• Webcheck Security

The US economy ushered in 2020 with high hopes for a productive new year. No one foresaw that before the end of the first quarter the world would head into lockdown. Companies that had the ability moved to work-from-home models. Many businesses slowed, and yet Zoom and other technologies and industries surged as demand for video calls, toilet paper, and managed service providers (MSPs) skyrocketed.

In this shifted paradigm, how do we protect and secure our system? How do we navigate what is becoming our new normal? Let's take a quick look at the cyber landscape now and then delve into what we need to do to be prepared.

What is happening?

"Any type of world event is used by bad actors as a distraction" - Greg Johnson, CEO, Webcheck Security

In this age of coronavirus, hackers have seen multiple avenues in which to direct their attacks. For example, when Italy began spiking in virus cases, cybercrime spiked as well. Hackers saw a weakness and didn't care that we were sick. No, they will go after us especially when we are vulnerable. Warnings from the FBI tell us that health-related domains are being bought or hijacked by hackers at an alarming rate. COVID-19-themed emails have become the norm as bad actors tempt you to visit sites claiming to have information, when all they really have is malware. "Zoom bombing" has become a new trend, with pornographic content being displayed to embarrass but also as a way to gain credentials. Awareness is a critical issue here. As everyone moves online from remote locations, more attack surfaces open up now that the employees aren't all behind the same managed firewall.

What to do about it

So with these new remote working conditions, how do we ensure a modicum of security? Implementing cyber security best practices for remote workers, along with frameworks such as CIS 20, should be a priority. Here are four simple things we can do to keep our companies safe:

  1. VPN. Have all employees working from home use a VPN. A VPN, or Virtual Private Network, encrypts the data stream from the private user to the company network. This ensures that your company's data is encrypted in transit. These can be employed easily at a relatively low cost.

  2. Password Policy. Have and enforce an adequate password policy. For example, NIST recommends passphrases of more than 7 characters.

  3. Phishing Simulations. Regular phishing exercises or training should be conducted. While the majority of the workforce is now unsupervised at home, they should have the basic knowledge of phishing needed to avoid malware and protect the company's data. Remember: if it's an email you don't recognize, or aren't expecting, DO NOT CLICK. Should you require training, click here for more info.

  4. Vulnerability Scanning. Employ a quarterly vulnerability scan - hackers employ these, so why shouldn't you? Vulnerability scans automatically sweep your site to find the "low-hanging fruit": those vulnerabilities that could easily be exploited. Once these vulnerabilities are found you can fix them before a bad actor can use them against you. Better still, run a penetration test.
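As an added illustration of item 2 (not code from the original post or from Webcheck Security), here is a small password-policy check in the spirit of the NIST guidance the post cites. It assumes that guidance is NIST SP 800-63B, section 5.1.1.2 (minimum 8 characters, no composition rules, reject breached, repetitive/sequential and context-specific passwords), and uses a constructed stand-in blocklist.

```python
"""Password policy check in the spirit of NIST SP 800-63B (added example).

Assumption (not from the original post): the post's "NIST" reference means
SP 800-63B section 5.1.1.2, which asks verifiers to require at least 8
characters, impose no composition rules, and reject passwords found in
breach corpora, repetitive or sequential strings, and context-specific
words such as the user or company name.
"""
import re
from typing import Iterable, List

MIN_LENGTH = 8    # "more than 7 characters"
MAX_LENGTH = 64   # 800-63B asks verifiers to permit at least 64

# Constructed stand-in for a breach-corpus blocklist; a real deployment
# would load a large list from a breach dataset instead.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "welcome1"}


def _is_repetitive_or_sequential(pw: str) -> bool:
    """True for strings like 'aaaaaaaa', '12345678' or 'hgfedcba'."""
    if len(pw) < 2:
        return False
    if len(set(pw)) == 1:
        return True
    diffs = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return diffs <= {1} or diffs <= {-1}


def check_password(pw: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.

    context_words: strings that must not appear in the password, such as
    the username, the company name or the service name.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Normalise whitespace and case before the blocklist compare so trivial
    # variants ("Password", "pass word") do not slip through.
    normalised = re.sub(r"\s+", "", pw).lower()
    if normalised in BLOCKLIST:
        problems.append("found in breached/common-password blocklist")
    if _is_repetitive_or_sequential(pw):
        problems.append("repetitive or sequential characters")
    for word in context_words:
        if word and word.lower() in normalised:
            problems.append(f"contains context-specific word {word!r}")
    return problems
```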

Vulnerability Scanning and Penetration testing

The very best way to ensure you are secure is to run a penetration test. Service providers especially need to employ full penetration tests. While a vulnerability scan sweeps over the first layer, penetration tests are a deep dive into every layer. An ethical hacker uses multiple tools to find weaknesses and then delivers a report carefully documenting the findings. A key part of penetration testing services from Webcheck Security is that it can all be done remotely. There is no need to be onsite for pen tests, and when our engineers need to get behind the firewall, a box can be shipped to the site and simply plugged in, or a VM downloaded from our AWS build site.

Other remote services we offer include PCI and NIST cyber assessments, cyber maturity assessments, fractional information security officer (FISO) services, cyber consulting, social engineering, and more. For a full list of our services, all of which can be done remotely, please visit our services page.

In conclusion, the main focus in these unprecedented times should be to remain aware. As more of our workforce moves online, more attack surfaces are created. Employing best practices and penetration testing can keep your company secure as you navigate a new normal.

To learn more visit the corresponding podcast Remote Cybersecurity in Unprecedented times by Blog Talk Radio.

Larger companies regularly engage companies like Webcheck Security for $20k-$60k or more to perform cyber control gap or maturity assessments, usually against frameworks such as CIS 20, ISO 27001, NIST, or against a limited scope surrounding PCI, HIPAA, or other privacy standards.

That's wonderful - but what about smaller companies? Verizon's annual data breach report has indicated that, for years now, more than 43% of the businesses being attacked are in the SMB category. You hear about the large breaches, but not the small ones (which are just as devastating to SMBs).

Small businesses tend to say, "But we have no servers or infrastructure internally (or very little) and we're not a target." That is, until they have a security incident that rattles the owners. Suddenly they get it: cyber security cannot be an afterthought.

So what is it that Webcheck Security would do for a small business with limited infrastructure? What is the value of paying for an annual assessment and "renting" an information security officer for a few hours every month? Does it cost $20k?

Answering the last question first - no, a small business won't pay $20k for an effective assessment. What then is the actual value of shelling out a few thousand dollars to have a cyber maturity assessment performed?

First, it is important to remember that the in-depth analysis performed in a maturity assessment has less to do with copious infrastructure than with systems of operation, procedures and policies. For example, as our expert proceeds, he or she will be both analyzing and asking questions about:

  • Disaster Recovery Policy

  • Incident Response

  • Business Continuity (intertwined with the former but distinct in purpose)

  • Password management and procedures

  • Storage of PII/PHI/PCI and other critical data and/or intellectual property/proprietary operational data

  • Cyber insurance

  • Security Awareness Training policies

  • Email defense mechanisms

  • Endpoint schema

  • Data Exfiltration possibilities

  • Corporate SaaS access, configuration, including Multi-Factor Authentication

  • Acceptable Use Policies

  • VPN and remote usage

  • Shadow IT

  • Vulnerability scanning - internally and externally

These are just some of the things that would be reviewed for gaps and effectiveness. In many cases a small company may be doing some things right, but there will be many recommendations for "moving the needle"; in other cases there will be significant exploitable policy/procedure gaps, which our practitioners will identify and document in a prioritized manner.

Part of the trick with cyber security is the recognition that it is not just an IT problem to be solved with IT controls, but a combination of policy, procedure and best-practice controls, as well as the application of the right controls in a way that makes sense for your business.

For example, for most small businesses, the practitioner won't be recommending expensive SIEM software and monitoring on a limited budget and infrastructure; rather, many of the improvements or recommendations will be based on a dozen small things that, if done properly, can make a monumental difference in the business' overall cyber hygiene!

Then, post-assessment, the small business can choose to move forward with a monthly information security "rental", in which it will have the advisement to move forward in the right order and the right way, in addition to actual policy-writing assistance. Having a prioritized roadmap to move forward and improve cyber hygiene - which is really about mitigating risk - is a critical exercise for a small business.

In summary, cyber maturity assessments for small and medium businesses are a critical component of risk mitigation. They won't cost an arm and a leg, and the risk-mitigation ROI of the budget spent to obtain a prioritized roadmap can be critical to successful business continuity in the face of ever-increasing cyber threats!

  • Webcheck Security

Updated: Apr 21

Our Free Guide to Validating PCI

You may have heard that PCI compliance is important, but have been putting it off due to confusion. Now you're noticing monthly charges on your provider statement of $25-$60 a month. Following hours of phone calls, you find out you're being charged a non-compliance fee. In fact, they've been charging you for months. Additionally, they may have told you that, if hacked while non-compliant, fines can be hefty! There is a simple way to fix that. We are here to help!

There are literally thousands of businesses in America - merchants and service providers alike - who have no clue how to really succeed in validating PCI, so you aren't alone. Penetration testing and IP vulnerability scanning are often part of that compliance. You may need guidance in understanding which Self-Assessment Questionnaire (SAQ) to pick, how to approach the requirements, and where to go for the services. That's why Webcheck Security exists!

Navigating the world of PCI compliance can seem daunting, but thanks to our helpful guide, we hope it will be much easier to understand. It will give you a brief summary of PCI and how you can begin.

Download this guide HERE for free.

Please contact us as we would love to help you on your journey.

Fill out this form and tell us how we may serve you!