Towerwall Security Alert 2013

As the year draws to a close, it’s time for us to take a step back, absorb the lessons of 2012, and look at what 2013 and beyond will bring for users, the security industry, and even cybercriminals. We know this time of year is incredibly busy and as a trusted advisor, you expect Towerwall to stay on the cutting edge of security information and share our findings. To help you understand the impacts of threats to your business, we would like to share Trend Micro’s 2013 forecast report, “Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond”.

In 2013, managing the security of devices, small business systems, and large enterprise networks will be more complex than ever before. Users are breaking down the PC monoculture by embracing a wider variety of platforms, each with its own user interface, OS, and security model. Businesses, meanwhile, are grappling with protecting intellectual property and business information as they tackle consumerization, virtualization, and cloud platforms head-on. This divergence in computing experience will further expand opportunities for cybercriminals and other threat actors to gain profit, steal information, and sabotage their targets’ operations.

Top 4 findings:

  1. The most serious threat during 2013 may be malicious and high-risk Android apps. We predict they will reach 1 million in 2013, up from 350,000 at the end of 2012.
  2. While traditional PC malware may recede a bit next year, threats to devices running the Android operating system will more than replace it.
  3. The emergence of more digital lifestyle devices means that threats could appear in new and unexpected places, such as television sets and home appliances.
  4. Africa appears on its way to becoming the next safe harbor for cybercriminals on the run.

Other predictions include:

  1. Slow adoption of Windows 8 by business means consumers will be the leading beneficiaries from its security enhancements during the coming year.
  2. Cybercriminals will target legitimate cloud services and data breaches will remain a serious threat in 2013, in part because existing security tools do not protect cloud data as well as traditional storage.
  3. Consumers will increasingly use multiple computing platforms and devices, making securing them a difficult challenge.
  4. Politically motivated attacks will become more destructive during 2013.
  5. Conventional malware threats will evolve gradually, with few, if any, significant new attacks. Still, attacks that do occur will become more sophisticated and harder to detect.
  6. Efforts to address global cybercrime are gaining traction, but will take two or three more years to reach full implementation.

Download the report today for the complete details and learn how these predictions will affect your business, customers and end users.

The BYOD dilemma is putting undue strain on employer-employee relations, shaking up how organizations approach IT security, posing new risks and challenges.

Download our new eBook Beware of BYOD

Beware of BYOD trend wreaking havoc

Bringing mobile devices to work? Not so fast.

Like it or not, the line between the workplace and the home is blurring. Work-at-home arrangements are becoming more common and cloud services make it easier to co-ordinate teams online. People are constantly on call, with the ability to check their emails and stay in touch wherever they are. The days of having a personal mobile and a work device are fast disappearing as the BYOD (Bring Your Own Device) trend continues to grow.

A recent SkyDox survey found that 77% of information workers use their personal smartphones or tablets for work. A whopping 88% report that they need the ability to access work-related documents outside the office. Allowing employees to use their own mobile devices for work can prove to be a real boost for productivity and it can also save companies a lot of money.

The downside to the BYOD movement is the difficulty of maintaining security. How do IT departments provide easy access to documents and files for a host of different devices and still ensure that sensitive material remains safe and workplace systems are not exposed to dangerous threats? How do they cope with lost or stolen devices? How can they safeguard company servers?

There is a clear need for the enterprise to establish a set of guidelines for the BYOD trend but it’s not clear how much control employees will accept when they are using their own devices. If a worker is issued with a company smartphone or tablet, then they are unlikely to question the company policy with regards to installing other applications or personal use of the device. When the device belongs to them they will obviously expect to be able to use it any way they like and to be able to install whatever they choose.

Security concerns have been serious enough that a Cisco survey found that 48% of companies would not authorize BYOD. The problem is that “57% agreed that some employees use personal devices without consent.”

Even if you don’t condone BYOD in the workplace you should still have a security policy in place. The risk of employees connecting to your networks and accessing sensitive materials is there and a draconian crackdown on personal devices is not going to be well received.

The good news is that you can circumvent the threat by allocating the right resources in your IT department. Ensuring security and providing support for a multitude of devices is going to represent a hefty cost, but you can offset that cost by embracing the BYOD trend because you’ll no longer have to buy the hardware.

Protecting your sensitive data has to be the key aim and so you’ll need to monitor the flow of data in and out. You also need a policy for when employees leave because they’ll be taking the device with them. The ability to remotely wipe data is supported on all platforms with the right apps so it’s simply a matter of arming your IT staff with the right tools.

There are a lot of different ways to approach the problem. Combine a sensible approach to monitoring and support with some education on risks for your staff and you can reduce the impact on your business dramatically. You may also consider mobile application management which focusses on securing the app or the data regardless of the device. This approach makes a lot of sense in the face of an increasingly mobile workforce.

The BYOD trend is universal and it represents a threat for businesses of all sizes. Since there is no wonder pill guaranteed to alleviate this headache each company should assess the risks and decide on a strategy that works for them. By embracing the movement and pre-empting any problems you can increase employee productivity and job satisfaction. The key thing is to act because failing to spend a little time and effort on this now could cost you a great deal further down the line.

In brief, some best practices might entail:

  • Decide what happens to data when an employee leaves
  • Deploy centralized remote wipe of data from devices
  • Centralized storage options
  • Deploy data leakage prevention
  • Monitor use of BYOD
  • Educate users to the inherent risks

Download our free eBook “Beware of BYOD”.


By Michelle Drolet, founder and CEO, Towerwall
Special to BostInno

This article was recently published in BostInno

Compliance Combines with Vulnerability Scanning to Create Aegify

Two security firms, the established Rapid7 vulnerability manager and eGestalt, a cloud-based compliance management provider, have signed an OEM deal that will do something for the IT security industry that hasn’t been done before: a combination security and compliance posture management offering called Aegify SPM.

The SPM stands for Security Posture Management, and eGestalt of Santa Clara defines SPM as “the art and science of monitoring and managing business security status by orchestrating process, people, and technological resources to achieve security objectives.”

SPM is about identifying IT assets, evaluating their risks based on known vulnerabilities, then calculating the impact of these threats. These threats are then mapped directly to a set of regulatory compliance frameworks, whether for PCI or HIPAA, where the final output can be used to initiate appropriate countermeasures, eventually bringing the company into compliance.

Inside the Aegify SPM power train is the Rapid7 Nexpose vulnerability technology. Nexpose has a long history with 2,000 enterprises and government agencies using their wares. It must be doing something right. It can sniff out 31,800 vulnerabilities and it conducts more than 92,000 vulnerability checks that comprise discovery, detection, verification, risk classification and mitigation. Impact analysis and reporting, like most of these security tools, are par for the course.

Riding on top of Nexpose and serving as the interface and compliance imperative is eGestalt’s own SaaS software called SecureGRC, which as the name implies, does governance and risk management by applying a compliance imperative on 400 regulations such as PCI, HIPAA/HITECH, SOX, FISMA, and GLBA.

The integration of these two programs has created a patent-pending system designed by eGestalt that can automatically map security vulnerabilities to popular compliance mandates, thereby automating the task of security posture management and compliance management. The tool can import data from other scanners as well.

A cool feature is how it provides a sequenced remediation roadmap with time estimates for each task.

Who among us likes to deal with government regulatory pressure? Most companies do nothing but stand in the middle of the shooting range and “hope it won’t happen to me.” They hope no auditor will come knocking. It should be pointed out that ignorance is no excuse.

eGestalt President Anupam Sahai, who holds two master’s degrees from MIT’s Sloan School, claims the combination of Nexpose with his compliance driver eliminates manual work and is “10 to 20 times more cost-effective than any other competing solution.” He credits the SaaS delivery model for that kind of savings.

Going to the cloud with this “all hands on deck” threat management approach can be a smart way to isolate trouble brewing across physical and virtual networks, operating systems, databases and Web applications.

Whatever peace of mind you get out of this will be high, knowing that the Feds can’t disrupt your business with their eager probing.

That alone is worth something.


By Michelle Drolet, founder and CEO, Towerwall
Special to Infosec Island

This article was recently published in Infosec Island

Mobile Devices Get Means for Tamper-evident Forensic Auditing

Providing early evidence of tampering can shorten investigation times for breaches and audits.

The convenience of mobile devices has led to their rapid proliferation in the workplace. But along with that convenience comes security and compliance issues contributing to the degeneration of trust.

Risk management for mobile devices is of rising concern, particularly in highly regulated industries such as healthcare and finance. In order to detect security breaches and guarantee compliance, tamper ‘proofing’ has not been sufficient. When it comes time for a forensic audit, the ability to detect unauthorized changes to digital files becomes invaluable in an investigation.

In an article published by Enterprise Mobile Solutions, Mike Gault of Guardtime observed that “Enterprises and government agencies don’t want to rely on trust authorities when it comes to ensuring transaction trails are secure. They’re looking for proof – an independent verifiable audit trail.”

The Institute of Internal Auditors says that internal audits are the leading method of detecting fraud among all industries. Compliance policies have, of course, requirements to provide clear audit traces, but that is not always sufficient. Having a means to more easily recognize tampering can improve audits by flagging digital files that have been altered or deleted in the time since they were created. Using tools to provide evidence of tampering rather than simply attempting to stop it can simplify and shorten investigation times for security breaches. These applications also shore up trust in mobile devices and the data they access or carry by validating it.

Keyless signature technology has been tapped to provide the best tamper-evident applications for mobile devices, cloud computing, and any other less-than-secure means of disseminating information. This method, rather than relying on keys, secrets, or other third-party information, uses hash functions for data verification. It creates a signature indicating the time, integrity, and origin (business, computer, or user) of the information against which to compare the received file.

The method of keyless signature is highly scalable and benefits from the simplification of the validation method. Certification-based validation schemes are often very complex and have management issues such as the revocation or expiration of the validating instrument. In addition, keyless signatures can be appended to almost any type of file or file format and the signature stored separately from the file, embedded into the file, or as a separate file alongside the original if needed.

By integrating keyless signature technology with mobile risk management, governments and enterprises can more easily comply with auditing policies. The forensic logs and audit records provided by these types of solutions are extremely transparent. Not only are the data and the device validated, the audit trail itself is secured.
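The three paragraphs above describe the idea in prose: a hash-based signature that records the time, integrity and origin of a file, stored alongside the file, with the audit trail itself protected against alteration or deletion. The following is an added illustration written for this page; it is not Guardtime’s or Fixmo’s code and does not implement their product. It uses only SHA-256: each record holds the file’s digest, a timestamp, an origin label and the link hash of the previous record, so editing a file, rewriting an old record or deleting one from the middle of the trail is detectable by recomputation alone. The file contents, origin labels and timestamps are constructed sample values; a real deployment would take the timestamp from a trusted time source rather than a caller-supplied string.

```python
"""Hash-chained, tamper-evident audit trail (added example, not vendor code).

Each 'keyless signature' record = SHA-256(file) + time + origin + previous link.
Verification needs no keys, secrets or certificates: it only recomputes hashes.
"""
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # link value that the first record in a trail points to


def file_digest(data: bytes) -> str:
    """Integrity value of the file contents."""
    return hashlib.sha256(data).hexdigest()


def _link_hash(body: dict) -> str:
    # Canonical JSON (sorted keys) so every verifier hashes identical bytes.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def sign_record(data: bytes, origin: str, timestamp: str, prev_link: str) -> dict:
    """Build one signature record: digest, time, origin, chained to prev_link."""
    body = {"digest": file_digest(data), "origin": origin,
            "time": timestamp, "prev": prev_link}
    record = dict(body)
    record["link"] = _link_hash(body)  # covers every field, including prev
    return record


def append_record(chain: List[dict], data: bytes, origin: str, timestamp: str) -> dict:
    """Append a record for `data` to the trail and return it."""
    prev_link = chain[-1]["link"] if chain else GENESIS
    chain.append(sign_record(data, origin, timestamp, prev_link))
    return chain[-1]


def verify_file(record: dict, data: bytes) -> bool:
    """True if the file bytes still match the digest captured at signing time."""
    return file_digest(data) == record["digest"]


def verify_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Walk the trail; return (ok, index_of_first_bad_record).

    A rewritten record fails its own link hash; a deleted or reordered record
    makes the next record's `prev` disagree with the recomputed link.
    """
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != expected_prev:
            return False, i
        body = {k: rec[k] for k in ("digest", "origin", "time", "prev")}
        if _link_hash(body) != rec["link"]:
            return False, i
        expected_prev = rec["link"]
    return True, None


def audit(chain: List[dict], files: List[bytes]) -> List[str]:
    """Per-record status for an audit: 'ok', 'file-altered' or 'trail-broken'."""
    ok, bad_at = verify_chain(chain)
    statuses = []
    for i, (rec, data) in enumerate(zip(chain, files)):
        if not ok and i >= bad_at:
            statuses.append("trail-broken")
        elif not verify_file(rec, data):
            statuses.append("file-altered")
        else:
            statuses.append("ok")
    return statuses


if __name__ == "__main__":
    # Constructed sample trail for two files from two devices.
    trail: List[dict] = []
    report_v1 = b"Q3 financial summary - draft 1"
    policy = b"Mobile device policy rev 4"
    append_record(trail, report_v1, "finance-laptop-01", "2012-11-01T09:00:00Z")
    append_record(trail, policy, "hr-tablet-07", "2012-11-02T10:30:00Z")
    print("intact:", audit(trail, [report_v1, policy]))
    # The report is edited after signing: its digest no longer matches.
    print("edited file:", audit(trail, [b"Q3 financial summary - draft 2", policy]))
    # The first record is deleted from the trail: the survivor's prev link is wrong.
    print("deleted record:", audit(trail[1:], [policy]))
```

Storing the record next to the file (or embedding it) is a deployment choice; the verification logic is the same in either case, and because the trail is chained, an auditor can confirm that no earlier record was quietly removed before checking any individual file.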

Says Rick Segal, CEO of mobile risk management provider Fixmo, “When it comes to proving compliance, the ability to verify a document’s integrity before and after a transfer is just as important as ensuring the data it contains is accurate and verified. The integration of keyless signatures and mobile risk management ensures our customers can confidently prove compliance in an auditable fashion across all corporate-liable and employee-owned (BYOD) devices on their network.”

Gartner announced that for 2012 cloud computing will become more mainstream with a 10X increase in deployments. Tamper-evident forensic auditing is not only a requirement for compliance of mobile devices; it will also serve to enhance cloud computing security and trust.

By lessening dependence on third-party trust instruments and easily integrating with almost any file system, keyless signatures improve data integrity and provide a means of showing proof of authenticity for each mobile device in use.


By Michelle Drolet, founder and CEO, Towerwall
Special to Info-Security Magazine

This article was recently published in Info-Security Magazine