In a recent announcement SAP says it will ‘push all useful data to mobile devices’. Good news… but not entirely unexpected: the smartphone of today is just as powerful as the laptop of yesteryear and much easier to carry. However, security and usage policies for these devices are sorely lacking in enterprises of all sizes.
I wrote previously on keeping up with the user and what they install on their smartphones; this just emphasises the point further. If all data is available, even that from the heart of the data-centre, then the security should be as strong as that you usually have for the data-centre: policies for appropriate usage, data-loss prevention and anti-malware, to name a few. Remote device management, including remote wipe, should be considered, as should encryption for the device and any removable media (memory cards).
The data-centre has arrived in your pocket… but does the CIO/CISO realise it… and if they do, have they done anything to protect it… yet?
With the news that a couple of Android apps have been pulled because they misrepresented their purpose (they were used as research, duping users into downloading and installing them, to see if people would), it raises an(other) interesting question for IT departments around applications, mobile devices and keeping up with the user.
While companies have been getting stricter about what can and cannot be installed on corporate laptops, the same is not true of smartphones. There are now tens of thousands of apps for iPhone and Android phones, and while they do have to go through an approval process, it won’t be your corporate one.
I have recently been involved in writing security policies for a number of companies, and the need for up-to-date policies coupled with a suitable education programme becomes very apparent. Technology is moving rapidly and care needs to be taken to protect corporate data wherever it is and however it is accessed. Updates to policies are worthless if they are not effectively communicated, and this is a case in point: updating the policy on downloading apps won’t stop people from doing it if they don’t know about it. If you have technology to prevent inappropriate apps from being installed on smartphones, great; if not, then you need to remind staff of the dangers of just downloading and installing apps from the web.
Cyber criminals go after the low-hanging fruit and the smartphone is just that: a simple way into a person’s life and potentially the corporate network.
We have been talking about Information Security for a few years now, but with the changes in legislation earlier this year that mean you can incur fines of up to £500K, it’s time to look beyond the reactive and towards the proactive. Time to move from Information Security to Information Assurance.
So why Information Assurance rather than just Information Security? Businesses rely on information, and most realise that accurate, available and appropriately shared information is key to growing a business. Conversely, missing or inaccurate information in the wrong hands will damage the business and potentially the business’ reputation.
From a security perspective, only the security of the information and systems is taken into account. Data-loss prevention and all the now commonplace measures to prevent loss, coupled with endpoint and datacentre security strategies, enable companies to ‘tick the box’. Reporting and auditing are key for this to be provable, so that information is kept safe and the newspapers and legislators held at bay. Assurance is all this, and more. Information assurance is about assessing the business’ ability to keep the information safe, accurate and available to the right people at the right time. It’s about developing a shared understanding across all areas of the business as to how information is used, and it’s about improving the information available according to business priorities.
As we start to move out of recession, but while the purse strings are still being tightly held, it is time to revisit information strategies and look at how information can be used more effectively to drive the business. New rapid assessment services are starting to appear which can build on your information security policies and turn them into information assurance ones.
No, this isn’t a comment on the minimum wage: £6 ($8.94) is the cost of renting a botnet for an hour! The hourly rate falls further if you rent it for 24 hours. Just what can you do with a botnet? Well, they come with a number of services, most of which are aimed at taking down a legitimate site with various flooding attacks, including ICMP, SYN and HTTP.
So, how many machines are in a botnet? Mariposa had 12.7 million PCs, which is a lot of computing power no matter how you measure it. Many of them were company machines.
The problems with botnets have not diminished: vigilance is needed across the IT estate, and if you are allowing home/personal PCs to be used to access corporate networks (the consumerisation of IT) then a strategy should be in place to ensure that none of them contribute to a botnet and the problems they create.
In Germany this week, a court ruled that wireless routers need to be password-protected; failure to do so can result in a fine of 100 Euros. In essence, if your wireless network is unprotected, then someone could use it to download and abuse copyrighted material, and that is your fault for not protecting your network.
The required password strength is not defined… and if you really wanted to download stuff using someone else’s wireless network, a trip to a coffee shop would be much quicker than war-driving down a street.
While I keep my home wireless network secure, Bruce Schneier has an interesting perspective on keeping it open. The choice in the UK is still up to you…
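The SYN and ICMP floods mentioned above leave a recognisable footprint in flow records: many TCP flows from one host that carry a SYN and nothing else, or a stream of ICMP echo requests, all aimed at one destination. The following is an added example (not code from the original post) that runs a simple detector over constructed, NetFlow-style records and reports both the target being hit and the internal hosts taking part, which is what you would need to find the PCs contributing to a botnet. The record layout, the 10.0.0.0/8 corporate range, the addresses and the thresholds are all assumptions.

```python
"""Added example, not code from the original post: a small SYN/ICMP flood
detector run over constructed NetFlow-style records. Record layout,
addresses and thresholds are assumptions made for the illustration."""
from collections import Counter
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate address space


def make_flows():
    """Construct sample flow records (hypothetical data, NetFlow-like fields)."""
    flows = []
    # A normal browsing host: a handful of completed HTTP connections.
    for sport in range(40000, 40006):
        flows.append(dict(proto="tcp", src="10.0.0.5", sport=sport,
                          dst="198.51.100.7", dport=80, flags="SPAF", pkts=12))
    # A host sending only SYNs from ever-changing source ports: half-open flood.
    for sport in range(50000, 50200):
        flows.append(dict(proto="tcp", src="10.0.0.23", sport=sport,
                          dst="203.0.113.10", dport=80, flags="S", pkts=1))
    # A host hammering the same target with ICMP echo requests (type 8).
    for _ in range(150):
        flows.append(dict(proto="icmp", src="10.0.0.77", sport=0,
                          dst="203.0.113.10", dport=0, icmp_type=8, pkts=40))
    # A few stray SYNs from a legitimate host (retries), well under threshold.
    for sport in range(41000, 41003):
        flows.append(dict(proto="tcp", src="10.0.0.9", sport=sport,
                          dst="203.0.113.10", dport=443, flags="S", pkts=2))
    return flows


def is_half_open(flow):
    """TCP flow that only ever carried a SYN: the handshake never completed."""
    return (flow["proto"] == "tcp" and "S" in flow["flags"]
            and not set("AFR") & set(flow["flags"]))


def is_icmp_echo(flow):
    """ICMP echo request; exporters usually expose the type separately."""
    return flow["proto"] == "icmp" and flow.get("icmp_type") == 8


def flood_counts(flows):
    """Count suspicious traffic per (src, dst, kind): SYN-only flows are
    counted per flow, ICMP echo by packet volume."""
    counts = Counter()
    for f in flows:
        if is_half_open(f):
            counts[(f["src"], f["dst"], "syn")] += 1
        elif is_icmp_echo(f):
            counts[(f["src"], f["dst"], "icmp")] += f["pkts"]
    return counts


def detect(flows, syn_threshold=100, icmp_threshold=1000):
    """Return {src: [(dst, kind, count), ...]} for internal sources whose
    suspicious traffic to one destination exceeds the threshold. Only
    internal sources are reported, as those are the machines you can clean."""
    findings = {}
    for (src, dst, kind), n in flood_counts(flows).items():
        limit = syn_threshold if kind == "syn" else icmp_threshold
        if n >= limit and ip_address(src) in INTERNAL:
            findings.setdefault(src, []).append((dst, kind, n))
    return findings


def targets(findings):
    """Destinations under attack, with the number of internal hosts involved."""
    hit = Counter()
    for hits in findings.values():
        for dst, _, _ in hits:
            hit[dst] += 1
    return dict(hit)


if __name__ == "__main__":
    found = detect(make_flows())
    for src, hits in sorted(found.items()):
        for dst, kind, n in hits:
            unit = "flows" if kind == "syn" else "packets"
            print(f"{src} -> {dst}: {kind} flood, {n} {unit}")
    print("targets:", targets(found))
```

Two hosts, 10.0.0.23 and 10.0.0.77, show up as contributors against 203.0.113.10, while the browsing host and the one with three SYN retries do not. In practice the thresholds should be tuned per environment and expressed per time window, and the same idea extends to HTTP floods by counting requests per source at the web tier.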
I was on a train yesterday and couldn’t help but overhear a conversation that went something like this…
“He’s sent me the mortgage details on email… could you get them for me and tell me what it says?”
“Sure, I use XXX, my username is YYY and my password is ZZZ.”
Good grief… I thought everyone knew that you were supposed to keep usernames and passwords ‘secret’. Evidently not. Of course this is the basic problem: people are trying to do something important to them, and are not thinking about security.
There are instances where sharing confidential information is required, and when in ‘work’ mode people (sometimes) think twice about who can overhear; but move into a non-work mindset and common sense disappears. In this instance it would have been better to have waited until they could check their email themselves, or until they could find somewhere more private to speak, or even to have sent the details by SMS (ideally split across more than one text). In fact anything would have been better than shouting the details on a crowded train.
Oh well… it serves as a good reminder to us all to think twice when dealing with confidential information, especially in public places. Cyber-criminals are not fussy about how they obtain the information they need; the easier, the better.
PS: As I left, a quiet word to the person on the train suggesting that changing their password would be a good idea, as everyone in the whole carriage now knew it, seemed a reasonable thing to do. Of course whether they do it or not… time will tell.
Football star David Beckham is the latest victim of a worrying scam by online fraudsters using the popular social networking phenomenon, Twitter, as a vehicle for spam advertising.
According to Candid Wueest, senior threat researcher at Symantec, the fraudsters create a fake Twitter account, often in the name of a celebrity, and then attempt to become followers of legitimate Twitter account holders.
“In this case, the false David – an online Chinese retailer – followed over a thousand accounts with a single common link – the account name contains the word ‘candid’.
“The credibility of the fake account is bolstered by other fraudulent accounts linking back to it and by cross-following legitimate Twitter accounts, which have been hacked,” he says.
Wueest confirms that this type of malicious activity is fast becoming common practice and adds that the rogue tweets often include short links pointing to infected websites.
“This proves that spammers are keeping abreast of new technologies. Twitter users are advised to carefully check out the details of all prospective followers and never to respond to ‘suspicious’ direct messages,” he says.
Peter G Rae
InfoSec closed yesterday and it has been an interesting show. There were, as predicted, quite a few iPads being given away as prizes; I didn’t manage to win one… next time maybe?
Mobile was the hot topic, with lots of products out there to deal with the issues around securing these pesky devices, which are as powerful as laptops but easier to lose than a wallet. I have a feeling that it will take a specific breach event to drive the buying cycle; time will tell.
There was also a whole load of disk crunchers. A couple of years ago I wrote of one company, Secure I.T. Disposals Limited, who crunched disks; it was good to see them still there, but there were a whole load of others as well, from ones that crunch out the centre spindle to degaussing systems. ‘Hard’ data disposal is a big issue, and there are an increasing number of solutions to hand.
It was also good to see that ‘security’ now means more things to more people: smaller network companies were there along with large numbers of secure storage vendors intermingled with the security vendors. Universities seemed to be back to having a bigger presence, as were a number of small innovative companies displaying their new ideas and products. The one thing that seems to have taken a bit of a back seat was ‘the cloud’. Last year you couldn’t move for cloud stuff; this year, while it was around, the emphasis had changed and mobile dominated.
I wonder what the buzz will be next year…
The keynotes and education programme are looking as strong as ever and mobile seems to be the top topic. Since moving to Earls Court last year the space for the exhibitors is much improved, and with 300+ companies there, there will be plenty to think about. Security is as old as the hills, but there are new ways to approach old problems, and as businesses turn to ‘the cloud’ and mobile devices proliferate (I wonder how many iPads will be stand draw prizes?) new solutions need to be found.
See you there.
So, I was one of the tens of thousands who were stuck overseas due to the now infamous volcanic ash cloud. I got back at the weekend after an uneventful trip; ok, so it was a week later than expected, but it all worked out. However… while away I started to receive interesting SMS messages from my bank, but from different numbers! In essence they were offering to increase overdraft limits to help me cover any costs while stranded. Or were they…
As with the post on credit card companies, the problem is not who you are (hopefully you know), but who is purporting to be on the other end of the phone. Was it really my bank, or some enterprising cyber-criminals making the most of a bad situation? In this case it could well have been both: one genuine message and then several copycat ones. There was no indication that they even knew who I was; no personalisation in any way.
So… the moral of the story remains the same: if someone contacts you and says they are from the bank or a credit card company, a little healthy paranoia is a good thing. Take their name and department and say you will call them back on a number you already have. Take your bank’s main number on holiday, preferably not the ‘freephone’ one as that probably won’t work abroad. And of course don’t use numbers given in text messages or any they may give you…