7 more security tips for mobile users (Part II)

Joe Stangarone, writer, MRC's Cup of Joe Blog, September 9, 2014

Summary: Users have notoriously bad security habits. The problem is, many of these users are now bringing their personal devices–and their poor security habits–into the workplace. Learn how these users can better protect themselves (and your data) with these simple tips.

Every time a list of user passwords gets leaked, we’re reminded of one scary fact: Users have horrible security habits. For example, can you guess the most popular password in 2013?

“123456.”

But wait, it gets worse. The next two most popular passwords: “password” and “12345678.” Yes, user security habits are that bad. Why is this becoming such a problem?

Well, these users–the same ones who feel that “123456” is a good password–are now bringing their personal devices into the workplace. Many even use their personal devices for work-related tasks.

Along with these devices, what else do they bring to your business? Their poor security habits. What happens if they store sensitive data on their devices? What happens if they use unauthorized devices for business? Without proper security habits, this could cause problems for your company. These problems could range from minor inconveniences to major security breaches.

So, how can users improve their security habits, and better protect your company data? As this is such a broad topic, we split it into two articles. In the first article, we outlined 7 important security tips for users. Today, let’s explore 7 more advanced (but still important) security tips that will help protect users and your company data.

1. Encrypt your data

Here’s a great question to ask: What happens WHEN you lose your mobile device? As mentioned in the first article, password protecting your phone is the first line of defense.

But, what happens if an attacker manages to access your device’s memory or SD card? If left unencrypted, your data is free for the taking.

“I’d recommend smartphone users encrypt their data; Android has this by default and you can choose to do the entire phone or just what is stored on an external SD card,” says Brandon Ackroyd, Head of Customer Insight at TigerMobiles.com. “The data is scrambled and only if the right password is entered is it decrypted. Apple allow this too, and emails, texts, etc. are already encrypted if you have a passcode switched on. You can take it a step further and encrypt the entire phone with use of a third party app.”

2. Back up your data

Most people don’t think about data backups until they need it–when they’ve lost their device or their data. But by then, it’s already too late. Any data that’s only stored on the device itself is at risk if not backed up.


“NQ Mobile’s survey showed that the number one thing that frightened people when it came to the valuable data on their phones was losing their contacts – yes, even more than having their photos or videos get posted publicly,” says Gavin Kim, President, International and Chief Commercial Officer of NQ Mobile. “And similar to locking your phone, this is an easy problem to fix. If your device doesn’t come with backup capabilities, download a backup app from a reputable app store or your wireless carrier. This way, if the worst happens, this is one less thing to worry about.”

3. Watch for Vishing and Smishing

By now, most people are familiar with “phishing” scams. Would-be attackers send fake emails hoping to trick their suspects into sharing personal data. While most consumers know not to click on questionable email links, we must now protect ourselves against similar threats: Vishing and Smishing.

“While basically no one falls for email phishing schemes, we all let our guard down when it comes to text messages and phone calls,” says Kim. “And scammers have taken note, responding with vishing (voice phishing) and smishing (SMS Phishing) schemes. Common cons include bogus websites that target travelers through enticing offers for events and attractions and even fake phone calls from your bank where the faux representative collects personal information then uses that to wreak havoc on your financial well-being. Combat these threats by treating your smartphone as you would your computer – don’t open questionable links, verify the url you go to is the url that you think, let poor grammar and misspellings be red flags, and don’t respond to unsolicited requests for personal information no matter what the Caller ID or email address shows.”

4. Double Check the URL field

URL redirects are a common tool for attackers. They display a seemingly harmless URL, which redirects you to a different site once selected. While easily detected on a PC, the small screen size of a mobile device makes them prime targets.

“Be sure that the mobile site you are on is in fact the correct mobile site,” says Steve Pao, GM of Security Business at Barracuda. “Mobile phone internet browsers do not display the entirety of the URL, leading users to believe that the first snippet of the URL is taking them to the correct landing page. This isn’t always the case. Targeted spear phishing attacks that look like legit social sites can ask you to enter your user name and passwords as if you were logged out, and now have your sign on information.

Mobile users are oftentimes multi-tasking with their phones in one hand and doing something else with their other, not paying attention to what’s going on on screen. In turn, people accidentally click through an in-app purchase or click on ads that could take them to a compromised site. Best thing is to pay attention to what it is that you do on your phones. Mobile malware is picking up traction and is becoming more advanced. Don’t think because you are on your phone that you are invincible. Proceed with caution.”
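As an added illustration of Pao's point (example code written for this page, not from the article or from Barracuda), the following Python script simulates a narrow mobile address bar and checks whether the host a URL actually connects to is the expected site rather than merely beginning with its name. The host names are constructed placeholders (example.com and the reserved .invalid domain).

```python
from urllib.parse import urlsplit

# Constructed sample URLs for the demonstration (not from the article).
EXPECTED_HOST = "example.com"
SAMPLE_URLS = [
    "https://example.com/login",
    "https://accounts.example.com/login",
    "https://example.com.account-verify.invalid/login",  # lookalike: expected name is only a prefix
    "http://example.com/login",                          # right host, but no TLS
]


def registrable_host(url: str) -> str:
    """Return the lower-cased host name of a URL ('' if it has none)."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_on_expected_site(url: str, expected_host: str = EXPECTED_HOST) -> bool:
    """True only if the scheme is https and the host IS the expected host or
    a subdomain of it (e.g. accounts.example.com).

    'example.com.account-verify.invalid' fails: example.com is a prefix of the
    host, but the name the browser actually connects to is the right-hand end,
    account-verify.invalid."""
    if urlsplit(url).scheme != "https":
        return False
    host = registrable_host(url)
    return host == expected_host or host.endswith("." + expected_host)


def visible_prefix(url: str, width: int = 28) -> str:
    """Simulate a narrow address bar that shows only the first characters of the URL."""
    return url if len(url) <= width else url[:width] + "..."


def review(urls=SAMPLE_URLS, expected_host=EXPECTED_HOST):
    """Return (visible prefix, full host, verdict) for each URL."""
    return [
        (visible_prefix(url), registrable_host(url), is_on_expected_site(url, expected_host))
        for url in urls
    ]


if __name__ == "__main__":
    for shown, host, ok in review():
        print(f"{shown:32} host={host:38} {'OK' if ok else 'NOT the expected site'}")
```

The third URL is the case the article describes: the truncated bar shows "https://example.com.account-..." while the real host is account-verify.invalid.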

5. Understand where your data lives

As cloud-based storage services become integrated into mobile devices, we face a problem. More and more, users don’t know where their data lives. Many unwittingly place sensitive data on the cloud, thinking it’s only stored on their device. Are they storing sensitive corporate data in an insecure cloud service? Does that service meet business security requirements?


“It is important for business users to understand where and how their data is being stored,” says Paul Hill, consultant with SystemExperts. “It is important for a business to be able to respond to e-Discovery requests, be able to ensure data is properly retained and destroyed when appropriate, and ensure proper access controls are applied. Many applications are now integrated with a variety of consumer-grade cloud storage services that may not meet all business requirements. It can be difficult for some users to understand where data is being stored, and what data may be available to third parties. If the business doesn’t provide a list of approved software and services, users should consult with their managers or their IT department to learn about the risks and make an informed decision.”

6. Use different passwords across sites

While more of a general security tip, it’s one that you can’t ignore: Avoid universal passwords. Your password must vary from service to service. Why? Well, what happens if hackers access your email password? Can they use that same password for your bank account? How about your social sites? Using different passwords limits your risk in the event of a data breach.

“If you’re using cloud backup services – use different passwords rather than having one universal password that you use for everything,” says Ackroyd. “If hackers or an unscrupulous individual get a password for one service, then they’re going to use it to try to access others too.”

7. Use restrictive browser and app settings

Sometimes malware or spyware takes advantage of common browser holes to work its way into your device. If you use your device for sensitive business tasks, enable the highest security setting possible. It may limit what you can do, but it will help protect you against malware that relies on lax browser settings.

“Use the most restrictive of your phone’s settings for apps and Internet access,” says Kevin D. Murray – CPP, CISM, Director of Murray Associates. “Some phones will even flag the activity and warn you if the program tries to do more than it has been given permission to do.”

Surviving a Breach

The Target breach is making many in the IT security field take a closer look at their company’s information security and compliance practices. I’d like to share here some of the questions and answers from a recent media interview looking at “How to Survive a Breach.”

1. Are most companies prepared for a cyber breach?

We find that many companies are not fully prepared to detect and respond to a breach. The companies who have not implemented a well-thought-out and documented logging and monitoring program cannot detect a breach – and hence will not be able to proactively react. This leaves the company in a high risk position, in that it will have to react to notifications from its partners, vendors and customers (not very proactive).

During the Target breach, a monitoring system detected the breach. However, the monitoring alert was not reacted to because the system was not fully implemented.

For incident response, companies that are highly regulated are better prepared than companies that are not. It should be noted that companies that capture, process and store customer Personally Identifiable Information (PII) are required by most states to have incident management processes in place to notify customers of breaches. Most companies do not appear to be aware of the state requirements, and therefore handle breaches in more of an ad hoc fashion without having any formally documented incident response policies or plans.

2. What can a company do to prepare themselves for a cyber breach?

This first step is to establish and implement the ability to quickly detect a breach, with a strong Logging and Monitoring Program.

The next critical item is to establish and implement a process to react to identified security events, escalate to executive management, and notify customers, media and partners as appropriate.

3. Who should be in charge of managing the Incident Management Program?

There are many types of incidents (e.g., disgruntled worker with a gun, bomb scare, cyber breach) and there are many groups within a company that should be involved with the different required decisions that come up over the course of an incident. The program should define a core cross-functional group responsible for the overall process, generally including:

  • Executive Management
  • Legal
  • Public Relations (for controlling media attention)
  • Information Security
  • Information Technology (for technology-related incidents)
  • Human Resources (for personnel-related incidents)
  • Facilities (for facility-related incidents)

A single group should champion the incident management process to ensure that:

  • General staff are educated about identifying and reporting suspicious events
  • The process is adequately documented and readily available to the members of the incident response team, which may be different for each incident
  • Staff (that would be selected to address an incident) are trained in the incident response process

4. What are the general compliance requirements associated with an Incident Management Program?

The Payment Card Industry Data Security Standard (PCI-DSS) mandates:

  • Security incident response and escalation procedures
  • An incident response plan
  • Annual testing of the incident response plan
  • Personnel be available 24/7 to respond to alerts
  • Training on breach response responsibilities
  • Linkage from security monitoring systems
  • A process to evolve the incident response process

The Health Insurance Portability and Accountability Act (HIPAA) mandates:

  • That a security incident process be in place
  • A documented set of procedures to identify, respond to, mitigate, and document security incidents and their outcomes
  • That a breach notification process be in place to notify impacted individuals, the media and the Secretary of DHHS upon the discovery of a breach of Protected Health Information (PHI)
  • That the company enforce a breach notification process over its business associates

Financial institutions that must comply with the Gramm-Leach-Bliley Act (GLBA) must implement response programs that specify actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.

5. What will a breach cost a company, in terms of money, reputation, and continued ability to do business?

I would point to the Ponemon Institute, as they provide numerous studies on the impact of breaches. For example, a couple of weeks ago, Ponemon published the Fourth Annual Benchmark Study on Patient Privacy & Data Security.


Don’t Forget the Basics to Protect Against Security Threats and Your Online Reputation

Jessica Merritt of Online Reputation Management recently asked the question: what are the biggest security threats facing companies today, and how do they have the potential to affect reputation? In her article, she identifies 9 tips to protect against security threats and compromised reputations. While one of my tips was included in her article, I’d like to add the following advice to help companies protect against a cyber attack:

When it comes to information security many organizations, no matter their size, lose sight of the basics. Performing the proper due diligence around the “basics” can provide a solid foundation for advancement in computer resources and protection against the hacks and breaches.

Paraphrasing Kevin Mitnick from his 2000 testimony to the U.S. Senate Committee on Governmental Affairs (14 years ago), companies spend millions of dollars on the “solution,” only to ignore the weakest link in the security chain – the human factor.

Many of the hacks and breaches (social media, credit card, etc.) I would surmise are from missing the basics, including security awareness and training for the end-user. It is not uncommon these days to walk into a small shop/office where the employees are surfing the Internet, checking Facebook and their personal email, on the same system that they will swipe your credit card on when you check out. Providing basic user awareness in a fun and positive way can go a long way.

The “basics” – such as requiring strong passwords, monitoring, disabling and filtering unnecessary services, and least privileged account access are still being missed today. How we implement these items is relative to our business.

Implementing these “basics” takes resources and discipline, so it is not an effort to be taken lightly. Often these basics get swept under the rug and forgotten about – a server is built with extraneous services available and/or developer’s administrative credentials are left on that box when it goes into production. It’s these “basic” things that add up and present risk to an organization.

7 Security Tips for Mobile Users

Joe Stangarone, writer, MRC's Cup of Joe Blog, August 12, 2014

Summary: As smartphone usage grows in the business, many users still don’t understand proper security practices. If not addressed, this problem could put their (and your company’s) sensitive data at risk. Learn how your users can better protect themselves from mobile security threats. 

The rise of smartphones and tablets in the business opens up a new world of opportunity. We’ve seen businesses use them for all sorts of tasks. For instance, we’ve seen businesses use smartphones to:

  • improve productivity,
  • automate manual processes,
  • improve data accessibility,
  • and much more

But, besides all these benefits, smartphones create something else: new security risks.

As more employees adopt smartphones, many still aren’t aware of proper security practices. If not addressed, this problem could put your sensitive corporate data at risk.

Today, let’s uncover some mobile security tips that could help you avoid a security breach. Now, this is a broad topic, so I’m breaking it up into two articles. We’ll cover some security tips now, and the rest in an upcoming article. Sounds good? Alright, here are 7 security tips for mobile users:

1. Be wary of public WiFi (and bluetooth)

Public WiFi hotspots are convenient…but insecure. Here’s a good rule of thumb when using public WiFi: Assume someone is watching.

Does that sound a little paranoid? Consider this: A few years back, researchers created a Firefox plugin called “Firesheep.” They built it to highlight the security risks of public WiFi. What does it do? Firesheep lets anyone watch your activity on an unencrypted network (like public WiFi). No hacking skills needed.

That should make you think twice before pulling up sensitive information on a public network.

2. Use a VPN

So, should you avoid all public WiFi? Not necessarily. If you must use public WiFi, protect yourself with a Virtual Private Network (VPN). A VPN installed on the device will help protect you from the risks of public hotspots.

3. Secure your device with a password

Here’s a shocking statistic: 3.1 million American consumers were victims of smartphone theft last year. That number will rise this year.

What’s worse: Most consumers still do not lock their phones. They don’t use passwords, passcodes, unlock patterns, etc. What does that mean? If their phones are ever stolen, the thief has instant access to everything on the device.

4. Use lock/locate/wipe software

The best security advice: Assume your phone will get lost or stolen. How will you get it back? How will you ensure that your (or the company’s) sensitive data isn’t compromised? As explained below, you must be able to remotely locate or wipe your phone if necessary.

“Devices should be configured so that they can be remotely locked, located and wiped in the event of loss or theft,” says Paul Hill, Consultant with SystemExperts. “All staff should be taught to promptly report a loss or theft so that the device can be remotely locked, wiped, or located, in a timely manner.”

5. Don’t store sensitive corporate data on the device

Even if you take the above precautions, a determined thief could still access data on a phone with the right tools. The best defense: Don’t store sensitive corporate data on your device in the first place.

What does this mean for the business? How do you give employees access to the data they need while maintaining security?

6. Be cautious with apps

Going one step further, you should approach every app download with caution–even those from reputable app stores. Why? Once installed on your phone, apps can access almost everything on the device. Carefully inspect how much access an app requires before installing it. The app’s access requirements might surprise you.

7. Use anti-malware software

As smartphones become more popular, the amount of smartphone-specific malware grows. We’ve reached a point where our phones need malware protection almost as much as our PCs.

Expert Recommendations for Protecting Your Company from a Cyber Attack — and a Compromised Reputation

Online Reputation Management — Jessica Merritt, August 2014

With such serious security risks threatening every organization’s reputation, it’s clear that companies can benefit from tight security. And we’ve seen that even companies like Target that may think they have security under control still have serious room for improvement. How do security experts recommend that companies protect against security threats and compromised reputations? Read on for their recommendations: 

  • Give security the attention it deserves: “When a company’s reputation is at stake, it’s a grave error to treat security as a mere compliance checkbox,” says Maler. Perhaps the most important step to better security is realizing that it’s likely you can always do better.
  • Get help from customers: Maler recommends instilling confidence and better security simultaneously by getting customers involved. “Better security doesn’t have to impose new inconveniences on customers if you weave contextual factors into user interactions, such as treating the use of previously unseen devices or surprising combinations of time, place, and task as more suspicious,” she says. “You can even ally with your legitimate customers to be on the lookout for bad actors by letting them configure the ability to receive notifications of account activity as it happens.”
  • Secure networks, no matter what: “Whether you’re 500 employees strong or just a two-man operation, it is always important to work over a secure network,” insists Vysk Communications CEO and cofounder Victor Cocchia. “In the office, Wi-Fi connections should be placed behind the company firewall. When mobile, always use a Virtual Private Network (VPN) connection when signing in to any outside or unknown Wi-Fi system. You can set up your own VPN for as little as $199.” He recommends that instead of using public cloud services like Dropbox or Google Drive, companies should utilize VPN and private servers.
  • Make customer privacy a priority: Cocchia recommends that companies implement and enforce robust privacy policies and practices. This includes Secure Sockets Layer (SSL) certificates, and policies against discussing or transferring data like passwords, company financials, and credit card numbers over non-secure channels such as email, text, or Skype.
  • Add multiple layers of authentication: Missouri University of Science and Technology professor of computer science Dr. Sanjay Madria encourages organizations to think beyond login and password access. He points out that many companies still use only one level of authentication, and while many are now adding multiple levels, they still have a long way to go.
  • Boost employee security training: Employees are often the first line of defense (or access) for hackers. Roth shares that businesses need to educate employees. After all, security tools are only as good as the people using them. “Tell employees to not open up shady e-mails, or to hover over any links to make sure they are going to the right place,” says Roth. “Don’t download attachments and files from e-mails you are not aware of. When you are online, be sure to only visit safe sites and always have your antivirus and firewalls up to date.”
  • Insist that company devices remain secure: SystemExperts consultant Jason Rhykert points out, “It is not uncommon these days to walk into a small shop/office where the employees are surfing the Internet, checking Facebook and their personal email, on the same system that they will swipe your credit card on when you check out.” This is clearly a security risk — and one that must be contained.
  • Use adequate firewalls to protect sites: Roth warns that a free software firewall is not enough. Major firewall protection should be used, and it’s important that patches are installed and up to date on all of your servers. Roth also encourages companies to keep as much information disconnected from the Internet as possible.
  • Don’t overlook the basics: Rhykert encourages companies to not forget about basic security protocols. He insists that companies need to cover basic but essential issues like end user awareness, strong passwords, how to spot phishing/vishing attacks, disabling/filtering unnecessary services, patches, the concept of least privilege, and change control.

See more at Online Reputation Management. 


Tips for Minimizing IT Security Risks at Work

The unfortunate reality is that you are at the same risk level at work as you are anyplace else. In other words, you should protect yourself at work as if you are using a public Wi-Fi at the local coffee shop. Why is that? Email phishing and infected websites (e.g., with ransomware) are two of the most prevalent types of Internet security risks.

Most of the things that you can do to protect yourself are simple, common sense actions that you can easily control: Internet security is not really about complex, expensive or pervasive technology. Unfortunately, the bad guys prey on the fact that most people won’t follow these simple rules.

Here are some basic yet effective tips on helping to protect both you and your employer:

  • Keep your browser up to date with the latest installations
  • Don’t click on links in emails that you are not absolutely sure are safe
  • Use antivirus products that have URL safe lists and block known harmful sites
  • If you are making an online purchase, never enter your credit card unless you see that the site uses SSL (i.e., HTTPS) to keep your credit card secure while the data transits the Internet
  • An up to date browser has everything you will need to browse the Internet. If a web site asks you to download something, the general rule is DON’T
  • In email remember the most basic principle of all: no business or organization that you already have a relationship with is going to ask you for sensitive or private information. If an email is asking you for anything like that, it is likely an attempt to steal your identity
  • This one will make your eyes roll, but it’s true: use strong passwords and change them periodically

Safety First: Cyber Security Facts Every Business Owner Should Know!

It seems almost every week we hear about another hack affecting a large retailer or online service. Why are these happening more and more often, even with the heightened focus on security we should be seeing? It turns out there are a number of causes, and not all are under our control. This is a short introduction to the world of online attack and defense for the uninitiated.

Follow the Money
The primary reason online crime exists is — of course — money. Organized crime syndicates around the world have discovered that not only is cybercrime very profitable, but it is also much easier and less risky than running the standard drug and prostitution trades. You can pay a handful of young, bright individuals a lot of money to find ways to attack online businesses and still come out far ahead compared to the cost of running traditional rackets.

In addition, there are no geographical limitations. There are a large number of very sharp but unemployed computer science engineers in Eastern Europe or Southeast Asia, and they are typically underpaid compared to a lot of the Western world. All one has to do is recruit a number of these people, pay them fabulously (by local standards) to ease any ethical hesitation on their part, and go to work.

Once attacks have been created and planned, you need servers to work from. Unfortunately, it is trivial to find server hosting firms willing to look the other way in countries with little or no Internet regulation or oversight. Now, the world is your oyster. No matter where the attacks originate, they can reach anywhere in the world.

The Attacker Always Has the Advantage
Software is complex, and there are billions of lines of code running the world’s computers, networks and infrastructure. Statistically speaking, this means there are more bugs and vulnerabilities than you can imagine hidden in the software you and your vendors and e-commerce sites and credit card processors (and so on) are using every day. The attackers are typically not on any hard time schedule; they can take all the time they need to find the next major bug that you or your software vendor has yet to discover.

There are tools called fuzzers that send hundreds of thousands of different malformed inputs into applications, looking for an unhandled error or other evidence of a new vulnerability, and password crackers that can try millions of combinations every second.

Even if you patch regularly, use Microsoft/Apple/Red Hat update, run antivirus, use firewalls and detectors, somewhere there will always be another vulnerability that no one has planned for. That’s not to say that these measures are useless – like locks on the door, they will at least keep the casual criminal at bay. But like the locks, they only decrease risk, they do not eliminate it.

Many recent big compromises have come from perhaps unexpected angles – an electronic cash register running Windows XP, or a network login used by the HVAC vendor to check the status of the AC system.

Successful attackers are creative, and like the thief, do not usually attack via the front door. As a defender, it is difficult or impossible to think of every possible avenue of attack. Even if these weaknesses are known, it may not be possible to update software provided by a third-party vendor and it is not realistic to cut off all access to the world.

Speaking of Money
Companies can and should implement a defense in depth strategy: implementing an aggressive update and patching policy, deploying network and application firewalls, reviewing code from a security as well as functional point of view during the development process, and ensuring that security testing is performed on external and internal websites and networks. However, like everything else, this costs money.

Security is not sexy, and does not in and of itself attract customers. When budget dollars are being allocated, it is always tempting to spend money developing the next release or feature. These days, money is always tight, and security (hardware, software, and personnel) is always a tempting target for benign neglect. In one recent hack, the internal sensors deployed had been alarming for weeks, but no one was paying attention! In certain large corporations, data hacks are just another form of business and reputational risk, and are sorted and prioritized along with everything else.

What Can One Do?
We are all at the mercy of companies we have no control over and no visibility into. Businesses such as large banks and online retailers have a high reputational risk and tend to be conscientious about their security. Smaller sites and businesses are largely an unknown. In addition, many large businesses do not do their own credit card processing, but rather delegate it to a third party processor that you know nothing about.

1. As a consumer, deal with large, reputable companies online whenever possible. Visible third party payment services such as PayPal are generally safe to use even from small business sites.

Use a credit card for online transactions – do not use a debit card as these have weaker consumer protections in the case of fraud. Check your credit card statement regularly and carefully. Fortunately, credit card companies are amazingly good at detecting fraud and will usually contact you if they notice anything funny.

2. As a smaller online presence, update, update, update! This includes server-side software such as PHP and blogging or other software you may use. Regularly monitor the server logs for any sign of unusual or unexpected activity.

3. As a company with a website, see item 2 above. Deploy firewalls and network sensors to detect suspicious activity (or ensure your hosting vendor does). Make sure your website gets audited and tested regularly for security issues by a firm that specializes in this.

After Being Hacked
Computer forensics is a deep and complicated subject, and next steps depend on the systems involved and the nature of the hack. For all but trivial installations, it is best to contract the services of specialists for this. The only 100% safe solution is to wipe out everything and reinstall from the operating system on up, but this will not reveal how the attackers got in in the first place. You may well still be vulnerable.

Depressing Prospects?
The Internet is a gateway to the world, and to all the good and evil in it. If one is going to be on the Internet, one has to expect bad things may happen. Unlike a geographical “bad neighborhood,” any address on the Internet is easily reachable from any other place, so your Internet site is always just around the corner from bad actors. Just like a business in a bad neighborhood, if one is going to do business in this environment, one has to erect reasonable defenses, knowing full well that these defenses are not impregnable. However, the store with no bars and a glass door will certainly get broken into a lot quicker than the one next door that is properly defended.

Make your best efforts at digital defense in depth, patch as often as possible, monitor continuously. Get audited by professionals and implement their recommendations. These steps will not make you bulletproof, but will minimize the chances of successful attack, and will ensure any attack that does get through will be detected as soon as possible.

What Happens When You Click on a Bad Link

When you click on a link to open a web page, you are inviting the server on the
other end of the connection to make queries of your machine and to execute code
on your machine. While it is true that not every web page makes queries about
your machine or downloads code to your machine, the potential is always there.

Nearly every month there are new revelations about security flaws in browsers
or browser plugins: a new method of compromising a machine by getting a user to
visit a malicious web page has been found. Often the public announcement comes
at the same time that a security patch or update is available. But sometimes
the public announcement comes before a patch is available, sometimes with the
caution that exploits are already being observed on the Internet. And of
course, we all have to worry about what hasn’t been announced yet.

As recently as June 10, 2014 there were announcements from both Microsoft and
Adobe about recently discovered flaws that could lead to attackers being able
to remotely execute code when a user opens a malicious web page or opens a
file sent to the user. The flaws appeared in Adobe Flash, Adobe Air, Internet
Explorer, Windows, and Microsoft Office including Word. Some of the Adobe
issues affect Macintosh, Android, and Linux as well.

Every time a user visits a web page, a user agent string is sent by the user’s
browser to the web server. An example user agent string is “User-Agent:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0.”
This reveals to the web server information about the operating system being
used, the web browser, and their versions.

The browser will also tell the web server what types of content and encoding
it will accept, for example:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
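To make concrete what a server can read from the two headers quoted above, here is an added Python example (not from the original article) that parses that User-Agent string and Accept header and flags a browser version below a minimum an administrator chooses; the Windows NT version names and the minimum-version table are assumptions of the example, as is the idea of running it over web server access logs to spot out-of-date browsers.

```python
import re

# Request headers constructed from the example quoted in the text above
# (Windows 7 / Firefox 29 User-Agent plus the two Accept headers).
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Encoding": "gzip, deflate",
}

# Assumed mapping of Windows NT kernel versions to product names (not from the text).
WINDOWS_NT_NAMES = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
                    "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10"}

def parse_user_agent(ua):
    """Return the OS, bitness hint, browser and version a server can read from the UA."""
    info = {}
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        info["os"] = WINDOWS_NT_NAMES.get(m.group(1), "Windows NT " + m.group(1))
    # WOW64 means a 32-bit browser running on 64-bit Windows.
    info["wow64"] = "WOW64" in ua
    m = re.search(r"\b(Firefox|Chrome|Safari|Edge)/([\d.]+)", ua)
    if m:
        info["browser"], info["browser_version"] = m.group(1), m.group(2)
    return info

def parse_accept(header):
    """Split an Accept header into (media type, q) pairs, most preferred first (q defaults to 1.0)."""
    prefs = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        q = 1.0
        for p in parts[1:]:
            if p.startswith("q="):
                q = float(p[2:])
        prefs.append((parts[0], q))
    return sorted(prefs, key=lambda t: -t[1])  # stable sort keeps header order within a q

def version_tuple(version):
    return tuple(int(x) for x in version.split(".") if x.isdigit())

def is_outdated(info, minimums):
    """True if the browser is below its minimum in `minimums` ({browser: version string}).
    Unknown browsers are reported as outdated so they get looked at rather than ignored."""
    browser = info.get("browser")
    if browser not in minimums:
        return True
    return version_tuple(info["browser_version"]) < version_tuple(minimums[browser])

if __name__ == "__main__":
    ua_info = parse_user_agent(SAMPLE_HEADERS["User-Agent"])
    print(ua_info)
    print(parse_accept(SAMPLE_HEADERS["Accept"]))
    # Constructed policy for the example: flag anything older than Firefox 30.
    print("outdated:", is_outdated(ua_info, {"Firefox": "30.0"}))
```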

If the browser allows JavaScript to run, and most configurations allow this by
default, the web server can also learn about installed plugins, installed
fonts, the screen resolution, color depth, and timezone. This information may
enable a web site to determine what code it could send to your browser that
would lead to a successful exploit. You may not think that a list of installed
fonts reveals much, but in some cases a combination of installed fonts might
reveal that a specific application has previously been installed on the
system.

The EFF Panopticlick web site <https://panopticlick.eff.org/> focuses on the
issue of privacy and how web sites can identify users and track them even if
the user has limited or disabled cookies. Links provided on the site give some
information about what information the site gathers and the techniques it
uses.

Keeping your system up to date with all of the most recent security patches is
a good practice. However, keep in mind that your system is still susceptible
to vulnerabilities that vendors have not yet patched, or may not even be aware
of yet.

How to know your software vendor is serious about security

by Sue Poremba, Central Desktop, June 2014

According to a recent survey by Bitglass, more than half of large companies and a third of SMBs are avoiding cloud adoption. The reason is simple: companies of all sizes are not convinced the cloud is secure.

“Concerns about security are not only not decreasing; they’re increasing. A previous report from October 2011 indicated 25 percent of businesses expressed some concern over cloud security, but that figure increased to 42 percent in July 2013,” Chris Talbot wrote in a Talkin’ Cloud article.

Searching for cloud security

No matter how users feel about security, cloud computing is only going to grow. Gartner predicts that cloud computing will be the bulk of new IT-related spending by 2016, which follows the growth of mobile technologies and the rise of the global workforce. Cloud adoption will be inevitable for most companies, so the time has come to face the security questions head on.

Nothing connected to the Internet will ever be 100 percent secure. However, when IT departments and management work closely with software vendors, they can develop solutions that add layers of protection for data stored in cloud formats. That starts with knowing whether or not your software vendor is on the same page as you when it comes to cloud security.

Establishing an evaluation process

Businesses should have an established process for evaluating risk, evaluating vendors, and performing due diligence before signing a contract with a cloud vendor, says Paul Hill, senior consultant with SystemExperts, a network security consulting firm specializing in IT security and compliance. “If the business does not have experience doing this, it should consider engaging an experienced third party to assist in the process.”

There needs to be transparency in the process, Hill adds. The vendor needs to be forthcoming when it comes to its security practices and procedures. That includes how often it conducts security audits.

“Some vendors will only provide a copy of an annual certification or compliance letter, while other vendors are willing to share detailed reports performed by a third party assessor,” Hill says. “Unfortunately, a willingness to share details is not always an indicator of how secure the vendor actually is. It can also reveal overconfidence, or a lack of understanding how sensitive the information contained in an assessment may actually be.”

Questions to ask

Software vendors who take security seriously want clients to ask questions about security practices. But not everyone is familiar enough with security basics to know what those questions should be. According to Peter Lipa, regional director for Sticky Password, an encrypted password management company, here are some concerns that should be addressed:

  • Encryption: What algorithms are used for backend data storage?
  • Does the vendor have access to my data? If so, which vendor employees have access? What is the vendor’s screening policy for those employees?
  • How will my data be stored and protected?
  • Authentication: what type of authentication is required (i.e., single factor or two factor)? If the authentication system involves passwords, then how does the vendor handle passwords (are passwords sent to users in plain text, etc.)?
  • Access control: How are the various levels of access granted and controlled?
  • Basic vendor network security, such as firewalls and antivirus software
  • Data center physical security
  • Compliance with various regulations if needed – Sarbanes-Oxley Act (SOX), Health Insurance Portability. If your company uses credit cards, is the vendor PCI compliant?

Multiple vendors may give similar answers. If that’s the case, Lipa suggests asking a few more questions:

  • Do the vendors have experience in providing the specific solution they are proposing? Can the SMB afford to be the test case?
  • Is the vendor able to provide the support plan that you need? Even an SMB can have requirements for 24/7 support for five 9s reliability. For others, a next business day response is more than enough.
  • Does the vendor meet any/all necessary regulations, compliance or certifications the customer needs?
  • Is the vendor able to provide multiple services, thereby saving the SMB from the trouble of having to contract with various providers?

Finally, don’t be afraid to ask for recommendations from other business owners and IT professionals. In the end, you have to be able to trust the vendor to provide a level of cloud security your company needs.