The dog days are over – time to change those pet-based passwords

Siân John

It seems that not a week goes by without the media reporting another instance of a data breach. More often than not it is users’ passwords that have been compromised. Given that a password is very often the last line of defence against an intrusion into our personal data, the risk that this presents cannot be overstated.

If it’s not organisations being hacked or inadvertently giving up people’s passwords, it is individuals themselves that are at fault. It was only recently that U.S. Presidential candidate Mitt Romney had his email account breached by someone who simply guessed the name of his favourite pet to access his account.

Hackers are always looking to develop new and innovative means of breaking into our personal data. Therefore, it is up to us as individuals to make this task as difficult as possible for them. We all ultimately have the responsibility of providing a worthwhile deterrent to those who would attempt to gain unauthorised access into our accounts, with a view to exploiting our information. At its heart, this is a battle between them and us, and it is our job to outmanoeuvre them, ensuring they do not gain access to our personal accounts.

Having a weak password makes life easy for them and essentially frees up their time to go on intruding on many more accounts. So it’s important that we give serious thought to the passwords we use, veering away from the more obvious choices such as birthdays, pets, favourite sports teams and other topics close to our hearts. The more obscure, unusual and unrelated to us a password is, the harder it will be for a hacker to break. Combining numbers and letters provides additional complexity, as does changing the case of the characters. Avoiding writing down passwords and changing them at regular intervals will also bolster our protection from cyber criminals.

At best, a weak password is tempting fate, and at worst, it is a welcome sign to criminals looking for easy access to our personal information. Make sure you do all you can to protect yourself from this threat.

Sporting Events, Your Employees and Web Policies

Martin Lee

The sports sections of newspapers are a must-read for many people. Keeping up to date with the latest results is very important for some, and during major sporting events it is something in which almost everyone takes an interest. The internet has dramatically increased the desire for the latest news and commentary, allowing individuals unprecedented and timely access to such information wherever they are able to connect to websites.

Today’s hyper-connected world presents a widely discussed concern to businesses – the challenge of maintaining business productivity as employees spend their working time reading sports pages or checking the latest scores. However, I believe a greater risk to businesses is the amount of bandwidth that may be consumed by watching live video streaming of sporting events on corporate networks, possibly by connecting personal mobile devices to a corporate network.

This may be enough to consume the entire internet connection and interfere with legitimate network activity. With a summer of sport imminent, companies need to consider just how much bandwidth may be consumed by high definition video streaming websites, and how employee behaviour may change during the event.

The provision of video streaming has changed massively over the past four years, so previous experience may not be comparable with what we can expect this summer. The Rugby World Cup of October and November 2011 may have less mass appeal than the forthcoming events, but as an international sporting event it may provide an indication of the demand for sports information and the use of streaming video.

The Symantec Web Security.cloud service blocks classes of websites according to the acceptable use policies of corporate customers. The logs of refused access, recording users attempting to visit blocked categories of websites, can be thought of as a measure of how employees in general use the internet.

The number of logged refused attempts to visit video streaming websites during the opening week of the Rugby World Cup provides some interesting clues regarding employee web usage. There is a clear periodicity, with the number of blocks higher during the working week of Monday to Friday than at the weekends. There is also a clear peak in the number of blocked attempts to access video streaming websites on Friday 9th September, the day of the opening match of the World Cup.

Figure 1. Relative increase in recorded web blocks for video streaming websites, 1 Sep 2011 – 16 Sep 2011.

The number of refused attempts at video streaming access on Friday, 9th September is 53% higher than on the preceding Friday. Although some of this increase may be due to single individuals repeatedly trying to access video streaming in frustration, it only takes six people watching streaming video to saturate an 8 megabit internet connection. If we consider that each user watching streamed video consumes 1.5 megabits per second of internet bandwidth, a 90 minute football match represents 1 gigabyte of data!

Sport related websites also show a clear increase in the number of blocks over the opening weekend of the Rugby World Cup, beginning on September 9th.

Figure 2. Relative increase in recorded web blocks for sport websites, 1 Sep 2011 – 16 Sep 2011.

The Friday to Monday period before the opening of the World Cup, compared with the same time frame one week later coinciding with the opening matches, shows a 35% increase in blocked attempts to access sport websites.
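The log analysis this post describes, as an added example (not Symantec's or Web Security.cloud's own code, using a hypothetical four-field log layout and constructed lines): count refused accesses per day and category, compare a day with the same weekday one week earlier, separate working days from weekends, and size the bandwidth figures from the paragraph on the 9th September peak.

```python
"""Aggregate web-filter block logs and size event bandwidth. Added example,
not Symantec's code; log layout is hypothetical and the lines are constructed."""
import math
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample lines: "<YYYY-MM-DD> <user> <category> <action>".
SAMPLE_LOG = """\
2011-09-02 alice video-streaming BLOCKED
2011-09-02 bob video-streaming BLOCKED
2011-09-02 carol sport BLOCKED
2011-09-02 dave sport BLOCKED
2011-09-02 erin news ALLOWED
2011-09-03 dave video-streaming BLOCKED
2011-09-09 alice video-streaming BLOCKED
2011-09-09 bob video-streaming BLOCKED
2011-09-09 frank video-streaming BLOCKED
2011-09-09 alice sport BLOCKED
2011-09-09 bob sport BLOCKED
2011-09-09 carol sport BLOCKED
2011-09-09 dave sport BLOCKED
this line is malformed and must be skipped
"""
OPENING_DAY = date(2011, 9, 9)  # opening match of the Rugby World Cup


def parse_blocks(log_text):
    """Count BLOCKED lines per (day, category); other actions and malformed lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        day, _user, category, action = parts
        if action != "BLOCKED":
            continue
        try:
            counts[(date.fromisoformat(day), category)] += 1
        except ValueError:
            continue  # unparseable date field
    return counts


def week_on_week_increase(counts, day, category):
    """Percentage change in blocks versus the same weekday one week earlier.
    Returns None when there is no baseline to compare against."""
    baseline = counts[(day - timedelta(days=7), category)]
    current = counts[(day, category)]
    if baseline == 0:
        return None
    return round(100.0 * (current - baseline) / baseline, 1)


def weekday_weekend_means(counts, category):
    """Mean daily blocks on working days versus weekends, exposing the
    Monday-to-Friday periodicity the post describes."""
    per_day = defaultdict(int)
    for (day, cat), n in counts.items():
        if cat == category:
            per_day[day] += n
    weekday = [n for d, n in per_day.items() if d.weekday() < 5]
    weekend = [n for d, n in per_day.items() if d.weekday() >= 5]
    mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return mean(weekday), mean(weekend)


def streams_to_saturate(link_mbps, per_stream_mbps=1.5):
    """Smallest number of concurrent streams that fills the link."""
    return math.ceil(link_mbps / per_stream_mbps)


def gigabytes_per_match(minutes=90, per_stream_mbps=1.5):
    """Data transferred by one viewer over a match, in decimal gigabytes."""
    return minutes * 60 * per_stream_mbps / 8 / 1000


if __name__ == "__main__":
    counts = parse_blocks(SAMPLE_LOG)
    for cat in ("video-streaming", "sport"):
        print(cat, "week-on-week %:", week_on_week_increase(counts, OPENING_DAY, cat))
    print("weekday/weekend mean video blocks:", weekday_weekend_means(counts, "video-streaming"))
    print("streams to fill 8 Mbit/s:", streams_to_saturate(8))
    print("GB per 90-minute match:", gigabytes_per_match())
```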

These increases in the number of attempts to access websites blocked by local acceptable use policies show that major sporting events can be a major distraction for employees. They also raise the question of whether acceptable use policies are, by themselves, a deterrent to visiting non-work related websites, and whether a robust means of enforcing such policies needs to be put in place to ensure compliance.

A permanent and total ban on visiting video streaming and sport websites may not be necessary or appropriate. A partial or temporary block during major events may be all that’s required to protect networks and productivity. Employers and security officers need to be aware of the distraction of major sporting events, while keeping front of mind that it’s not just productivity that is impacted. The amount of internet bandwidth that may be consumed by employees watching sport video streams also needs to be at the top of a business’ agenda as our nation enters its long anticipated summer of sport.

Preparing for the unexpected

Jay Epton

Our latest Symantec 2012 SMB Disaster Preparedness Survey found that SMBs are increasingly planning and implementing virtualisation, cloud computing and mobility – a strategic IT trend we typically associate with larger enterprise businesses.

It seems that SMBs are becoming more aware of the threat that a break in business could pose to the company and, as a result, are turning to new technologies to help them prepare for unforeseen circumstances which might disrupt their business performance.

So what are the threats that SMBs face? Well, they can be hit with any number of incidents which could disrupt operations, ranging from natural disasters like floods or fires to common theft or damage of computer and mobile hardware. In these circumstances, companies will find themselves desperate to resume normal operations as soon as possible to prevent loss of business, reputational harm and, pertinently, any negative impact on long term prospects.

It is also at this point that those without a plan in place, and just as importantly without concrete measures designed to mitigate any problems that occur, could find themselves in trouble. Smaller organisations simply cannot afford to experience any significant periods of downtime, and so the ability to recover quickly and return to full capacity is of paramount importance.

Cloud computing is proving particularly popular among SMBs, with 40% deploying public clouds and a similar number (43%) implementing private clouds. Over a third (35%) are taking advantage of mobile devices for business use, and 34% are looking towards virtualisation.

To help you manage best practice for disaster preparedness, we’ve pinpointed a few key recommendations that should help you to stay in control:

- Businesses should start planning now for potential business disruption, rather than waiting and being caught unaware. Now is the time to begin evaluating which technologies would work best with your particular type of business.

- Focus on implementing strategic technologies. For instance, adopt integrated cloud backup for offsite storage and disaster recovery, and automated physical to virtual (P2V) backup conversion so you can recover your physical system to a virtual machine in case of a server failure.

- Ensure that information is protected by using comprehensive security and backup solutions that protect your physical, virtual and mobile systems. You may also consider backing up data saved to the cloud by working with a trusted cloud vendor to utilise the appropriate technology and expertise.

- At least once per quarter you should evaluate your disaster preparedness strategy and test its effectiveness. Can you recover what you need in the timeframe you require? There’s no telling what the future holds, and it’s important to be ready for any event that can result in information loss.

Spam is decreasing. Is it the beginning of the end for e-mail?

Siân John

When was the last time that you received an e-mail offering you a discount on pharmaceutical products? If you are using a corporate e-mail system or one of the larger Internet e-mail providers, the chances are it was a while ago. And yet until recently over 90% of e-mail sent was spam.

This is something that changed last year with spam dropping to only 75% by the end of 2011.

So where did those spammers go? Did they get an attack of social conscience? The evidence would seem to say not. We still saw an increase in the number of attacks and malware variants last year.

What seems to have changed is the mechanism being used to distribute spam and malicious software. There has been a rise in the use of social media to distribute these attacks, as spammers exploit the web of trust that individuals have in social media. After spam awareness campaigns, we are much more likely to click on a link posted by a friend to a social network than to open an attachment in an e-mail. It was inevitable that spammers would target the greater level of trust we have in social networks, but is this shift actually the sign of something greater?

Look at the way a teenager communicates. They rarely use e-mail, instead choosing to communicate through more immediate channels such as instant messaging and social networks. So are we seeing the beginning of the end for e-mail? Is the move of spammers to social media not just a move to exploit an easier target, but a move to a new dominant communication mechanism? It’s certainly going to be interesting to watch this develop over the coming years.

Taming the tablet

Siân John

Without question, the iPad has been the most disruptive piece of technology released for businesses within the last decade. The speed of its uptake has surprised everybody, and its adoption in boardrooms and amongst senior executives has dramatically changed the workplace. In business meetings and conferences across the world an exec will turn up with an iPad, which prompts others attending to feel they should have one as well; they then take their newly acquired iPad to their next meeting, creating an unstoppable purchase cycle.

However, with the recent launch of the new iPad triggering another huge surge in sales, perhaps now is the time to stop and think about the challenges this rapid adoption brings.

Executives no longer just want an iPad as a fashion accessory. They want it to be a practical and functional device, enabling them to work on the move and share this work with colleagues and clients alike. To do this, however, the iPad must connect to corporate email and carry around potentially sensitive documents.

I have been speaking with a number of Information Security departments about the challenges that come with this trend. Many of them said they initially responded to their executives’ requests by saying that, as the iPad is not a supported platform, it simply cannot connect to the corporate network. But this is not a popular response, and they are often asked to “find a way”.

Consumerisation of tablets

This is not to undermine the great achievements of the iPad. Along with other tablets, it has undoubtedly delivered on the promise of a portable device on which users can annotate documents without carrying around bulky paper, or even bulkier laptops. It has also delivered on consumerisation, a key element of which is that users must be self-supporting, which is much easier with tablets than with full desktop systems.

This is why it’s not surprising that time and time again I have the same conversation with companies around the challenges of mobile devices, mobility and ‘bring your own device’. This concern tends to be closely followed by discussions around cloud adoption, as users increasingly turn to backdoor cloud adoption, using file-sharing services to put documents on their unsupported tablet devices.

Is there a solution?

There is now a desperate need for businesses to overhaul the approach they are taking to managing corporate IT and Information Security. Instead of having a standard build and a limited set of supported platforms, we now need to look at minimum standards of connection and security controls across multiple platforms.

A primary focus of information security should be how to enable mobile devices and tablets to access the network. Combining the required policy enforcement and control with the usability and performance experience that attracted users to the tablet in the first place will be a careful balancing act for Information Security departments.

The key to this is information-centric security. It is possible to enable access by developing an understanding of what information can go on a device, based upon the user, the location and whether it is a personal or managed device. These are the first steps in protecting sensitive information from risk.

Nobody can deny that the rapid adoption of tablets has created an interesting challenge. But I believe that with the right balance and a can-do outlook, businesses and users alike will reap the benefits that today’s devices can deliver.

Free Wifi: Why do we trust it?

Siân John

Imagine walking along a street on a sunny day. You’re thirsty and, sitting on a table outside a cafe, there is an ice cold, open bottle of beer. Would you pick it up and drink it? Probably not. Most of us would resist the temptation because we don’t know where it’s been or who’s already drunk from the bottle.

Now imagine you walk into a hotel or conference centre. You’re running close to your internet usage limit on your smartphone, but you want to connect your laptop to catch up on emails or carry out some research ahead of a meeting. All is not lost, as you notice there are a number of free and open wifi networks available. Do you connect? Why would you trust this wifi more than the bottle of beer? Do you know where it’s been and who has been using it with any more certainty?

Yet many of us still connect to wifi networks every day. We’re seemingly happy to connect to a friendly or “safe” sounding wifi network, such as a hotel or conference centre name, and work online without ensuring that our communication is protected or encrypted.

This was the exact analogy made by Paul Vissidis at a conference I attended recently. Hackers have always been known to exploit trust, and our willingness to connect to unverified wifi networks is giving them the opportunity to steal passwords and monitor people’s online activity.

Wifi is the easiest, fastest and often the cheapest way to keep ourselves online in a world where we are scared of becoming disconnected. Perhaps because it’s impersonal and online we simply don’t make the same connection. And everyone does it, so surely it can’t be that dangerous?

We are now demanding internet access everywhere, especially as we use mobile devices that constantly need to connect. As we pursue the anywhere, anytime, anyplace drive of cloud based services, we can only expect these threats to increase.

The solution is simple. Users need to be educated that they must either not connect to these networks at all, or ensure they are protected by connecting to a corporate VPN. By following this policy before accessing any sensitive information or browsing from corporate devices, and by checking that any web pages or applications we access run over encrypted links, we can feel more at ease.

So next time you see a free wireless network in a hotel, coffee shop or bar, stop and think before you link.

The true cost of a data breach

Mike Jones

Mike Jones, Symantec, warns organisations about the significant costs associated with data breaches for businesses

Experts predict that by 2020 the UK will have over 25 million new apps, 31 billion connected devices and over 50 trillion gigabytes of data. This means that by 2020 the amount of data we use will have grown to over 35 trillion gigabytes, a 44-fold rise on 2009 figures.

Predicting the future of data growth is relatively easy, but proposing ways of making that data secure is the complicated bit.

Data is extremely valuable to businesses, and a data breach or a loss can be very costly. In fact, recent Symantec research into the cost of a data breach found that the average data or system failure costs UK organisations £1.9 million, or £71 per record.

At a time when businesses in the UK remain economically cautious, data and IP protection is critical, not only if a business wants to remain competitive, but also if it wants to avoid potentially large fines for not complying with data regulation.

It’s important to note that the vast majority of data breaches are preventable, but securing information clearly continues to challenge organisations at all levels.

Symantec’s recent cost of a data breach study shows how companies with information protection best practices in place can greatly lower their potential data breach costs.

Here are some of the key findings from Symantec’s cost of a data breach study:

  • System failures overtook employees as the most common threat to a business’s data. In this year’s study, 37 percent of all data breach cases involved a system failure, up 7 percent on 2009 and the biggest rise of any cause of a data breach. It replaced negligence, which at 34 percent dropped 11 points. Lost or stolen devices and third-party mistakes each fell slightly. Malicious or criminal attacks rose 5 points to 29 percent.
  • Recognition of the risk of insecure mobile devices connecting to company networks jumped to 64 percent. The likelihood of insecure mobile devices, including smartphones and tablet computers, causing a data breach is 84 percent – an increase of 9 percent on 2009. Organisations are recognising this risk, with 64 percent stating mobile device encryption was very important or important, an increase of 13 points from 2009.
  • Lost business ranked as the biggest contributor to overall data breach costs. Recovering customers, profits and business opportunities after data breaches posed the greatest cost hurdles for companies in 2010. Lost business accounted for 48 percent of the total, an increase of 2 percent from 2009. Other contributing factors were costs sustained in the immediate aftermath of the event, such as resetting accounts and communicating with customers (known as ex-post response), at 23 percent, and costs related to detection/escalation at 20 percent.

The Ultimate Combination – Information Protection with Visibility and Audit

Siân John

With access control now covered, it’s time to consider another big issue regarding the adoption of cloud – controlling the information that is sent to the organisation. This creates a particular problem when users are dealing with the challenge of mobile devices as well. If an organisation doesn’t approve personal mobile devices, then users who wish to view personal documents will often use cloud-based file sharing services, such as Dropbox, enabling them to download these documents to their mobile device. This can lead to sensitive data sitting on public cloud services.

With O3 users accessing the Internet via a gateway, it will be possible for Symantec to look at the traffic being sent to and from cloud services, enabling us to develop the next release of O3 and add the ability to protect information being sent to the cloud.

Symantec is planning a new release of O3 at the end of the year which will make it possible to plug this gap. As the traffic passes through O3, we will enable organisations to monitor it against their Symantec DLP policies and, if it breaks company policy, either block the file being uploaded or call PGP encryption. If this call is made, it will seamlessly encrypt the document as it is passed to the cloud service and then decrypt it when it is downloaded. This will ultimately allow the information to be protected when stored in the cloud service, but in a way that is invisible to the user and does not affect their experience.

We will then look at an iOS app to allow these sensitive files to be downloaded to a secure area of the mobile device, where they will remain encrypted and protected. This zone will also be used to facilitate O3 single sign on and allow access to it from mobile applications.

Finally, visibility into cloud access is an area which many have been keen to see developed. With the introduction of the O3 gateway, we will be able to audit which cloud services users are accessing, as well as tracking the policy decisions and configuration made by admins. It will then be possible to feed this information into security incident and event management tools, allowing organisations to see their cloud logs alongside their policy and access logs for internal information. This will be continuously expanded to address the compliance challenges that many have with accessing cloud based applications.

In conclusion, the cloud is ripe, and with O3 it is now possible to take a layered approach. It has been developed to provide an easy to implement and manage cloud gateway that gives organisations control over access to the cloud – directly addressing the biggest issue with the adoption of cloud services.

Gaining Access Control

Siân John

One of the biggest issues with adopting cloud provision is the lack of control over which users have access to remote cloud solutions. With enterprise directories, for example, when an employee leaves or changes roles, updating the server-based directory is easily achieved using the enterprise tools available. However, extend that function to the cloud and suddenly the number of user identities to manage increases exponentially, often requiring different IDs and passwords for different services. In some cases, worryingly, this can lead to escrow problems, with employees leaving an organisation but continuing to have access to sensitive applications and data held and accessed in the cloud.

On the flip-side, users themselves, faced with multiple credentials and needing to remember vast numbers of passwords to log in to all their cloud services, can often find themselves effectively “locked out”. To overcome the issue, employees unwittingly commit the mortal sin of setting the same password across multiple systems. The result? It’s simple – if someone gains access to their password they are exposed in multiple places.

Symantec again took its lead from the enterprise end user in developing O3 to address this very problem. By providing single sign on from the organisation to the cloud, it allows organisations’ IT provisioning teams to connect to existing directories, enabling these to be mapped to policy controlling access to a cloud service. For example, only those in the Sales group can access Salesforce and only those in the Finance group can access NetSuite. However, they won’t be able to do this from mobile devices.

Similarly, employees will be able to log in to the O3 gateway with their corporate credentials and then use this to access the cloud services they need, rather than having to set and remember multiple account details to access many systems.

O3 will fundamentally not only reduce today’s password burden but also counteract the possible exposures businesses are all too often lending themselves to.

Next week: O3 – The Ultimate Combination.

O3 – Control in the cloud

Siân John

Cloud computing has presented both the biggest hype and the biggest promised business opportunities organisations have had in a long time, certainly in the past few years. Now that businesses better understand the benefits of this new technology, they are increasingly looking to cloud services for the business agility and efficiency they now know it to offer. You could say cloud is coming of age and can no longer be ignored.

Likewise, the iPad has presented us with the most disruptive piece of hardware technology released in the last ten years. It has driven the explosion of devices, adding to the list of business tools that boost employee productivity as well as delivering on the consumerisation promise. The adoption of mobility is also driving the move to cloud services, as more and more information compels companies to consider storing, processing and provisioning workloads in the cloud.

The growth of multiple device types such as smart phones and tablets at work indicates an increased acceptance of this new reality by management. The rapid evolution of all these factors, however, has left information security officers with challenges over how to control security, risk and compliance across the new platforms. The traditional security approach of “Just Say No” doesn’t work in this new world, where the business wishes to take these steps to solve valid business and user problems. For this reason we need to find a way to allow information technology and information security to gain more control over this brave new world whilst still allowing for its adoption. Companies at a high level now understand too that a new work order of this kind needs a more encompassing IT support infrastructure.

Taking its lead from the needs of industry, Symantec developed O3 – a new layer of security control for the cloud. It aims to address these issues via a new layer that doesn’t depend upon agents within the device.

Over a series of two View from the Bunker blogs, I will consider the key objectives of O3 and how, by providing and increasing access control, information protection and visibility of traffic to and from the cloud, a layered approach is now possible.

Check back on March 16th to read my next instalment!
