Paying Ransomware Could Lead To Fines

Ransomware has become an all too common problem for businesses. The question of whether a company should pay the ransom to get its information back is a complex one. More statistics are showing that taking a proactive approach to information security will have better results than paying the ransom. Recent statistics do show that a higher percentage of victims are getting their data recovered, but 1/3 of victims still are not. In addition, statistics show that lost work costs a company several times more than the cost of the ransom.

Please read more on what the U.S. Government is asking the public to do, and why they may start fining individuals, or companies, that negotiate with an entity that is already under economic sanctions. 

https://krebsonsecurity.com/2020/10/ransomware-victims-that-pay-up-could-incur-steep-fines-from-uncle-sam



Owner

Travis Ramsey


RSS Krebs on Security

Any opinions or views in the above RSS Feeds belong solely to the author, and may not represent those of any person(s) related to, or employed with VIP Technology Services LLC. Any views or opinions are not meant to malign any group or individual, but is for news and/or entertainment purposes.

 

 

What is Information Security, and why do you need it?

Information Security (InfoSec) is the protection of data and information.  This protection can be while the data is stored, while being transmitted over any given network, or even while being processed within an application.  In addition, the data should maintain a level of confidentiality, integrity, and availability.  Security threats towards this data can come in many forms.  Here we will talk about some common ones, and some newer threats becoming all too common.

External threats are perhaps the most commonly thought-of threats, and there are plenty of examples. The term “hacker(s)” has become the blanket term for anyone that tries to gain unauthorized access to technology. Theft or destruction is not the only reason for hacking, but whatever attack is launched, the hacker is usually looking for some type of monetary gain. One of the most recent external threats is ransomware. This attack uses a software application that encrypts all of the user’s data on a hard drive, and the user then cannot access the data without paying the ransom to get the encryption key. This type of threat is becoming the new normal, as encryption software is becoming more readily available to end users. Also, the data on the respective hard drive is a total loss without the encryption key, so this is a great reason to have backups of all data, and even to have multiple backups at several locations.

Internal threats are thought of less often, as most end users do not understand the cost of data loss unless it happens to them. Some internal threats are targeted, and others are unintentional. Targeted attacks can be carried out by any employee, or ex-employee, that has access to the data with a legitimate user ID/password. This user can then steal the data, or erase the data, and thus the attack is successful. Unintentional threats include a file being accidentally deleted as part of a larger folder cleanup while users are working on files, or a file, or folder, being moved by accident when a mouse is dragged across the screen with errant clicks. Again, having a good backup system in place can help in these scenarios, and having other system functions in place can also assist.

Information Security should be an important part of doing business.  Data can be the most valuable part of some businesses.  Having a backup system in place will help in keeping data secure.  In addition, user training should be a part of Information Security, so that employees can understand the importance of the company data, and how attacks can happen.

 

Travis Ramsey

Owner

 


Information Security Policies and Plans

Information Security is important for any business.  Below, I will discuss some of the policies and plans that businesses should implement.

AUP – Acceptable Use Policy – “An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the Internet” (techtarget.com). More and more companies are making this a part of the employee handbook, because current and new employees need to understand what is acceptable use of the technology, and specifically the internet, that is available to them. There are still employees that abuse the IT resources at their disposal, but having this policy in place gives a company a means to discipline, or prosecute, as needed.

 

ACP – Access Control Plan – “Access control is a security measure which is put in place to regulate the individuals that can view, use, or have access to a restricted environment” (getkisi.com). The environment can be a physical area, or even a technological area such as a computer, server, or other device that would hold data. With physical areas, companies can use door locks, keypads, card readers, or biometric pads to allow a user access. On technology, passwords, key fobs, fingerprint readers, and smartcards can be used. It should be important for all companies to have a formal plan in place, as this allows for enforcement. Three important concepts of the access control plan are: identification, authentication, and authorization.

