Fighting Cyber-Threats With Innovative Tech

by Samuel Greengard, business & technology reporter, Baseline, Oct. 24, 2017

Increasingly sophisticated and dangerous cyber-threats require more innovative security approaches, including advanced automation tools, AI and blockchain.

The complexities of today’s cyber-security environment aren’t lost on anyone. It’s increasingly difficult to spot threats, detect intrusions, and thwart hackers and cyber-thieves.

“A cruise through the latest headlines about breaches is sobering,” says Lisa O’Connor, managing director and leader of Accenture Cybersecurity Research. “The sophistication level and the amount of data that folks are going after is frightening. Many of these events are concerted efforts to steal data, undermine organizations, and monetize information and intellectual capital.”

To be sure, it’s a critical time for businesses, government, educational institutions and others. Despite years of ratcheting up security and plugging holes, cyber-crooks continue to break into systems and steal data. A list of recent breaches includes prominent companies such as Equifax, Hyatt, Deloitte, Whole Foods and Pizza Hut.

Ponemon Institute reports that the average cost of a data breach now stands at $3.62 million. In 2017, the average number of lost or stolen records resulting from data breaches rose by 1.8 percent over the previous year. The mean time to identify and contain a breach now stands at 191 days.

Studies show that about 80 percent of organizations are affected by cyber-attacks. The takeaway? Cyber-security isn’t only the job of a chief security officer (CSO) or chief information security officer (CISO). It’s something that must span all corners of the enterprise—and beyond its walls.

While it’s important to focus on fundamental security tools and solutions—as well as practices and processes that protect digital assets—it’s also vital to tap next-generation technologies, such as blockchain, artificial intelligence (AI), automation and security-as-a-service solutions.

Automating Activities and Tasks

How can an organization adopt a more advanced and innovative approach to cyber-security? How can security teams mitigate threats in a world where there are no borders for data and connectivity? Basic firewalls, malware protection, intrusion detection and packet filtering are no longer adequate.

“You have to look for ways to automate activities and tasks,” explains Paul Hill, a senior consultant at SystemExperts, an independent security consulting firm. “You can’t shut down a set of IP addresses every time an attack occurs without interfering with the business or completely shutting it down. You can’t depend on whitelisting and blacklisting when the same attacks stream in from different machines and IP addresses.”

Various automation tools, solutions and technologies—along with well-conceived processes—can help security teams move beyond a reactive mode. Organizations are suddenly able to collect and correlate data rapidly, and from a wide variety of sources, while maintaining confidentiality of data, Hills explains.

These automation systems can rapidly identify the source of an attack and can aid in deploying critical patches, updates and other remediation tactics faster than attacks can spread. Likewise, they detect infections or intrusions faster than attackers can exfiltrate data.

AI is a crucial piece of the automation puzzle, Hill adds. Emerging deep learning and machine learning tools can spot abnormal or suspicious behavior in log information and network flow data. This typically includes firewall logs, load balancer logs, operating system logs, application logs, and other data that often wind up in a traditional System for Cross-domain Identity Management (SCIM) system.

In addition, Accenture’s O’Conner advises keeping an eye on an emerging area of machine learning that revolves around data classifications. “Many organizations have no idea what value their structured and unstructured data have, and yet they have to apply the right security to the data.” Other emerging areas for AI include penetration testing and spotting social engineering attacks.

The quest for more innovative and holistic cyber-security is also leading organizations to blockchain technology. A growing number of enterprises are using the technology internally, O’Conner points out. The next step is expanding blockchain to business partnerships and across supply chains.

SystemExperts’ Hills says that the technology is particularly valuable for managing distributed ledgers, tracking goods in transit and collaborative editing. In addition, vendors are introducing products that use blockchain to secure sensitive records, replace PKI with keyless signature infrastructure, and use KSI to reduce reliance on passwords. Organizations are also turning to blockchain to develop secure, decentralized messaging systems.

Balancing Technology and Processes

A growing number of organizations are also turning to security-as-a-service (SECaaS) solutions. This can further aid in the quest for greater automation.

One of the problems with a conventional security framework, Accenture’s O’Connor says, is that organizations too often approach tasks in an uncoordinated and haphazard way. An ad hoc method may lead to gaps, glitches and breakdowns.

The fallout, according to SystemExperts’ Hill, is inconsistent patching, firmware updates, and the use of tools ranging from encryption to multifactor authentication. In addition, organizations are more susceptible to staff misusing administrator accounts.

