
Your Cybersecurity and ITSM Questions – Answered!

By | October 10, 2017 in ITSM

Here are the 16 questions posed during a recent “Ask the Experts” webinar about cybersecurity challenges, and a summary of our answers. You can learn more by listening to the webinar.

Cybersecurity & ITSM

On September 27th 2017 I took part in a webinar titled “Your Cybersecurity Challenges in ITSM. Ask the Experts.” The webinar was hosted by Oded Moshe, VP Product at SysAid, and we were also joined by Ian Bugeja, Director of Product Management at GFI Software.

Cybersecurity & ITSM experts

We asked people to send in their cybersecurity questions during the two weeks leading up to the webinar, and then answered them during the event. We also encouraged participants to add more questions during the webinar, and answered those at the end.

The questions that we answered during this webinar varied widely. Some were strategic, others more tactical; some were about people and processes, others were about technology. Overall, I think the webinar offers a great overview of the security issues that IT people are concerned about.

Here are the questions that were asked, and a summary of the answers we gave. If you want to hear more detail, then please listen to the webinar.

Q1. Who should be in charge of IT security?

This was the first question that we answered, and like many of the other questions it does not have a single definitive answer. We discussed the fact that the board of management (or equivalent in public bodies) is ultimately accountable for the security of business assets, but that they will usually delegate the work to many different people in the organization.

Q2. What can we do to protect ourselves from ransomware?

This question gave me an opportunity to introduce the idea of Prevent, Detect and Correct. When you are thinking about security, you need to think in terms of preventing incidents from happening where you can, but you also need to be good at detecting incidents and recovering from them. For ransomware, this means that you need to:

  • Keep all your security patches up to date. The time from when a patch is released to when you are likely to be attacked using that vulnerability keeps getting shorter, so you can’t afford to wait weeks before installing security patches.
  • Use end-point security software to protect your devices and to detect breaches.
  • Train your people to be part of your defenses.
  • Keep regular offline backups so you can recover when you need to.

Q3. How can we keep patches up to date when we have so many applications that need testing?

What’s important here is to remember that while you do need to think about the risk that the patch will introduce, you also need to weigh it against the risk of running unpatched software. It may be better to put the patch in with little or no testing than to risk being breached through a known vulnerability. There may be a small number of critical business applications that need thorough testing, but for most systems it is probably better to patch first and fix any issues afterwards.
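One way to turn the advice in Q2 and Q3 into something you can measure is a patch-lag report: for each system, how many days a released patch has been outstanding, judged against a window that is short for ordinary systems and longer only for the few critical applications that need testing. The following Python is an added example, not from the webinar or from SysAid or GFI; the inventory records, patch identifier, tiers and day limits are all constructed for illustration.

```python
from datetime import date

# Constructed inventory (not real hosts or patches): one record per host/patch pair.
# "installed" is None while the patch is still outstanding.
INVENTORY = [
    {"host": "fileserver01", "patch": "KB-EXAMPLE-001", "tier": "standard",
     "released": date(2017, 9, 12), "installed": None},
    {"host": "erp-db01", "patch": "KB-EXAMPLE-001", "tier": "critical",
     "released": date(2017, 9, 25), "installed": None},
    {"host": "laptop-042", "patch": "KB-EXAMPLE-001", "tier": "standard",
     "released": date(2017, 9, 12), "installed": date(2017, 9, 14)},
    {"host": "web01", "patch": "KB-EXAMPLE-002", "tier": "standard",
     "released": date(2017, 10, 5), "installed": None},
]

# Assumed policy (hypothetical numbers): most systems patch first and fix later,
# so they get a short window; a small set of critical applications that need
# thorough testing get a longer one.
MAX_DAYS = {"standard": 7, "critical": 21}

# Reporting date used by the demonstration; the test uses it too.
AS_OF = date(2017, 10, 10)


def days_unpatched(record, today):
    """Days between patch release and installation (or until today if still missing)."""
    end = record["installed"] if record["installed"] is not None else today
    return (end - record["released"]).days


def overdue_patches(inventory, today):
    """Return (host, patch, lag_days) for every outstanding patch past its tier's window,
    worst lag first."""
    overdue = []
    for rec in inventory:
        if rec["installed"] is not None:
            continue  # already applied; nothing to chase
        lag = days_unpatched(rec, today)
        if lag > MAX_DAYS[rec["tier"]]:
            overdue.append((rec["host"], rec["patch"], lag))
    return sorted(overdue, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for host, patch, lag in overdue_patches(INVENTORY, AS_OF):
        print(f"{host}: {patch} outstanding for {lag} days")
```

Run as-is, the report flags only fileserver01: the critical ERP database is still inside its 21-day testing window, the laptop was patched within two days, and web01's patch is only five days old. Feeding it a real inventory export is the obvious next step; the point of the example is that the "patch first, test a few" trade-off becomes a number you can track rather than a judgement made host by host.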

Q4. Locking down Industrial Control Systems, are data diodes the way to go?

This question surprised me. Data diodes are network components that only allow data to flow one way, and their use is so uncommon that many IT people will not have heard of them. We talked about how data diodes might, for example, be an appropriate technical control for organizations trying to monitor an industrial control system remotely. However, they would not provide all the security required.

Q5. Our production systems aren’t connected to the internet, so we don’t worry too much about patches and anti-virus. Is there anything we need to be concerned about?

This question followed on from the previous one. Many people mistakenly believe that malware only arrives over a direct internet connection. Malware can propagate on your internal network to systems that have no direct internet connection, and even via USB sticks and other media that involve no network connectivity at all. You need to install patches and end-point protection on all computers.

Q6. I’ve heard about GDPR, but since we’re not in Europe I assume that it doesn’t affect me. Is that right?

GDPR is a huge topic, much more than we could cover in a general security webinar, or one short blog. The simple answer to this question is YES, you do need to be concerned about GDPR if you store or process any personal data about any EU citizen. You have until May 2018 to get ready, and it could take a lot of work. If you haven’t started yet, then it is now urgent.

Q7. What is the best way to begin implementation of a disaster response plan?

I talked about the importance of story-telling. You need to think about your business, and what it depends on, and what could go wrong. Discuss potential failure scenarios with all the different stakeholders and think about what you could do to recover from them. Turn the results into plans, and once you have the plans in place rehearse them. During a real crisis, people will do the wrong things unless they have rehearsed often enough to do the right things automatically. That’s why most offices run regular fire drills, so that people can practice leaving the building in an emergency.

Q8. How to deflect DDOS?

We discussed some recent attacks where Internet of Things (IoT) devices have been involved in DDoS attacks, which I summarized by saying, “Once the light bulbs and the toasters are attacking the server, you know you’re in trouble.” The short answer to the question is that if you don’t already know how to deflect DDoS then you almost certainly don’t have the capability. You have to buy a DDoS protection service from a network service provider.

Q9. Is my data safe in the cloud, or should I keep everything in my own data center?

Everyone on the panel agreed that cloud service providers are generally much better at providing secure infrastructure than most internal data centers. You need to select a reputable service provider, and then build up a trust relationship with them. There are still risks, but there are risks with internal data centers and staff too. We also discussed the fact that your data may not all need the same protection; you need to classify your data and think about the best way to manage each category of data you hold.

If you watch the webinar you will see that this is a very brief summary of a much longer question about VPN services and cloud service providers.

Q10. Any tips about how to leverage SysAid for accomplishing a robust Patch Management strategy?

Oded answered this question, explaining how SysAid Patch Management uses policies to control the release of patches so that they can be rolled out to various categories of computers in a controlled way. Ian talked about the importance of patching applications, as well as operating systems.

Q11. In the event of a security breach where the potential for confidential data is accessed, what are your best practices for mitigation and putting your customers’ minds at ease?

This brought us back to GDPR, which requires organizations to report a significant breach within 72 hours of detection, with failure to do this attracting punitive fines. This means that you must understand what happened, who might be affected, how serious it is, and what you are doing about it; and be able to communicate this to the regulator and to any other affected people very quickly. I told a story about one organization where the head of the crisis management team was a marketing manager who understood the power of honesty and transparency. Because of this, the organization suffered very little loss after a significant data breach.

Q12. What kind of virus could be detected and the "shield" will detect the way in which generated this attack?

We weren’t completely sure what the person asking this question wanted to know, but Ian discussed polymorphic viruses, and how modern anti-virus software can detect and block these, even though the virus code keeps changing.

Q13. We host an RDS-based solution. How concerned should we be about the strength or vulnerabilities of SSL?

Oded talked about the specifics of the SysAid Remote Discovery Service (RDS), and described some of the many security features built into this. I talked about the SSL protocol and suggested that TLS 1.2 is much more secure than SSL, and people should migrate where they can.
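The migration advice above is easy to state and easy to get wrong in configuration, so here is an added Python example (mine, not from the webinar, SysAid or GFI) using only the standard `ssl` module. It builds a client-side TLS context that refuses anything below TLS 1.2, places the weak setting beside it for comparison, and includes a small audit function that reports which legacy protocol versions a context would still negotiate. The function names are hypothetical; the protocol floor of TLS 1.2 follows the advice in the text.

```python
import ssl
from typing import List

# Protocol versions the advice above says to move away from: SSL and the
# TLS releases that predate TLS 1.2.
LEGACY_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses any handshake below TLS 1.2 (the corrected setting)."""
    ctx = ssl.create_default_context()  # certificate and hostname verification stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Client context that still accepts TLS 1.0 (the weak setting, shown for comparison)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # lets TLS 1.0 and 1.1 be negotiated
    return ctx


def legacy_versions_allowed(ctx: ssl.SSLContext) -> List[str]:
    """Names of the legacy protocol versions this context would still negotiate."""
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        # No floor configured: whatever the linked OpenSSL supports is on the table.
        return [v.name for v in LEGACY_VERSIONS]
    return [v.name for v in LEGACY_VERSIONS if v.value >= floor.value]


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings a reviewer checks before trusting a client context."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "legacy_versions_allowed": legacy_versions_allowed(ctx),
        "verifies_certificates": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_client_context())):
        print(label, audit(ctx))
```

The audit deliberately reads the context's own `minimum_version` rather than trusting the code that built it, which is the check to run against any library or application that hands you a pre-built context. The same `minimum_version` setting applies to a server context created with `ssl.PROTOCOL_TLS_SERVER`, which is the side an RDS-style service would be hardening.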

Q14. How can GFI LanGuard protect from DDoS? Ransomware?

Ian explained that protection from DDoS requires a network service, rather than GFI software, but a good patching utility can help to ensure that patches are up to date, which limits the risk of ransomware, and a good AV solution can help to detect ransomware attacks and block them.

Q15. My company is migrating some mail to Office 365 (Cloud) - how secure and robust is it?

Office 365 is probably more secure than what you can provide out of your own data center, but that depends on the nature of your organization.

Q16. Is there a template or guideline so I can get a process (risk management) in place? Guidelines? Something to get this task in place?

Indeed there is, and I was a bit cheeky answering this question, as I suggested that people read RESILIA™: Cyber Resilience Best Practice, for which I was the lead author.

In Conclusion

Information security covers a huge range of topics, and people clearly need a forum where they can ask questions and get helpful answers. I was very pleased that SysAid invited me to help out on this webinar, and I think that we provided a lot of helpful information.

For me the most important thing is to maintain a balance. Don’t let information security stop you from working, but do think about the risks and how you can best manage them.

Please do listen to the webinar and see what you can learn from it, and let us know what you think in the comments section below.

Stuart Rance

About Stuart Rance

Stuart is an ITSM and security consultant, trainer, and author who has worked with clients in many countries, helping them create business value for themselves and their customers. He was the author of the 2011 edition of ITIL® Service Transition and lead author of RESILIA™ Cyber Resilience best practice published in June 2015. Now that his children have all left home, he has plenty of time on his hands for contributing to our blog - lucky us!
