{"id":14908,"date":"2019-10-11T15:02:19","date_gmt":"2019-10-11T19:02:19","guid":{"rendered":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/?p=14908"},"modified":"2022-10-14T18:27:42","modified_gmt":"2022-10-14T22:27:42","slug":"devsecops-phishing-api-abusesand-more-a-call-to-action-for-holistic-security-and-privacy","status":"publish","type":"post","link":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/devsecops-phishing-api-abusesand-more-a-call-to-action-for-holistic-security-and-privacy.html","title":{"rendered":"DevSecOps, Phishing, API Abuses\u2026and More! A Call to Action for Holistic Security and Privacy"},"content":{"rendered":"\n<p>Guest post by top IT and business transformation analyst <a href=\"https:\/\/next-curve.com\/\">Akshay Sharma<\/a><\/p>\n\n\n\n<p>As digital transformation permeates enterprises, with IoT, POS systems, mobile payment from smartphones, RFID- and NFC-based payment systems, cloud-based solutions, open APIs, software bus middleware solutions, and phishing attacks, we are all exposed to a fast-growing cyber threat landscape that makes personal data increasingly vulnerable to attack, given the generally insecure state of the back-office systems, network infrastructure and connected devices in use today.<\/p>\n\n\n\n<p><em>So What Do We Do?<\/em><\/p>\n\n\n\n<p>As Rich Tehrani recently wrote in <a href=\"https:\/\/www.apextechservices.com\/topics\/articles\/442289-cybersecurity-essentials-every-business.htm\">Cybersecurity Essentials<\/a>:<\/p>\n\n\n\n<p>Initial steps, and the next steps that follow from them, include:<\/p>\n\n\n\n
<ol><li>Have a business continuity plan.<ol><li>Evaluate your IT disaster recovery and service continuity:<ul><li>Are geo-diverse, hybrid multi-clouds in use, and in sync?<\/li><li>Are IT service management (ITSM) tools for IT asset management (ITAM) and IT recovery orchestration tools in place?<\/li><li>Is crisis\/emergency management in place?<\/li><li>Are workflows automated, and if so, can manual fallback procedures take over?<\/li><li>Are the networks resilient, with hitless failover to diverse networks in place?<\/li><li>Are databases and applications resilient, with hitless failover to backup server farms?<\/li><\/ul><\/li><\/ol><\/li><li>Keep computer operating systems and software patched!<ol><li>Ensure holistic version control of networks and applications:<ul><li>Network configuration management alongside DevOps application source code management, with version audits to ensure compliance.<\/li><li>Network policy compliance enforcement alongside document and electronic data record compliance, and workflow\/process compliance.<\/li><li>Network maintenance\/upgrade management alongside DevOps applications for requirements management, test management, and issue and change management.<\/li><li>Can an IT release manager override and overrule a DevOps CI\/CD upgrade? If so, how, and how quickly, with compliance audits in place?<\/li><li>If not, look to DevOps CI\/CD compliance and workflow firms like Kovair.<\/li><\/ul><\/li><\/ol><\/li><li>Understand that every person in an organization is a potential target.<ol><li>Look at phishing prevention solutions like KnowBe4, as well as vendors like ColorTokens, whose embedded agents provide whitelist\/blacklist policy-based controls; potentially blockchain, with its smart contracts, consensus algorithms and encrypted distributed ledgers; and behavioral analytics from vendors like Cybraics, to verify, for rogue employees or anyone impersonating them, the devices they are using, their credentials, their location, their IP address, and the context of what is being accessed.<\/li><\/ol><\/li><li>Ensure social media accounts are private. According to PhoenixNAP, the following is a useful checklist:<ol><li>Start by developing a social media policy.<\/li><li>Don\u2019t advertise company vacation time or any events that will have most senior staff away. This can announce the right time to launch a cyber attack.<\/li><li>Be proactive with network security on all devices and networks. This includes cell phones, and it also means keeping social media off the company\u2019s business network.<\/li><li>Teach employees about social media security threats with consistent training and security awareness programs.<\/li><li>Use social media management software to track company accounts.<\/li><li>Keep personal information private. Hackers are always looking for a way to get personal information that can open the door to gaining account access.<\/li><\/ol><\/li><\/ol>\n\n\n\n
