Friday, January 9, 2015

7 Technical Tips for Keeping Your Company's Data Secure

Every other week there is a new high-profile data breach in the media. From Target to Home Depot to iCloud to JPMorgan to Snapchat to the White House—and most recently the devastating attack on Sony Pictures Entertainment—there's always a headline highlighting the loss of data and breach of trust.

But your business doesn't have to be one of them, or to absorb the roughly $3.5 million that the average data breach now costs.

Here are seven practices and products you can adopt today to stay out of the data breach club.

1. Arm yourself for the threats within.

Data risks today don't originate solely from malicious outsiders, even if the headlines suggest otherwise. A recent PwC study found that insider threats and mistakes now pose a bigger challenge to business security than external attacks. That means a business of any size must control not just the data on its storage platforms, but also the data held on employees' and business partners' devices and accounts.

2. Get the lay of the land.

Ask yourself: "What is the most sensitive, confidential data that our business holds, how is it handled, and who has access to it?" Create a spreadsheet matching data types and services to the employees and business associates who can access them. Make sure to include the two most sensitive types of data: customer information and intellectual property.

3. Roles and permissions.

Once you've identified your assets, review each level of access and whether it can be regulated by policy or, better yet, enforced programmatically. An important factor is whether your content management platform gives administrators the depth of control needed to define roles for each specific use case within the company. Keep those roles narrow, so that only authorized staff can read or edit important data.
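Tips 2 and 3 together describe an access review: build the matrix of data types against the people who can reach them, then check whether the roles your platform offers are fine-grained enough. The following is an added example (not part of the original article) that computes that matrix from a constructed inventory. The data types, services, roles, users and the "direct grant" concept are all assumptions made up for illustration; substitute an export from your own directory and applications.

```python
from collections import defaultdict

# Constructed inventory (tip 2): what sensitive data exists and which services hold it.
DATA_INVENTORY = {
    "customer records": {"sensitivity": "high", "services": ["crm"]},
    "product designs": {"sensitivity": "high", "services": ["wiki", "fileshare"]},
    "marketing copy": {"sensitivity": "low", "services": ["wiki"]},
}

# Constructed role definitions (tip 3): what each role may do in each service.
ROLE_PERMISSIONS = {
    "sales": {"crm": {"read", "write"}},
    "engineering": {"wiki": {"read", "write"}, "fileshare": {"read", "write"}},
    "marketing": {"wiki": {"read", "write"}},
    "support": {"crm": {"read"}},
}

USER_ROLES = {"alice": ["sales"], "bob": ["engineering"], "carol": ["marketing"], "dana": ["support"]}

# Assumed: ad hoc grants made outside the role model, the kind an access review should surface.
DIRECT_GRANTS = {"carol": {"fileshare": {"read"}}}


def effective_permissions(user):
    """Union of everything the user can do per service, from roles plus direct grants."""
    perms = defaultdict(set)
    for role in USER_ROLES.get(user, []):
        for service, actions in ROLE_PERMISSIONS.get(role, {}).items():
            perms[service] |= actions
    for service, actions in DIRECT_GRANTS.get(user, {}).items():
        perms[service] |= actions
    return perms


def access_matrix():
    """Data type -> {user: actions}. Access to a data type is access to any service holding it."""
    users = set(USER_ROLES) | set(DIRECT_GRANTS)
    matrix = {data_type: {} for data_type in DATA_INVENTORY}
    for user in sorted(users):
        perms = effective_permissions(user)
        for data_type, info in DATA_INVENTORY.items():
            actions = set()
            for service in info["services"]:
                actions |= perms.get(service, set())
            if actions:
                matrix[data_type][user] = actions
    return matrix


def review_findings():
    """Two things a reviewer wants listed: who can write high-sensitivity data, and
    direct (non-role) grants that touch services holding high-sensitivity data."""
    matrix = access_matrix()
    writers = {}
    for data_type, info in DATA_INVENTORY.items():
        if info["sensitivity"] == "high":
            writers[data_type] = sorted(u for u, a in matrix[data_type].items() if "write" in a)
    direct = []
    for user, grants in sorted(DIRECT_GRANTS.items()):
        for service in sorted(grants):
            for data_type, info in DATA_INVENTORY.items():
                if info["sensitivity"] == "high" and service in info["services"]:
                    direct.append((user, service, data_type))
    return {"high_sensitivity_writers": writers, "direct_grants_on_sensitive_data": direct}


if __name__ == "__main__":
    for data_type, who in access_matrix().items():
        print(data_type, {u: sorted(a) for u, a in who.items()})
    print(review_findings())
```

The interesting row is "product designs": carol's marketing role only needs the wiki for low-sensitivity copy, but because the same wiki also holds product designs, the role grants her write access to intellectual property. That is exactly the case tip 3 warns about: a platform whose roles stop at the service level cannot express the distinction, and the review makes the gap visible before an attacker or a mistake does.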

4. Learn your weaknesses.

Most people reuse the same password across services, including work-related ones. When a big retailer or service provider is breached, there is a very real chance that corporate email addresses and passwords are exposed along with it. The same weakness was behind the recent Dropbox incident, in which usernames and passwords taken from compromised third-party services that integrated with the product were used against millions of Dropbox accounts.

To learn whether this has already happened to you, run your employees' email addresses through a breach-notification service such as Breach Alarm's free tool; such databases are updated as new breaches are published.

5. Passwords hold the key.

To prevent a similar incident, adopt a strong password management policy. Educate employees never to reuse a password across services and to choose stronger passwords (aim for length over variety of characters).

Understandably, this requirement produces passwords that are hard to remember, which strains productivity. If possible, adopt a password management application. They're easy to use, they generate a strong, unique password for each service automatically, and, most importantly, they're secure. LastPass is a leader in this field.
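Tips 4 and 5 make two checkable claims: reuse is the real danger, and length matters more than character variety. Here is an added example (not from the original article) that audits a password-manager export for both. The vault entries are constructed, the 64-bit threshold is an assumed policy value, and the strength estimate is the standard upper bound of length times log2(alphabet size), which assumes characters were chosen at random.

```python
import math
from collections import defaultdict

MIN_BITS = 64  # assumed policy threshold; tune to your own risk appetite


def charset_size(password):
    """Size of the smallest standard alphabet that contains every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size


def entropy_bits(password):
    """Upper-bound strength estimate: each of len(password) characters drawn uniformly
    from the alphabet. Dictionary words make the true figure lower, so treat this as a
    ceiling, not a guarantee."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def audit_vault(entries, min_bits=MIN_BITS):
    """entries: iterable of (service, password). Returns services with weak passwords and
    groups of services sharing one password."""
    by_password = defaultdict(list)
    weak = []
    for service, password in entries:
        by_password[password].append(service)
        if entropy_bits(password) < min_bits:
            weak.append(service)
    reused = [sorted(services) for services in by_password.values() if len(services) > 1]
    return {"weak": weak, "reused": reused}


# Constructed vault export for the demonstration.
SAMPLE_VAULT = [
    ("mail", "Tr0ub4dor&3"),
    ("crm", "Tr0ub4dor&3"),
    ("hr", "correct horse battery staple"),
    ("wiki", "P@ssw0rd!"),
]

if __name__ == "__main__":
    # Length beats variety: 22 lowercase letters outscore 8 characters drawn from all 95.
    print(round(entropy_bits("x7$Kq!2Z"), 1), round(entropy_bits("lavenderchalkrivermoon"), 1))
    print(audit_vault(SAMPLE_VAULT))
```

"Tr0ub4dor&3" passes the strength threshold on paper, yet it is the most dangerous entry in the vault because it unlocks two services at once: one breach of the mail provider hands the attacker the CRM as well. That is why the reuse list deserves attention before the weak list.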

6. Anticipate the next Shellshock.

There is another important reason to stay on top of security news. Within the past year alone, two major vulnerabilities were found lurking in widely used software: Heartbleed and Shellshock. We can safely assume it's only a matter of time until the next one is unearthed, so watch the news for disclosures, especially when software your business runs is affected. Mass exploitation can begin within a week of disclosure, so your business is at risk if you wait around, or worse, do nothing.

7. Do your homework.

When choosing services for your business's workflow, don't trade security for productivity benefits, an easy mistake in today's productivity-and-cloud-crazed environment. Do your due diligence: prefer services recommended by security professionals and by your industry's associations, which often publish guidelines relevant to your market and regulatory environment. Also make sure the services you choose have privacy policies and contractual guarantees that oblige them to inform you when their systems are breached.

Friday, December 26, 2014

Why we need security testing and how we can do it

When is security testing necessary? There are many situations, but the basic ones are listed below. Security testing is necessary when:

  *  There is a corporate network or web application that was never checked for security issues (or was checked a REALLY long time ago).
  *  The system was attacked, successfully or not.
  *  New functionality was added to a product already in use.
  *  The layout of the corporate network changed significantly.
  *  The application was moved from a test environment to a production environment.
  *  The company must comply with industry standards (PCI DSS, HIPAA).

There is actually a very simple way to decide whether you need security testing. If you have "something", and this "something" processes important data and can be reached from the Internet, then security testing is essential. What counts as important data? Everything that has value: users' personal data, payment card information, company bills and invoices. Even if the application doesn't store or process important information, the potential reputation damage should not be underestimated; you wouldn't want someone to hack your website and replace your logo with a competitor's.

Once you have decided that security testing should be performed, you must determine what type of testing to use. If you are starting from scratch, you have a couple of options:

Option #1: Approach a software testing company and say "I have a website/network and want to check its security." The downside is that it can take the testing specialists several days to scope the work, and that time is billed to you.

Option #2 (the one I recommend): Work out your security testing needs on your own, using the following criteria:

    * Define the testing goals.
    * Decide what system data to provide to the analysts.
    * Choose the system entry point (relevant only when testing local networks).

Defining Testing Goals
There are two types of security testing: penetration testing and vulnerability assessment.

The goal of penetration testing is to get into the web application's internal infrastructure, seize control of internal servers or reach the important information. Specialists mimic the actions of real attackers. Cataloguing every defect found along the way is not the main goal; what matters is whether the system, in its current state, can be broken into.

Penetration testing takes less time than vulnerability assessment and evaluates how effective your security measures are in practice. If your primary goal is to discover whether your system can be hacked, penetration testing is the best option.

Vulnerability assessment provides a more comprehensive check of the system. Its main goal is to identify weaknesses and vulnerabilities that could lead to unauthorized access or unwanted disclosure of data. Every defect found is classified by its level of risk and its impact on the overall security of the system. Usually the specialists do not exploit the vulnerabilities they find, though they can if both parties agree to it. Vulnerability assessment takes more time than penetration testing and is often performed to satisfy compliance requirements.

Let's consider a specific case that shows the differences between penetration testing and vulnerability assessment.

Imagine that we have found a bug: the cookie carrying the user's session identifier lacks the HttpOnly flag. Without that flag, script running in the page can read the cookie, so a cross-site scripting attack can steal the session. In a vulnerability assessment this is definitely a defect and belongs in the final report. In a penetration test it counts as a defect only if it actually lets the tester take over an authenticated user's account; if not, it won't appear in the final report.
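The HttpOnly case above is easy to check mechanically, which is how a vulnerability assessment would find it. Here is an added example (not from the original post) that parses Set-Cookie headers and reports session-looking cookies that lack HttpOnly or Secure. The response headers are constructed, and the list of name fragments used to guess which cookies carry sessions is an assumption; real assessments confirm the session cookie by observing the login flow.

```python
import re

# Assumed heuristic: cookie names containing these fragments probably hold a session.
SESSION_NAME_HINTS = ("sess", "sid", "auth")

# Constructed sample: three Set-Cookie headers as they might appear in one HTTP response.
SAMPLE_RESPONSE_HEADERS = [
    "Set-Cookie: JSESSIONID=1a2b3c4d; Path=/",
    "Set-Cookie: csrftoken=xyz789; Path=/; Secure",
    "Set-Cookie: PHPSESSID=9f8e7d6c; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attributes are keyed by lower-cased name; flag attributes such as HttpOnly and
    Secure map to True, valued attributes such as Path map to their string value.
    Accepts the header with or without the leading 'Set-Cookie:' label."""
    if re.match(r"(?i)^\s*set-cookie\s*:", header):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attributes[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attributes


def missing_flags(attributes):
    """Flags a session cookie should carry but this one does not."""
    missing = []
    if "httponly" not in attributes:
        missing.append("HttpOnly")
    if "secure" not in attributes:
        missing.append("Secure")
    return missing


def looks_like_session(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie_headers(headers):
    """One finding per cookie that lacks a flag; cookies with both flags produce none."""
    findings = []
    for header in headers:
        name, _, attributes = parse_set_cookie(header)
        missing = missing_flags(attributes)
        if missing:
            findings.append({
                "cookie": name,
                "missing": missing,
                "session_like": looks_like_session(name),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_RESPONSE_HEADERS):
        severity = "HIGH" if finding["session_like"] else "LOW"
        print(f"[{severity}] {finding['cookie']}: missing {', '.join(finding['missing'])}")
```

This is the vulnerability-assessment view: JSESSIONID is reported regardless of whether an XSS exists anywhere on the site. A penetration tester would take the same observation and go looking for a script-injection point to chain it with; only if the chain yields a live session does it make their report.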

Collecting Data

Next, you must determine what system data to provide to analysts. The provided data will define which testing method will be chosen. There are three options:

    * Black box testing – testers receive no system information except the list of IP addresses or the website link;
    * Grey box testing – testers receive valid accounts and limited system information;
    * White box testing – testers get full information about the system: accounts, network maps, technological specifications, web applications source code, etc.

As you can see, the "whiter" your "box", the more detailed a picture of your system's security you get at the end, but also the more sensitive information you hand to a third party, and the more expensive and time-consuming the work becomes.

System Entry Point
Finally, you must consider the system entry point. This criterion applies only to penetration testing of a local network. There are two options:

    * External penetration test – only external company IP addresses accessible from the Internet are tested;
    * Internal penetration test – the test is performed from inside the corporate network. Testers work on site in the company office or connect through VPN access.

Typically, an internal penetration test is performed to comply with industry standards or to measure resistance to insider attacks (i.e. those carried out by company staff).

By combining the criteria above, you should be able to define the testing approach that best fits your company. For example, if you need a thorough check of your system, choose a combination of vulnerability assessment and white box penetration testing. If the budget is limited, black box penetration testing may make the most sense.

Sunday, July 13, 2014

Tips To Do Before Every Big Presentation

We suggest a few simple things you can do before any big presentation to ensure that it goes smoothly:

1. Set aside any personal interactions until after you're done.

Business professionals should set aside a specific time of day for personal matters, such as discussing with a spouse where to get dinner or when to pick up the kids from school. If that reserved time happens to fall right before an important presentation, reschedule it for later so you aren't distracted.

2. Practice "The Positive of Negative Preparation Principle."

Going into a presentation with a purely optimistic attitude can set you up for failure. Instead, visualize everything that could go wrong during your presentation and have a response prepared for each case.

3. Imagine what will happen at the end of the meeting.

Beyond thinking through the ways your presentation could go wrong, visualize how you will behave the moment you show the last slide. For example, imagine your audience looking convinced by your argument. This will help you end your presentation gracefully.

4. Keep your presentation's intention at the front of your mind.

Before you walk into the conference room or get up on the stage, remind yourself why you are giving the presentation. Ask yourself which questions your audience needs answered so that you can make those points as clearly as possible.

5. Meditate.

Even 30 seconds of meditation before your presentation can have a noticeable impact. Deep breaths through your nose down to your diaphragm, followed by steady exhalation through your mouth, slow your heart rate and oxygenate your blood, reducing anxiety.