Top 10 things to know about mobile security

10. Malware is on the rise

The threat of malware on mobile platforms is growing steadily as more and more cyber criminals target mobile devices in increasingly sophisticated ways.

9. BYOD is a challenge

There are obvious benefits to the BYOD (Bring Your Own Device) trend, but it also creates IT challenges and exposes your company to new threats.

8. Choose devices carefully

Not all devices and platforms are created equal – some are more secure than others.

7. Choose apps carefully

Don’t blindly trust that third-party apps meet your security standards and requirements. You are responsible for ensuring compliance, so do your homework.

6. Use encryption

Encryption should be mandatory for your data in transit. Consider encrypting in the cloud as well if you want to ensure there’s no exposure risk.

5. Require authentication

Without authentication in place, a lost mobile device serves as the keys to your kingdom, and anyone who finds it can gain entry to everything.

4. Control connectivity

Your file servers may be safe and secure behind a firewall, but it’s all for nothing if mobile devices share files on unsecured public Wi-Fi networks or via Bluetooth.

3. Maintain an audit trail

Ensure that every point of entry is identified and every action creates a trail which can be clearly followed. You must see the flow of data in order to protect it.

2. Test your defenses

You can spend millions on a mobile security system, but how do you know that it works if you never put it to the test? Get third-party experts without prior knowledge to try and break it.

1. Enforce MDM policy

You can have the best Mobile Device Management policy in the world, but if you don’t monitor, test and enforce it then it’s useless.
 

By Michelle Drolet, founder and CEO, Towerwall
Special to Business Excellence

This article was recently published in Business Excellence

Why wasn’t healthcare.gov security properly tested?

When the healthcare.gov website was launched on Oct. 1 it didn’t take long for technical issues to hit the headlines. Americans trying to register for health care found the website unusable. There were glitches, extremely long loading times, and serious errors, but most worrying of all for anyone entrusting sensitive data to the system was the lack of security testing.

Three white hat hackers, charged with exposing flaws in the security of online systems, told a congressional hearing that the healthcare.gov website has serious flaws that could expose sensitive information to determined cyber criminals. David Kennedy, chief executive of TrustedSec, told CNBC that, “It’s really hard to go back and fix the security around it because security wasn’t built into it.” He was able to produce a 17-page dossier of issues, which has not been publicly disclosed, in order to protect users of the website and give the government time to fix it.

Start with security

Anyone designing a new system such as this should take security into account from the beginning. The amount of personal information that could be harvested by any breach is truly alarming and the public must have confidence that their details are safe. It is highly unlikely that a commercial project that had not undergone rigorous testing would have been launched at all. The project should have been delayed.

Retro-fitting security is tough and expensive, especially in a live product. There’s a debate raging about how long this will take to fix and just what the level of risk is to users of the website, but there’s little doubt that proper penetration testing could have exposed problems and given developers a chance to solve them before release.

Where was the application penetration testing?

According to a top official at the Homeland Security Department, talking to CNN, hackers have engaged in more than a dozen cyber attacks, but none were successful. The Department of Health and Human Services CIO, Frank Baitman, told a hearing that a white hat hacker or “ethical hacker” had been engaged to expose flaws and that a number of loopholes for potential security breaches were subsequently closed.

You would expect the government to engage in serious penetration testing for a project of this magnitude. It seems that time pressures led to corners being cut. An article in the Washington Examiner suggested that the website wasn’t being properly tested until the week before launch, which is completely unacceptable for such an important system dealing in sensitive data. Generally speaking, the earlier problems are exposed and dealt with, the cheaper they are to solve.

Usability is the focus

The Department of Health and Human Services has released a report on its progress towards improving the healthcare.gov site, but it focuses on hundreds of software fixes, improved site capacity, and better site monitoring, which reveals a lower incidence of errors, improved stability, and a much improved response time. There hasn’t been much discussion about the potential for security breaches.

Any website with coding errors or bugs is going to be vulnerable to a wide array of possible attacks. Fixing these bugs should, in theory, reduce the potential entry points, but if software fixes are rushed out the door there’s every chance they could introduce new weaknesses.

Exposing security threats

A chain is only as strong as its weakest link and because the healthcare.gov website transmits sensitive data, even if it doesn’t store it, that data could be vulnerable to all sorts of attacks. There’s potential for cross-site scripting or code injection attacks to install malware and run malicious code to steal passwords, cookies, and other data from subsequent visitors. Clickjacking could be used to redirect users to fake websites. The risk is complicated by the fact that many individual states effectively run their own Affordable Care Act sites and they’re independently responsible for the security of those sites.

There are many unanswered questions. How well encrypted is your data during transit? How does the site handle authentication and manage individual sessions? These kinds of threats could be legitimately exposed and reported to HHS with the help of cyber security experts. The government should be employing white hat hackers on an ongoing basis as the system is being continually updated.

Identity theft

The level of personal information that must be submitted includes a full name, address, phone number, email address, income details, employer details, and Social Security numbers. This is easily enough for cyber criminals to create fake accounts. Identity theft affects around 15 million Americans every year and this kind of fraudulent activity is responsible for financial losses in the billions.

Spending a bit more on penetration testing at the outset, and delaying the launch when it became clear that it wasn’t ready for prime time, would have been a lot wiser, less damaging and healthier on the cost side in every sense.

 

By Michelle Drolet, founder and CEO, Towerwall
Special to SC Magazine

This article was recently published in SC Magazine

Introducing our Quarterly Newsletter: the Data Security Review

blog_newsletter01-humanrisk

I am excited to announce the launch of our quarterly newsletter, the Data Security Review.

Each quarter I will be sharing with you what I am hearing from customers, colleagues and data security experts to keep you aware and protected.

As we enter 2014, human risk is on everyone’s mind. Even with the most sophisticated security products, it is the congenial receptionist who is going to give unauthorized access to the crown jewels. How are you addressing this problem? Let me know and I can tell you what has worked for Towerwall and our customers. Until next quarter, thank you.

– Michelle Drolet, CEO

Read Issue 01 – The Human Risk Factor

Please join us at the Information Security Summit 2014

Please save the date and plan to join us for this timely forum on what you need to know about the latest security issues, threats, and technologies that will help you protect your business!

 

May 29, 2014, 8:00 AM – 1:00 PM

MassBay Community College
50 Oakland Street | Wellesley Hills, MA 02481

Early Bird Special: $35 (before March 1, 2014)
After March 1st: $45

Pre-registration required.

 

Join us for the 2nd Annual Information Security Summit and discover new ways to lead the creation of the secure digital enterprise!

Featured Topics:

  • User awareness and Training / Social Engineering
  • Cloud and security
  • APTs (advanced persistent threats)
  • Secure mobile applications and BYOD
  • Risk management and compliance
  • Identity management

Click here for more information & to register!

 

 

Towerwall Security Patch Alert Vol 13.63

Patch Tuesday January 2014 – Microsoft, Adobe and Oracle

by Chester Wisniewski

As expected, Microsoft delivered four patches on Patch Tuesday covering Windows XP, 2003, 7, 2008 R2, Word and Dynamics. All four patches are rated important, the first time in memory that none of the fixes were critical.

The Word fix applies to all Windows versions and could result in remote code execution. The operating system fixes will require a reboot.

Adobe also released fixes today for Acrobat and Reader X and XI. This first update of 2014 for Adobe fixes three remote code execution vulnerabilities and should be considered a critical update.

You can get the updates from the integrated updater tool or from http://get.adobe.com/reader.

The big one today is Oracle’s quarterly update which it calls Critical Patch Update January 2014. As Duck commented, it is a bundle of fixes covering 144 different vulnerabilities.

Many Oracle products are covered; I am only going to highlight the most common ones here. You can view the complete list on Oracle’s security page.

Java has been updated, as expected, fixing 36 vulnerabilities, 34 of which are remotely exploitable without authentication.

If you don’t need Java, please turn it off in your browser. If you aren’t sure, turn it off in your browser… You can always reinstall. If you must have it installed, be sure to apply this update immediately.

Oracle also patched 18 vulnerabilities in MySQL, three of them remotely exploitable, and 9 vulnerabilities in VirtualBox, four of which are remotely exploitable.

(Note: only older supported branches of VirtualBox get updates, namely versions 3.2, 4.0, 4.1 and 4.2. If you are already on the most recent branch, namely 4.3, you should already have 4.3.6, which remains the latest version.)

As always, we advise you to update as soon as you are able.

Towerwall Security/Vulnerability Alert Vol 13.62

Recent vulnerabilities for which exploits are available compiled by the Qualys Vulnerability Research Team.

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

 

ID: CVE-2013-0074
Title: Microsoft Silverlight Double Dereference Vulnerability
Vendor: Microsoft
Description: Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka “Silverlight Double Dereference Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-3346
Title: Adobe Reader and Acrobat “ToolButton” Use-after-Free Vulnerability
Vendor: Adobe
Description: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-2068
Title: Red Hat CloudForms Management Engine Path Traversal
Vendor: Red Hat
Description: Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method.
CVSS v2 Base Score: 9.4 (AV:N/AC:L/Au:N/C:N/I:C/A:C)

ID: CVE-2013-5331
Title: Adobe Flash Player Memory Corruption Code Execution Vulnerability (APSB13-28)
Vendor: Adobe
Description: Remote exploitation of a memory corruption vulnerability in Adobe Systems Inc.’s Flash Player versions 11.9.900.152 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.327 and earlier versions for Linux. This could allow an attacker to execute arbitrary code. Adobe is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf).
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-5065
Title: Microsoft Windows Kernel “NDProxy.sys Driver” Input Validation Code Execution Vulnerability
Vendor: Microsoft
Description: NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-3906
Title: Microsoft Graphics Component Could Allow Remote Code Execution
Vendor: Microsoft
Description: GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execute arbitrary code via a crafted TIFF image, as demonstrated by an image in a Word document, and exploited in the wild in October and November 2013.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

 

=========================================================

MOST PREVALENT MALWARE FILES 1/5/2014 – 1/8/2014:

COMPILED BY SOURCEFIRE

 

SHA 256: 180C6035CA44C270B8E1556A7B2E9FAF442D1B4323EF6D8E93B7E759AF169C96

MD5: 44e5b5dc6a27ea109b8a234e640bb5fd
VirusTotal: https://www.virustotal.com/en/file/180C6035CA44C270B8E1556A7B2E9FAF442D1B4323EF6D8E93B7E759AF169C96/analysis/
Typical Filename: BitGuard.exe
Claimed Product: BitGuard.exe
Detection Name: W32.Agent:Generic.16no.dk

 

SHA 256: EBCB88F48912E1D915F4DE0C16211DB90201B1991636214E7C59CDE0E95E14DA

MD5: 5875746aac710d1f3101a665300e793f
VirusTotal: https://www.virustotal.com/en/file/EBCB88F48912E1D915F4DE0C16211DB90201B1991636214E7C59CDE0E95E14DA/analysis/
Typical Filename: CltMngSvc.exe
Claimed Product: Conduit
Detection Name: W32.EBCB88F489-100.SBX.VIOC

 

SHA 256: 03eee4bc04af3c72a6a0740b8870fa7239cd5f60ad91fecc20f531b026ff63ef

MD5: 0c0d9a079675e93dee6be74e237cc697
VirusTotal: https://www.virustotal.com/en/file/03EEE4BC04AF3C72A6A0740B8870FA7239CD5F60AD91FECC20F531B026FF63EF/analysis/
Typical Filename: CltMngSvc.exe
Claimed Product: Conduit
Detection Name: W32.03EEE4BC04-100.SBX.VIOC

 

SHA 256: c0caec53e9b87483c25d5d6211940f2616bc56124bbc094d126f08bd0825f81b

MD5: c695ae18bd7b47fe944f483d9c1b4ac1
VirusTotal: https://www.virustotal.com/en/file/C0CAEC53E9B87483C25D5D6211940F2616BC56124BBC094D126F08BD0825F81B/analysis/
Typical Filename:  CltMngSvc.exe
Claimed Product: Conduit
Detection Name: W32.C0CAEC53E9-100.SBX.VIOC
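A hash list like the one above is only useful once it is matched against what is actually on a host, and the list itself mixes upper- and lower-case hex, so a naive string compare will miss entries. The following is an added example (not Sourcefire’s or Towerwall’s material): it parses records in the “SHA 256 / MD5 / Typical Filename” layout used above, normalises the hex, and scans a directory for files whose SHA-256 is on the list. The two records embedded as SAMPLE_FEED are copied from the list; the files it scans are constructed in a temporary directory, and one constructed hash is added to the index purely so the demo produces a hit as well as a miss.

```python
"""
Match files on disk against a published list of known-bad hashes.
Added example; the feed format follows the Sourcefire list above.
"""
import hashlib
import os
import re
import tempfile

# Two records copied from the list above (note the mixed-case SHA-256 values).
SAMPLE_FEED = """
SHA 256: 180C6035CA44C270B8E1556A7B2E9FAF442D1B4323EF6D8E93B7E759AF169C96
MD5: 44e5b5dc6a27ea109b8a234e640bb5fd
Typical Filename: BitGuard.exe
Claimed Product: BitGuard.exe
Detection Name: W32.Agent:Generic.16no.dk

SHA 256: 03eee4bc04af3c72a6a0740b8870fa7239cd5f60ad91fecc20f531b026ff63ef
MD5: 0c0d9a079675e93dee6be74e237cc697
Typical Filename:  CltMngSvc.exe
Claimed Product: Conduit
Detection Name:  W32.03EEE4BC04-100.SBX.VIOC
"""

FIELD_RE = re.compile(
    r"^\s*(SHA 256|MD5|Typical Filename|Claimed Product|Detection Name)\s*:\s*(.+?)\s*$"
)


def parse_feed(text):
    """Split the feed into records (blank-line separated); hash values are lower-cased."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if key in ("SHA 256", "MD5"):
                value = value.lower()
            current[key] = value
        elif not line.strip() and current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def build_index(records):
    """Map lower-case SHA-256 -> record, for constant-time lookup while scanning."""
    return {r["SHA 256"]: r for r in records if "SHA 256" in r}


def sha256_of_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, index):
    """Return [(path, record)] for every file under root whose SHA-256 is in the index."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rec = index.get(sha256_of_file(path))
            if rec:
                hits.append((path, rec))
    return hits


def demo():
    """Constructed scenario: one benign file, one file whose hash is added to the
    index for the demo only. Returns [(filename, detection name)] for the hits."""
    index = build_index(parse_feed(SAMPLE_FEED))
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"quarterly newsletter draft\n")
        suspect = os.path.join(tmp, "CltMngSvc.exe")
        with open(suspect, "wb") as f:
            f.write(b"constructed sample, not real malware\n")
        digest = sha256_of_file(suspect)  # constructed hash, not from the list
        index[digest] = {"SHA 256": digest, "Detection Name": "DEMO.Constructed"}
        hits = scan_directory(tmp, index)
    return [(os.path.basename(p), r["Detection Name"]) for p, r in hits]


if __name__ == "__main__":
    for name, detection in demo():
        print("%s matched %s" % (name, detection))
```

Matching on the file’s content hash rather than on “Typical Filename” is the point: three of the four records above share the name CltMngSvc.exe, so the name alone identifies nothing.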

Establishing Security Goals


The Security Awareness Program builds security practices into your employees’ daily work habits and protects the integrity and confidentiality of information. Its goals are:

  • Put information security and its importance into the forefront of your staff’s minds.
  • Spread information security policy and awareness throughout corporate ranks.
  • Build security awareness into the technical and development teams.
  • Think differently. Create a paradigm shift in the way your employees view your organization’s business process and how it should be protected.
  • Have Fun. Make security awareness fun for everyone. Get significant ‘buy-in’ from the entire corporate target audience.
  • Build Cyber Security, Physical Security and People Security into a coherent whole, where the goal is to teach behavior and environmental awareness according to your organization’s goals and policies.

10 Things I Know About … Passwords


10. Be clever

Create passwords from easy-to-remember sentences, such as <Patriots Win the Super Bowl>, using the first letter of each word and adding numbers and special characters at the beginning or end (e.g., <12=PwtSB!>).

9. Create a management system

Consider creating one, very strong password and appending it with identifiers, such as <!Kr0y-W3n$TOM> and <!Kr0y-W3n$ANN>. This will help you recall passwords across many accounts.

8. Utilize special characters

The many special characters on your keyboard give you endless combination possibilities. As an example, you can easily turn <Kr0yW3n> into <!Kr0y-W3n$>.

7. Play with the characters

Spell something backwards, such as turning <New York> into <kroywen> or substituting numbers for letters, such as converting <kroywen> into <kr0yw3n>. Also use random capitals such as <Kr0yW3n>.

6. Make them hard to guess

Go for longer and more complex. This complex password <d!y!ktwtsj?> is derived from the simple phrase: Do you know the way to San Jose?

5. Never share with anyone

Relationships with people you trust can change, and someone you trust may inadvertently reveal your password or perhaps get hacked if you let them use your password on their system.

4. Don’t use terms reflecting things people know about you

Passwords should not include easy-to-guess personal information, such as the names of family members. Also apply this approach to the security answers you give for retrieving forgotten passwords.

3. Avoid things hackers can guess

Stay away from using the same character more than three times and don’t include more than three sequential characters as they appear on keyboards. Also, avoid actual words and slang/jargon terms.

2. Change them periodically

Change each password as often as the value of what you’re protecting dictates. Set up reminders to change regularly.

1. Go beyond the minimum

Be sure all your passwords are at least eight alphanumeric characters long, using a combination of upper- and lowercase letters, numbers and punctuation, e.g. !@#$%^&()_~-`{}".'
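Items 1 and 3 above are rules a system can check mechanically when a user picks a password. The checker below is an added example, not part of the original article: it applies the minimum length and the four character classes from item 1, rejects a character repeated more than three times in a row (the reading of item 3 assumed here), rejects more than three consecutive keys from a keyboard row in either direction (the KEYBOARD_ROWS table is an assumption; the article only says “as they appear on keyboards”), and rejects embedded dictionary words, with the tiny WORDLIST standing in for a real wordlist. The article’s own sample passwords serve as inputs.

```python
"""
Password policy checker for the rules in the list above. Added example.
"""
import re
import string

# Keyboard rows used to detect runs such as "qwer" or "7890" (assumed table).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MAX_RUN = 3  # the article's limit for both repeated and sequential characters

# Tiny stand-in for a real dictionary/wordlist; constructed for the example.
WORDLIST = {"password", "welcome", "patriots", "newyork", "summer", "letmein"}


def has_repeated_run(pw, limit=MAX_RUN):
    """True if some character appears more than `limit` times in a row, e.g. 'aaaa'."""
    return re.search(r"(.)\1{%d,}" % limit, pw) is not None


def has_keyboard_run(pw, limit=MAX_RUN):
    """True if more than `limit` consecutive characters follow a keyboard row,
    forwards ('asdf') or backwards ('poiu'); case-insensitive."""
    low = pw.lower()
    n = limit + 1
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def contains_word(pw, wordlist=WORDLIST, min_len=4):
    """True if a dictionary word of at least min_len letters is embedded (case-insensitive)."""
    low = pw.lower()
    return any(w in low for w in wordlist if len(w) >= min_len)


def check_password(pw):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    if has_repeated_run(pw):
        problems.append("a character repeated more than 3 times in a row")
    if has_keyboard_run(pw):
        problems.append("more than 3 sequential keyboard characters")
    if contains_word(pw):
        problems.append("contains a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ["12=PwtSB!", "!Kr0y-W3n$", "qwerty123", "Patriots2014!"]:
        verdict = check_password(candidate)
        print("%-15s %s" % (candidate, "OK" if not verdict else "; ".join(verdict)))
```

Returning the full list of violations rather than a single pass/fail lets the enrolment form tell the user exactly which rule to fix; the word check is the one that benefits most from a real wordlist, since the constructed WORDLIST here is only six entries.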

 

By Michelle Drolet, founder and CEO, Towerwall
Special to Worcester Business Journal

This article was recently published in Worcester Business Journal