A managed services approach typically addresses these issues and helps enforce a unified policy for multiple locations and across physical and cloud infrastructures. It can also help organizations scale security solutions faster, while also reducing overall complexity.

In the end, Accenture’s O’Connor advises, business, IT and security leaders must better balance processes and technology. There’s a greater need to handle the basics, including investing in security and building seamless protections into the fabric of the organization.

That involves educating various groups and constituencies—including both developers and senior executives—to spot and address potential problems and implement best practices. It’s also essential to understand how emerging tools and technologies—AI, blockchain, automation and managed services—can take cyber-security to a higher, more reliable level.

Of course, these tools aren’t a panacea, and no technology by itself will solve today’s cyber-security challenges. Moreover, as the internet of things (IoT) gains adoption and cyber-thieves use AI, cyber-security headaches and battles are likely to grow.

“Organizations must create continuous security that extends to partners and into a supply chain,” O’Connor emphasizes. “They must adopt a data-centric and multi-layered approach. Today, the keys to success are standardization and automation. It’s all about introducing a more orchestrated and holistic framework for security.”

To read the article in Baseline, click here.

 

Tips to Maintain IT Security Equilibrium at a Small Company

Ask where somebody working in IT security at a small company got started, and there is a good chance it had nothing to do with IT security at all.

Considering the management infrastructure of the typical small organization, IT security is usually handed off to somebody who knows little about it, usually somebody from the IT group or even an office administrator.

So, if you are new to the field, how do you measure success? What are you supposed to tell your manager to satisfy concerns that you are effectively doing your job?

What you want to be able to say is this: “We haven’t detected any website or network perimeter attacks recently, our machines are free of viruses and malware, our communications are secure, and our systems and data are available and operating securely.”

How do you maintain this state of IT security equilibrium? More than anything, it requires diligence and discipline:

  1. Don’t let good stuff out – Maintain and actively monitor external communications using Data Loss Prevention tools (i.e., firewalls, web proxies, email content filtering, encryption, etc.) to identify and prevent the external communication of sensitive data.
  2. Protect against user issues – Maintain and actively monitor the deployed anti-virus solutions, by making sure all systems are appropriately patched and running the latest virus engine and definitions in order to quickly identify and quarantine/clean any viruses, malware, and potential ransomware.
  3. Protect the internal systems – Maintain, patch, and actively monitor the configurations of all systems, appliances, servers, desktops, laptops, and applications, so any unauthorized changes can be quickly detected and addressed.

Once you’ve established the baseline and monitoring is in place, start testing/hacking/scanning the environment to see how well you are doing. For example, if you can hack yourself, your systems are not secure. If you can’t detect the hack in a timely manner, your monitoring is insufficient. Keep a careful record of security testing reports so you can keep track of progress and communicate how successful you are to management.

Just remember, a smart way of approaching IT security is to constantly be thinking about how the “bad guys” operate. Identify the weak spots they might be able to take advantage of, and then take corrective measures to protect against them. If you follow these steps, you will be able to effectively maintain an IT security equilibrium for your organization.

No Compromises with the Latest Cybersecurity Threats

by Samuel Greengard, business & technology reporter, ChannelProNetwork, Sept. 8, 2017

Business process compromise attacks represent a growing risk. But channel pros can help their clients address the problem.

AS THE DIGITAL AGE UNFOLDS, it’s increasingly clear that the weakest link in cybersecurity is humans. People click bad links, open infected files, and succumb to an array of other social engineering tricks. As a result, business email compromise attacks have emerged as a significant threat. Indeed, the FBI reports that the crooks behind such schemes have netted $5.3 billion globally since 2013.

To make matters worse, though, hackers are now conducting business process compromise (BPC) attacks as well—and virtually no company is immune. Jonathan G. Gossels, president and CEO of SystemExperts Corp., an independent cybersecurity consulting firm based in Sudbury, Mass., says BPC attacks come in one of two forms: those that impersonate an executive requesting that a user take a particular action, and those that use links or attachments to deliver ransomware.

Protection Schemes

Security vendor Trend Micro Inc., of Irving, Texas, considers BPC exploits a potent threat too. “Attackers leverage either common vulnerabilities or social engineering to gain a presence on the network. Then they use custom code to alter the target business process,” points out Mark Nunnikhoven, the company’s vice president of cloud research. What makes these attacks so dangerous is that intruders typically avoid detection until they have reaped “a significant and direct financial gain,” he adds. “By the time you recognize an attack has taken place, it’s too late.”

