Tag Archive for Security

BYOD: My Phone Your Problem

Fujitsu warns that BYOD programs have a lot of hidden costs that IT departments often do not consider, according to a recent article on FierceMobileIT. Craig Merrick, the managing consultant for mobile business solutions at Fujitsu (6702), explains the sources of the extra costs of a BYOD program.

The enterprise can incur significant additional costs if it tries to support all versions of the operating systems being used by BYOD employees. Mr. Merrick says software updates to smartphones could cause problems with existing corporate applications, which could lead to the help desk being overwhelmed with calls.

BYOD support costs

He cites a recent Fujitsu survey of 25,000 BYOD end users, which found that 80% of users believe their corporate IT department is responsible for fixing issues with their personal devices. “They want to bring their own device but they don’t want to take responsibility for fixing it,” Fujitsu’s Merrick said. Gartner (IT) forecasts that supporting BYOD will cost enterprises $300 per employee annually by 2016, up from a current $100 per employee annually.

Another area of unforeseen cost, according to the article, is a security breach caused by BYOD. A survey (PDF) of 790 IT professionals by Dimensional Research on behalf of security firm Check Point found that 79% of respondents reported they had a mobile security incident within the past year. Many of these incidents stemmed from employees storing corporate information on personal devices.

Mobile security incidents

The report revealed that more than half of large businesses reported mobile security incidents that have cost them more than $500,000. For 45% of SMBs, mobile security incidents exceeded $100,000 in the past year, the survey found. Tomer Teller, security evangelist and researcher at Check Point, commented:

Without question, the explosion of BYOD, mobile apps, and cloud services has created a herculean task to protect corporate information for businesses both large and small.

The article concludes that additional costs for firms contemplating BYOD can include network infrastructure upgrades, wireless service costs, device management product investment, and application and software investments, Forrester (FORR) analyst Michele Pelino explained.

rb-

Many businesses believe that implementing a BYOD policy will save them both the capital outlay of acquiring devices and the ongoing cost of maintaining them. But the reality does not always match the theory. Planning and implementing a successful BYOD program requires executives to understand the costs as well as the benefits.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Is The Perimeter Dead?

Even while mobile, cloud, and software services are blurring the lines of corporate IT boundaries through deperimeterization, DarkReading recently asked out loud whether the perimeter is dead.

There are those who believe enterprises are wasting their security budget on perimeter protection. In fact, FierceTelecom reports that 57% of enterprises responding to a survey said they plan to spend $500,000 or more in 2014 to upgrade their firewalls to high-speed network interfaces. Security is the chief reason cited.

The perimeter is dead

It is no surprise that the answers varied according to the author. Hardliners have been hammering on the death of the perimeter for a long time now. “Perimeter security is no longer relevant to enterprises. With the mobilization of the workforce, it’s very hard to define the perimeter of any organization because mobile-enabled employees are connecting to the network from all over the world on devices of their choosing,” Thevi Sundaralingam, vice president of product management at Accellion, told DarkReading. “Next-gen security needs to focus on keeping content safe, not on defining a network perimeter.”

People are giving up on the perimeter

Then there are the cynical abandoners. “In my opinion, perimeter security is not dead — it just has been handled incorrectly for so long people are giving up,” Alex Chaveriat, a consultant at SystemExpert, told the blog.

But others believe perimeter protection still has plenty of relevance for enterprise IT, even if it means rethinking the role of the perimeter and how these defenses are deployed. Corey Nachreiner, director of security strategy for WatchGuard (a firm that sells firewalls), believes the perimeter is different but still relevant.

The perimeter will never die, it will just get more focused … Sure, our workforce is getter (sic) more mobile, which means we need to incorporate new security solutions. But let’s not fool ourselves. The perimeter will never go away.

The perimeter is different

WatchGuard’s Nachreiner believes that the new perimeter needs to focus on server infrastructure and data centers, not on endpoint users. He believes firms will have to work in a hybrid environment that bolsters the perimeter rather than replacing it. “Just because people are using mobile devices and cloud services doesn’t mean they won’t still have local servers and assets behind a relatively static perimeter.”

Another argument for perimeter defenses, according to the author, is network egress monitoring. Michael Patterson, CEO of Plixer International, told the author that egress visibility is crucial to pinpoint large-scale breaches.

Ultimately, the bad guys need to pass through the perimeter in order to complete the exfiltration of the data they are trying to steal … Monitoring behaviors is playing a significant role in this area as is the reputation of the site being connected to.

The perimeter is growing

CEO Patterson also explains that perimeter defense doesn’t necessarily have to be placed at the edge. He told DarkReading it may have more relevance inside the network to watch and block threats within the organization. It’s for this reason that Mike Lloyd, CTO of RedSeal Networks, says that rather than dying, the perimeter has actually grown in recent years. In the article he says:

Companies have more and more perimeters that are getting smaller and smaller … Regulation drives it: PCI demands internal “zones” of segregation. BYOD drives it: Once you let zany uncontrolled endpoint devices onto your network, you have to build zones to keep them away from internal assets. Security drives it: We’ve talked about defense in-depth for years, but people are finally doing it.

As a result, RedSeal’s Lloyd says, security practitioners have more opportunities for controls. This, though, can be a blessing and a curse. The downside is complexity, more controls in more places … The aspirin for that headache is automation. Make sure that all the enclaves you designed are actually set up and maintained properly as change happens.

rb-

The last time I re-designed a network, we put a Check Point (CHKP) firewall in front of the server segment. We dropped it in, in transparent mode, to collect the who, what, when, and why of people accessing data; you should have heard the howls of protest.

Despite naysayers, many security experts believe perimeter defenses have relevance when deployed as a part of defense-in-depth.


Security From the Heart

We have all heard the horror stories of password management. Users choose the same weak passwords and trade them for chocolate bars. They keep track of them on post-it notes. Firms are negligent in managing weak passwords. Help Net Security wrote about the latest innovation in passwords from Canadian security start-up Bionym.

Bionym created Nymi, a bracelet/wristband containing an ECG (electrocardiogram) sensor that “reads” the unique heartbeat pattern of the wearer. The bracelet will use the ECG to authenticate to electronic devices: cars, computers, smartphones, TVs, etc.

“It was actually observed over 40 years ago that ECGs had unique characteristics,” Bionym CEO Karl Martin pointed out to Tech Hive. “What we do is ultimately look for the unique features in the shape of the wave that will also be permanent over time. The big breakthrough was a set of signal-processing and machine-learning algorithms that find those features reliably and to turn them into a biometric template.”

“When you clasp the Nymi around your wrist it powers on. By placing a finger on the topside sensor while your wrist is in contact with the bottom sensor, you complete an electrical circuit. After you feel a vibration and see the LEDs illuminate, your Nymi knows you are you and your devices will too. You will stay authenticated until your Nymi is taken off,” the firm’s website explains.

3-factor security

The Nymi functions on a 3-factor security system. To take control of your identity you must have your Nymi, your unique heartbeat, and an Authorized Authentication Device (AAD). The AAD could be a smartphone or other device registered with their app.

No details about the bracelet’s security have been shared on the site. Ars Technica’s Dan Goodin has pumped Martin for information and, so far, the news is good. Elliptic curve cryptography is used to ensure data traveling between the bracelet and the device is not monitored or intercepted by attackers. ECC also encrypts the handshake performed between the bracelet and the devices being unlocked.

“The Nymi also has motion sensing and proximity detection that allows users to perform remote, gesture-specific commands, creating a dynamic and interactive environment,” it is explained. “A simple twist of the wrist can unlock your car door.”

When it arrives, Nymi will offer three-factor authentication: the wristband itself, your unique cardiac rhythm, and a mobile device, such as a smartphone or tablet. The Nymi hardware acts as a secure token that ties into the biometric. The wristband will need to check in with your smartphone or tablet at the beginning of the day.

rb-

The thing that excites me most about Nymi is its potential to get rid of passwords. I think the password has a limited shelf-life. Once wearable computing takes off and payment processing is integrated with biometrics on the wearable devices, there will be no need for passwords.

Bionym’s Martin stated, “[Killing the password] is one of our goals,” noting that the Nymi will be compatible with the FIDO Alliance.

FIDO, which stands for Fast IDentity Online, was created by PayPal and Lenovo (LNVGY) and now counts Google (GOOG) and Microsoft (MSFT) among its members. The alliance has set out to create the next-generation standard for identity verification.


Social Engineering Terms

Social engineering means manipulating a person to get access without authorization. Practically speaking, it’s a blanket term for non-technical hacking. FierceITSecurity gives the classic example: a hacker calls the target and pretends to be “from the IT department,” getting the target to divulge a password or other sensitive corporate information.

Derek C. Slater at FierceITSecurity discusses a short list of social engineering terms with Chris Hadnagy, author of the book “Unmasking the Social Engineer: The Human Element of Security.” The author explained that some of the terms below aren’t social engineering per se, but they are related to the same goal: gaining unauthorized access to information, systems, and facilities through deception and other non-technical means.

In his Social Engineering course, Mr. Hadnagy tells participants that one goal is that every target “will be glad to see them” because the social engineering methods covered seem friendly, not antagonistic. “It’s amazing how much information people will give you if you’re just nice to them,” he says. “Con men don’t look malicious–they’re the guys with the biggest smiles.”

Social Engineering terms

Confidence trick: The ‘con’ in “con man” refers to gaining the confidence of the target before attempting to exploit him. Examples: the movie The Grifters with John Cusack, and every Ponzi scheme from Charles Ponzi himself on through to Bernie Madoff and whoever’s doing it now. And somebody’s doing it now, warns the article.

Amygdala hijacking: Your amygdala is the part of your brain that manages decision-making and emotional responses. “Amygdala hijacking” in the social engineering context means putting the target emotionally off-balance by causing stress, or contacting the person during an unusually stressful time, according to Hadnagy. That means the target is less rational and more vulnerable to exploitation.

Example: Friday at 4:30 pm, or the day before holiday vacation starts, many employees–not you or me, obviously–are anxious to get out of the office. That’s a perfect time for a pretexting call (see below) or a hacker-simulated crisis, putting the target further off-balance and making them more likely to do whatever is expedient–giving information over the phone or via email to make the “crisis” go away.

Elicitation: Getting information without asking for it directly.

Influencing: Mr. Hadnagy says influencing means provoking a desired response from the target “while getting them to think it’s their idea.”

Manipulation: Getting the target to perform the desired action, regardless of whose idea they think it is. Unlike influence, manipulation could involve a direct or implied threat, for example.

Pretexting: In Mr. Hadnagy’s definition, pretexting is equivalent to method acting. The social engineer doesn’t just say “I’m Bob”–he becomes Bob.

Example: Contracted to test one company’s defenses, Hadnagy gained access to various facilities by posing as Paul the Pest Inspector. “I had the uniform with the name patch, I had Paul’s business cards, and for a day before the event, my team was calling me ‘Paul’,” he says.

Phishing: The use of email as a conduit for social engineering attacks.

Example: Know those emails that start “I’m Prince Phillip and I need help transferring my royal fortune to an American bank”–the venerable so-called 419 or Nigerian scam? People still fall for those. It’s a phishing attack and an example of a confidence scam.

Spear-phishing: Spear-phishing is a more targeted form of phishing. Instead of blasting that “I’m a Prince” email to everyone with an email address, a spear-phishing attack is personalized to reach a small group or individual.

Example: A hacker identifies a target, Fred, and finds personal details, professional connections, and current project information via Fred’s LinkedIn profile. He then sends the target an email that is correctly addressed to Fred, appears to come from a real colleague, and references specific project details. Fred is much more likely to click on malicious links or open attachments in this email than he is likely to respond to Prince Phillip spam.

These next four terms don’t involve deception. However, they’re all important non-technical information attacks and can work in concert with social engineering efforts.

Harvesting: Using publicly available sources–particularly on social media, these days–to gather information about a target for later use in social engineering.

Dumpster diving: Means what it sounds like: rooting through the trash to find discarded papers or items with valuable information. This is less glamorous than social engineering, but it’s also a useful form of harvesting and doesn’t need human interaction. (rb- I have covered the dangers of dumpster diving on Bach Seat since 2010.)

Shoulder surfing: Reading sensitive information on-screen over the shoulder of a legitimate user.

Tailgating: The ancient practice of going through a physical access point on the heels of someone who has an access card, key, or entry code. Catching the door before it shuts behind them, as it were.

rb-

Whether it is your home or corporate email account, social engineering is dangerous. Being educated about the risks of social engineering is critical. The next time someone reaches out via email or the phone, take a second and ask a few questions before you give away your digital identity, unless of course they also have a candy bar.


Limit Admin Rights to Close Microsoft Holes

It’s been best practice for a very long time: all users and processes should run with the fewest privileges necessary. That means no Admin rights for users. This limits the damage that can be done by an attacker if the user or process is compromised.

ZDNet says that running users without admin rights on Microsoft (MSFT) Windows XP was generally impractical. It is a much more reasonable and manageable approach on Windows Vista, Windows 7, and Windows 8, but many organizations still run users as administrators because it makes things easier in the short term.

Impact of running with “least privilege”

ZDNet cites a new study from UK software company Avecto which demonstrates the real-world impact of running with “least privilege”. In 2013, Microsoft released 106 security bulletins and updates to address the 333 vulnerabilities identified in them. 200 of the 333 total vulnerabilities would be mitigated if the user were not running as administrator. 147 of the vulnerabilities were designated critical; 92 percent (135) of these would be mitigated.

Dark Reading says that the Avecto results also revealed that removing admin rights would mitigate:

  • 91% of critical vulnerabilities affecting Microsoft Office,
  • 96% of critical vulnerabilities affecting Windows operating systems,
  • 100% of vulnerabilities in Internet Explorer and
  • 100% of critical remote code execution vulnerabilities.

[Figure: Breakdown of Microsoft vulnerability impact in 2013]

Avecto told ZDNet that non-administrator users can still be compromised, but it’s much less likely that they would be and, if they were, the impact would likely be greatly limited. Least privilege is most effective as part of a more comprehensive security architecture including the prompt application of updates to patch vulnerabilities.

Paul Kenyon, co-founder and EVP of Avecto, told Dark Reading, “This analysis focuses purely on known vulnerabilities, and cybercriminals will be quick to take advantage of bugs that are unknown to vendors. Defending against these unknown threats is difficult, but removing admin rights is the most effective way to do so.”

rb-

Employees with admin rights can install, modify and delete software and files as well as change system settings, making more work for the help desk folks. The report demonstrates that many companies are still not fully aware of how many admin users they have and consequently face an unknown and unquantified security threat. It is also conceivable that privilege management would have made high-profile attacks such as the recent one on Target, if not impossible, then much harder, by reducing the potential for the abuse of partner access, believed to have been at the heart of the breach.
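The first step toward the least-privilege posture Avecto describes is knowing who actually holds admin rights, which the report says many companies do not. The script below is an added example, not code from ZDNet, Dark Reading, Avecto or the Bach Seat: it lists the members of a Windows host’s local Administrators group, compares them against an allow-list, records whether the current session is itself elevated, and dry-runs the removal of anything unapproved. It assumes Windows 10 / Server 2016 or later, where the Get-LocalGroupMember and Remove-LocalGroupMember cmdlets exist; the allow-list entries are constructed placeholders.

```powershell
# Added example (not from the articles or Avecto's report): audit local
# Administrators membership and flag accounts that are not on an approved list.
# Assumes Windows 10 / Server 2016+ (Microsoft.PowerShell.LocalAccounts module).

# Hypothetical allow-list: the built-in Administrator account plus a domain
# group for workstation support staff. Replace with your own names.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CORP\Workstation Admins'
)

function Get-LocalAdminAudit {
    param(
        [string[]]$Approved = $ApprovedAdmins
    )
    # One record per member of the local Administrators group, with where the
    # principal comes from (Local, ActiveDirectory, MicrosoftAccount, ...) and
    # whether it is on the allow-list. -contains is case-insensitive.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            ObjectClass = $_.ObjectClass
            Source      = $_.PrincipalSource
            Approved    = ($Approved -contains $_.Name)
        }
    }
}

# Record whether this very session is elevated: an elevated interactive shell
# is exactly the situation least privilege is meant to avoid for daily work.
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = [Security.Principal.WindowsPrincipal]$identity
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as $($identity.Name); elevated: $isElevated"

$audit = Get-LocalAdminAudit
$audit | Sort-Object Approved, Name | Format-Table -AutoSize

$unapproved = @($audit | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning "$($unapproved.Count) account(s) hold local admin rights without approval:"
    $unapproved | ForEach-Object { Write-Warning "  $($_.Name)" }

    # Dry run of the remediation. Remove -WhatIf to actually demote the accounts
    # (this part needs an elevated session and should follow your change process).
    $unapproved | ForEach-Object {
        Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name -WhatIf
    }
}
```

Run it across a fleet (for example through a scheduled task or remoting) and the per-host output gives the inventory of admin users that the article says most companies lack; the Source column separates local accounts, which local admins can create for themselves, from domain group memberships that are controlled centrally.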
