Tag Archive for Security

BYOD Notes

90% of Employees Use Personal Devices for Work

A survey by DELL Kace (DELL) found IT managers feel they lack the necessary tools to properly manage BYOD personal devices. In the study, IT managers revealed they are unable to effectively protect corporate data and intellectual property or ensure compliance. Help Net Security says key survey findings include:

  • 87% of companies have employees that use a personal device for work including laptops, smartphones and tablet computers.
  • 82% cited concerns about the use of personal devices for business purposes
  • 64% revealed they are not confident that they know of all personal devices being used for business purposes
  • 62% are specifically concerned about network security breaches
  • 60% reported a greater demand for support of Mac OS X since the introduction of the Apple (AAPL) iPad and iPhone
  • 59% reported that personal devices have created the need to support multiple operating systems (OSes)
  • 32% revealed employees use unauthorized personal devices and applications to connect to their network

On the governance side:

  • 88% said they believe it is important to have a policy in place to support personal devices, and another 62% revealed their organization lacks the necessary tools to manage personal devices.

“It’s absolutely essential that IT teams deploy a strategy that provides end-to-end management capabilities on a variety of operating systems to effectively protect networks and address the consumerization and personalization of IT,” said Rob Meinhardt, general manager and co-founder of Dell KACE.

Security Monitoring for BYOD Environments

Unlike other BYOD security solutions that force organizations to install software on every new device, Lancope’s StealthWatch System provides security for any device entering the network without installing more software on the device or deploying expensive probes. Help Net Security reports that StealthWatch performs behavioral analysis on flow data from existing infrastructure to deliver end-to-end visibility and security across an organization’s entire network.

NetFlow data is already exported by network infrastructure devices to record network and host activity. Since NetFlow is already available in most network equipment, it provides a cost-effective tool for monitoring mobile devices. The article says flow-based monitoring can uncover external attacks like botnets, worms, viruses or APTs, as well as internal risks such as network misuse, policy violations and data leakage. It can also be leveraged for other efforts, including regulatory compliance and capacity planning, and for ensuring high levels of network and mobile device performance.
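As an added illustration, not code from the article or from Lancope's product, here are three of the simplest checks a flow collector can run over exported flow records, using constructed sample flows and an assumed 10.0.0.0/8 internal range: fan-out from one host to many external hosts (worm or scanning behaviour), large outbound volume to a single external host (possible data leakage), and egress on ports outside an allow-list (policy violation).

```python
"""Flow-based anomaly checks over constructed NetFlow-style records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address range

# Constructed sample flow records, not real telemetry: (src, dst, dport, bytes)
FLOWS = [
    ("10.0.1.5", "203.0.113.10", 443, 12_000),
    ("10.0.1.5", "203.0.113.10", 443, 9_500),
    ("10.0.1.7", "198.51.100.2", 443, 400_000_000),
    ("10.0.1.7", "198.51.100.2", 443, 450_000_000),  # ~850 MB to one host
    ("10.0.1.9", "10.0.2.1", 445, 4_000),             # internal SMB, ignored
    ("10.0.1.9", "203.0.113.20", 6667, 900),          # IRC port to the outside
] + [("10.0.1.12", f"192.0.2.{i}", 80, 300) for i in range(1, 41)]  # 40 dests


def is_external(ip):
    return ip_address(ip) not in INTERNAL


def external_fanout(flows, min_dsts=25):
    """Internal hosts that touched at least min_dsts distinct external hosts."""
    dsts = defaultdict(set)
    for src, dst, _, _ in flows:
        if not is_external(src) and is_external(dst):
            dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_dsts}


def outbound_volume(flows, threshold=500_000_000):
    """Internal->external pairs whose summed bytes exceed the threshold."""
    total = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if not is_external(src) and is_external(dst):
            total[(src, dst)] += nbytes
    return {pair: b for pair, b in total.items() if b > threshold}


def policy_violations(flows, allowed_ports=frozenset({80, 443})):
    """Internal->external flows on ports outside the egress allow-list."""
    return [(s, d, p) for s, d, p, _ in flows
            if not is_external(s) and is_external(d) and p not in allowed_ports]
```

Real deployments tune the thresholds per network segment and baseline them over time; the fixed numbers here only make the sample flows easy to follow.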

IT is Embracing BYOD

Cisco says that IT is accepting, and in some cases embracing, “bring your own device” (BYOD). Help Net Security reports that the networking giant found that the pros and cons associated with allowing employees to use their own mobile devices on their employers’ networks have become a reality in the enterprise.

The Cisco (CSCO) study BYOD and Virtualization (PDF) found most enterprises are now enabling BYOD.

  • 95% of responding firms permit employee-owned devices in some way in the workplace.
  • The average number of connected devices per knowledge worker will grow from 2.8 in 2012 to 3.3 by 2014.
  • 76% of IT leaders surveyed categorized BYOD as a positive for their companies and challenging for IT.

The survey says employees are turning to BYOD because they want more control of their work experience:

  • 40% of respondents cited “device choice” as employees’ top BYOD priority (the ability to use their favorite device anywhere).
  • Employees’ second BYOD priority is the wish to do personal activities at work, and work activities during personal time.
  • Staff wants to bring their own applications to work: 69% of respondents said that unapproved applications, especially social networks, cloud-based email, and instant messaging, are more prevalent today than two years ago.
  • Employees are willing to invest to improve their work experience. Cisco employees pay an average of $600 out of pocket for devices that give them more control over their work experience, the report says.

The article says these findings underscore that BYOD is here to stay. Managers now acknowledge the need for a more holistic approach, one that is scalable and addresses mobility, security, virtualization, and network policy management, to keep management costs in line while providing an optimal experience and realizing savings where possible.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Credit Agency Trawls Facebook

GigaOm has an article that documents the efforts by Schufa, the largest credit rating firm in Germany, to mine data from the Facebook (FB), LinkedIn (LNKD), and Twitter accounts of its customers. David Meyer cites documents leaked to German media showing that the firm, whose slogan is “We Build Confidence,” would use the information “to identify and evaluate opportunities for and threats to the company.”

“It cannot be that social networks are systematically scoured for sensitive data, resulting in credit ratings of customers,” said consumer protection minister Ilse Aigner.

rb-

Get over it.

I wrote about firms like RapLeaf mining social networks for employers and banks back in 2010. What is surprising to me and Mr. Meyer is that this latest social network mining operation comes out of Europe, and especially Germany, a country where most people are very conscious of data protection concerns.

This goes back to the internet-age-old issue of privacy. Where is the line between public and private, and is it different for some groups than for others? Do the NSA, CIA, MI5, and whoever else is listening get different access to data than RapLeaf, Apple (AAPL), Facebook, and Twitter?

Just because the info is out there, public by default, do they have the right to use it?

On the other hand, users of Facebook and Foursquare happily tie their credit cards to these accounts, post status updates, and check in to places for the world to see.

Maybe we are just getting what we deserve.


Attackers Attack Emerging Technologies

Help Net Security reports that attackers continue to focus on social engineering attacks and on circumventing legacy enterprise security systems, according to a recent report by Zscaler. The Sunnyvale, CA-based firm reported shifts in the sources of enterprise web traffic, and noted that some popular sites are attempting to improve user security. Here are some of the top findings detailed in the report:

  • Local apps are generating more direct HTTP and HTTPS traffic.
  • Not all web traffic comes from browsers, and as this traffic shifts, web threats have a new attack vector.
  • Internet Explorer 6 is on the decline in the enterprise. While this mitigates the security risks of the old browser platform, it could lead to a shift in attacks.
  • Google (GOOG) is actively attempting to thwart search engine optimization (SEO) spam and fake AV attacks, the topmost Internet threats today. However, most users remain exposed to these threats.
  • More sites, like Facebook (FB) and Gmail, are moving to HTTPS delivery. This is good for preventing sidejacking, but it also gives savvy attackers a way to bypass traditional network-based security controls like IDS/IPS, which cannot decrypt traffic for inspection.

“Attackers know the limits of traditional security solutions,” says Michael Sutton, VP of Security Research at Zscaler. “But they are also very good at taking advantage of emerging technologies and new vectors for attack. Standalone user applications, social engineering attacks, and the move to HTTPS all have the potential to introduce new threats. Now more than ever, enterprise security solutions must inspect traffic in real-time, all the time, regardless of source, to provide true protection.”

rb-

I have covered IoT for a while here and here. I wrote about the big sites moving to HTTPS a while ago here and even wrote about HTTPS Everywhere here. And I am sure I don’t cost as much as an engagement with these firms.


Bad Day at LinkedIn

It’s been a bad day for LinkedIn (LNKD). LinkedIn users have been the victims of two security and privacy blunders on the same day. First, the LinkedIn mobile app for iOS devices is sending potentially confidential private and business information to the company’s servers without the users’ knowledge.

Help Net Security reports that security researchers Yair Amit and Adi Sharabani at Skycure Security identified the security hole. According to the researchers, the security flaw involves calendar syncing, which collects data from all the calendars (private and corporate) on the iOS device.

“The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes,” the researchers point out in the article. “…this information is collected and transmitted to LinkedIn’s servers; moreover, this action is currently performed without a clear indication from the app to the user, thus possibly violating Apple’s privacy guidelines.”

The first response from LinkedIn’s spokeswoman Nicole Perlroth appears to minimize the issue and blame the users for the privacy breach: she told Help Net Security that the feature is opt-in, and said nothing about whether the company will update the app to stop this privacy snafu from happening in the future. (It looks like LinkedIn updated the app and broke it, according to reviews in the Apple App Store.) This was reinforced by Joff Redfern, Mobile Product Head at LinkedIn, who also pointed out on the LinkedIn blog that the information-harvesting feature is opt-in. He claims that the information collected is not stored or shared. LinkedIn did change the LinkedIn app for Google (GOOG) Android so it no longer sends calendar data from Droids to LinkedIn. There was no information in the article on whether LinkedIn plans to change the Apple iOS app.

But wait it gets worse…

LinkedIn also lost 6.5 million accounts today. They were, however, found on a Russian forum. LinkedIn has confirmed on its blog that there are “compromised accounts.” Cameron Camp, Security Researcher at ESET, commented on the leak for Help Net Security:

“The difference with this hack … is that people put their REAL information about themselves professionally on the site not just what party they plan on attending, ala Facebook and others … mess with somebody’s professional profile, and you’re messing with their life, and their contacts know about it.”

rb-

I wrote about the value of different credentials here and here.

I am wondering about the timing of the two security problems for LinkedIn. Could they be related? Were attackers using the Apple iOS app as an attack vector? After all, we know that Apple loves to collect personal info on its customers.

What happened here?

Action Items:

  • Toggle off the “Add Your Calendar” option in the Sync Calendar feature of the LinkedIn app on your Apple iOS devices.
  • Immediately change your LinkedIn password and the password of any account that shares the same password.
  • Be on the lookout for phishing campaigns that might leverage the incident.

Securely Shred Unnecessary Files

Organizations often hold on to files that are no longer needed. Help Net Security points out that these records take up valuable storage space and cost money that could otherwise be saved. Adhering to a retention schedule helps businesses run more efficiently and save time, money, and space.

“While it may seem easier to keep everything, this is actually a losing strategy,” Sarah Koucky, Senior Director of Security and Compliance for Cintas Document Management, told the blog. “Saving unnecessary records costs both time and money. By setting retention schedules and policies, organizations will remain compliant with government regulations and can expedite the destruction of outdated records to ensure a clutter-free system.”

The author provided the following retention schedule as a general recommended guideline for certain files and documents. Consult your legal advisor for specific retention schedules for your business and records.

  • Accounts payable – 7 years
  • Accounts receivable – 7 years
  • Audit reports – Permanent
  • Bank reconciliations – 3 years
  • Bank statements – 7 years
  • Canceled checks – 7 years
  • Electronic payment records – 7 years
  • Employee files (ex-employees) – 7 years
  • Employment applications – 3 years
  • Employment taxes – 7 years
  • Expense reports – 7 years
  • Financial statements (annual) – Permanent
  • Insurance policies – Permanent
  • Leases/Mortgages – Permanent
  • Loan payment schedules – 7 years
  • Payroll/Labor records – 7 years
  • Purchase orders – 7 years
  • Sales records – 7 years
  • Tax returns – Permanent

It is important to safely and securely dispose of all documents that are no longer needed. With identity theft and data breaches on the rise, doing so protects confidential information from falling into the wrong hands, according to the article.

Many organizations use a secure shredding service that destroys business documents on-site on a scheduled basis. The author says these companies place secure storage containers in an accessible and identifiable location to make it safe and convenient for all employees to properly shred documents.

In addition, Help Net Security indicates that businesses with a large volume of records that have long retention periods but limited space can consider an off-site storage and imaging provider. This frees up space and ensures that all electronic and physical records live in a secure environment. All documents can be retrieved on demand and properly destroyed if required.

rb-

I had a conversation with a client the other day about electronic and physical document retention. The client was blasé about a policy until we started to talk about FOIA and eDiscovery and the fact that if they had the documents, they would have to produce them for the courts. While I am not a lawyer, I have been told that if there is a policy in place and enforced prior to a request to produce a document, the courts will recognize the fact that the document is not available.

Now if you look at what the State of Michigan requires K-12 to keep (PDF), some documents have to be kept for 30-50 years and others have to be permanently retained. This can certainly create real estate as well as technical challenges.

Can these required documents be stored electronically? What happens when technologies change? In case you didn’t notice, the floppy drive is dead. I noted its passing here. The UK’s National Archives says (PDF) that USB drives and CD-Rs are the least reliable long-term storage media. They recommend LTO, but which version: 1, 2, 3, 4, or 5? This locks you into a single backup server software product.