Alagen is more than a company. We’re a family. And on August 16, this family turned 10! It’s a significant milestone made especially meaningful by all the talented employees, reliable contractors, valued partners, and cherished clients who contributed to the journey and have been essential in making us who we are today. Here are some
Viewing posts by Day: August 16, 2020
Popular Articles
object(WP_Query)#3696 (52) {
["query"]=>
array(6) {
["posts_per_page"]=>
int(3)
["meta_key"]=>
string(23) "alagen_post_views_count"
["orderby"]=>
string(14) "meta_value_num"
["order"]=>
string(4) "DESC"
["post_type"]=>
string(4) "post"
["post_status"]=>
string(9) "published"
}
["query_vars"]=>
array(65) {
["posts_per_page"]=>
int(3)
["meta_key"]=>
string(23) "alagen_post_views_count"
["orderby"]=>
string(14) "meta_value_num"
["order"]=>
string(4) "DESC"
["post_type"]=>
string(4) "post"
["post_status"]=>
string(9) "published"
["error"]=>
string(0) ""
["m"]=>
string(0) ""
["p"]=>
int(0)
["post_parent"]=>
string(0) ""
["subpost"]=>
string(0) ""
["subpost_id"]=>
string(0) ""
["attachment"]=>
string(0) ""
["attachment_id"]=>
int(0)
["name"]=>
string(0) ""
["pagename"]=>
string(0) ""
["page_id"]=>
int(0)
["second"]=>
string(0) ""
["minute"]=>
string(0) ""
["hour"]=>
string(0) ""
["day"]=>
int(0)
["monthnum"]=>
int(0)
["year"]=>
int(0)
["w"]=>
int(0)
["category_name"]=>
string(0) ""
["tag"]=>
string(0) ""
["cat"]=>
string(0) ""
["tag_id"]=>
string(0) ""
["author"]=>
string(0) ""
["author_name"]=>
string(0) ""
["feed"]=>
string(0) ""
["tb"]=>
string(0) ""
["paged"]=>
int(0)
["meta_value"]=>
string(0) ""
["preview"]=>
string(0) ""
["s"]=>
string(0) ""
["sentence"]=>
string(0) ""
["title"]=>
string(0) ""
["fields"]=>
string(0) ""
["menu_order"]=>
string(0) ""
["embed"]=>
string(0) ""
["category__in"]=>
array(0) {
}
["category__not_in"]=>
array(0) {
}
["category__and"]=>
array(0) {
}
["post__in"]=>
array(0) {
}
["post__not_in"]=>
array(0) {
}
["post_name__in"]=>
array(0) {
}
["tag__in"]=>
array(0) {
}
["tag__not_in"]=>
array(0) {
}
["tag__and"]=>
array(0) {
}
["tag_slug__in"]=>
array(0) {
}
["tag_slug__and"]=>
array(0) {
}
["post_parent__in"]=>
array(0) {
}
["post_parent__not_in"]=>
array(0) {
}
["author__in"]=>
array(0) {
}
["author__not_in"]=>
array(0) {
}
["ignore_sticky_posts"]=>
bool(false)
["suppress_filters"]=>
bool(false)
["cache_results"]=>
bool(true)
["update_post_term_cache"]=>
bool(true)
["lazy_load_term_meta"]=>
bool(true)
["update_post_meta_cache"]=>
bool(true)
["nopaging"]=>
bool(false)
["comments_per_page"]=>
string(2) "20"
["no_found_rows"]=>
bool(false)
}
["tax_query"]=>
object(WP_Tax_Query)#2783 (6) {
["queries"]=>
array(0) {
}
["relation"]=>
string(3) "AND"
["table_aliases":protected]=>
array(0) {
}
["queried_terms"]=>
array(0) {
}
["primary_table"]=>
string(8) "wp_posts"
["primary_id_column"]=>
string(2) "ID"
}
["meta_query"]=>
object(WP_Meta_Query)#3695 (9) {
["queries"]=>
array(2) {
[0]=>
array(1) {
["key"]=>
string(23) "alagen_post_views_count"
}
["relation"]=>
string(2) "OR"
}
["relation"]=>
string(3) "AND"
["meta_table"]=>
string(11) "wp_postmeta"
["meta_id_column"]=>
string(7) "post_id"
["primary_table"]=>
string(8) "wp_posts"
["primary_id_column"]=>
string(2) "ID"
["table_aliases":protected]=>
array(1) {
[0]=>
string(11) "wp_postmeta"
}
["clauses":protected]=>
array(1) {
["wp_postmeta"]=>
array(5) {
["key"]=>
string(23) "alagen_post_views_count"
["compare"]=>
string(1) "="
["compare_key"]=>
string(1) "="
["alias"]=>
string(11) "wp_postmeta"
["cast"]=>
string(4) "CHAR"
}
}
["has_or_relation":protected]=>
bool(false)
}
["date_query"]=>
bool(false)
["request"]=>
string(292) "SELECT SQL_CALC_FOUND_ROWS wp_posts.ID FROM wp_posts INNER JOIN wp_postmeta ON ( wp_posts.ID = wp_postmeta.post_id ) WHERE 1=1 AND (
wp_postmeta.meta_key = 'alagen_post_views_count'
) AND wp_posts.post_type = 'post' GROUP BY wp_posts.ID ORDER BY wp_postmeta.meta_value+0 DESC LIMIT 0, 3"
["posts"]=>
array(3) {
[0]=>
object(WP_Post)#3193 (24) {
["ID"]=>
int(702)
["post_author"]=>
string(1) "9"
["post_date"]=>
string(19) "2018-11-12 19:22:17"
["post_date_gmt"]=>
string(19) "2018-11-12 19:22:17"
["post_content"]=>
string(4647) "With ever increasing security threats, new protocols and responsive solutions, we frequently come across gaps in network access control. These often-overlooked gaps are significant. Eliminating them could reduce the need for damage control by 50% or greater. Our suggestion: follow the basic and critical IEEE standard for port-based Network Access Control, IEEE 802.1X. Where should you start? Addressing these top three gaps will make the biggest difference in creating a secure environment.
Wired Network
Give your wired network as much attention as your wireless one. Wired networks can be extremely vulnerable jumping-off points for hackers. All it takes is one unauthenticated device to connect to the network and launch a full-scale attack. It’s more than possible; it happens all the time. Employee personal devices are a big problem. You can deflect the “insider threat” by preventing employees from connecting their personal devices to the company network and instead having them connect those devices to the wireless guest network. 802.1X – the standard for authenticating devices to a network – is your north star here. When this protocol is in place, anyone who attempts to connect a device to a wired network and fails to authenticate successfully will get a splash page to authenticate the device and log into a guest network, which is isolated from the corporate network. This two-step standard of authentication and segmentation provides an enormous amount of security and is one of the easiest protocols to implement.
Rogue Device Detection
I’ve personally seen rogue device detection take hours, sometimes even days. This is far too slow. The difference between identifying and shutting down a rogue device in minutes versus hours could mean the difference between your business not being disrupted and being totally crippled. You may have heard the story of Maersk, a shipping company destroyed by a ransomware attack that came in from a rogue device. Hackers count on device detection being slow, and all they need is a few minutes to penetrate your network and launch an attack. When you enable 802.1X, it gives you exceptional visibility into devices that shouldn’t be on your network. Although many companies have implemented solutions and systems to support 802.1X, it’s surprisingly one of the standards that often gets overlooked or not fully deployed.
Endpoint Reporting
This has become a huge issue for enterprises as they expand the prevalence of IoT devices on their networks. We’re seeing IoT environments with all assets connected to both wired and wireless networks. These devices are busy gathering data and, in some cases, actuating and reporting on that data. This makes these devices attractive targets for hackers. Seemingly innocuous things like printers are extremely easy points to exploit and use as a jumping-off point to launch an attack inside the organization. Take regular inventory of all devices and make sure they are secured on both wired and wireless networks. Here’s a shocker: many of these assets can be configured to support 802.1X authentication. It is a tremendous amount of work to do this, which is why many organizations don’t go through the trouble to secure them. If this sounds like your org, call in for reinforcements. In another blog post, we talked about how to secure IoT environments in more detail. Closing these gaps yields a big return on security, and can save your company thousands of man-hours and expenditures by preventing breaches from happening. Yes, 802.1X can be complex and tedious to configure in some instances, but it’s critical. It should be a priority in any security plan, in any size company. Again, if it’s not something your security team has the bandwidth to manage, call in for reinforcements. 
