FREQUENTLY ASKED QUESTIONS

Tell me about Sage Information Security.

Sage was formed to help our clients protect their information assets. The partners met several years ago, and realized we all were interested in security. 2005 was a crisis year in information security, and we decided it was time to form a company. We have expertise in computing and networks, as well as policies and procedures. We help our clients meet the threats that accompany being online. We're located at the Small Business Center in Enka. We were pleased to be recently named Small Business of the Month by the Executive Association of Greater Asheville.

What is information security?

There are really three parts: you want to keep your secrets secret, you want to prevent anyone from modifying sensitive information, and you want to make sure you can access your data when you need it. It doesn't matter if the information is on a computer, on paper like payroll records, or in your employee's heads.

Why aren't area companies doing anything about information security?

Some companies are doing a good job, but more often, security is neglected because it is an expense. Decision makers don't understand the risks involved. The IT staff doesn't understand policies and procedures, and HR staff doesn't understand the solutions available. So security often falls between the cracks of different parts of the organization. We specialize in bridging the gap between the human side and the technology side.

What is the best thing you can do to protect your ID?

ID theft is a big issue. There are books at the library, and a lot of sites online that talk about reducing your risk. ID theft is a problem that is going to be with us for a while. I think the single biggest thing you can do is put a Security Freeze on your credit report, so that the bad guys can't take out new credit cards in your name. The bad news is that this costs $30. Beyond that, be very careful giving out information on the Internet, and consider a paper shredder for home use. One big problem is that a lot of the ID theft is happening at the corporate level, where companies aren't taking proper precautions with your information. Companies need to feel pressure from customers and employees to take action to address security issues.

Where are people most vulnerable?

There are some experts that recommend against debit cards, because if the information on your debit card is stolen, criminals can clean out that account. A good friend of mine in Asheville put his card in an ATM that apparently had a skimmer device installed on it. Within a week, people were trying to withdraw money from his account from Russia. At work, a lot of fraud occurs because people get fooled into trusting a criminal on the telephone. These scammers are old-fashioned con men, and they often put together several small pieces of information from different sources to pull off a crime.

Are there any laws to protect us?

There are several new laws. North Carolina has a new law to protect against identity theft that went into effect in 2005 that requires companies to notify people if their information is stolen. There are federal laws that require healthcare organizations, financial institutions, and educational institutions to protect their information. The FTC is interpreting financial institutions very broadly for enforcement. The government is cracking down on the offenders, but it is moving very slowly.

What is the difference in the service you offer versus the service other computer security or network security firms in the area are offering?

The other firms that offer security services in Asheville have a computer-centric view of the world. Security means having anti-virus turned on, and updating it regularly. At Sage, we take a larger view of information security. We learn about your business processes, and what you're trying to protect. We look at information on paper and in people's heads as well as on computers. One part is educating our clients about their obligations under the law and with the payment card industry. Many of the business leaders we talk to are very vague on just what their responsibilities are. We approach your network like a hacker, looking for any weaknesses. We provide detailed reports to our clients, along with recommendations for addressing any problems we find. We also help our clients develop policies, make recommendations for changes in how they manage their information, and help them train their employees.

What are you doing to educate the public?

At Sage, we really care about security. Sage has several white papers on our website to explain the threats and the regulations. We are teaching a one-day class on business computer security at AB Tech on April 22, and have talked about computer security on local talk radio. Sage regularly provides seminars and employee training on computer security, either at your office or at our facilities. Information security is almost a crisis right now, and we are always looking for ways to get that message out. We will give any business that calls us a free consultation: we’ll come to your business, interview you, and explain what regulations cover your business, and where we think you are falling short in security.

When conducting an information security audit, what are you looking for?

The first thing is to identify what information the company is protecting. Do they have healthcare information, financial information, consumer information, or trade secrets? Once we know that, we look at how the information is used. Are there appropriate policies and access restrictions in place? Looking at the firm's computers is just one part of the entire approach. But it's an important part. It's great being connected to the Internet, and having access to information all over the world. The downside of that is that the bad guys are also connected to you. So we look at our clients' computers from a hacker's perspective: what's there, how can we get it, and how can we hide our tracks.

