NCMS Society Holds Quarterly Business Meeting at Cisco Systems

Posted on 29, May | Posted by RMA

The NCMS Society of Industrial Security Professionals Carolina Chapter held its quarterly business meeting at Cisco Systems in Research Triangle Park on May 29, 2015. Christine Peterson, CPP, ISP and founding member of the chapter, attended the meeting, which focused on Information Systems Security.

Mark Whitteker, MSIA, CISSP, ISP, the Manager of Government Security & IT Services, was the lead speaker at the daylong event. Drawing on his extensive experience in IT infrastructure, security, and classified environments, Mark spoke to the attending members about IT security awareness, building a comprehensive security architecture framework, NIS and DFARS compliance, and lessons learned. The program was geared to companies with facility security clearances, but many of the concepts were applicable to all security professionals and especially IT security professionals.

Data Security: Where there is data, there should be policy

Posted on 30, Mar | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

The recent report by the Wall Street Journal about the Morgan Stanley breach scares me as an employee. Reportedly Galen Marsh, a financial adviser for Morgan Stanley, was fired for allegedly stealing account information from about 350,000 wealth management clients and posting some of it online. The part that concerns me is the reports that federal law enforcement officials are focusing their probe on the possibility that Marsh’s computer was hacked. (Full story here.)

I have not reviewed the full report, nor have I looked deeply into the incident. My attention was drawn to the consequences that befell Mr. Marsh and the slim possibility that he did nothing wrong. It seems that in this day of BYOD – Bring Your Own Device – and the use of laptops and mobile devices by employees, it is time for there to be a clear understanding about the company’s responsibilities and the individual employee’s responsibilities. This is not to suggest that an employee’s first question should be “Will I get fired if this laptop is hacked and company data is stolen?” when presented with a company laptop. There should be a clear understanding between the company and the employee of what is expected of each as it relates to the security and control of any electronic device that contains company data.

The foundation of this understanding begins with a good company policy. A policy should be specific regarding the proper use of electronic devices. A policy should also indicate who is responsible for areas such as email security, data security, acceptable use, and physical security of the device. A policy should be a living document. An electronic device policy that covers laptops should be reviewed at a minimum once a year. Policies should be flexible. Some employees may take a laptop home and some may not.

Companies should give employees a chance to review policy before they sign it and allow them to ask questions. I suspect Morgan Stanley utilizes policies that cover the use of laptops by employees for work purposes. I doubt the employee thought he would get fired if the laptop was hacked and client data was exposed. What if the employee were a CFO or CEO?

There is most likely a lot more to this story than has been made public, but the heart of the matter is, as an employee, make sure you are fully aware of what the company expects as it relates to the use of company data and company provided electronic devices.

Rusty Gilmore Speaks at the ASIS Monthly meeting

Posted on 28, Jan | Posted by RMA

On Wednesday, January 21, 2015, the local chapter of ASIS International, Chapter 119, held its monthly meeting at the PNC Center in Raleigh, NC. Rusty Gilmore was the guest speaker. Rusty gave a presentation on Computer and Network Vulnerabilities: Steps to Protecting Your Systems and Data.

Rusty Gilmore presents at the ProNet Systems Executive Briefing 2014

Posted on 17, Dec | Posted by RMA

ProNet Systems hosted their annual Executive Briefing on December 9th at the City Club in Raleigh, NC. The event was titled “Keeping up with Security Trends and Technologies.” Some of the key speakers included:

  • Alan Jelley, ProNet Systems, Inc. – New Technology Advancements and Trends
  • Nathan Schroeder, Focus Sales; Ryan Bach, Avigilon – Totally Integrated Access & High Resolution Video
  • Rusty Gilmore, Computer Forensic Consultant, Risk Management Consultants – Hacking and Computer Security 101
  • Lou Tunno, HID – Latest Credential and Biometric Development: The Smart Phone as a Credential
  • Nathan Schroeder, Focus Sales; Ryan Bach, Avigilon – Advances in High Definition Video and Video Analytics

Dana Frentz and Emily Liner of RMA attended the ProNet Systems seminar.

Security Suggestions – The Cloud and Your Data

Posted on 1, Oct | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

I am often asked to discuss IT and data security as it relates to storing data on the Cloud. Nine out of ten times I am asked two inevitable questions: “What is the Cloud?” and “Where is the Cloud?” Hopefully I will answer these questions as I discuss ways to keep your data secure on the Cloud.

There are a number of services that allow you to store data on their servers. Examples of these for an individual or a small business are Dropbox, Sharefile, Google Mail, iCloud, Google Drive, Office 365, and many more. These services quite often are automatically connected to you by your smartphone, iPhone, laptop and/or your desktop computer once you initially login. Think about using your phone – you don’t have to type in a password to get your Gmail each time. As long as you can access the email app on your phone, you’re in. This is because you have instructed the app to trust your smartphone as a conduit to get your Gmail. This goes for almost any mail account you access from your device.

Go one step further and consider that you may have an account with Dropbox, Office 365, or Sharefile. The same concept applies – you have instructed the app to trust your smartphone as a conduit. To make matters worse, if you have these accounts available on your laptop or desktop they too are accessible without typing in a password once you have initially logged in. This is most often the case because we have instructed the app to remember our password.