" ["post_title"]=> string(53) "How to Close the Top 3 Gaps in Network Access Control" ["post_excerpt"]=> string(0) "" ["post_status"]=> string(7) "publish" ["comment_status"]=> string(4) "open" ["ping_status"]=> string(4) "open" ["post_password"]=> string(0) "" ["post_name"]=> string(22) "network-access-control" ["to_ping"]=> string(0) "" ["pinged"]=> string(0) "" ["post_modified"]=> string(19) "2020-07-08 17:11:51" ["post_modified_gmt"]=> string(19) "2020-07-08 17:11:51" ["post_content_filtered"]=> string(0) "" ["post_parent"]=> int(0) ["guid"]=> string(28) "http://www.alagen.com/?p=702" ["menu_order"]=> int(0) ["post_type"]=> string(4) "post" ["post_mime_type"]=> string(0) "" ["comment_count"]=> string(1) "0" ["filter"]=> string(3) "raw" } [1]=> object(WP_Post)#3218 (24) { ["ID"]=> int(728) ["post_author"]=> string(1) "5" ["post_date"]=> string(19) "2019-02-07 16:37:01" ["post_date_gmt"]=> string(19) "2019-02-07 16:37:01" ["post_content"]=> string(7936) "Many businesses find Alagen when looking for a specific piece of technology to purchase. Perhaps you’re looking for the latest in firewall solutions or email security tools. The security consulting industry has done a good job of training businesses to start with the tech and build out from there. We do the exact opposite. From where we’re sitting, every business we see is unique. Just because a certain technology is the best in its class, doesn’t necessarily mean it’s the best for your organization. That’s why we don’t exist to sell best-in-class technology. In fact, we aren’t even a reseller — largely because not every problem even needs a technology. We start with your business, your security challenges, and from there, build out a customized solution that’s just right FOR YOU. Then, we follow through with a thoughtfully implemented and tested enforcement plan. Visibility tools and other control technology almost identify themselves once the hard work has been done. 
It’s a philosophy that has helped us grow (without any sales or marketing) from a couple of clients in 2010 to successfully serving companies all over the world. Our approach works. Here’s how we do it.
Start with Needs, Not Security Solutions
We always recommend clients approach their program and technology journey by bringing the business into focus. After all, your business — the reputation, assets, IP, data, and people — is what’s being protected. You wouldn’t purchase a home security system before considering how it fits your house. You’d likely end up with too many motion detectors or not enough window contacts. Surprisingly, that’s how we see many security departments build out their programs. As a technical community, we’re very good at buying technology and chasing the latest trends. However, we are not very good at making sure that technology aligns with business needs and security frameworks. As a consultancy, we apply the phrase “technical debt” to these situations — a stack of minimally deployed technology that was chosen as the easy path instead of a better approach that would’ve taken slightly longer. Plans and purchases need to be sized to the business’s risk profile, budget, maturity level, organizational capabilities and threat landscape. Otherwise, they end up misconfigured, leaving the company vulnerable.
Identify Critical Data
The security needs across your assets are not always equal: they vary in associated risk and value. Some data is more critical than other data. Some data might need to comply with a regulation or compliance framework, such as PCI, HIPAA, or FedRAMP. And chances are, your data lives across many different assets, locations, and layers, which can make your protection plan that much more complex. Understanding these factors will drive better decision making when it comes to controlling access to these assets.
Define Who Needs What Access
Another often overlooked factor is understanding the landscape of connectivity methods and potential sources that can reach these assets. Do you have guest Wi-Fi or student networks; third-party connections through the internet or VPN; uncontrolled port access in corporate and visitor spaces; web-based applications or mobile platforms? Knowing the access methods available gives your team far greater decision-making power to understand and secure them using appropriate policy and control technology. Closing any gaps in network access control is critical. By taking inventory of assets, you can better organize them, apply targeted technology and controls, focus penetration testing, and not waste resources on things that aren’t a priority.
Don’t Confuse Compliance with Security
So often we see this false sense of security. Compliance requirements are there for good reason and need to be met. Failure to do so comes with repercussions including resultant fines, massively distracting scrambles to fix the issues, reputational damage, and potentially nullified cybersecurity insurance coverage. But, as a security risk assessment would show, meeting compliance alone generally falls short of your needs. A tight-fitting security program tailored for your business better protects your organization, and often requires only slightly more effort and planning than simply being compliant.
Consider People, Process, Technology
It’s not just a buzz-phrase that you’ve heard a hundred times. Okay, maybe it is. But it’s a critically important 3-legged stool when it comes to security. All three are needed, and each contributes significantly to your effective security plan. The common danger here is to think a technology solution alone is enough.
People
- Are they enabled and do they have the skills to adequately monitor and operate needed technology solutions?
- Can they be proactive or are they overwhelmed by reactive work? Do you need to staff up, augment or bring in SMEs?
- Are they familiar with your organizational policies and processes that govern the organization?
Process
- Do processes support the business-aligned security governance or framework in place so there is continuity throughout the organization?
- Do you have proactive procedures in place, or do you rely on reactive response?
- Is visibility given to all necessary parties, or do you suffer from siloed operations?
- Are there tools in place monitoring effectiveness and feeding back successes or failures to promote continuous adaptation and innovation?
Technology
- Is your network properly configured to balance access and security?
- Are your security solutions optimized to deliver promised and needed capabilities?
- Do you have the right tools to achieve your security program’s goals?
- Not every organization can support all technologies — are yours too advanced/expensive/operationally intensive?
- Do gaps exist between your point solutions that leave vulnerabilities?
Alagen Makes Security Accessible
We are 100% security-focused, open-minded to all technology solutions, broadly-experienced, and fully in our client’s corner — we are not resellers. Our services and approach enable companies to get leadership assistance, tap both strategic and implementation expertise, and execute a security program that conforms to their specific needs. Want to discuss your security program and how we might help? Please contact us today." ["post_title"]=> string(36) "Choosing the Best Security Solutions" ["post_excerpt"]=> string(0) "" ["post_status"]=> string(7) "publish" ["comment_status"]=> string(4) "open" ["ping_status"]=> string(4) "open" ["post_password"]=> string(0) "" ["post_name"]=> string(32) "choosing-best-security-solutions" ["to_ping"]=> string(0) "" ["pinged"]=> string(0) "" ["post_modified"]=> string(19) "2020-07-08 17:11:26" ["post_modified_gmt"]=> string(19) "2020-07-08 17:11:26" ["post_content_filtered"]=> string(0) "" ["post_parent"]=> int(0) ["guid"]=> string(28) "http://www.alagen.com/?p=728" ["menu_order"]=> int(0) ["post_type"]=> string(4) "post" ["post_mime_type"]=> string(0) "" ["comment_count"]=> string(1) "0" ["filter"]=> string(3) "raw" } [2]=> object(WP_Post)#3680 (24) { ["ID"]=> int(710) ["post_author"]=> string(1) "8" ["post_date"]=> string(19) "2018-11-27 00:16:51" ["post_date_gmt"]=> string(19) "2018-11-27 00:16:51" ["post_content"]=> string(6519) "In September, the National Institute of Standards and Technologies released NIST IR 8228. The report overviews unique risks organizations face from the proliferation of IoT (Internet of Things). Essentially, it’s one of the first detailed approaches to securing IoT environments. NIST IR 8228 advocates for three high-level risk mitigation goals. Here’s a breakdown of those goals and how businesses can achieve them.IoT Device Security Challenges
A critical first step is to ensure that IoT devices are safeguarded and can’t be used as a jumping off point for attacks on other devices or networks. This isn’t new. Device security is already a must requiring proper configuration, patch and vulnerability management, as well as Incident Response, among other things. It’s now also critical for an IoT environment. Unlike other devices, IoT devices, due to their newness, may pose additional challenges. They may lack the functionality required for centralized asset management systems, have heterogenous administrative responsibility, and are often located in environments segmented from traditional IT operations. All of these factors make them more difficult to both track and secure. And because of this, they are heavily targeted by hackers. Additionally, IoT environments are often excluded from many organizations’ standard vulnerability management process. In some cases, updates or changes on these devices to remediate known vulnerabilities are not available. Companies often take the position that vulnerability management of these environments is not necessary because they reside on an air-gapped network. But, as we learned with Stuxnet, the virus used to infiltrate Iran’s nuclear facility, security through segmentation alone is insufficient. Despite being completely off the grid, the US and two other countries were able to compromise the facility by infecting an out-of-network device that had been brought into the environment. Even when your environment isn’t connected to the internet, you can still be compromised. Adding to the complexity of securing IoT devices, many do not support the common logical access norms in place in most enterprises today. The inability to integrate into established directories, as an example, lends itself to a lack of control in the password complexity, aging, and role-based capabilities mandated by even a rudimentary security program. 
