amount of firewall protection needed for a network.)
With the changing environment of virtual services, companies can discover the best means of keeping their networks secure by incorporating virtual security protocols. The investment is well worth it when the risks are considered, and the faster, more adaptive role that these protocols play can make a huge difference in security compliance.
Managing business operations in today’s virtual environment is an ongoing challenge. As more and more customers rely on the global access created through internet options, Voice over Internet Protocol (VoIP) has become a standard technology for many companies due to its incredible features and cost-effective benefits. But the emergence of new technologies also often means an increase in new ways of criminal hacking. Though hackers cannot be prevented 100 percent of the time, companies can certainly neutralize the threat to a great extent.
As so much sensitive information is transposed through Dual-tone Multi-frequency (DTMF) tones, a security breach over a VoIP system can spell disaster in more ways than one.
In fact, almost any business that performs operations through Time-division Multiplexing (TDM) and Internet Protocol (IP)-based voice frameworks through VoIP are susceptible to phone hackers (sometimes referred to as toll fraud). Not only are payments and financial information at risk, but confidential data collected from healthcare providers, engineering companies, and corporate structuring plans (like downsizing or mergers) are also in danger from phone hackers.
Simple. There is just no substitute for the cost-effective benefits of VoIP. And the eruption of VoIP usage has shown up on hacker radar because previously IP-based communication was centralized on local networks, which were typically protected from the public internet. However, that’s ancient history as more and more of VoIP traffic is routed through un-encrypted, public internet services by telephony providers.
It is hardly surprising, therefore, that there are many tools available now which make it simple, easy, and untraceable for hackers to infiltrate confidential phone conversations. Practically anyone with a little bit of tech savvy and basic research can start collecting and storing voice information from external IP networks overnight.
The Best Offense Is a Great Defense
Because of these increased risks, companies must rethink their supplier’s encryption protocols and safety measures. What may have been adequate when the VoIP was incorporated is most likely now out of date.
Here are the top five things to consider when questioning a VoIP supplier about the systems they have in place to combat phone-based cyber-crimes:
- Ask providers about their Session Initiation Protocol (SIP) trunking services. The system should feature automatic deactivation of any components that aren’t secure, as well as encryption capability for all calls.
- Companies that routinely record calls (a necessary quality control procedure for many businesses) must ensure that their telephony system conforms to ISO protection requirements outlined for storing sensitive information.
- For any payments conducted over the phone, companies must adhere to the Payment Card Industry Data Security Standards (PCI DSS). Also, it is vital that the VoIP provider allocates encrypted connections for payment data.
- Find out about Transport Layer Security (TLS) protocols. Protecting client/server applications from tampering or spying between transports is crucial for secure communications.
- Depending on the risk of remote access susceptibility, consider a Distributed Denial of Service (DDOS). This creates a direct access circuit that is only available for designated voice traffic.
The incredible cost benefits of VoIP through external IP networks are great. But knowing the heightened risk of phone hacking through open (or public) network VoIP can help companies prevent devastating breaches in data security by neutralizing the threat of confidential information from being intercepted.