Three ways security policies become a recipe for disaster
Are Your Security Policies A Recipe for Disaster?
Here are three ingredients for a recipe spelling compromised. Three recently published articles outline internal network information assurance risks that can be the recipe for a cybersecurity disaster. Each collective person from these stories counts on the other to do his or her job or not do his or her job, depending on the circumstances and motivation.
Recipe for Disaster: Ingredient 1
The FBI just seized a dark web resource site DeepDotWeb, a site that acted as a conduit between bad actors and points of contact looking to launder money or find the cream of the crop cryptocurrencies and other services. Cryptocurrencies are used by ransomware attackers as money to be paid by the victims to get their networks unlocked or data released. Today when someone goes to the site they see a big, bold FBI Warning banner about the site’s activities. 
In the story, Roman Y. Sannikov, director of analyst on demand at Recorded Future, a threat intelligence firm, stated the site served “as a gateway between the two worlds.”
“They help bring new members and customers to the criminal underground by providing them with links to resources that they would otherwise have a hard time finding,” Sannikov elaborated.
Consider that story in conjunction with the next two stories.
Recipe for Disaster: Ingredient 2
In a story published on the Information Security website, blog.knowb4.com, a report titled, over 80% of All Phishing Attacks Targeted US Organizations, revealed that the United States continues to be a gold mine for phishing attacks based on statistical data from 2018. 
The knowbe4 blog post states that the PhishLabs study showed 84 percent of the total volume of phishing attacks targeted US organizations, “…While in 2017 US organizations were hit by 85% of all phishing attacks launched worldwide and detected by PhishLabs, the 1% decrease in share did not translate into a decrease in overall volume. These events happened because, as PhishLabs’ 2019 Phishing Trends and Intelligence Report states, the total phishing volume increased significantly between 2017 and 2018 by 40,9%, rising “steadily during Q1 of 2018, remained high in Q2 and Q3, and declined in Q4.”
So phishing attacks are on the rise, and the bad news is that the United States has a big fat target all over its network infrastructure. This fact links to another IT Security concern. Security professionals engage in a constant battle for employee education, adhering to policies, procedures and compliance standards. The human error or complacent factor is a significant concern.
Recipe for Disaster: Ingredient 3
An article posted on the website securityboulevard.com stated that human error, not ransomware is healthcare’s biggest risk. The article outlined concerns for the healthcare industry for keeping Personal Identifiable Information and Personal Health Information safe and out of the hands of people intent on doing harm. The concerns outlined should be noted by business organizations, government departments, and other companies with large and small network infrastructures. 
The article expresses a problem many Information Technology security professionals face when new network and job-specific hardware devices and software are bought and installed without consulting security or configuring them properly.
The article further explains, “Compounding the problem is the disconnect between onboarding these devices and the security teams’ participation. Security isn’t often included in the device acquisition or implementation. This opens up the risk of human error, which can take many different forms ranging from poor medical system configuration to absence of audit logs, unauthorized access control or even a lack of processes surrounding the device’s use.”
Poorly configured devices can range from default usernames and passwords to leaving ports open that are not used by the organization or have no network traffic. There are free, open source and commercial Black Hat hacking software programs designed to perform reconnaissance by actively or passively footprinting a network and then perform scanning activities before gaining access.
Policies and best practices such as asset classification, network segmentation, risk analysis and audits should be the standard operating procedure. Employee education classes about phishing emails, opening attachments and how to catch a phishing email address when it appears in your email inbox should be mandatory semiannually or annually. 
With all the education, a security breach takes one busy individual to glance at an address and open just one attachment to send a trojan horse, a worm or worse through a network, creating a mess that can cost money and take days to clean up. Don’t be the ingredient for a recipe serving disaster.
Three articles that can make a network go dark, offline if you will. Keeping network operating takes a lot of maintenance and forethought and adherence to policies and practices.
 “FBI seizes dark web resource site, major facilitator of criminal activity” – By Brooke Crothers | Fox News, May 12th. https://www.foxnews.com/tech/fbi-seizes-dark-web-resource-site-major-facilitator-of-criminal-activity
 “Over 80% of All Phishing Attacks Targeted U.S. Organizations” – KnowBe4, Stu Sjouwerma, April 17th. https://blog.knowbe4.com/over-80-of-all-phishing-attacks-targeted-u.s.-organizations
 “Human Error, Not Ransomware, Health Care’s Biggest Security Threat” – Security Boulevard, Sue Poremba on April 30, 2019 https://securityboulevard.com/2019/04/human-error-not-ransomware-health-cares-biggest-security-threat/
 Information Security Policy Templates https://www.sans.org/security-resources/policies
Chief content and technical writer
Rick Bretz possesses comprehensive experience in several subjects including video editing and production, radio/TV and journalism writing, videography, radio broadcasting, IT Management, Information Security and Assurance. He also works as a Senior Cyber Security Engineer for Vulnerability Management, Service/Infrastructure Operations and Platforms Support for the government. Mr. Bretz also is a documentation and technical writer for the Veteran Administration’s Continuous Readiness in Information Security Program. He also served in the US Army beginning in 1979, graduating from leadership schools and from Journalism, Broadcasting, Newspaper Editing and Public Affairs Supervisor courses. He retired from the Army with many writing and broadcasting awards to accept video production and management positions. He holds a BS degree in Information Technology with a Specialization in Security Assurance from Capella University and has a Security + Certification from CompTIA. Mr. Bretz also writes his own blog on topics that interest him that can be reached at pastparallelpaths.com.