Security visibility rounds out the top concerns of possible IoT security pitfalls. IoT devices are not always included in traditional security logging and monitoring solutions. The reasons range from segmentation constraints to the devices being unable to produce security events. Organizations should consider developing or maturing processes that integrate risk management into procurement. At a minimum, the information security and IT organizations should be involved. With IoT environments often procured by lines of business and outside the visibility of traditional IT operations, engaging the appropriate internal teams should ensure that risks are understood and appropriately mitigated prior to the introduction of new devices into the corporate network.
IoT Data Security Challenges
Protecting the confidentiality, availability, and integrity of stored, transmitted, or processed data can also be extra challenging in an IoT environment. The theme remains the same. There can be incompatibility issues between IoT and conventional IT management standards, processes, and technology. Encryption, data sanitization, and backup and restore features may not be available in IoT devices. In addition, the pre-market capabilities around secure network communications can be lacking as well. When configuring and updating IoT devices, security needs to be front of mind, especially if the purpose of the device is to collect data, as with sensor- and actuator-enabled devices. These assets store and report on the data they are collecting. Ask yourself, if a bad guy were to breach or take down these devices, is the data secured, backed up, and safe? This is fundamentally no different than any other device and data management system. So be prepared to apply the same security management to IoT data as you do to everything else.
Protect Individuals’ Privacy
With emergent new laws like the General Data Protection Regulation (GDPR) and an onslaught of consumer data breaches, privacy is a hot topic in every consumer-facing industry. A recent breach at Facebook is a great example of a large-scale attack waking people up to what privacy means. Businesses NEED to be current on how consumer data is being collected, stored, and used. The premise behind GDPR is that privacy is a fundamental right of the individual. As such, organizations must take measures like ensuring that personal data is protected, capturing explicit consent for the use of that data, and providing consumers, upon request, with a report on how that data is used. In the case of IoT, devices may not provide the ability to interface with their functionality. This can impact the ability of a user to consent to the processing of collected PII, and to access privacy notices. The compliance framework also mandates an individual’s “right to be forgotten.” This means that an organization must know where a user’s data resides and have a way to remove it in a timely manner. The dynamic nature of IoT and the indiscriminate way in which it can collect PII can make compliance with this standard much more difficult. This is further complicated by IoT’s inherent decentralized data processing and heterogeneous ownership inside an organization. It’s clear that IoT is exciting and also risky in its relatively young state. With NIST taking notice and beginning the discussion on securing IoT environments, expect to see IoT security become a mainstream topic, one that results in a series of new security protocols. In the meantime, understand that the benefits of IoT adoption also come with significant security challenges and risks. The first step, as they say, is being aware. To learn more about security challenges that come with an IoT environment, check out the first part of this IoT series. To discuss how we can help with your security management, contact us. 
" ["post_title"]=> string(77) "Embracing IoT? Here Are The Security Challenges You’ll Likely Face: Part II" ["post_excerpt"]=> string(0) "" ["post_status"]=> string(7) "publish" ["comment_status"]=> string(4) "open" ["ping_status"]=> string(4) "open" ["post_password"]=> string(0) "" ["post_name"]=> string(25) "iot-security-challenges-2" ["to_ping"]=> string(0) "" ["pinged"]=> string(0) "" ["post_modified"]=> string(19) "2020-07-08 17:11:34" ["post_modified_gmt"]=> string(19) "2020-07-08 17:11:34" ["post_content_filtered"]=> string(0) "" ["post_parent"]=> int(0) ["guid"]=> string(28) "http://www.alagen.com/?p=710" ["menu_order"]=> int(0) ["post_type"]=> string(4) "post" ["post_mime_type"]=> string(0) "" ["comment_count"]=> string(1) "0" ["filter"]=> string(3) "raw" } } ["post_count"]=> int(3) ["current_post"]=> int(0) ["in_the_loop"]=> bool(true) ["post"]=> object(WP_Post)#3193 (24) { ["ID"]=> int(702) ["post_author"]=> string(1) "9" ["post_date"]=> string(19) "2018-11-12 19:22:17" ["post_date_gmt"]=> string(19) "2018-11-12 19:22:17" ["post_content"]=> string(4647) "With ever increasing security threats, new protocols and responsive solutions, we frequently come across gaps in network access control. These often-overlooked gaps are significant. Eliminating them could reduce the need for damage control by 50% or greater. Our suggestion: follow the basic and critical IEEE standard for port-based Network Access Control, IEEE 802.1X. Where should you start? Addressing these top three gaps will make the biggest difference in creating a secure environment.Wired Network
Give your wired network as much attention as your wireless one. Wired networks can be extremely vulnerable jumping-off points for hackers. All it takes is one unauthenticated device to connect to the network and launch a full-scale attack. It’s more than possible; it happens all the time. Employee personal devices are a big problem. You can deflect the “insider threat” by preventing employees from connecting their personal devices to the company network and instead having them connect those devices to the wireless guest network. 802.1X – the standard for authenticating devices to a network – is your north star here. When this protocol is in place, anyone who attempts to connect a device to a wired network and fails to authenticate successfully will get a splash page to authenticate the device and log into a guest network, which is isolated from the corporate network. This two-step standard of authentication and segmentation provides an enormous amount of security and is one of the easiest protocols to implement.
Rogue Device Detection
I’ve personally seen rogue device detection take hours, sometimes even days. This is far too slow. The difference between identifying and shutting down a rogue device in minutes versus hours could mean the difference between your business not being disrupted and being totally crippled. You may have heard the story of Maersk, a shipping company destroyed by a ransomware attack that came in from a rogue device. Hackers count on device detection being slow, and all they need is a few minutes to penetrate your network and launch an attack. When you enable 802.1X, it gives you exceptional visibility into devices that shouldn’t be on your network. Although many companies have implemented solutions and systems to support 802.1X, it’s surprisingly one of the standards that often gets overlooked or not fully deployed.
Endpoint Reporting
This has become a huge issue for enterprises as they expand the prevalence of IoT devices on their networks. We’re seeing IoT environments with all assets connected to both wired and wireless networks. These devices are busy gathering data and, in some cases, actuating and reporting on that data. This makes these devices attractive targets for hackers. Seemingly innocuous things like printers are extremely easy points to exploit and use as a jumping-off point to launch an attack inside the organization. Take regular inventory of all devices and make sure they are secured on both wired and wireless networks. Here’s a shocker: many of these assets can be configured to support 802.1X authentication. It is a tremendous amount of work to do this, which is why many organizations don’t go through the trouble to secure them. If this sounds like your org, call in for reinforcements. In another blog post, we talked about how to secure IoT environments in more detail. Closing these gaps yields a big return on security, and can save your company thousands of man-hours and expenditures by preventing breaches from happening. Yes, 802.1X can be complex and tedious to configure in some instances, but it’s critical. It should be a priority in any security plan, in any size company. Again, if it’s not something your security team has the bandwidth to manage, call in for reinforcements. 