<ul><li>Regularly use <a href=\"http:\/\/www.apextechservices.com\/cybersecurity\/default.aspx#cstraining\">Cybersecurity training<\/a>, ensure compliance, and track employees\u2019 completion through on-line accreditation. Ensure the training teaches:<ul><li>Understanding security threats<\/li><li>Practicing safe computing<\/li><li>Protecting data<\/li><li>Practicing safe remote and mobile computing<\/li><li>Protecting physical security<\/li><\/ul><\/li><\/ul>\n\n\n\n
<ul><li><a href=\"http:\/\/www.apextechservices.com\/cybersecurity\/default.aspx#csauditing\">Auditing and documentation<\/a> must be performed regularly to ensure systems are secure, ideally by trusted third-party auditors. Best practices include:<ul><li>Establish a Chief Security Officer with Board-level reporting, and ensure security reporting through regular audits.<\/li><li>Choose auditors with &#8220;real&#8221; security experience, not just &#8220;checklists&#8221;.<\/li><li>Look to privacy solutions for GDPR and CCPA compliance, not just for customer databases but also for HR databases, payroll systems, IVR\/voicemail systems, and everywhere else personally identifiable information is stored. Vendors include Tehama, Call Cabinet and others.<\/li><\/ul><\/li><li><a href=\"http:\/\/www.apextechservices.com\/cybersecurity\/default.aspx#anomalydetection\">Anomaly detection<\/a> should be running constantly to detect threats as they emerge.<ul><li>Look to vendors like Cybraics and Darktrace.<\/li><\/ul><\/li><li><a href=\"http:\/\/www.apextechservices.com\/cybersecurity\/default.aspx#cspenetration\">Penetration testing<\/a> shows whether systems can easily be reached from the outside.<ul><li>Explore all applications, APIs, and software middleware bus solutions, and ensure policy controls and encryption are in place.<\/li><li>Testing methods and tools to use include:<ul><li>Runtime application self-protection (RASP)<\/li><li>Application security testing (AST) from vendors like CA Veracode, IBM, Micro Focus and others<\/li><li>Next-generation web application firewalls (NGWAF) from providers like Akamai, F5, A10, and others<\/li><li>Secure software middleware bus solutions that are resilient and secure, like Kovair<\/li><\/ul><\/li><\/ul><\/li><\/ul>\n\n\n\n
<p><em>Implications for Business Leaders<\/em><\/p>\n\n\n\n<p>The C-suite of every enterprise has to connect the dots and bridge existing and emerging processes, methods, tools, and education into a holistic security platform that incorporates behavioral analytics and DPI\/DLP (deep packet inspection\/data loss prevention) solutions, with continuous monitoring and reporting in place.<\/p>\n\n\n\n<p>Traditional IT\/CT technology providers will need to venture outside of their silos and work together with enterprise CISOs\/CIOs\/CTOs in designing and deploying innovative new solutions to counter the continuous onslaught of cyberattacks and the newer forms of threat vectors that will accompany the global digital race.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Guest post by top IT and business transformation analyst Akshay Sharma As digital transformation permeates enterprises, with IoT, POS systems, mobile payment from smartphones, RFID- and NFC-based payment systems, cloud-based solutions, open APIs, software bus middleware solutions, and phishing attacks, we are all exposed to a fast-growing cyber threat landscape that makes personal data<\/p>\n","protected":false},"author":44,"featured_media":12072,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[156],"tags":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/14908"}],"collection":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/comments?post=14908"}],"version-history":[{"count":2,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/14908\/revisions"}],"predecessor-version":[{"id":14910,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/14908\/revisions\/14910"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media\/12072"}],"wp:attachment":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media?parent=14908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/categories?post=14908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/tags?post=14908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}