
Posts tagged - iPhone

Wednesday, January 4, 2012

BYOD: Why Bring Your Own Device Doesn’t Spell Disaster for Your Network’s Security

by Tara Savage, Senior Marketing Manager, BT Global Services

This holiday season was brought to you by the letters B.Y.O and D.  Those four letters spell a major shift in the technology world, one which is going to have a big impact on businesses this month.

It goes without saying that the number one holiday gift this year will be tablet computers and smart phones and that the vast majority of people will want to bring their new device to work with them when they come back to work.  In other words, they’ll be bringing their own devices through your business’s front door and wanting to log on to the corporate network.

Before panic sets in at the thought of hundreds of unsecured devices wreaking havoc on your well managed network, take a step back and have a look at the big picture.

BT’s Ray Stanton and Jeff Schmidt have been talking to the media about why the panic over BYOD is much ado about nothing and that the benefits of enabling workers to use mobile devices far outweighs the risks that are commonly associated with them.

From Jeff’s perspective, tablets enable worker productivity and enhance customer satisfaction. As long as strong authentication is enabled and device-wipe capability is part of the tablet’s set-up, data is likely more secure than if it was sitting on a desktop computer in an office park.

In a recent article on searchsecurity.com Ray pointed out that securing mobile devices is very similar to securing laptops, something that companies have been doing successfully for many years now. He says: “[I]f the policy is to allow tablet use, then introduce the same security policies and enforcement as you would on a laptop computer. It’s irrelevant if it is your own device. If users are accessing corporate data, the rules revert to the corporate policies, irrespective of what they have accessed it from.”

Ray points out that the other key to success is user education: making sure employees are aware of policies and understand both why they are in place and how to comply with them. Ray is particularly impressed with Good Technology from Good Dynamics, which has some excellent platforms for multi-end-user environments to manage and secure mobile devices.

And, as Martin Brown, another of BT’s security experts has said in his Twelve Tips for Christmas: “Make sure you enable a password set-up immediately and run security updates until there are no more flashing icons.  Just because it’s new doesn’t mean it’s secure!”


Monday, December 12, 2011

The 12 Days of Christmas for Security Geeks

by Martin Brown, General Manager, Security Technology & Strategy

Twas the night before Christmas, and all through the house, not a peripheral was stirring, not even a (bluetooth) mouse…

So, it is that time of year again where everyone is filled with holiday spirit and glee (not the singing school version) yet don’t forget that it is during this time of year that the Grinch is scanning the horizon, trying to phish the joys of Christmas away from you.

Here is a friendly reminder to keep your spirits up and keep the Grinch away by considering the following 12 steps:

1) Don’t tell the world via social networks that your crib (or office) is empty over the holiday period. When you leave your stable unprotected anyone can come in and wreak havoc with your donkey and asses!

2) Make sure you keep your Anti-Virus and security tools updated. The holiday season brings gremlins out of the shadows who will eat after midnight and exfiltrate your holiday cheer!

3) Take your company back-ups offsite to a secure storage facility just in case Rudolph comes crashing through the roof due to that glowing nose actually being a single point of failure!

4) Make sure your remote access is working as planned and you can get online if required over the holidays, but keep it secured so the trolls don’t get in.

5) Have some company letterhead available so you can write official documents if needed. It can also come in handy to make a last-minute list if your partner mentions any ‘wouldn’t it be good if’ wishes for presents. Failing that, paper darts to change channel on the TV when you have lost the control under a mountain of wrapping paper.

6) Don’t be scammed. If it seems too good to be true, it probably is. ‘Tis the Season for pop-ups and alerts promising great deals and holiday freebies. THINK before you click.

7) Advise your alarm company that the building will be unattended and that if a fat man in any color suit gets stuck in the ventilation, it’s not going to be Father Christmas and it’s going to be more “Heave Ho” than “Ho Ho”!

8) Be careful with your decorations around the office and make sure they are electrically safe. When you leave, turn off all devices not needed over Christmas as well as the Christmas lights, but remember to turn the networking equipment back on before anyone returns to work! Hung-over or not, people will still need a building to return to, and access to the network.

9) Check your systems daily to make sure they are operational for emergencies and for those unable to digest yet another Christmas musical who instead prefer to catch up on the reams of photos from that Office Christmas party before HR intervenes…

10) Don’t stand that glass of ‘Holiday Cheer’ next to your keyboard! Keyboards do not appreciate mulled wine, and nor will they appreciate a mince pie… When mixed, the two create a Christmas Keyboard Concrete which only the ghost of Christmas Future can fix with the aid of a small jackhammer.

11) If you get a new computer or other network-enabled device, add a passcode/password and repeatedly run the software updates until there are no more security updates to be found. Just because it’s new and shiny does not mean it’s secure!

12) And finally, don’t send ‘helpful’, ‘insightful’, or ‘if you want to know what I think’ text or email messages to the boss (or anyone else) while buoyed by Holiday spirits!

Monday, October 31, 2011

Where’s the Bazooka? Hackers at 12 o’clock!

By Martin Brown, General Manager, Security Technology & Strategy

We all appreciate that the perimeter of an organization can no longer be considered a neat circle delineating red and greenside networking. The various ingress points, access routes, devices moving around etc. etc., have all resulted in our nice neat circle looking more like a piece of red-brown mutant popcorn.  Effectively, your perimeter is where you think your data last resided and that well may be different to where it is now.

Lately, however, we have seen drones introduced which, for a relatively low price, bring the ability to literally swoop in and attempt to invade your logical and physical perimeter, interrogating your environment and making off with sensitive data.

These self-contained drones range from a prosumer drone controllable by an iPhone over WiFi that lets you see what your roof looks like (and being WiFi not much further!), to a drone loaded with various promiscuous networking devices and video feed that can be flown from a considerable distance to a target, and then fly around it, testing, and/or hijacking networks and signals over the air with WiFi cracking and cellular spoofing giving it access to anything it can lay its dirty digital hands on. Voice or data traffic that is snared is then routed over 4G/3G or any open WiFi it finds back to the operator.

This is quite a change from the norm – we think walkways, windows and wireless – we don’t tend to think about how we secure the airspace above our organization.  And while someone might be on top of their obvious physical security concerns, they might consider some parts of the building, those all the way up there on the umpteenth floor, or deep within the campus perimeter, to be out of harm’s way.

Are we moving to a point where the CSO has cameras installed on the roof of Corporate HQ, so when the hovering hacker is spotted, the gallant IT superhero dons their luminous external underwear, gallops up the 10 flights of stairs to the roof, briefly posing, neat rows of teeth glinting in the sunlight, before blowing the infiltrator out of the sky with the latest hi-tech heat seeking missile shot from their squared shoulder?

Being one of those people who are built for comfort and not for speed, I readily admit to lacking that superhero-like athleticism, and suspect in some cases this may be more like: the roof door crashes open, the IT bod collapses, red-faced, through the door onto the deck, flailing arms, gasping for air, as the rogue drone videos this epic failure for future distribution via YouTube. With hindsight, I’m thinking that remote controlled rocket launchers will be far more sensible – no galloping and no need to keep a superhero outfit in the office (unless you really want to)!

Will we see vendors offering devices that create a wall of interference from these drones?  As the cost of drones falls even lower, into the price range of the proverbial hacker, who is able to do their own warflying around the neighborhood, or to order, how do we protect multiple airspaces?  And, if they have control and landing ability, there is no reason that some could not settle inside your perimeter like a wireless data leech for an extended visit.

So, while we are probably some way yet from this as a widespread issue, it’s something to which we might want to give a little more thought, especially if greenfield sites are considered to be relatively immune to issues of unauthorized local monitoring.  Unfortunately, it’s often those exact sites that become the locus of innovation for wannabe hackers with time on their hands.  As well as looking on your network for signs of an attack you need to start looking above your network for the perp who’s sitting out of view, lowering a drone into the electronic range of their people and your networks ready to penetrate your defenses and impersonate networks.

Tuesday, October 18, 2011

I’m Sorry, Are My ‘Bits’ Showing?

By: Martin Brown, General Manager, Security Technology & Strategy

As I write this I am on the 20:37 out of London on a Wednesday evening. I, and my fellow lemmings, are leaving the big smoke to return to our humble dwellings and the comforts of home.

It’s dark outside as winter draws in, and as we devolve from lemming to troglodyte our attention is drawn inward from the passing countryside back inside the carriage, where we endlessly survey our fellow trogs.

Speaking to someone else is of course forbidden, as to do so would break the cardinal, unwritten rule of the commuter, not to mention being branded as some sort of possessed nutter who those who travel regularly will then avoid sitting near in the future for fear of eye contact and having to make conversation… Still, having some extra spare seats around me would be nice…Maybe I’ll keep that in mind for another time…

As I look around, having previously memorized the LED scrolling route plan, there is nothing much to look at other than my fellow trogs. What becomes immediately apparent (apart from the somewhat disturbing view of one person’s persistent attempt to perform DIY brain surgery via their nasal cavity) is that people have got all their “bits” on display.

The lady one seat in front on the opposite side of the aisle, your Blackberry is in full view, setting up meeting appointments, not to mention the risk of me seeing the lock code – be it numbers, phrase or gesture.  The man with the laptop two rows in front, your Windows login, and document, email and spreadsheets are all clearly on display.  The man on my immediate left, he’s asleep, and his PDA is lazily hanging on by a sticky finger (no, this is not the DIY brain surgeon from earlier…), and unlocked. And finally, the one which caused me to write this, the lady diagonally opposite me at the same table, who has left her phone in front of me most of my journey, with a personal message on the screen.

All of the above represent social engineering and data loss risks, with numbers, emails and other data on display…

The rise of mobile devices, consumerization if you wish, has catapulted corporate and personal data into a whole host of hostile environments – including public transport, where it can be observed by others either for gossip or benefit – neither of which result in a comfortable conversation.

Following the corporate data retention guidelines and installing mobile device policies is only part of the solution.  Our user groups need to be educated as to what are ‘good practices’ and what is, well, daft, in terms of how and when they access the information.

If you don’t protect your data from casual or deliberate shoulder surfing, you will be exposing your ‘bits’, and bytes, in public for all to see.

As the comedian Frankie Howerd would say, “Oh err Missus!!”

Tuesday, May 31, 2011

Everyday Technology Used for Surveillance

By Toby Weir-Jones, Vice President of Product Development, BT Counterpane

The U.S. “war on terror” has brought a lot of surveillance technologies into the foreground and taught people about how little privacy they really have if someone is determined to listen.  With court orders (for domestic use) and more general international understandings, technology that we use every day can become a tool for investigations or surveillance.

Think back to 1995 when the FBI arrested Kevin Mitnick in North Carolina.  One of the ways they confirmed his location was by triangulating his position via cell phone activity, and while this was not the first time the FBI used such a technique, it was a relatively high-profile arrest.

Today, you can’t look at any news outlet without seeing detailed technical analyses of how your smart phone may (or may not!) be tracking your position, and consumers have published detailed accounts of how they recovered stolen property using built-in tracking and reporting capabilities.  So even if your phone isn’t actively reporting your personal location to the matrix, you should generally assume that, with the right court order, it could.

It may seem James Bond-like to “bug” a suspect using covert audio surveillance devices. But bugs generally presume you know ahead of time where your target is going to be, so you can get into that space ahead of time and plant your equipment. Law enforcement agencies know that they need a portable device to give people aiding with investigations the ability to record their conversations, and have quietly worked with major auto parts manufacturers to disguise typical key fobs as recording devices. Of course, your smart phone could do that too, with the right software installed.

But what about situations in which there are total air gaps?  We already know that Osama Bin Laden’s hideout had no phone or internet connections, implying that all communications had to be done in-person via messenger.  But did that mean surveillance on the facility was impossible?  Of course not.

We may never know the full extent of what intelligence gathering took place over many months, but despite having no physical access, it’s clear the U.S. Special Forces knew the detailed layout of the construction, exactly what security features were in place, and had a very high measure of confidence that their target was on site.  We can assume that everything from Predator drones to disguised locals quietly observing the facility were part of the equation, and the key point was that they generally knew where to look.

There are plenty of other examples – all of which is possible because of the widespread proliferation of inexpensive information-gathering tools, coupled with the commercial forces of market research and consumer profiling.

The bottom line is to assume the information you generate on a daily basis is being recorded, and may be accessible to others.  It may be anonymous, it may be intended to offer you a more customized user experience, but that doesn’t relieve you of the responsibility of awareness.


Wednesday, May 18, 2011

Assessing Risk in the Mobile World: Part One

By Jill Knesek, Chief Security Officer, BT Global Services

One of the hottest topics at the CIO water cooler at the moment is the question of how we should deal with the risks posed by personal mobile devices in the workplace.

While some companies ban the use of personal devices or heavily restrict their use, BT allows the use of most mobile devices as long as Exchange ActiveSync is used to connect to MS Exchange servers. This allows the BT password policy to be pushed to the device, ensuring some basic level of security. Tablets, such as the iPad, must have hard disk encryption installed and enabled to protect locally stored data and emails.

I know that some of my peers think this is a risky choice. But when my team and I assessed the risk, we found that the risks associated with personal mobile devices are similar enough to those of a BT-supported device that the benefits of allowing their use outweighed the risks, with a few exceptions.

While our Ethical Hacking team can test all BT-supported devices and software, it is harder for them to test all hardware and software associated with personal devices.  Instead, they focus on the security features that are present whether it is a BT-supported device or a personal one, such as password security and hard disk encryption.

In most cases, attending to these two elements will mitigate risk to an acceptable level, but there are still areas of exposure around personal software, where the ever-popular applications could undermine our risk assessment. The other aspect with the potential to cause complications is that when a vulnerability is identified in a personal device, it is much more difficult to get the problem patched or fixed, because the necessary contractual relationships with the vendor are not in place.

So, if your company assesses that the business value of having a highly responsive, mobile workforce outweighs the risks posed by personal devices, what steps should your IT team implement to provide the most secure operating environment?  The top five things that my team and I recommend are:

  1. Conduct a robust security awareness program for employees on critical issues
  2. Require that all software and apps be fully tested by the company
  3. Require strong password policies and email encryption
  4. Set policies such as webmail access only; regular data deletion, or classification rules for data storage
  5. Require all devices be capable of remote wipe to ensure that sensitive data can be removed promptly once the loss or theft is reported
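The policy push described above (a password policy delivered over Exchange ActiveSync, with encryption required for tablets) and the remote-wipe requirement in point 5 can both be expressed in the Exchange 2010 Management Shell. This is an added example, not BT’s configuration; the policy names, the mailbox alice@example.com and the notification address are constructed placeholders, and the cmdlet and parameter names are assumed from Exchange 2010.

```powershell
# Constructed example: an ActiveSync mailbox policy in the Exchange 2010
# Management Shell. Names and addresses are placeholders.

# Weak setting, shown only as the "before" state: any device may sync,
# no PIN is required, and devices that cannot enforce policy are let in.
New-ActiveSyncMailboxPolicy -Name "Weak-AnyDevice" `
    -DevicePasswordEnabled $false `
    -AllowNonProvisionableDevices $true

# Corrected baseline: PIN required, lockout after repeated failures,
# idle lock, and on-device encryption. A device that cannot apply the
# policy (non-provisionable) is refused rather than waved through.
New-ActiveSyncMailboxPolicy -Name "BYOD-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the baseline to a mailbox; every device that syncs it receives
# the policy on its next sync.
Set-CASMailbox -Identity "alice@example.com" `
    -ActiveSyncMailboxPolicy "BYOD-Baseline"

# Check: which devices sync this mailbox and whether each has
# acknowledged the policy. A device stuck at "NotApplied" is the one to
# follow up on before it is allowed to keep corporate mail.
Get-ActiveSyncDeviceStatistics -Mailbox "alice@example.com" |
    Select-Object DeviceType, DeviceModel, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync

# Remote wipe once a loss or theft is reported: pick the reported
# device, issue the wipe, and have the server mail a confirmation
# when the device checks in and acknowledges it.
$lost = Get-ActiveSyncDevice -Mailbox "alice@example.com" |
    Where-Object { $_.DeviceType -eq "iPad" }
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "secops@example.com" -Confirm:$false
```

The wipe is queued on the server and only takes effect when the device next syncs, so the confirmation email, not the command returning, is the signal that the data is gone.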


Thursday, August 19, 2010

Mobile Device Security – A Growing Problem with Few Answers

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

It is no surprise that mobile device security is becoming a growing concern for CSOs everywhere. Although mobile phones have been part of many companies’ communications strategy for quite some time, what has changed significantly in the last few years is the substantial increase in mobile device sophistication and emergence of targeted threats – both seemingly outpacing comprehensive and effective security measures.

Today’s mobile devices are exponentially more powerful and complex than those from a few years ago.  This combined with increases in inexpensive bandwidth and millions of available applications mean more people are using them for more complex tasks, which include a vast array of corporate information and application interactions. The opportunity to lose valuable data or expose corporate systems to unauthorized access has been considerably amplified.

Although there are some evolving security solutions emerging in the industry to address mobile device security, not all are comprehensive nor can they be referred to as “enterprise-ready.” Moreover, many large organizations may have as many as a dozen different mobile device platforms being used that represent a broad spectrum of diversity, further complicating meaningful security. Also, given today’s device capabilities, it is difficult to determine if a user is retrieving email, files or accessing applications from a computer or an unapproved mobile device.

Of course, all this is exacerbated by threats that specifically target mobile devices. Hackers are attracted to mobile devices because of the diversity of attack vectors and opportunity.  These fall into three basic categories:

  • Access to information – There are numerous applications that promote mobile online banking, social networking, and, of course, files and e-mail stored on the device, all of which represent value to a hacker.  Moreover, many mobile devices are VPN-capable, which can open internal systems to undesirable interactions.
  • Toll fraud – Hackers have produced several Trojans inserted in downloadable games and applications that surreptitiously dial international premium rate numbers that produce revenue for the hacker. Additionally, there are malware that permit eavesdropping and other forms of man-in-the-middle attacks.
  • Leverage – An emerging condition is where hackers are implementing rootkits and other forms of malware that are essentially creating a botnet within the mobile domain, which can be used for a number of purposes, such as DDoS and SMS spam.

Concerns about the exposure of private information and communications are very real. In fact, just in the last few weeks, the U.A.E. has sought to block Blackberry messaging and e-mail, and the German government, which has advised officials not to use Blackberry and iPhone devices due to a dramatic increase of attacks and fear of snooping, is advising civil servants to use Simko2 by T-Systems. And unfortunately, it’s likely to get worse before it gets better.

So, what can you do?

First, focus on the basics: policy, access control, monitoring, and education. Try to minimize platform diversity within the organization, though this is far easier said than done. Seek mobile device encryption solutions — a lot of data loss can be attributed simply to users misplacing their phones. There are some good anti-virus solutions on the market that should be reviewed and tested; however, you may find you need more than one solution.

Lastly, use mobile device sophistication to your advantage!  Produce corporate applications to help employees — even something as simple as an app that provides updated mobile security policies employees can reference, or access to approved software, or something that can help identify the device as it accesses corporate systems, such as certificates, or a proxy app to route Internet traffic through dedicated security systems under your control.

Anything is better than nothing.  Use the same capabilities that are at the disposal of hackers to do harm, but do good.  You may not get ahead of the curve, but at least you can start leveling the battlefield.

Monday, August 9, 2010

What CSOs Talk About at Dinner

By Jill Knesek, Chief Security Officer, BT Global Services

Last week I had the pleasure of meeting with some of Chicago’s outstanding CISOs and CSOs.  We met for dinner to discuss those thorny and gnarly issues that keep us working overtime to make sure that our companies are secure and our employees excel at work.  So, what was on our menu that night?

The first hot topic was methods of securing data across companies with disappearing perimeters.  BT, like many companies, works to enable its workers to literally work anywhere to boost their productivity and enhance their work-life balance.  But as the office walls disappear, new challenges abound.

While we touched on what value firewalls and IDSs provide, much more time was spent discussing endpoint security, such as personal firewalls, antivirus products and good patch management processes.  I see particular value in hard disk encryption on laptops, which renders stored data nearly useless to thieves. 

Obviously, mobile devices are top of mind for us.  Not only do we have to worry about laptops — with more companies supporting a “BYOD” (bring your own device) policy, we have a whole new set of things to be concerned about.  For example, it seems inevitable that companies will need to let employees bring their own hardware platform into the workplace.  And, while we all love our iPads, iPhones, Blackberries, and Android phones, with hundreds of thousands of apps available for download and many thousands more becoming available each day, how do we secure them?  While I wish I could say that we came up with a solution during dinner, this topic, for now, still generates more questions than answers.

The other topic that provoked a great deal of discussion as the economy emerges slowly from recession is how we secure new acquisitions.  The biggest problem facing CSOs in this area is — how do we change the culture of a new acquisition without breaking the business model that made them a desirable target?  But, the bottom line is that at the end of the day, CSOs are responsible for the security of all company assets, whether organic or acquired.  From my view, the key is good communication with the acquired management team and a strong security awareness campaign, since employees remain our first line of defense.  After that, it comes down to pure risk management and understanding the biggest threat against the acquired company — and mitigating that piece first.

And, from that discussion, we found ourselves deep in the nitty-gritty of Risk Management.  I know this message is getting tired, but the reality is that having a mature risk management program with real stats and data to back up your risk register can be a great tool in communicating at the boardroom level.  We can’t be Chicken Little, but we do need to rely on cold hard facts that resonate with the senior management team. 

The example I used was how to relate a fraud case to the senior leadership team in terms of revenue lost from the bottom line.  For example, if you lose $1 million in a fraud, how much revenue would it take to make up for that net loss?  Well, if the revenue was from a service with a 15% margin, it would take nearly $7 million in new revenue to make up for the loss.  Putting the cost of crime in terms of revenue helps the CFO and senior management appreciate the importance of reducing crime through security.

By the time we reached dessert, we’d hashed through these and other very interesting topics.  And, while we didn’t come up with concrete solutions or definitive answers, we learned a lot from sharing our common experiences and unique responses. 

I’d like to thank everyone who came and invite you all to carry on the conversation in cyberspace.  Leave a comment below, or let me know what you think in the Security Leaders Group on LinkedIn.