There are many posts throughout this blog that use the word security in different ways:
See what I mean? There are many more...
The security of the benefit our members have earned over a career in public service is of the highest importance to us, and we strive to maintain not only excellence but to be the absolute best at protecting your data and your benefit. Today we're talking data security. Every year LAGERS participates in an external security assessment, and for the 6th year straight we've come out on top with a perfect 4/4 rating. Our director of technology Jamie Houk explains how we stay on top of our game and maintain the highest standards in the Data Security space.
Why does LAGERS participate in an external security assessment?
The goal of an external security assessment is to identify vulnerabilities and weaknesses a company may have on its network, system devices, or websites. These findings may expose the organization to hackers, malware, and other malicious threats. Performing routine security assessments allows the company to strengthen their cybersecurity efforts to protect against data breaches and other harmful events. Imagine hiring a professional burglar to assist you with securing your home from break-ins. It’s very similar, however, our home is all digital and can be accessed from anywhere in the world.
Who performs the assessment?
LAGERS partners with a 3rd party cybersecurity firm that specializes with performing external penetration and security assessments. The firm is made up of highly skilled individuals who are experts in the field of information security and cyber forensics. These individuals are required to hold and maintain a wide range of security certifications that are similar or equal to what our national intelligence agencies require for their own staff. Most of these professionals must obtain between 15 to 20 different certifications to be considered as a Certified Ethical Hacker and be Department of Defense compliant. Along with their education, they perform these assessments by utilizing the same tools and programs real life hackers and our defense industry uses. In a nutshell, they can truly simulate an attempt to breach an organization’s network.
What is the overall process and what makes up the grading scale?
The overall process is pretty massive actually. They start by performing a full network reconnaissance on all of our external facing websites and applications, such as myLAGERS for our members, and ECLIPSE for our employers. Once they have the targets, they use tools and programs to gain unauthorized access into the system. One tool, for example, attempts to guess a username and password for entry into a member’s account. This tool alone can simulate millions of guesses in a matter of minutes by using common passwords and every word in the dictionary. This is sometimes referred to as a brute force method. Other tools they have at their disposal help identify any vulnerabilities and weaknesses such as missing security patches, coding errors, and other security misconfigurations. If a weakness is found, they will then attempt to exploit it further to gain access into our network. These are only a couple of the actual 60,000 different types of tests they perform for our assessment.
Similar to a G.P.A., their grading scale is from 1 to 4, with 4 being the highest in terms of strength of security and utilization of industry best practices.
How difficult is it to achieve a 4/4 grade?
It can be very difficult, especially with so much stuff being online these days. There’s a lot to think about in terms of security for each website and application we have. They all have different types of settings and configurations that we have to be experts in so we can keep them secure. If and when a vulnerability is found, it’s given a rating based on how severe it can be to a network. Obviously some can be small and easy to fix while others pose the greatest danger to an organization. Once these findings and ratings are totaled, the final grade is determined. We are pleased that we have achieved a 4 out of 4 rating for over 6 years now!
What is LAGERS “secret” for maintaining such high standards in terms of the security of the system?
Our secret is we work really hard at keeping our organization secure from the external threats we face. Every day, we research what the latest exploits are and how to guard against them. It’s really amazing how many new and unique threats there are on a daily basis.
Another secret is a couple of members on our team have a few of the same security certifications as the cybersecurity firm we partner with have. This really helps us to think like a hacker and strengthen our own security knowledge.
What is the biggest challenge LAGERS and other pension systems face in terms of internet security?
The biggest challenge for any company or organization is the ability to adapt to change. Security, along with technology in general is changing at a very rapid pace. The companies you hear or read about that have been breached are usually the ones who are slow or failed to adapt to new security requirements. It wasn’t all that long ago that only a general username or password was needed for security. Now, an increase in password complexity that utilizes more letters, numbers, and special characters are required to meet basic security. Additional authentication factors are becoming the norm such as pin or access codes being sent to your smart device for identity verification. Although some may see this as a hassle, it really shows how important security has become in our everyday lives.
Another challenge many of us face is social engineering. Similar to spam in your inbox, social engineering is a new form of tricking people into opening dangerous attachments, clicking on unsafe links, or providing personal and/or confidential information to a hacker. This new form is now the number one reason for today’s security breaches. For most companies, the best way to defend against social engineering is user training. We always encourage our staff to be on the lookout for impersonators and never click on or open questionable links or attachments. They understand that a single wrong click could be devastating to our organization and members.
What do you see as the future of keeping the system safe?
It’s only going to get harder and more complex to defend against all of the threats. Having things like a security plan in place and continued testing is vital for any company going forward. I like to joke with our staff and tell them that the only way to be 100% secure is to disconnect from the internet. We obviously couldn’t do that in today’s world. Our only other options are to remain informed and keep working hard by listening to the security experts and applying their recommendations.