" ["post_title"]=> string(53) "How to Close the Top 3 Gaps in Network Access Control" ["post_excerpt"]=> string(0) "" ["post_status"]=> string(7) "publish" ["comment_status"]=> string(4) "open" ["ping_status"]=> string(4) "open" ["post_password"]=> string(0) "" ["post_name"]=> string(22) "network-access-control" ["to_ping"]=> string(0) "" ["pinged"]=> string(0) "" ["post_modified"]=> string(19) "2020-07-08 17:11:51" ["post_modified_gmt"]=> string(19) "2020-07-08 17:11:51" ["post_content_filtered"]=> string(0) "" ["post_parent"]=> int(0) ["guid"]=> string(28) "http://www.alagen.com/?p=702" ["menu_order"]=> int(0) ["post_type"]=> string(4) "post" ["post_mime_type"]=> string(0) "" ["comment_count"]=> string(1) "0" ["filter"]=> string(3) "raw" } ["comment_count"]=> int(0) ["current_comment"]=> int(-1) ["found_posts"]=> int(25) ["max_num_pages"]=> float(9) ["max_num_comment_pages"]=> int(0) ["is_single"]=> bool(false) ["is_preview"]=> bool(false) ["is_page"]=> bool(false) ["is_archive"]=> bool(false) ["is_date"]=> bool(false) ["is_year"]=> bool(false) ["is_month"]=> bool(false) ["is_day"]=> bool(false) ["is_time"]=> bool(false) ["is_author"]=> bool(false) ["is_category"]=> bool(false) ["is_tag"]=> bool(false) ["is_tax"]=> bool(false) ["is_search"]=> bool(false) ["is_feed"]=> bool(false) ["is_comment_feed"]=> bool(false) ["is_trackback"]=> bool(false) ["is_home"]=> bool(true) ["is_privacy_policy"]=> bool(false) ["is_404"]=> bool(false) ["is_embed"]=> bool(false) ["is_paged"]=> bool(false) ["is_admin"]=> bool(false) ["is_attachment"]=> bool(false) ["is_singular"]=> bool(false) ["is_robots"]=> bool(false) ["is_favicon"]=> bool(false) ["is_posts_page"]=> bool(false) ["is_post_type_archive"]=> bool(false) ["query_vars_hash":"WP_Query":private]=> string(32) "f947b758e5ae01f47c5ab2e409030420" ["query_vars_changed":"WP_Query":private]=> bool(false) ["thumbnails_cached"]=> bool(false) ["allow_query_attachment_by_filename":protected]=> bool(false) 
["stopwords":"WP_Query":private]=> NULL ["compat_fields":"WP_Query":private]=> array(2) { [0]=> string(15) "query_vars_hash" [1]=> string(18) "query_vars_changed" } ["compat_methods":"WP_Query":private]=> array(2) { [0]=> string(16) "init_query_flags" [1]=> string(15) "parse_tax_query" } }object(WP_Query)#3696 (52) {
["query"]=>
array(6) {
["posts_per_page"]=>
int(3)
["meta_key"]=>
string(23) "alagen_post_views_count"
["orderby"]=>
string(14) "meta_value_num"
["order"]=>
string(4) "DESC"
["post_type"]=>
string(4) "post"
["post_status"]=>
string(9) "published"
}
["query_vars"]=>
array(65) {
["posts_per_page"]=>
int(3)
["meta_key"]=>
string(23) "alagen_post_views_count"
["orderby"]=>
string(14) "meta_value_num"
["order"]=>
string(4) "DESC"
["post_type"]=>
string(4) "post"
["post_status"]=>
string(9) "published"
["error"]=>
string(0) ""
["m"]=>
string(0) ""
["p"]=>
int(0)
["post_parent"]=>
string(0) ""
["subpost"]=>
string(0) ""
["subpost_id"]=>
string(0) ""
["attachment"]=>
string(0) ""
["attachment_id"]=>
int(0)
["name"]=>
string(0) ""
["pagename"]=>
string(0) ""
["page_id"]=>
int(0)
["second"]=>
string(0) ""
["minute"]=>
string(0) ""
["hour"]=>
string(0) ""
["day"]=>
int(0)
["monthnum"]=>
int(0)
["year"]=>
int(0)
["w"]=>
int(0)
["category_name"]=>
string(0) ""
["tag"]=>
string(0) ""
["cat"]=>
string(0) ""
["tag_id"]=>
string(0) ""
["author"]=>
string(0) ""
["author_name"]=>
string(0) ""
["feed"]=>
string(0) ""
["tb"]=>
string(0) ""
["paged"]=>
int(0)
["meta_value"]=>
string(0) ""
["preview"]=>
string(0) ""
["s"]=>
string(0) ""
["sentence"]=>
string(0) ""
["title"]=>
string(0) ""
["fields"]=>
string(0) ""
["menu_order"]=>
string(0) ""
["embed"]=>
string(0) ""
["category__in"]=>
array(0) {
}
["category__not_in"]=>
array(0) {
}
["category__and"]=>
array(0) {
}
["post__in"]=>
array(0) {
}
["post__not_in"]=>
array(0) {
}
["post_name__in"]=>
array(0) {
}
["tag__in"]=>
array(0) {
}
["tag__not_in"]=>
array(0) {
}
["tag__and"]=>
array(0) {
}
["tag_slug__in"]=>
array(0) {
}
["tag_slug__and"]=>
array(0) {
}
["post_parent__in"]=>
array(0) {
}
["post_parent__not_in"]=>
array(0) {
}
["author__in"]=>
array(0) {
}
["author__not_in"]=>
array(0) {
}
["ignore_sticky_posts"]=>
bool(false)
["suppress_filters"]=>
bool(false)
["cache_results"]=>
bool(true)
["update_post_term_cache"]=>
bool(true)
["lazy_load_term_meta"]=>
bool(true)
["update_post_meta_cache"]=>
bool(true)
["nopaging"]=>
bool(false)
["comments_per_page"]=>
string(2) "20"
["no_found_rows"]=>
bool(false)
}
["tax_query"]=>
object(WP_Tax_Query)#2783 (6) {
["queries"]=>
array(0) {
}
["relation"]=>
string(3) "AND"
["table_aliases":protected]=>
array(0) {
}
["queried_terms"]=>
array(0) {
}
["primary_table"]=>
string(8) "wp_posts"
["primary_id_column"]=>
string(2) "ID"
}
["meta_query"]=>
object(WP_Meta_Query)#3695 (9) {
["queries"]=>
array(2) {
[0]=>
array(1) {
["key"]=>
string(23) "alagen_post_views_count"
}
["relation"]=>
string(2) "OR"
}
["relation"]=>
string(3) "AND"
["meta_table"]=>
string(11) "wp_postmeta"
["meta_id_column"]=>
string(7) "post_id"
["primary_table"]=>
string(8) "wp_posts"
["primary_id_column"]=>
string(2) "ID"
["table_aliases":protected]=>
array(1) {
[0]=>
string(11) "wp_postmeta"
}
["clauses":protected]=>
array(1) {
["wp_postmeta"]=>
array(5) {
["key"]=>
string(23) "alagen_post_views_count"
["compare"]=>
string(1) "="
["compare_key"]=>
string(1) "="
["alias"]=>
string(11) "wp_postmeta"
["cast"]=>
string(4) "CHAR"
}
}
["has_or_relation":protected]=>
bool(false)
}
["date_query"]=>
bool(false)
["request"]=>
string(292) "SELECT SQL_CALC_FOUND_ROWS wp_posts.ID FROM wp_posts INNER JOIN wp_postmeta ON ( wp_posts.ID = wp_postmeta.post_id ) WHERE 1=1 AND (
wp_postmeta.meta_key = 'alagen_post_views_count'
) AND wp_posts.post_type = 'post' GROUP BY wp_posts.ID ORDER BY wp_postmeta.meta_value+0 DESC LIMIT 0, 3"
["posts"]=>
array(3) {
[0]=>
object(WP_Post)#3193 (24) {
["ID"]=>
int(702)
["post_author"]=>
string(1) "9"
["post_date"]=>
string(19) "2018-11-12 19:22:17"
["post_date_gmt"]=>
string(19) "2018-11-12 19:22:17"
["post_content"]=>
string(4647) "With ever increasing security threats, new protocols and responsive solutions, we frequently come across gaps in network access control. These often-overlooked gaps are significant. Eliminating them could reduce the need for damage control by 50% or greater. Our suggestion: follow the basic and critical IEEE standard for port-based Network Access Control, IEEE 802.1X. Where should you start? Addressing these top three gaps will make the biggest difference in creating a secure environment.
Wired Network
Give your wired network as much attention as your wireless one. Wired networks can be extremely vulnerable jumping off points for hackers. All it takes is one unauthenticated device to connect to the network and launch a full-scale attack. It’s more than possible, it happens all the time. Employee personal devices are a big problem. You can deflect the “insider threat” by preventing employees from connecting their personal devices to the company network, and instead, connect their devices to the wireless guest network. 802.1X – standard for authenticating devices to a network – is your north star here. When this protocol is in place, anyone who attempts to connect a device to a wired network that fails to successfully authenticate will get a splash page to authenticate the device and log into a guest network, which is isolated from the corporate network. This two-step standard of authentication and segmentation provides an enormous amount of security and is one of the easiest protocols to implement.Rogue Device Detection
I’ve personally seen rogue device detection take hours, sometimes even days. This is far too slow. The difference between identifying and shutting down a rogue device in minutes versus hours could mean the difference between your business not being disrupted and being totally crippled. You may have heard the story of Maersk, a shipping company destroyed by a ransomware attack that came in from a rogue device. Hackers count on device detection being slow, and all they need is a few minutes to penetrate your network and launch an attack. When you enable 802.1X, it gives you exceptional visibility into devices that shouldn’t be on your network. Although many companies have implemented solutions and systems to support 802.1X, it’s surprisingly one of the standards that often gets overlooked or is not fully deployed.