There are ways to combat the problem and minimize the risk of a breach though. According to Nunnikhoven, a channel pro should focus on these key areas: ensuring that there’s deep visibility into client networks and infrastructure; mapping systems and workflows in aggregate rather than examining isolated applications, tools, and processes; and using a holistic “start-to-finish” approach that identifies weaknesses. It’s important to ensure that “each phase of the process verifies the input from the previous,” he adds.

Education Counts

While the right IT tools can aid in detecting and filtering forged emails, fake domains, and other risks, they can’t prevent an employee from responding to spear-phishing attacks or accepting a phone call from a criminal masquerading as a senior executive requesting a funds transfer, both of which involve human interaction. As a result, checks and balances are critical.

“You must address the problem through a combination of enhanced filtering capabilities, better business processes, and education,” stresses Gossels. Rethinking authorizations and other tasks is paramount as well.

Make no mistake, though, business process compromise attacks aren’t going to disappear anytime soon. Direct financial losses and ransomware demands can reach into the tens of thousands of dollars—if not more. “We see more and more criminals attempt and succeed at these types of attacks,” says Nunnikhoven. “The good news is that channel pros are well positioned to help clients defend themselves.”

 

The Future of Our Energy Grid: Vulnerabilities as it Shifts from Fossil Fuels to Renewable Sources

Our electric grid is comprised of generation facilities, high voltage transmission networks, substations, renewable point generation sources, and low voltage distribution networks.

Protecting the electric grid from cyber-attacks is complicated by its enormous scale – upwards of 7,000 power plants, more than 150,000 miles of high voltage transmission lines, and more than 50,000 substations. Some are managed by massive regional super utilities and others by small municipal utilities.  Add into this the interconnections among these power systems and the complexity is unimaginable.

Two further complications are the reality of old infrastructure that was designed to be robust against typical weather related events, but not today’s cyber threats and the asymmetrical nature of the threat. Inexpensive small attacks can have crippling impacts on the US economy.

The core large scale generation systems and high voltage transmission networks are better prepared to deal with cyber-attacks than the periphery. The North American Electrical Reliability Corporation (NERC) has developed rules governing Critical Infrastructure Protection (CIP). These rules describe both the physical and electronic controls such as authentication, authorizing actions, and monitoring for attacks.

Background Note: Cyber-attacks on electric grids are usually either Denial of Service (DoS) attacks, which tend to be brute force attacks intended to simply overwhelm the control computers or more sophisticated Business Process (or machine) Compromise attacks (BPC).  These BCP attacks target specific devices in the grid and disable them (think Iranian centrifuges).

The problem with wind and solar generation is that they are generally small scale facilities that connect at the periphery – the least cyber secure part of the grid.

One final problem to ponder is the culture of the US power industry itself; this is an industry that moves at glacial speeds. It is common for technology refresh cycles to be measured in 10 year increments. That is good from a durability perspective, but completely misses the mark from a cyber security perspective.

The Best IT Security Policies Reflect the Value of Simplicity

90 percent of what we do to help people get better security is focusing on straight-forward common sense and having consistent policies and procedures.

To be good at what we do, we always work to make things as simple as possible for our customers because we recognize human behavior, and it is so much easier to remember and do simple things.

People often think of IT security as lots of mathematics and ones and zeroes, but human psychology is an equally important part of the field. Processes and procedures that take human behavior into account are always going to be much more effective.

We often see organizations that have security policies that are very long, intricate documents that need to be read and reread and reread to understand and remember. A shorter, more concise document is better.  Even better, the best policies are ones that are enforced through software or hardware so they do not have to be remembered.  Here are a couple of examples.

Think about security passwords. We all know that complex passwords (case sensitive, allowing special characters, etc.) are more secure and should be changed on a regular basis (depending on the business requirements, perhaps every six months). But who remembers to do that or really wants to do that on their own? Software is available to help employees manage these changes automatically, rather than requiring them to do it by themselves.

USB drives are a leading cause of viruses and malware – but people use them anyway. The solution?  Software that automatically scans all devices prior to use.  The result is the best of both worlds, simplicity and security, a combination of benefits we strive for.

When it comes to IT security, the bottom line is that simple and straight-forward is smart.

Tips to Protect Against Ransomware

Following the Wannacry outbreak, we were reading about another attack, called Adylkuzz. Both cyberthreats rely on a Windows bug that was patched on March 14 and only affect PCs that haven’t installed the latest version of Microsoft’s software updates.

