Mobile Security: Crunchy on the Outside, Soft on the Inside

May 10, 2013

When we hear of mobile malware (especially on Android) growing 163 percent or infecting 32.8 million devices in 2012, it’s easy to understand why having a security strategy and solution for employee-owned devices is essential. However, what can sometimes get lost, especially for organizations looking to bolster their security posture, is how to prioritize security across your environment.

To be clear: establishing a perimeter defense in your network is important – very important. But if you’re a company that hasn’t already covered the basics, where should you begin? Many companies are now realizing that security is not just about holding the enemy at the gates, it’s also important to understand when the enemy is already within them. A good security posture starts by assuming you are compromised and then asking the hard questions: “Would I even know if I were compromised? What is the enemy doing? How can I stop them once they are inside?”

Security doesn’t start with BYOD – that’s just one aspect of a much larger picture. Should you really be focused on the doors to your house when the foundation is crumbling? Enterprise security shouldn’t be built like an M&M – crunchy on the outside, soft on the inside – it should be crafted more like a jawbreaker – hardened from the inside out. Of course, you want everything hardened, but you can’t tackle all aspects of your infrastructure at once. You need to prioritize based on risk and value. Attackers are after intellectual property and they have a particular appetite for credentials to help them come and go as they please. Build concentric circles of defense starting with your critical infrastructure, then extend to your application and database servers, and then encompass other sensitive systems like finance and your highest risk end-user systems (e.g., remote users, publicly accessible systems, etc.).

Also, what is a perimeter these days? When it comes to securing mobile devices and cloud computing, your corporate assets are being accessed from around the world, in Internet Cafes and homes, and by devices that don’t travel through any “known” perimeter (3G/LTE networks, etc.). Authors of advanced malware are currently targeting endpoints and servers with more regularity than mobile devices. Mobile attacks tend to be focused on small financial gains, not stealing intellectual property. So what we saw in the past with hackers changing dial-up modem settings to expensive toll lines and pocketing the cash, we now see with mobile hacking and expensive premium SMS messages; cybercrime – not cyberespionage.

Mobile devices still represent security vulnerabilities because of the unprotected credentials and company documents they store. The data on these mobile devices could always be used in more advanced attacks on desktops or servers in the future. So it should be part of your strategy to secure employee-owned devices that are not under your primary control. All I’m saying is start at the center where the data and systems are easily identifiable and there are proven technologies that exist to stop advanced threats from executing in your environment. As you extend your security layers, you will be left with a security posture that’s more sour than sweet for cyberattackers.

via Mobile Security: Crunchy on the Outside, Soft on the Inside | Bit9 Blog.


Dealing with Mobility and BYOD Security Challenges? Start with The Network

April 18, 2013

The topic of mobility and BYOD has become a fairly divisive subject, because of the differing perspectives on how to resolve security challenges for the mobile user. Perspective on this ranges from the complexities of dealing with BYOD to a recommendation to keep personal and business devices separate. The fact is, we all have strong affinities for our favorite mobile devices, and just as organizations had to embrace the desire for users to use Macs in the office (remember that controversy?), users are now making their own choices about the mobile devices they use at work. When employees are given the resources to do their jobs in more places, they find better and more productive ways to work.

The challenge is how to give users the full advantage of their mobility platform of choice without introducing risks to the business. A key part of that challenge is enabling flexible mobile security options depending on the device and use case. For example, an employee on an unmanaged device may just require access to the Internet, while another employee on a managed device may require full access to specific data center applications. Your mobile security solution should support both use cases.

While there are multiple considerations to secure mobile traffic, it’s the network where you must start. This means maintaining a secure connection, keeping the traffic across it safe, and extending it to all users. By retaining control of the network, organizations can embrace mobility by making it safe for all users in all locations, regardless of the device. Starting from this premise, it becomes much easier to think in terms of how to make mobility work for your organization by providing the security to enable safe usage rather than trying to prevent it.

If you’d like to learn more about mobility and BYOD security challenges, check out my latest SecurityWeek article.


Bring Your Own Demise [INFOGRAPHIC]

March 6, 2013

Bring Your Own Device (BYOD) is certainly not new, but its effects on security and employee behavior are still largely undetermined. To quantify the impact of personal devices in corporate settings, Varonis conducted a short survey and compiled the results in a new research report.

The results may surprise you — more than half of respondents reported someone in their company lost a device with important company data on it, and 22% of lost devices had security implications for the company. Moreover, 86% of employees admit to being “device obsessed,” working on their mobile device around the clock.

Enjoy, share, embed our infographic and download the full report to learn which data protection activities truly matter.

Bring Your Own Demise: A Report of the Impact of BYOD


The growing threat of insider fraud not a top security priority for organizations

March 5, 2013

An Attachmate-sponsored Ponemon survey indicates that the growing threat of insider fraud is not a top security priority for organizations, which is proving to be a costly mistake.

On average, organisations experience approximately one fraud event per week, according to information from the second annual Attachmate and Ponemon Institute survey, “The Risk of Insider Fraud.”

However, only 44% of respondents say their organisation views insider fraud prevention as a top security priority, a perception which has declined since 2011.

The average cost of a data breach in a 2011 study was $194 per lost or stolen record.

The survey reveals some alarming data security trends:

  • On average, it takes 87 days to first recognize that insider fraud has occurred and more than three months (105 days) to get at the root cause of the fraud.
  • 79% of respondents say that in their organization a privileged user has altered, or is very likely to alter, application controls to access or change sensitive information and then reset the controls.
  • 73% of respondents say an employee’s malfeasance has caused financial loss and possibly brand damage.
  • 81% say they already had an employee use someone else’s credentials to gain elevated rights or to bypass separation-of-duty controls.
  • 48% of respondents say that BYOD has resulted in a significant increase in fraud risk.
  • 77% of respondents say the lack of security protocols over edge devices presents a significant security challenge and risk.

“This data demonstrates the invisibility of employee actions across an enterprise,” said Larry Ponemon, chairman and founder of Ponemon Institute. “While organizations may have policies and procedures to thwart insider fraud, it doesn’t mean employees will remain compliant, particularly with the rise of Bring Your Own Device (BYOD) practices.”

“Data security and insider threats continue to be a challenge for organizations, particularly as BYOD brings complexity to enterprise risk management,” said Christine Meyers, director of Attachmate’s enterprise fraud management solutions. “Next-generation enterprise fraud management solutions, such as Attachmate Luminet, are able to correlate cross-channel activity, score risk and provide a screen-by-screen replay of what actually occurred. Add to that the proven deterrence factor that arises from being able to see and monitor use and abuse, and you can see why customers choose to deploy this technology for fraud detection.”

Fraud statistics

  • On average, organizations have had approximately 55 employee-related incidents of fraud in the past 12 months.
  • More than one-third say that employees’ use of personally owned mobile devices has resulted in malware and virus infections that infiltrated their corporate networks and enterprise systems, and another 26% say it is very likely to occur.
  • 61% rate the threat of insider risk within their organization as very high or high.
  • 23% say insider fraud incidents existed six months or longer before being discovered, and 9% could not determine when they occurred.
  • 55% say their organization does not have the ability or intelligence to determine whether an off-site employee’s non-compliance is due to negligence or fraud.

Threats from BYOD, Mobility & Edge Devices

For the first time the study asks questions about the effect Bring Your Own Device (BYOD), mobility and edge devices have on the risk of insider fraud. We define BYOD as the employees’ use of their personally owned mobile devices (typically smart phones, tablets and laptops) for both work and non-work activities.

An edge device is a physical device that can pass packets between a legacy network (like an Ethernet network) and an ATM network, using data link layer and network layer information. An edge device does not have responsibility for gathering network routing information. It simply uses the routing information it finds in the network layer using the route distribution protocol. An edge router is an example of an edge device.

Edge devices and BYOD make it difficult to identify insider fraud

58% agree that BYOD makes it more difficult for the security or compliance department to have complete visibility of employees’ access and computing activities. The majority of respondents (78%) do not agree that employees’ access and possible misuse of edge devices is completely visible to the security or compliance department (100% – 32% of strongly agree/agree responses).

The study defined insider fraud as the malicious or criminal attacks perpetrated upon business or governmental organizations by employees, temporary employees and contractors. Typically, the objective of such attacks is the theft of financial or information assets, which include customer data, trade secrets and intellectual properties. Sometimes, the most dangerous insiders are those who possess strong IT skills or have access to an organization’s critical applications and data.

“With this research, we want to reiterate that organizations are not immune,” said Meyers. “The threat of insider fraud is a growing risk that can result in tangible financial loss to businesses. And the longer an organization takes to address it, the more costly it can become.”

The insider fraud survey includes results from more than 700 individuals at leading global organisations.



BYOS Takes BYOD to a New Level

February 1, 2013

We’re all familiar with BYOD, but what about BYOS? BYOD has been taken to another level with Bring Your Own Storage (BYOS) also known as Bring Your Own Application (BYOA).

BYOD technology has grown and is continuing to revolutionize the way we work in a modern business environment. BYOD first became a large trend among large corporations looking strategically at the way employees use and work on computers within the workplace. Employees now have their own personal storage cloud allowing them to access their work and data from any device anywhere in the world—changing the way organizations work. Employees can now work from any location around the globe, which brings benefits to the company, such as optimizing talent sets and allowing organizations to “cherry pick” their employees from anywhere in the world.

The demands of business have become far more advanced than one could have predicted 10 years ago. Storage systems have developed over the past decade, such as new developments with cloud, drive mapping, peer sharing, team collaborations, and version control.

EMC, the network storage specialist, developed an innovative and unique approach to cloud storage options, called Syncplicity. Syncplicity offers companies the option to use the cloud-based service while keeping data storage in-house. The concept EMC developed could arguably be considered the current trendsetter in bringing BYOD and BYOS together, making way for a new future of the virtual office. This technology is ground-breaking in that it allows organizations to give users the convenience of a cloud-hosted file-sharing service through which they can share files with anyone, both inside and outside the firewall.

VMware is developing BYOS even further. VMware unveiled its Version 5.1 of VMware View, a point release of the VDI platform that promises to lighten the load on shared storage through smarter caching. VMware View 5.1 broadens support for peripherals through a new USB stack and includes updated clients for Mac, Windows, and Linux desktops for thin and zero clients as well as the iPad, Android, and Kindle Fire tablets.

VMware also has injected more security and compliance features into View than EMC. Admins can centrally enforce endpoint security and policy configuration and streamline antivirus processes. Additionally, View 5.1 integrates with RADIUS two-factor authentication, giving organizations an extra layer of security that provides advances over EMC’s technology.

Adding to these enhancements, VMware launched VMware vCenter Operations for VMware View: Cloud Infrastructure Insight. This add-on for View is designed to give admins in VMware vSphere shops broader insight into desktop performance and the ability to troubleshoot problems and optimize resource utilization from within vSphere’s vCenter console. Such technology lets customers extend their IT operations no matter where in the world their staff may be working.

Businesses that want to offer the best technological resources to their staff should embrace this change, as OEMs continue developing BYOS cloud offerings. Moving forward in a contemporary business world means we could possibly see many more virtual workers based in several different international locations. With the advancements in BYOD and BYOS, proactive companies will embrace the collaboration of these two emerging technologies.


Here’s how BYOD turns into a monster – Sykes’ Board

December 4, 2012


Here’s just some of the havoc this monster has caused:

  • 71% of businesses surveyed said mobile devices caused an increase in security incidents.
  • 51% of organizations experienced data loss from employee use of unsecured mobile devices.
  • 67% of Apple iOS devices are running outdated firmware.

Infographic from Rapid7.


Biggest BYOD challenge: Protecting private data

November 29, 2012

The dirty secret of BYOD is that employees are giving up their personal privacy in exchange for the convenience of choosing their own phone and conducting life on a single device.

It’s all well and good to have that freedom, but there are ways to balance employee personal privacy with the needs of the company, says Apperian’s CTO Carlos Montero-Luque.

Montero-Luque says employees face two main challenges when they accept the BYOD bargain, and they might not even realize it.


“The first is whether or not they are willing to give the company full control of their device. By allowing the company/IT department full control of their device, they’re giving permission for those departments to view their personal content, access it, delete it, or even become involved in any legal matters (e.g., discovery in a lawsuit),” Montero-Luque explained.

The second and less obvious concern is that the controls the company puts on your device could actually make the experience worse by slowing down the phone or reducing battery life. “Employees want to experience the device they bought in the same way they expect even while they are at work,” Montero-Luque said.

Given these limitations, why do employees even want to bring their own devices? He says it’s not all that complicated, actually.

“Consumers feel the devices they can choose from are better than those enterprises offer to them. Users are more comfortable with the devices they purchased, as they provide an overall better experience with perks such as the ability to upgrade software and apps as they become available.”

Employers also face a set of challenges when they allow employees to choose their own devices. Most obviously, there is the issue of how to manage a myriad of devices with different software and operating systems without compromising private information on the device. If you need to remotely wipe enterprise content, for example, there is no reason you should have to wipe out the photos, address book and personal texting history at the same time.

One way to solve this dilemma for both parties is to compartmentalize the enterprise data.

“Compartmentalizing enterprise data tries to solve BYOD issues for both companies and their employees by creating two separate personas. A corporate persona, including all corporate content, and a consumer persona, including all personal content,” Montero-Luque said.

He says that while it’s a step in the right direction, this approach creates two separate machines within a single device. He says this division of labor comes with the same issues you have when you carry two phones. You eliminate one of the devices, but you are essentially running two anyway, creating a similar problem by having to switch between the two personas.

He says that instead of trying to create two devices in one, the compartmentalization should be done at the individual corporate item, app, or document level. This way the compartmentalization is as invisible as possible to the user, but still effectively secures access and content.

“Instead of this traditional solution, the goal ought to be to allow employees to access their corporate content in the same way as they would access their personal content, with the same user experience and device capabilities, while at the same time, seamless to the user, providing the full level of security, privacy, access control, and auditing capabilities that remain, more than ever, absolute requirements for IT departments as the guardians of corporate assets and data.”

This approach, which not coincidentally is how Apperian helps manage BYOD devices, provides a single device with one user experience instead of two separate ones. It also enables the company to control the device at the back end and eliminate obsolete documents or to shut off access to enterprise content when an employee leaves the company or loses the device.

More specifically, Apperian uses an enterprise app store where employees can access sanctioned enterprise apps. “Because we enable the delivery of corporate assets to BYOD devices via an enterprise app store, we track every app and content delivered and this enables the administrator to track and erase each specific corporate asset from the device without touching personal apps and data,” Montero-Luque explained.
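As an added illustration of the per-asset tracking and selective wipe described above (this is not Apperian’s code; the class names and sample assets are constructed), the store below records every corporate asset it delivers to a device, so that offboarding removes exactly those assets and leaves the owner’s personal items untouched:

```python
"""Model of per-asset containment for BYOD: corporate assets delivered through
an enterprise app store are tracked individually, so a wipe removes only those
assets (with an audit record) and never the employee's personal apps or data.
Constructed illustration; names and sample data are assumptions, not a real API."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    asset_id: str
    kind: str          # "app" or "document"
    corporate: bool    # True only for items delivered by the enterprise store


@dataclass
class Device:
    device_id: str
    owner: str
    items: dict = field(default_factory=dict)   # asset_id -> Asset


class EnterpriseStore:
    """Tracks which corporate assets were delivered to which device."""

    def __init__(self):
        self.delivered = {}   # device_id -> set of asset_ids delivered
        self.audit = []       # (action, device_id, asset_id, reason) tuples

    def deliver(self, device, asset):
        device.items[asset.asset_id] = asset
        self.delivered.setdefault(device.device_id, set()).add(asset.asset_id)
        self.audit.append(("deliver", device.device_id, asset.asset_id, ""))

    def selective_wipe(self, device, reason):
        """Remove only assets this store delivered; personal items are never touched.
        Assets the user already deleted are still logged so the audit trail is complete."""
        tracked = self.delivered.pop(device.device_id, set())
        removed = []
        for asset_id in sorted(tracked):
            asset = device.items.get(asset_id)
            if asset is not None and asset.corporate:
                del device.items[asset_id]
                removed.append(asset_id)
            self.audit.append(("wipe", device.device_id, asset_id, reason))
        return removed


def offboard_demo():
    """Constructed scenario: an employee leaves; only corporate assets are wiped."""
    phone = Device("dev-001", "alice")
    # Personal items installed by the owner, never seen by the store.
    phone.items["photos"] = Asset("photos", "document", corporate=False)
    phone.items["chat-app"] = Asset("chat-app", "app", corporate=False)
    store = EnterpriseStore()
    store.deliver(phone, Asset("crm-app", "app", corporate=True))
    store.deliver(phone, Asset("q3-forecast.xlsx", "document", corporate=True))
    removed = store.selective_wipe(phone, reason="employee departed")
    return removed, sorted(phone.items), store.audit
```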

In the end there are a number of approaches that companies can take to protect data, but both employers and employees should understand the issues that come with BYOD — and should work together to find the best approach for their organization.


Thanks to Ron Miller, a freelance technology journalist, blogger, FierceContentManagement editor, and contributing editor at EContent Magazine.
