Tag Archives: mobile

Security Challenges and Strategies with the Use of Mobile Devices

Recently, I have been reading about the security challenges many organizations are facing with regard to the use of mobile devices in their networks, and the various security strategies they can implement.

Use of mobile devices for business is growing at an exponential rate. This also increases the need for wirelessly-accessible peripherals, and exposure to new mobile applications. This is forcing IT departments to reassess their entire mobile security strategy and architecture. 

As more mobile devices access the corporate network, the risk of data loss, leakage of valuable intellectual property, and exposure to vulnerabilities (viruses/malware) increases significantly.

So how do you plan a successful mobile security strategy?  Below are some points to consider:

  1. Determine your mobility requirements. Who are the mobile employees, and what IT resources do they need access to when they are mobile (e.g. corporate email, calendars/contacts, corporate applications)?
  2. Establish corporate rules that give the appropriate employees access to the necessary data and resources on their devices (crucial for productivity), while at the same time ensuring that this data is restricted on the device and can be wiped when required (crucial for security).
  3. With the constant influx of new mobile devices and platforms in the market, it is very important to decide on what devices and operating systems should be supported based on the security capabilities of these platforms.
  4. Decide whether these devices will be owned by the company or if employees will pay for their own devices (BYOD), while taking privacy and legal implications into account.
  5. Define acceptable use policies and identify security control requirements (e.g. password complexity, encryption, application control).
  6. Identify the additional technology required to enforce these security policies (e.g. MDM, DLP, encryption, authentication).
  7. Create a training & awareness program for the employees, and ensure your support staff is prepared.

If you have any questions or require assistance in planning and designing your mobile security strategy, please contact your NCI rep today.

Ravish Shah

Pay Attention!

Preying on quick decisions…pay attention!

I was travelling recently to our nation’s capital for a security conference (there’ll be another article on this topic) and most of my communication was through my mobile device. I was quickly scanning my emails when the following LinkedIn invitation came through:

Most enterprise organizations have fairly sophisticated email filters today, but the odd phishing or malware-link-infested message does find its way through. When I receive a suspicious email, I typically look at the telltale signs of a fraudulent email: do I know the sender, who is it being sent to, do I recognize the organization. As you can see from the screenshot above, all of the basic checks passed. Our security awareness training teaches people to hover over the links to see where you’re actually connecting to. However, on a mobile device it’s not quite as easy: with all our fancy touch screens it’s sometimes difficult to select a hyperlink and browse the final destination. I was able to determine the final destination of the hyperlink via my handheld, but it made me wonder: would other people be so diligent?

Remember the good old days when some prince in Africa wanted to transfer funds, the email body was written in horrible English, and the sender was some bizarre fellow with a name you’d never heard of? Today’s email phishing attacks and malware-link-laden emails are getting quite sophisticated. Pay attention: you never know when an email such as this will find its way into your inbox.

Eugene Ng 
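One way to automate the "where does this link actually go" check described in the post above, as an added example that is not part of the original post: it parses the anchors of a constructed sample HTML message and flags any link whose visible text names a different site than the one its href really leads to. The sample message and its domains are made up for illustration.

```python
"""Added example, not from the original post: flag links in an HTML email
whose visible text names one site while the href actually goes to another."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (domains are made up, not real indicators):
# it reads like a LinkedIn invitation, but the invite link leaves linkedin.com.
SAMPLE_HTML = """
<p>You have a new invitation.</p>
<a href="https://www.linkedin.com/">linkedin.com</a>
<a href="http://invite-accept.example.net/x">https://www.linkedin.com/invite</a>
<a href="http://invite-accept.example.net/y">Accept invitation</a>
"""

def registrable_domain(host):
    """Crude site name: the last two labels of a hostname (e.g. linkedin.com)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (shown_text, href) pairs whose displayed URL or domain belongs to
    a different site than the one the href really leads to."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
        if not shown:
            continue  # plain wording ("Accept invitation") has no domain to compare
        if registrable_domain(shown.group(1)) != registrable_domain(urlparse(href).hostname):
            flagged.append((text, href))
    return flagged
```

A link whose text is plain wording cannot be judged this way; for those, the only reliable check is still to read the real href before tapping.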


(ISC)² Security Congress 2011

The congress was held Sept 19-22 at the Orange County Convention Center in Orlando. This was (ISC)²’s first annual Security Congress, hopefully not the last! It was co-located with ASIS International’s 57th annual seminar and exhibits, a move that recognizes the convergence of physical and information security.

After attending this congress, I realized how big the physical security world is. To give you the numbers, there were 280 attendees from (ISC)² versus 20,000 from ASIS, and 700 exhibitors, enough for a crowd that size to visit.

There were 3 one-hour educational sessions per day, with about 25 topics to choose from for each session.

What were they talking about?

The 3 topics that were heard, discussed, and debated in almost every session (among the 10 or so (ISC)² sessions that I attended) were:

  1. Cloud Security
  2. Mobile Device Security
  3. Social Media

The trend and the focus for the information security industry in the next couple of years will be on addressing the above 3 topics with policies, regulations, products, and services. Below I’ll expand a little on why each area is attractive and what the security risks are.

1. Cloud Security

Why cloud? – Flexibility and scalability, cost savings, availability and disaster recovery

Threats? – Data loss/leakage, abuse of cloud, account/service hijacking, shared technology

What to do? – Like any other technology, cloud has risks associated with its benefits. All the classic principles of information security should be applied to it, with security in mind from the design/architecture phase. Have an incident response plan. Consider private/community/public/hybrid cloud options.

2. Mobile Device Security

Why mobile devices? – Business rewards (response time, availability, flexibility), employee experience (ubiquitous mobile devices, employee owned), executive adoption

Threats? – Data loss/leakage, employee privacy concerns, compromise of corporate network from mobile device

What to do? – Look into device ownership (= liability) issues, have a corporate and a personal mobile device use policy, provide training to go along with that policy, and harden mobile devices.

3. Social Media

Why social media? – It’s ubiquitous and unavoidable, it is the basis for Web 2.0, it has great potential to be used as a marketing and customer communication tool for the enterprise

Threats? – Faster spread of malware through the ‘trust’ factor, phishing attacks, worms, shortened URLs, Evil Twin attacks, session hijacking, identity theft, all leading to information leaks and corporate liability issues

What to do? – Social media use policy (AUP), education and awareness, use of content filtering and DLP products to control traffic to and from social media sites

Some interesting notes:

  • Security is not about security, it’s about risk management
  • What is the perimeter of your network? It’s the end user!
  • A smartphone on your network should not be treated ANY differently from any other computer on your network
  • 1 out of 5 tweets names a product brand
  • Facebook mobile users are 50% more active than other users of the site
  • Sources of social media risk include: clients, employees, vendors, competitors, activists, and cyber criminals

Some interesting links:

Some interesting speakers:

  • Jeb Bush, Former Governor of Florida
  • Vicente Fox, former president of Mexico
  • Burt Rutan, designer of SpaceShipOne
  • Janet Napolitano, US DHS Secretary
  • Winn Schwartau, celebrity and power thinker on security/privacy/infowar/cyber-terrorism
  • Charlie Blanchard, Manager of Security & Privacy Services, Deloitte & Touche LLP
  • Simon Hunt, VP and CTO, Endpoint Security, McAfee
  • Shayne Bates, Director Security Cloud Strategy, Microsoft Global Security
  • James Hewitt, Director of Security Governance, CGI Federal

Vahid A.


Mobile Revolution – It’s here!!!

I read an article called “Quest for 50 billion connections” from the CNS magazine dated January/February 2011 by Paul Barker.

The article focused on what’s referred to as LTE (Long Term Evolution). It discussed Ericsson’s acquisition of Nortel’s Code Division Multiple Access (CDMA) and LTE business, which was very positive since Ericsson kept the people from Nortel to continue driving this innovation. It was nice to hear something good come out of the unfortunate circumstances of Nortel and its employees.

I wanted to focus on LTE and what kind of impact it would have in our daily life.