Assessing Cyber Security Risk: You Can’t Secure It If…

The Business View – June 2017 / Small Business Corner

Editor’s Note: The Business View asked local cyber security expert Glenda Snodgrass, president and lead consultant at the Net Effect, to pen a series of columns. In the next several issues, she will use case studies to help businesses address their cyber security risks.

At The Net Effect, in the course of working with our clients to improve their security posture, we have come across several common themes that often limit a business’s ability to assess and mitigate cyber security risk. Here’s a look at some of these themes and real world examples of how they apply.

You can’t secure it if…

You don’t know it’s there.

As wireless technology has become more ubiquitous, manufacturers are adding wireless capabilities into devices we don’t typically think of as “computers.” As the price of consumer goods steadily decreases, employees are more likely to provide software or a device on their own, so they won’t have to “bother” the IT staff for something small. If you haven’t already set policies for this in approved situations, then security is often the loser, with rogue devices on the network.

While inspecting a branch office for one client, we discovered a wireless access point that was not previously known to anyone in IT. The device required no password to connect, and encryption was not turned on. We learned that this device had been installed by a sales manager who worked from this office periodically, and wanted wi-fi internet access for his tablet.

He had followed the instructions for configuring it without exposing the local network, but he did not realize that other offices on the corporate Wide Area Network (WAN) would look like Internet addresses to this device. So, while the local PCs weren’t visible to the wi-fi connection, every PC and server at corporate headquarters was exposed, as well as every device at every other branch office.

Another client was surprised recently when we discovered an unknown device on her wireless network – a thermostat. When the vendor was called to explain why this was installed without the owner’s knowledge, he replied that he could no longer purchase commercial-grade thermostats without wireless capability. The wireless option on the thermostat should have been either secured or disabled entirely, but no one knew it was there.

Did you know that snack/drink vending machines often use internet access to track inventory and schedule deliveries? Not long ago, we discovered a soft drink machine on a client’s network. It was installed in a customer waiting area that had been office space prior to a remodel, but the data jack was still connected to a switch on the network, and the vendor’s technician simply plugged in the machine and got a working network address.

Our perception of “computer network” and how to secure it must adapt to these ever-changing circumstances.

There’s a reason that the very first of the 20 CIS controls for effective cyber defense is “inventory of authorized and unauthorized devices.” You can’t secure it if you don’t know it’s there. Device inventory and network diagrams are foundation documents required for compliance with standard security regulations of any industry.

Read more about the CIS controls and how to apply them to your business at www.cisecurity.org/critical-controls.

Snodgrass can be reached at grs@theneteffect.com.

Click here to read The Business View – June 2017