Identity and Access Management – All access pass

An SC Magazine eBook Publication – Identity Access Management, by Karen Epper Hoffman, October 2015

Security executives are looking beyond basic user name and password to secure access to the enterprise, which is becoming more complicated with remote access, cloud services and personal devices.

Knowing who is on your network and able to access your information and resources is arguably the basic foundation on which good enterprise security is built. Conversely, if that foundation starts to crack, the whole enterprise security structure comes crashing down.

While identity management has come a long way in recent years, the challenge of detecting and protecting identity and authenticating users is becoming increasingly complex as informational assets are moved into the cloud and employees become more dispersed. There is little doubt that password hygiene and user awareness around security issues among user groups of all kinds is incomplete and insufficient. And, with so many ways to crack the code designed to keep them out, cyberthieves have grown adept at finding what they need to gain access without the victim recognizing the compromise.

Paul Hill, a senior consultant at SystemExperts, a Sudbury, Mass.-based IT security consulting firm, says that at the heart of many of these transitions is a move away from dependence on passwords and toward multifactor authentication through biometrics, cards, tokens or other means of identification. This often flies in the face of what is most convenient, familiar and frictionless for the user, he says, and can lead to pushback or frustration from employees who do not understand the depth of the security issues and who may be concerned about the privacy implications of biometrics.

To download and read the full report on Managing IAM, click here.



Data Loss Prevention (DLP) Technology is Maturing along with Customer Expectations

The following post on DLP is the combined effort of Joe Clapp and Paul Hill in response to a media query asking experts to weigh in on where they see the data loss prevention market going in 2016 and beyond.

The July 2015 Gartner Hype Cycle for Data Security indicates that Data Loss Prevention (DLP) has passed the “Trough of Disillusionment” after being over-hyped and has entered the “Slope of Enlightenment.” This indicates that the technology is maturing and customer expectations are maturing as well.

In 2016, businesses should expect underwriters that provide data loss insurance to require covered entities to have DLP in place in order to maintain coverage. A successful implementation of DLP requires organizations to know where protected data resides. Commonly, organizations know where data “should” be but rarely know with certainty. There is software available to aid organizations in identifying rogue data and rogue data types. Examples include BeyondTrust Retina, Identity Finder, and Encase CyberSecurity, each of which actively audits your environment to identify structured data. Once the data is identified, it can be disposed of or appropriate controls can be put in place.

For customers handling structured regulated data such as SSNs and credit card numbers, DLP can be an important tool if existing processes and technologies allow potential mishandling. For example, if users have the ability to store such data on local disks or USB drives, even though policies prohibit that behavior, using DLP tools to identify where such data is being stored is a recommended practice.

Similarly, if employees have the ability to copy such data into email messages, implementing DLP to scan outgoing messages is recommended.

Microsoft’s Outlook 365 offers DLP for outgoing email; however, that option is only available under some subscription plans that are more expensive than the most basic offering.

Potential customers should expect more SaaS providers to offer DLP as a service plan option during the next year.

Unfortunately, DLP tools remain most effective when identifying structured data. Identifying rogue data and improper disclosure remains a difficult problem when dealing with unstructured data. To be effective, people with insight into the data, the business processes, and the tools will need to spend time tuning detection rules, whichever tool is selected.
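As an added example (not from the SystemExperts post and not the code of any product it names), here is a small Python scanner for the two kinds of structured regulated data the post mentions, SSNs and credit card numbers, run over a constructed e-mail body. It shows why structured data is the easy case for DLP (a pattern plus a checksum is enough) and what "tuning detection rules" means in practice: the SSN structural rules and the Luhn checksum are what keep a look-alike tracking number and an order reference out of the findings. All sample values are made up; the card number is the widely published Visa test number.

```python
import re
from typing import Dict, List

# Constructed sample: a fake outgoing e-mail body. The SSN and order/tracking
# values are invented; 4111 1111 1111 1111 is the standard Visa test number.
SAMPLE_EMAIL = """Hi Dana,
Please process the refund for customer 219-09-9999 to card 4111 1111 1111 1111.
Order reference 1234 5678 9012 3456, shipped via tracking 000-12-3456.
Thanks"""

# SSN pattern with the SSA structural rules: area is never 000, 666 or 9xx,
# group is never 00, serial is never 0000. The lookarounds stop the pattern
# from matching inside a longer digit run. These rules are the "tuning" that
# keeps look-alike reference numbers (e.g. 000-12-3456) out of the findings.
SSN_RE = re.compile(
    r"(?<![\d-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])"
)

# Card-number candidates: 13 to 19 digits, optionally separated by spaces or
# dashes. On its own this is a noisy rule; the Luhn check below refines it.
CARD_CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> List[str]:
    """SSN-shaped values that also satisfy the SSA structural rules."""
    return SSN_RE.findall(text)


def find_card_candidates(text: str) -> List[str]:
    """Untuned rule: every 13-19 digit run, separators removed."""
    return [re.sub(r"[ -]", "", m) for m in CARD_CANDIDATE_RE.findall(text)]


def find_card_numbers(text: str) -> List[str]:
    """Tuned rule: candidates that also pass the Luhn checksum."""
    return [c for c in find_card_candidates(text) if luhn_valid(c)]


def mask(value: str) -> str:
    """Replace every digit except the last four with '*', keeping separators,
    so a DLP alert can be reviewed without re-exposing the data."""
    total = sum(ch.isdigit() for ch in value)
    seen = 0
    out = []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def scan(text: str) -> List[Dict[str, str]]:
    """Run both detectors and return masked findings for review."""
    findings = []
    for ssn in find_ssns(text):
        findings.append({"type": "SSN", "value": mask(ssn)})
    for card in find_card_numbers(text):
        findings.append({"type": "CARD", "value": mask(card)})
    return findings


if __name__ == "__main__":
    print("untuned card candidates:", find_card_candidates(SAMPLE_EMAIL))
    print("after Luhn tuning:       ", find_card_numbers(SAMPLE_EMAIL))
    for f in scan(SAMPLE_EMAIL):
        print(f"{f['type']}: {f['value']}")
```

The untuned card rule flags two 16-digit runs in the sample; only one survives the Luhn check, and the 000-prefixed tracking number never matches the SSN rule. That gap between the raw pattern and the tuned rule is exactly the work the post says has to be done by people who know the data, and it is the part that does not carry over to unstructured data, where there is no checksum or fixed shape to tune against.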

Hacking your back pocket

by Sue Poremba, security and technology writer, Central Desktop, a PGi company, October 27, 2015

Convenient, but vulnerable

There are two primary reasons why your smartphone is more likely to be hacked than other devices, according to Paul Hill, senior consultant with SystemExperts: the physical security of the devices and the use of untrustworthy networks.

“Mobile devices are more likely to be physically accessible to an attacker because the devices are not always within the security perimeter of company offices or data centers,” Hill explained. “Since the devices are taken out of the office, they are more likely to be stolen, lost, or accessed by an unauthorized individual if left unattended.”

As for the problem with untrustworthy networks, users tend to forget how easy it is for hackers to eavesdrop on unencrypted traffic. “If a user of mobile devices uses any unsecure protocols while the network is being monitored by a third party, account names, passwords, or any confidential data will be revealed to the eavesdropper,” said Hill.

In addition, Hill added, a compromised or hostile host on an untrustworthy network could send packets to devices on the local network and seek to discover known vulnerabilities on the mobile device, and then exploit the discovered vulnerability by sending the correct packets.

The cost of free WiFi

The very nature of mobile computing exposes more vulnerabilities than it hides, which increases the risk of an attack. There has been an increase in attack vectors that are unique to mobile devices, all of which are susceptible because users aren’t thinking about security in the same way they would on a traditional computer.

Take the problem of rogue infrastructure, for instance. Rogue infrastructure is unique to mobile devices and did not previously threaten the enterprise because end users stayed within the confines of the protected network, said Michael J. Covington, Senior Director of Product Management for Wandera, which develops mobile security solutions. As users began to connect to corporate resources from outside that perimeter, threats had more direct access to the network and its data, largely because users aren’t taking the precautions to avoid untrustworthy situations. They continue to use open WiFi sources with zero authentication.

Apps have become so ubiquitous that it is easy to overlook basic security precautions before downloading. Also, users have been repeatedly told that apps downloaded from the App Store, Google Play or a similar trusted source are safe. However, we’re beginning to see that this isn’t always the case.

To read the full article click here.

Exciting Opportunities at SystemExperts

This is not a typical blog from us where we discuss security issues and solutions, but rather a post letting you know about two exciting positions now available on our team. If you are interested in applying, please contact us at SystemExperts.

Information Security Compliance Consultant

We are looking for an IT security/compliance consultant to assist in the performance of a wide variety of IT security compliance engagements, including but not limited to those using ISO 27001/2, HIPAA, and the Payment Card Industry Data Security Standard. Key skills include the ability to:

  • Understand enterprise environments, ranging from Small-Medium Businesses (SMB) to large complex environments
  • Analyze administrative, physical, and technical security controls, based on risk
  • Speak English at an advanced level
  • Develop size-appropriate recommendations for identified security gaps, based on industry best practices
  • Produce well written and highly detailed reports
  • Write comprehensive information security documentation (i.e., policies, standards, guidelines, procedures)
  • Perform other security-related engagements, including security architecture reviews, network/web application vulnerability testing, and other ad hoc security consulting services

The ideal candidate will have at least 3 years of security experience, a relevant college degree and pertinent professional credentials (e.g., CISSP), and be comfortable writing documents and capturing the details of interactive technical discussions with security professionals in Fortune 500 companies. The ideal candidate will be self-motivated and:

  • Comfortable with up to 40% travel
  • Capable of working independently from a home office

Application Security Penetration Tester

We are looking for an application security penetration tester to perform application vulnerability testing and security source code reviews. Key skills include knowledge of (and ideally penetration testing experience with) JavaScript, Java, JSP, Objective C, Oracle, MS SQL Server, and Web Services including RESTful services, as well as familiarity with Windows, OS/X and Linux environments. Proficiency in mobile testing, in both the iOS and Android environments and including use of the appropriate developer tools, is a strong plus. The applicant must also be knowledgeable about network-oriented issues in TCP/IP environments as well as database concepts. Familiarity with common testing tools such as Burp and Wireshark is a requirement; knowledge of other tools such as HP WebInspect and IBM Rational is a plus.

We require that the candidate have 1 to 3 years of security experience, a relevant college degree, and be comfortable writing documents and having interactive technical discussions with security professionals in Fortune 500 companies. The ideal candidate will be self-motivated, capable of working productively and independently at a client site or home office, and be located near Philadelphia.