Security Risks Created by Emerging Technologies

In a recent Q&A session, Joe Clapp and I were asked to address the security risks that continuing technological change in the cloud data center poses. Following are our responses covering the most common risks associated with cloud data center change and our recommendations on how to safeguard data in light of them.

Data and data handling needs created by emerging technologies

I would encourage IT managers and executives not to shy away from emerging big data technologies as long as their organization adheres to basic data handling tenets such as the following:

  • Keep up-to-date inventories of the data they are responsible for. Know where the data exists, who owns it, who has access, and what type of data it is (Financial, Health, or Corporate Confidential).
  • Follow regulations regarding data disposal. If no regulatory requirement exists, make a corporate policy and follow it. By disposing of the data you no longer need you will lower your corporate exposure.
  • Mandate access controls for all data and keep the access logs in a separate data warehouse, outside the reach of the people whose access they record.

Big data growth itself, which makes data centers an ever more attractive target

As evidenced by the Office of Personnel Management (OPM) breach, large data aggregations are an attractive target for both state sponsored attackers and cybercriminals. High profile breaches are helping to drive organizations to encrypt data at rest.

As organizations develop an understanding of how easy it can be to re-identify individuals when someone has access to multiple disparate data sets, it becomes clear that it is important to encrypt not only critical ID numbers, but also data that has traditionally been considered less sensitive, such as ZIP code, date of birth and sex.
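The linkage attack the paragraph above describes, as an added example that is not part of the original post. Two constructed data sets are joined on ZIP code, date of birth and sex: a "de-identified" health extract with names and ID numbers removed, and a second list (a voter roll, a marketing file, a breach dump) that still carries names. The join re-identifies every health row whose quasi-identifier tuple is unique in the second list, and shows how generalizing those "less sensitive" fields breaks the link. Every record, name and value here is invented.

```go
package main

import (
	"fmt"
	"sort"
)

// QuasiID holds fields that look harmless on their own but, taken together,
// single out most individuals. None of them is an "ID number".
type QuasiID struct {
	Zip string // 5-digit ZIP code
	DOB string // YYYY-MM-DD
	Sex string // "F" or "M"
}

// HealthRecord is a row from a "de-identified" extract: name and account
// number removed, quasi-identifiers kept because they seemed less sensitive.
type HealthRecord struct {
	QuasiID
	Diagnosis string
}

// PublicRecord is a row from a separately obtained list that still carries
// names alongside the same fields.
type PublicRecord struct {
	QuasiID
	Name string
}

// Constructed sample data; every person and value is invented.
var Health = []HealthRecord{
	{QuasiID{"02138", "1965-07-14", "F"}, "hypertension"},
	{QuasiID{"02138", "1972-03-02", "M"}, "diabetes"},
	{QuasiID{"02139", "1980-11-30", "F"}, "asthma"},
}

var Public = []PublicRecord{
	{QuasiID{"02138", "1965-07-14", "F"}, "Alice Example"},
	{QuasiID{"02141", "1965-02-20", "F"}, "Anna Example"},
	{QuasiID{"02138", "1972-03-02", "M"}, "Bob Example"},
	{QuasiID{"02138", "1972-03-02", "M"}, "Brian Example"}, // shares every field with Bob
	{QuasiID{"02139", "1980-11-30", "F"}, "Carol Example"},
	{QuasiID{"02140", "1980-05-05", "F"}, "Cathy Example"},
}

// Generalize coarsens the quasi-identifiers (3-digit ZIP, birth year only),
// the kind of k-anonymity step that makes the join below ambiguous.
func Generalize(q QuasiID) QuasiID {
	return QuasiID{Zip: q.Zip[:3], DOB: q.DOB[:4], Sex: q.Sex}
}

// Link joins the two sets on the quasi-identifier tuple, after applying gen
// (nil means use the fields as stored) to both sides. A health row is
// re-identified only when exactly one public record matches; with two or more
// candidates the attacker has a shortlist, not a name.
func Link(h []HealthRecord, p []PublicRecord, gen func(QuasiID) QuasiID) map[string]string {
	if gen == nil {
		gen = func(q QuasiID) QuasiID { return q }
	}
	candidates := map[QuasiID][]string{}
	for _, r := range p {
		k := gen(r.QuasiID)
		candidates[k] = append(candidates[k], r.Name)
	}
	linked := map[string]string{}
	for _, r := range h {
		if names := candidates[gen(r.QuasiID)]; len(names) == 1 {
			linked[names[0]] = r.Diagnosis
		}
	}
	return linked
}

func main() {
	for _, run := range []struct {
		label string
		gen   func(QuasiID) QuasiID
	}{{"as stored", nil}, {"generalized", Generalize}} {
		linked := Link(Health, Public, run.gen)
		names := make([]string, 0, len(linked))
		for n := range linked {
			names = append(names, n+": "+linked[n])
		}
		sort.Strings(names)
		fmt.Printf("%-11s re-identified %d of %d rows %v\n", run.label, len(linked), len(Health), names)
	}
}
```

Bob is protected only because a second man with the same ZIP, birth date and sex happens to be in the public list; Alice and Carol are not. The generalized join leaves every tuple with at least two candidates, which is exactly why those fields need the same protection as the ID numbers.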

On the other hand, big data analysts would prefer to avoid encrypting data at rest. The decryption required to perform analysis imposes a significant performance cost when dealing with very large data sets. To optimize performance it is also important to understand how the data will be queried, in order to know which fields must be indexed. That requirement runs counter to big data projects that are trying to discover new, as yet unknown correlations.

The Agile Data Center

The biggest security challenge for organizations adopting the agile data center approach is to establish and maintain good IT governance. While delivering an elastic infrastructure (or, less charitably, instant gratification), organizations still need to maintain good security controls. The controls are not new. For example, organizations need governance in place to decide when changes warrant additional penetration testing before deployment to production.

There are also challenges in establishing proper baselines to ensure that SIEM, IDS, and IPS systems are functioning correctly. Ensuring that all real incidents are reported and that false positives are kept to a minimum is hard when resources can be dialed up and down on demand, because the baseline itself keeps moving.

Adapting to IoT

Many IoT devices are initially designed for the consumer market, but IT departments need to be prepared for users demanding or deploying the devices in the enterprise. So far, IoT has a poor security record. Few companies creating the devices appear to have thought through all the threats or considered the risks to customers faced with determined attackers.

For IT departments, IoT devices usually cannot be made to conform to existing secure build standards. IT departments are unable to install inventory agents on the devices, and have difficulty learning what known vulnerabilities may be present. For example, does the device contain a vulnerable version of bash? Does it contain an outdated version of OpenSSL?

IoT should cause more organizations to deploy Network Access Control (NAC), and will also likely motivate more organizations to perform frequent internal vulnerability scans using products like Nessus and QualysGuard.

Securing Data Backups – On-site and in the Cloud

The security of backups is multifaceted. Factors to be considered include encryption at rest, encryption during transmission if applicable, security of shipping if applicable, physical security, environmental controls to prevent damage, and record keeping to prevent loss and to ensure that data is destroyed once the retention period has expired.

In situations where confidentiality is of importance, backups should be protected by means of encryption to prevent information disclosure. Encryption by itself does not guarantee integrity: with an unauthenticated mode such as AES-CBC or AES-CTR, a modified backup file decrypts without any error into corrupted data, and an attacker who knows the layout of the plaintext can even make controlled changes without knowing the key. Tampering is detected reliably only when an authenticated mode such as AES-GCM is used, or a separate MAC over the ciphertext is verified before restoration, so that a damaged or edited backup is rejected rather than silently restored. The best policy is to encrypt all backups with authentication, and require that exceptions have a documented, approved justification.

The encryption of backups should use well-established algorithms and modes, such as AES-256 in an authenticated mode (GCM). Backup products that do not disclose what encryption algorithm and mode are being used should be avoided.

By their very nature, passwords used to protect backups tend to be used for a long time. If you force the passwords to be changed frequently, the backups would have to be decrypted at the time of each password change and re-encrypted using the new password. Hence organizations will often use a backup password for at least a year. Because of this, backup passwords or passphrases should be long enough and complex enough to resist offline brute force and dictionary attacks, and the backup product should turn the passphrase into the encryption key with a slow, salted key derivation function (PBKDF2 or similar) rather than using it directly, so that each guess is expensive. Ten characters or more are recommended; a passphrase of several unrelated words is better still.
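An added example, not from the original post, of what the preceding three paragraphs ask for: a backup sealed with AES-256-GCM under a key derived from a long passphrase with PBKDF2, together with the contrast the integrity point depends on. Opening a backup whose stored bytes have been altered fails with an authentication error, whereas the same one-bit change against an unauthenticated AES-CTR ciphertext decrypts without error to changed data. The file layout (salt, nonce, ciphertext, tag), the iteration count, the passphrase and the payload are assumptions; the PBKDF2 routine is written out so that the program uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	saltLen, nonceLen, tagLen = 16, 12, 16
	keyLen                    = 32      // AES-256
	kdfRounds                 = 100_000 // PBKDF2 iterations (assumption; raise as hardware allows)
)

var ErrTampered = errors.New("backup failed authentication: modified, truncated, or wrong passphrase")

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA-256, written out so the example needs only the standard library.
func pbkdf2SHA256(passphrase, salt []byte, rounds, size int) []byte {
	var out []byte
	for block := uint32(1); len(out) < size; block++ {
		mac := hmac.New(sha256.New, passphrase)
		mac.Write(salt)
		binary.Write(mac, binary.BigEndian, block)
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < rounds; i++ { // each offline guess costs this many HMACs
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:size]
}

func gcmFor(passphrase string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfRounds, keyLen)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// SealBackup returns salt || nonce || ciphertext || tag. The tag covers the ciphertext and the header.
func SealBackup(passphrase string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := io.ReadFull(rand.Reader, header); err != nil {
		return nil, err
	}
	gcm := gcmFor(passphrase, header[:saltLen])
	nonce := append([]byte(nil), header[saltLen:]...) // copies: Seal's dst must not alias its inputs
	return gcm.Seal(header, nonce, plaintext, append([]byte(nil), header...)), nil
}

// OpenBackup verifies the tag before returning any plaintext; a corrupted or edited backup never restores.
func OpenBackup(passphrase string, sealed []byte) ([]byte, error) {
	if len(sealed) < saltLen+nonceLen+tagLen {
		return nil, ErrTampered
	}
	header := sealed[:saltLen+nonceLen]
	plaintext, err := gcmFor(passphrase, header[:saltLen]).Open(nil, header[saltLen:], sealed[saltLen+nonceLen:], header)
	if err != nil {
		return nil, ErrTampered
	}
	return plaintext, nil
}

// UnauthenticatedTamper is the contrast: AES-256-CTR with no MAC. One flipped ciphertext
// bit "restores" without error as amount=900. Zero key and IV are placeholders only.
func UnauthenticatedTamper() string {
	key, iv := make([]byte, keyLen), make([]byte, aes.BlockSize)
	ctr := func(in []byte) []byte {
		block, _ := aes.NewCipher(key)
		out := make([]byte, len(in))
		cipher.NewCTR(block, iv).XORKeyStream(out, in)
		return out
	}
	ct := ctr([]byte("amount=100"))
	ct[7] ^= '1' ^ '9' // known-plaintext bit flip; no key needed
	return string(ctr(ct))
}

func main() {
	sealed, err := SealBackup("correct horse battery staple", []byte("constructed backup payload"))
	if err != nil {
		panic(err)
	}
	sealed[saltLen+nonceLen+3] ^= 0x80 // one flipped bit in the stored ciphertext
	_, err = OpenBackup("correct horse battery staple", sealed)
	fmt.Println("tampered GCM backup:", err)
	fmt.Println("tampered CTR-only data restores as:", UnauthenticatedTamper())
}
```

The same OpenBackup check protects the transmission channel: a backup altered or truncated in transit to a cloud store fails authentication on arrival instead of being discovered to be unrestorable months later. Rotating the passphrase still means re-sealing every backup, which is why the passphrase has to be strong enough to keep for a year.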

Backup media and systems should be regularly tested to ensure that they can be relied upon for emergency use when necessary; this should be combined with a test of the restoration procedures and checked against the required restoration time. Testing the ability to restore backed-up data should be performed onto dedicated test media, not by overwriting the original media, in case the backup or restoration process fails and causes irreparable data damage or loss.

Backups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site. This is a strong motivation for using cloud based backup solutions. When using cloud based storage, the transmission channel should be encrypted and authenticated, both to prevent eavesdroppers from making a copy during transmission and to provide integrity protection. Without the integrity protection, a malicious person might be able to damage the data during transmission, resulting in an inability to restore the data when it is finally needed.

When storing backup data offsite, companies should perform due diligence to ensure that the storage facility provides appropriate levels of physical security and environmental protections. If physical media is being shipped to a remote site, a bonded courier should be used to ensure safe delivery of the media. 

The frequency and type of backup (e.g. full or differential) should be based on the business requirements for the information. Accurate and complete records of the backup copies and a documented restoration procedure should be maintained and kept up to date. Once data is older than the required retention period it should be deleted.

Addressing BitLocker and PCI-DSS 3.1 Usage

Inquiry: Earlier this month we received an email from Matthew Todd of Financial Engines, Inc. that said, “Back in 2011, Phil Cox (SystemExperts) wrote some guidance on using Windows BitLocker to meet PCI-DSS requirements. PCI-DSS has been updated since then, and I’m curious if SE has updated guidance.”

Response: Section 3.4.1 of PCI-DSS version 3.1, dated April 2015, states, “If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.”

BitLocker has a number of configuration options, so the answer is not entirely simple or obvious.

One of the most common BitLocker configurations is often referred to as transparent operation mode. It requires no user interaction at boot. The volume encryption key is sealed to a Trusted Platform Module (TPM) version 1.2 or later; at startup the TPM releases the key only if the measured boot components have not changed, so the system boots normally and the user sees no prompt. Because the key is released by the TPM alone, anyone who can boot the machine obtains a decrypted volume.

In SystemExperts opinion, BitLocker transparent mode should not be used when attempting to be compliant with section 3.4.1 of PCI-DSS.

BitLocker can also be configured to require pre-boot authentication. With authentication enabled, a startup PIN can be set for the machine, and a USB storage device (a memory stick, not a smart card) can be used as a startup key. The BitLocker PIN or startup key has no link to the user's Windows credentials.

Unfortunately, the PIN will apply to the machine, not the user, so if more than one person uses a machine, the PIN would have to be shared with everyone that uses the machine. Sharing the PIN with multiple users would conflict with other PCI-DSS controls.

In our opinion, BitLocker in authenticated mode, on machines that are shared amongst multiple users, should not be used when attempting to be compliant with PCI-DSS version 3.1.

When using a PIN, the PIN has no expiration lifetime and there is no option to force a change of the PIN. This can be interpreted as non-compliant with the requirement to change passwords or passphrases at least every 90 days. In Windows 8 it is possible to allow non-administrators to change the PIN; in prior versions administrator or special privileges are needed.

We also believe, if BitLocker is used in authentication mode, and the PIN is not shared amongst multiple users, and the PIN is changed at least every 90 days, then its use may be deemed compliant with PCI-DSS 3.4.1.

Other PCI assessors might disagree with that opinion because BitLocker is included as part of the operating system distribution. However, since the PIN is not part of the local user account databases, nor does it rely on AD credentials, its use may be deemed acceptable with the caveats mentioned.

The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. When using BitLocker in authenticated mode, a PIN longer than 7 digits, combined with the TPM, is recommended.

9 common enterprise cybersecurity myths

Joe Stangarone, writer,  MRCs Cup of Joe Blog, August 4, 2015

Summary: Cyberattacks are more sophisticated and frequent than ever. The costs to recover from a data breach are now higher than ever. Yet many companies remain unprepared for an attack. Why? In many cases, they believe some common cybersecurity myths, which can put their data (and their customers' data) at risk.

Cyberattacks are on the rise. The problem is only growing worse.

How bad is it? The number of U.S. data breaches reached a record high in 2014, with 43% of companies experiencing a data breach. This year, that number is expected to rise.

How much does a breach harm a business? One study finds that the cost of a data breach has increased to $3.8 million–up from $3.5 million a year ago. This includes all aspects of a breach, like hiring experts to fix it, offering help to your customers, repairing your damaged reputation, and more.

The problem: Many companies are easy targets for a cyberattack, but don’t realize it. Some just don’t take security seriously. Others believe common security myths that place their data at risk.

What are these misconceptions? Today, let’s explore some of the most common myths and explain why they’re false.

Myth #1: We can’t get malware because we have antivirus

Like many consumers, some businesses place too much faith in antivirus software. The fact is, it cannot possibly protect your business from every type of malware.

Why not? Antivirus software protects you against KNOWN malware, identified by signatures and previously observed behavior. But security risks constantly evolve; new malware and new vulnerabilities emerge all the time. While antivirus software is important, you must understand that it is a reactive approach that cannot protect you from everything.

Myth #2: We are safe because we have a firewall

On a similar note, many businesses put far too much faith in their firewall. While firewalls are important, they are only the first line of defense. What happens if an attacker gets past your firewall? What happens if it is improperly configured or maintained? It could put your entire network at risk.

Myth #3: We’re not a target

Maybe your company doesn’t store sensitive data. Maybe you don’t have data that any hacker might want. Does this mean you’re not a security target? Not at all!

The fact is, every business is a target. Maybe they are not after your data. Maybe an attacker uses your vulnerabilities to attack the real target. Those who believe they aren't a target are actually better targets for attackers because they have weaker defenses.

Myth #4: If we haven’t yet been breached, our IT systems are secure

Why do some business leaders treat security as an afterthought? It’s usually because they’ve never experienced a data breach. They assume this means their systems are secure.

The problem with this assumption: Security constantly changes. Sure, you may be secure today, but what about tomorrow? As explained below, you must always be on guard.

The other problem with assuming your systems are secured because you haven’t experienced a breach: How can you know for sure? Not all breaches are obvious. In fact, the best attackers know how to enter and leave your systems without a trace.

Myth #5: Technology can fix our security issues

Imagine your business is a castle. You’ve built the strongest walls, added extra fortifications, and even created an alligator-filled moat. Your defense could not possibly get any better. Then, one of your soldiers leaves the drawbridge down and your enemy walks right through your front door.

This is a great analogy for the modern business. Many companies fortify their systems with the best security products. But, they lack a security plan. They don’t educate their users about proper security practices. Or, they give their users too much data access.

Am I saying that security technology is worthless? Not at all. In fact, it’s necessary. But, no amount of technology will protect you from uninformed users with too much access.

“The biggest single myth about cybersecurity is that the organizations will be safer if only they would deploy more security products,” says Jonathan Gossels, CEO of SystemExperts. “The best products in the world can’t keep you safe if you do not have an overall plan, a coherent architecture built on a comprehensive framework like ISO 27002, security policies to ensure appropriate behavior and handling of sensitive data, and a security-knowledgeable workforce. Technology is secondary – a distant second. 3 P’s – People, Policies, and a Plan matter most.”

Myth #6: Our developers are building secure applications

Let me ask you a question: Are your business applications secure? How do you know?

Many business leaders just assume their developers create secure applications. They check that their applications include the requested features and requirements, without giving thought to their security.

Here’s a statistic that might make you think twice about that approach: 96% of all web applications contain at least one “serious vulnerability.” These vulnerabilities open the door for attackers, and can lead to data loss, complete system takeovers, and much more.

This article sums up the problem nicely: We’re still fighting the same software security battles we fought a decade ago. Despite the importance of security, developers still deliver applications with known vulnerabilities. They’re making the same mistakes that were made 10 years ago.

Why? Why do businesses create insecure applications year after year? The truth is, the blame doesn’t completely fall on developers. In many ways, businesses bring it on themselves. Here are a few ways:

  • They provide no incentive for security: Peter Drucker is famously quoted as saying, “What is measured improves.” The problem for many developers: Security isn’t measured. Rather, they get rewarded for features and development speed…not security.
  • They impose short deadlines: As businesses place greater importance on application development speed, security suffers. Developers rush through the project—ensuring it meets all the business requirements. But, this often comes at the expense of proper security practices.
  • They treat security like a feature: Shortly after the healthcare.gov site went live, a “white hat” hacker testified on Capitol Hill that security was never properly built into the site. Many businesses struggle with this same problem. They treat security like any other feature that they can add to an application. The problem: Security isn’t something a developer can add at the end. You must build security into the application.

If you think about it, developers are placed in a no-win situation. They’re tasked with developing modern applications. They must keep up with ever-evolving application trends. They’re faced with tight deadlines. Unless the business can afford a dedicated security engineer, the developer is in charge of security as well. Are we at all surprised that application development security is suffering?

So, how can you fix this issue? As a business leader, you must make security a top-down effort. It must be something that is measured constantly. You must instill a “security culture.” Only then will it improve.

Myth #7: We passed our audit, so we are secure

Now, security audits are one way to measure security. But, many companies make the mistake of assuming a passed security audit equals security. As explained below, while audits are helpful, they don’t guarantee security.

The other myth companies believe about audits: It will give you better security. Some businesses believe that an auditor will come in and fix their broken systems or security habits.

Myth #8: Credit card compliant vendors make you PCI compliant

PCI compliance must always be an in-house priority. Unfortunately, many businesses wrongly believe that having a merchant services provider handle your credit card processing is all you need to be compliant. As explained below, you’ll still be held liable if customer data is stolen from your business.

Myth #9: Encryption is the key to security

Encryption is the process of encoding data in such a way that only authorized parties can read it. In plain terms, encryption scrambles the contents of a message or file. Only those with the encryption key can unscramble the contents and access the data.

However, some make the mistake of believing that implementing strong encryption is all they need to protect their data. The problem is, they focus so much on the encryption, but not on protecting the key.

To see what all the experts have to say go to: mrc’s Cup of Joe Blog.

Communicating the Data Security Risks of File Sharing & Cloud Storage

by Nate Lord, Digital Guardian, July 23, 2015

With more enterprises moving to the cloud and more employees using file sharing and cloud storage services in the course of conducting business, effective communication regarding the inherent security risks associated with cloud computing is imperative. Cloud applications enable employees to create, store, and control more data than ever before, but with these new capabilities comes increased risk to sensitive enterprise data. As a result, cloud adoption must be met with a heightened focus on extending data security measures to the cloud.

Effective cloud data protection begins with educating employees on the risks of sharing and storing information in the cloud. But how can companies best communicate these risks along with the appropriate security measures to mitigate them to employees in the modern cloud landscape? To find out how today’s security leaders are handling employee education surrounding data protection in the cloud, we asked business and security leaders to answer this question:

“How can companies effectively communicate the data security risks of cloud storage and file sharing to employees?”

Paul Hill

Paul Hill is a Senior Consultant at SystemExperts, an IT compliance and security consultancy, and works to provide clients with both strategic and practical guidance to build effective security organizations.

The best way to communicate the security risks of file sharing and cloud storage is…

All companies should have a security awareness training program in place to provide ongoing and recurring training of security-related issues to all employees. Some companies perform this by sending monthly emails, others require physical attendance at presentations, while the rest provide online video with post presentation evaluations.

All companies should also have an acceptable use policy (AUP) that covers a wide range of topics. Traditionally, AUPs have covered acceptable use of email and personal use of company computer systems. In recent years, most companies have updated AUPs to address such topics as social media, use of personally owned smart phones, tablets, the use of cloud storage, and file sharing services.

While all companies should also have a data classification and data handling policy, the reality is that fewer companies have such a policy in place. A data handling policy should tell users where they are allowed to store different types of company data, what protections are required, and what authorizations are necessary to use unlisted alternatives.

Good security awareness programs usually leverage recent incidents from around the world that have attracted media coverage. In 2014, a number of private images of celebrities were posted to the 4chan site. In at least one case, a celebrity had deleted the image from the phone before the image was stolen, but the image did not get automatically deleted from the cloud. It was determined that the photos had been stolen from the Apple iCloud system. Apple later confirmed that the images had come from iCloud, but that user accounts had been compromised rather than due to any specific security vulnerability in the iCloud service itself.

Using this type of example in a timely manner, as part of security awareness training, can be very effective. It may get employees asking questions and checking their configurations. When using these types of examples, they should serve as a starting point. The training should lead employees through thinking about the potential impact if corporate data were stored on the same or a similar system.

Another example that could be used during security awareness training is Dropbox, a very popular file sharing service. More than 2 years ago, Dropbox had a brief period of time during which anyone could access any file stored by Dropbox just by knowing the correct URL. That was a temporary situation, but it could have had devastating impact on companies if employees had stored sensitive data on Dropbox and it had been disclosed. It demonstrates the loss of user control when using these services. Users of these services are entirely dependent on the capabilities, competencies, and corporate goals of the third-party provider.

One of the biggest problems is that without training, employees often may not know where their data is being stored. Many mobile phone apps provide tight integration with a variety of cloud-based storage systems. In many cases, the app vendor, or phone vendor, may not provide adequate information to the users to make them aware of where the data is stored, who may access the data, how long it may be retained, or the security controls in place to protect the information.

Making employees aware of the risks and getting them to ask relevant questions is a critical component of good security.

To see what all the experts have to say go to Digital Guardian.

How to Avoid Bug Management Mistakes

I was recently asked to comment on some of the most common bug management mistakes enterprises make and how to avoid these issues. I have found that one of the most common mistakes is the failure to track vulnerabilities that have been deemed an acceptable risk and left unpatched.

There are many reasons why an organization may decide to postpone or prevent the deployment of a particular patch. It might be determined that the patch is not applicable to the current environment. The organization might have compensating controls already in place. In some cases, a patch might adversely impact the business functionality of applications. In the latter case, the organization may need to postpone deployment of a patch until the application vendor is also able to provide an update or a workaround.

When an organization decides to postpone the deployment of an update, it should track the decision as part of its overall risk assessment strategy. The tracking should include the overall risk rating, the reason for the delay, all compensating controls, and a schedule for when the risk will be reassessed.

There are several reasons for periodically revisiting the risk assessment of patches previously deemed acceptable. Network topologies change over time, so it is important to determine whether the compensating controls are still in place and effective. The exploitability of vulnerabilities also changes over time: when the vulnerability was first disclosed there may have been no known exploit, but an exploit may later be published and incorporated into malware, which invalidates the original risk rating.

When organizations fail to track the risk of undeployed patches over time, a large number of vulnerabilities may accrue, increasing the overall risk to the organization and creating a technical debt that can take a great deal of time and effort to reduce.

When breaches are analyzed, too often the initial foothold turns out to be a system missing a security patch that had been available for several years.

A slightly less common mistake occurs when an organization defines how quickly it will deploy patches deemed high severity, but does not define how quickly lower severity patches must be deployed. In such organizations the number of undeployed low severity patches grows over time to a point where the staff cannot catch up without impacting unrelated tasks.
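A register that implements the tracking described in this post, as an added example (not SystemExperts' tooling or a product). Each deferred patch records its severity, the reason, the compensating control and a reassessment date; a review pass flags stale decisions, patches past the deployment SLA for their severity, patches deferred with no control recorded, and any severity for which no SLA exists at all, which is the low severity mistake from the last paragraph. Patch names, dates and SLA values are constructed.

```go
package main

import (
	"fmt"
	"time"
)

type Severity string

const (
	Critical Severity = "critical"
	High     Severity = "high"
	Medium   Severity = "medium"
	Low      Severity = "low"
)

// DeploySLA is the maximum age, in days, a patch of each severity may reach
// before it must be deployed. Values are assumptions. Low is deliberately
// left out to reproduce the mistake described above; Review reports it.
var DeploySLA = map[Severity]int{Critical: 7, High: 30, Medium: 90}

// Deferral is one register entry: a patch the organization chose not to deploy yet.
type Deferral struct {
	Patch               string
	Severity            Severity
	Released            time.Time
	Reason              string
	CompensatingControl string
	ReassessBy          time.Time
	ExploitKnown        bool // updated when a public exploit appears
}

type Flag struct{ Patch, Why string }

func date(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }

// Register is constructed sample data; the patch names are placeholders.
var Register = []Deferral{
	{"PATCH-A", Critical, date(2015, 6, 1), "breaks legacy billing app", "host firewall blocks affected port", date(2015, 8, 1), false},
	{"PATCH-B", Low, date(2015, 1, 1), "judged not applicable", "", date(2015, 12, 1), false},
	{"PATCH-C", Medium, date(2015, 8, 15), "vendor workaround pending", "IPS signature deployed", date(2015, 11, 15), true},
}

// Review walks the register as of now and returns every condition that
// requires the risk decision to be revisited.
func Review(reg []Deferral, now time.Time) []Flag {
	var flags []Flag
	for _, d := range reg {
		if !now.Before(d.ReassessBy) {
			flags = append(flags, Flag{d.Patch, "reassessment date passed; the risk decision is stale"})
		}
		if d.ExploitKnown {
			flags = append(flags, Flag{d.Patch, "public exploit now exists; re-validate compensating controls"})
		}
		if d.CompensatingControl == "" {
			flags = append(flags, Flag{d.Patch, "deferred with no compensating control recorded"})
		}
		maxDays, ok := DeploySLA[d.Severity]
		if !ok {
			flags = append(flags, Flag{d.Patch, fmt.Sprintf("no deployment SLA defined for %s severity; backlog grows unbounded", d.Severity)})
			continue
		}
		if age := int(now.Sub(d.Released).Hours() / 24); age > maxDays {
			flags = append(flags, Flag{d.Patch, fmt.Sprintf("%d days old, past the %d-day SLA for %s", age, maxDays, d.Severity)})
		}
	}
	return flags
}

func main() {
	now := date(2015, 9, 1) // fixed so the output is reproducible; use time.Now() in practice
	for _, f := range Review(Register, now) {
		fmt.Printf("%-8s %s\n", f.Patch, f.Why)
	}
}
```

Run against the sample register on 1 September 2015 this reports five conditions: PATCH-A is both past its reassessment date and 92 days past a 7-day SLA, PATCH-B has no control recorded and belongs to a severity with no SLA, and PATCH-C needs its control re-validated because an exploit is now public.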

Device Settings that Help Prevent Unauthorized Information Disclosure

Following up on my recent post (“Always-on access, brings always threatening security risks”) I’d like to continue the conversation and discuss other device settings that help prevent unauthorized information disclosure.

Many organizations overlook the risks posed by Bluetooth. Bluetooth security has improved slowly over the years. When it first appeared many devices had a hard-coded PIN of 0000. The situation is slightly better now, but few users change the vendor-provided defaults. At the same time the capabilities and variety of Bluetooth profiles have greatly increased, leading to a number of potential risks that include using Bluetooth-enabled devices as remote listening devices, for file transfers, and even for remote control of other functions. Companies should cover Bluetooth risks and acceptable profiles in security awareness training as well as in AUPs.

One of the attractions of BYOD is that users often hope to escape the constraints of software provided by central IT departments and install a variety of applications that appear useful. Unfortunately, few users are likely to properly evaluate the risk of many popular phone or tablet apps. Increasingly, apps for mobile devices are integrated with consumer grade cloud services. This integration provides convenience to the user because data may be seamlessly synchronized to various cloud storage services. But the security controls may be inadequate to protect confidential information. As a side effect, companies may not be able to definitively determine where their data resides, or even delete the data if that becomes necessary.

Another problem associated with many mobile device apps is the geolocation and other user data collected that may be inadvertently shared with third parties. Many large financial service companies have detailed policies about what information may be shared via social media, because too much information disclosure may create a security risk, or even a regulatory violation. Apps that seamlessly collect data and post it may cause unauthorized information disclosures without an employee even realizing the information has been shared with third parties.

Mobile devices and especially BYOD can potentially greatly increase the costs and risks associated with eDiscovery. Mobile device eDiscovery may include a variety of services and data. The services or data may include:  email, text messages, call records, locations visited, locally stored data, data stored in the cloud, photos, web sites visited, and recorded conversations.

Lacking sufficient policies and signed forms, employees could seek damages for loss of personal data if the company deletes personal data stored on the device, or due to claims of repetitive stress injuries.

Companies should educate employees about the risks associated with and the acceptable uses of mobile devices, including BYOD devices. To address the risks SMBs should create policies, and where possible implement technical controls.

Companies should require employees to sign forms that acknowledge documented acceptable use practices, absolve the company of liabilities, and require the employee to notify the company in the event of device loss or disposal.

Companies should prohibit the use of:
– Jailbroken or rooted devices
– Operating systems and applications with known unpatched security vulnerabilities
– Public wireless networks without using a VPN
– Devices that do not require the use of a PIN or passphrase to gain access to applications
– Apps that require too broad a set of permissions
– Unapproved apps or app sources
– Devices that cannot be remotely wiped by the business
– Sharing of the device
– Unapproved cloud storage of company data
– Unapproved Bluetooth profiles

Companies should implement technical controls that provide:
– The requirement to use a PIN or passphrase to use the device
– The ability to remotely wipe the device
– Mobile Device Management that provides virtualization or sandboxing of corporate data and apps
– The ability to blacklist or whitelist specific applications
– The ability to prevent the use of a jailbroken or rooted device
– VPN access if access to the corporate network will be provided
– Network segregation of on-premise wireless networks

Always-on Access Brings Always-Threatening Security Risks

Always-on access to work for employees comes with always-threatening security risks

One of the controls that appears in ISO 27002, titled Information technology – Security techniques – Code of practice for information security management, suggests that limiting the period during which connections to computer services are allowed reduces the window of opportunity for unauthorized access. However, the current practice of BYOD, the always connected employee, and the wide availability of laptops mean that few organizations currently limit when employees may access systems or services.

The risks associated with mobile devices and BYOD can be grouped at a high level into a small number of buckets. These include:

  •    Information disclosure
  •    Malware vectors
  •    The cost of eDiscovery
  •    Liabilities due to damages to employees

Information disclosures can happen for a variety of reasons:

Email is one of the most common avenues for information disclosure.  It is a very convenient method for people to share information either within the body of the message or as an attachment. Some people use email as an ever growing file cabinet for documents. Without Data Leak/Loss Prevention (DLP) controls people can send confidential or sensitive information outside the company perimeter, either to a personal account or the account of someone at another company. DLP features may prevent certain types of information being sent via email, or limit the volume of information that may be sent.
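An added example of the DLP content check the paragraph refers to, not code from the original post. It scans an outbound message for payment card numbers and US Social Security numbers, using the Luhn check digit to avoid flagging order numbers and other 16-digit strings, and then applies a simple policy: block sensitive data addressed outside the company domain, and quarantine bulk sensitive data even when the recipient is internal, which is the volume limit the paragraph mentions. The corporate domain, the threshold, and the sample messages are constructed; the card and SSN values are test patterns.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Message is the minimum an outbound mail gateway sees before delivery.
type Message struct {
	From, To, Subject, Body string
}

type Finding struct {
	Kind  string // "pan" (payment card number) or "ssn"
	Match string
}

type Verdict string

const (
	Allow      Verdict = "allow"
	Block      Verdict = "block"      // sensitive data addressed outside the company
	Quarantine Verdict = "quarantine" // bulk sensitive data, even to internal recipients

	corpDomain    = "example.com" // assumption
	bulkThreshold = 5             // assumption: findings per message before quarantine
)

var (
	// Four groups of four digits with optional separators, or an unbroken run of
	// 13-19 digits. The grouped form deliberately does not span across tokens, so a
	// list of SSNs cannot be mistaken for one long card number. (Simplification:
	// 15-digit 4-6-5 groupings are not recognised in separated form.)
	panRe      = regexp.MustCompile(`\b(?:\d{4}[ -]){3}\d{4}\b|\b\d{13,19}\b`)
	ssnRe      = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	digitsOnly = strings.NewReplacer(" ", "", "-", "")
)

// Luhn reports whether a digit string carries a valid Luhn check digit,
// which nearly every card number does and most random digit runs do not.
func Luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Scan returns every Luhn-valid card number and every SSN pattern in text.
func Scan(text string) []Finding {
	var out []Finding
	for _, m := range panRe.FindAllString(text, -1) {
		if Luhn(digitsOnly.Replace(m)) {
			out = append(out, Finding{"pan", m})
		}
	}
	for _, m := range ssnRe.FindAllString(text, -1) {
		out = append(out, Finding{"ssn", m})
	}
	return out
}

// Decide applies the policy to one message and returns the findings for logging.
func Decide(m Message) (Verdict, []Finding) {
	f := Scan(m.Subject + "\n" + m.Body)
	external := !strings.HasSuffix(strings.ToLower(m.To), "@"+corpDomain)
	switch {
	case len(f) == 0:
		return Allow, f
	case external:
		return Block, f
	case len(f) >= bulkThreshold:
		return Quarantine, f
	}
	return Allow, f
}

func main() {
	// Constructed sample traffic; the card and SSN values are test patterns, not real.
	samples := []Message{
		{"alice@example.com", "bob@example.com", "expense", "card on file: 4111 1111 1111 1111"},
		{"alice@example.com", "alice@mail.example", "fyi", "card on file: 4111-1111-1111-1111"},
		{"alice@example.com", "bob@example.com", "order", "order 1234567890123456 shipped"},
		{"hr@example.com", "bob@example.com", "roster", strings.Repeat("123-45-6789 ", 5)},
	}
	for _, m := range samples {
		v, f := Decide(m)
		fmt.Printf("%-20s -> %-10s (%d findings)\n", m.To, v, len(f))
	}
}
```

The order number in the third message matches the digit pattern but fails the Luhn check and is allowed through; without that check a content filter of this kind generates the false positives that get it switched off. A production gateway would also decode attachments and archives before scanning, which the example does not attempt.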

The ubiquity of cameras embedded in phones, tablets, and many laptops also means that employees or visitors may easily copy any information sitting in plain sight. Many of these devices may be configured to automatically upload photos or videos to consumer cloud storage or social media sites. For this reason, “clean desk” policies are more important than ever. Companies with higher security requirements may even resort to mobile device management (MDM) systems to limit the use of cameras by employees in specific buildings or locations.

ISO-27002 also suggests that equipment, information or software should not be taken off-site without prior authorization. However, most organizations grant de facto authorization to remove equipment when issuing laptops or other mobile devices, supporting BYOD. The unfortunate side effect of mobile devices is that they become lost or stolen much more frequently than the traditional desktop or server.

In order to mitigate the risk of lost or stolen devices there are several controls that should be mandated by policy. All devices, including smartphones should require a PIN or passphrase in order to gain access to the system or its applications. All mobile devices, including laptops, should encrypt data stored on the device. All mobile devices, including laptops, should be configured so that they can be remotely locked, wiped, and tracked if reported lost or stolen.
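The device controls listed earlier (registration, PIN or passphrase, encryption, remote lock and wipe, no jailbroken devices) together with the ISO 27002 suggestion to limit connection times, as an added example that is not the article's own code; the posture record fields, the 07:00-19:00 window and the allow/deny/wipe labels are assumptions:

```python
# Added example (not the article's own code); fields and window are assumed.
from dataclasses import dataclass

# Assumed permitted window (24h clock), following the ISO 27002 suggestion
# to limit the period during which connections are allowed.
ACCESS_WINDOW_HOURS = (7, 19)

@dataclass
class DevicePosture:
    device_id: str
    registered: bool           # enrolled and authorized in the device inventory
    pin_enforced: bool         # PIN or passphrase required to unlock
    storage_encrypted: bool    # data at rest encrypted on the device
    remote_wipe_enabled: bool  # device can be remotely locked and wiped
    jailbroken: bool           # rooted or jailbroken OS detected
    reported_lost: bool        # owner has reported the device lost or stolen

def posture_findings(d: DevicePosture) -> list[str]:
    """Return the failed controls for a device; an empty list means compliant."""
    findings = []
    if not d.registered:
        findings.append("unregistered device")
    if not d.pin_enforced:
        findings.append("no PIN or passphrase")
    if not d.storage_encrypted:
        findings.append("storage not encrypted")
    if not d.remote_wipe_enabled:
        findings.append("remote lock/wipe not enabled")
    if d.jailbroken:
        findings.append("jailbroken or rooted")
    if d.reported_lost:
        findings.append("reported lost or stolen")
    return findings

def access_decision(d: DevicePosture, hour: int) -> tuple[str, list[str]]:
    """Decide 'allow', 'deny' or 'wipe' for a connection attempt at the given hour."""
    findings = posture_findings(d)
    if d.reported_lost:
        # A lost device is locked and wiped rather than served, as the text recommends.
        return "wipe", findings
    if findings:
        return "deny", findings
    start, end = ACCESS_WINDOW_HOURS
    if not start <= hour < end:
        return "deny", ["outside permitted access window"]
    return "allow", []
```

The findings list is what an MDM or conditional-access log entry would carry, so a denied connection is explained rather than silently dropped.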

ISO-27002 has long advocated that companies have thorough policies and procedures regarding the disposal and reuse of computers and other systems that contain persistent data storage. Once again, BYOD trends make this an important issue. The number of devices has greatly increased, storage capacities are constantly increasing, and it often seems like some people are getting a new phone or tablet every year, or even more often. At the same time, with personally owned devices the phones and tablets may be handed off to other family members, re-sold online, or traded in for new devices. Deleting all company information from devices being replaced is critical to prevent unauthorized disclosures. Acceptable Use Policies (AUPs) and security awareness training should remind employees not only to report lost or stolen equipment, but also to report any personally owned equipment that is being replaced.

BYOD Security: Expert Tips on Policy, Mitigating Risks, & Preventing a Breach

by Nate Lord, Digital Guardian, June 3, 2015

Despite all of the security risks BYOD poses to an IT environment, the trend of businesses embracing bring your own device in the workplace continues to grow at a rapid pace.

Some of the main reasons companies of today are so accepting of BYOD in the workplace usually relates to employee satisfaction and increased productivity: employees who are permitted to use their own devices in the office are generally more satisfied and some 43% of employees connect to their emails on their smartphones in order to get ahead and ease their workload.

Since it seems that BYOD is quickly becoming the new standard in workplace technology rather than an exception, we wanted to find out how companies who are already investing in a BYOD workplace, or are planning to do so in the near future, are keeping their data secure. To do this, we asked 30 data security experts to answer this question:

“How can companies keep data secure in a BYOD environment?”

Paul Hill @SyExperts

Paul Hill is a Senior Consultant at SystemExperts, an IT compliance and security consultancy, and works to provide clients with both strategic and practical guidance to build effective security organizations.

To have a successful BYOD program, companies must…

Maintain the security of their systems and the confidentiality of data. The four most basic BYOD technical controls that a company must implement are:

  • The company must know what devices are being used legitimately, so each device should be registered and authorized.
  • A PIN or pass phrase must be used to access the device.
  • The ability to remotely lock and wipe the device must be enabled.
  • Employees must report lost or stolen devices in a timely manner so that they can be locked and wiped.

Additionally, a successful BYOD program should include policies and training to protect both the company and the employee:

  • Do have policies that require employees to waive all liabilities in the event that the company remotely locks or wipes a device.
  • Do have relevant acceptable use policies that also describe what is prohibited, such as using jailbroken devices.
  • Do provide security awareness training about the risks associated with mobile devices and the importance of timely reporting of lost or stolen devices.

To see what all the experts have to say go to Digital Guardian.

Steps Enterprises Should Take to Eliminate Website Vulnerabilities

It’s understood that security is not an endpoint. It is a process that requires constant vigilance, reassessment and evolutionary change.

The security of a website is no exception. Most websites continue to have security vulnerabilities because the primary focus tends to be on application functionality and not security. Application developers are incentivized to finish updates quickly and often don’t understand the security risks the changes may have introduced.

There are two separate responsibilities to addressing website security that enterprises need to embrace: First, you need to find the problems; second, you need to resolve them. It certainly sounds obvious but it often turns out to be more complicated than anticipated.

Too often, companies treat website testing like it is a one-time event instead of having it be part of a security program. Websites need periodic (in most cases, at least yearly) independent vulnerability assessments. Also, if there has been a major change in the application or backend servers and services, or in the webserver or host, the website has to be checked again for vulnerabilities.

After the assessment is performed, it is quite likely there will be vulnerabilities that need to be addressed by the group that manages the host it runs on (e.g., open ports and services), the people who configure the webserver it runs on (e.g., SSL certificates, supported HTTP methods) and the application developers (e.g., XSS, injections, input validation, file upload, clickjacking, CSRF). In other words, improving website security usually requires assistance and coordination from many different groups.

The companies that are successful in minimizing website security risks have instituted an ongoing independent security testing program that identifies risks and have established clear responsibilities for remediating the issues that are discovered.