Protecting yourself from data leaks

Leaks of sensitive data were prominent in the news in the summer of 2019 and the months that followed. One after the other, large companies saw their customers’ sensitive data exposed on the Internet. How can you mitigate the threat of data leakage? Solutions are specifically designed to ensure that data stays inside your organization.

If you’ve recently migrated to a cloud computing environment such as Office 365 to adapt to the new reality of remote work, you may be fearful that sensitive data could be disclosed outside your organization. This is when a data loss prevention (DLP) solution comes into play.

Data Loss Prevention (DLP)

There are various products for data loss prevention (DLP), some of which are more effective than others. On the other hand, an effective, properly configured DLP solution will allow you to identify sensitive data in your documents and prevent it from being copied, even on USB sticks. A DLP solution is integrated with Microsoft 365 and offers several features:

• Labelling sensitive information;
• Preventing accidentally sharing confidential information;
• Monitoring and protecting information even on users’ workstations;
• Educating employees by notifying them that they have misused the information;
• Investigating potential data breaches.

Azure Information Protection (DLP) for Microsoft 365

Azure Information Protection (AIP) is software that allows you to categorize information by using labels that are applied (automatically or manually) to your documents and emails. Before labelling the information in AIP, the administrator must define which information is sensitive and how sensitive it is. That way, documents that have a sensitivity label, for example, would only be accessible to the organization’s members, making it impossible for any other person to view them. Moreover, if an email containing confidential information leaves your cloud computing environment through Outlook, it could be automatically encrypted to prevent data leakage. Azure Information Protection also provides the ability to apply retention labels that will help you prevent important documents from being accidentally deleted. Documents that must be kept in archives for a number of years can thus avoid being deleted. Similarly, retention labels can block changes to documents that are considered final, such as signed contracts. This feature therefore guarantees your documents’ long-term integrity. If some documents do not need to be kept for the long term, AIP also makes it possible to delete them automatically when the retention period has expired. The Office 365 DLP solution is limited to Microsoft 365 apps. For an overview of all the information that users send over the Internet, it is necessary to acquire a solution such as a CASB (cloud access security broker).

The CASB

A cloud access security broker (CASB) is software located between cloud computing service users and cloud computing applications. It monitors all activities and applies security policies in the cloud. A CASB can offer various services, such as monitoring user activity, warning administrators of potentially dangerous actions, preventing data leaks, and preventing the operation of malware. Microsoft offers a CASB-type solution: Microsoft Cloud App Security (MCAS). This solution dovetails with Azure Information Protection and provides the following features :

• Visibility: Detect all cloud services used by your organization; assign a risk level to each; identify all third-party users and applications that can log in to your environments.
• Data security: Identify and control sensitive information (DLP); manage data based on classification labels.
• Protection against threats: Provide access control that can be adapted to users and their context; provide an analysis of user and entity behaviour (UEBA); limit the risks of malware.
• Compliance: Provide reports and dashboards to support cloud governance; support efforts to comply with data residency and regulatory compliance requirements.

By making proper use of data categorization and DLP and CASB features, you will achieve a high level of security for your cloud-hosted information.

Is information technology not your cup of tea? Do you get lost in the world of cloud computing? Trust Fortica to put in place all the necessary measures to make your virtual work environment secure.

Secure authentication in Office 365

The Office 365 suite is already in place in many companies. Does everyone use it completely securely? Not necessarily. But be aware that Microsoft’s range of tools offers a host of security options that you and your employees should use to make this environment secure.

 

Multifactor authentication

Multifactor authentication (MFA) is vital when it comes to computer security because compromised usernames and passwords are often the gateway for hackers. You must ensure that, at a minimum, you activate multifactor authentication for the entire organization.

The most common way to use multifactor authentication is a verification code. The way it works is simple: The user signs into Office 365 using his or her username and password, and then a verification code is sent to his or her cellphone by text message or by the authentication application (Microsoft Authenticator). The user enters the code into the login page and accesses the environment.

There are other factors available with Office 365 to ensure strong authentication:

• A physical token
• A phone call
• Due to native vulnerabilities in the phone network, using the authentication app or the physical token as a second authentication factor is recommended.

Conditional access

While authentication factors are an important security measure, they should be used in combination with the conditional access features available in Office 365. Conditional access is used to control access based on criteria, such as the computer used, location, access group (e.g., administrator), and application the user is trying to access

Location
In addition, Office 365 also allows you to enable an additional security check, which only allows logins from certain geographic regions. Only allowing logins from certain regions where your organization operates is recommended. You should at least require a second factor for unusual regions. Similarly, some regions where hackers often attack from should be blocked. For example, if your company operates in Canada and representatives go to the United States for business trips, you allow logins from Canada and ask for an additional factor when they are in the United States. You block all other regions. If necessary, you can change these settings if the company goes global.

