Security training works best if participation is mandated and the training itself is monitored for effectiveness. Quality Assurance/Quality Improvement programs should include required monitoring of security procedures.
An Introduction to Cybersecurity 2016, Version 1.0 – August 2016

Target Hack via Subcontractor’s Credentials

“Last week, Krebs said the hackers snatched the data using credentials stolen from Fazio Mechanical Services Inc., a refrigeration, heating and air conditioning subcontractor that has worked at a number of Target stores… According to multiple sources close to the investigation, “those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers,” Krebs said… Krebs also points out that Fazio did not completely have their guard up against an attack. The company said last week that its security measures are in full compliance with industry practices. But Krebs says Fazio was using a free version of an anti-malware software, which is not intended for corporate use and does not offer real-time protection against threats” [2,11]

Perform Security Audits

Periodic security audits provide the means to ensure that the systems, policies, and procedures devoted to security are effective and that no gaps exist. Security audits may include:
• Attempts to gain network or server access (penetration testing)
• Evaluation of past breaches to determine whether the potential for exploitation has been eliminated
• Attempts to acquire passwords from users
• Checks to verify that security procedures are being followed and security systems are not being bypassed
• Assessment of protection against new types of threats
• At a minimum, quarterly audits of key card access

An effective audit provides a comprehensive assessment of an organization’s security and informs an ongoing process of improvement.

Vendor Access

In today’s environment, virtually all organizations have networks, systems and facilities that rely on outside vendors for service. Vendors might require physical access, dedicated remote network access, network cloud access, or any combination of the three.
When using a vendor, a level of risk is inherent in the relationship. A vendor may be the service division of the product manufacturer (e.g. the Cisco Corporate Support Team supporting Cisco networks and hardware), or a third party that is equipment-agnostic and supports multiple platforms. Before granting system access to a vendor, a thorough screening and contract process should be completed; access policies are normally written into the vendor contract. Risk management should be applied to reduce as much of that risk as practical. A fine line exists between risk to the agency and the level of access the vendor needs to complete its assigned tasks: the vendor should receive the narrowest access that still lets it do the work, for no longer than the work requires. Remote access to the network can be accomplished through a Secure Shell (SSH) tunnel, a Virtual Private Network (VPN), or dedicated
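As an added example that is not part of the original document: a least-privilege configuration for the SSH-tunnel option above, written as a POSIX shell script so that the two fragments can be generated and checked. The bastion host, the vendor account and group names, the HVAC controller address 10.20.30.40:443 and the vendor source range 203.0.113.0/24 are all assumed for illustration; the directives themselves are standard OpenSSH sshd_config and authorized_keys options.

```shell
#!/bin/sh
# Added example (not from the original document): least-privilege SSH tunnel
# access for a vendor account. The group "vendors", the account "fazio-svc",
# the controller 10.20.30.40:443 and the source range 203.0.113.0/24 are
# assumptions for illustration.
#
# Two fragments: an sshd_config Match block that limits vendor accounts to a
# local port-forward toward one host:port, and an authorized_keys line that
# pins the key to the vendor's source range with no shell, PTY, agent or X11
# forwarding.

VENDOR_GROUP="vendors"
TARGET_HOST="10.20.30.40"    # controller the vendor maintains (assumed)
TARGET_PORT="443"
VENDOR_SRC="203.0.113.0/24"  # vendor's fixed egress range (assumed, TEST-NET-3)

# Emit the sshd_config fragment. Vendors may only open a tunnel to the one
# host:port, get no shell or TTY, and cannot forward agent/X11 or expose
# listeners on the bastion.
vendor_sshd_match() {
    cat <<EOF
Match Group ${VENDOR_GROUP}
    AllowTcpForwarding local
    PermitOpen ${TARGET_HOST}:${TARGET_PORT}
    GatewayPorts no
    PermitTunnel no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
    ForceCommand /bin/false
    AuthenticationMethods publickey
    PasswordAuthentication no
EOF
}

# Emit a restricted authorized_keys entry for one vendor key. "restrict"
# turns everything off; "port-forwarding" re-enables only that; "from="
# rejects the key when presented from any other address; "permitopen="
# duplicates the server-side limit in case the Match block is ever edited.
vendor_authorized_key() {
    pubkey="$1"
    printf 'restrict,port-forwarding,from="%s",permitopen="%s:%s" %s\n' \
        "$VENDOR_SRC" "$TARGET_HOST" "$TARGET_PORT" "$pubkey"
}

# Check a generated fragment: every directive that closes off non-tunnel
# access must be present. Returns 0 if all are found, 1 otherwise.
check_restrictions() {
    cfg="$1"
    for needle in "PermitOpen ${TARGET_HOST}:${TARGET_PORT}" \
                  "ForceCommand /bin/false" "PermitTTY no" \
                  "AllowAgentForwarding no" "PasswordAuthentication no"; do
        printf '%s\n' "$cfg" | grep -qF -- "$needle" || return 1
    done
    return 0
}

# Constructed sample public key for the example (not a real credential).
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotRealExampleKeyNotRea vendor@fazio"

vendor_sshd_match
vendor_authorized_key "$SAMPLE_KEY"

# On a host running OpenSSH, confirm the effective settings for the account
# (not executed here because sshd may be absent on the machine running this):
#   sshd -T -C user=fazio-svc | grep -iE 'permitopen|forcecommand|permittty'
```

With this in place the vendor connects with `ssh -N -L 8443:10.20.30.40:443 fazio-svc@bastion` and reaches the controller through the local port; because `ForceCommand /bin/false` ends any session channel immediately, only a no-session (`-N`) tunnel works. Pair the key with an account expiry that matches the contract (for example `chage -E` on Linux) and remove the authorized_keys line when the engagement ends, so the access the Fazio case describes cannot outlive the work it was granted for.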