In light of this news, I thought it would be timely to talk about some common sense recommendations for dealing with ransomware.

Most important, if at all possible, you don’t want to react or try to remove ransomware, you want to prevent it from ever happening. It sounds like stating the obvious — and it is!

How do you prevent it from happening? The good news is that like phishing exploits, the vast majority of recommendations are straightforward changes to software or the operating system that you use.

  • Keep your browsers, plug-ins, operating system and anti-virus up to date.
  • Don’t click on links in emails you are not 100% certain of.  Just don’t!  Many ransomware attacks are using the tried and true phishing techniques of spamming you with malicious attachments or URL links.
  • Don’t click on ads: even on sites you trust.  Another common method is when the attackers compromise legitimate sites embedding malware in ads.  Use ad blockers in your browser if you can.
  • Don’t visit suspicious or unreliable web sites.
  • Software or system changes:
    • Show hidden file extensions to make it easier to spot suspicious files
    • Don’t allow emails with .EXE extensions or double extensions (e.g., .PDF.EXE)
    • Scan ZIP archives sent in email
    • Disable the Remote Desktop Protocol (RDP)

Having said all that, just in case you don’t prevent it from happening, the single most important task is to backup all of your important data regularly to an offline source.  Offline can be as simple as a USB drive that you only plug into your system during the backup process and then unplug immediately after it is done (Note: when you do plug this USB drive into your system to do the backup, the very first thing you should always do is scan it for viruses).  By doing regular backups, if you are hit with ransomware, you have a safe copy of all of your data.

 

Disaster Recovery & Cybersecurity

I’d like to share answers to questions recently asked about disaster recovery.

1. What advice would you give to tie cybersecurity protection and IT disaster recovery together for business continuity?

There are a number of activities performed by the IT operational group within an organization that deal with Disaster Recovery. They include performing data backups, using primary/backup datacenters, and replicating data to backup datacenters. In many situations, determining the criticality of systems to determine what gets backed up and how often it gets backed up is done in an ad hoc manner and not driven by a sound set of risk management principles. Developing and implementing a formalized Business Impact Analysis process will allow a company to get inputs from the business departments (as to what’s important) and help justify all the decisions made with respect to the following:

  • Recovery Time Objective (RTO) or how much time before failure of the system hurts business
  • Recovery Point Objectives (RPO) or how much data (in time) can the company afford to lose
  • Redundancy strategies
  • Backup frequencies

The criticality of a given system drives these decisions. So, if a system were to fail or otherwise be impacted by an incident, a sound plan can be established to either:

  • Automatically failover to a redundant system with replicated data
  • Obtain and restore from backup at a backup datacenter location
  • Obtain and restore from backup at the primary datacenter location

2. How can one use Disaster Recovery-as-a-Service to protect against or solve for security incidents?

DRaaS is not necessarily a new thing. Datacenter service providers have other companies have offered DR services like hot sites, warm sites, and even cold sites for years. The problem has always been a balance of the cost of having a hot site or mirrored image of the system and being able to automatically failover versus the cost of having a warm site (location with equipment but the systems and backup data will have to be loaded) or a cold site (building only). Using a DRaaS provider allows a company to utilize a cloud-based virtualized configuration (hot or warm site) with a much less reduced cost. If as particular system were to fail or otherwise be impacted by an incident, the DRaaS provider could be used to bring up the impacted system in a quicker manner than having to go through the manual process to (1) obtain the backup tapes, (2) move them to the backup site, (3) configure the systems, (4) load the backups, (5) test that the backup and system are fully operational, and (6) point all other systems to the backup system.

3. How can IT disaster recovery and a strong cybersecurity plan complement each other to protect sensitive data?

Establishing a formalized Business Continuity and Disaster Recovery process, driven by a well-maintained Business Impact Analysis process, can ensure that all activities associated with a given disaster (i.e., including failed systems, security incidents, or even natural disasters) can be accomplished based on proper planning and sound decision-making.

 

How to secure data across multiple platforms

by Esther Shein, Contributing Writer, enterprise.net, April 24, 2017

When you adopt cloud services, some of your data is inevitably out of your direct control. Here’s what you need to know.

By now, moving at least some business processes to the cloud is not a question of if but when. So how do you keep your information safe while embracing all the benefits cloud computing offers?

Even if the enterprise is using private clouds and virtualization, your data may physically reside in infrastructure that is owned and operated by an external service provider.