The application
You can configure various permissions depending on the application that a user is trying to access. For example, if a user accesses Office 365 through an unmanaged computer, he or she can only access Outlook and cannot download attachments.

Company-managed computers and unmanaged computers
As for device management, you have the option to register certain computers in the corporate network. You can configure different permissions for users with computers that are or are not managed by the company. For example, when employees use workstations that are located on the company’s physical premises, they will have access to all the features of Office 365. This will not be the case when they use their personal computers. This type of security measure can prove very useful if an employee needs to log in to your computer systems from home. He or she will be able to work from his or her personal computer as needed while having restricted access to company data.

Access groups
Access groups are used to manage who accesses which applications and which information based on their role in the company. Access groups composed of privileged users, such as IT administrators, should have more restrictive policies when accessing Office 365. In particular, they should always authenticate using a second factor and logins from unusual countries should be blocked automatically.

Fortica’s experts are available to help you securely configure the Office 365 suite for your business. Securely configuring this solution will allow you to have peace of mind about who is accessing your computer environment.

 

Using SharePoint and OneDrive for secure file sharing

Have you ever taken the time to ask yourself about the choice of collaborative work technology tools that you use in your company? What if we told you that not all software offers the same possibilities when it comes to managing security?

SharePoint and OneDrive, part of the Office 365 suite, are securely configured solutions for internal and external collaborative work and document sharing.

What is SharePoint?
SharePoint is a document management tool developed by Microsoft that is integrated with Teams. Documents shared in Teams automatically end up on a SharePoint site, allowing users to share files with their colleagues and make changes to them collaboratively. This solution can help you centralize document management. As for security options, SharePoint provides features that allow you to control access to the platform, block file downloads, and provide limited access rights. This can be very advantageous if you need to invite external users to collaborate on certain documents.

To use SharePoint securely, there are some best practices that need to be implemented, including the following:

• Disable the creation of Anyone links that give access to the document to anyone with the link.
• Allow only guests registered in the directory (AD) to access a document. Access requests must be approved based on the organizational access management process.
• Allow only a limited group of administrators to create SharePoint sites.
• Restrict access and rights when an employee or guest logs in from a computer that is not managed by the company. The download, sync, and print functions must be blocked.
• Prevent guests from sharing files that are not their property.
• Classify sites and documents according to the sensitivity of the information.
• Configure data loss prevention features to prevent sensitive documents from being disseminated outside your organization.

What about OneDrive?
OneDrive is a file management and backup solution that enables file sharing between employees or with external collaborators. The security controls available in OneDrive are similar to SharePoint, but some differ.

To use OneDrive for business securely, here are some practices that must be implemented:

• Block file synchronization features for computers that are not standardized by the organization.
• Allow file sharing only with internal users. Guests must be registered in the directory (AD) following a formal access request that is approved by administrators.
• Block suspicious files, such as executable files (Exe, MSI, Bat, etc.), from being imported into OneDrive.
• Enable automatic file backup for all users.
• Classify data in OneDrive (sensitivity label) and use data loss prevention features to prevent data exfiltration.

Note that OneDrive has inherited some controls from SharePoint, including the management of sharing links. The configuration of SharePoint, OneDrive, and Teams should be planned according to this particularity.

What are the risks of file sharing?
File sharing is never without risks, especially when using tools available for free without setting them up. However, their use is widespread, even in professional contexts. One of the poor practices in file sharing is giving downloading access from a simple hyperlink, which different solutions allow. Attackers are actively monitoring the Internet to gain access to these insecure links.

Furthermore, if you don’t already have infrastructures in place that make it easier for employees to share documents, employees may turn to what is known as shadow IT, a term that refers to the use of computer systems, software, or applications without the IT department’s explicit approval. Free versions of software such as Dropbox and Google Drive offer few of the security controls that are needed to protect information.

Another source of risk for file sharing is application vulnerabilities. As recently as last August, a major security flaw was discovered in Google Drive. This flaw allows you to share a file of any type and then to change it into malware that embeds itself in the computer of the person to whom you sent it. Be careful if you receive a document to download from someone you do not usually communicate with. Similarly, if you give full control of certain files to people outside your organization, they could modify the document and compromise your security.

That’s why it’s critical to clarify with your work teams that certain software has been chosen for the company because using them ensures its IT security. If you have a file-sharing solution or plan to acquire one, Fortica is a partner who is available to help you set up and use these solutions securely.

Use your cellphone securely

We answer several questions that will allow you to protect yourself against an invaluable tool that is quite possibly the first thing you look at when you get up in the morning: your phone.

Why should I update my operating system?