Is that expensive?

Different clients have different needs. We can usually help a small merchant meet their obligations to VISA and MasterCard in an hour or two. That's not expensive. But making sure an auto dealership is meeting their obligation under Gramm-Leach-Bliley or a dentist's office is meeting their obligation under the Security Rule of HIPAA will take us several days. That's cheap compared to the penalties for not meeting those obligations. You have to compare the cost of fixing the problem with the cost of ignoring it. The federal laws mandate jail time and harsh fines for not being in compliance. The payment card firms can take away your ability to process credit cards if you’re not in compliance. We will always come in and assess your company's needs for no cost.

Do you work for clients outside of Asheville?

While we focus on Asheville and Greenville, we work with clients as far away as Atlanta and Washington DC.

Who are your clients?

Our client base is medium and small businesses. We have done audits for non-profits as well. The larger and more sophisticated the firm, the more needs they have for information security. So we work with retailers and professionals like doctors, lawyers, and accountants, as well as larger enterprises such as manufacturing firms. Given the sensitive nature of our business, we take our clients' confidentiality very seriously, which means that without their permission we don't talk about them. We have some clients that have agreed to be references.

Why don't businesses take their customers' security seriously?

I think the problem is that many businesses don't realize that customer information is a target. Their customer information can be used for identity theft and credit card fraud. It takes resources to make changes to protect that information, and because they don't understand the threat, they are not willing to spend those resources.

We all hear about the credit card offers in your trash being a big ID theft area. What are some others? Are these fears realistic? How big a problem is this?

This is a big problem. Most of the identity theft is occurring due to security breaches in corporations. Identity theft has been the number one consumer complaint to the Federal Trade Commission for the last several years. In 2005 one in six people in the United States had personal information stolen. If your identity is stolen, it can take years to straighten out the mess. It's reported that credit card companies send out 2000 pieces of junk mail for every offer that is accepted. So they're very interested in the offers they do get. Just last week someone reported getting a credit card after he tore up the application, taped it back together, and had the card sent to a different address. That's really a breach of security. That company was not taking due care to protect that individual's information. It's going to take a lot of pressure from consumers to improve this situation.

Why would someone steal personal information?

For money. ID theft is a very profitable enterprise. There is a financial crime wave occurring in cyberspace. Thieves rack up thousands of dollars on a credit card in someone else's name, and then they disappear. For some types of theft, $50,000 is the average take.

One of you is a certified ethical hacker. What is that? What are some other certifications or credentials you hold?

CEH is a certification provided by the EC-Council. This certification verifies that you have demonstrated training on particular hacking techniques and network auditing tools. It tests your knowledge of auditing standards from the International Standards Organization and the National Institute of Standards and Technology. We are committed to legal use of computers. We don't hire or work with "reformed" hackers. We adhere to a strict code of ethics that includes never connecting to anyone's computers without their permission. Our partners also have certifications from Cisco, the Systems Administration and Network Security Institute, and the International System Security Certification Consortium. These are technical certifications, because at heart, we're a very technical company.

Is this about hacking?

Hacking is just one of the threats we address. Protecting against hackers on the Internet is important, but it's just one piece of the puzzle. We work with secure remote access, regulatory compliance, policy development, insider threats, physical security, and employee training as well. Every firm is unique, and has a different mix of assets and threats. We take a comprehensive approach to identifying the threats our clients face, and finding cost effective solutions for them.

Isn't it mostly kids hacking?

That is certainly a cliché, but it's wrong. In the last five years, computer crime has become a staple of organized crime. There are well-organized gangs of professional criminal hackers, both inside the US and overseas. They are making billions of dollars with credit card fraud, identity theft, and other types of online crime. The FBI estimated that the cost of computer crime was over $60 billion in 2005. That's not kid stuff. One interesting report comes from Bill Hancock, the chairman of the FCC's National Reliability & Interoperability Council. Hancock had dinner with a hacker from Eastern Europe last year who said the Russian mafia threatened his family if he didn't work for them. I think that shows how serious the problem has become.