When control is shifted to a third party that owns, operates, and manages infrastructure and computational resources, it is incumbent upon security professionals to put measures in place to maintain the safety of their data. It comes down to doing your research and due diligence, figuring out your threshold for risk, and not giving up all of the keys to the castle.

Ask questions, conduct audits

There is no single measure or technique that can keep a company’s data secure, regardless of whether you use an on-premises data center or the cloud, notes Paul Hill, senior consultant at System Experts. “When using the cloud, an organization has to understand what responsibilities are outsourced to the cloud vendor and what will remain the responsibility of the organization,” he says.

First and foremost, ask for credentials when evaluating a cloud service provider (CSP). What level of trust and reputation does the provider have in the market? How will it protect valuable data and personal information? “It’s important to ask these questions and have the CSP describe their security operational controls, such as how they handle security breaches and how threats are addressed, as well as how certain insider threats are identified and countered,” advises Thomas Hogan, sales specialist for BT Cloud Compute. Additionally, organizations should deploy identity access management to control the security credentials in the cloud and manage who has access to what information.

Hill agrees: “Without careful oversight, it is all too easy for someone in an organization to misunderstand the responsibilities and assume that the cloud provider is doing more than they really are.” For example, if a CSP states that it has achieved PCI compliance, does that mean that your applications are automatically PCI compliant? Or is the scope of the compliance limited to the payments made by customers to the CSP? “Strong IT governance by knowledgeable individuals is essential, or the organization should engage a third party with the expertise to review the issues,” he says.

“If your organization is required to keep its data within a geo-location due to regulatory issues, you should make the CSP describe how it will ring-fence or guarantee data will not cross borders,” adds Hogan, “It should also address access methods, encryption techniques, and all authentication processes needed to access data.”

In terms of the responsibilities the CSP is willing to provide, the organization needs a mechanism to determine how well the service provider is implementing the security controls, Hill says. “This is typically done by a combination of testing and relying on independent security audits under a compliance program,” he notes. “In some cases, an organization may not be satisfied by a compliance statement, and it may require that it perform its own audit.”

This tends to be more practical when using a small cloud provider. Amazon, Microsoft, and Google generally don’t allow customers to perform their own audits, he points out: “Customers of those providers usually have to be satisfied by compliance certifications and some form of testing that they can perform.”

In some cases, depending on the sensitivity of the data and the nature of the customer relationship, an organization may want or even need to assume some of the responsibilities the CSP is willing to provide, says Hill. For example, an organization might determine that it needs to encrypt its data at rest. Many cloud services provide some level of cryptographic key management. But an organization might decide that the cloud provider should not be able to decrypt the data.

“In that case, the organization will need to assume all aspects of key management or use a third party to perform the key management,” he says. “If an organization wants the ability to see any subpoenas served and control the response to them, then encrypting the data with keys under its own control is a critical control.”

To read more about securing data across multiple platforms, click here.

 

 

Tips to Prevent Online Identity Theft

There are few new trends in online identity theft, although some attacks are becoming more sophisticated, the basic steps to prevent exploits remains the same.

Be on the lookout for attacks that use broken English in the message body. While most now use proper English and use the same style and logos that are used by the companies the message purports to be from, many attacks can be detected through awkward and incorrect use of grammar.

Phishing attacks are also becoming more focused. Businesses that frequently use FedEx to ship packages often see forged emails that appear to be a warning about shipping delays or undeliverable packages.  Law firms are seeing emails that ask employees if they remember working on a specific case. And just this week the US-CERT issued a warning about email-based phishing campaigns targeting airline consumers. 

There are several steps that people should take to reduce the likelihood they will succumb to an online attack, easily identify when their online identity has been compromised, and recover from an infection.

If a service that you use offers multi factor authentication or two-factor authentication, enable it and use it.

Do not reuse your work passwords for any non-work services. Use a unique password for each service.  Use a good password manager that includes a password generator (as long as the use of a password manager does not conflict with your employer’s policies).

Consider using an obfuscated unique username for any financial management, banking, or healthcare related sites that do not use an email address as your username. If the system’s list of usernames is stolen, this can help prevent attackers from using the information from multiple sites to craft a well targeted phishing attack. For example, if my typical username is John_Smith, I might use 77JMS_47 as a banking username. If I receive an email from my bank that contains the username John_Smith I know to delete it.