Endpoint Reporting
This has become a huge issue for enterprises as they expand the prevalence of IoT devices on their networks. We’re seeing IoT environments with all assets connected to both wired and wireless networks. These devices are busy gathering data and in some cases, actuating and reporting on that data. This makes these devices honeypots for hackers. Seemingly innocuous things like printers are extremely easy points to exploit and use as a jumping off point to launch an attack inside the organization. Take regular inventory lists of all devices and make sure they are secured both on wired and wireless networks. Here’s a shocker: many of these assets can be configured to support 802.1X authentication. It is a tremendous amount of work to do this, which is why many organizations don’t go through the trouble to secure them. If this sounds like your org, call in for reinforcements. In another blog post, we talked about how to secure IoT environments in more detail. Closing these gaps yields a big return on security, and can save your company thousands of man-hours and expenditures by preventing breaches from happening. Yes, 802.1X can be complex and tedious to configure in some instances, but it’s critical. It should be a priority in any security plan, in any size company. Again, if it’s not something your security has the bandwidth to manage, call in for reinforcements. 
" ["post_title"]=> string(53) "How to Close the Top 3 Gaps in Network Access Control" ["post_excerpt"]=> string(0) "" ["post_status"]=> string(7) "publish" ["comment_status"]=> string(4) "open" ["ping_status"]=> string(4) "open" ["post_password"]=> string(0) "" ["post_name"]=> string(22) "network-access-control" ["to_ping"]=> string(0) "" ["pinged"]=> string(0) "" ["post_modified"]=> string(19) "2020-07-08 17:11:51" ["post_modified_gmt"]=> string(19) "2020-07-08 17:11:51" ["post_content_filtered"]=> string(0) "" ["post_parent"]=> int(0) ["guid"]=> string(28) "http://www.alagen.com/?p=702" ["menu_order"]=> int(0) ["post_type"]=> string(4) "post" ["post_mime_type"]=> string(0) "" ["comment_count"]=> string(1) "0" ["filter"]=> string(3) "raw" } [1]=> object(WP_Post)#3218 (24) { ["ID"]=> int(728) ["post_author"]=> string(1) "5" ["post_date"]=> string(19) "2019-02-07 16:37:01" ["post_date_gmt"]=> string(19) "2019-02-07 16:37:01" ["post_content"]=> string(7936) "Many businesses find Alagen when looking for a specific piece of technology to purchase. Perhaps you’re looking for the latest in firewall solutions or email security tools. The security consulting industry has done a good job of training businesses to start with the tech and build out from there. We do the exact opposite. From where we’re sitting, every business we see is unique. Just because a certain technology is the best in its class, doesn’t necessarily mean it’s the best for your organization. That’s why we don’t exist to sell best-in-class technology. In fact, we aren’t even a reseller — largely because not every problem even needs a technology. We start with your business, your security challenges, and from there, build out a customized solution that’s just right FOR YOU. Then, we follow through with a thoughtfully implemented and tested enforcement plan. Visibility tools and other control technology almost identify themselves once the hard work has been done. 
It’s a philosophy that has helped us grow (without any sales or marketing) from a couple of clients in 2010 to successfully serving companies all over the world. Our approach works. Here’s how we do it.Start with Needs, Not Security Solutions
We always recommend clients approach their program and technology journey by bringing the business into focus. After all, your business — the reputation, assets, IP, data, and people — is what’s being protected. You wouldn’t purchase a home security system before considering how it fits your house. You’d likely end up with too many motion detectors or not enough window contacts. Surprisingly, that’s how we see many security departments build out their programs. As a technical community, we’re very good at buying technology and chasing the latest trends. However, we are not very good at making sure that technology aligns with business needs and security frameworks. As a consultancy, we apply the phrase “technical debt” to these situations — a stack of minimally deployed technology that was chosen as the easy path instead of a better approach that would’ve taken slightly longer. Plans and purchases need to be sized to the business’ risk profile, budget, maturity level, organizational capabilities and threat landscape. Otherwise, they end up misconfigured and leaving the company vulnerable.Identify Critical Data
The security needs across your assets are not always equal: they vary in associated risk and value. Some data is more critical than other data. Some data might need to be in compliance with a regulatory body, such as PCI, HIPAA, or FedRAMP. And chances are, your data lives across many different assets, locations, and layers, which can make your protection plan that much more complex. Understanding these factors will drive better decision making when it comes to controlling access to these assets.
Define Who Needs What Access
Another often overlooked factor is understanding the landscape of connectivity methods and potential sources that can reach these assets. Do you have guest WIFI or student networks; 3rd party connections through internet or VPN; uncontrolled port access in corporate and visitor spaces; web-based applications or mobile platforms? Knowing the access methods available gives your team far greater decision-making power to understand and secure them using appropriate policy and control technology. Closing any gaps in network access control is critical. By taking inventory of assets, you can better organize them, apply targeted technology and controls, focus penetration testing, and not waste resources on things that aren’t a priority.Don’t Confuse Compliance with Security
So often we see this false sense of security. Compliance requirements are there for good reason and need to be met. Failure to do so comes with repercussions including resultant fines, massively distracting scrambles to fix the issues, reputational damage, and potentially nullifying cybersecurity insurance coverage. But, as a security risk assessment would show, meeting compliance alone generally falls short of your needs. A tight-fitting security program tailored for your business better protects your organization, and often requires only slightly more effort and planning than simply being compliant.Consider People, Process, Technology
It’s not just a buzz-phrase that you’ve heard a hundred times. Okay, maybe it is. But it’s a critically important 3-legged stool when it comes to security. All are needed and each significantly contribute to your effective security plan. The common danger here is to think a technology solution alone is enough.People
- Are they enabled and do they have the skills to adequately monitor and operate needed technology solutions?
- Can they be proactive or are they overwhelmed by reactive work? Do you need to staff up, augment or bring in SMEs?
- Are they familiar with your organizational policies and processes that govern the organization?
Process
- Do processes support the business-aligned security governance or framework in place so there is continuity throughout the organization?
- Do you have proactive procedures in place, or do you rely on reactive response?
- Is visibility given to all necessary parties, or do you suffer from siloed operations?
- Are there tools in place monitoring effectiveness and feeding back successes or failures to promote continuous adaptation and innovation?
Technology
- Is your network properly configured to balance access and security?
- Are your security solutions optimized to deliver promised and needed capabilities?
- Do you have the right tools to achieve your security program’s goals?
- Not every organization can support all technologies — are yours too advanced/expensive/operationally intensive?
- Do gaps exist between your point solutions that leave vulnerabilities?
Alagen Makes Security Accessible
We are 100% security-focused, open-minded to all technology solutions, broadly-experienced, and fully in our client’s corner — we are not resellers. Our services and approach enable companies to get leadership assistance, tap both strategic and implementation expertise, and execute a security program that conforms to their specific needs. Want to discuss your security program and how we might help? Please contact us today." ["post_title"]=> string(36) "Choosing the Best Security Solutions" ["post_excerpt"]=> string(0) "" ["post_status"]=> string(7) "publish" ["comment_status"]=> string(4) "open" ["ping_status"]=> string(4) "open" ["post_password"]=> string(0) "" ["post_name"]=> string(32) "choosing-best-security-solutions" ["to_ping"]=> string(0) "" ["pinged"]=> string(0) "" ["post_modified"]=> string(19) "2020-07-08 17:11:26" ["post_modified_gmt"]=> string(19) "2020-07-08 17:11:26" ["post_content_filtered"]=> string(0) "" ["post_parent"]=> int(0) ["guid"]=> string(28) "http://www.alagen.com/?p=728" ["menu_order"]=> int(0) ["post_type"]=> string(4) "post" ["post_mime_type"]=> string(0) "" ["comment_count"]=> string(1) "0" ["filter"]=> string(3) "raw" } [2]=> object(WP_Post)#3680 (24) { ["ID"]=> int(710) ["post_author"]=> string(1) "8" ["post_date"]=> string(19) "2018-11-27 00:16:51" ["post_date_gmt"]=> string(19) "2018-11-27 00:16:51" ["post_content"]=> string(6519) "In September, the National Institute of Standards and Technologies released NIST IR 8228. The report overviews unique risks organizations face from the proliferation of IoT (Internet of Things). Essentially, it’s one of the first detailed approaches to securing IoT environments. NIST IR 8228 advocates for three high-level risk mitigation goals. Here’s a breakdown of those goals and how businesses can achieve them.IoT Device Security Challenges
A critical first step is to ensure that IoT devices are safeguarded and can’t be used as a jumping off point for attacks on other devices or networks. This isn’t new. Device security is already a must requiring proper configuration, patch and vulnerability management, as well as Incident Response, among other things. It’s now also critical for an IoT environment. Unlike other devices, IoT devices, due to their newness, may pose additional challenges. They may lack the functionality required for centralized asset management systems, have heterogenous administrative responsibility, and are often located in environments segmented from traditional IT operations. All of these factors make them more difficult to both track and secure. And because of this, they are heavily targeted by hackers. Additionally, IoT environments are often excluded from many organizations’ standard vulnerability management process. In some cases, updates or changes on these devices to remediate known vulnerabilities are not available. Companies often take the position that vulnerability management of these environments is not necessary because they reside on an air-gapped network. But, as we learned with Stuxnet, the virus used to infiltrate Iran’s nuclear facility, security through segmentation alone is insufficient. Despite being completely off the grid, the US and two other countries were able to compromise the facility by infecting an out-of-network device that had been brought into the environment. Even when your environment isn’t connected to the internet, you can still be compromised. Adding to the complexity of securing IoT devices, many do not support the common logical access norms in place in most enterprises today. The inability to integrate into established directories, as an example, lends itself to a lack of control in the password complexity, aging, and role-based capabilities mandated by even a rudimentary security program. 
