BreachExchange mailing list archives

4 Key ESP Security Areas You Should Be Aware Of In 2015


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 2 Feb 2015 19:05:25 -0700

http://www.business2community.com/tech-gadgets/4-key-esp-security-areas-aware-2015-01138178

Over the past few years we have seen not only an increase in the number of
cyber-attacks, but also a disturbing upward trend in the sheer amount of
data that is stolen. The attacks have also become more destructive: data is
no longer only being stolen, but also wiped.

Just look at these estimated numbers:

- Home Depot – 56 million cardholders affected
- Target – 40 million cardholders and 70 million others affected
- JPMorgan Chase – 76 million households affected
- Sony – 33,000 private files resulting in 47,000 social security numbers,
personal information of employees and contractors, financial data and
feature length movies being stolen

It should go without saying that companies are going to be focused on
security more than ever in 2015. In fact, Gartner has predicted that global
spending on enterprise IT security will reach up to $76 billion this year.

Spending more on intrusion detection and data loss prevention, however,
addresses only part of the problem.

4 Key security areas for 2015

1. Vendor Management

If you use third parties/vendors to manage any part of your IT, make sure
their security controls align with yours. In both the Target and the Home
Depot breaches, the attackers got into the core systems through a
third-party vendor's access (stolen vendor credentials), not through a flaw
in the retailer's own perimeter.

It is not enough for vendors to have security policies on paper; their staff
and contractors must be trained on them and actually follow them.

2. Educating users

Phishing is not only fuelled by stolen data (leaked addresses and personal
details make the lures more convincing); it was also the initial vector in at
least one of the recent major breaches. Target's network was compromised
after an employee at a third-party vendor opened and executed malicious code
delivered by a targeted phishing email.

If you run an email programme, whether for eMarketing, transactional or
eBilling purposes, it is especially important that your customers can tell
your legitimate messages from phishing emails that imitate them.

Tell customers which emails they can expect from you, what those emails will
and will not ask for, and what to look out for when they suspect phishing.
This communication needs to be repeated regularly, as the lures themselves
mature.

3. Technical Controls

Sender authentication with SPF and DKIM is no longer optional, but on its own
it does not stop a forged From: header: SPF checks the envelope (MAIL FROM)
domain and DKIM the signing domain, neither of which the recipient sees. A
published DMARC policy ties both results to the visible From: domain and
tells receiving mail servers to quarantine or reject mail that fails, which
is what actually combats phishing that impersonates your domain.

Learn more about the technical set up of DKIM and SPF

Read more about DMARC:

- Striata to implement DMARC – a new standard for email authentication
- 10 things you should know about DMARC’s battle against email fraud
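
To make the alignment rule concrete, here is an added example (not code from the article or from Striata) that evaluates DMARC for a message given the SPF and DKIM results and the sender's published records. The domains, IP range and DNS TXT records are constructed for illustration; the organizational-domain helper is a deliberate simplification, noted in the code.

```python
"""DMARC alignment evaluation over constructed SPF and DMARC records.

Added example for this list post; not code from the article or any mail
product it mentions. Domains, addresses and DNS records are made up.
"""

# Constructed DNS TXT records for a hypothetical sender domain, example.com.
DNS_TXT = {
    # SPF: only these hosts may use example.com in the SMTP MAIL FROM.
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example.net -all",
    # DMARC: reject unaligned mail at the org domain, quarantine at subdomains,
    # strict DKIM alignment, relaxed SPF alignment, aggregate reports to rua=.
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
        "rua=mailto:dmarc-reports@example.com; pct=100"
    ),
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag/value dict, applying RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Organizational domain. ASSUMPTION: the last two labels. A real receiver
    uses the Public Suffix List; this shortcut is wrong for e.g. example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookup_dmarc(from_domain, dns=DNS_TXT):
    """Policy discovery: the exact _dmarc record first, then the org domain's."""
    for candidate in (from_domain, org_domain(from_domain)):
        txt = dns.get("_dmarc." + candidate.lower())
        if txt:
            return parse_dmarc(txt)
    return None


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    auth, frm = auth_domain.lower(), from_domain.lower()
    return auth == frm if mode == "s" else org_domain(auth) == org_domain(frm)


def evaluate_dmarc(from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, dns=DNS_TXT):
    """Return (dmarc_pass, disposition) for one message.

    spf_result/spf_domain: the SPF verdict and the MAIL FROM domain it was
    evaluated for. dkim_result/dkim_domain: the DKIM verdict and the d= tag of
    the signature. Either mechanism passing AND aligning with the RFC 5322
    From: domain is enough to pass DMARC; passing for some unrelated domain
    counts for nothing, which is the whole point of DMARC.
    """
    record = lookup_dmarc(from_domain, dns)
    if record is None:
        return (None, "none")  # no policy published; receiver applies local rules
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return (True, "none")
    # Failing mail gets p= at the org domain and sp= (if present) at subdomains.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = record.get("sp", record["p"]) if is_subdomain else record["p"]
    # pct= lets a domain phase a policy in; the sampling decision is left to
    # the receiver here, so the published policy is returned as-is.
    return (False, policy)


if __name__ == "__main__":
    # Legitimate bulk mail: bounce domain differs but shares the org (aspf=r).
    print(evaluate_dmarc("example.com", "pass", "bounce.example.com", "pass", "example.com"))
    # Phish: SPF passes for the attacker's own envelope domain, From: is forged.
    print(evaluate_dmarc("example.com", "pass", "phish.example.net", "none", ""))
    # Subdomain sender signed with the org key: adkim=s refuses the relaxed match.
    print(evaluate_dmarc("news.example.com", "fail", "news.example.com", "pass", "example.com"))
```

The second case is the one that matters for phishing: the attacker's mail has a perfectly valid SPF record for its own envelope domain, so an SPF-only check passes, yet DMARC rejects it because nothing authenticated the domain the recipient actually sees. Sending through a third-party ESP works the same way: its DKIM signature only helps if the signing domain aligns with yours, so either delegate a selector under your domain or have the ESP sign as you.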

4. Response Management

The aim is never to have a system compromised, but no system can be
guaranteed secure, so plan for the breach. Prompt communication with
stakeholders, customers included, is imperative after a breach to limit
follow-on attacks: in these incidents, personal data including email
addresses is often among the stolen assets, and it becomes the target list
for the next phishing wave.

Cyber criminals are opportunists. When AirAsia flight QZ8501 went missing
late last year, it took around 24 hours for phishing emails and social media
posts linking to malware to appear in the wild.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 