What is the worst violation you have seen around here?

It's difficult to single out one instance. We don't talk about our clients. But I can say that we have found very serious problems at local companies that would allow identity theft or outright fraud. One serious issue we see every day is unsecured wireless access points. This is like inviting all the bad guys in the neighborhood to connect to your computer, and see what kind of useful information they can find. It's an easy thing to fix, but most people just don't take it seriously.

So if I protect my ID, check my credit scores, freeze my credit report so no one can access it without my permission, buy a shredder, stop using checks, do all the things you hear about, why am I still not safe?

The issues here are much bigger than a single person. Corporations haven't been required to provide good security, and now they're playing catch-up. Your information is already out there in dozens of government and corporate databases. Some of them are taking due care with it, and some of them are not. You have no way to tell who has your information. Fixing this requires that citizens demand better protection, both from our government and from the companies they do business with. Businesses need to hear that their customers are demanding good security.

I hear that some of the ID thefts don't use a computer but simply bribe a bank employee. How do you stop that?

You can't stop all crime. As an individual, you need to keep a close eye on your accounts. Fraud may still happen, but at least then you will catch it early.

Do the credit card companies like the one in Arizona that lost all that customer information a few years ago owe consumers accountability? How do I know if my credit card company is using a middle man like that?

Corporations absolutely owe consumers accountability. They are legally liable if they lose your information, and they know that. All credit card companies use third party processors. In North Carolina, and 22 other states, companies are required to inform you if your information is disclosed.

Who is most at risk? Why?

Everyone is at risk to some degree. Young adults have the highest risk, because they are most comfortable with technology. They're just starting a credit history, and they don't understand the importance of monitoring their credit. The elderly are most at risk to social engineering fraud, because they tend to be more trusting, and less familiar with technology. But even the poor are at risk, because the fraudsters aren't stealing their money; they are using their identity. In some cases, scammers have even worked to improve someone's credit so that they can take out a larger loan, which they then default on.

What can you do if you think someone is hacking into your computer or stealing your identity?

If you think someone is hacking your computer at home, you should disconnect your computer from the network, and sweep it for malware. At work, call in your IT team to investigate the computer. If you suspect identity theft, you should place a fraud alert on your credit reports, and review your credit reports. File an identity theft report with the consumer reporting companies. Close the accounts that you know, or believe, have been tampered with or opened fraudulently. File a report with your local police or the police in the community where the identity theft took place. And finally, file a complaint with the Federal Trade Commission.

What software should I have on my computer? So much of it is confusing: pop-ups, spyware, shareware, virus protection, quarantine. Is there an easier way?

At work, your company should have a security policy that your IT department manages. If you don't have a policy, you need one. Give us a call. At home, you should have some sort of firewall, an anti-virus program that updates automatically, and some sort of spyware defense that updates automatically. The bad news is that this is the absolute minimum. The good news is that there are several good products available to do this.

So if I hire a computer security company for an audit, how do I know that they are giving me what I need?

Choosing a security firm is an important decision. You should ask a lot of questions. Ask about background screening of employees, and who will have access to your network. Does the company hire reformed hackers? How is your information protected after the audit is done? How is this data stored and protected? Does the company provide incident response services? What services does the company provide? Check the company's references, and get a feel for whether they solved the client's problems.
How much does this cost?

That depends on the number of computers at your company, the network design, your industry and your goals. Call us and we will meet with you in order to assess your needs and provide you with an estimate. This is a confidential, complimentary consultation which puts you under no obligation.

What does our company get when we contract with Sage InfoSec for a Security Audit?

Sage InfoSec will deliver its findings to your IT and executive managers at a presentation given at your offices. We will make all personnel involved in the Security Audit available for a question and answer session at the end of this presentation. Additionally, Sage InfoSec will issue two reports: the first report is designed for the IT manager and will detail all technical aspects of the network intrusion testing, rating the degree of threat each vulnerability presents, and recommending specific solutions to each vulnerability. The second report will summarize the IT report in layman's terms and will make further recommendations regarding physical plant security and security policies.