Security visibility rounds out the top concerns of possible IoT security pitfalls. IoT devices are not always included in traditional security logging and monitoring solutions. The reasons range from segmentation constraints to the devices being unable to produce security events. Organizations should consider developing or maturing processes that integrate risk management into procurement. At minimum, the information security and IT organizations should be involved. With IoT environments often procured by lines of business and outside the visibility of traditional IT operations, engaging the appropriate internal teams should ensure that risks are understood and appropriately mitigated prior to the introduction of new devices into the corporate network.IoT Data Security Challenges
Protecting the confidentiality, availability, and integrity of stored, transmitted, or processed data can also be extra challenging in an IoT environment. The theme remains the same. There can be incompatibility issues between IoT and conventional IT management standards, processes, and technology. Encryption, data sanitization, and backup and restoration features may not be available in IoT devices. In addition, the pre-market capabilities around secure network communications can be lacking as well. When configuring and updating IoT devices, security needs to be front of mind, especially if the purpose of the device is to collect data, as with sensor- and actuator-enabled devices. These assets store and report on the data they are collecting. Ask yourself, if a bad guy were to breach or take down these devices, is the data secured, backed up, and safe? This is fundamentally no different than any other device and data management system. So be prepared to apply the same security management to IoT data as you do to everything else.
Protect Individuals’ Privacy
With emergent new laws like the General Data Protection Regulation (GDPR) and an onslaught of consumer data breaches, privacy is a hot topic in every consumer-facing industry. A recent breach to Facebook is a great example of a large-scale attack waking people up to what privacy means. Businesses NEED to be current on how consumer data is being collected, stored, and used. The premise behind GDPR is that privacy is a fundamental right of the individual. As such, organizations must take measures like ensuring that personal data is protected, capture explicit consent for the use of that data, and provide to consumers upon request a report on how that data is used. In the case of IoT, devices may not provide the ability to interface with their functionality. This can impact the ability of a user to consent to the processing of collected PII, and to access privacy notices. The compliance framework also mandates an individual’s “right to be forgotten.” This indicates that an organization must know where a user’s data resides and have a way to remove it in a timely manner. The dynamic nature of IoT and the indiscriminate nature in which it can collect PII can make compliance with this standard much more difficult. This is further complicated by IoT’s inherent decentralized data processing and heterogenous ownership inside an organization. It’s clear that IoT is exciting and also risky in its relatively young state. By NIST taking notice and beginning the discussion on securing IoT environments, expect to see IoT security become a mainstream topic, one that results in a series of new security protocols. In the meantime, understand that the benefits of IoT adoption also come with significant security challenges and risks. The first step, as they say, is being aware. To learn more about security challenges that come with an IoT environment, check out the first part of this IoT series. To discuss how we can help with your security management, contact us. 
" ["post_title"]=> string(77) "Embracing IoT? Here Are The Security Challenges You’ll Likely Face: Part II" ["post_excerpt"]=> string(0) "" ["post_status"]=> string(7) "publish" ["comment_status"]=> string(4) "open" ["ping_status"]=> string(4) "open" ["post_password"]=> string(0) "" ["post_name"]=> string(25) "iot-security-challenges-2" ["to_ping"]=> string(0) "" ["pinged"]=> string(0) "" ["post_modified"]=> string(19) "2020-07-08 17:11:34" ["post_modified_gmt"]=> string(19) "2020-07-08 17:11:34" ["post_content_filtered"]=> string(0) "" ["post_parent"]=> int(0) ["guid"]=> string(28) "http://www.alagen.com/?p=710" ["menu_order"]=> int(0) ["post_type"]=> string(4) "post" ["post_mime_type"]=> string(0) "" ["comment_count"]=> string(1) "0" ["filter"]=> string(3) "raw" } } ["post_count"]=> int(3) ["current_post"]=> int(1) ["in_the_loop"]=> bool(true) ["post"]=> object(WP_Post)#3218 (24) { ["ID"]=> int(728) ["post_author"]=> string(1) "5" ["post_date"]=> string(19) "2019-02-07 16:37:01" ["post_date_gmt"]=> string(19) "2019-02-07 16:37:01" ["post_content"]=> string(7936) "Many businesses find Alagen when looking for a specific piece of technology to purchase. Perhaps you’re looking for the latest in firewall solutions or email security tools. The security consulting industry has done a good job of training businesses to start with the tech and build out from there. We do the exact opposite. From where we’re sitting, every business we see is unique. Just because a certain technology is the best in its class, doesn’t necessarily mean it’s the best for your organization. That’s why we don’t exist to sell best-in-class technology. In fact, we aren’t even a reseller — largely because not every problem even needs a technology. We start with your business, your security challenges, and from there, build out a customized solution that’s just right FOR YOU. Then, we follow through with a thoughtfully implemented and tested enforcement plan. 
Visibility tools and other control technology almost identify themselves once the hard work has been done. It’s a philosophy that has helped us grow (without any sales or marketing) from a couple of clients in 2010 to successfully serving companies all over the world. Our approach works. Here’s how we do it.Start with Needs, Not Security Solutions
We always recommend clients approach their program and technology journey by bringing the business into focus. After all, your business — the reputation, assets, IP, data, and people — is what’s being protected. You wouldn’t purchase a home security system before considering how it fits your house. You’d likely end up with too many motion detectors or not enough window contacts. Surprisingly, that’s how we see many security departments build out their programs. As a technical community, we’re very good at buying technology and chasing the latest trends. However, we are not very good at making sure that technology aligns with business needs and security frameworks. As a consultancy, we apply the phrase “technical debt” to these situations — a stack of minimally deployed technology that was chosen as the easy path instead of a better approach that would’ve taken slightly longer. Plans and purchases need to be sized to the business’ risk profile, budget, maturity level, organizational capabilities and threat landscape. Otherwise, they end up misconfigured and leaving the company vulnerable.Identify Critical Data
The security needs across your assets are not always equal: they vary in associated risk and value. Some data is more critical than other data. Some data might need to be in compliance with a regulatory body, such as PCI, HIPAA, or FedRAMP. And chances are, your data lives across many different assets, locations, and layers, which can make your protection plan that much more complex. Understanding these factors will drive better decision making when it comes to controlling access to these assets.
Define Who Needs What Access
Another often overlooked factor is understanding the landscape of connectivity methods and potential sources that can reach these assets. Do you have guest WIFI or student networks; 3rd party connections through internet or VPN; uncontrolled port access in corporate and visitor spaces; web-based applications or mobile platforms? Knowing the access methods available gives your team far greater decision-making power to understand and secure them using appropriate policy and control technology. Closing any gaps in network access control is critical. By taking inventory of assets, you can better organize them, apply targeted technology and controls, focus penetration testing, and not waste resources on things that aren’t a priority.Don’t Confuse Compliance with Security
So often we see this false sense of security. Compliance requirements are there for good reason and need to be met. Failure to do so comes with repercussions including resultant fines, massively distracting scrambles to fix the issues, reputational damage, and potentially nullifying cybersecurity insurance coverage. But, as a security risk assessment would show, meeting compliance alone generally falls short of your needs. A tight-fitting security program tailored for your business better protects your organization, and often requires only slightly more effort and planning than simply being compliant.Consider People, Process, Technology
It’s not just a buzz-phrase that you’ve heard a hundred times. Okay, maybe it is. But it’s a critically important 3-legged stool when it comes to security. All are needed and each significantly contribute to your effective security plan. The common danger here is to think a technology solution alone is enough.People
- Are they enabled and do they have the skills to adequately monitor and operate needed technology solutions?
- Can they be proactive or are they overwhelmed by reactive work? Do you need to staff up, augment or bring in SMEs?
- Are they familiar with your organizational policies and processes that govern the organization?
Process
- Do processes support the business-aligned security governance or framework in place so there is continuity throughout the organization?
- Do you have proactive procedures in place, or do you rely on reactive response?
- Is visibility given to all necessary parties, or do you suffer from siloed operations?
