Atlantic Business Technologies, Inc.

Category: Cloud Security

  • How to Integrate Security into DevOps

    “Good DevOps practices ensure that the same code bundle can be deployed into multiple environments and environment-specific elements can be automatically injected from outside the code bundles themselves.” - Bernard Golden, Author and CEO of Navica

    Golden describes just one example of how DevOps delivers significant improvements in development speed and agility. By increasing cooperation between IT engineers and developers, DevOps streamlines workflows across a software project. This has made DevOps a popular approach for many IT leaders.

    However, with all of this increased speed it is easy to view security concerns as inhibitors to DevOps agility. After all, if your developers are nailing their deadlines and your IT engineers are creating rock-solid environments for your software, why would you want worries about security to slow down your incredible progress? As the CommitStrip below amusingly points out, security doesn’t seem like a major concern until something goes wrong. And then, it may be too late to stop the issue from bringing down the entire application or system.

    SecDevOps means you don't make security an afterthought.

    Question: When Should You Integrate Security into DevOps?

    Answer: Yesterday.

    “Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers, and preserves the teamwork, agility and speed of DevOps and agile development environments, delivering ‘DevSecOps.’” - Gartner 2016 report

    It is not enough to add on patchwork security protocols or systems just before deployment. Nor can you simply recruit a security expert to check your developers’ code as they work. To truly integrate security throughout your workflows, you need to ensure your developers are a transparent part of the security process. In short, stay true to the collaborative spirit of DevOps.

    This is not easy. Modern security infrastructure has lagged in its ability to become “software defined” and programmable, making it difficult to integrate security controls into DevOps-style workflows in an automated, transparent way. In addition, because developers often download and use open-source components and frameworks, modern applications are largely “assembled,” rather than developed from scratch. This creates application security issues as many of these open-source additions are vulnerable to cyberattack.

    SecDevOps Training, Tools, and Best Practices

    So how can you stay true to the collaborative vision of DevOps as you weave security into your development processes? Information security architects should take the lead by adopting the following tactics to create a strategic SecDevOps approach:

    • Start with secure development and training. This does not mean you need to force your developers to become security experts or adopt an entirely new set of tools, but introducing the right secure practices can safeguard your software. For example, you should create deployment pipelines that allow for controlled code pushes into the production environment; by using Red/Black deployments, you can transition to the updated code running on the new infrastructure with zero impact to sessions, transactions, or the user experience. For platform scanning, the Nessus product from Tenable Security can improve security without disrupting your workflow.
    • Embrace the concept of people-centric security. Beyond training, this means empowering developers to take personal responsibility for security by encouraging a “trust and verify” mindset. Note that monitoring your systems is still important, but you need every team member to take ownership.
    • Require all information security platforms to expose full functionality via APIs for automatability. By automating regular code tests, you help ensure your software will be secure without demanding more effort from your team.
    • Use proven version control practices and tools for all application software and, equally as important, for all scripts, templates and blueprints used in DevOps environments. A Git branching model is also helpful while writing code.
    • Adopt an immutable infrastructure mindset. Rather than focusing on maintaining and improving the uptime of individual machines in your data center, an immutable infrastructure relies on API-driven infrastructure-as-code. This improves flexibility by letting you lock down and change production systems through the development process.

    Learn More about SecDevOps Training

    This is only an introduction for how you can integrate a security mindset into your DevOps practices. If you’d like to learn more about best practices and tools to secure your applications and systems during development, contact our security team here at Atlantic BT. We know all of the ins and outs necessary to guide you to confidence and safety.

    With these best practices and more, you will be well on your way to delivering secure-by-design software that integrates effectively with your chosen platforms.

  • The Best Way to Save Your Company is by Phishing Your Coworkers

    It’s easy to think that an email phishing attack wouldn’t fool us. Or that our friends and coworkers know how to identify a suspicious email.

    But like a lot of our work at Atlantic BT, we don’t really know how well we’re prepared until we run some tests. So, how do you test the human side of IT security? You run your own phishing scam on your coworkers and record the results.

    How I Ran My Phishing Test

    Before you call the police, no, this blog post is not a confession that I’ve turned to a life of crime. I used a free tool from PhishMe. Then, I was able to conduct a convincing phishing test. My targets? Every one of my coworkers at ABT, including the CEO and President.

    PhishMe Free allows you to send a fake phishing email to as many as 500 users by importing a list of emails. You can design your phishing email using 18 different templates. You can then schedule when you want to send it. The app will measure how many recipients open the mail and how many click the phishing link inside it. For my test, I sent two different emails more than a month apart. The results were very different.

    The first test sent an email in the middle of the workday. It notified the recipient that their inbox was “over the limit”. The phishing link inside the email was threatening. “Click here to increase your mailbox size or you will lose your account within 24 hours.” Results of this test were encouraging. 65% of my colleagues opened the email, but no one clicked the phishing link. This particular phishing attack wasn’t fooling anyone.

    The second test delivered less positive results. This email arrived at the start of the workday. It referenced a suspicious credit card charge. The email also offered to let the recipient trace the progress of a package, as it made its way to its destination. 67% of my coworkers opened this email, and 21% actually clicked the phishing link. Had this been a real attack, our company could have been in trouble.

    What I Learned from Phishing

    Our main lesson here was that even a tech-savvy company, like ABT, is vulnerable to phishing. Without testing, you won’t know how susceptible you are to a phishing attack until it already happens.

    Here are some other observations from this test:

    • Timing could matter: The first test took place in the middle of the day. But, the second test began before people were arriving for the day and checking their email. The more successful test was a part of all the other morning emails employees deal with first. The lesson here is about timing. It’s especially important to watch out for suspicious emails at peak communication times. Then you can judge each email’s impact and risk on an individual basis.
    • Content matters: This means that the content of the phishing email is a critical clue. It can determine how susceptible your employees are to the scam. The worry over an unauthorized credit card charge struck a deeper nerve. The lesson? Teach your coworkers how phishers target their victims. Manipulating emotions, curiosities, and worries are all part of their attack strategy.
    • Response plans are important: A few users notified IT when they suspected an email attack was underway. But, they were unsure how to proceed after. It’s important to be able to find weak spots in training and policies. Education and regular testing help us to find those vulnerable points. It also helps to remind employees to be vigilant. It’s a good idea to have protocols for how to respond to this kind of suspicious activity.

    Cybersecurity is necessary in a world where hackers dwell. Being prepared and aware makes all the difference. Our team of experts is ready to help you with the knowledge and experience they’ve gained in the real world and with phishing tricksters, like me.

  • 3 Payment Processing Security Measures You Need to Take Now

    Attacks on our sensitive business and personal information are becoming increasingly common. It seems as though everything is now available online or managed through an app. It is important we do not become complacent, no matter how often these major data breaches happen. We should all be taking every precaution to secure data. This is especially true if our business relies on eCommerce payment processing.

    eCommerce security is complex. Security standards should be tested on a regular basis, and on top of that you should be monitoring user activity and customer behavior. Even so, your website could be the online equivalent of Fort Knox, with every vulnerability scan consistently reporting green, and still be exposed: payment processing best practices for credit card validation (CCV) must be active too. Without them, your company is at risk of supporting credit card fraud, which could halt your revenue for months while you try to recover your losses from the credit card companies. It’s a terrifying beast to manage.

    Paying attention? Let me explain a few of these payment processing best practices you should consider.

    1. Credit Card Validation

    You might think this is a common sense approach, but validation means more than checking the number, expiration date, and CVV of potential customers. In addition to those 3 aspects of validation, incorporating Address Verification System (AVS) is another method of credit card validation. Configuring these validation fields can change based on which payment gateway (PayPal, Authorize.net, Stripe, etc.) and eCommerce platform (Magento, WooCommerce, etc.) you use. Despite these differences, it should be easy to incorporate these validation fields into your payment processing.

    2. Behavior Monitoring

    For a crook, credit card testing isn’t a one-shot approach—it takes multiple attempts to verify a card number. To spot these suspicious users, look at the transaction and visitor history for your site. Pay close attention to these red flags:

    • The same IP address has multiple failed transactions.
    • The same IP address makes multiple purchases with different credit card numbers.
    • A spike in sales of low-priced items.

    This last point is indicative of someone testing a card number with a small price item and potentially using that card number for big ticket items elsewhere or increasing the value of that number for other hackers to purchase and use. If you notice this kind of suspicious activity, you would do well to flag that credit card and not process any transactions with it.
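    Turning those three red flags into checks that run over a payment log, as an added example rather than Atlantic BT’s own code: the transactions, the card tokens and the IP addresses are constructed, and the thresholds are assumptions to tune against your own traffic baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Txn:
    ts: int         # seconds since epoch
    ip: str         # client address from the web/payment log
    card: str       # gateway token for the card, never the raw PAN
    amount: float   # order total in dollars
    approved: bool  # did the gateway approve the charge?


# Constructed sample log: hours 0 and 1 are ordinary shoppers, hour 2 holds a
# card-testing burst from a single address (documentation IP ranges only).
SAMPLE = [
    Txn(0,    "198.51.100.10", "tok_a1", 49.99,  True),
    Txn(600,  "198.51.100.11", "tok_b2", 3.50,   True),
    Txn(3600, "198.51.100.12", "tok_c3", 120.00, True),
    Txn(4200, "198.51.100.13", "tok_d4", 2.99,   True),
    Txn(7200, "203.0.113.7",   "tok_x1", 1.99,   False),
    Txn(7230, "203.0.113.7",   "tok_x2", 1.99,   False),
    Txn(7260, "203.0.113.7",   "tok_x3", 1.99,   False),
    Txn(7290, "203.0.113.7",   "tok_x4", 1.99,   True),
    Txn(7320, "203.0.113.7",   "tok_x5", 1.99,   True),
    Txn(7350, "203.0.113.7",   "tok_x6", 1.99,   True),
    Txn(7400, "198.51.100.14", "tok_e5", 15.00,  True),
]

# Thresholds are assumptions; tune them against your own traffic baseline.
MAX_FAILED_PER_IP = 3
MAX_CARDS_PER_IP = 3
LOW_PRICE = 5.00
SPIKE_FACTOR = 3.0
WINDOW = 3600  # one-hour buckets for the spike check


def failed_attempts_by_ip(txns, threshold=MAX_FAILED_PER_IP):
    """Red flag 1: the same IP address with multiple failed transactions."""
    failed = defaultdict(int)
    for t in txns:
        if not t.approved:
            failed[t.ip] += 1
    return {ip: n for ip, n in failed.items() if n >= threshold}


def distinct_cards_by_ip(txns, threshold=MAX_CARDS_PER_IP):
    """Red flag 2: the same IP address purchasing with several different cards."""
    cards = defaultdict(set)
    for t in txns:
        if t.approved:
            cards[t.ip].add(t.card)
    return {ip: len(c) for ip, c in cards.items() if len(c) >= threshold}


def low_price_spikes(txns, window=WINDOW, low_price=LOW_PRICE, factor=SPIKE_FACTOR):
    """Red flag 3: a window of low-price sales far above the other windows."""
    per_window = defaultdict(int)
    for t in txns:
        if t.approved and t.amount <= low_price:
            per_window[t.ts // window] += 1
    if len(per_window) < 2:
        return []  # nothing to compare against
    spikes = []
    for w, n in sorted(per_window.items()):
        baseline = max(mean(v for k, v in per_window.items() if k != w), 1.0)
        if n >= factor * baseline:
            spikes.append((w * window, n))  # (window start, low-price sales)
    return spikes


def cards_to_block(txns):
    """Every card token seen from a flagged IP: do not process further charges on it."""
    flagged = set(failed_attempts_by_ip(txns)) | set(distinct_cards_by_ip(txns))
    return sorted({t.card for t in txns if t.ip in flagged})


if __name__ == "__main__":
    print("low-price spikes:", low_price_spikes(SAMPLE))
    print("cards to block:", cards_to_block(SAMPLE))
```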

    3. Guest Checkout

    If you want to incorporate this feature into your online business, you should weigh the pros and cons. The pros can mostly be summed up as simplifying the purchasing process to drive more sales. This is great for customers who want to buy products without going through the steps of creating an account.

    Cons include significant security considerations. A crook would be able to use guest checkout to test a stolen credit card (purchasing small ticket items to verify a credit card is valid) with a minimal amount of information to tie them to that transaction. If you decide to enable guest checkout, in addition to validating the card number and expiration date, be sure to validate the name and address as well.

    Payment Processing Is Only One Part of Security

    eCommerce security is more than just good business practice—it’s also vital to protecting the customers you serve. The basic steps laid out in this post are only part of what you should consider when it comes to ensuring your eCommerce site is secure.

    If you’d like more information regarding eCommerce security, contact our security team. And if you’re thinking of starting a new eCommerce site or modifying an existing eCommerce site, we have the experts you need to guide you through that adventure, as well.

  • 4 Ways to Know If Your Site Is Safe for eCommerce

    Congratulations! You’re ready to take a big step forward by jumping into eCommerce. You’ve evaluated the market to see how you stack up against the competition. You’ve developed your pricing strategies. You understand how you’re going to handle order fulfillment. And, most importantly, you’ve built out your website to handle all the online transactions.

    But is your site really ready for eCommerce?

    Four Questions to Ask Before You Begin eCommerce Transactions

    1) Do you trust the work of your development partner?

    Most eCommerce websites require significant custom development, so you can connect the site to your Enterprise Resource Planning (ERP) software or integrate it with your marketing tools. This makes it essential that you can trust the company (or individual) that completed your development work. That means asking tough questions: Does your developer have the experience necessary to build sites that meet current standards? How reliable is the code? Has it been tested?

    Because eCommerce asks a lot of your website, you need to feel confident your development partner is trustworthy and knowledgeable about security best practices. The long-term success of your business depends on it.

    2) How secure is your hosting infrastructure?

    Your eCommerce website needs to be in a stable, secure hosting environment. If you’re using a shared hosting environment, you may be at risk. If any website on that shared server gets hacked, your website and all your customer data (including credit cards and personal information) could be compromised. We recommend creating a customized hosting configuration in the Cloud.

    As an Amazon Web Services (AWS) partner, we’ve seen first-hand the scalability and reliability that comes with hosting your website within the Cloud. And since eCommerce requires 24/7/365 operation, you need to minimize downtime as much as possible.

    3) Are you using encryption to protect your data and transactions?

    Today’s eCommerce websites handle more data and larger volumes of transactions than ever. Customers depend on you to keep their data safe and secure. Once you violate that trust, you may never get it back. This makes encryption essential. Installing Transport Layer Security (TLS) encryption is a good starting point. TLS has replaced the older SSL encryption methodology. But has your developer taken the necessary steps to encrypt the transactions? What about the stored data? How about customer histories and personal information?

    Failure to encrypt the personal information and transactional data stored in your site means that once a hacker gains access to your site’s back end, they have access to everything. By using trusted and proven encryption methodologies, you can keep your data safe, even if a hacker were to get inside the site.

    4) Do you have a dedicated budget for website maintenance?

    Many eCommerce projects tend to focus on the task of developing and launching the eCommerce site. However, websites and hosting environments are a lot like buildings—if you don’t maintain them, they will break down over time.

    At a minimum, you will need to plan on updating your website’s core code, the encryption technologies, the integration with your external systems, and the structure of the hosting environment. A dedicated maintenance budget will help you extend the life of your eCommerce website and provide the peace of mind your customers need.

    Launch with Security, Launch with Confidence

    A secure foundation for your new eCommerce store will relieve any worries in the back of your mind. If the questions asked above have you concerned that your online store might not be ready, my colleagues in eCommerce will be happy to set you at ease.

  • How to Balance Data Security and Accessibility

    In a fast-evolving world, data is essential to good decision making. This makes accessibility paramount, and at the same time the utmost security is the universal expectation. What a paradox we’ve created.

    Data is valuable because of the insights we can derive from it. But, we must also make sure data stays secure to protect privacy. A flexible governance approach maximizes the value of data across an organization.

    What does this approach look like? It’s the incorporation of proper user access control and/or role-based access to data. Vital to this data access is its classification.

    Being an agency, ABT employees have access to many sources of data. We work with all types of clients and industries. Once we have access, we are usually held accountable for what happens to this data while it’s in our possession.

    In our case, data is only accessible by the relevant department. For instance, the passwords for client WordPress sites are only given to developers and marketers. This isn’t the case for all data in our organization. Data with a high risk potential is more strictly guarded. Our data governance process is one that is reliable and effective.

    Defining Data Governance

    Data governance is not a ‘one size fits all’ system. Your organization will need its own unique strategy. Small organizations can afford to grant data access to users faster, due to size. Bigger organizations should follow a more rigid process.

    The Data Governance Framework laid out by the Data Governance Institute is a good place to start. They describe this framework as a “logical structure” for data organization and activities. This is especially true with regards to “making decisions and taking action on…data.”

    Applying this framework assigns rigorous accountability. It also provides a clear process for making decisions. But, it does have a drawback. This kind of strict governance leaves little room for flexibility.

    Unfortunately, rigidity slows down decision making. Strict processes can have a monetary impact on an organization in the short term.

    Better Governance through Data Classification

    To strike the right balance, consider the classification of your data. Not all data is equal, so not all data needs to adhere to the strictest of controls. How do you know the difference? What data needs high levels of governance vs standard governance?

    At Atlantic BT, we refer to the Federal Information Processing Standards. This document covers the categorization of information. It also covers information systems as seen in this chart:

    An informal governance framework will be best for data that is low risk. The odds of it compromising confidentiality and integrity are small. This kind of data does not need to follow strict governance for user access. Stakeholders can then access this data with ease. As a result, faster and better decisions can occur with minimal risk.

    Who has access to what data?

    A subset of governance is security through user access controls. User access controls are like role-based access. There are restrictions to data with regards to who actually needs to use/see it. For example: marketer 1 works for client A but not client B, so she has access to analytics data for A’s campaign but not B’s. Likewise, marketer 2 works for client B but not A and so he doesn’t have access to client A’s data.

    One way to achieve this level of security is through a data access policy engine. These tools allow you to give users access to the exact data needed to do a specific job and nothing else. You can grant access to more information as projects get transferred or the team adds a new member. Even better, you can do all this faster. Granting access can be as informal as sending an instant message to a data steward. There is a caveat. The data steward has a tough spot to fill. They must have a general understanding of every employee’s role. It’s the only way they can determine if an employee needs the information to complete a job.

    A more specific aspect of user access controls is role-based access controls. These are specific to an employee of an organization where access to data is dependent on a combination of department, location, and job title. Just like with user access controls, you can govern these through an informal structure to decrease the steps someone might have to go through to access data. Again, this should only be applied to data that has a low potential impact for an organization in case that data is compromised.

    Finding the Right Governance Fit

    In conclusion, a minor sacrifice in governance (not security) can help resolve the tension of having your data be as secure as possible while also maximizing the accessibility of that data.

    However, this fix can’t work for everyone. Larger organizations might have trouble incorporating a system like this, since a data administrator or data steward does not work closely with everybody, making it difficult to have a general understanding of every employee’s role. Additionally, multinational organizations might have to adhere to country-specific requirements that impede them from sharing data across offices or countries.

    Start a conversation with us. We can answer any questions you may have on data governance or access.

  • Why the EU GDPR is Important to You and Your Security

    On April 8, 2016, the EU adopted its General Data Protection Regulation (GDPR). These new rules went into effect on May 25, 2018. They are applicable in all EU member states and do not call for national legislation to make them valid. What does this mean for you and why is it important?

    The GDPR rules will have a strong impact on how other companies interact with EU members. The key component of these regulations is that they apply to companies outside of the EU. Anyone who is advertising or selling goods and services to an EU member must comply. Companies that accept currency from an EU member must comply. And anyone who asks for any kind of personal information, to gain consumer insights or use as a lead, must comply. A company outside the EU that is targeting customers within the EU is subject to GDPR.

    That’s intense. 92% of United States organizations see GDPR compliance as their top data-protection priority. And no wonder. Again, any company that interacts with EU citizens or businesses falls under GDPR. Failure to meet the requirements will result in serious fines. How serious? Over $23 million serious. And don’t forget the damage it could inflict on a company’s reputation.

    So, the big question is this: are you currently following the rules?

    What Does GDPR Require?

    Any organization that processes data has direct and significant obligations under GDPR. These data processor rules include (but are not limited to) the following requirements:

    • Keep a written record of processing activities carried out. There must be one record maintained on behalf of each controller of data collected.
    • Name a data protection officer where required.
    • Appoint a representative (when not established in the EU) in certain circumstances.
    • Notify the data controller immediately when becoming aware of a personal data breach.

    Data processors now have a new status. This will impact the handling of data protection matters in other commercial agreements.

    Data controllers must continue to provide transparent information to data subjects. For example, if the information gathered is going to be used for marketing purposes, the subject should have the right to object. So, the data controller must immediately share this when gathering the data. Of course, no one can take personal data without permission. Consent must be freely given, specific, informed, and unambiguous. It must also be as easy to withdraw as it is to give. If the data subject has no genuine and free choice, that is not consent. Or, if they are unable to withdraw or refuse consent without repercussions? Fun fact: not consent. (Valuable life lesson, folks). Consent must be explicit for sensitive data. The data controller must also be able to prove that the subject did, indeed, give consent.

    What Do I Need to Do to Comply with GDPR?

    Given the complexity of GDPR, your response plan needs to be multi-dimensional. The first step is asking yourself the classic trio of data security questions:

    • Do you know all the personal data you have? This includes your customers, employees, contractors, patients, suppliers, and the like.
    • Where is this data stored and used? You need to have a deep understanding of where your data lives in transit and at rest. Be aware of whether it’s in the cloud, on separate hard drives, or backup tapes. And do not forget the mandate to have user consent on sharing that data!
    • How will you protect this data? Your applications, databases, and networks are complex. They all need multi-layer security measures in place to safeguard personal data. Knowing exactly what your organization needs is an in-depth discovery process. It can’t be a one size fits all fix. But, it is very important.

    Answering these questions will give you a high-level view of what you need to do to comply with GDPR. Conduct assessments on the potential impact of implementing these necessary changes. Also, include a consent management strategy and a plan to handle data access requests. Unfortunately, you should also prepare for the worst. Assess the possible impact of privacy violation. Better yet, include your legal team in the loop. Better still, make strong choices that ensure you never need them.

    Atlantic BT is well versed in the various regulations throughout the tech world. We develop functional, compliant websites that work for everyone. Contact us for more information on GDPR and for a free consultation to make sure your site is up to date.