Even if they take some time and deprive you of the use of your phone for several minutes, updates to your operating system are crucial because they correct security flaws in addition to giving you access to new features. Keeping your phone up to date is a good way to protect yourself.

What if I lose my device?

First, your screen should always be locked using a password, fingerprint lock, or facial recognition. This will save you time going forward. With apps that allow you to access your bank’s online services or pay for your purchases directly with your phone, when your device is lost, your banking data is part of the valuable information that ends up greatly compromised. You must act quickly to prevent fraud.

If you’re using an iPhone and the Find My iPhone feature is turned on, you’ll be able to find out exactly where it is thanks to Apple’s online services. You can also do this with applications for the Android operating system. If your phone remains unfound, you will need to quickly contact your cellphone provider to have it deactivated and have the unique identification number (IMEI) added to a blacklist that makes your device unusable.

Does Bluetooth technology put my cybersecurity at risk?

Before we go any further, what is Bluetooth? It’s a wireless connection that uses radio waves at a reduced range and allows data to be exchanged between electronic devices. In particular, it allows replacing many connection cables. However, this technology is in a way the weakest link in cybersecurity. Permanently enabling this feature on your device makes you more vulnerable to certain attacks. This is all the more true if your phone hasn’t been updated for a long time. In 2017, a major security flaw allowing a phone to be hacked in just a few seconds was discovered in the Bluetooth protocol. Our best advice? Activate it only when necessary.

What about geolocation?

Geolocation makes many smartphone users fearful, though it makes it so much easier to use many apps. Are there risks associated with it? Undoubtedly. Ill-intentioned people can know your position at any time. That’s very helpful information if your Facebook page informs them that you live alone with your cat and that you have gone out to explore Quebec for the weekend. Any information you share publicly makes you more vulnerable.

What kind of text messages should I be wary of?

Text messaging phishing attempts are becoming more frequent and are sometimes misunderstood. You should be aware that your financial institution, government, or cellphone provider will never contact you by text message to ask you to confirm personal information or to notify you that your account has been suspended or that you are entitled to a refund. When in doubt, always call the company in question to make sure it is not an attempt at fraud. Never open the links offered to you in these messages and go directly through the provider’s website if you wish to validate certain information. In short, owning a cellphone carries risks, but by adopting safe behaviours, you will be able to minimize them.

Fortica was among the speakers at the In-Sec-M Workshop held in Montréal on October 4, 2019, on the topic of cyber resilience in the financial sector.

A number of Quebec cybersecurity companies were able to present their services and solutions to address the specific cybersecurity concerns related to the financial sector.

Fortica President Samuel Bonneau explained the McAfee report’s finding that “99% of incidents due to misconfiguration in public cloud environments go unnoticed, exposing companies to data loss.”

In fact, you should know that cloud cybersecurity is not set up by default. There are more than twenty-five types of controls to evaluate and deploy if necessary, and each cloud provider has its own solutions and settings.

Samuel Bonneau presented the advantages of the Fortica Cloud Shield, a product developed by Fortica that continuously checks the integrity of the company’s cloud infrastructure configurations, meeting the specific needs of the demanding finance industry and its stringent regulations.

In addition, Fortica offers a 360-degree approach:

DESIGNING

Fortica selects cloud providers and solutions, and then designs their overall architecture and identifies the necessary features.

IMPLEMENTING

Fortica implements and configures security and integrates defined systems.

CHECKING

Fortica ensures that best practices, internal standards, legal, and contractual obligations are properly heeded.

OPERATING

The Fortica Cloud Shield maintains configurations and the security level, fixes vulnerabilities, and monitors the security roadmap. It also monitors malicious activities.

 

That means you can count on the Fortica Cloud Shield being a product that meets the financial sector’s cyber resilience challenges by ensuring that cloud environments are protected.

To go further, Fortica and its partner, Hitachi Systems Security Inc., have joined forces to offer tailored security and privacy protection in the cloud with their Security and Privacy by Design service.

In addition to making the cloud reliable and secure, the personal data of customers in the financial sector is also protected.

3 Takeaways From The First AWS Conference Dedicated to Cloud Security

The first Amazon Web Services (AWS) event dedicated to security, AWS Re:Inforce, was held in Boston on June 25 and 26, 2019.

Fortica, partner of Hitachi Systems Security (read full press release here), was among the 5,000 cloud security experts who attended this important conference. These two days were an opportunity to discuss the challenges of cloud security, well beyond the specific contexts of AWS.

For those of you who couldn’t attend but are interested in the topics of cloud security or AWS, we’ve put together a summary in three points, as if you were there.

 

1. AWS Can Meet Strict Security Requirements

Opportunities to comply with and align with the most demanding security practices in the AWS public cloud have been widely promoted. Several major players in the North American financial industry, including CapitalOne, outlined their approach.