- Are there tools in place monitoring effectiveness and feeding back successes or failures to promote continuous adaptation and innovation?
Technology
- Is your network properly configured to balance access and security?
- Are your security solutions optimized to deliver promised and needed capabilities?
- Do you have the right tools to achieve your security program’s goals?
- Not every organization can support all technologies — are yours too advanced/expensive/operationally intensive?
- Do gaps exist between your point solutions that leave vulnerabilities?
Alagen Makes Security Accessible
We are 100% security-focused, open-minded to all technology solutions, broadly-experienced, and fully in our client’s corner — we are not resellers. Our services and approach enable companies to get leadership assistance, tap both strategic and implementation expertise, and execute a security program that conforms to their specific needs. Want to discuss your security program and how we might help? Please contact us today." ["post_title"]=> string(36) "Choosing the Best Security Solutions" ["post_excerpt"]=> string(0) "" ["post_status"]=> string(7) "publish" ["comment_status"]=> string(4) "open" ["ping_status"]=> string(4) "open" ["post_password"]=> string(0) "" ["post_name"]=> string(32) "choosing-best-security-solutions" ["to_ping"]=> string(0) "" ["pinged"]=> string(0) "" ["post_modified"]=> string(19) "2020-07-08 17:11:26" ["post_modified_gmt"]=> string(19) "2020-07-08 17:11:26" ["post_content_filtered"]=> string(0) "" ["post_parent"]=> int(0) ["guid"]=> string(28) "http://www.alagen.com/?p=728" ["menu_order"]=> int(0) ["post_type"]=> string(4) "post" ["post_mime_type"]=> string(0) "" ["comment_count"]=> string(1) "0" ["filter"]=> string(3) "raw" } ["comment_count"]=> int(0) ["current_comment"]=> int(-1) ["found_posts"]=> int(25) ["max_num_pages"]=> float(9) ["max_num_comment_pages"]=> int(0) ["is_single"]=> bool(false) ["is_preview"]=> bool(false) ["is_page"]=> bool(false) ["is_archive"]=> bool(false) ["is_date"]=> bool(false) ["is_year"]=> bool(false) ["is_month"]=> bool(false) ["is_day"]=> bool(false) ["is_time"]=> bool(false) ["is_author"]=> bool(false) ["is_category"]=> bool(false) ["is_tag"]=> bool(false) ["is_tax"]=> bool(false) ["is_search"]=> bool(false) ["is_feed"]=> bool(false) ["is_comment_feed"]=> bool(false) ["is_trackback"]=> bool(false) ["is_home"]=> bool(true) ["is_privacy_policy"]=> bool(false) ["is_404"]=> bool(false) ["is_embed"]=> bool(false) ["is_paged"]=> bool(false) ["is_admin"]=> bool(false) ["is_attachment"]=> bool(false) 
["is_singular"]=> bool(false) ["is_robots"]=> bool(false) ["is_favicon"]=> bool(false) ["is_posts_page"]=> bool(false) ["is_post_type_archive"]=> bool(false) ["query_vars_hash":"WP_Query":private]=> string(32) "f947b758e5ae01f47c5ab2e409030420" ["query_vars_changed":"WP_Query":private]=> bool(false) ["thumbnails_cached"]=> bool(false) ["allow_query_attachment_by_filename":protected]=> bool(false) ["stopwords":"WP_Query":private]=> NULL ["compat_fields":"WP_Query":private]=> array(2) { [0]=> string(15) "query_vars_hash" [1]=> string(18) "query_vars_changed" } ["compat_methods":"WP_Query":private]=> array(2) { [0]=> string(16) "init_query_flags" [1]=> string(15) "parse_tax_query" } }object(WP_Query)#3696 (52) {
["query"]=>
array(6) {
["posts_per_page"]=>
int(3)
["meta_key"]=>
string(23) "alagen_post_views_count"
["orderby"]=>
string(14) "meta_value_num"
["order"]=>
string(4) "DESC"
["post_type"]=>
string(4) "post"
["post_status"]=>
string(9) "published"
}
["query_vars"]=>
array(65) {
["posts_per_page"]=>
int(3)
["meta_key"]=>
string(23) "alagen_post_views_count"
["orderby"]=>
string(14) "meta_value_num"
["order"]=>
string(4) "DESC"
["post_type"]=>
string(4) "post"
["post_status"]=>
string(9) "published"
["error"]=>
string(0) ""
["m"]=>
string(0) ""
["p"]=>
int(0)
["post_parent"]=>
string(0) ""
["subpost"]=>
string(0) ""
["subpost_id"]=>
string(0) ""
["attachment"]=>
string(0) ""
["attachment_id"]=>
int(0)
["name"]=>
string(0) ""
["pagename"]=>
string(0) ""
["page_id"]=>
int(0)
["second"]=>
string(0) ""
["minute"]=>
string(0) ""
["hour"]=>
string(0) ""
["day"]=>
int(0)
["monthnum"]=>
int(0)
["year"]=>
int(0)
["w"]=>
int(0)
["category_name"]=>
string(0) ""
["tag"]=>
string(0) ""
["cat"]=>
string(0) ""
["tag_id"]=>
string(0) ""
["author"]=>
string(0) ""
["author_name"]=>
string(0) ""
["feed"]=>
string(0) ""
["tb"]=>
string(0) ""
["paged"]=>
int(0)
["meta_value"]=>
string(0) ""
["preview"]=>
string(0) ""
["s"]=>
string(0) ""
["sentence"]=>
string(0) ""
["title"]=>
string(0) ""
["fields"]=>
string(0) ""
["menu_order"]=>
string(0) ""
["embed"]=>
string(0) ""
["category__in"]=>
array(0) {
}
["category__not_in"]=>
array(0) {
}
["category__and"]=>
array(0) {
}
["post__in"]=>
array(0) {
}
["post__not_in"]=>
array(0) {
}
["post_name__in"]=>
array(0) {
}
["tag__in"]=>
array(0) {
}
["tag__not_in"]=>
array(0) {
}
["tag__and"]=>
array(0) {
}
["tag_slug__in"]=>
array(0) {
}
["tag_slug__and"]=>
array(0) {
}
["post_parent__in"]=>
array(0) {
}
["post_parent__not_in"]=>
array(0) {
}
["author__in"]=>
array(0) {
}
["author__not_in"]=>
array(0) {
}
["ignore_sticky_posts"]=>
bool(false)
["suppress_filters"]=>
bool(false)
["cache_results"]=>
bool(true)
["update_post_term_cache"]=>
bool(true)
["lazy_load_term_meta"]=>
bool(true)
["update_post_meta_cache"]=>
bool(true)
["nopaging"]=>
bool(false)
["comments_per_page"]=>
string(2) "20"
["no_found_rows"]=>
bool(false)
}
["tax_query"]=>
object(WP_Tax_Query)#2783 (6) {
["queries"]=>
array(0) {
}
["relation"]=>
string(3) "AND"
["table_aliases":protected]=>
array(0) {
}
["queried_terms"]=>
array(0) {
}
["primary_table"]=>
string(8) "wp_posts"
["primary_id_column"]=>
string(2) "ID"
}
["meta_query"]=>
object(WP_Meta_Query)#3695 (9) {
["queries"]=>
array(2) {
[0]=>
array(1) {
["key"]=>
string(23) "alagen_post_views_count"
}
["relation"]=>
string(2) "OR"
}
["relation"]=>
string(3) "AND"
["meta_table"]=>
string(11) "wp_postmeta"
["meta_id_column"]=>
string(7) "post_id"
["primary_table"]=>
string(8) "wp_posts"
["primary_id_column"]=>
string(2) "ID"
["table_aliases":protected]=>
array(1) {
[0]=>
string(11) "wp_postmeta"
}
["clauses":protected]=>
array(1) {
["wp_postmeta"]=>
array(5) {
["key"]=>
string(23) "alagen_post_views_count"
["compare"]=>
string(1) "="
["compare_key"]=>
string(1) "="
["alias"]=>
string(11) "wp_postmeta"
["cast"]=>
string(4) "CHAR"
}
}
["has_or_relation":protected]=>
bool(false)
}
["date_query"]=>
bool(false)
["request"]=>
string(292) "SELECT SQL_CALC_FOUND_ROWS wp_posts.ID FROM wp_posts INNER JOIN wp_postmeta ON ( wp_posts.ID = wp_postmeta.post_id ) WHERE 1=1 AND (
wp_postmeta.meta_key = 'alagen_post_views_count'
) AND wp_posts.post_type = 'post' GROUP BY wp_posts.ID ORDER BY wp_postmeta.meta_value+0 DESC LIMIT 0, 3"
["posts"]=>
array(3) {
[0]=>
object(WP_Post)#3193 (24) {
["ID"]=>
int(702)
["post_author"]=>
string(1) "9"
["post_date"]=>
string(19) "2018-11-12 19:22:17"
["post_date_gmt"]=>
string(19) "2018-11-12 19:22:17"
["post_content"]=>
string(4647) "With ever increasing security threats, new protocols and responsive solutions, we frequently come across gaps in network access control. These often-overlooked gaps are significant. Eliminating them could reduce the need for damage control by 50% or greater. Our suggestion: follow the basic and critical IEEE standard for port-based Network Access Control, IEEE 802.1X. Where should you start? Addressing these top three gaps will make the biggest difference in creating a secure environment.