Why can't our IT department perform the security audit?

Security Audits need to be performed by an outside contractor for many of the same reasons that a financial audit is performed by an outside company:

  • To determine the extent of system vulnerability not detected through in-house audits.
  • To show customers how safely they can perform e-commerce transactions over the World Wide Web. Marketing departments frequently drive such demonstrations.
  • As a prelude to restructuring the security system and enhancing the perceived value of institutional integrity for customers.
  • As a means of demonstrating that your company has made a strong effort towards achieving a secure network, and thereby limiting your corporate liability.
What are OSSTMM, NIST, and ISO?

OSSTMM: Open Source Security Testing Methodology Manual, the standard in security audits nationally and internationally, maintained by ISECOM (the Institute for Security and Open Methodologies). OSSTMM is compliant with ISO 17799-2000 (BS 7799), and NIST has accepted OSSTMM as being compliant with its requirements.

NIST: National Institute of Standards and Technology, a U.S. government body that sets various standards for American private industry.

ISO: International Standards Organization. ISO creates standards for all aspects of commerce.

Who does Sage InfoSec employ?

Sage InfoSec employs personnel who have been in the IT network industry for a total of 26 years. In addition, Sage InfoSec requires that all employees pass an exhaustive background check which includes investigation into credit and criminal histories. Sage InfoSec employees hold the following certifications:

  • CEH (Certified Ethical Hacker)
  • GCFW (SANS Institute Firewall Analyst)
  • GCIA (SANS Institute Intrusion Analyst)
  • CISSP (Certified Information Systems Security Professional)

We don't seem to have had any security problems so far. Why should we concern ourselves now?

The odds are very high that your company has already had network break-ins.

The problem with information theft is that once data have been stolen from a network, those data are also still right where they belong on your network. This makes it very difficult to know whether someone has stolen your information. As recent headlines in the media are now making clear, the extent of information theft is massive, and hackers are taking client, personnel, financial and other data from companies large and small, often without the victims even knowing it.

The simple fact is that virtually any network can be broken into if the hacker involved is skilled and determined. For example, the following is a quote from the results of a security audit commissioned by the state of North Carolina:

"In early May 2001, the Office of the State Auditor used a private contractor to attempt to penetrate the network security systems at 22 of the state’s computer systems in the Executive, Judicial and Legislative branches of state government. These penetration tests were performed in the presence of the Agency Head and Information Systems Director. Using a “Pass-Fail” grading formula, 21 of the 22 systems were rated as “Failed” because access to a computer or device identified as owned by the agency was achieved. The contractor employed by the Office of the State Auditor was able to take control of computers on the 21 systems, using programs that are readily available to hackers and the public. One system was not successfully attacked because the vulnerability identified was actually on a computer hosted by a different agency."

Sadly, these results are typical of both government and private industry. So, if you think that no one has broken into your network or stolen your data, it is important to ask yourself why you think this is true.

So our information is vulnerable to attack. That still does not seem to be doing us any harm.

No, information theft has only recently become a problem for most sectors of private industry. While companies trying to protect research and development, financial, and other forms of proprietary information are well familiar with the struggle to maintain network security, most companies are new to this problem. Two important factors are contributing to this new reality:

  • Hackers are more plentiful and more skillful.
  • State and federal governments have now legislated that private companies must make strong efforts to protect personal data stored on their networks and must inform anyone involved if their personal information is stolen from the company.

Some examples of these laws are:

  • U.S. Government Information Security Reform Act of 2000 Section 3534(a)(1)(A)
  • U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • California law AB 1386-Peace/CHAPTER 915, Stats. of 2002, which states that notice must be given to all citizens affected by a security breach immediately following discovery of the breach. Any person injured by a violation of the law may file a civil suit to recover damages.
  • Additional laws are now before Congress to further protect individuals and provide recourse through the court system to those injured due to information theft.