AWS offers a secure default configuration with a large number of security services to meet a multitude of needs and scenarios.

 

2. Standardize Security Rules and Give Teams Autonomy

The standardization of security policies through the installation of guardrails was a major theme that was discussed both during sessions and during sponsors' demonstrations. It is about defining the security and context-specific boundaries within which development teams can be autonomous.

Ideally, security policies can be reused through the use of labels (for example, a developer can modify the roles of its hosted application in an environment labeled "Test" but not in "Production").

Steve Schmidt, AWS CISO, announced the launch of Control Tower, a service that enables uniform security and cloud compliance policies across multiple accounts within the same organization.

 

3. Evaluate and Correct Your Security Posture Proactively

Cloud visibility and cloud security posture assessments was one of the other big themes that were very much discussed but also widely represented among the sponsors grouped at the Security Hub.

Multi-cloud information systems, the autonomy of DevOps teams, the simplicity of deploying resources in the cloud create configuration problems and inevitable vulnerabilities that expose data.

There are solutions for detecting anomalies as early as possible, even before planning the resources by analyzing CloudFormation templates, which can be used to raise alerts or automatically correct configuration discrepancies.

Equivalent solutions that are natively offered by AWS, are effective in meeting basic but limited to AWS needs. In a more complex, more demanding or in a multi-cloud environment, a Cloud Security Posture Management (CSPM) solution will be a must.

 

In Closing

This first AWS event dedicated to cloud security has kept all its promises by highlighting emerging security practices and innovative solutions. The AWS Re:Inforce conference becomes a must-attend event for all cloud security experts. The next edition is already announced – it will take place in Houston, TX, in 2020.

In the meantime, Hitachi Systems Security and Fortica are keeping up-to-date with innovations and trends in cloud security and our its practices to benefit our customers.

If you have questions about the security of your cloud, either for an audit or a deployment coaching, we have the expertise and services to meet your needs to secure your critical assets along your path towards the cloud. Our cloud security experts take all the necessary efforts to keep up with this fast-changing industry in order to offer you the most relevant recommendations and to ensure that you can maximize the return on your cloud security investments.

See Fortica's services

The first AWS Conference dedicated to cloud security

The first Amazon Web Services (AWS) security event, AWS re:Inforce, was held in Boston on June 25–26, 2019. Fortica, a cloud security specialist in Quebec and partner of Hitachi Systems Security, was among the 5,000 cloud security experts who attended this major conference. These two days were an opportunity to discuss the challenges of cloud security far beyond contexts specific to AWS.

Here is a three-point summary that will make you feel as if you were there:

 

 

1. AWS can meet stringent security requirements.

The possibilities for complying and aligning with the most demanding security practices in the AWS Public Cloud were broadly highlighted. A number of major players in the financial industry in North America, including CapitalOne, presented their approach.
AWS offers a secure default configuration with a large number of security services to respond to many different needs and scenarios.

 

2. Standardize safety rules and give teams autonomy.

Standardizing security policies by putting in place guardrails was a major topic discussed during the sessions and sponsor demonstrations. It is a matter of defining secure boundaries—based on the context—within which development teams can be autonomous. Ideally, security policies can be reused through labels (for example, a developer will be able to change the roles of their hosted application in an environment labelled “Test” but not in one labelled “Production”).
AWS CISO Steve Schmidt announced the launch of Control Tower, a service that enables applying uniform cloud security and compliance policies across multiple accounts within a single organization.

 

3. Proactively assess and correct your security posture.

Visibility in the cloud and assessing the security posture of the cloud were other major discussion topics. They were also widely represented among the sponsors gathered at the Security Hub. Multicloud information systems, the autonomy of DevOps teams, and the ease of deploying resources in the cloud make configuration issues and vulnerabilities that expose data inevitable.
There are solutions to detect anomalies as soon as possible, even before resources forecasting, by analyzing CloudFormation templates, which allows triggering alerts or automatically correcting configuration deviations. AWS natively offers equivalent solutions that are effective in meeting basic needs limited to AWS. In a more complex, demanding, or multicloud environment, a CSPM (Cloud Security Posture Management) solution is crucial.

 

This first AWS cloud security event delivered on all its promises by highlighting emerging security practices and innovative solutions. The AWS re:Inforce conference has become a can’t-miss event for all cloud security experts. The next conference has already been announced. It will take place in Houston in 2020.

In the meantime, Fortica will be staying up to date on innovations and trends in cloud security and adapting its practices to benefit its customers. If you have questions about your cloud’s security, whether for an audit or support in deployment, Fortica has the expertise and services to meet your needs.

See Fortica’s services.

The Fortica team