Here are key tips to remember:

  • Do not click on embedded links in an email message unless you explicitly trust the source of the email.
  • Do not download any software that you are offered from the Internet. If you think you need a software package, ask your corporate IT department for advice or authorization.
  • Make sure your antivirus is installed, current, active, and is configured to automatically update at least once a day.
  • Make sure you have an automatic backup process and that backups are being performed successfully. Take the time to learn how to perform a restoration from backup before you need to do it in an emergency.
  • Do not send information that an attacker might be able to use to steal your identity in clear text. This includes passwords, account numbers, personally identifying information. (This advice also extends to any information that you would prefer never to appear on a public web page and associated with your name.)
  • Be cautious about visiting websites. In the physical world, people are cautious about visiting neighborhoods known to have a high crime rate. The same judgment  should be used when surfing the web.
  • Segregate all of your online purchases on a single credit card and your offline purchases to a different card so you will able to more easily recognize fraud.
  • When getting rid of an old computer, physically remove the hard disk and destroy it, or securely store it, so that nobody can read any data that might remain on the disk.

 

US Border Policy Shifts May Drive Changes in Laptop Security

by Ericka Chickowski, Contributing Writer, Dark Reading, March 31, 2017

In-cabin laptop ban and requirements to unlock devices for border patrol could have enterprises revisiting their on-device data policies.

The new travel ban enacted by the U.S. Department of Homeland Security for laptops in the cabin of flights from certain countries may have corporate risk managers revisiting policies about how road warriors handle data on laptops and mobile devices.

Enterprise employees may find that government actions won’t just put a crimp on convenience but could also have heavy implications – from a regulatory and intellectual property protection perspective – when combined with growing powers of US Border Control to demand travelers unlock their devices for inspection. As things develop, large organizations doing international business may be facing a new minefield when it comes to device-based data portability in and out of U.S. soil.

At the bare minimum, experts believe this latest decree by the feds will bolster resolve for existing policies on endpoint security as worries about devices disappearing from checked luggage grows.

“It’s going to force people to actually implement and enforce the policies they have on paper,” says George Wrenn, CEO and founder of CyberSaint Security, and a research affiliate MIT’s (IC3) Critical Infrastructure Protection Program. He explains that most large organizations already have policies on device encryption, authentication and data storage to plan for loss or theft. “They’re just not enforced,” he says, “because people will carry their laptops and they’re considered to be using other compensatory strategies to prevent the loss of intellectual property and data.”

The question now becomes how to effectively enforce policies that have long been ignored, says Jonathan Gossels, president and CEO of SystemExperts.

“This is not rocket science.  We are talking whole disk encryption, good quality passwords or two factor authentication, and key management,” he says.  “Blocking and tackling, but it has to be enforced by each company to be effective.”

Nevertheless, even with the basic blocking and tackling in place, many organizations may still be squirrely about laptops with corporate secrets or customer data sets being parted from their caretakers into aircraft holds.

“Most organizations won’t feel comfortable with employees packing away their company-owned laptops and other IT equipment into their luggage, even if they are properly secured with encryption and passwords,” says Richard Steinnon, Chief Strategy Officer of Blancco Technology Group. “So, I imagine that employees traveling to the countries included in this ban will likely be asked by their employers to not carry these devices with them. If they have to, they will likely be told to remove all non-essential data before they check in their IT assets in their baggage.”

In some instances, simply leaving a corporate laptop unattended may already be against company policy. For example, warns Eric O’Neill, national security strategist for Carbon Black and a former FBI counter-terrorism operative, military contractors likely wouldn’t be able to bring their laptops on affected legs.

“When traveling internationally, the rule of thumb is to keep all critical devices on your person – especially phones, laptops and tablets that have important information on them, or access to important or sensitive information,” he says.

The travel ban is just one part of the equation. Even more troubling are the inspection rights that border patrol have increasingly been asserting with regard to devices, even those locked by their possessors.

“The long-term substantial impact is that key information may be exposed, unpredictably, and for no substantive reason, to inspectors who have no right to that access,” says Mark Graff, CEO of Tellagraff and former CISO for Nasdaq. “This development may well open these companies to litigation exposure any inadvertent violation of data security regulations. It is only a matter of time before companies fined for violating federal standards take the federal government to court for forcing that violation with the new order inspection practices.”

Both the laptop ban and the requirement of unlocking devices for inspectors throw up data confidentiality and integrity issues, explains Phillip Hallam-Baker, vice president and principal scientist at Comodo. However, the latter is a lot more difficult because there are few compensating controls.

To read what other experts have to say, click here.