In the modern digital era almost everything has become digital, being stored or processed by electronic devices such as computers, laptops and mobile phones. All data stored on these devices are at great risk of damage, unauthorized access or other threats from inside or outside.
Most of these data are Personally Identifiable Information, clients’ business data or business strategic information, whose loss might cause great damage to the organization by impacting its reputation or revenue.
In this context, it is vital to protect the organization’s data and data processing facilities from these attacks.
CYBER SECURITY AT PERSONIV
Cyber security is the set of techniques and practices designed to safeguard Personiv’s networks, devices and information from external and internal cyber-attacks. Cyber security is also referred to as Information Technology Security or Computer Security.
Cyber security is the approach of defending Personiv’s networks, computers and data from attack, damage or unauthorized access by implementing various techniques and practices.
Cyber-attacks are usually aimed at accessing, changing or destroying sensitive information; extorting money from users; or interrupting normal business processes. Cyber security aims not only to prevent cyber-attacks but also to minimize financial losses and retain brand reputation. Cyber-attacks may arise from inside or outside the organization.
OBJECTIVE OF CYBER SECURITY
The cyber security approach aims to preserve the “Confidentiality”, “Integrity” and “Availability” of critical and sensitive information assets, including IT hardware, software, databases and information, so that they remain secure and accessible for processing by authorized personnel when required.
A successful cyber security approach has multiple layers of protection spread across the computers, networks and data. In an organization, the people, processes and technology must all complement one another to create effective security against cyber-attacks.
The people of an organization are the greatest weakness that an attacker can effortlessly exploit to gain access to the network or to sensitive information. Hence it is extremely important that employees at Personiv understand and comply with the Cyber Security policies and procedures.
To handle cyber-attacks, there must be effective processes and procedures to identify, report and respond to attacks, and to recover from them quickly and effectively without affecting Personiv’s reputation.
Advanced technology is essential to protect computers, networks and information from constantly emerging cyber-attacks. Common technologies used to protect Personiv systems are firewalls, DNS filtering, anti-virus management and malware protection systems. Personiv always stays on top of technology to keep its systems secure.
Nowadays, organizations find themselves attacked by both internal and external threats. It is critical that the organization identifies these attacks and takes the necessary actions before they cause severe damage.
POTENTIAL EXTERNAL CYBER THREATS TO PERSONIV
- Social Engineering
- DDoS -Distributed Denial of Service
SOURCES OF EXTERNAL CYBER THREATS
- Terrorist Organizations
- Organized crime groups
Various factors increase an organization’s exposure to insider threats, and there are not many technical controls to prevent them. An insider is anyone who has been granted access to information and other assets. Attacks can be accidental, negligent or malicious. Insiders include all employees, current or former, as well as subcontractors, partners or suppliers.
Insider threats are hard to identify as well as to protect against. If an employee has access to sensitive information or has privileged access to administrative activities, there is every possibility that a dissatisfied employee can do harm to the organization.
Personiv mitigates such high-risk activities by implementing various practices and procedures:
Enhanced Employee Screening
It is important to carry out the necessary background verification before appointing anyone to sensitive and critical roles in the organization. Background verification includes previous employment, family, instances of legal action and so on.
Employees should not be given full or excessive privileges to any sensitive information at any point in time. Only role-based access should be provided to employees, and these access rights must be closely monitored and regularly verified against the purpose for which the access was granted.
Security Training and Awareness
Regular training on the awareness of cyber security must be provided to all employees. Management oversight is of utmost importance in these instances.
When an employee is terminated, the organization needs to make sure ALL access is removed right away. Ideally, it needs to remove access while the person is getting the bad news.
Human Resource Policies
An organization, as its utmost priority, must define acceptable use and social media policies. At Personiv, we have a detailed social media policy and computer use policy.
CYBER SECURITY MEASURES AT PERSONIV
Information Security Policy
Personiv has established a robust Information Security Policy to secure its Information Systems. It provides a framework to protect computers, networks and sensitive information from cyber-attacks. The Information Security Policy also outlines the actions to be taken in order to preserve Personiv’s critical information and information processing facilities from unknown cyber-attacks from various sources.
Personiv regularly raises awareness among its employees through training and updates on cyber security threats of consequence to Personiv, and on how to handle them effectively. Personiv ensures that every employee understands the importance of Cyber Security and complies with the policies, processes and procedures in place. It is Personiv’s culture that every employee is an Information Security partner.
Top Management Commitment
Security measures are not possible without Top Management’s support and commitment. Top Management should ensure that the necessary resources are provided and that roles and responsibilities are assigned to ensure cyber security. At Personiv, Top Management exhibits complete commitment to defending against cyber-attacks by providing the necessary support and resources, and has assigned responsibility by appointing a Security Officer to monitor security activities.
Top Management has set up a committee to oversee Information Security threat mitigation activities; it is headed by the Site Head of the facility.
International management system standards such as ISO 27001 provide guidelines for Information Security. Personiv has implemented ISO 27001 for its facility with the aim of preserving the “Confidentiality”, “Integrity” and “Availability” of its critical and sensitive information and information processing facilities.
On the other hand, ISO 9001:2015 provides standards and guidelines for managing documented standard operating procedures for all activities within Personiv.
Regular internal audits are conducted by certified internal auditors to verify that the system conforms to the management system requirements as well as Personiv’s security requirements. Internal audits provide a great deal of information about the effectiveness of the current processes and procedures, as well as about the implementation and maintenance of the system.
Personiv conducts Vulnerability Scans/System audits to evaluate the system’s weaknesses and implements controls accordingly.
Personiv has a unique talent acquisition policy and procedure to select employees suited to its requirements. This policy outlines clear expectations and rules to be followed while choosing candidates, including screening and background verification.
PROCESSES & TECHNOLOGIES DEPLOYED
Having gained a good understanding of the dangers and the responses to them, the next step is to incorporate actions, tasks and rules into the daily running of the business, to limit both the occurrence of security compromises and the degree to which they affect our business. Below are some of the practices that keep our organization cyber secure:
Personiv has an appropriate network architecture that supports business requirements and helps the organization mitigate the risk arising from various threats.
Backups are used to recover lost, damaged or compromised information; the more up-to-date the backup, the quicker we can recover from a failure. Backing up assets and information protects us from losing information through accidental deletion, system failures, data corruption or theft.
For performing a backup, we use either closed storage or an external storage center.
Our operating systems are configured to back up data at frequent intervals. Full system backups are used to restore computers when the operating system is compromised and the system can no longer be accessed.
We back up all files and folders daily using the RHA (Replication High Availability) process. This is considered a good benchmark for backups by international standards.
A well-established Backup & Recovery Policy and procedure is implemented at Personiv to ensure that backup activities are carried out as per the policy and schedule.
Patch the Applications
Patching applications is one of the many activities we carry out to reduce cyber risk; it covers the patching of security vulnerabilities in security software, applications and operating systems. Millions of attacks are directed at businesses daily, with hackers trying to exploit vulnerabilities in existing software, and patching helps us keep that software secure. New exploitation methods are discovered daily. To combat this, we recommend regularly applying patches to all applications used at Personiv.
Monitor Remote Internet usage
When employees’ personal internet usage starts choking the bandwidth meant for business purposes, employee internet monitoring helps identify the user(s) responsible, the websites visited and the websites that consumed the bandwidth. Not visiting unintended sites for personal use and not clicking on unintended links or sources is considered one of the most important habits employees can adopt to prevent viruses or hackers from stealing company data or gathering information about it.
Management of Removable Media
Removable media are a key medium through which malware can be introduced into Personiv systems. Hence, their use is completely restricted on all systems and controlled by the antivirus application. Any activity involving removable media can be easily identified and reported by the system administrator.
There is no single mechanism that guarantees a secure system on the network, since any security framework can be subverted or compromised, if not from outside then surely from within. Ultimately, securing a system means implementing distinct layers of security so that an attacker must compromise two or more systems to gain access to critical assets. The first phase of enforcing policies is to define the policies that will be enforced. Security measures often constrain employees’ working practices and make some activities less convenient, which is why they must be laid down as formal security regulations. Network policies therefore govern how a system should be implemented and configured to streamline employees’ tasks under ordinary conditions, and also control how to respond when abnormalities occur.
This is done by identifying the different network segments with different security requirements while designing security for the network; some segments, on the other hand, will be openly accessible. Hence, to implement security for different divisions or subdivisions, perimeters are erected that can only be crossed by certain types of traffic, in the form of a public network, a private network and a semi-private network.
The boundaries of such network segments are established by devices such as routers, gateways, bridges and switches, which are capable of regulating and controlling the flow of packets into and out of the segment. Communication and monitoring devices are deployed in the network for various purposes, configured appropriately according to requirements, and accessed on the basis of the privileges and profile of the user. In addition, each employee signs an NDA not to disclose the details inside the perimeter; this takes care of the legal angle of any threat.
Internet access policies include automatically blocking all sites recognized as inappropriate (particularly social media websites) for every employee. In addition, web access is granted based on the requirements or nature of the process the employee works in. Internet traffic to the organization’s significant resources, for instance servers, accounts sections, etc., is filtered and monitored appropriately.
Virtual Private Network
A VPN provides a means to secure information while it travels over an untrusted network. VPN use is permitted only for employees on organization-owned systems. All types of remote access are directed through a corporate-endorsed VPN, on standard operating systems with suitable security patches. Access to company PCs from home via the web is not permitted. To secure the system when VPNs are used for remote access, the IT manager has to guarantee that sufficient protection is in place on the endpoints by applying L2TP with IPSec. Additionally, VPN vendors incorporate firewalling functionality in their clients to filter traffic.
Communication ports at the workstation, inbound or outbound, for unneeded services are kept entirely blocked, apart from essential services such as HTTP and HTTPS, since it is commonly seen that ports opened for a few administrative activities are left open unnecessarily, which lets an attacker breach the system with ease. Such safety measures are applied by the system administrator at the firewall as the primary line of defence. Hence, a workstation that communicates directly with the web is restricted in its use, and only authorized communication services or ports may be used for inbound connections.
When a user connects to an insecure, open network such as the Internet and thereby opens a large doorway for potential attacks, one of the best ways to defend against exploitation is to use firewalls. The enforcement policies that are set vary by the type of firewall and by the resource deployment on the network. In the case of dedicated server access, an application proxy firewall is placed between the remote user and the dedicated server to hide the identity of the server.
Secondly, where traffic filtering based on source and destination IP address and port is required, a packet-filtering firewall is quite useful and also improves transmission speed. On the other hand, when speed is not a concern, a stateful inspection firewall, which keeps a state table, is the appropriate choice at the network level, as it dynamically validates each connection before forwarding the packet. Moreover, NAT (Network Address Translation) is also employed as it complements the use of firewalls in providing an extra measure of security for the organization’s internal network, especially in preventing DDoS or SYN flooding attacks. In addition to the previous controls, a higher level of control is available through IP packet filtering, which prevents a given IP address from communicating with the server.
Intrusion Detection System
An Intrusion Detection System is deployed for anomaly detection and monitoring of unauthorized access, as an additional line of defence where the firewall or antivirus is not adequate.
The IT Administrator continuously checks system and security log files for anything suspicious. Additionally, an advanced antivirus product with built-in IDS/IPS capability is used to detect inappropriate auditing rights, elevated privileges, incorrect group memberships, altered permissions, registry changes, inactive users and much more. Host-based IDS software is installed on top of an OS, yet network-capturing IDSs are increasingly being deployed as hardware appliances for performance reasons.
Data that passes through many channels on the network, including switches and routers, in unencrypted form is vulnerable to many attacks such as spoofing, SYN flooding, sniffing, data alteration and session hijacking. Although there is no control over the devices the data might pass through, the sensitive data or communication channel is secured against unauthorized access to the extent possible. When data needs to be transmitted securely over a network, some security measures need to be taken to mitigate the risk of an attack:
- Authenticate the identity of people (and/or computers) who send packets
- Ensure that there is no data tampering
- Strictly limit access so that data cannot be read by any unauthorized individual between the user and the source.
The strength of a secret key or password is determined by a few constraints, such as minimum length, password age, use of special characters and reuse restrictions, which determine the expected number of guesses an attacker must make to discover the secret, and the ease with which the attacker can test the validity of a guessed password.
Instead of a traditional password, use a passphrase. While a standard password is 8 to 10 characters in length, a passphrase can be twice as long. A passphrase is generally stronger because it is more memorable than a password, reducing the need to write it down, and because it is longer than a password, a well-constructed passphrase makes a phrase or quote dictionary attack almost impossible.
Personiv has established a robust password management policy to regulate passwords used for logins and authentication. This helps users choose strong passwords that can’t be hacked easily.
- All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least once every three months, which is the recommended change interval.
- User accounts that have system-level privileges granted through group memberships or programs must have a password that is unique from all other accounts held by that user, and these passwords will be managed centrally.
Password Protection Standards
- Personiv employees are not allowed to use the same passwords as their Personiv accounts for other non-Personiv access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, Personiv employees must not use the same password for their various Personiv access needs.
- Personiv employees must not share their passwords with anyone, including administrators and supervisors, under any circumstances. All passwords must be treated as sensitive, Confidential Personiv information.
- Vendor-supplied defaults must be changed before installing a system on the network, including but not limited to passwords and simple network management protocol (SNMP) community strings, and unnecessary accounts must be eliminated.
- Personiv IT Operations must verify user identity before performing password resets, with prior approval from the supervisor.
- Personiv employees must not use group, shared or generic accounts, passwords or other authentication methods.
- Personiv employees must not submit a new password that is the same as any of the last three passwords they have used.
- Personiv limits repeated access attempts by locking out the user ID after five attempts.
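The rules above (a three-month change interval, no reuse of the last three passwords, lockout after five failed attempts, and a passphrase twice the length of a standard password) can be enforced mechanically. The following is an added example written for this page, not Personiv’s own code; the 16-character minimum and the PBKDF2-SHA256 storage are assumptions, since the page states neither.

```python
"""Password policy checks modelled on the Personiv rules listed above.
Added example, not Personiv's code. Assumed: 16-char minimum, PBKDF2-SHA256 storage."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=90)   # change at least once every three months
HISTORY_DEPTH = 3              # must differ from the last three passwords
MAX_FAILED_ATTEMPTS = 5        # lock the user ID after five attempts
MIN_LENGTH = 16                # assumed passphrase minimum (twice an 8-char password)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, now: datetime):
        self.history = []      # (salt, digest) pairs, newest last
        self.changed_at = now
        self.failed_attempts = 0
        self.locked = False

    def set_password(self, candidate: str, now: datetime) -> str:
        """Store the password and return 'ok', or name the rule it breaks."""
        if len(candidate) < MIN_LENGTH:
            return "too short"
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(_hash(candidate, salt), digest):
                return "matches one of the last three passwords"
        salt = os.urandom(16)  # fresh salt per stored password
        self.history.append((salt, _hash(candidate, salt)))
        self.changed_at, self.failed_attempts = now, 0
        return "ok"

    def attempt_login(self, candidate: str, now: datetime) -> str:
        if self.locked or not self.history:
            return "locked" if self.locked else "no password set"
        salt, digest = self.history[-1]
        if hmac.compare_digest(_hash(candidate, salt), digest):
            self.failed_attempts = 0
            return "expired" if now - self.changed_at > MAX_AGE else "ok"
        self.failed_attempts += 1   # counted until the fifth failure locks the ID
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            return "locked"
        return "wrong password"


def demo() -> list:
    """Walk one account through the rules; returns each outcome in order."""
    t0 = datetime(2024, 1, 1)
    acct = Account(t0)
    pw = "correct horse battery staple"          # constructed sample passphrase
    results = [acct.set_password("short", t0),   # too short
               acct.set_password(pw, t0),        # ok
               acct.set_password(pw, t0),        # reuse of the current password
               acct.attempt_login(pw, t0 + timedelta(days=91))]  # correct but expired
    for _ in range(5):                           # fifth failure locks the user ID
        results.append(acct.attempt_login("not the passphrase", t0))
    results.append(acct.attempt_login(pw, t0))   # correct password, still locked
    return results
```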
Together with well-established Information Security policies, procedures and technologies, Personiv demonstrates that Cyber Security is the primary focus of its culture in order to protect against any kind of cyber threat.
Continual improvement is in our DNA, and as an organization, we believe that anything can be improved. Management has shown tremendous support by providing necessary resources and financial support to protect Personiv’s brand, resources and employees at any given point in time.