Hensley / Elam Partners with PSI to Provide Professional Testing Services in Kentucky

Hensley / Elam announced today the opening of Lexington Testing Center, an authorized PSI testing site in the heart of downtown Lexington. 

The Lexington Testing Center will provide a secure on-line location for a variety of computer-based professional testing for Federal agencies including TSA, CBP, and FBI. State license testing will include real estate broker/agent and appraiser exams, and corporate exams including Microsoft, among others.

“A testing center of this level aligns with the level of service we already provide our customers, and we are excited to offer it to our existing clients and new ones,” said Russ Hensley, CEO of Hensley / Elam.

Hensley / Elam, now in its 23rd year of operation, has been providing information technology services including cybersecurity, managed IT services, managed security services, computer support for networks and servers, business telephone systems, off-site backup and IT consulting to businesses in the Central and Southeastern Kentucky area.

Release distribution here: https://www.einpresswire.com/article/544960998/hensley-elam-partners-with-psi-to-provide-professional-testing-services-in-kentucky

Patching computers is very important for modern cybersecurity.

By: Russ Hensley, CEO CISSP
Lexington, KY

Day in and day out we’re asked about operating system patching and its role in managed services or managed cybersecurity.

What is patching? What happens to cause patching? Do I need patching? Why is patching important to cybersecurity or normal operations? Why did the patch break my computer? Whose fault is it when the patch breaks the machine?

How did it start?

In 2003 Microsoft began to get structured about patching because, honestly, it broke a lot of things, and random, sporadic, chaotic patching was inefficient to say the least. Since then the patching process has evolved into tiers: security, critical, emergency and application patches, and workstation versus server patching, to name the common groups.

Cybersecurity firms and software developers produce a list of “holes” in software, called vulnerabilities, through intentional or unintentional discovery. The vulnerability identification process is a double-edged sword. Once confirmed, it alerts the developer, Microsoft or Adobe for example, that there is in fact a confirmed hole and what its nature is, and gives it an entry in a database for identification. The downside is that now not only the developer and the user know about it, but also the threat actor, who might look it over and work out how to exploit the vulnerability in a hack.

Nowadays, with ransomware and the internet, these patches are frequent and plentiful, and they come very fast at times when there are really bad vulnerabilities. Just last week, Patch Tuesday alone (May 11, 2021) contained 55 vulnerability patches from Microsoft’s resources: 4 Critical, 50 Important and 1 Moderate. The breakdown is from the CompTIA ISAO weekly update video.

Surface devices, for example, now get firmware updates on the Third Tuesday, and non-security patches for Office come on the First Tuesday.

Patches are developed and tested in the vendor’s own (white-box) environment as thoroughly as they can be so they don’t nuke your machine and create a “Crash Wednesday” when the patch is applied and the system reboots, which is what happens if you’re not on a managed patch plan. Sometimes patches are simply not compatible or fail, and in a patch management system you might see a scenario where bad patches are blacklisted and will not be applied to other machines once they fail in either testing or deployment. Microsoft delivers the best product it can, but the customer’s environment can vary dramatically from a testing scenario.
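As an added illustration of the blacklisting behaviour described above (example code written for this post, not Hensley / Elam’s NOC tooling), the following simulates a ring-by-ring rollout where the first failure of a patch, in the test ring or in production, blacklists it and withholds it from every remaining machine. Patch identifiers, ring names and the tier ordering are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed rollout order for the tiers the post names (the post gives no order).
TIER_PRIORITY = {"emergency": 0, "security": 1, "critical": 2, "application": 3}

# Ring order: a small test group first, then workstations, then servers.
RING_ORDER = ("test", "workstations", "servers")


@dataclass
class Patch:
    patch_id: str
    tier: str


@dataclass
class RolloutResult:
    applied: dict = field(default_factory=dict)      # patch_id -> machines it installed on
    skipped: dict = field(default_factory=dict)      # patch_id -> machines it was withheld from
    blacklisted: dict = field(default_factory=dict)  # patch_id -> reason it was pulled


def roll_out(patches, rings, outcome):
    """Push each patch ring by ring.  `rings` maps ring name -> list of machines;
    `outcome(patch_id, machine)` reports whether the install succeeded.
    The first failure anywhere (test or deployment) blacklists the patch and
    every remaining machine is skipped for it, so one bad patch cannot roll
    across the fleet."""
    result = RolloutResult()
    for patch in sorted(patches, key=lambda p: TIER_PRIORITY.get(p.tier, 99)):
        pid = patch.patch_id
        for ring in RING_ORDER:
            for machine in rings.get(ring, []):
                if pid in result.blacklisted:
                    result.skipped.setdefault(pid, []).append(machine)
                elif outcome(pid, machine):
                    result.applied.setdefault(pid, []).append(machine)
                else:
                    result.blacklisted[pid] = f"failed on {machine} in {ring} ring"
                    result.skipped.setdefault(pid, []).append(machine)
    return result


# Constructed sample fleet and patches (placeholder IDs, not real KB numbers):
# one patch fails in the test ring, one fails on a production workstation,
# and one installs cleanly everywhere.
SAMPLE_PATCHES = [
    Patch("PATCH-APP-1", "application"),
    Patch("PATCH-SEC-1", "security"),
    Patch("PATCH-CRIT-1", "critical"),
]
SAMPLE_RINGS = {
    "test": ["test-01"],
    "workstations": ["ws-01", "ws-02", "ws-03"],
    "servers": ["srv-01"],
}
SAMPLE_FAILURES = {("PATCH-APP-1", "test-01"), ("PATCH-CRIT-1", "ws-02")}


def sample_outcome(patch_id, machine):
    """Stand-in for the real install result of a patch on a machine."""
    return (patch_id, machine) not in SAMPLE_FAILURES


if __name__ == "__main__":
    r = roll_out(SAMPLE_PATCHES, SAMPLE_RINGS, sample_outcome)
    for pid, reason in r.blacklisted.items():
        print(f"{pid}: blacklisted ({reason}); withheld from {r.skipped[pid]}")
    for pid, machines in r.applied.items():
        print(f"{pid}: applied to {machines}")
```

The blacklisted dictionary is the list the NOC would remediate before a patch is ever re-released.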

How much is enough?

I personally believe in aggressive patching: patches are downloaded and workstations are rebooted frequently, and servers as needed based on patch level, no less than once a week in some cases. When a business has users with internet and email access, patching is critical to address security issues; in environments where consumer data is held it should be taken very seriously, but anywhere production depends on technology working, patching should be managed. These environments are typically the best suited for managed services and managed cybersecurity services.

What drives cost?

Some customers opt not to patch or not to be on a patch management process for various reasons, perhaps conflicts with software applications, or budgetary constraints. However, with the interconnected tissue of virtual machines, hardware firmware levels and so on, it’s almost impossible not to have to catch up on patching at some point for security reasons. None of this concerns software versions that have been marked end-of-support and no longer receive patches, only current production operating systems. Even endpoint detection and response (EDR) engines require the operating system to be patched in order to provide the security levels necessary for them to operate successfully. Otherwise, it’s like sailing a leaking boat.

Our clients who aren’t in a patch management or managed services process end up paying exorbitant service fees for patching rather than our fixed managed services fees. Under those fixed fees our NOC team tests, blacklists, deploys and remediates server operating system patches and some application patches, in the long run saving thousands of dollars by continuously patching and keeping the operating systems up to date.

It is a complex discussion and sometimes there are complex answers, but for the most part, managed services address the huge amount of patching that is going on for the best value.

Cybersecurity is broken because of the loose approach by business management

By: Russ Hensley, CEO CISSP
Lexington, KY

The current approach to cybersecurity is broken. In general, the public has embraced the “it won’t happen to me” mentality. In the end, the safety net is that the IT service provider or in-house IT admin is “taking care of that.”

If you are one of our clients, you have been presented with a set of quotes that we internally call our security stack. Our stack is built around the National Institute of Standards and Technology’s Cybersecurity Framework (CSF). The NIST CSF is a derivative of computer security guidance that is woven into healthcare, banking and national security information security policies. Quite simply, ALL businesses should understand what these frameworks are telling your business to have in place. If your business is technology driven, and if you think there would be OUTRAGE if the business were off-line for 3 days, then you should already have implemented it.

Our job is to work with our clients to provide the technical tools that help prevent intrusion. With our assistance, our clients must also invest by implementing frameworks and structuring policies. Security program recommendations for data backup policies, remote worker policies, password policy and a security training program for employees are the foundation to protect your business.

Our banking and healthcare clients have lived in overload dealing with these requirements. However, many businesses in the nation pay little to no attention to the threat. Often cybersecurity services are viewed as unnecessary overhead UNTIL something happens. At that point the “overhead” is exorbitant, and they realize they do not have the insurance that will be needed to pay the $100,000 or more labor bill for recovery, the $30,000 legal bill for their attorneys, the $80,000 for cyber forensics investigators, not to mention the media/PR control and the loss of revenue while they are down. Insurance companies are not shy about letting it be known that they are reducing payouts and increasing premiums because of the lack of implementation and the rise in the number of attacks.

Something needs to be done to better prevent and inspect the actions being taken with incidents like the Colonial Pipeline ransomware attack. A single attack CAN affect the average American. “It can’t happen to me” is no longer adequate.

Fixing the approach begins with our legislators starting to understand these issues, not at the nerdy intrusion-and-penetration hacker level, but in terms of the policies to be implemented and educational programs about what has to be dealt with.

Rising Cyber Insecurity

Most executives can estimate their revenue per customer but have difficulty trying to budget the potential costs if their business’ computer systems crash or they are compromised by viruses, other malware or attacked by hackers.

By Frank Goad

Potential dire effects vary by business, the type of computer-reliant operations it has and the nature of its data, and these effects can range from mere irritation to significant financial loss all the way up to a closing of the company doors.

Information technology security issues grow more important and urgent for business and industry week by week. Commerce-critical data today is created deliberately at workstations as well as streamed by always-connected apps and devices into the cloud – streams that simultaneously make operations more efficient and more vulnerable.
Managers, accountants, healthcare providers, lawyers, retailers, bankers, public officials and more all are joining IT professionals in spending more of their time and energy on cybersecurity matters.

Anti-virus expert Eugene Kaspersky said at an IT security conference in October 2013 that the cost of data system disruption to business is “many times more than $100 billion.” Since then, data breaches have occurred at Target, Neiman Marcus, JP Morgan Chase, Home Depot, Sony Pictures, Anthem and others. However, while these large events attract news coverage, much of the overall cost of data breaches actually occurs at small- and medium-sized businesses because they are often easy targets.

John Askew

“You have to assume that you have already been breached to some extent and determine how to continue running your business with that assumption,” according to John Askew, consulting manager and security team lead for SDGblue, a Lexington-based IT services firm.

“Hacking” into computer systems started three decades ago, largely among young men wanting to impress friends with their technical savvy. Nearly all data breaches today are by criminals looking to make money using an array of methods and powerful tools. The realities of computer security are much different than even just five years ago.

One result is that no one is too small to be a target. Thieves formerly tended to individually target the high-dollar score, like fishing with a large pole for that “big one.” Computer-powered automation today, however, enables thieves to fish with a net – which because of volume targeting creates large cumulative results.

Security experts all estimate the likelihood that a specific business’ computer systems will crash or be compromised at 100 percent – a matter not of if but of when. They also agree that most incidents are either preventable or can be cleaned up quickly with proper preparation. Money-sapping downtime can be averted or recovery expedited, reducing costs across the board. This security has a price, but prevention and planning tend to be far cheaper than curing a system shutdown for which a business is unprepared.

Most businesses today can’t run without computers, which are service platforms for credit card processing, tax filing, business websites and interacting with suppliers and customers.

Another recent computer security issue is that Kentucky and 47 other states along with Puerto Rico, the District of Columbia and the Virgin Islands have laws that punish companies found negligent in handling customer data, or that do not notify customers of a breach in a timely fashion.

Barbarians at the gate – and inside

Think of data security, experts say, in terms similar to doors to your business: The more data connection doors you have, the more security you need since doors are generally the most vulnerable points for unauthorized entry – or exit. Every email account is a potential door.

Further data vulnerability exists because businesses have to go through a lot of other people’s “doors,” too. Cyber criminals watch that activity with programs designed to sniff out your weaknesses and theirs.

Many business people are shocked to learn that various studies find from 45 percent to 80 percent of data security issues originate inside the company. Not all are malicious; sometimes an employee password is easily hacked, like the word “password” or “1234567890” or their password is pasted on their desk for anyone passing by to see.

Data security becomes compromised because employees often aren’t trained, or no security guidelines exist and they innocently do something inappropriate. It can be a disgruntled employee or one paid to steal company data. “Drive-by downloads” into business networks can occur when an employee visits a web page with a malware delivery mechanism that is disguised as an ad. Sometimes network anti-virus programs are inadequate (such as free versions) or are not installed at all.

Phishing is most common attack mode

Internal breaches commonly come from “social engineering” attacks, which prey on human behavioral weaknesses. “Phishing,” a common social engineering method, is the most commonly used data assault process seen by those interviewed for this article. And it achieves the most success against users.

Phishing criminals, usually using stolen email addresses, “bait” users at a target business with what appears to be an urgent email from a familiar company, such as a bank or retail chain they use. Problems begin if a recipient clicks a link or opens an attached file promising further details. The 2013 Target stores holiday shopping season breach that led to 110 million customer credit card records being stolen started with a phishing attack against employees of a subcontractor; Home Depot’s 100-million-customer-records breach in 2014 was a phishing attack.

Phishing messages whose official-looking logos, headquarters information or other content succeed in prompting a click for details instead initiate a download of malware onto the recipient’s device that propagates across the network. The many variations of this trick have worked worldwide millions of times.

“Phishing is the No. 1 problem for us on campus, and that is across faculty, staff and students,” said Brian Purcell, Murray State University’s information security officer and the school’s interim chief information officer. “If we see a phishing attack on campus, we proactively look to see who has responded to it by examining data traffic leading to the offending site. We then change their password and user identification and notify them that we have done so … because data breaches are very expensive to correct.”
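The response Purcell describes, finding who reached the offending site and resetting their credentials, can be scripted from web proxy logs. The following is an added example written for this article, not Murray State’s or any vendor’s tooling; the log format, account names, hostnames and timestamps are all constructed, and the phishing host is taken from the reported message rather than guessed from traffic.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic): timestamp, account, method, URL, status.
# ccole's visit predates the phishing message; asmith visited the genuine bank;
# dlee hit a lookalike subdomain that is not the reported phishing host.
SAMPLE_PROXY_LOG = """\
2015-03-02T08:55:00 ccole GET http://login-examplebank.example/verify 200
2015-03-02T09:14:03 jdoe GET http://login-examplebank.example/verify 200
2015-03-02T09:14:09 jdoe POST http://login-examplebank.example/verify 302
2015-03-02T09:20:41 asmith GET http://www.examplebank.example/ 200
2015-03-02T09:31:17 bwong GET http://login-examplebank.example/verify 200
2015-03-02T10:02:55 dlee GET http://login-examplebank.example.cdn.example/verify 200
this line is not a proxy record
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, user, method, url, status), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, status = m.groups()
    try:
        return datetime.fromisoformat(ts), user, method, url, int(status)
    except ValueError:
        return None


def find_responders(log_text, phishing_hosts, delivered_at, window_hours=48):
    """Map each account that reached a reported phishing host between delivery
    and delivery + window to 'submitted' (a POST, i.e. credentials were likely
    entered) or 'clicked' (GET only).  Hostnames are matched exactly, so the
    real bank site and lookalike subdomains do not trigger a reset."""
    deadline = delivered_at + timedelta(hours=window_hours)
    wanted = {h.lower() for h in phishing_hosts}
    responders = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the sweep
        ts, user, method, url, _status = rec
        host = (urlsplit(url).hostname or "").lower()
        if host not in wanted or not (delivered_at <= ts <= deadline):
            continue
        level = "submitted" if method == "POST" else "clicked"
        if responders.get(user) != "submitted":  # never downgrade a submitter
            responders[user] = level
    return responders


def response_plan(responders):
    """Turn the hit list into the actions Purcell describes, credential
    submitters first: change the password and user identification, then notify."""
    order = {"submitted": 0, "clicked": 1}
    return [
        {"user": u, "evidence": lvl,
         "actions": ["reset password", "change user identification", "notify user"]}
        for u, lvl in sorted(responders.items(), key=lambda kv: (order[kv[1]], kv[0]))
    ]


if __name__ == "__main__":
    hits = find_responders(SAMPLE_PROXY_LOG, {"login-examplebank.example"},
                           datetime(2015, 3, 2, 9, 0))
    for item in response_plan(hits):
        print(item)
```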

A sophisticated variation is “spear phishing” in which attackers research individuals at a company and target them with sometimes surprisingly personal appeals. This technique increases the odds of success so much that spear phishing accounts for 91 percent of attacks. At financial institutions specifically, reported individual losses average $55,000 and some have exceeded $800,000, according to the Washington-based Internet Crime Complaint Center.

Phishing is one of the most common consumer complaints the Kentucky Attorney General’s Office gets, said Daniel Kemp, deputy communication director.

“Many of the calls lately extended from attempts to dupe consumers affected by the recent Anthem (Blue Cross Blue Shield) data breach,” Kemp said. “Getting trained in spotting these threats is one of the most effective defenses a business or consumer has. We have staff who go around the state training consumers in our Scam Jam classes. Face-to-face training is always effective, and every business should consider it for their employees.”

Who are the phishers? They come from around the world. The Chinese and North Korean governments have often been accused (e.g., the Sony Pictures Entertainment hack), as have criminals in former communist bloc countries, South America and in the United States. A town in Romania’s Transylvanian Alps, Râmnicu Vâlcea, population 120,000, is called the cyber-crime capital of the world, but it has only two government agents assigned to combat digital law-breaking. Regardless of their origin or motivation, the criminals are after your system, your data, your customers and your money.

Those illegally harvesting customer data often bundle their stolen info and sell it to others to avoid being caught using it – they let others do the phishing or scamming. It makes arrests and prosecutions difficult, and even if they are caught, restitution for victims’ losses is rare.

Assessing costs, value, safety and savings

Brian Purcell, Information Security Officer, Murray State University

The good news is that with appropriate measures, a business network can be kept reasonably-to-very safe. Although the due diligence of installing, maintaining and securing computer systems can be costly, security breach costs can be far, far more.
“PCs and computing resources are now a utility, not a luxury. IT security is often regarded as a discretionary cost, but it’s not – it should be fixed in the budget of every business,” Purcell said.

The term “disaster recovery” refers to being able to restore a computer system to the state it was in a short time before a failure. Only very rarely is this the result of a fire, flood, lightning strike or tornado, although those are considerations. Much more commonly it means a single computer’s hard drive fails and ruins all its data, which a business must recover to get back to work; or a server dies, corrupts a wider swath of data and shuts down daily operations.
Business IT disaster recovery plans often mean having off-site backup in case equipment is stolen or offices are too damaged to use. With off-site data storage, operations can be restored in a temporary location so the business can continue to serve customers and avoid losing revenue.

Dave Sevigny, President, DMD Data Systems

“A company with six PCs that has no regular service vendor for support, and that hasn’t been getting regular system evaluations, is usually down two or three days,” according to Dave Sevigny, president of Frankfort-based DMD Data Systems, a regional IT services provider. “A company that has an established relationship is usually down about a half day. There is no substitute for qualified help.”

Sevigny and others advise considering the question: How would being without computers for two or three days affect your company?

“Today’s technology is more robust, more resilient and has more ‘call home’ properties that alert us, often before the customer knows they have a problem,” he said. Clients “have fewer problems if they make an effort to keep up their systems and allow us to help them. That’s what IT professionals do.”

An office technology policy can avert some of the latest threats to business. Sevigny advises caution regarding “the bring-your-own-device (BYOD) trend of letting employees bring smart phones and tablets into the office with no supervision, and even letting them do (company) work with them.

“While an employer might think he’s saving money by having employees use their own equipment to perform tasks for which the business formerly provided the equipment,” he said, “they are also opening themselves up to some real security problems. Giving someone open access to a business network when you can’t control what happens with that device after work is a very risky proposition.”

Lack of knowledge, lack of preparation
Investing in IT security and disaster recovery is less costly than restoring data from bits and pieces, or going back to printed records. Data breaches mean lost customers and tarnished business reputations, especially when customers must be contacted to inform them sensitive personal data is now “in the wild” and in the hands of criminals.

In calculating a budget for IT security and disaster recovery, managers are advised to consider their company’s average revenue or profit per hour or per customer, then assess the potential cost of lost operating hours or customers. At what point would losses become critical? At what point would the business be fatally crippled?

Many businesses lack security and data recovery plans.

Russ Hensley, CEO, Hensley Elam Associates

“Kentucky lags the national averages for a variety of reasons,” said Russ Hensley, CEO of Hensley Elam Associates, a regional data services firm with headquarters in Lexington. “Despite the routinely quoted (estimate that there are only) 30 percent of businesses with adequate protection, we may be as low as 10 percent for companies with appropriate backup and disaster recovery plans.”

Lack of knowledge is thought to be the main reason why. “Most of them simply don’t know the risks, or they think it won’t happen to them because it hasn’t happened yet,” Hensley said. “They don’t realize their employees are usually their biggest threat. They often see the backups and IT security as something being sold to them versus being a real asset. Since they have never had an incident – despite some of them already being infected with malware and they don’t know it – they either balk at the cost or don’t see the need.”

Studies estimate the cost of repairing a data breach at $185-$195 per customer. That’s $18,500 for 100 customers or $185,000 in losses for 1,000 customers. Repairs can take months as little issues continue to present themselves. It’s fairly common for some data to be lost forever, complicating making financial books whole again. Damage to reputation and trust can mean a loss of current customers and future business.

Studies show preventive measures do reduce per-customer losses for data breaches: $14 less for companies with comprehensive security policies and procedures; $13 less when the company has an incident response or disaster recovery plan; another $7 less if a well-trained staff person serves as the chief information security officer. Those steps lower average losses to $151 per customer.

Mitigation but no 100% guarantee
“There’s a saying in our industry that computer security always seems to cost too much, but still is never enough,” said Jerry Bell, a computer security consultant and founder of the DefensiveSecurity.org website and blog in Atlanta. “Computer security is something like what they say about those who fight terrorism: We have to be right all the time, but they only have to be right once.

“There is no 100 percent guarantee against hacks or data loss,” Bell said. “Everyone is a target, too. There are breaches and attacks going on at all levels – from giant financial firms all the way down to parking garages. Statistics don’t tell the whole story because many breaches are not reported to authorities. The fear of damage to a company’s reputation is pretty powerful.”

One product that can mitigate the cost of data breaches, he said, is cyber-security insurance, which many companies now offer. Data breach coverage can mitigate costs in any case, and especially when the policyholder is not to blame.
“When a breach happens and a claim is paid, the insurance companies are looking for those responsible for the breach,” said Bell. “If (the insurance company) pays a claim, then someone else is likely to wind up paying the insurance company.

“Take some of the big, well-known, national companies whose data breaches made headlines in 2014. There are lawsuits against some of them by their vendors, like credit card processing companies, and those vendors’ insurers to cover the costs of cleaning up the mess,” he said. “They lay the blame at the feet of the big company, and that mess includes new cards, reimbursements, credit monitoring and many other charges.”

All the experts in this article concur that, on average, only about 30 percent of businesses today have adequate security and a disaster recovery plan – not elaborate security, but decent protection and enough to help with recovery.

“The one thing that keeps me awake the most at night is how our data is handled,” said Purcell at Murray State. “We’ve been collecting people’s personal data since the late ’80s, and the standards for security were different then. We’re like any other business in that regard. That legacy data is very valuable, and we have the responsibility for protecting it.” Most businesses are in the same boat.

The most common lament among the IT security professionals interviewed is that customers reel when told the cost to adequately protect their systems but don’t understand the value of that investment.

For example, initiating recommended system security measures might cost a small to medium-sized business $10,000 up front and another $300 in costs per month to monitor the system security, perform maintenance and pay for regular professional services ($3,600 per year). Under this scenario, first year expenses are $13,600; subsequent years might total $5,000 when software upgrades, checkups, equipment replacements, etc., are included. This is a five-year cost of $33,600, or $6,720 per year. It’s a considerable budget line.

If this business has 300 customers, however, using the $185-per-customer cost for a breach that studies found, a data system problem could cost $55,500. That’s about $22,000 more than the cost of IT system security.

Compliance does not mean security

Michael Gilliam, Security Team Lead, SDGblue

In managing costs, businesses generally opt for meeting legal or regulatory obligations as an expense baseline.
“Compliance does not equal security,” warns Michael Gilliam, consulting manager and security team lead for SDGblue. “Security is a very complex issue to tackle (and) it becomes harder to defend the individual information systems and the organization as a whole as it grows.”

A lack of dedicated resources to implement an effective security program is the biggest issue SDGblue sees, Gilliam said.
“Security (is) often viewed as a cost center that needs to be minimized,” he said.

That anemic approach is further weakened when “combined with a confusion with regulatory compliance,” Gilliam said. A managerial view that data security resources are “dedicated to avoiding fines stemming from violations makes security often nothing more than an afterthought, prioritized only when it is too late.”

State and federal government requirements to notify customers of a breach are considered burdensome and complicating factors. However, the cost of doing so is small compared to the fines and penalties for not doing it in a timely fashion, and far less than criminal or civil charges, or lawsuits by customers.

There are major additional compliance issues in the medical field, which also must comply with complicated federal HIPAA and HITECH regulations.

The Health Insurance Portability and Accountability Act of 1996 mandates the confidentiality and security of healthcare information. The Health Information Technology for Economic and Clinical Health Act of 2009 anticipates a massive expansion in the exchange of electronic protected health information.

“The cost of a breach to medical clinics can be staggering,” Hensley said. “One doctor had a laptop stolen with 2,000 patient records, and none of the data was encrypted (to make it unreadable to the thieves). They were fined $150,000 by the government for non-compliance – un-encrypted laptops are the No. 1 cause of fines. It used to be that large clinics were the ones fined, but now smaller offices are seeing fines, and they are never cheap. For the largest companies, there have been fines of $12-14 million. It’s quite serious.”

Breaches trigger legal obligations
Hensley holds the advanced Certified Information Systems Security Professional credential, which in addition to technical expertise requires knowledge of IT’s legal and financial issues. The CISSP credential is valued especially in the healthcare sector and other operations with high-stakes compliance obligations. Hensley said it improves his ability to advise clients about avoiding potentially expensive situations.

“For instance, I’ve seen cases where attorneys took a patient’s medical records into their office for a case. This puts the lawyers at tremendous risk because they think the attorney-client privilege protects them, but that’s not entirely true,” he said. “By assuming responsibility for those records, they are now under HIPAA laws and subject to penalties.”

Meanwhile, state legislatures are enacting new cybersecurity laws and reporting requirements, creating legal obligations sometimes to notify customers and staff about a data breach – or to not notify them because the breach is under a criminal investigation.

In Kentucky, HB5 and HB232 cybersecurity laws passed in the General Assembly in 2014 are now in effect. They changed the way the commonwealth’s businesses are required to store customer data and protect confidentiality. Depending on who is potentially affected, businesses and other entities that experience a data breach must contact the Kentucky State Police, state auditor of public accounts, state attorney general, Kentucky Department of Education or the Council on Postsecondary Education.

HB 232 defines what businesses must know about an electronic security breach, sets deadlines for informing customers and staff and whether to notify law enforcement.

Frank Goad is digital editor of The Lane Report. He can be reached at frankg@lanereport.com.

Source: Lane Report