High Availability and Contingency and Risk Management in Information Security

Risk management describes information security risk both quantitatively and qualitatively, allowing companies to prioritize risks according to their severity and thus ensure business continuity.

Risk management determines the value of an information asset, identifies the applicable threats and vulnerabilities that exist (or could exist), identifies the existing controls and their effects on the identified risks, determines the potential consequences, and finally prioritizes them.

Given this definition, how can a company develop a risk management strategy? What are the main risks associated with Information Security? Also, find out what High Availability and Contingency have to do with risk management and how they differ in keeping your system secure.

Keep reading this article and learn how risk management in information security can contribute to your business continuity.

How does Information Security Risk Management work?

Risk management in information security is the process associated with the use of information technology. It involves identifying, assessing, and addressing risks to the confidentiality, integrity, and availability of a company’s assets.

The ultimate goal of this process is to address risks according to a company’s risk tolerance. Companies should not expect to eliminate all risks. Instead, they should seek to identify and achieve an acceptable level of risk for business continuity.

How to develop an Information Security Risk Management strategy?

Managing risks is an ongoing task, and your success will depend on how risks are assessed, plans are communicated, and functions are maintained. Identifying the people, processes, and technologies required to deal with the steps below gives you a solid foundation for a risk management strategy and program in your company, which can be developed over time.

Identification

This stage is the process of identifying your digital assets, which can include a wide variety of information: confidential company information, such as product development and trade secrets; and personal data that can expose employees to cybersecurity risks, such as identity theft regulations. Another example is those companies that handle credit card transactions and need PCI-DSS compliance.

Assessment

This is the process of combining the information you have gathered about assets, vulnerabilities, and controls to define risks. There are many structures and approaches to this.

Treatment

Once a risk has been assessed and analyzed, the company will need to select the risk treatment options. In this scenario, companies can accept the risk or prevent it.

Communication

Regardless of how risk is handled, the decision needs to be communicated within the company. Stakeholders need to understand the costs of addressing or not addressing a risk and the reason behind the decision. Responsibility and accountability need to be clearly defined and associated with individuals and teams in the company to ensure that the right people are engaged at the right times in the process.

Main risks associated with Information Security

Security risks are inevitable, so the ability to understand and manage risks for systems and data is essential to a company’s success. 

If you are able to address the risks below and respond effectively to security incidents, you can find out how to better resist cyber threats and reduce potential risks in the future.

Privilege Abuse

In most technology environments, the principle of least privilege is not followed. There are many reasons why a user may have been granted more privileges than necessary.

Granting excessive permissions is problematic for two reasons. First, approximately 80% of attacks on corporate data are actually performed by active or dismissed employees. Second, privileges excessively granted or not revoked at the right time make it simple for someone to perform malicious actions.

Third-party Access

A number of third parties, including suppliers, contractors, consultants, and service providers have access to network resources, which allows them to modify, replace, or impact your company’s operational service. This access is considered privileged and needs to be even more protected than the access by an employee.

Companies apply efforts to protect their networks, but forget about third-party access security controls. These controls can protect third-party access to privileged credentials, as well as strengthen security aspects that are normally exploited by attackers to gain access to the corporate network.

Insider Threats

When it comes to data breaches, employees themselves can be one of the biggest risks to an organization. These threats can be: accidental, when personnel are simply poorly trained; negligent, when employees try to bypass implemented policies; or malicious (the most dangerous), when an employee is motivated by financial gains, espionage, or revenge.

HA (High Availability) and DR (Disaster Recovery / Contingency) as metrics for Risk Management

Any good system these days must be built to expect the unexpected. No system is perfect and, at some point, something will happen that will cause a system to malfunction (a fire, a hurricane, an earthquake, human error – the list goes on). Since systems can fail in different ways, they need to be designed with the expectation that a failure will occur.

Thus, there are two related, but often confused, aspects of system architecture that mitigate failures: high availability (HA) and disaster recovery (DR).

High availability simply eliminates single points of failure, and disaster recovery is the process of putting a system back into an operational state when it goes down. In essence, disaster recovery is triggered when high availability fails.

Fundamentally, high availability and disaster recovery have the same goal: to keep systems up and running in an operational state. The main difference is that high availability is designed to deal with problems when a system is running, while disaster recovery must deal with problems after a system failure.

Regardless of a system’s high availability, any system in production, no matter how trivial, needs to have some kind of disaster recovery plan in place. And this should be included in your information security risk management strategy.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Segura®
Segura® strives to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

The function of APIs in the integration between the solutions

Digital transformation offers a series of benefits for companies of all sizes and industries. However, the results achieved by this transformation are not obtained without challenges. The new digital age has led to an exponential increase in the amount of data, applications, and systems. And they all need to communicate continuously and securely so that the benefits of digital transformation are achieved. 

The integration of these applications and systems through APIs allows applications to communicate and share information.

Using an API-based integration to create and manage connections between applications is extremely challenging. API integration allows a solution to develop and provide connections between all the applications and systems that your company needs to connect with nowadays. 

Find out below the role of APIs in the integration between solutions and learn about the main challenges associated with this technology.

What is an API?

In general terms, an API (Application Programming Interface) is a set of programming instructions that allows a software application to communicate directly with another. Through this communication, one application can cause the other to perform a variety of tasks, from returning a reply to a specific query to starting a more complex procedure.

Here is an analogy that can help you understand the concept. Imagine sitting in a restaurant and reading the menu. While the menu lists everything you can order, the real ingredients and activities needed to prepare the meal are stored in the kitchen.

To access the meal, you place an order with a waiter or waitress, who takes the order back to the kitchen staff. When the food is ready, they will take it to you. In this way, the APIs are like the waiting team, while the menu and the kitchen are like the different applications.

Where are the APIs used?

The examples of APIs in action are numerous. Did you order a ride on Uber? You can thank the APIs for making this possible. They are the ones that allow the ride-sharing app to communicate seamlessly with Google Maps and any form of payment you choose, so you can select a location, ask for a ride and pay for the service, all in one place.

In the payments industry, APIs allow people to make payments online, check when bills expire, control their finances, and conduct a variety of other payment-related activities. In fact, almost all online activities depend on APIs in some way.

The importance of API documentation

To use the services enabled by the APIs, consumers only need to interact with whatever interface they are using. Take Google search as an example. To successfully search for something on Google, the user does not need to know what is going on behind the scenes, so to speak. They just need to know how to navigate the interface.

For developers, it is an entirely different matter. Consider a developer who designs a new app for consumers looking to control their finances. The software engineer needs to configure the application so that it can successfully communicate with the user’s bank via that bank’s API. To make this work, the software developer needs to know what information the bank’s API requires and what responses (or actions) the bank will provide.

Fortunately for developers, APIs must be properly documented. This API documentation should provide technical instructions on how to connect and use an API effectively, and detail exactly what an application needs to send to the API to make it work and what the possible results are.

The restaurant analogy above can help illustrate the importance of documentation. You cannot order an appetizer by saying something meaningless to the waiter. In addition, the options available to you depend on what is on the menu and what ingredients are in the kitchen. If you start ordering items that are not on the menu or order something that is out of stock, you will not get what you want. Therefore, the menu, combined with knowing how to order correctly with the waiter, serves as documentation.

Challenges with APIs

Going back to the example of a developer who creates a financial management application, the application needs to be able to speak to different banks. Since each bank can have its own API, the developer must be familiar with the documentation for each API. What works for one bank may not work for another.

Other challenges related to the use of APIs for integration between solutions are:

Technological Complexity

The development of a seamless integration module requires extensive knowledge of technology. Finding a highly-qualified and experienced development team, willing to elaborate the integration for your system, is one of the biggest challenges for your project. 

Security Risks

Cybersecurity is a major concern for companies. The results of API abuse, such as breaches and data loss, can affect a company’s reputation and finances, not to mention the damage that can be done to end customers. Data breach methods are becoming more sophisticated, which means that improper integration can become a gift for people with malicious intent. That is why keeping your integration secure with another system requires constant control and improvement. 

Maintenance and Upgrade

Establishing the integration between systems is not the end of the story. You will need IT staff or at least one developer to maintain and update the integration. Otherwise, any functional changes made to the system can disrupt the entire process of accessing and handling data. Besides, your customers can request personalized modifications and improvements at any time.

Systems Diversity

There is a wide range of styles of software and API architecture. Given that each system has its specific logic, each integration has its unique challenges. When it comes to integration with multiple platforms, it takes a lot of time and extensive knowledge to learn each of the systems. Therefore, if you are planning multiple integrations, you should be aware that establishing a connection with each terminal will not be faster or easier than with the previous ones.

Conclusion

APIs are essential for digital transformation and the creation and development of innovative business models. They are the foundation of the application economy, which can be developed faster, better, and at a lower cost.

APIs allow software to be complemented with third-party digital products or services to facilitate development. Also, a good API can help expand your brand’s presence in the market.

However, with the increased use of APIs, there is also a great potential for more security holes. The risk is great in most companies because the development team pays more attention to items such as functionality and agility than to the security aspect.

Therefore, developers need to understand the associated risks to keep customers’, suppliers’, partners’, and employees’ data secure, as well as create guides to ensure that developing their APIs does not create cybersecurity problems.

How to Implement the Principle of Least Privilege in your Corporation

According to a report recently published by Kaspersky, the number of users who have experienced some type of cyberattack in the first half of 2020 increased by 20,000%.

Also, the company BBOViz points out that Brazil is the second country that suffers the most threats from ransomware in the world, just behind India.

Alarming statistics show that protecting a corporation’s confidential data goes beyond mandatory legislation, as data leaks can generate financial and reputational losses as great as penalties for breaching data protection laws.

There are several reports from large companies that have been affected by some type of malware, significantly impacting their business goals. Braskem, for example, was affected by ransomware that had a major impact on its financial health, reducing its revenue by about 45%.

Another recent case occurred in a Chilean public bank, which suffered a ransomware attack that forced them to keep all their branches closed for a day and part of the branches for two days, strongly impacting their reputation – both in terms of image and finances.

Even though there are many reports of cyberattacks around the world, there have never been so many solutions to protect a corporation from them, such as the implementation of the principle of least privilege.

What is the principle of least privilege?

The principle of least privilege is one of the foundations of information security. Its main goal is to grant users access only to the environments that are required for them to perform their tasks. In other words, with the principle of least privilege, users do not access environments they do not require, avoiding internal threats, data leaks, and hacker infiltration in critical environments of a company.

Risks of not using the principle of least privilege

Allowing users privileged access to environments they do not need opens several security holes in a company. One example is granting Windows administrator privileges to employees: it allows them to install any malicious software, with or without malicious intent, and allows a hacker who breaks into the machine to install this malicious software, increasing business risks and the attack surface.

In addition, allowing users to have excessive privilege in cloud environments also leaves the company’s data vulnerable to attacks and internal threats.
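The two failure modes described here and under "Privilege Abuse" earlier on the page (privileges granted in excess, and privileges not revoked at the right time) can be checked mechanically by comparing what is granted with what each account should still hold. The following is an added example, not code from the original page or from the senhasegura product; the role baselines, account names, privilege strings and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set

# Constructed role baselines: the privileges each role needs for its tasks.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "helpdesk": {"ad:reset-password"},
    "dba": {"db:prod-admin"},
    "developer": {"repo:write", "cloud:dev-deploy"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    left_on: Optional[date] = None  # set once the employee has been dismissed


@dataclass(frozen=True)
class Grant:
    user: str
    privilege: str


@dataclass(frozen=True)
class Finding:
    user: str
    privilege: str
    kind: str    # ORPHANED, NOT_REVOKED or EXCESSIVE
    detail: str


def audit(accounts: Iterable[Account], grants: Iterable[Grant], today: date) -> List[Finding]:
    """Compare what is granted with what each account should still hold."""
    roster = {a.user: a for a in accounts}
    findings: List[Finding] = []
    for g in grants:
        acct = roster.get(g.user)
        if acct is None:
            # Nobody in HR owns this account, so nobody will ask for revocation.
            findings.append(Finding(g.user, g.privilege, "ORPHANED",
                                    "no owner in the HR roster"))
        elif acct.left_on is not None and acct.left_on <= today:
            # Privilege not revoked at the right time.
            overdue = (today - acct.left_on).days
            findings.append(Finding(g.user, g.privilege, "NOT_REVOKED",
                                    f"still granted {overdue} days after dismissal"))
        elif g.privilege not in ROLE_BASELINE.get(acct.role, set()):
            # Privilege greater than the role requires (unknown roles need nothing).
            findings.append(Finding(g.user, g.privilege, "EXCESSIVE",
                                    f"not needed for role '{acct.role}'"))
    return sorted(findings, key=lambda f: (f.kind, f.user, f.privilege))


# Constructed sample data.
ACCOUNTS = [
    Account("alice", "helpdesk"),
    Account("bruno", "dba", left_on=date(2020, 6, 1)),
    Account("carla", "developer"),
]
GRANTS = [
    Grant("alice", "ad:reset-password"),
    Grant("alice", "windows:local-admin"),   # Windows administrator rights on a workstation
    Grant("bruno", "db:prod-admin"),         # dismissed, but still a production DBA
    Grant("carla", "repo:write"),
    Grant("carla", "cloud:prod-admin"),      # excessive privilege in a cloud environment
    Grant("svc-legacy", "db:prod-admin"),    # account with no owner
]

if __name__ == "__main__":
    for f in audit(ACCOUNTS, GRANTS, today=date(2020, 7, 1)):
        print(f"{f.kind:<12} {f.user:<11} {f.privilege:<20} {f.detail}")
```
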

How to implement the principle of least privilege 

Through the senhasegura solution, you have several security locks that ensure users access only the environments required by them. Besides monitoring the way the user is performing privileged access, the senhasegura solution registers, records, and notifies those responsible for information security about any malicious activity within the privileged session.

Through this simple practice, companies significantly reduce the chances of a cybercriminal accessing sensitive company data and extracting information.

Request a free demo of the senhasegura solution and learn how the principle of least privilege will change your company’s cybersecurity situation.

The importance of protecting your company’s User Identities

With the increase in phishing attacks all over the world due to the outbreak of COVID-19, companies are reassessing the efficiency of their information security systems, since the home office opens loopholes in a company’s security for this type of malware.

One of the first steps to ensure your company is secure is protecting user identities, so that in the event of a cyberattack on your corporation, the databases containing personal, sensitive, and financial information are protected by a PAM solution.

In addition to preventing leaks of personal data, privacy abuse, loss of reputation, and financial disasters, your company complies with data protection laws, such as the LGPD (General Data Protection Law) and GDPR (General Data Protection Regulation).

Even though it is a fundamental practice for information security, many companies ignore good practices for PAM and do not protect user identities as they should, opening loopholes for information security.

The importance of protecting your user identities

With a PAM solution, all the company’s critical data is protected, since access to this data requires one of the privileged credentials, also known as user identities.

The only people who must use these identities are those who need to access the environments to perform their tasks, so the number of people with this type of access is limited.

There are reports of hackers being able to steal these user identities through malware, such as phishing.

Typically, the goal of this type of attack is to target someone at the top of a company, such as directors and coordinators, and collect sensitive information from the corporation, such as the high-privilege credential of these people. 

According to Gartner, 95% of these attacks happen via email, which makes it difficult to detect their installation on a machine or network infrastructure, leaving the entire corporation vulnerable.

How to protect your user identities

Some practices are critical to maintaining the security of corporate user identities, such as managing privileged credentials.

Discovering compromised identities quickly is not an easy task, but using a complete PAM solution that detects suspicious actions within the privileged session quickly is the best way to keep your company secure.

Besides recording all actions taken, your PAM solution must notify you in real-time when any suspicious activity occurs, so that the person responsible for managing this can take appropriate measures, allowing a quick response to incidents and reducing operational costs.

In addition, it is important to check the expiration of the digital certificates of your company’s access environments. Being unaware of the expiration of a certificate opens many security holes in a company.
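One way to run the expiration check described above, as an added example that is not part of the original article or of any vendor product. The host names and dates in `INVENTORY` are constructed; the date strings use the text format that Python's `ssl.SSLSocket.getpeercert()` returns in its `notAfter` field.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


def expiry(not_after: str) -> datetime:
    """Parse the text form used by SSLSocket.getpeercert()['notAfter']."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def classify(not_after: str, now: datetime, warn_days: int = 30) -> Tuple[str, int]:
    """Return (status, whole days left); days are negative once expired."""
    remaining = expiry(not_after) - now
    if remaining <= timedelta(0):
        status = "EXPIRED"
    elif remaining <= timedelta(days=warn_days):
        status = "EXPIRING"
    else:
        status = "OK"
    return status, remaining.days


def report(inventory: Dict[str, str], now: datetime,
           warn_days: int = 30) -> List[Tuple[str, str, int]]:
    """Most urgent certificate first."""
    rows = [(name,) + classify(not_after, now, warn_days)
            for name, not_after in inventory.items()]
    return sorted(rows, key=lambda row: row[2])


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Read notAfter from a live endpoint (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An expired or otherwise untrusted certificate fails the handshake,
        # so getpeercert() is never reached. Report it instead of hiding it.
        raise RuntimeError(f"{host}: certificate rejected: {exc.verify_message}") from exc


# Constructed inventory of access environments and their certificates' notAfter.
INVENTORY = {
    "vpn-gateway.example.internal": "Jul 20 12:00:00 2020 GMT",
    "pam-portal.example.internal": "Jun 01 00:00:00 2020 GMT",
    "jump-host.example.internal": "Mar 15 00:00:00 2021 GMT",
}

if __name__ == "__main__":
    today = datetime(2020, 7, 1, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for name, status, days in report(INVENTORY, today):
        print(f"{status:<9} {days:>5} days  {name}")
```
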

The senhasegura solution ensures these and other measures to protect user identities, eliminating every security hole in your company when it comes to PAM.

Request a demo and find out why senhasegura has the best score (4.9/5) among competitors on Gartner Peer-insights.

Main risk trends for information security in 2020

Due to COVID-19, CISOs have had to pay closer attention to planning an efficient information security strategy. To help in this task, Gartner has published a very interesting report, which pointed out some security trends and risks for information security in 2020.

According to Peter Firstbrook, VP Analyst at Gartner, “The pandemic and the resulting changes in the business world have accelerated the digitization of business processes, endpoint mobility, and the expansion of cloud computing in most organizations.”

As a result, many companies have revised their remote access policies and migrated to cloud systems, increasing productivity and information security risks. Check out the main trends that Gartner has listed:

XDR

Through XDR (External Data Representation) solutions, the detection of threats becomes faster and more accurate in emails, endpoints, servers, networks, etc.

Task Automation

Through automation tools, tasks that are performed repeatedly are done in a faster, scalable way, without errors and risks to a company’s information security.

It is recommended that this automation be done in repetitive tasks so that professionals focus on functions that demand more time and will have a greater impact on the company’s security.

Artificial Intelligence

Through the use of artificial intelligence in your company’s information security, it is possible to protect digital business systems, combine it with packaged security products to enhance security defense capabilities, and prevent the improper use of artificial intelligence by attackers.

Enterprise-level CSOs

With the significant increase in cyber-physical attacks, hiring CSOs is becoming a trend across companies.

In addition to adding to IT security, these professionals also work in OT security, physical security, supply chain security, product management security, etc. This significantly reduces the risks to information security.

Privacy

Since the enactment of data protection laws such as LGPD and GDPR, data privacy has become an obligation. It affects the entire corporation and requires collaboration from all areas, such as IT, HR, legal, management, etc.

Digital Security and Trust

The importance of maintaining consumer security at points of contact has become an advantage for companies.

Having a team focused on the administration of all points of contact makes the exchange of information both secure and complete, regardless of the means of contact chosen by the customer, which reduces the risks to information security.

Zero-trust Network Access Technology

Access to environments through VPNs tends to decrease. Through Zero-trust Network Access (ZTNA), companies have greater control over remote access.

ZTNA only communicates with the ZTNA service provider and can only be accessed through the ZTNA provider’s cloud service, which avoids information security risks.

What you need to do for an effective privileged access management

Managing privileged access to a corporation has become an obligation almost everywhere in the world. Laws such as the LGPD (General Data Protection Law) and GDPR (General Data Protection Regulation) oblige companies to maintain the integrity and security of the data providers’ personal information.

Also, companies operating in countries that do not have data protection laws yet are subject to great pressure from the market to adopt certifications that guarantee the integrity and security of personal data, such as ISO 27001, NIST’s Cyber Security Framework, and PCI DSS.

One way that companies have found to comply with these standards is by adopting an efficient privileged access management solution. When implementing this type of solution, however, companies face great difficulty in integrating the 3 phases of privileged access management to cover the complete cycle of these accesses.

To help you in this task, we have separated the 3 fundamental phases so that you can see whether your privileged access management solution handles accesses in a broad and efficient way. Check them out:

Before

In order to have a broad and efficient privileged access management, it is necessary to pay special attention to the initial phase of managing privileged credentials.

This phase is responsible for provisioning and guaranteeing access to certified machines and privileged credentials through digital certificates, passwords, and SSH keys. Therefore, it is really important.

During

This is the part where privileged access management actually takes place, making it possible to track all user activities in the privileged session in real time, monitor, and analyze suspicious behaviors from users and machines, etc.

Having a solution that can define and limit the tasks that a privileged session will be allowed to perform is essential for your company’s information security to succeed.

After 

After performing the two previous phases, it is important that your privileged access management solution records every action taken in the privileged session. Through this audit, your company can ensure that there are no security breaches during the sessions, record all actions performed by users and machines, and view the privileged session recording.

Points that require attention

Companies find it very difficult to implement this type of technology, since most suppliers do not offer integrated support in which the 3 phases of the management of privileged credentials are interconnected. As a result, companies end up hiring more than one solution, so that each one performs a different part of the task.

Unlike other solutions, senhasegura offers the market an integrated solution, through which it performs the 3 phases effectively in just one environment, facilitating the management of privileged credentials and keeping your company secure, free from fines and leaks of sensitive data.

Click here and see in detail how the 3 phases of senhasegura’s privileged access management work. 

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Segura®
Segura® strives to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

The fundamental principles for creating an efficient information security project

According to Gartner – an Institute with a focus on researching, executing programs, and consulting and recommending efficient technologies for its customers, such as digital security – there are some fundamental projects for a company to ensure information security in its environment. 

According to senior analyst director at Gartner, Brian Reed, people spend a lot of time analyzing the choices we make about security, wanting to achieve perfect protection that does not exist. For him, companies should look beyond basic protection decisions and also improve the organizational methodology through innovative approaches in order to detect and respond to a possible security incident.

Gartner has recently released some information security projects focused on risk management and detecting flaws in the execution of a company’s activities.

Today, we will simply and clearly show you what they are and how to implement these points to reduce the risk of data leaks, cyberattacks, and abuse of privilege in your company, without decreasing the productivity of your business. Check it out:

Remote Work Protection 

After the outbreak of COVID-19, many companies made the home office a permanent part of their business models and faced several issues in ensuring data protection efficiently.

You probably already know how your employees access workplaces remotely, but now it is time to analyze whether the privilege level is right for your employee to perform all of their tasks or if there is any unnecessary privilege granted.

Learn more: Cybersecurity and the Covid-19

Vulnerability Management

Assess the points in your company's environment and focus on the most vulnerable ones. Ideally, you should not perform this task alone: employees who use a given environment daily can help by bringing a broader view.

Cloud Security Management

It is of utmost importance that cloud applications allow automated protection so as not to lose the dynamics that tasks normally require.

DMARC

Through DMARC email authentication, organizations that use their email as a source of verification are better protected against forgery. DMARC adds another layer of security to the verification of the sender, identifying and preventing a fake domain from gaining access to an environment, which further increases the efficiency of your information security project.
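To make the sender check concrete, here is an added Python example (not part of the original article) of how a receiving mail server could apply a published DMARC policy: a message passes only if SPF or DKIM passed for a domain aligned with the visible From domain. The record, domains and authentication results are constructed, and the two-label organizational-domain shortcut is an assumption (real implementations use the Public Suffix List); the `pct` tag is not handled.

```python
"""Evaluate a DMARC policy for one received message (illustrative sketch)."""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags; raise ValueError if invalid."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("not a DMARC record")
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags


def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # Production code must consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares org domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(record_txt, record_domain, from_domain, spf, dkim):
    """Return (dmarc_result, requested_disposition).

    spf and dkim are (result, authenticated_domain) tuples produced by the
    upstream SPF and DKIM checks; record_domain is where the record was found.
    """
    tags = parse_dmarc(record_txt)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # A From subdomain without its own record falls under sp= when present.
    is_subdomain = from_domain.lower() != record_domain.lower()
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", policy.lower()


# Constructed record for the placeholder domain example.com.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    cases = {
        "legitimate": ("example.com", ("pass", "bounce.example.com"), ("none", "")),
        # SPF and DKIM both pass, but for another domain: not aligned with From.
        "forged From": ("example.com", ("pass", "mailer.example.net"), ("pass", "example.net")),
        "forged subdomain": ("news.example.com", ("fail", "news.example.com"), ("none", "")),
    }
    for name, (from_dom, spf, dkim) in cases.items():
        print(name, evaluate(RECORD, "example.com", from_dom, spf, dkim))
```

The second case is the one DMARC exists for: SPF and DKIM alone report "pass" because the message authenticates for the sender's own infrastructure, and only the alignment check ties that result to the domain the recipient actually sees.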

Importance Classification 

Your information security project must be classified by importance. After all, sensitive data such as reports, forecasts, agreements, and databases must have a greater layer of protection than any other environment.

From these definitions, you can prioritize the areas that should be protected the most.


9 Essential Features or Good Practices for a Privileged Access Management Solution (PAM)

It is undeniable that the use of a privileged access management solution (PAM) considerably improves a company’s information security. But what many do not know is that there are some essential features or recommendations for a PAM solution to guarantee information security efficiently.

Today, we list the 9 essential features or good practices that a privileged access management solution must have to ensure its success as a PAM.

Learn more: Quick Guide – PAM Best Practices

1 – Privileged Session Recording

It is essential that your privileged access management solution has the privileged session recording feature to record, in video and text, the actions performed by the user within the system while using a privileged credential.

This is one of the main tools to check if users are performing actions relevant to their tasks, ensuring the confidentiality of the company’s sensitive data and that all actions are tracked and audited.

For a good privileged session recording, check with the PAM solution provider if the tool allows the storage of session record files and audit logs to prevent users from editing their activity histories and damaging your entire monitoring system.

2 – Review of Privileged Credentials 

In order to ensure good information security, one needs to perform recurrent preventive practices, such as managing their company’s privileged accounts.

A solution that does not have this feature – or has a flawed one – leaves many security holes, allowing a possible cyberattack.

With this feature, it is possible to gather all active privileged credentials and check the privilege level of each one, reviewing whether it makes sense for users to have access to such environments, in addition to removing credentials that are no longer used, such as those of employees who were dismissed from the company.

3 – Credential Management

In order to mitigate the risks of data leaks, in addition to reviewing access to privileged credentials, it is necessary to manage them through an automatic password change feature, be it by predetermined use, period, or time.

This prevents users from sharing passwords or improperly accessing anything outside the solution.
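The review in item 2 and the periodic password change in item 3 can be expressed as one recurring check over the credential inventory. The following Python example is added here for illustration and is not code from any PAM product; the inventory fields, role levels, staff list and the 90-day and 30-day thresholds are all assumptions, and the data is constructed.

```python
"""Recurring review of privileged credentials (illustrative sketch)."""
from datetime import date

# Constructed data. Field names, roles and levels are hypothetical.
ACTIVE_STAFF = {"alice": "dba", "bob": "helpdesk", "carol": "sysadmin"}
ROLE_MAX_LEVEL = {"helpdesk": 1, "dba": 2, "sysadmin": 3}  # highest level per role
CREDENTIALS = [
    {"id": "db-root", "owner": "alice", "level": 2,
     "last_used": date(2024, 5, 28), "rotated": date(2024, 5, 20)},
    {"id": "dc-admin", "owner": "bob", "level": 3,
     "last_used": date(2024, 5, 30), "rotated": date(2024, 5, 25)},
    {"id": "fw-admin", "owner": "dave", "level": 3,  # dave has left the company
     "last_used": date(2024, 4, 15), "rotated": date(2024, 3, 1)},
    {"id": "legacy-app", "owner": "carol", "level": 3,
     "last_used": date(2023, 11, 1), "rotated": date(2023, 10, 1)},
]


def review(credentials, staff, role_max, today, unused_days=90, rotation_days=30):
    """Return {credential_id: [issues]} for every credential needing attention."""
    findings = {}
    for cred in credentials:
        issues = []
        role = staff.get(cred["owner"])
        if role is None:
            # Owner is not an active employee, e.g. dismissed staff.
            issues.append("orphaned")
        elif cred["level"] > role_max.get(role, 0):
            # Privilege level exceeds what the owner's role justifies.
            issues.append("excess-privilege")
        if (today - cred["last_used"]).days > unused_days:
            issues.append("unused")
        if (today - cred["rotated"]).days > rotation_days:
            issues.append("rotation-overdue")
        if issues:
            findings[cred["id"]] = issues
    return findings


def recommended_action(issues):
    """Map the issues found on one credential to a single follow-up action."""
    if "orphaned" in issues or "unused" in issues:
        return "remove"
    if "excess-privilege" in issues:
        return "review-access"
    return "rotate-password"


if __name__ == "__main__":
    report = review(CREDENTIALS, ACTIVE_STAFF, ROLE_MAX_LEVEL, date(2024, 6, 1))
    for cred_id, issues in report.items():
        print(cred_id, issues, "->", recommended_action(issues))
```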

Learn More: Machine Identity and Digital Certificate Management

4 – Two-Factor Authentication

The main solutions on the market require two-factor authentication from the user, usually through an OTP (One-Time Password). It is also possible to send an SMS or an email with a confirmation code for someone to be able to use the privileged credential.

This type of feature makes it difficult for unauthorized people to use the privileged user’s credential.

5 – Backup

One of the most important parts of a PAM solution is the automatic backup feature. Even with all the security locks in place, the backup serves as one of the last information security safeguards.

This ensures that even with leaked and/or deleted data, the company is able to have access to all data protected by the privileged access management solution.

6 – Strong Passwords

This practice is very simple and essential. A company can implement a PAM password vault and make privileged credentials available to users. However, there must be some kind of guarantee that all privileged credentials have strong passwords that are difficult to break with malicious software.

The ideal is to guide the user to create a password that mixes upper and lower case letters, numbers, and special characters, with at least 8 characters.

Learn more: Best Practices Manual for PAM

7 – Emergency Access 

In the event of any abuse of privilege in your company, it is important to have a last-resort security feature, the break-the-glass functionality, for when any type of system unavailability occurs, be it a product or infrastructure failure or even a cyberattack. In that situation, the person responsible for information security has the autonomy to retrieve their privileged credential through a segregated backup file.

This type of feature prevents technological lock-in, and there is no way for the user to resort to the occurrence.

8 – Notification of Suspicious Actions

Whenever there is a suspicious action within a privileged session, in addition to having several security locks, your PAM solution must notify those responsible for information security to take appropriate measures.

9 – Access Reporting

Finally, access reporting is important so that the responsible person has a complete view of the actions performed through privileged sessions, allowing the identification of security breaches and points for improvement. A complete set of reports optimizes time and work, as there is no need to conduct audits from session to session.


Cyberattack: another big company is a ransomware victim

Another cyberattack with devastating consequences for financial institutions. The target now was BancoEstado, one of the three largest Chilean banks, which was affected by ransomware on September 6. According to a statement to Chile’s Cybersecurity Incident Response Team (CSIRT), the cyberattack is believed to have involved the Sodinokibi ransomware, also known as REvil.

On the 6th, the bank informed through a statement that it had detected malicious software in its operating systems and that their platforms could have some kind of unavailability due to the incident. However, ATMs and Internet Banking were not affected, nor were the resources of its customers or the institution itself. It is believed that the attack, again, was orchestrated through Social Engineering, when one of the bank’s employees opened an Office document infected with the virus.

By compromising the employee’s machine, the attacker was able, through lateral movement, to infect more than 12,000 endpoints and affect the operations of all 416 branches of the Chilean bank.

After detecting the cyberattack on the 5th, Saturday, BancoEstado reported the incident to the Comisión para el Mercado Financiero (CMF), the equivalent of our Securities and Exchange Commission (CVM), which soon issued an alert to the Chilean banking system.

Long lines formed in the days following the cyberattack in front of BancoEstado branches. Account holders have complained on Twitter about various anomalies in their accounts, such as uncredited transfers to destination accounts, as well as lack of access to investment accounts, and inconsistent data in the amount totals. At the same time, there are reports that cybercriminals have started spam campaigns on behalf of the bank to capture customer credentials.

An attack of this magnitude indicates major flaws in the control of access to internal networks, including the absence of an efficient monitoring and response system. This involves the lack of computational and human resources for adequate response to incidents.

Another organization that fell victim to the same ransomware that hit BancoEstado was Telecom Argentina, the country’s largest telephone operator, in July this year. In this specific case, the amount demanded was US$7.5 million.

Learn more: How to protect your company from insider threats?

But, what is the Sodinokibi ransomware and how does it work?

Sodinokibi is a family of ransomware that affects Windows systems and encrypts important files, demanding a cash payment to decrypt them. The ransomware creators are also associated with another piece of malicious software, GandCrab, which was already linked to approximately 40% of global ransomware infections before being retired by its creators in June 2019. This gives an idea of Sodinokibi's potential for infection.

The first difference noticed by users when having their device infected by ransomware is an infection warning, when the files are already encrypted. The ransom instructions are also visible on the user’s Desktop.

More than ever, cyberattacks through ransomware are among the biggest risks for organizations of all sizes and industries. According to the Mid-Year Threat Landscape Report 2020, there was a 750% increase in attack attempts through malicious software involving ransoms. And not only is the number of these attacks increasing but so is their sophistication.

In many cases, malicious attackers threaten to leak their victims' encrypted data, something that can compel them to pay the high amounts demanded as a ransom. One of the reasons is the heavy sanctions that organizations are subject to in case of data leaks. If the leak involves personal data of European citizens and the organization is subject to GDPR, the fine could reach up to 50 million euros. If it takes place in Brazil and the LGPD is applied, this amount can reach up to 50 million reais.

One of the ways to mitigate the risks associated with a ransomware infection is to ensure that security updates are applied as soon as they are released by developers. By doing this, one can prevent malicious attackers from exploiting vulnerabilities to infect the environment. The implementation of features such as Multifactor Authentication is another strategy that prevents hackers from moving laterally through the environment and infecting even more endpoints.

Cybersecurity teams must also perform backups of their systems, as well as periodic testing as part of their disaster recovery and incident response plans. Thus, it is possible to guarantee that the systems are recovered without the need to pay a ransom.

Deploying a PAM solution such as senhasegura is also an excellent way to mitigate cybersecurity (and business) risks associated with ransomware infection.

Through our Privilege Elevation and Delegation Management solution, senhasegura.go, one can segregate access to sensitive information, isolating critical environments, and correlating events to identify any suspicious behavior. By controlling lists of authorized, notified, and blocked actions with different permissions for each user, senhasegura.go allows reducing the risks linked to the installation of malicious software and abuse of privilege, which can compromise the environment. Finally, through senhasegura, one can overcome the challenges of implementing controls for data protection legislation such as GDPR and LGPD, as well as PCI, ISO, SOX, and NIST regulations, with the automation of privileged access controls to achieve maturity in the audited processes.


How to protect your company from insider threats?

Any corporation is subject to some type of cyberattack, and it is essential to have a system that defends and maintains data integrity.

According to a report by Fortinet Threat Intelligence, Brazil has suffered more than 24 billion cyberattack attempts in 2019, a fact that reinforces the need to have efficient solutions against this type of threat.

Preventing external attacks is already very common within companies. However, according to the Verizon Data Risk Report, 34% of data breaches involve internal agents and 17% of all confidential files were accessible to all employees, which is a strong warning for companies to protect themselves from insider threats as well as external ones.

For this, it is recommended to implement technology that efficiently monitors privileged access by employees. To help you with this task, we have selected 3 practices for protecting your company from insider threats. Check them out:

1- Know who has access to privileged accounts

One of the biggest mistakes companies make is giving privileged credentials to too many users, which directly increases data breaches and the risk of leaks through insider threats.

You need to find out which people have access to protected environments, and ensure that people who do not need to access such environments do not have any kind of administrative credential, limiting the number of privileged users.

Ideally, credentials with a higher level of privilege should be controlled by those responsible for IT, so that there is no type of breach.

Learn More: So, what does Privileged Access Management mean?

2- Ensure user traceability

With the use of some technologies, you can know who acted, when, where, and what actions the user took during a privileged session, in addition to limiting the actions that can be performed in the environment.

Some solutions alert and block the user who performs any improper action and provide session recording for analysis.

3- Third-party access

If any type of service provided to your company is outsourced, there must be some kind of protection.

Ideally, any type of access to company environments should be monitored through a VPN dedicated to a specific application for a predetermined time.

The best way to ensure that there are no loopholes for insider threats in your company is by having a complete PAM password vault, which ensures protection from possible threats, monitors privileged sessions, and automates tasks.

senhasegura is one of the largest PAM solutions in the world according to Gartner. In addition to preventing data leaks and abuse of privilege and avoiding insider threats, the solution also provides protection against external threats. Moreover, the senhasegura implementation helps your organization to:

  • Apply the Security aspect in your DevOps pipeline, ensuring DevSecOps;
  • Perform the proper management of digital certificates;
  • Comply with LGPD and GDPR;
  • Ensure security in your Cloud environment.