Wired Network
Give your wired network as much attention as your wireless one. Wired networks can be extremely vulnerable jumping off points for hackers. All it takes is one unauthenticated device to connect to the network and launch a full-scale attack. It’s more than possible, it happens all the time. Employee personal devices are a big problem. You can deflect the “insider threat” by preventing employees from connecting their personal devices to the company network and having them connect those devices to the wireless guest network instead. 802.1X – the standard for authenticating devices to a network – is your north star here. When this protocol is in place, anyone who attempts to connect a device to the wired network and fails to authenticate successfully will get a splash page to authenticate the device and log into a guest network, which is isolated from the corporate network. This two-step standard of authentication and segmentation provides an enormous amount of security and is one of the easiest protocols to implement.
Rogue Device Detection
I’ve personally seen rogue device detection take hours, sometimes even days. This is far too slow. The difference between identifying and shutting down a rogue device in minutes versus hours could mean the difference between your business not being disrupted and being totally crippled. You may have heard the story of Maersk, a shipping company destroyed by a ransomware attack that came in from a rogue device. Hackers count on device detection being slow, and all they need is a few minutes to penetrate your network and launch an attack. When you enable 802.1X, it gives you exceptional visibility into devices that shouldn’t be on your network. Although many companies have implemented solutions and systems to support 802.1X, it’s surprisingly one of the standards that often gets overlooked or not fully deployed.
Endpoint Reporting
This has become a huge issue for enterprises as they expand the prevalence of IoT devices on their networks. We’re seeing IoT environments with all assets connected to both wired and wireless networks. These devices are busy gathering data and in some cases, actuating and reporting on that data. This makes these devices attractive targets for hackers. Seemingly innocuous things like printers are extremely easy points to exploit and use as a jumping off point to launch an attack inside the organization. Take regular inventory lists of all devices and make sure they are secured both on wired and wireless networks. Here’s a shocker: many of these assets can be configured to support 802.1X authentication. It is a tremendous amount of work to do this, which is why many organizations don’t go through the trouble to secure them. If this sounds like your org, call in for reinforcements. In another blog post, we talked about how to secure IoT environments in more detail. Closing these gaps yields a big return on security, and can save your company thousands of man-hours and expenditures by preventing breaches from happening. Yes, 802.1X can be complex and tedious to configure in some instances, but it’s critical. It should be a priority in any security plan, in any size company. Again, if it’s not something your security team has the bandwidth to manage, call in for reinforcements. 
" ["post_title"]=> string(53) "How to Close the Top 3 Gaps in Network Access Control" ["post_excerpt"]=> string(0) "" ["post_status"]=> string(7) "publish" ["comment_status"]=> string(4) "open" ["ping_status"]=> string(4) "open" ["post_password"]=> string(0) "" ["post_name"]=> string(22) "network-access-control" ["to_ping"]=> string(0) "" ["pinged"]=> string(0) "" ["post_modified"]=> string(19) "2020-07-08 17:11:51" ["post_modified_gmt"]=> string(19) "2020-07-08 17:11:51" ["post_content_filtered"]=> string(0) "" ["post_parent"]=> int(0) ["guid"]=> string(28) "http://www.alagen.com/?p=702" ["menu_order"]=> int(0) ["post_type"]=> string(4) "post" ["post_mime_type"]=> string(0) "" ["comment_count"]=> string(1) "0" ["filter"]=> string(3) "raw" } [1]=> object(WP_Post)#3218 (24) { ["ID"]=> int(728) ["post_author"]=> string(1) "5" ["post_date"]=> string(19) "2019-02-07 16:37:01" ["post_date_gmt"]=> string(19) "2019-02-07 16:37:01" ["post_content"]=> string(7936) "Many businesses find Alagen when looking for a specific piece of technology to purchase. Perhaps you’re looking for the latest in firewall solutions or email security tools. The security consulting industry has done a good job of training businesses to start with the tech and build out from there. We do the exact opposite. From where we’re sitting, every business we see is unique. Just because a certain technology is the best in its class, doesn’t necessarily mean it’s the best for your organization. That’s why we don’t exist to sell best-in-class technology. In fact, we aren’t even a reseller — largely because not every problem even needs a technology. We start with your business, your security challenges, and from there, build out a customized solution that’s just right FOR YOU. Then, we follow through with a thoughtfully implemented and tested enforcement plan. Visibility tools and other control technology almost identify themselves once the hard work has been done. 
It’s a philosophy that has helped us grow (without any sales or marketing) from a couple of clients in 2010 to successfully serving companies all over the world. Our approach works. Here’s how we do it.
Start with Needs, Not Security Solutions
We always recommend clients approach their program and technology journey by bringing the business into focus. After all, your business — the reputation, assets, IP, data, and people — is what’s being protected. You wouldn’t purchase a home security system before considering how it fits your house. You’d likely end up with too many motion detectors or not enough window contacts. Surprisingly, that’s how we see many security departments build out their programs. As a technical community, we’re very good at buying technology and chasing the latest trends. However, we are not very good at making sure that technology aligns with business needs and security frameworks. As a consultancy, we apply the phrase “technical debt” to these situations — a stack of minimally deployed technology that was chosen as the easy path instead of a better approach that would’ve taken slightly longer. Plans and purchases need to be sized to the business’ risk profile, budget, maturity level, organizational capabilities and threat landscape. Otherwise, they end up misconfigured and leaving the company vulnerable.
Identify Critical Data
The security needs across your assets are not always equal: they vary in associated risk and value. Some data is more critical than other data. Some data might need to comply with a regulatory framework, such as PCI, HIPAA, or FedRAMP. And chances are, your data lives across many different assets, locations, and layers, which can make your protection plan that much more complex. Understanding these factors will drive better decision making when it comes to controlling access to these assets.
Define Who Needs What Access
Another often overlooked factor is understanding the landscape of connectivity methods and potential sources that can reach these assets. Do you have guest Wi-Fi or student networks; third-party connections through internet or VPN; uncontrolled port access in corporate and visitor spaces; web-based applications or mobile platforms? Knowing the access methods available gives your team far greater decision-making power to understand and secure them using appropriate policy and control technology. Closing any gaps in network access control is critical. By taking inventory of assets, you can better organize them, apply targeted technology and controls, focus penetration testing, and not waste resources on things that aren’t a priority.
Don’t Confuse Compliance with Security
So often we see this false sense of security. Compliance requirements are there for good reason and need to be met. Failure to do so comes with repercussions including resultant fines, massively distracting scrambles to fix the issues, reputational damage, and potentially nullifying cybersecurity insurance coverage. But, as a security risk assessment would show, meeting compliance alone generally falls short of your needs. A tight-fitting security program tailored for your business better protects your organization, and often requires only slightly more effort and planning than simply being compliant.
Consider People, Process, Technology
It’s not just a buzz-phrase that you’ve heard a hundred times. Okay, maybe it is. But it’s a critically important 3-legged stool when it comes to security. All are needed and each contributes significantly to your effective security plan. The common danger here is to think a technology solution alone is enough.
People
- Are they enabled and do they have the skills to adequately monitor and operate needed technology solutions?
- Can they be proactive or are they overwhelmed by reactive work? Do you need to staff up, augment or bring in SMEs?
- Are they familiar with your organizational policies and processes that govern the organization?
Process
- Do processes support the business-aligned security governance or framework in place so there is continuity throughout the organization?
- Do you have proactive procedures in place, or do you rely on reactive response?
- Is visibility given to all necessary parties, or do you suffer from siloed operations?
- Are there tools in place monitoring effectiveness and feeding back successes or failures to promote continuous adaptation and innovation?
Technology
- Is your network properly configured to balance access and security?
- Are your security solutions optimized to deliver promised and needed capabilities?
- Do you have the right tools to achieve your security program’s goals?
- Not every organization can support all technologies — are yours too advanced/expensive/operationally intensive?
- Do gaps exist between your point solutions that leave vulnerabilities?