
The Hitlist: Remote Access

Remote access is often one of the weakest points we find in a customer’s network.  Corporations allow home users, with no real security on their home network, to remotely connect to their corporate network, access, and even download content.  This alone is a breach of security, and could even facilitate a data breach.  We have all known of users who email themselves company files, but what if those files contained Personally Identifiable Information (PII) or Personal Health Information (PHI)?  We have seen it happen.  What if someone is writing a report, and then decides to bring it home to finish it up?  What if that report contains intellectual property?  To avoid these potential disasters, it is important to have proper controls in place.  You should have a secure method of accessing corporate data remotely, and there should be policies and procedures in place to ensure that users are forced to use this to access data.  We have outlined some topics to consider below:

SSL VPN/Remote Desktop Solution (not to be confused with Remote Desktop (RDP) for Windows)

Step one, you must have a secure solution in place to access corporate data remotely.  Ideally, all users with remote access privilege should be using an encrypted VPN connection, period.  If possible, some sort of remote desktop solution should be employed that provides an interface for accessing internal network resources.

Corporate Devices

If you don’t use a remote desktop solution, then you should mandate that only corporate devices are allowed to access the internal network. When employees use personally owned devices for work, they tend to use them however they want, which creates an unneeded vulnerability for your company. Corporate-owned devices can help close this gap in security and give your IT department increased accountability without taking away the employees’ productivity.

Policies

Step two, you must have policies in place to enforce the usage of your secure remote access solution.  Tell users what they can and can’t do, and set expectations so that if they do not follow company policy there could be repercussions.

Administrative Access

Admins should not use privileged accounts for remote access.  It is best practice for admins to have two domain accounts, one with privileged access, and a standard user account that does not have any elevated privileges.  The account with administrative access should only be used when administrative duties are required, and should never be used for remote access into your corporate network.

Network Traffic Control

In addition, you need to have tools in place to control the traffic on your network. The resources on your network are not only available at your organization’s physical location; when you add remote access capabilities, the amount of traffic that moves around the network increases. Look at it like a highway: a highway is made to allow a steady flow of cars to move from location to location with ease. At any point, a heavy flow of cars can cause the highway to become congested, and this backup will spread if cars cannot leave as fast as they are approaching. The same is true for your organization’s network. If you do not have the correct tools, policies, and procedures in place to control your network traffic, it could greatly deteriorate the speed of your network, which in turn could decrease business continuity and productivity.

Application Control

Another essential tool when utilizing remote access is application control. Your network is a combination of different ways to communicate, including email, instant messaging, and point-to-point applications. As more applications are introduced to your network, the number of risks from malicious software also increases. This is why it is very important to have a solid application control policy and to ensure that it is implemented throughout your organization.


Now It’s Microsoft’s Turn, SSL Vulnerability in SCHANNEL

It’s official, all major SSL stacks are now vulnerable.  There are already a number of detailed blogs written about this new vulnerability, so I am not going to rewrite all of the details.  I am going to sum it up and bottom line it for you.  Here is a good detailed account of the issue if you are interested.

SCHANNEL is to Windows what OpenSSL is to Linux.  It is used in almost all instances where Windows is listening for SSL traffic.

Many people are claiming this is something that needs to be pushed out ASAP, but as of right now there aren’t any public exploits that are widely available.  Microsoft said there will soon be one, and a number of sources also say that is the case.  According to NIST, the risk rating for one of the vulnerabilities related to this is a 10 for all categories.  There are a number of vulnerabilities related to this exploit.

Do I need to worry about it?

Yes, but it doesn’t mean it has to be an all hands on deck situation.  In fact, this is not a new bug, “this has been remotely exploitable for 18 years,” according to researcher Robert Freeman.  This is a potentially serious vulnerability, but how do the length of time it has been available and the difficulty in exploitation factor into the situation?

What should we do?

Make sure you have a good inventory of your devices.  Any Windows Server listening publicly on SSL should get this patch on your next patch cycle (think not only websites, but SFTP, RADIUS, etc.), even if it’s not slated for that particular cycle.  You should also double check traveling laptops to make sure they don’t have anything unique on them, but typically they wouldn’t be listening for this traffic.

The rest of your infrastructure is fairly protected behind other defenses and should be addressed with as much prudence as any critical vulnerability would, but at this point and with the information out there, it does not seem that you should drop everything and immediately push this out to all devices.

Knowing where your devices are and what their patch status is should be one of the top priorities for your organization.

We will update this blog as new information surfaces.


What every organization should know about HIPAA

What Is The HIPAA Privacy Rule?

According to HHS.gov, “The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.”

In other words, the privacy rule sets forth standards to protect health related information specifically controlled by organizations that handle electronic forms of medical records.

What is the HIPAA Security Rule?

Also according to HHS.gov, “The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”

The Security Rule sets forth the specific things that an organization is expected to do to protect healthcare data.  It also describes who is expected to protect health data and who is liable for its loss.

What Is A Covered Entity and Who Qualifies?

A covered entity is any health plan, health care clearinghouse, or health care provider who transmits health information in electronic form.  However, the application of HIPAA does not end there.  A Business Associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.  In other words, any organization that does work for a covered entity and has regular access to health records is responsible for complying with parts of HIPAA.

What Data Is Protected?

According to the Summary of the HIPAA privacy rule:

HIPAA protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” “Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual, 

and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

In other words, any data that can be used to identify a person or even closely identify a person.

What Is The Breach Notification Rule?

According to HHS.gov, “The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.”  For the loss of fewer than 500 records, annual notification is required; larger breaches require notification within 60 days.

What Are The Risks For Non-Compliance? (Or, Why Is This Important To Me?)

There are a number of factors to consider, such as the number of records lost and how much neglect is involved.  None of the specifications in the HIPAA rules are optional; those called “addressable” just mean that you have freedom in how you implement them.  The Federal Register provides a wealth of information and estimates of the average costs of breaches.  Penalties are only a portion of the costs.  Costs to consider include:

  • Cost to notify individuals
  • Cost to provide a toll free number and subsequent call charges
  • Cost to investigate the breach
  • Cost to notify individuals with new privacy notices
  • Costs of civil penalties
  • Potential jail time

All of these costs add up to the total cost to an organization in the event of a breach.  The civil penalties are outlined in the following table from the Federal Register:

Categories of Violations and Respective Penalty Amounts Available (Source: The Federal Register)

Violation Category                    | Each Violation   | All such violations of an identical provision in a calendar year
(A) Did Not Know                      | $100-$50,000     | $1,500,000
(B) Reasonable Cause                  | $1,000-$50,000   | $1,500,000
(C)(i) Willful Neglect-Corrected      | $10,000-$50,000  | $1,500,000
(C)(ii) Willful Neglect-Not Corrected | $50,000          | $1,500,000
As the costs add up, healthcare organizations need to realize that the cost of becoming compliant can be well below that of a large breach.  In a previous post we talk about the general areas on which an organization needs to focus in order to become compliant with most standards.  For a detailed breakdown of controls that should be considered for HIPAA, here is a good post.  Here are a few recent breaches and examples from HHS (these don’t include any Business Associates, but we will probably start seeing those this year or next):

Case Examples and Resolution Agreements (Source: HHS.gov)

Organization | Cause of Breach | Penalty
New York and Presbyterian Hospital | Web server misconfiguration | $3,300,000
Concentra | Stolen, unencrypted laptop | $1,725,220
Alaska DHSS | Stolen, unencrypted USB drive; inadequate policies and procedures; failure to complete risk analysis, employee training, device and media controls or encryption | $1,700,000
WellPoint | Application database misconfiguration; failure to perform risk analysis; inadequate policies and procedures | $1,700,000
Massachusetts Eye and Ear Infirmary | Unencrypted personal laptop; management was aware of the Security Rule but failed to take necessary action | $1,500,000
Columbia University | Failed to perform risk analysis or provide policies and procedures governing IT | $1,500,000
BCBST | Stolen unencrypted hard drives | $1,500,000
Shasta Regional Medical Center | Failure to attain written authorization to disclose PHI | $275,000
QCA | Failed to perform risk analysis and to provide physical safeguards for workstations | $250,000

Shellshock, What Does It Mean For Your Organization?

Updated: Added information about Macs and some additional reference links.

This new vulnerability is much easier to exploit than Heartbleed and can have a huge negative impact on your organization.  Windows Server environments are not immune either.  We have been waiting for the dust to settle before jumping on the media hype about all of this, and we wanted to make sure that information was gathered from multiple sources, that official security organizations had made their opinions public, and that we weren’t just posting information to try and gather web hits.

According to Errata Security

What is ShellShock?

Shellshock is a vulnerability in a shell within Linux called Bash.  This shell is available on much of the web: at least 35% of all web servers are running Apache, which doesn’t necessarily mean those servers have Bash installed, but many if not most of them will.

For a comprehensive and technical overview of the bug, visit Troy Hunt’s post about it.  We are not going to dig into the details; we want to make sure you have the information you need to make a decision for your organization.

Why should my organization be concerned?

This vulnerability can allow an attacker from the outside, without access to anything but a public-facing web page, to gain access to a shell.  In the best case scenario, we don’t want anyone gaining a shell on an internal system, because they would have the potential to perform any command they want.  Now, there are commands that require elevated privileges to execute, but I have found more than my fair share of web servers running sites as root or similar.  The attacks also don’t have to come from the web.  Early proofs of concept have shown vulnerabilities through SSH and DHCP as well as other protocols.  This vulnerability is a perfect candidate for a widespread worm.

According to Robert Graham at Errata Security, the issue is much more widespread than we think, and the vulnerability is already being exploited and attacked in the wild.

To summarize, this vulnerability could potentially provide someone full control of a server with minimal effort (look how easily the vulnerability was exploited here by just browsing to a web page or here by setting up a DHCP server).  Think about it: if a DHCP server can exploit it, and Macs are vulnerable, what is the risk of using a Mac on public Wi-Fi now?  That is why the CVSS score is as bad as it gets:

CVSS Severity (version 2.0):

CVSS v2 Base Score: 10.0 (HIGH)
Impact Subscore: 10.0
Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
Source: NIST

How do I know if I am vulnerable?

On a Linux machine (this can be a device with embedded Linux as well, such as a phone, router, switch, etc.) run the following command:

env x='() { :;}; echo this machine is vulnerable' bash -c "echo testing"

If the output of this command contains ‘this machine is vulnerable’, then it is.

Macs are vulnerable as well, but there is a little more effort to test.  Additionally, users are dependent upon Apple to push out the updates.

What do we do?

That one is tough, because not all systems have updates.  For those that do have updates, it can be completed with minimal effort (though standard change control procedures should be used).  Many Linux distributions have released updates, but as some researchers have noted, not all fixes have worked.

Here is the process we suggest taking within your network:

  1. Don’t panic, most of your primary systems are not vulnerable.
  2. Identify all systems that may be running Bash, which includes Macs (giving priority to any with public-facing websites or even services such as Telnet, FTP, SSH, etc.)
  3. If you have public-facing Telnet or SSH, turn it off. If you have public-facing FTP, it should at least be running SFTP or FTPS.
  4. Contact vendor support or vendor resources and determine if patches are available (here is a good starting point for vendor information)
  5. Deploy patches, and retest
  6. For devices where patches are unavailable, consider the risk to the organization; if the risk outweighs the benefit, consider options including shutting down the device:
    1. Is the device public facing?
    2. Does it have direct access to important information?
    3. What would the impact to the business be if this device went down?
    4. Is this device necessary?
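A small defender-side script for the checks above, added here and not part of the original post: it wraps the page’s env test so it can be run against any bash binary in your inventory, adds the widely circulated follow-up check for hosts that only took the first, incomplete fix, and counts web-server access-log lines that carry the same "() {" function-definition marker that probes for this bug placed in HTTP headers.  The log lines and IP addresses are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post: defender-side helpers for the
# Shellshock checks described above. The sample log lines below are constructed.

# Run the page's env-based test against a bash binary (default: bash on PATH).
# Returns 0 if the binary executed the trailing command (vulnerable),
# 1 if it did not, 2 if the binary was not found.
shellshock_test() {
  bin="${1:-bash}"
  command -v "$bin" >/dev/null 2>&1 || return 2
  out=$(env x='() { :;}; echo this machine is vulnerable' "$bin" -c "echo testing" 2>/dev/null)
  case "$out" in
    *"this machine is vulnerable"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Widely circulated follow-up check for builds that took only the first, incomplete
# fix: a still-affected parser turns the stray redirection into "date > echo" and
# leaves a file named "echo" behind. Runs in a scratch directory so nothing else is
# touched. Same return codes as shellshock_test.
shellshock_test_incomplete_fix() {
  bin="${1:-bash}"
  command -v "$bin" >/dev/null 2>&1 || return 2
  scratch=$(mktemp -d)
  ( cd "$scratch" && env X='() { (a)=>\' "$bin" -c "echo date" >/dev/null 2>&1 )
  if [ -f "$scratch/echo" ]; then rc=0; else rc=1; fi
  rm -rf "$scratch"
  return $rc
}

# Count lines of an Apache/nginx style access log whose fields contain "() {".
# No legitimate User-Agent or Referer value starts a shell function definition,
# so every hit deserves a look. Prints the count; returns 1 if the file is unreadable.
scan_access_log() {
  n=$(grep -cF '() {' "$1") || [ "$n" = "0" ] || return 1
  printf '%s\n' "$n"
}

# Run one check and print a human-readable verdict (safe under set -e).
report() {
  rc=0
  "$1" "$2" || rc=$?
  case $rc in
    0) echo "$2: VULNERABLE ($1)" ;;
    1) echo "$2: not affected ($1)" ;;
    *) echo "$2: binary not found" ;;
  esac
}

# Constructed sample log: documentation IP ranges and the same harmless echo
# payload as the page's own test string, so the script runs offline.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.23 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo probe" "curl/7.37"
EOF

report shellshock_test bash
report shellshock_test_incomplete_fix bash
echo "access-log lines carrying the marker: $(scan_access_log "$SAMPLE_LOG")"
grep -nF '() {' "$SAMPLE_LOG" || true
```

Point shellshock_test at other shells on the host (for example a vendor-bundled bash under /opt) to cover appliances that do not update with the distribution.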

If you need assistance performing any of the services please contact us at info@securit360.com or call us at 205-202-4233.


HHS Enforces Penalties for Losing Less Than 500 Patient Records

The Hospice of Northern Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.html

HONI reported that an unencrypted laptop was stolen in 2010 and that it contained 441 patient records.  HHS began an investigation and discovered that HONI had not performed a risk analysis to safeguard their PHI nor did it have any policies or procedures in place regarding mobile device security which is required by HIPAA.

The HITECH breach notification rule requires covered entities to report loss of 500 or more records to HHS and the media within 60 days, but also requires that smaller breaches be reported on an annual basis.

According to the agreement between HHS and HONI the official reasons for the fine were:

  • HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an on-going basis as part of its security management process.
  • HONI did not adequately adopt or implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level.

In a recent blog post we discussed how many health care organizations are still focused on protecting their organization from themselves, and they are not prepared to face the threat of malicious attacks from the outside.  This is another example of where basic and simple information security practices (encrypting a laptop) would have prevented significant fines and court costs.  Has your organization reviewed your standard security practices?  Would you be protected if someone lost a laptop?  What if someone actively targeted your records?


Is the healthcare industry a target?

Many of the clients we work with are either a medical service provider or a vendor to medical service providers.  If they are creating, transmitting or storing patient data, then they are a covered entity and therefore liable for compliance with HIPAA.  What we often find is that clients are under the impression that HIPAA provides a set of specific instructions for how to secure a network and protect data.  What they find out is there isn’t a yellow brick road leading to compliance.  HIPAA lays out the results of information security efforts that are expected, but the clients are required to build the road to those results.

Many times the mindset is, we aren’t really a target like the financial industry or retailers, so we just need to make sure we don’t do something stupid and lose our data.  This can no longer be the mindset.  A recent CNN article sheds some light on why the healthcare industry, and specifically medical records, may become much more lucrative for data exfiltration.  According to many sources, credit card numbers typically fetch about $1-$2, but sometimes up to $100, on the black market depending on the metadata that is included.  Many times they are unreliable, and it can take hundreds or thousands of them to see any profit.  On the other hand, medical records are fetching around $50 per record, according to Med Page Today.  To put it in perspective, Target lost approximately 40 million credit card records in the initial breach.  Based on the price on the black market, the data stolen could be worth up to $40 million.  It won’t be quite that much because there will be duplicate records, expired credit cards, fraud protections in place and other factors that would reduce the total value of the data.  Additionally, there are many systems in place to protect the use of that data as well as track down anyone who attempts to use it.

Why are medical records worth so much?  What information can you gain from them?  According to CNN and other sources, they can be used to maliciously bill organizations like Medicare, and they can be used to impersonate patients so that attackers can obtain prescriptions to sell.

Let’s take a fictitious scenario where medical records are stolen from an exchange of hospitals.  It would only take 800,000 records (compared to 40 million) to reach a potential $40 million in value.  Additionally, those records will be more reliable because they can be used to exploit an industry that has yet to fully utilize modern security practices or checks.  Not only can those records be used to defraud the government, according to the CNN article, they can be used to make patients liable for charges.  Where credit card companies will forgive debts for fraudulent charges, there are no protections like this in place for patients, and these situations could get quite complicated.

Time and time again, we find that healthcare organizations are behind on even using standard security practices.  Gone are the days when the healthcare industry only needs protection from itself; the healthcare industry is seeing a real threat from malicious actors.  They now have very valuable information, and if controls aren’t put into place to protect it, organizations could quickly find themselves falling further and further behind the curve of protecting their information and their patients.  Do you know where your organization stands when it comes to IT security and compliance?


Budgeting For Security

Security budgeting is a layered approach

Security is important for an organization and its customers. However, there is often a misconception that security costs are included in the IT budget. Security best practices follow a layered approach, and budgeting is no different. There is no such thing as being 100% secure, and mistakes can happen anywhere. Where should you focus your efforts?

Cover the Basics first

Before you look at some of the newest security solutions, it is important to make sure the basics are covered. Here are a few items to consider:

  1. Review your security policy
  2. Ensure security patches are up to date, for all hardware/software
  3. Make sure all of your devices are running AV software and are up to date
  4. Review your password policy for weak passwords
  5. Encrypt all portable devices
  6. Provide security training for end users, and IT staff
  7. Regularly review your Firewall/IDS rules
  8. Follow best practices for remote access/VPN solutions
  9. Have a monitoring/logging solution in place

Budget Considerations

Once you have the basics in place, formal measurement and planning is prudent to prioritize capital expenses. If you do not have the in-house expertise available, you may need to rely on outside assistance. Some items to consider:

  1. Formalized development of security policies and procedures
  2. Security monitoring or outsourced assistance
  3. Vulnerability and penetration testing
  4. Third party inspection
  5. Multifactor Authentication
  6. Mobile Device Security/Management
  7. Internet controls/restrictions
  8. Secure Large File transfer methods
  9. NAC
  10. Wireless security
  11. Data Loss Prevention
  12. Incident response/tracking
  13. Backups/DR/Business Continuity

Studies have shown that a good overall security posture will reduce the overall cost of a security breach.


Ebola: Is Your Organization Prepared?

All organizations should have a business continuity plan.  I know that many do not.  How will your business respond if:

  • Your building burns down
  • A flood destroys facilities
  • A tornado takes out a primary distributor and disrupts a supply chain
  • A pandemic infection affects any key component of your business

A pandemic plan addresses this specific scenario within a business continuity plan.  Do we have remote access capabilities that allow everyone to perform their job?  What happens if the whole IT department is sick?  If accounting is sick, who will send invoices and pay bills?  If our distributor’s source in a foreign country is shut down, where will our supplies come from (this is an indirect effect)?  If sea ports are closed, and the US taps oil reserves, and gas prices quadruple, how will that impact business?  These are things your organization should be considering already, but if not, now is a good time.

UPDATE 10/3/2014: Ebola has now officially spread to the United States.  A patient in Dallas, according to news sources, has had contact with many people while being infected with Ebola.

Today, based on publicly available news sources, the Ebola virus has spread from west Africa north to Morocco, possibly east to Nigeria and even further to Saudi Arabia.  Additionally, the US has admitted the two Americans infected with the virus.  This could easily fizzle out in a few days and have zero impact on US day to day operations.  But what if it doesn’t?  Will your business survive interruptions to daily services?

The impact of a potential pandemic infection would be severe.  What if the US declares some sort of martial law and quarantines people to their homes?  This will disrupt shipping and supply chains, and will require all employees to work from home.  Does your organization have the remote access infrastructure in place for this?

Organizations should not panic over this news, but rather use it to push for completing or developing their business continuity plans in preparation for any disaster.  Make sure you have the policies and procedures in place to continue business even if critical pieces of your infrastructure are impacted.  Here is a checklist made available by the CDC for flu pandemic preparedness.  Obviously Ebola is not the same as the flu, but the checklist can work for both.


Phishing and FIFA

I have some friends staying with me right now from Brazil.  They arrived a few days ago, and said that, due to the world cup, the level of excitement in Brazil is very high, and that there are many foreigners that have arrived in the country to see the games.  The World Cup is all over everything in the country right now.  Apparel, food, merchandise, etc. is all branded with the World Cup (similar to how the U.S. advertises items for the World Series or the Super Bowl).  The World Cup is one of the largest sporting events in the world, and encompasses a much larger audience than any single country.

The World Cup began a few days ago, and will last for about a month.  Network teams will see their bandwidth spike in unison with the matches, and organizations will see hours lost as employees sneak peeks at the games.  The World Cup Final alone can draw hundreds of millions of viewers.  In other words, much of the world is not only expecting, but anticipating news about the World Cup.  This frenzy is ripe for phishing attacks and spam.  Some of the most popular, by FIFA’s own admission, are lotteries, requests for money, and competitions.  Now, these aren’t really different from average spam/phishing attacks, but they can play on a relaxed defense and awareness for scams.

Each game also brings additional risk.  Consider the opening game where Brazil beat Croatia: scammers could easily prey on the excitement that Brazil won, but also on the referee controversies.  These types of events provide great leverage for newsworthy stories to pique the interest of people all too willing to watch a video or read an article.

More so today than in many years past, a number of World Cup apps are being released into mobile device app stores.  This is a new attack vector that could provide legitimate news information, but can also harvest information such as passwords, network access, documents, etc.  Organizations need to closely examine their BYOD policies and make sure their corporate data is secure on mobile devices.

There are many people in the United States who are not interested in the World Cup and are often oblivious to its popularity around the world.  I have heard people say they don’t expect it to impact their networks that much because they don’t think many people will watch it.  We tend to forget that America has a very diverse workforce, and many organizations are global in their operations.  What other countries, where the World Cup may be a very big deal, may have access to your networks?  Does your organization have any global contractors who are in the United States?  Has your organization considered the impact the World Cup could have on the information security of these often overlooked back doors into your network?  At the very least, organizations should send information security awareness notifications to their employees.

Why the World Cup?

The World Cup is not unique in carrying these types of information security risks.  Security risks tend to follow many major sporting events, natural disasters, and trending global news headlines.  However, the World Cup is unique in the size of its global audience, the anticipation of the event, and the often overlooked security risks to a network in today’s global landscape.

What can my organization do?

First, take a look at our recent article, How to Spot a Phishing Email.  As we mention in that article, you can ask yourself some of these questions:

  • Do I know the sender?
  • Is this an email I expected?
  • Does my system think this email is suspicious?
  • Is a file attached to the email?
  • Does the email ask for personal information?
  • Are there links in the email and are they from trusted sources?
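A way to apply the checklist above mechanically to a message, as an added example that is not part of the original article: the two sample emails and the trusted-domain sets are constructed for illustration, and the two questions only the recipient or the mail filter can answer (was it expected, did the filter flag it) are passed in as parameters.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a "World Cup lottery" lure of the kind the article mentions.
SAMPLE_PHISH = """\
From: FIFA Prize Desk <prizes@fifa-worldcup-lottery.example>
Subject: Congratulations! You won the World Cup Lottery
Content-Type: text/plain

You have been selected in the FIFA World Cup online lottery.
Reply with your full name, date of birth and bank account number
to claim your prize, or visit http://claim.fifa-worldcup-lottery.example/win
"""

# Constructed sample: an ordinary internal message for comparison.
SAMPLE_INTERNAL = """\
From: IT Helpdesk <helpdesk@corp.example>
Subject: Maintenance window tonight

The VPN gateway will be restarted at 22:00. See https://intranet.corp.example/status
"""

KNOWN_SENDER_DOMAINS = {"corp.example"}          # assumption: the org's own domain
TRUSTED_LINK_DOMAINS = {"intranet.corp.example"}  # assumption: link hosts users expect
PII_PHRASES = ("password", "bank account", "date of birth", "social security")

def assess_email(raw: str, expected: bool = False, filter_flagged: bool = False) -> dict:
    """Answer the six checklist questions for one RFC 5322 message and count
    the affirmative answers; `expected` and `filter_flagged` are supplied by
    the recipient and the mail filter respectively."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = "".join(  # concatenate every plain-text part, lowercased for matching
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk() if part.get_content_type() == "text/plain"
    ).lower()
    link_domains = {d.lower() for d in re.findall(r"https?://([\w.-]+)", body)}
    answers = {
        "unknown_sender": sender_domain not in KNOWN_SENDER_DOMAINS,
        "unexpected": not expected,
        "flagged_by_filter": filter_flagged,
        "has_attachment": any(p.get_filename() for p in msg.walk()),
        "asks_for_personal_info": any(phrase in body for phrase in PII_PHRASES),
        "untrusted_links": bool(link_domains - TRUSTED_LINK_DOMAINS),
    }
    answers["red_flags"] = sum(answers.values())  # how many questions came back "yes"
    return answers
```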

As organizations continue to expand their global footprint, even indirectly as many organizations utilize the cloud more and more, they must start taking a global perspective on information security and the effects world events, trends and entertainment can have on their networks.



The Hitlist: BYOD

“Bring Your Own Device,” or BYOD, is an increasingly common topic among CIOs and other executives.  We are not here to argue the merits of BYOD, but we do want to mention a few key topics to think about if you consider implementing it.

1. Policy

The first thing an organization should have before implementing BYOD is a set of policies that govern it.  They should answer questions such as: What is acceptable use?  What types of devices can be used?  What should a user do if a device is lost or stolen?  Is MDM required?

2. Corporate MDM (Mobile Device Management)

If personal devices will be on your corporate network, you must know where they are and have some degree of control over them.  Most MDM solutions will enable you to require specific security features, lock or wipe lost/stolen devices, and require or prevent specific types of software from being installed.  Enterprise-level MDM is a must.

3. Screen Lock Password

All mobile devices should be required to have a screen lock with a minimum of 5 alphanumeric characters in the passcode.  Anything less than 5 characters can be guessed or brute-forced quickly and easily.  This feature can be enforced through most MDM solutions.

4. Device Encryption

Again, this is another control which can be enforced through an MDM solution, and it is a must-have.  All mobile devices should be encrypted, without exception, ideally using a corporate encryption management system.  This is a straightforward way to reduce the impact of a lost or stolen device.

5. Jailbroken/Rooted Devices

No jailbroken or rooted devices should be allowed on your network, bottom line.  Even though these modified devices can have many enticing features, they also bypass many of the built-in security features of the platform.  This is another control which can be enforced through most mobile device management solutions.

6. Regular Updates

For mobile devices, you are at the mercy of the carriers for the latest updates, unfortunately.  For laptops and desktops, however, you have much more control.  As a matter of policy and enforcement, all devices should be running the latest updates available.

7. Separate Business and Personal Data

Ideally, you should put all corporate data into a separate container on mobile devices (also known as containerization).  Many times this is not practical from a user experience perspective, because many containerization applications lack features that users want or need.  Without containerization, however, it is much more difficult to track corporate data.  How corporate and personal data will be separated is something that should be decided before rollout.

8. Know Where Your Data Resides

If you don’t know where your data is, how can you protect it?  Make sure data you thought was secure doesn’t walk out of your walls on a mobile device.

9. Data Loss Prevention

DLP allows an organization to track its data and to prevent it from leaving its walls.  This first requires knowing where your data is, who can access it, and how it can be accessed, and having control over the devices on your network.

BYOD is not something that should start overnight.  It should be well thought out and weighed against the risks and benefits.  Compliance, remote access, network security, wireless configuration, and many other facets of the enterprise should be considered before allowing users to bring their own devices.