Now that we understand – to just a small degree – what the Cloud is as it relates to most users and what as individuals we may have on the Cloud, let’s discuss how to keep it secure. First, don’t store sensitive information in the Cloud. I am not talking about using the online version of TurboTax, for example. I am referring to storing birth certificates, passports, and other scanned documents with sensitive information. There is nothing wrong with a safe deposit box for items like these.

Don’t use the same password for every account, and change passwords regularly. I believe that password security is such an important issue I could write an entire topic on it. By using the same password for email, banking, computer login, online purchases, social media sites, and other activities, you jeopardize the security of all of your accounts if just one gets hacked. Hackers are smart enough to know that if your password to “website.com” is 12345678 and your user name to “website.com” is user@gmail.com, they will try to log in to the Gmail account with the password they have uncovered. You should choose a random password and change it at least every 90 days if not sooner.

Consider reading the terms of service or user agreements to find out how the service works. This is very important if you intend to take advantage of a free 30-day trial. It is possible you will not have access to the data after 30 days without paying for the service. Think about encrypting your data or utilizing a service that includes encryption with data storage.

These are just a few suggestions for securing your data on the Cloud, and this is only a starting point. I am not suggesting that no one should use the Cloud for storing data. For the most part, everyone who uses a computer, smartphone, or tablet is using the Cloud already. The Cloud can be an efficient way to centralize and share data with authorized users. I am suggesting you use it wisely, securely, and with the knowledge that you have done everything possible to protect the data you put on the Cloud.

Security Assessment at Appalachian State University

Posted on 30, May | Posted by RMA

The specific objective of this project was to provide the University with a “snapshot” of the existing security program in place at the BB Dougherty Administration Building, any gaps in the program, and potential responses to the gaps identified. Security policy, procedures, systems and organization were examined for level of technology, appropriate application, and the efficiency and effectiveness of deployment. Consultants prepared specific recommendations to address the deficiencies or gaps identified. Recommendations addressed each threat/vulnerability in a practical and pragmatic manner.

Appalachian State University is nestled in the Blue Ridge Mountains of North Carolina. Appalachian State University offers a challenging academic environment, energetic campus life and breathtaking location. Appalachian combines the best attributes of a small liberal arts college with those of a large research university. Known for its value and affordability, Appalachian enrolls about 17,000 students and offers more than 150 undergraduate and graduate majors. Small classes and close interactions between faculty and students create a strong sense of community, which has become an Appalachian hallmark. Appalachian, located in Boone, N.C., is one of 16 universities in the University of North Carolina system.

Dana Frentz Attends IAHSS Annual General Meeting

Posted on 23, May | Posted by RMA

Dana Frentz attended the 46th IAHSS Annual General Meeting in San Diego, CA, May 18, 2014, through May 21, 2014. The meeting was held at The Hyatt La Jolla.

Speakers and topics included:

  • Keynote: Chris Van Gorder – Security Officer to Present Day CEO
  • Russell Jones, PhD, CPP, CHPA – If Disney Ran Your Security Department
  • William Koffel, P.E., FSEPE – What Is the Impact of NFPA 101-2012?
  • Donna Palomba – Jane Doe No More
  • Ben Scaglione, CPP, CHPA – How the Affordable Care Act Has Changed Security
  • Howard Adams, PhD – Building High Performing Work Teams
  • Howard Adams, PhD – Strategic Project Planning: Vision to Execution
  • William Richter, RN – Active Shooters in the Healthcare Setting
  • Martin Williams – Conducted Electrical Weapons (CEWs) Within a Comprehensive Use of Force Model
  • Kevin Tuohey – Facility Design and the Security Role
  • Jeffery Young, CHPA – Consolidation: Security’s Contribution to Sustainable Healthcare Costs
  • Roger Sheets, CHPA and Rocky Prosser – Managing Prisoners in a Healthcare Environment

The International Association for Healthcare Security and Safety, or IAHSS for short, is the only organization solely dedicated to professionals involved in managing and directing security and safety programs in healthcare institutions. IAHSS is comprised of security, law enforcement and safety individuals dedicated to the protection of healthcare facilities worldwide. IAHSS strives to combine public safety officer training with staff training, policies and technology to achieve the most secure hospital environments possible. Additionally, the IAHSS partners with government agencies and other organizations representing risk managers, emergency managers, engineers, architects, nurses, doctors and other healthcare stakeholders to further patient security and safety.

Held Hostage by a Dishonest Employee

Posted on 16, Sep | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

I recently was involved in a case in which a company employee was discovered using a company credit card for personal reasons. This happens occasionally, and one would think that immediately terminating the employee would resolve the issue. But what happens when the employee is the one and only IT person for the company?

Many companies have only one person to manage all of their IT needs. There is nothing wrong with this. Considering that 99.7 percent of U.S. employer firms are small businesses (http://www.sba.gov/sites/default/files/FAQ_Sept_2012.pdf), having a sole IT person may be very common. The problem with this situation is the lack of oversight and management of the IT person by company executives and owners. What are the consequences caused by this scenario? How can companies and organizations prevent the backlash experienced when a single person has the “keys to the kingdom”?

