A hacker’s dream: two-thirds of SharePoint users have no security policy
February 28, 2013
Even though Microsoft SharePoint is widely deployed throughout enterprises and SMBs as a collaboration platform, a shocking two-thirds of SharePoint-using companies in a recent survey have admitted to having ‘no active security policy’ in place for the application.
The situation translates to a smorgasbord of opportunity for a hungry information-hijacker, but one which could soon turn into an all-you-can-eat buffet. The study, carried out by Emedia and provided to Infosecurity on an exclusive basis, investigated a wide range of businesses from 25 through to 5000+ PC users. The study found that while about half (52%) of those surveyed were currently using SharePoint, the other half planned to adopt the application once its social networking enhancements were live.
“This is a data leakage time bomb,” said security specialist and UK Accounting Standards Board member Steve Bailey. “SharePoint is a very widely-used medium, and it’s growing fast, so it is remarkable that IT-savvy users are disregarding the security implications. This could be down to complacency, confusion as to where the responsibility for developing such a policy lies, or simply lack of awareness.”
Whatever the root cause, he noted that in many organizations, SharePoint use has grown organically to “become part of the fabric of the business without being subject to mainstream security controls.”
The employees themselves are part of the problem, but working out how to implement an IT policy that makes sense is a conundrum for many IT professionals, and that difficulty contributes to the lack of any policy at all.
“Banning data sharing is not the solution – that’s both impractical and undesirable,” said Martin Sugden, CEO at Boldon James, which sponsored the study. “In fact, refusing to share data is inefficient and potentially dangerous. What’s important is striking the balance between the need to protect information and the need to share it.”
The survey concluded that a protective marking solution for labeling the data’s level of sensitivity needs to be implemented. Many government agencies use protective marking to minimize inadvertent disclosure of confidential information, while commercial organizations employ protective marking to control intellectual property or information containing customer data.
By clearly identifying sensitive information using a classification solution, it becomes easier to ensure that access control methodology is correctly connecting the right users to the right data, Sugden noted.
Yet the study discovered that 65% of respondents are not yet marking any of their data. A very low 9% of respondents said they protectively mark all emails, and the same percentage said they do the same for all documents. Only 17% of respondents said they mark all email and documents.
“When you consider that hundreds – and even thousands – of users could be accessing your SharePoint server, it makes sense to have a solid SharePoint security policy in place,” added Sugden. “[SharePoint] is a superb tool for creating routes into your data, but you can’t let your user group have unfettered access to data without giving them some method of understanding how sensitive it is – that’s why you have to label.”
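The access-control benefit Sugden describes is easy to see once labels exist. The following is an added example, not code from the survey, Boldon James or SharePoint: it models protective markings as an ordered level plus need-to-know compartments, decides read access and external sharing against the label rather than against the user's judgement, and fails closed on documents nobody has marked (the 65% in the survey). The level names, compartments, users, documents and the `example.com` domain are all constructed for illustration.

```python
"""Added example, not code from the survey, Boldon James or SharePoint:
once every document carries a protective marking, read access and external
sharing can be decided against the label rather than against each user's
guess. Level names, compartments, users and documents are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Protective markings, lowest to highest (constructed hierarchy).
LEVELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str                                  # one of LEVELS
    compartments: FrozenSet[str] = frozenset()  # need-to-know tags, e.g. {"HR"}


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: Label


@dataclass(frozen=True)
class Document:
    title: str
    label: Optional[Label] = None   # None: the document nobody has marked yet


# Fail closed: unmarked data is handled as CONFIDENTIAL until someone labels it,
# so unmarked content does not become the weakest link.
UNMARKED_DEFAULT = Label("CONFIDENTIAL")


def effective_label(doc: Document) -> Label:
    return doc.label if doc.label is not None else UNMARKED_DEFAULT


def dominates(clearance: Label, label: Label) -> bool:
    """'No read up': the clearance must be at or above the label's level and
    cover every compartment the label names."""
    return (RANK[clearance.level] >= RANK[label.level]
            and label.compartments <= clearance.compartments)


def can_read(user: Principal, doc: Document) -> bool:
    return dominates(user.clearance, effective_label(doc))


def can_send_to(doc: Document, recipient_domain: str, org_domain: str = "example.com") -> bool:
    """Handling rule derived from the marking: anything above INTERNAL stays
    inside the organisation's own mail domain, whoever is pressing Send."""
    if recipient_domain.lower() == org_domain.lower():
        return True
    return RANK[effective_label(doc).level] <= RANK["INTERNAL"]


def readers_of(doc: Document, users) -> list:
    """Who in the directory may open this document: the review list a site
    owner would compare against the SharePoint permissions actually granted."""
    return sorted(u.name for u in users if can_read(u, doc))


# Constructed sample directory and document library.
USERS = (
    Principal("alice", Label("CONFIDENTIAL", frozenset({"HR"}))),
    Principal("bob", Label("CONFIDENTIAL")),
    Principal("carol", Label("INTERNAL")),
)
DOCS = {
    "salaries": Document("Q1 salary review", Label("CONFIDENTIAL", frozenset({"HR"}))),
    "brochure": Document("Product brochure", Label("PUBLIC")),
    "unmarked": Document("Meeting notes"),   # never labelled
}

if __name__ == "__main__":
    for key, doc in DOCS.items():
        print(f"{key:9s} {effective_label(doc).level:13s} readers={readers_of(doc, USERS)}")
        print(f"          may leave the organisation: {can_send_to(doc, 'partner.example')}")
```

The two decisions worth noting: compartments make the check stricter than a plain level comparison (bob is cleared to CONFIDENTIAL but still cannot open HR material), and the unmarked default means a labelling gap restricts access rather than silently opening it.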
Steve Bailey warned, “Any business that relies on SharePoint to store sensitive or confidential data should always ensure that its users understand their responsibilities for the safe handling of that information. With the advent of BYOD this extends to employees and associates.”
He cautioned that recent high-profile breaches should serve as object lessons. “Otherwise we’ll have more examples such as the Police email that, according to the [UK's] Information Commissioner’s Office (ICO) ‘contained 863 pieces of personal information’. Police accidentally sent the email containing the results of 10,000 checks with the Criminal Records Bureau (CRB) to a reporter when a staff member copied the wrong person into a message.”
Thanks to http://www.thethreatvector.wordpress.com
Start Sweating the Small Stuff
February 27, 2013
In his recent New York Times article, “That Daily Shower Can Be a Killer,” renowned geographer Jared Diamond observes how Americans tend to greatly exaggerate risks that are sensational and beyond our control—like plane crashes and nuclear radiation—yet underestimate the mundane, but more common risks that we can control—like slipping in the shower or falling from a ladder.
In my geek-centric mind, I immediately drew a corollary to computer security. We’ve all met the engineer who will spend weeks obsessing over which password hashing algorithm to use, but fail to implement a solid password policy.
If you find yourself being hyper-paranoid about dangerous but implausible attacks, stop. Do a quick risk/frequency gut-check to determine whether you’re wasting time. You shouldn’t be debating the strength of SHA-256 while your employees are emailing trade secrets to a Nigerian Prince.
What are some of the fall-in-the-shower type risks when it comes to data protection? Our State of Data Protection Report from last year highlights a few:
- Only 26% of companies are very confident their data is protected
- 18% weren’t confident at all
- 23% of companies were not confident or unsure where their critical business data resides
- 27% of companies did not monitor any access activity on file servers and SharePoint sites
- 13% of companies never revoke access to data when an employee leaves the organization
- 61% do not scan their environment for sensitive data
Based on our results, there’s clearly a lot of room to tighten up these fundamental areas of day-to-day risk. Just as Mr. Diamond’s goal is to reduce life’s common accidents to 1 in 1,000, we should strive to minimize common data security risks, like insider theft, by implementing sound security programs.
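The “risk/frequency gut-check” above can be done with numbers rather than instinct. What follows is an added example, not code from the report or from Diamond’s article: a FAIR-style frequency-times-magnitude comparison of a constructed “fall in the shower” scenario (an ex-employee whose access was never revoked) against a constructed “plane crash” scenario (an attacker defeating the password hashing scheme), with a small Monte Carlo run to show what a bad year looks like for each. The event rates and loss figures are illustrative assumptions, not survey data.

```python
"""Added example, not from the report or Diamond's article: a FAIR-style
frequency-times-magnitude check that ranks a mundane, frequent scenario
against a sensational, rare one. Event rates and loss figures are
constructed assumptions for illustration, not survey data."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # loss event frequency (expected events per year)
    loss_per_event: float    # loss magnitude per event, in currency units


def annualised_loss(s: Scenario) -> float:
    """Expected annual loss: frequency times magnitude."""
    return s.events_per_year * s.loss_per_event


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method for a Poisson draw; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def annual_loss_samples(s: Scenario, years: int = 10_000, seed: int = 1) -> list:
    """Monte Carlo: Poisson-distributed event count per simulated year times
    the per-event loss. Returned sorted so percentiles can be read off."""
    rng = random.Random(seed)
    samples = [_poisson(rng, s.events_per_year) * s.loss_per_event for _ in range(years)]
    samples.sort()
    return samples


def percentile(sorted_samples: list, q: float) -> float:
    idx = min(len(sorted_samples) - 1, int(q * len(sorted_samples)))
    return sorted_samples[idx]


def rank(scenarios) -> list:
    """Scenarios ordered by expected annual loss, highest first."""
    return sorted(scenarios, key=annualised_loss, reverse=True)


# Constructed scenarios: the 'fall in the shower' one and the 'plane crash' one.
MUNDANE = Scenario("ex-employee keeps file-server access and copies data", 6.0, 20_000)
SENSATIONAL = Scenario("attacker breaks the password hashing scheme", 0.02, 2_000_000)

if __name__ == "__main__":
    for s in rank([SENSATIONAL, MUNDANE]):
        p95 = percentile(annual_loss_samples(s), 0.95)
        print(f"{s.name}: expected {annualised_loss(s):,.0f}/yr, bad year (p95) {p95:,.0f}")
```

With these assumptions the mundane scenario costs three times as much per year as the sensational one, and in 95 years out of 100 the sensational scenario costs nothing at all, which is exactly the kind of comparison that should decide where the engineering weeks go. Change the constants to your own estimates; the point is the ranking, not the numbers.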
Want to learn more about risk analysis?
Here are some good resources:
- W. Krag Brotby’s book Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement
- Factor Analysis of Information Risk (FAIR) is a quantitative framework that helps you objectively compare risks
- NIST.gov’s Risk Management Framework (RMF) is a framework to help you select the appropriate security controls for your organization
- The GAIT methodology provides a qualitative approach to risk assessment
4 ways mobile health could save $400B in health costs
February 26, 2013
The latest and greatest in mobile technology is on display this week at the Mobile World Congress (and you can see my colleagues’ coverage of that here). But so are the applications of that technology. Health care, education, urban planning and other sectors stand to benefit from mobile technology and a report out Monday from the GSMA and PricewaterhouseCoopers gives a snapshot of how mobile technology could save money, increase opportunities and enhance health and safety in the coming years.
In Sub-Saharan Africa, one million lives could be saved over the next five years with mobile health initiatives that help patients stick to their treatment plans and access information, and that help aid workers monitor the availability of medication and follow treatment guidelines, according to the report. For example, the Mobile Alliance for Maternal Action (MAMA) enables health care workers and pregnant women to share health information via SMS; TxtAlert in South Africa helps HIV patients and healthcare workers comply with antiretroviral therapy programs, cutting missed appointment rates from 27 percent to 4 percent, the report says.
The article can be found at http://gigaom.com/2013/02/25/4-ways-mobile-health-could-save-400b-in-health-costs/
Cybersecurity Now Top of Mind Around the World and Network Security is Taking Center Stage
February 26, 2013
It’s no surprise that in the wake of the rapid increase in cyber attacks, governments around the world are moving towards strengthening their cyber security, and even taking steps to mandate better collaboration on security issues between the private and public sectors. Here is a sample of the most recent initiatives:
- US – Feb-2013: Obama Orders Cybersecurity Standards for Infrastructure
- European Union – Feb-2013: EU Unveils New Cybersecurity Policy
- Italy – Jan-2013: Italian Government Approves Cybersecurity Measures to strengthen online security and protect critical infrastructure from increasing cyber assaults
- India – Jan-2013: India Developing National Cybersecurity Architecture. India is in the midst of developing a national cybersecurity architecture aimed at preventing sabotage and espionage of its core IT systems and networks
- Australia – Jan-2013: Australia toughens stance on cybersecurity
- Russia – Jan-2013: The Russian Federal Security Service is empowered to create a state system for the detection, prevention and elimination of the effects of computer attacks on the information resources of the Russian Federation
There are important common factors in all the above:
First, a global appeal for stronger collaboration between the public and private sectors to share intelligence on cyber attacks. Under existing EU rules, telecommunication companies are already required to report significant security incidents. Wade Williamson, one of our in-house experts on cyber threats recently wrote in this blog about “Combating Emerging Threats Through Security Collaboration”
Secondly, a shared understanding that the global economy is highly dependent on critical infrastructure that might not be as secure as initially thought. For example, the U.S. executive order specifically mentions power grids, pipelines and water systems.
Finally, full awareness that much of the critical infrastructure supporting a thriving, modern economy relies on a set of interconnected networks and systems that must be closely monitored and protected. The proposed European directive calls out the need for resilient, safe, and stable networks and systems.
One takeaway for our customers is that network security is being more systematically called out in cybersecurity discussions worldwide and is even taking center stage. Some analysts have commented that network security will remain the largest cybersecurity submarket for the next 10 years.
Why? Even as SaaS applications, social networking, mobile devices, or cloud-based computing become mainstream and push the limit of the traditional enterprise perimeter, the network and the firewalls remain the one place where organizations in both the public and private sectors can see all traffic and actually enforce security policy.
via Palo Alto Networks Blog.
Thanks to http://www.thethreatvector.wordpress.com
[Tech] It’s Official: Google Glass Is Here!
February 25, 2013
While Apple iWatch rumors continue to slog their way through the blog-o-sphere, Google has upped the ante. Google’s Glass is not a rumor, it’s real. In addition (according to Google) you can get one by the end of 2013 by entering and winning a special contest.
At least, Google calls it a contest. There are some unique rules. First, you have to pay $1,500 for your Glass, if you win. Also, you have to travel to New York, San Francisco or Los Angeles to pick your prize up. (UPS is not available.)
If that isn’t enough, you have to come up with a really creative idea about how you will use your Glass. If you need help coming up with ideas, Google has released a video entitled How it Feels [through Glass] that provides a behind-the-lens view of the Glass experience.
Google hasn’t specified how many “winners” there will be – supposedly, that will depend on the number of “really creative ideas.”
CNET reported that Glass will be able to connect via Bluetooth to both Android phones and the iPhone, while pulling data from Wi-Fi and using the 3G/4G feeds from the connected phone. Glass will not have its own cellular radio.
What is really at risk that we need to protect?
February 25, 2013
The most important thing you can do is rethink the way you look at data and security. You must understand what is really at risk and then protect it. Below are five key principles that you must remember when it comes to protecting your data:
1. ALL data has value.
No matter how harmless or insignificant a bit of information may seem, it can probably be used by someone and they are willing to pay for it.
2. “Data” means all communication or information.
This may include many things that some may not have considered data such as VoIP calls, e-mails, etc.
3. You must assume all data sent in the clear can be easily collected, mined, replicated and stored.
Over time, mass amounts of data can be collected and sifted through to gain a pretty good view of an organization.
4. Once stolen, data can be sold and used repeatedly by multiple people or groups.
Just because your data is stolen once, doesn’t mean it will only be used once.
5. Security measures should focus on protecting “the thing of value” rather than preventing “events”.
You can’t predict how, when or where an event will take place. This type of defense is always reactionary. Sometimes the event is undetected.
Posted by Bioslimdisk
PCI-DSS: New Mobile Security Guidelines Released
February 22, 2013
Last week the Payment Card Industry Security Standards Council (PCI SSC) released an important document on best-practices for mobile payment security. Merchants have been rapidly adopting mobile devices—tablets, smartphones, notebooks, and other consumer gadgetry—as point-of-sale (POS) systems instead of using proprietary solutions. The trend will continue with experts predicting a $1 trillion mobile payment market by 2017. Unfortunately, this new breed of mobile software and hardware is not yet up to PCI-DSS compliance, so the PCI folks came up with a series of guidelines to help merchants and service providers reduce security risks.
For the IT savvy, PCI’s best-practices for mobile will be second nature. Non-tech savvy merchants, though, may mistakenly assume that off-the-shelf payment solutions based around iOS or Android will provide the same level of security and trust as purpose-built environments. That’s not the case. In 2011, PCI SSC agreed not to certify mobile payments until the appropriate standards are developed.
So what can merchants do in the meantime? One of the most important measures they can take is to use approved scanners and readers that encrypt the primary account number (PAN) and other card data at the point of interaction, so that the mobile device acting as reader/scanner only ever handles ciphertext; even if it is stolen or compromised, the transaction data on it won’t be usable.
In any case, the new guidelines are a good starting point for those looking to secure their systems and reduce the risks of a breach. I’ve listed some of the key points below:
Secure the device
Simply put: make sure the mobile device is in a physically secured location when not in use. As a consumer-level gadget, it’s more open to hacking threats, and one of the easiest attacks is for an unauthorized person to gain physical access to the device and install malware.
Authenticate users
Employ a PIN, pattern, or password that authorized users must enter to gain device access. Enforce re-authentication after a period of time.
Scan for malware
A key thing for merchants and vendors to remember is that a general purpose mobile computer can run more than just payment software. The PCI SSC guidelines not only recommend that merchants remove non-essential applications, but that they also install anti-malware and anti-virus software, as well as keeping it all up to date!
Prefer online transactions
Don’t store transactions on the mobile device for later transmission. This opens a potential security hole if the device is hacked or stolen.
Monitor logs and reports
Even if a merchant has taken all the steps in the guidelines, it’s still critical to detect intrusions or other hacking exploits by scanning logs for unusual activity. This would typically be the responsibility of the service provider doing the back-end transaction processing. Merchants should make sure to ask their processors for activity reports or even, if available, real-time alerts.
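Three of the points above (encrypt at the point of interaction, don’t store transactions on the device, watch the logs) can be checked against the logs a device or processor produces. The following is an added example, not PCI SSC guidance text or any processor’s tooling: a triage pass over constructed point-of-sale log lines that flags a PAN written in the clear (a Luhn-valid 13–19 digit run, which is what “encrypt at the point of interaction” should make impossible), a transaction held on the device for later upload, and a burst of declines from one device. The log format, the field names (`device`, `result`, `mode`, `pan_masked`) and the `store_and_forward` marker are assumptions for illustration; the card number is the well-known 4111… test number.

```python
"""Added example, not PCI SSC guidance text or any processor's tooling: a
triage pass over constructed point-of-sale log lines that flags the things
the guidelines warn about: a PAN written in the clear, transactions held on
the device for later upload, and a burst of declines from one device.
The log format and field names are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Any 13-19 digit run not embedded in a longer digit string is a PAN candidate.
_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every card number passes; cuts false positives
    on timestamps, order numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def cleartext_pans(line: str) -> list:
    """Luhn-valid digit runs found in a line: card data that was never encrypted."""
    return [m.group() for m in _CANDIDATE.finditer(line) if luhn_ok(m.group())]


def _parse(line: str):
    """'<iso timestamp> key=value key=value ...' (constructed format)."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    return datetime.fromisoformat(ts), fields


def triage(lines, burst: int = 3, window_s: int = 60) -> list:
    """Return (finding, line_number, detail) tuples in log order."""
    findings = []
    declines = defaultdict(list)            # device -> timestamps of recent declines
    for n, line in enumerate(lines, 1):
        for pan in cleartext_pans(line):
            findings.append(("cleartext_pan", n, "****" + pan[-4:]))
        ts, f = _parse(line)
        if f.get("mode") == "store_and_forward":   # transaction kept on the device
            findings.append(("offline_storage", n, f["device"]))
        if f.get("result") == "declined":
            recent = declines[f["device"]]
            recent.append(ts)
            while ts - recent[0] > timedelta(seconds=window_s):
                recent.pop(0)                # forget declines outside the window
            if len(recent) == burst:         # flag once when the threshold is hit
                findings.append(("decline_burst", n, f["device"]))
    return findings


# Constructed sample log: line 2 leaks a full PAN, lines 3-5 are a decline
# burst on one device (card testing), line 6 stored a sale for later upload.
SAMPLE_LOG = [
    "2013-02-20T09:14:02 device=POS-07 event=sale result=approved pan_masked=****1111",
    "2013-02-20T09:14:40 device=POS-07 event=sale result=approved pan=4111111111111111",
    "2013-02-20T09:15:10 device=POS-03 event=sale result=declined pan_masked=****0005",
    "2013-02-20T09:15:22 device=POS-03 event=sale result=declined pan_masked=****0013",
    "2013-02-20T09:15:31 device=POS-03 event=sale result=declined pan_masked=****0021",
    "2013-02-20T09:20:00 device=POS-07 event=sale result=approved mode=store_and_forward pan_masked=****1111",
]

if __name__ == "__main__":
    for finding, line_no, detail in triage(SAMPLE_LOG):
        print(f"line {line_no}: {finding} ({detail})")
```

A cleartext PAN finding means the reader is not doing the point-of-interaction encryption the post recommends, and the fix is a different reader, not a log filter; the other two findings are the kind of thing a merchant should expect to see in the activity reports or alerts requested from the processor.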
Posted by david ricketts 