 

ISP – Information Security Policy – “Information Security Policy (ISP) is a set of rules enacted by an organization to ensure that all users or networks of the IT structure within the organization’s domain abide by the prescriptions regarding the security of data stored digitally within the boundaries the organization stretches its authority” (infosecinstitute.com). This policy should be what all of the other policies and procedures create. There should be an overarching statement that explains what an organization wishes to accomplish in regards to information security. Each policy under this should then define its own area, but still focus on how it will also support the main ISP. The ISP should use the CIA Triad for Information Security to help guide its creation. The characteristics of the CIA Triad of Information Security are: Confidentiality, Integrity, and Availability.

 

IRP – Incident Response Plan – “Incident Response Planning includes the identification of, classification of, and response to an incident” (Whitman “Guide to Firewalls & VPNs” 56). There are four phases to incident response: planning, detection, reaction, and recovery. Incident response is reactive, but because of the planning phase, there should be some part that is proactive. Enough different scenarios should be considered and planned for that a company has answers for future problems. Reacting to and recovering from an incident is just as important, because a company will need to implement the plan and recover from any damage done to data, or another asset.

 

RAP – Risk Assessment Plan – Risk Assessment is “an approach to combining risk identification, risk analysis, and risk evaluation into a single strategy” (Whitman “Management of Information Security” 305). This plan tries to be proactive, as it asks questions to identify any risk that could occur, what the current level of risk is, and what level of risk is acceptable. Managing the risk is an important part of this plan.

 

E/CP – Electronic Communication Policy – The Electronic Communications Policy “provides guidelines for the appropriate use of electronic communications. It covers privacy, confidentiality, and security and is intended to ensure that electronic communications resources are used for appropriate purposes only” (techrepublic.com).  This is similar to the Acceptable Use Policy in that they both guide the usage of IT resources.  This policy is more of an overview for the company’s use of any form of communication: email, phone calls, and instant messaging.  And it further explains what can be done with the communication media by any representative of the company. 

 

DRP – Disaster Recovery Plan – “Disaster Recovery Planning (DRP) entails the preparation for and recovery from a disaster, whether natural or man-made” (Whitman “Management of Information Security” 538). I would have thought that disaster recovery was a recent development, but after some research, it started in the 1970s. The increase in media coverage, whether through news stations or social media, of the major natural disasters that have struck around the world, and the increase in terrorist attacks, have made this planning important to companies. This is more of an overview of all policies that will assist in recovering from a disaster. One part of this is the BCP, which will be explained in the next part. A company should create a plan to lay out the steps agreed upon across all departments that will help recover from any disaster.

 

BCP – Business Continuity Plan – “Business Continuity Planning ensures that critical business functions can continue if a disaster occurs” (Whitman “Management of Information Security” 549). This planning is part of the bigger Disaster Recovery Plan. The plan is specifically meant to make sure that data is protected before a disaster occurs, so that business can continue after a disaster, or incident. One way that this is done is by keeping a backup server off site, or by having a warm site that has a full backup of all servers and data.

 

Works Cited 

Techtarget.com. “Acceptable Use Policy.” https://whatis.techtarget.com/definition/acceptable-use-policy-AUP

Getkisi.com. “Planning Access Control? Here Are Some Examples.” https://www.getkisi.com/guides/access-control-planning-examples

Infosecinstitute.com. “Key Elements of an Information Security Policy.” https://resources.infosecinstitute.com/key-elements-information-security-policy

Whitman, Michael E., Herbert J. Mattord, and Andrew Green. “Guide To Firewalls & VPNs.” Pg 56. Course Technology.

Whitman, Michael E., Herbert J. Mattord. “Management of Information Security.” Pg 305. Cengage.

Techrepublic.com. “Electronic Communications Policy.” https://www.techrepublic.com/resource-library/whitepapers/electronic-communication-policy/

Whitman, Michael E., Herbert J. Mattord. “Management of Information Security.” Pg 538. Cengage.

Whitman, Michael E., Herbert J. Mattord. “Management of Information Security.” Pg 549. Cengage.

 

Owner

Travis Ramsey

 