This issue can occur in any business with a small IT staff. This particular case involved an employee who had been with the company for eight years. In that time, the employee came to be the only person who dealt with all IT issues. He managed the website, the phone system, the internet service, all servers, all workstations, the data connections for multiple facilities – you get the point. The employee could have brought the company to a standstill for several days, if not several weeks, had he wanted to do so. It was not until deciding that he needed to be fired that someone finally asked the question “What does he do, and can we do it without him?” The answer was, “No.”

In this case, the employee was being terminated for cause. What if he had been hit by a bus? The company would still be in the same position. The only option left for the company was to hire someone to come in and inventory the network to help them prepare for the employee’s termination. This involved hundreds of man-hours. Fortunately, the transition was successful and the company lost no production time.

There are several steps that can be taken to prevent this from occurring in your business. The person responsible for a company’s IT needs should document everything and provide this documentation to management or ownership in a reviewable format on a regular basis. This document should be considered a living document, and any time there is a network change or system change, the document should be edited to reflect the change. The document should include but not be limited to:

  • A list of service providers and all information needed to contact each service provider for support or changes. This includes the Internet service provider, phone service provider, web hosting company, cell phone provider, cloud services, or any other service provider used by the company.
  • Administrator passwords. These can be sealed in an envelope and/or put in a safe.
  • Device passwords and configuration. Think about firewalls, switches, wireless routers, and other equipment.
  • Software passwords and configurations. The IT administrator may be the only person aware of specialized software used in the office that requires specialized configuration or passwords. Make sure this information is documented and available to company executives.
  • Procedures for backing up and restoring systems.
  • A “What if…” document. This document would include instructions on how to deal with and recover from system outages, power outages, or other unique IT failures.

Depending on your network, the information needed in this document will differ. The best way to determine what you may need to document is to sit back and think of the problems created if your IT person were gone. What questions would you have? The document should answer all of these questions. It is also important to make the person responsible aware that this document is a “Continuity of Operations” document. There are many reasons why an IT employee may not be able to come to work, but their absence should not disable any part of the IT infrastructure.

It is also critical to make sure there are two people on the point-of-contact list with all service providers. The second person on the list should be an owner or executive of the company. If the IT person should be unable to perform his or her duties for any reason, the executive or owner of the company can call the service provider and make necessary changes without jumping through a lot of hoops to gain ownership of the service.

Finally, have a third party review this information at least once a year. That third party could be an outside consultant or even a current employee with knowledge of the network and need for business continuity. An outside consultant has the advantage of being objective when looking at an environment and utilizing their experience to help direct and drive a “Continuity Plan” that will protect the company in the event of any number of unexpected events.

RMA Presents Bring-Your-Own-Device Policies at RTP CFO Forum

Posted on 6, Sep | Posted by RMA

Chris Peterson and Russell W. Gilmore (http://www.rmasecurity.com/about-rma/team-profiles/russell-w-gilmore/) presented BYOD (Bring Your Own Device): Issues and Implications for Companies at the September RTP CFO Forum. The program discussed security issues and considerations for companies when employees connect personal devices to the company network. What issues need to be considered to accommodate lawsuits, audits, and records requests? How can companies prepare for lost or stolen devices? What steps can and should be taken when terminating employees?

The RTP CFO Forum serves the greater Raleigh, Durham and Chapel Hill region, supporting over 200 senior financial executives. The Forum is designed to provide interactive networking and discussion of technical and strategic topics in an environment created exclusively for senior-level peers. CPE is provided on select topics.

The RTP CFO Forum is scheduled for the first Friday of every month, from 7:30 AM to 9:00 AM. Attendance is limited to CFOs or senior financial professionals in similar positions. The RTP CFO Forum is sponsored by Hughes Pittman & Gupton, LLP.

Stealing on the Way Out

Posted on 12, Aug | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

Having to terminate an employee is never easy. To make the process even more difficult, consider the recent survey conducted by Harris Interactive on behalf of Courion which stated that 19% of employees age 18 to 34 would take company data with them if they knew they were about to be fired. Read the full story here.

Depending on the employee’s position at the company, the termination process could be quite cumbersome. Before terminating an employee, it is good to think about their role in the company and what they have access to or control over. Each situation is different and should not be handled in a cookie-cutter fashion. Terminating the IT manager will involve different issues than terminating a sales person.

What steps can you take to minimize risk? Strong policies and procedures are a good starting point. If an employee knows that severe repercussions may result for data theft, he or she may decide against the theft.

As we’ve said before, there are opportunities for companies to preserve data and protect themselves prior to the termination process or as part of the termination procedure itself (When Employees Leave Data Should Stay). When it is evident that an employee must be terminated, steps should be taken to image the computer or devices used by the employee, even if a future computer forensic analysis is not needed. It may even be beneficial to image the computer prior to termination and again after termination. I have often been called to recover data deleted by an employee after they have learned of their impending termination.

As a consultant, I have assisted in a number of terminations, and they are all different. Proper preparation and forethought will not only benefit the company but protect the employee as well.
