8 Android security tips for IT, corporate users

By James A. Martin, CIO.com, May 20, 2015

A set of security experts shares actionable tips for IT departments and users to help reduce the risk associated with the popular mobile OS.

The security pros interviewed for our article, “Experts bust Android security myths,” offered up the following eight Android security tips for IT administrators and users:

1) Don’t root that Android device

“To do significant damage in the mobile world, malware needs to act on devices that have been altered at an administrative level,” according to Dionisio Zumerle, principal research analyst at Gartner. “The most obvious platform compromises of this nature are ‘jailbreaking’ on iOS or ‘rooting’ on Android devices …

While these methods allow users to access certain device resources that are normally inaccessible … they also put data in danger.”

2) Don’t overlook Android security or focus only on malware

“Perhaps one of the biggest risks of mobile malware is the fact that mobile malware, in itself, is not yet abundant,” says Domingo Guerra, president and cofounder of Appthority. “This creates a false sense of security in government and enterprise organizations.”

Guerra also identified a number of additional Android risks, including “corporate data exfiltration, poor app development practices, mismanagement of user names and passwords, poor implementation of encryption, and data harvesting and sharing for marketing purposes.

“These risks are often overlooked by shortsighted, malware-only security strategies,” Guerra says.

3) Don’t install Android software from unofficial app stores

“Only install apps from the Google Play store that are from known and trusted developers,” says Terry May, an Android developer with Detroit Labs. “It would also be a best practice to take advantage of the multiple users feature in Android and have a user account that is just for enterprise.”

4) Pay attention to Android app permission requests

Reading an app’s access requests is critical, according to Mark Huss, senior consultant at SystemExperts. For example, a flashlight app doesn’t need access to services that cost you money (such as SMS messaging), system tools, your call list or any personal information, network communication or location service, Huss says.
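As an added example (not from the article), the following Python check parses an AndroidManifest.xml and groups any permissions a flashlight app does not need into the categories Huss lists; the manifest, the category allowlist and the risk groups are constructed for illustration.

```python
"""Review the permissions an Android app requests against what its category needs.
Added illustration: the manifest, the allowlist and the risk groups are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name, as ElementTree sees it

# Constructed manifest for a hypothetical flashlight app that asks for far too much.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <application android:label="Torch"/>
</manifest>
"""

# Permission groups the article says a flashlight app has no business requesting.
RISK_GROUPS = {
    "costs money (SMS/calls)": {
        "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS", "android.permission.CALL_PHONE"},
    "call list / personal info": {
        "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
        "android.permission.READ_PHONE_STATE"},
    "network communication": {
        "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"},
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION"},
    "system tools": {
        "android.permission.WRITE_SETTINGS", "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Constructed allowlist: a torch app drives the LED through CAMERA (or the legacy FLASHLIGHT).
EXPECTED = {"flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}}


def requested_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def review(manifest_xml, category):
    """Map each risk group to the sorted list of unexpected permissions found in it."""
    requested = requested_permissions(manifest_xml)
    expected = EXPECTED.get(category, set())
    findings = {}
    for perm in sorted(requested - expected):
        group = next((g for g, perms in RISK_GROUPS.items() if perm in perms),
                     "unclassified extra")
        findings.setdefault(group, []).append(perm)
    return findings


if __name__ == "__main__":
    for group, perms in review(SAMPLE_MANIFEST, "flashlight").items():
        print("%-28s %s" % (group + ":", ", ".join(perms)))
```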

5) Always keep Android software and firmware updated

“Always check for available firmware updates and patches and download the latest version if possible,” says Gleb Sviripa, an Android developer at KeepSolid. “The newer the version is, the fewer the chances that hackers can attack your device.”

6) Install security and VPN apps

It’s simple to find a plethora of security apps for Android. Look for apps that scan for malware and block apps from non-approved sources, according to Geoff Sanders, cofounder and CEO of LaunchKey. Disk encryption should be enabled, and apps that have “overreaching access to potentially sensitive data” should be denied, he says.

When surfing the Internet, Android devices should be protected with virtual private network (VPN) software such as VPN Unlimited, Sviripa says.

7) Organizations should set and enforce clear access policies

Companies need to be clear about the sensitive materials that users can access via mobile devices and ensure those devices have “the right infrastructure in place to protect against mobile threats,” according to Swarup Selvaraman, senior product manager at Dell SonicWALL.

8) The four basic tenets of Android security

Troy Vennon, director of Pulse Secure’s Mobile Threat Center, says enterprise mobile security boils down to following four essential steps: Disallow rooted and jailbroken devices; ensure that devices are protected by passwords; keep devices updated; and require users to connect through a VPN.


Data Leak Prevention Tools: Experts Reveal The Biggest Mistake Companies Make Purchasing & Implementing Data Leak Prevention Software

By Nate Lord, Digital Guardian, May 14, 2015

Due to their size, enterprises have many security issues to consider when establishing a comprehensive data security strategy. One security need that is especially critical for larger companies – because they typically have many employees and large volumes of sensitive data – is proper data leak prevention.

As a provider of data loss prevention solutions to many enterprise companies, we wanted to learn more about some of the most common (and avoidable) mistakes companies make when using data leak prevention tools. To do that, we asked a group of data security experts this question:

“What’s the biggest mistake companies make in purchasing and implementing data leak prevention tools?”

See what our experts had to say below:

Paul Hill is a Senior Consultant with SystemExperts, an IT compliance and network security consultancy.

The biggest mistakes that companies often make when purchasing and implementing data leak/loss prevention (DLP) fit into the following categories:

  • inadequate risk analysis prior to product selection
  • inadequate investment of time in configuration and tuning
  • failure to set expectations with business units
  • failure to work closely with business units when tuning the configuration

Selecting the right tool for an environment can be difficult. There are typically many potential egress routes for data. These may include removable media, email, instant messaging, ftp, web applications, and even paper copies.

The risks of each mechanism should be assessed to then determine which tool can best address the particular methods of egress that are deemed the most risky. Few, if any, tools will excel at DLP for all potential egress routes.

DLP tools can be disruptive to a business if not carefully configured and tuned. False positives can disrupt normal or essential business operations. To avoid this, many DLP tools default to a passive mode, simply recording potential leaks. This is done so that customers can tune the product to reduce or eliminate an excessive number of false positives before enabling prevention.

Unfortunately, in some organizations, the tool is bought, deployed, and its configuration is never adjusted. The tool quietly records detections, but it is never configured to prevent data leaks. In more than one case, an organization thinks it has prevented leaks, but is in fact only recording leaks.

DLP can be difficult to deploy successfully. It is not a matter of simply purchasing the product and turning it on. The team responsible for the operation of the DLP product will need to work closely with business units. It requires setting expectations and working with the business units to tune the system so that normal processes are not disrupted.

To read what the other experts say click here.

Security Questions to Ask a Cloud Service Provider

Ericka Chickowski of Dark Reading recently asked security experts to contribute key questions to ask a cloud security provider. While I’m pleased that two of my questions were included in the article, I have three additional questions you should ask to help you assess the risks of cloud services.

1) What security compliance programs and audits do you perform on at least an annual basis?

Established compliance programs such as ISO 27002, CSA’s CCM, and PCI-DSS examine a broad set of controls and are designed to ensure that companies are following recognized security practices in all aspects of the organization.

2) Do you support two-factor or multi-factor authentication by customers?

There have been many articles published about the death of the password, although it remains the most prevalent form of authentication. Many breaches would be prevented if two-factor or multi-factor authentication were used instead of relying solely on a username/password. In recent years an increasing number of consumer oriented services have started offering additional authentication methods, including the sending of a one-time password to a cell phone associated with the customer’s account.

3) Is all customer data encrypted while stored on disk?

Proper encryption of stored data, in addition to data transmissions, reduces any attacker’s ability to steal customer data. The cost of achieving full encryption of stored data has dropped significantly in recent years; hardware security modules (HSMs) are widely available at affordable prices, and a wide variety of products now integrate easily with third-party HSMs, making this a practical solution for the security conscious.


10 Security Questions To Ask A Cloud Service Provider

By Ericka Chickowski, Contributing Writer, Dark Reading, May 12, 2015

Ericka Chickowski of Dark Reading posted a slideshow of the most important security questions companies should ask cloud providers in order to evaluate the risk of using that service. Paul Hill, senior consultant, SystemExperts, contributed two questions for the article:

Do you encrypt all data transmissions, including all server-to-server data transmissions, within data centers?

“Security is only as strong as the weakest link. While it is very common to encrypt the traffic between the customer and the service provider in order to ensure integrity and confidentiality, it is less common for service providers to encrypt intra-server communications within the company’s own perimeter. Too often attackers are able to exploit this type of weakness once a single breach in the perimeter has occurred.”

Do you allow customers to perform scheduled penetration tests of either the production environment or a designated testing environment?

“Penetration testing is a common method used by companies to ensure their systems are well defended from attacks. Cloud service providers that allow customers to perform such testing are willing to be transparent about their security practices and also likely to be confident that their systems are well secured.”

To read other questions you should ask click here.

Key Steps Enterprise IT Can Take to Safeguard its Operations

IT systems pervade enterprises. Systems are increasingly complex; enterprises constantly seek more rapid deployments. And enterprises are increasing the volume and diversity of the data collected and analyzed. All of these factors mean that enterprises cannot rely on a small set of steps to safeguard their operations. Well-established security frameworks such as PCI, HIPAA, ISO 27002, or even newer frameworks such as the CSA’s CCM, don’t look at a narrow range of controls; instead they cover a wide range of controls. However, simply adopting a security framework does not make an enterprise secure. Just look at the number of companies that have gone through a PCI DSS compliance program only to suffer a breach a short time later.

A key step is creating a corporate culture that cares about security.

In April 2007, Jason Spaltro, then executive director of information security at Sony Pictures Entertainment and now the senior vice president of information security, was featured in an article published by CIO magazine titled “Good Enough Compliance.” The lead-in to the article says, “Noncompliance is a fact of life as the list of security and privacy regulations grows. The key is knowing how to comply just enough so that you don’t waste your time or bankrupt your company.”

The article discussed Spaltro’s experience during a Sarbanes-Oxley audit. The auditor told Spaltro that Sony had several security weaknesses, including insufficiently strong access controls. One of the findings indicated the passwords Sony employees were using did not meet best practice standards that called for combinations of random letters, numbers and symbols. Sony employees were using proper nouns.

The article discloses that Spaltro argued against requirements to use complex passwords, and the auditor eventually agreed not to note the use of “weak passwords” as a finding and SOX failure.

Clearly, Sony had a compliance program in place, and it certainly had the financial resources to implement the latest security technologies, but it suffered one of the most publicized breaches in history.

A fundamental problem is that simply implementing a compliance program does not change the corporate culture. If security is not part of the corporate culture, adopting new policies and deploying new technologies to achieve compliance may be counterproductive. Instead, the rest of the enterprise may view IT as an obstacle and seek unapproved methods to get their work done.

If we look back to the 1980s, this is how the PC made an entry in large corporations. Business units were frustrated with the timelines dictated by IT staffs dominated by mainframe programmers. Individual business units could suddenly afford to purchase their own computing resources and try things at their own pace. We see a similar phenomenon with the rapid adoption of cloud technologies and BYOD strategies at many companies in recent years. Business units may be finding faster, lower-cost methods of doing business, but too often they are radically changing the security landscape and creating new, poorly understood risks.

However, when we look at enterprises where security is part of the corporate culture, the introduction of new technologies is much better managed. Consider an enterprise where security is part of the culture. In adopting BYOD, such an enterprise will have human resources focusing on how accessing or responding to work email will impact the status of non-exempt employees. Audit teams will focus on assuring that regulations are being followed and enforced. Legal will focus on the protection of confidential material and how to address the subpoena of a personal device. And IT can focus on managing configurations, integration, monitoring, metrics, and support.

Following a security framework in an enterprise that doesn’t have a culture of security will likely lead to tensions and unnecessary spending on technology that is underutilized. But using a security framework as a guideline or roadmap in an enterprise that has a strong culture of security can lead to efficiencies, because the enterprise is leveraging the knowledge and experience of organizations from around the world. Such an enterprise is much more likely to adopt new technologies more efficiently and more cost effectively.

What Happens After the Breach — Especially for SMBs

SMBs are the least likely to survive the costs associated with a breach that involves data that falls under the Payment Card Industry umbrella. There are several types of cost, including those associated with reputation damage, the time and effort required to repair the breach and return to normal operations, the time and expense of collecting forensic data, the time and expense of coordinating with law enforcement and the PCI stakeholders, potential fines, potential litigation, and subsequent increased spending on PCI compliance.

The best way to reduce these liabilities is to outsource as much of the PCI operations as possible, and to have a strong practical defense that does not result in a breach.

Detecting a breach and rapidly closing it sounds like a very desirable goal, but an analysis of well-publicized breaches indicates that most breaches exist for an extended period of time, and too often the company experiencing the breach is informed of the problem by a third party. The third parties doing the informing include law enforcement, customers, the cyber criminals, and fraud detection departments at the merchant banks, although the latter seem to take their time about informing companies of apparent breaches.

Most of the publicity surrounding PCI DSS 3.2 and the move to chip & pin technology by card-issuing companies is aimed at fraud prevention. There are more specifics about penetration testing, and about the improved security offered by chip & pin. Unfortunately, there are already articles discussing how chip & pin can be done wrong. There are cases where fraudulent transaction data has been transmitted while being marked, in transit, as having used chip & pin technology.

SMBs and everyone else in the industry should assume that the rate of breaches will not be dropping in the foreseeable future. SMBs should be testing their incident response plans. These tests really should include a well-managed scenario that requires end-to-end testing of the plans. For example, if a breach occurs, what are the criteria for hiring a third party to gather forensic data? Who is responsible for approving the purchase of the service, and were quotations from any firms obtained? Testing should also include some discussions with outside counsel. What legal services will be needed? What are some of the initial cost estimates? In other words, a good test of the incident response plan should go into enough detail to generate an estimated cost of the incident.

Why Securing Only the Network Perimeter is the Wrong Approach

Every time I encounter an organization that focuses on perimeter security while ignoring best practices on the internal network I think of Gary Larson’s Far Side cartoon where two polar bears are on either side of an igloo and one says to the other, “Oh hey! I just love these things!…Crunchy on the outside and a chewy center!”

Perimeters have become very complicated. Employees may need to work from remote locations. Companies may allow employees to use personally owned mobile devices to access the internal network. Companies often operate guest networks to accommodate visitors. A perimeter may include a DMZ that permits access by customers, but may also permit access to vendors and external partners that have more privileges than customers. All of these practical realities lead to somewhat porous perimeters.

Too often companies trust the internal network and the people using it. Companies may terminate encrypted traffic at their perimeter but transmit sensitive data in clear text on the internal network. This means that if a single attacker can somehow breach the perimeter, it can be trivial for the attacker to gain access to all data and systems on the internal network.

A better set of practices results from assuming that all network segments are always compromised. In response to such an assumption, all sensitive data should always be encrypted during transmission. Passwords should never be sent as clear text. There should not be a single perimeter; instead, every host should have a local firewall. There should be clear segregation of duties, and all transactions should require review and approvals.

A more recent trend is to also ensure that data is encrypted while stored on any hard disk, database, or media. Secure management of the encryption keys needed to protect data at rest has become more viable in recent years. Many products now support the use of third-party hardware security modules (HSMs) to facilitate secure management of encryption keys.

Many well-publicized breaches that occurred in the past two years had a duration of months. Often organizations were informed of the breach by third parties, including law enforcement, instead of detecting the breach on their own. The organizations in these well-publicized breaches never noticed that large quantities of sensitive data were being transmitted to unauthorized destinations. Careful monitoring of access to data, copying of data, or attempts to transmit data to unapproved destinations can lead to earlier breach detection and prevention. These same practices are needed to protect intellectual property.

Is your business data really secure?

Joe Stangarone, writer, MRC’s Cup of Joe Blog, March 24, 2015

Summary: With data breaches on the rise, security becomes more important than ever. Is your company (unwittingly) putting your data at risk? Are you following best practices for data security? Learn 7 ways to better secure your data.

They say that “any press is good press.” But, I’d guess that any of those companies who suffered widely publicized data breaches recently would argue with that.

Does it feel like data breaches are becoming more frequent? It’s true. A recent IBM report finds a 12% year-to-year increase in security incidents. What’s worse: These breaches lead to reputation damage, lost productivity, and lost revenue.

With that in mind, let me ask you a question: Is your business data secure?

What steps are you taking to ensure that your company doesn’t make the news for a security incident? Today, let’s focus on that topic. How can you keep your business data secure? While the list could be much longer, here are 7 important tips:

1. Avoid spreadsheet overuse
Let’s start off with one of the biggest threats to data security: Spreadsheets. Many businesses put their data at risk because they rely too heavily on spreadsheets. They store critical business data in spreadsheets. Or, they export data from their business systems into spreadsheets for reporting.

Why is this such a problem? Once your data is in a spreadsheet, it’s vulnerable. What happens when a user shares that spreadsheet with other users? What happens when those users edit the data and share it with others? Soon, you have multiple versions of the same data floating around, beyond your control.

Which version is accurate? How many different spreadsheets exist? Where are they stored? Did any users make a data entry mistake, or somehow tarnish the data? There’s no way to know. How bad is this problem? Studies have found that over 80% of spreadsheets contain critical errors. User groups now exist to warn businesses about the dangers of spreadsheets. If your company still relies heavily on spreadsheets, your data is already at risk.

2. Create password policies
End users have notoriously bad password habits. How bad? According to this annual list of the most popular passwords over the last year, “123456”, “password”, and “12345” top the charts. That’s right. It’s that bad. Without a strict password policy, your employees can unwittingly put your data at risk with weak passwords.

3. Use 2 factor authentication
Now, a strict password policy helps, but it’s just one step in the process. What happens if a hacker gains access to one of your employee’s passwords? How can you protect your data?

Two-factor authentication (2FA) is a great way to combat this risk. It adds a second layer of security to your applications. Rather than identifying users with a single factor (user/password), it adds another identification factor, usually a PIN delivered via SMS. This is a great method to add extra protection to your most sensitive data.

4. Monitor user workstations
Here’s another password-related problem: How will employees remember multiple, complex passwords? If you impose strict password policies, users need a way to remember their passwords.

What do they do? Many write their passwords on sticky notes and leave them on their desks, defeating the point of a password in the first place. To combat this, perform periodic security checks on your employees’ workstations.

5. Hold security and awareness training
Hackers aren’t usually the biggest threat to your data security. The fact is, uninformed employees are often your biggest threat. Many don’t understand proper security habits. They don’t realize their actions put the company at risk. It will stay that way unless businesses ensure that their users understand best security practices.

6. Create a good rapport with end users
In some companies, there’s a disconnect between the IT department and the end users. Both sides have an “us vs. them” mentality. The users feel like IT gets in their way, and the IT department feels like users can’t be trusted. The problem is, this disconnect puts your business data at risk.

If end users don’t respect the IT department (or vice-versa), do you really think they’ll respect their security policies? No.

7. Limit data access
Allowing too much data access is another critical security mistake businesses make. They give users access to all of their data. This opens the business up to all sorts of security risks. For instance, what happens if a user decides to copy data to a personal device and bring it home? What happens when a user accidentally deletes data, or enters new data incorrectly?

“One of the most important steps in keeping business data safe is to tightly control access to any sensitive data, and that includes administrators,” says Jon Gossels, President of SystemExperts.

“Nobody should have access without oversight and logging.

“Make sure that every user has the least privileges necessary to perform their job and that every user has his own unique login credentials so that actions can be traced.

“If you have computers on-site, make sure they are used only for business (e.g., don’t allow anything to be downloaded or for people to browse the Internet), and make sure you have constantly updated anti-virus software running at all times – and keep those computers isolated/segregated from any other networks or computers you may have.”

Data Leak Prevention Tools: Biggest Mistakes Companies Make

I was recently asked to comment on mistakes companies make in purchasing and implementing data leak prevention (DLP) tools. Although we have been talking about DLP for quite some time, it continues to be a challenging issue for many companies. In my experience, the mistakes companies make fall into the following categories:

  • inadequate risk analysis prior to product selection
  • inadequate investment of time in configuration and tuning
  • failure to set expectations with business units
  • failure to work closely with business units when tuning the configuration

Selecting the right tool for an environment can be difficult. There are typically many potential egress routes for data. These may include removable media, email, instant messaging, ftp, web applications, and even paper copies.

The risks of each mechanism should be assessed, and then it can be determined which tool can best address the particular methods of egress that are deemed the most risky. Few, if any, tools will excel at DLP for all potential egress routes.

DLP tools can be disruptive to a business if not carefully configured and tuned. False positives can disrupt normal or essential business operations. To avoid this many DLP tools default to a passive mode, simply recording potential leaks. This is done so that customers can tune the product to reduce or eliminate an excessive number of false positives before enabling prevention.

Unfortunately, in some organizations, the tool is bought, deployed, and its configuration is never adjusted. The tool quietly records detections, but it is never configured to prevent data leaks. In more than one case, an organization thinks it has prevented leaks, but is in fact only recording leaks.

DLP can be difficult to deploy successfully. It is not a matter of simply purchasing the product and turning it on. The team responsible for the operation of the DLP product will need to work closely with business units. It requires setting expectations and working with the business units to tune the system so that normal processes are not disrupted.
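As an added example (not from this post or from Paul Hill’s answer above, both of which describe the same pitfall), the following Python sketch shows the two DLP behaviours the text contrasts: detection of sensitive data in outbound events, and a per-channel policy that is either “monitor” (record only) or “block”. The policy, the egress log lines and the Luhn-based card check are constructed for illustration; the audit at the end lists channels still left in the default passive mode.

```python
"""Minimal DLP egress scan: detect sensitive data in outbound events and apply a
per-channel policy that is either "monitor" (record only) or "block".
Added illustration; log lines and policy are constructed, not from any product."""
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by spaces or dashes; validated with Luhn below
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Constructed policy: email left in the default passive mode, the trap the text describes.
POLICY = {"email": "monitor", "ftp": "block", "usb": "block"}

# Constructed egress events: timestamp|channel|user|destination|content excerpt
EGRESS_LOG = [
    "2015-05-14T10:01:02|email|alice|partner@example.net|invoice card 4111 1111 1111 1111 attached",
    "2015-05-14T10:03:17|ftp|bob|203.0.113.7|payroll SSN 123-45-6789 export",
    "2015-05-14T10:05:44|email|carol|vendor@example.org|tracking 1234567890123456 shipped",
    "2015-05-14T10:07:09|usb|dave|removable-drive|quarterly summary, no identifiers",
]


def luhn_ok(number):
    """Luhn checksum; rejects random digit runs (tracking numbers, IDs) as false positives."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, value) pairs for SSNs and Luhn-valid card numbers found in text."""
    found = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    found += [("card", m.group()) for m in CARD_RE.finditer(text) if luhn_ok(m.group())]
    return found


def scan_egress(log_lines, policy):
    """Classify each event as allow (clean), log (monitor mode) or block."""
    results = []
    for line in log_lines:
        ts, channel, user, dest, text = line.split("|", 4)
        matches = find_sensitive(text)
        if not matches:
            action = "allow"
        elif policy.get(channel) == "block":
            action = "block"
        else:
            action = "log"      # passive mode: the leak is recorded but still leaves
        results.append({"ts": ts, "channel": channel, "user": user,
                        "dest": dest, "matches": matches, "action": action})
    return results


def unenforced_channels(policy):
    """Channels still in monitor mode: detections there are recorded, never prevented."""
    return sorted(ch for ch, mode in policy.items() if mode != "block")


if __name__ == "__main__":
    for r in scan_egress(EGRESS_LOG, POLICY):
        print(r["action"].upper(), r["channel"], r["user"], "->", r["dest"], r["matches"])
    print("monitor-only channels:", unenforced_channels(POLICY))
```

Running it shows the card number leaving over email with only a log entry while the same policy blocks the SSN over ftp; the tracking number on the third line fails the Luhn check and is not reported, which is the kind of tuning that has to happen before prevention is switched on.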

SMB Awareness of Breach Notification Laws IndustryView | 2015

by Daniel Humphries, Managing Editor for IT Security, research firm Software Advice, February 2015

Currently, 47 U.S. states have security breach notification laws, which require organizations that store sensitive information to notify customers and clients if their personal data is breached. In this report, we investigate how aware decision-makers at small and midsize businesses (SMBs) are of the laws that apply to their firms, and examine the contents of those laws. We also provide advice from leading cybersecurity experts on how best to avoid breaches, fines, lawsuits and reputational

Key Findings:

  1. Only 33 percent of SMB decision-makers we surveyed are “very confident” they understand their state’s data breach notification laws.
  2. Less than half of our survey respondents (49 percent) say their company already has a breach response plan in place.
  3. The vast majority of SMB decision-makers in our sample (82 percent) say that their business encrypts customers’ personal information.

In January 2015, President Obama proposed new federal legislation that would require organizations to alert customers within 30 days of discovering that their personal information had been exposed in a data breach. For now, however, no such law exists; instead, businesses must comply with a patchwork of state laws governing breach disclosure.

Since California passed the first such law in 2002, a total of 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government organizations to notify individuals of security breaches involving Personally Identifiable Information (PII). Definitions of PII vary, but usually involve a combination of the individual’s name plus sensitive data such as their social security number (SSN), credit card number or bank personal identification numbers (PINs).

While large firms may have lawyers on tap who are experts in these laws, we wanted to gauge SMBs’ awareness of their legal obligations in the event of a breach—so we polled SMB owners and decision-makers at businesses that store customer PII. We then spoke to legal, compliance and cybersecurity experts to gain insight into these laws and learn how businesses should prepare for, and respond to, a breach.

One-Third of SMBs Not Confident They Know the Rules on Breach Disclosure

After a successful hack, cybercriminals act quickly to cash in on their ill-gotten gains.

“Most of the time, when [valuable] information leaks out of a company, it is instantly being monetized on underground forums,” says Bogdan Botezatu, senior e-threat analyst for antivirus firm Bitdefender. In these situations, he says, businesses should alert their clients and customers as quickly as possible so they can minimize the aggravation and inconvenience that results when sensitive data goes missing.

In addition to an ethical responsibility, however, most U.S. businesses storing sensitive data also have a legal responsibility to inform customers of lost PII. Thus, even if a business owner concerned about reputational damage is tempted to conceal or suppress a breach of PII—as experts believe often happened before these laws were adopted—today, this is illegal in every state but Alabama, New Mexico and South Dakota.

So, how confident are SMB owners and decision-makers that they understand the security breach notification laws of their state?

Only one-third (33 percent) of respondents are “very confident,” while 34 percent describe themselves as “moderately confident.” Another one-third, combined, are largely (19 percent) or completely (14 percent) unaware of their state’s breach disclosure requirements.

This suggests many businesses are highly likely to be caught off-guard if a breach occurs—and according to the most recent security report from Symantec, targeted attacks on SMBs accounted for 30 percent of all “spear phishing” attacks in 2013 (the most up-to-date figures, from 2014, are still pending). In these attacks criminals craft fake emails to dupe individuals into surrendering their credentials, or into downloading malware.

Heather Buchta, partner at legal firm Quarles & Brady and an expert in e-commerce, software and technology law, says that although state laws vary, they do share common features. When defining PII, the statutes “almost always” include a combination of an individual’s name together with any “sensitive data elements,” such as SSN, driver’s license numbers, credit card PINs and account passwords, for instance.

However, the definition of a “sensitive data element” may be broader.

“For instance, some states, such as Missouri, include various types of health information, while Nebraska’s law covers biometric data [e.g., retina or fingerprint scans],” Buchta says. “North Carolina considers an individual’s parent’s surnames prior to marriage to be sensitive, while Puerto Rico includes labor evaluations and the Wisconsin law covers DNA.”

Clearly, the laws are complicated. Jeff VanSickel, compliance lead at security consultancy SystemExperts, has conducted a comparative analysis of all 47 laws. He says he’s often surprised at which states are the most stringent in their definitions of sensitive data.

For instance, VanSickel believes that Montana has the “most rigorous” laws in the nation—there, the mere combination of name and address is defined as PII. Not a problem if you’re not based in Montana? Think again, says VanSickel: Businesses must also know the laws where their customers are located.

He uses the example of a company that is based in Florida but has clients in Hawaii to illustrate his point. If that company lost the PII of its Hawaiian customer base, then it would face legal issues in Hawaii, VanSickel says.

To read the full report on SMB Awareness of Breach Notification Laws, click here.