Spam is decreasing. Is it the beginning of the end for e-mail?

Siân John

When was the last time that you received an e-mail offering you a discount on pharmaceutical products? If you are using a corporate e-mail system or one of the larger Internet e-mail providers, the chances are it was a while ago. And yet until recently over 90% of e-mail sent was spam.

This is something that changed last year with spam dropping to only 75% by the end of 2011.

So where did those spammers go? Did they get an attack of social conscience? The evidence would seem to say not. We still saw an increase in the number of attacks and malware variants last year.

What seems to have changed is the mechanism that is being used to distribute spam and malicious software. There has been a rise in the use of social media to distribute these attacks as spammers exploit the web of trust that individuals have in social media. After spam awareness campaigns, we are much more likely to click on a link posted by a friend on a social network than to open an attachment in an e-mail. It was inevitable that spammers would target the greater level of trust we have in social networks, but is this shift actually the sign of something greater?

Look at the way a teenager communicates. They rarely use e-mail, instead choosing to communicate through more immediate channels such as instant messaging and social networks. So are we seeing the beginning of the end for e-mail? Is the move of spammers to social media not just to exploit an easier target but a move to a new dominant communication mechanism? It’s certainly going to be interesting to watch this develop over the coming years.

Taming the tablet

Siân John

Without question, the iPad has been the most disruptive piece of technology released within the last decade for businesses. The speed of its uptake has surprised everybody, and its uptake in boardrooms and amongst senior executives has dramatically changed the workplace. In business meetings and conferences across the world an exec will turn up with an iPad, which prompts others attending to feel they should have one as well, and they then take their newly acquired iPad to their next meeting, creating an unstoppable purchase cycle.

However, with the recent launch of the new iPad triggering another huge surge in sales, perhaps now is the time to stop and think about the challenges this rapid adoption brings.

Executives no longer just want an iPad as a fashion accessory. They want it to be a practical and functional device, enabling them to work on the move and share this work with colleagues and clients alike. To do this, however, the iPad must connect to corporate email and carry around potentially sensitive documents.

I have been speaking with a number of Information Security departments about the challenges that come with this trend. Many of them said they initially responded to their executive’s request that, as the iPad is not a supported platform, they simply cannot connect it to the corporate network. But this is not a popular response and they are often asked to “find a way”.

Consumerisation of tablets

This is not to undermine the great achievements of the iPad. Along with other tablets, it has undoubtedly delivered on the promise to provide a portable device which users can annotate without carrying around bulky paper, or even more bulky laptops. It has also delivered on consumerisation, a key element being that users must be self-supporting, which is much easier with tablets than with full desktop systems.

This is why it’s not surprising that time and time again I have the same conversation with companies around the challenges of mobile devices, mobility and ‘bring your own device’. This concern tends to be closely followed by discussions around cloud adoption, as users increasingly turn to backdoor cloud adoption, using file-sharing services to put documents on their unsupported tablet devices.

Is there a solution?

There is now a desperate need for businesses to overhaul the approach they are taking to managing corporate IT and Information Security. Instead of having a standard build and a limited set of supported platforms, we now need to look at minimum standards of connection and security controls across multiple platforms.

A primary focus of information security should be how to enable mobile devices and tablets to access the network. Combining the policy enforcement and control requirements that are required, whilst providing the usability and performance experience that attracted users to the tablet in the first place, will be a careful balancing act for Information Security departments.

The key to this is information-centric security. It is possible to enable access by developing an understanding of what information can go on a device, based upon the user, and also assessing the location and whether it is a personal or managed device. These are the first steps in protecting sensitive information from risk.

Nobody can deny that the rapid adoption of tablets has created an interesting challenge. But I believe that with the right balance and a can-do outlook, businesses and users alike will reap the benefits that today’s devices can deliver.

Free Wifi: Why do we trust it?

Siân John

Imagine walking along a street on a sunny day. You’re thirsty and, sitting on a table outside a cafe, there is an ice cold, open bottle of beer. Would you pick it up and drink it? Probably not. Most of us would resist the temptation because we don’t know where it’s been or who’s already drunk from the bottle.

Now imagine you walk into a hotel or conference centre. You’re running close to your internet usage limit on your smartphone, but you want to connect your laptop to catch up on emails or carry out some research ahead of a meeting. All is not lost, as you notice there are a number of free and open wifi networks available. Do you connect? Why would you trust this wifi more than the bottle of beer? Do you know where it’s been and who has been using it with any more certainty?

Yet many of us still connect to wifi networks every day. We’re seemingly happy to connect to a friendly or “safe” sounding wifi network, such as a hotel or conference centre name, and work online without ensuring that our communication is protected or encrypted.

This was the exact analogy made by Paul Vissidis at a conference I attended recently. Hackers have always been known to exploit trust, and our willingness to connect to unverified wifi networks is giving them the opportunity to steal passwords and monitor people’s online activity.

Wifi is the easiest, fastest and often the cheapest way to keep ourselves online in a world where we are scared of becoming disconnected. Perhaps, because it’s impersonal and online, we simply don’t make the same connection. And everyone does it, so surely it can’t be that dangerous?

We are now demanding internet access everywhere, especially as we use mobile devices that constantly need to connect. As we pursue the anywhere, anytime, anyplace drive of cloud based services, we can only expect these threats to increase.

The solution is simple. Users need to be educated that they must either not connect to these networks at all or ensure they are protected by connecting to a corporate VPN. By following this policy before accessing any sensitive information, browsing from corporate devices, and checking that any web pages or applications we access run over encrypted links, we can feel more at ease.

So next time you see a free wireless network in a hotel, coffee shop or bar, stop and think before you link.

The true cost of a data breach

Mike Jones

Mike Jones, Symantec, warns organisations about the significant costs associated with data breaches for businesses

Experts predict that by 2020 the UK will have over 25 million new apps, 31 billion connected devices and over 50 trillion gigabytes of data. This means that by 2020 the amount of data we use will have grown to over 35 trillion gigabytes, a 44-fold rise on 2009 figures.

Predicting the future of data growth is relatively easy, but proposing ways of making that data secure is the complicated bit.

Data is extremely valuable to businesses and a data breach or a loss can be very costly. In fact, recent Symantec research into the cost of a data breach found that the average data or system failure costs UK organisations £1.9 million, or £71 per record.

At a time when businesses in the UK remain economically cautious, data and IP protection is critical, not only if a business wants to remain competitive, but also if they want to avoid potentially large fines as a result of not complying with data regulation.

It’s important to note that the vast majority of data breaches are preventable, but securing information clearly continues to challenge organisations at all levels.

Symantec’s recent cost of a data breach study shows how companies with information protection best practices in place can greatly lower their potential data breach costs.

Here are some of the key findings from Symantec’s cost of a data breach study:

  • System failures overtook employees as the most common threat to a business’s data. In this year’s study, 37 percent of all data breach cases involved a system failure, up 7 per cent on 2009, accounting for the biggest rise of any cause of a data breach. It replaced negligence, which at 34 percent dropped 11 points. Lost or stolen devices and third-party mistakes each fell slightly. Malicious or criminal attacks rose 5 points to 29 percent.
  • Recognition of the risk of insecure mobile devices connecting to company networks jumps to 64 per cent. The likelihood of insecure mobile devices including smartphones and tablet computers causing a data breach is 84 percent – an increase of 9 percent on 2009. Organisations are recognising this risk with 64 percent stating mobile device encryption was very important or important, an increase of 13 points from 2009.
  • Lost business ranked as the biggest contributor to overall data breach costs. Recovering customers, profits and business opportunities after data breaches posed the greatest cost hurdles for companies in 2010. Lost business accounted for 48 percent of the total, an increase of 2 percent from 2009. Other contributing factors were costs sustained in the immediate aftermath of the event, such as resetting accounts and communicating with customers (known as ex-post response) at 23 percent and costs related to detection / escalation at 20 percent.

The Ultimate Combination – Information Protection with Visibility and Audit

Siân John

With access control now covered, it’s time to consider another big issue with regard to the adoption of cloud: controlling the information that is sent to the organisation. This can create a particular problem when users are dealing with the challenge of mobile devices as well. If an organisation doesn’t approve personal mobile devices, then users who wish to view personal documents will often use cloud-based file sharing services, such as Dropbox, enabling them to download these documents to their mobile device. This can lead to sensitive data sitting on public cloud services.

With O3 users accessing the Internet via a gateway, it will be possible for Symantec to look at the traffic being sent to and from cloud services, enabling us to develop the next release of O3 and give the ability to protect information being sent to the cloud.

Symantec is planning a new release of O3 at the end of the year which will make it possible to plug this gap. As the traffic passes through O3 we will enable organisations to monitor against their Symantec DLP policies and, if this breaks company policy, either block the file being uploaded or call PGP encryption. If this call is made then it will seamlessly encrypt the document as it is passed to the cloud service and then decrypt it when it is being downloaded. This will ultimately allow the information to be protected when being stored in the cloud service, but for it to be invisible to the user and not affect their experience.
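The gateway flow described in that paragraph (inspect an upload against a DLP policy, then either block it or encrypt it so the cloud service only ever stores ciphertext, and decrypt transparently on download, with every decision written to an audit trail) as an added illustrative example; this is not Symantec’s O3 code. The DLP rules, file names and the stdlib-only cipher construction are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class DlpRule:
    name: str
    pattern: "re.Pattern"   # matched against the file content
    action: str             # "block" or "encrypt"


@dataclass
class CloudGateway:
    master_key: bytes
    rules: list
    cloud: dict = field(default_factory=dict)   # stands in for the cloud service
    audit: list = field(default_factory=list)   # feed for a SIEM

    def __post_init__(self):
        # Separate keys for the keystream and the integrity tag, derived from the master key.
        self.enc_key = hmac.new(self.master_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(self.master_key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 in counter mode: a stdlib-only PRF stream cipher (assumption;
        # a production gateway would use a vetted AEAD such as AES-GCM).
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self.enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _seal(self, data: bytes) -> bytes:
        # Encrypt-then-MAC: the cloud provider only ever sees nonce, tag and ciphertext.
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return b"ENC1" + nonce + tag + ct

    def _open(self, blob: bytes) -> bytes:
        if not blob.startswith(b"ENC1"):
            return blob                      # stored in clear; pass through unchanged
        nonce, tag, ct = blob[4:20], blob[20:52], blob[52:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("stored object failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    def classify(self, data: bytes):
        # First matching rule wins; rules are ordered most restrictive first.
        text = data.decode("utf-8", "replace")
        return next((r for r in self.rules if r.pattern.search(text)), None)

    def upload(self, user: str, name: str, data: bytes) -> str:
        rule = self.classify(data)
        if rule is None:
            self.cloud[name] = data
            decision = "allow"
        elif rule.action == "block":
            decision = "block"               # nothing reaches the cloud service
        else:
            self.cloud[name] = self._seal(data)
            decision = "encrypt"
        self.audit.append({"user": user, "op": "upload", "file": name,
                           "rule": rule.name if rule else None, "decision": decision})
        return decision

    def download(self, user: str, name: str) -> bytes:
        # Transparent decryption: the user never handles keys or ciphertext.
        data = self._open(self.cloud[name])
        self.audit.append({"user": user, "op": "download", "file": name,
                           "rule": None, "decision": "allow"})
        return data


def build_demo_gateway() -> CloudGateway:
    # Constructed sample policy: card numbers may never leave, marked documents leave encrypted.
    rules = [
        DlpRule("card-number", re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"), "block"),
        DlpRule("confidential-marker", re.compile(r"\bCONFIDENTIAL\b"), "encrypt"),
    ]
    return CloudGateway(secrets.token_bytes(32), rules)


if __name__ == "__main__":
    gw = build_demo_gateway()
    for user, name, body in [("alice", "notes.txt", b"lunch menu"),
                             ("alice", "plan.docx", b"CONFIDENTIAL: Q3 plan"),
                             ("bob", "cards.csv", b"4111 1111 1111 1111")]:
        print(name, "->", gw.upload(user, name, body))
    print(gw.download("alice", "plan.docx"))
```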

We will then look at an app for the iOS to allow these sensitive files to be downloaded to a secure area of the mobile device where it will remain encrypted and protected. This zone will also be used to facilitate the O3 single sign on and allow access to this from mobile applications.

Finally, visibility into cloud access is an area which many have been keen to see developed. With the introduction of the O3 gateway, we will be able to audit which cloud services users are accessing, as well as tracking the policy decisions and configuration made by admins. It will then be possible to feed this information into security incident and event management tools to allow organisations to see their cloud logs alongside their policy and access logs for internal information. This will be continuously expanded to address the compliance challenges that many have with accessing cloud based applications.

In conclusion, the cloud is ripe and with O3 it is now possible to take a layered approach. It has been developed to provide an easy to implement and manage cloud gateway that gives organisations control of access to the cloud, directly addressing the biggest issue with the adoption of cloud services.

Gaining Access Control

Siân John

One of the biggest issues with adopting cloud provision is the lack of control over which users have access to remote cloud solutions. With enterprise directories for example, when an employee leaves or changes roles updating the server-based directory is easily achieved using the enterprise tools available. However, extend that function to the cloud and suddenly the number of user identities to manage increases exponentially often requiring different IDs and passwords for different services. In some cases, worryingly, this can lead to escrow problems with employees leaving an organisation but continuing to have access to sensitive applications and data held and accessed in the cloud.

On the flip-side, users themselves, faced with multiple credentials and needing to remember vast numbers of passwords to login to all their cloud services, can often find themselves effectively “locked-out”. To overcome the issue, employees unwittingly commit the mortal sin of setting the same password across multiple systems. The result? It’s simple: if someone gains access to their password they are exposed in multiple places.

Symantec again took its lead from the enterprise end user in developing O3 to address this very problem. By providing single sign on from the organisation to the cloud, it allows organisations’ IT provisioning teams to connect to existing directories, enabling these to be mapped to policy controlling access to a cloud service. For example, only those in the sales group can access Salesforce and only those in the Finance group can access NetSuite. However, they won’t be able to do this from mobile devices.

Similarly, employees will be able to login to the O3 gateway with their corporate credentials and then use this to access the cloud services they need, rather than having to set and remember multiple account details to access many systems.

O3 will fundamentally not only reduce today’s password burden but also counteract the possible exposures businesses are all too often lending themselves to.

Next week: O3 – The Ultimate Combination.

O3 – Control in the cloud

O3 –Control in the cloud

Siân John

Cloud computing has presented both the biggest hype and promised the biggest business opportunities organisations have had in a long time; certainly in the past few years. Now that businesses better understand the benefits of this new technology, they are increasingly looking to cloud services for the business agility and efficiency they now know it to offer. You could say cloud is coming of age and can no longer be ignored.

Likewise the iPad has presented us with the most disruptive piece of hardware technology released in the last ten years. It has driven the explosion of devices adding to the list of business tools that boost employee productivity as well as delivering on the consumerisation promise. The adoption of mobility is also driving the move to cloud services as more and more information compels companies to consider storing, processing and provisioning workloads in the cloud.

But the growth of multiple device types such as smart phones and tablets at work indicates an increased acceptance of this new reality by management. The rapid evolution of all these factors, however, has left information security officers with challenges over how to control the security, risk and compliance across the new platforms. The traditional security approach of “Just Say No” doesn’t work for this new world where the business wishes to make these steps for valid business and user reasons. For this reason we need to find a way to allow information technology and information security to gain more control over this brave new world whilst still allowing for its adoption. Companies at a high level now understand too that a new work order of this kind needs a more encompassing IT support infrastructure.

Taking its lead from the needs of industry, Symantec developed O3 – a new layer of security control for the cloud. It aims to address the issues via a new layer that doesn’t depend upon agents within the device.

Over a series of two View from the Bunker blogs, I will consider the key objectives of O3 and how, by providing and increasing access control, information protection and visibility of traffic to and from the cloud, a layered approach is now required.

Check back on March 16th to read my next instalment!

Mobile adoption has reached the tipping point, but businesses accept it’s time for a security reality check

Greg Day, EMEA Security CTO for Symantec

Mobile is redefining the network perimeter. Instead of a barbed-wire ring of defence at the edge of the network, the boundary of an organisation’s infrastructure is now a fluid zone where endpoints come and go. One thing that’s for sure is that the mobile device is now a mainstream business tool but it’s difficult to know with any certainty what websites those devices are accessing when they’re not attached to the corporate network.

Symantec’s State of Mobile survey, which polled over 6,000 C-suite level executives, shows that 59 per cent of enterprises are now making business applications accessible from mobile devices. With figures like these you would assume the corresponding IT department is making sure that each endpoint has the correct protection in place.

However, the reality is at odds with this sentiment. The report sees IT admitting its hands are full managing mobile, with 48 per cent saying it is somewhat to extremely challenging and that an increasing number of staff are involved in mobility IT.

What we do have at our disposal is the benefit of hindsight. Our experiences in the PC world have shown us the importance of building a scalable security framework that can embrace all future requirements. Mobile should, essentially, be seen as just another asset and part of the overall IT strategy. Responding to each challenge in a piecemeal approach is unsustainable.

At the end of the day, IT organisations need to balance the security of the endpoint device with the security of the actual information. The challenge is finding an enlightened approach to applying policies and their associated layers of security technologies.

What is interesting is that the report uncovers a subtle shift to businesses providing more smart devices in the coming year that are for business purposes only. Perhaps this is the inevitable evolution from BYOD (where the challenges of managing this outweigh the value to the business) to CYOD – choose your own device.

It seems that the lean is to keep our business and personal worlds separate. The report predicted an expected drop in the number of personally owned devices being brought into businesses over the next 12 months, as well as reining in the use of social networking services on them, so they are more specifically business focused.

In light of this, it’s likely that the biggest challenge for businesses will be keeping pace with the demand to have the latest and greatest new smart toy. When I spoke to a group of CSOs recently they mentioned the correlation they are seeing between a new version of a device being released and lost and broken devices being reported to the business (i.e. the user is looking for the upgrade).

What is clear is that we cannot ignore these trends otherwise we drive the use underground, in this case – under the desk computing. Such a task may be a lot easier said than done, but the alternative is the inevitable security breach that at best consumes valuable IT time and at worst results in major financial loss.

Top Enterprise tips:

o Enable broadly: Mobility offers tremendous opportunities for organisations of all sizes. Explore how you can take advantage of mobility and develop a phased approach to build an ecosystem that supports your plan. To get the most from mobile advances, plan for line-of-business mobile applications that have mainstream use. Employees will use mobile devices for business one way or another – make it on your terms.
o Think strategically: Build a realistic assessment of the ultimate scale of your mobile business plan and its impact on your infrastructure. Think beyond email. Explore all of the mobile opportunities that can be introduced and understand the risks and threats that need to be mitigated. As you plan, take a cross-functional approach to securing sensitive data no matter where it might end up.
o Manage efficiently: Mobile devices are legitimate endpoints that require the same attention given to traditional PCs. Many of the processes, policies, education and technologies that are leveraged for desktops and laptops are also applicable to mobile platforms. So the management of mobile devices should be integrated into the overall IT management framework and administered in the same way – ideally using compatible solutions and unified policies. This creates operational efficiencies and lowers the total cost of ownership.
o Enforce appropriately: As more employees connect their personal devices to the corporate network, organizations need to modify their acceptable usage policies to accommodate both corporate-owned and personally-owned devices. Management and security levers will need to differ based on ownership of the device and the associated controls that the organization requires. Employees will continue to add devices to the corporate network to make their jobs more efficient and enjoyable so organizations must plan for this legally, operationally and culturally.
o Secure comprehensively: Look beyond basic password, wipe and application blocking policies. Focus on the information and where it is viewed, transmitted and stored. Integrating with existing data loss prevention, encryption and authentication policies will ensure consistent corporate and regulatory compliance.

The internet explodes with gTLDs

Siân John

On 12 January the internet made history. The Internet Corporation for Assigned Names and Numbers (ICANN) – which controls how URLs are managed – launched new generic Top Level Domain (gTLD) names.

This represents an explosion in the size of the internet. We will no longer be limited to the likes of .com, .net and .org – soon all types of words and languages will be able to form the end part of domain names. This could be anything from a corporate brand name such as .symantec, to an interest such as .football. The opportunities are endless and this is, undoubtedly, an exciting time for the internet.

However, as the internet grows, so do the potential security threats that need to be addressed. The explosion of domain names could open the door to ‘cybersquatters’ who have managed to register a company’s brand name against a gTLD. This could lead to an increased chance of phishing attacks from what may appear to be bona fide websites, putting both businesses and consumers at risk. Fraudsters may also seize this as an opportunity to avoid law enforcement agencies, by hopping from registry to registry as scam websites are shut down.

To avoid increased online incidents in relation to their brands, organisations may have to resort to strategically registering their brand with multiple gTLDs to try to cover all possible scenarios.

While choice is always good, the huge growth in internet websites could result in security challenges for both businesses and consumers, and reinforces the need to be aware of the risks and of safe online practices.

Common Criteria EAL +3 Security Certification – What’s all the fuss about?

Guido Sanchidrian

Companies have for some time understood they need to safeguard their IT systems from infiltration and viruses. But in today’s sophisticated cyber environment, the protection of data and data integrity needs not only to match the skill and cunning of the cybercriminal; it also has to be in accordance with strict security rules and regulations. Organisations need look no further than the few months leading up to the end of 2011 to see that cyber threats are becoming more frequent and more complex. The Duqu worm discovered in September 2011 is just one high profile danger facing organisations.

In this sense it is true to say that Governments and enterprise businesses face unprecedented challenges in ensuring the confidentiality of data as it is processed and exchanged across data centres. The use of cryptography in the form of encryption offers the most convenient way to protect sensitive data in transit over high-speed backhaul and backbone connections and that is why we went to the trouble of attaining Common Criteria certification EAL +3 for our automated policy management solution, Control Compliance Suite.

Provision of this worldwide standard verifies that the software has completed a rigorous independent testing process of specification, implementation and evaluation, and conforms to standards sanctioned by the International Standards Organisation.

But why should this matter?

Perhaps a good person to weigh in on this is Jane Doorly, Vice President European Research, IDC who commented on the importance of compliance today: “In recent years, there has been a higher level of adoption and spending in technologies and services that enable companies to meet their compliance objectives. As a result of this trend, we have seen the importance and relevance of independent testing and Common Criteria certification increase, making it a vital element of an organisation’s purchasing process.”

To our mind, being awarded a security accolade of this kind is not just a testament to the hard work and commitment that goes into making products good, it’s about meeting today’s security needs for the customer and industry. In an uncertain world where assets are being stolen for profit, intellectual property infiltrated just to prove it can be done and data integrity tampered with, it is crucial that customers have a high level of confidence and trust in their security solutions. What stronger confirmation is there that a product is up to the job than having an international standard stamp of approval?
