3 Lessons to Learn from the Internet Explorer Vulnerability News
Despite the best efforts of government agencies, corporations, and consumers, it seems that every day there is news of systems hacked, data compromised, and glitches in the software and online tools we rely upon. Last week, a zero-day vulnerability was discovered in Internet Explorer – a weakness that has been present in every version of IE for the last ten years. This came on the heels of the Heartbleed bug, found deep in the code of the OpenSSL encryption library and dating back two years. With security gaps in such widely used systems going undetected for years, how can we protect ourselves and our valuable data? Although the US Computer Emergency Readiness Team (US-CERT) has flatly told users to stay off Internet Explorer until the problem is fixed, avoiding the internet and shunning electronic data is simply not an option for any of us now. But there are steps we can all take to greatly reduce the risks to our organizations and even to our personal privacy and security.
Stay Vigilant as an Administrator
If you are designated as an Administrator in any system within your organization, realize that your account is a more tempting target for hackers, because the access it grants is worth more to them than an ordinary user’s. In a case such as the Internet Explorer vulnerability, when a system running as an admin is compromised, whoever gains access can infiltrate not only that desktop but often the entire system. Functioning as an administrator with unfettered access, you assume a greater IT security responsibility, whether your system is connected within a small health care provider’s office, a rural hospital, or a major corporation.
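A quick way to see whether the session you browse from carries the admin rights described above is a read-only audit like the following. It is an added example, not code from the original post or from any vendor: it reports whether the current process is elevated, which accounts sit in the local Administrators group, and what operating system and version the machine runs. The property names in the output object are my own choice; nothing here changes the system.

```powershell
# Added example (not from the original post): read-only audit of admin exposure
# on the workstation it is run on. Requires only Windows PowerShell; no changes are made.

# Is the current session running with administrative rights?
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Members of the local Administrators group, via ADSI so it also works on
# older systems that lack the Get-LocalGroupMember cmdlet.
$adminGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($adminGroup.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
})

# Operating system name and version, for the "stay up to date" check.
$os = Get-WmiObject -Class Win32_OperatingSystem

# One summary object per machine; pipe to Export-Csv to collect across a fleet.
[PSCustomObject]@{
    Computer          = $env:COMPUTERNAME
    User              = $identity.Name
    SessionIsElevated = $isAdmin
    LocalAdmins       = ($members -join ', ')
    OperatingSystem   = $os.Caption
    Version           = $os.Version
}
```

If SessionIsElevated comes back True for an account used for everyday browsing and email, that account should be reduced to a standard user (with a separate admin account for administrative tasks), and any unexpected names in LocalAdmins are worth a follow-up. Running the same script across many machines and collecting the output gives an inventory of where an admin-level browser compromise would hurt most.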
Stay Up to Date
If you work within a HIPAA- or PCI-regulated industry, letting a single software patch or device firmware update slip by you can knock your company out of compliance. Systems that are not current are also at greater risk, and the risk is greater still when you continue to use end-of-life software or systems that no longer receive updates or patches. When Microsoft recently ceased support for Windows XP, many organizations were faced with the expense of upgrading versus the added risk of running a system that will not be updated in response to changes in technology or newly detected threats. While business realities often make it impossible to replace every end-of-life system quickly enough, there are steps you can take to continue using a system like Windows XP as safely as possible until the upgrade can be made – and this begins with a thorough risk assessment.
Stay Aware of Threats and Have a Plan
When news breaks of a critical vulnerability in a software package or tool that your company uses, it is important to act quickly to secure your systems and your data. Even if a weakness has been buried in the system undetected for years, don’t assume the risk is small or that it is not urgent. Once a problem is disclosed, like the Heartbleed bug in OpenSSL or the issue with Internet Explorer, hackers and criminals who were unaware of the weakness yesterday suddenly become very aware of it, and they know there is a small window of time to take advantage of the gap before an update or patch is released to fix it.
Be aware of the news when it breaks, take the threat seriously, and take the necessary steps (depending on the nature of the threat) immediately to protect your organization. Especially in large facilities or large organizations, taking quick action can be a challenge. There are ways to keep your organization prepared and nimble enough to be able to act.
Have a Process in Place
When a system vulnerability is announced or when a breach actually occurs, there is no time to convene a committee and weigh your options. If you have a process for updates and an incident response plan in place, you can take action immediately. Even the first steps – isolating the affected systems and notifying users as quickly as possible – buy you time to evaluate the options for correcting the issue. Good planning and wise decision making rarely take place in the midst of a crisis.
Have a Culture of Security in Place
Everyone in the organization needs to be aware of and understand the importance of security. Building a culture over time that values security prepares employees to respond quickly and appropriately when you put your response plan into action. Training and communication are critical to effectively spurring employees to act when necessary. Again, without laying the groundwork, the support and buy-in you need will not be there when trouble comes.
Have Proper Documentation
Documentation to support your plan: HIPAA compliance requires Covered Entities and Business Associates to have an incident response plan in place before a security incident occurs and to maintain extensive documentation of the steps taken if there is a breach.
Documentation to support your culture: Training and equipping staff to safeguard the security of your organization’s systems and data requires clear guidelines for them to learn, understand, and refer to when called upon to act. Everyone in the organization should know:
- what steps you expect them to take on a regular basis to maintain security;
- what steps you expect them to take if they suspect or detect a breach or a problem;
- and what steps you expect them to take when you detect a breach or a problem.
Do not assume they know or hope they will listen and understand if you wait until there is a problem to talk about these expectations.
Documentation to support your action: In the event of a data breach, regulatory and government agencies will expect to see detailed documentation of the plans you had in place beforehand, the immediate steps you took, and the long-term plan for security and regaining compliance. Showing preparation and follow-through can save you from costly fines and administrative headaches that only add to the consequences of a security incident. The vulnerabilities discovered in OpenSSL and Internet Explorer – just two recent examples – could be extremely disconcerting for an organization that is not adequately prepared to respond to a security incident.
An organization, administrator, or security officer who stays vigilant, up to date, and aware will still face threats or challenges but will do so much more effectively and confidently. If you do not feel very confident in your ability to respond to a detected vulnerability or an IT security incident on your watch, give us a call before you see another dire news report.